- Daily - CERT.at

Tageszusammenfassung - 22.03.2023
by Daily end-of-shift report 22 Mar '23

22 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-03-2023 18:00 − Mittwoch 22-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ PoC exploits released for Netgear Orbi router vulnerabilities ∗∗∗ --------------------------------------------- Proof-of-concept exploits for vulnerabilities in Netgears Orbi 750 series router and extender satellites have been released, with one flaw a critical severity remote command execution bug. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-ne… ∗∗∗ Windows Snipping-Tool anfällig für "Acropalypse" ∗∗∗ --------------------------------------------- Anfang der Woche wurde eine "Acropalypse" genannte Lücke im Screenshot-Tool von Google Pixel-Phones bekannt. Das Windows 11 Snipping-Tool verhält sich ebenso. --------------------------------------------- https://heise.de/-7619561 ∗∗∗ Cyber-Sicherheit für das Management ∗∗∗ --------------------------------------------- Das international erscheinende Handbuch „Management von Cyber-Risiken“, das durch das BSI in Zusammenarbeit mit der Internet Security Alliance entwickelt wurde, erhält ein weitreichendes Update --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Blackmail Roulette: The Risks of Electronic Shelf Labels for Retail and Critical Infrastructure ∗∗∗ --------------------------------------------- During our research, we analyzed the unknown micro-controller (MCU) of the SUNY ESL tag, which is a common Chinese ESL tag vendor, gained debug access and reverse engineered the proprietary 433 MHz radio-frequency (RF) protocol. As no authentication is used, we were able to update any ESL tag within RF range with arbitrary content. --------------------------------------------- https://sec-consult.com/blog/detail/blackmail-roulette-the-risks-of-electro… ∗∗∗ Erpressungsmail: „Ich weiß von Ihrem sexuellen Interesse an kleinen Kindern“ ∗∗∗ --------------------------------------------- Aktuell wird uns vermehrt ein Erpressungsmail gemeldet, in dem Empfänger:innen beschuldigt werden, sexuelle Interessen an Kindern zu haben. Angeblich wurde beim Pornoschauen ein Programm heruntergeladen, welches die Kamera aktivierte und die Person beim Masturbieren filmte. Dieses Video wird verbreitet, wenn nicht innerhalb einer Woche Bitcoins überwiesen werden. Alles frei erfunden! Löschen Sie dieses E-Mail, es handelt sich um Fake. --------------------------------------------- https://www.watchlist-internet.at/news/erpressungsmail-ich-weiss-von-ihrem-… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components) ∗∗∗ --------------------------------------------- The extension is vulnerable to cross-site scripting if user-controlled data is used as a component argument parameter. A detailed description of the issue as well as some examples are provided in the extension documentation. --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2023-003 ∗∗∗ Java-Plattform: Kritische Lücke in VMware Tanzu Spring Framework geschlossen ∗∗∗ --------------------------------------------- Zwei Schwachstellen bedrohen das Spring Framework. Eine Lücke gilt als kritisch. Updates zum Schließen des Sicherheitslecks stehen bereit. --------------------------------------------- https://heise.de/-7614914 ∗∗∗ Webbrowser: Chrome-Update dichtet acht Sicherheitslücken ab ∗∗∗ --------------------------------------------- Der Webbrowser Chrome schließt acht Sicherheitslücken mit Updates. Angreifer können durch sie etwa mit manipulierten Webseiten Schadcode einschmuggeln. --------------------------------------------- https://heise.de/-7611326 ∗∗∗ OpenSSL Security Advisory: Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) ∗∗∗ --------------------------------------------- Severity: Low A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. [..] Policy processing is disabled by default --------------------------------------------- https://www.openssl.org/news/secadv/20230322.txt ∗∗∗ Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites). --------------------------------------------- https://www.wordfence.com/blog/2023/03/multiple-reflected-cross-site-script… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox), Oracle (kernel, kernel-container, and nss), and SUSE (curl, dpdk, drbd, go1.18, kernel, openstack-cinder, openstack-glance, openstack-neutron-gbp, openstack-nova, python-oslo.utils, oracleasm, python3, slirp4netns, and xen). --------------------------------------------- https://lwn.net/Articles/926843/ ∗∗∗ [R1] Tenable.sc Version 6.1.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Tenable.sc 6.1.0 updates Apache to version 2.4.56 and PHP to 8.1.16 to address the identified vulnerabilities. --------------------------------------------- https://www.tenable.com/security/tns-2023-16 ∗∗∗ CVE-2023-0391: MGT-COMMERCE CloudPanel Shared Certificate Vulnerability and Weak Installation Procedures ∗∗∗ --------------------------------------------- Rapid7 has discovered three security concerns in CloudPanel from MGT-COMMERCE, a self-hosted web administration solution. --------------------------------------------- https://www.rapid7.com/blog/post/2023/03/21/cve-2023-0391-mgt-commerce-clou… ∗∗∗ Cisco Access Point Software Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco SD-WAN vManage Software Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE SD-WAN Software Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco DNA Center Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers CAPWAP Join Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches Secure Boot Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Adaptive Security Appliance Software, Firepower Threat Defense Software, IOS Software, and IOS XE Software IPv6 DHCP (DHCPv6) Client Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Low-Entropy Keys Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Access Point Software Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Access Point Software Association Request Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964832 ∗∗∗ Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964844 ∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964836 ∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964854 ∗∗∗ IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2022-43863) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964862 ∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6612805 ∗∗∗ IBM Workload Scheduler is vulnerable to XML External Entity Injection (XXE) attack ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6890697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2023
by Daily end-of-shift report 21 Mar '23

21 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Montag 20-03-2023 18:00 − Dienstag 21-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 11 bug warns Local Security Authority protection is off ∗∗∗ --------------------------------------------- Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-11-bug-warns-local-… ∗∗∗ From Phishing Kit To Telegram... or Not!, (Mon, Mar 20th) ∗∗∗ --------------------------------------------- Today, I spotted a phishing campaign that stores collected credentials via a Telegram bot! Telegram bots are common in malicious Python scripts but less common in Phishing campaigns! --------------------------------------------- https://isc.sans.edu/diary/rss/29650 ∗∗∗ Google Cloud Log Extraction ∗∗∗ --------------------------------------------- In this blog post, we review the methods through which we can extract logs from Google Cloud. --------------------------------------------- https://www.sans.org/blog/google-cloud-log-extraction/ ∗∗∗ Find Threats in Event Logs with Hayabusa ∗∗∗ --------------------------------------------- Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. --------------------------------------------- https://blog.ecapuano.com/p/find-threats-in-event-logs-with-hayabusa ∗∗∗ Black Angel Rootkit ∗∗∗ --------------------------------------------- Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality. Designed for Red Teams. --------------------------------------------- https://github.com/XaFF-XaFF/Black-Angel-Rootkit ∗∗∗ Linux auditd for Threat Detection [Final] ∗∗∗ --------------------------------------------- The focus of this article will be to describe what behaviors allow for which events to be recorded by auditd. Additionally, you will see where auditd is not capable of recording certain events, despite verbose settings. --------------------------------------------- https://izyknows.medium.com/linux-auditd-for-threat-detection-final-9d51737… ∗∗∗ Nexus: a new Android botnet? ∗∗∗ --------------------------------------------- On January 2023, a new Android banking trojan appeared on multiple hacking forums under the name of Nexus. However, Cleafy’s Threat Intelligence & Response Team traced the first Nexus infections way before the public announcement in June 2022. --------------------------------------------- https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet ∗∗∗ Mitigating SSRF in 2023 ∗∗∗ --------------------------------------------- Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to trick a server-side application to make a request to an unintended location. SSRF, unlike most other specific vulnerabilities, has gained its own spot on the OWASP Top 10 2021. This reflects both how common and how impactful this type of vulnerability has become. --------------------------------------------- https://blog.includesecurity.com/2023/03/mitigating-ssrf-in-2023/ ∗∗∗ Malicious NuGet Packages Used to Target .NET Developers ∗∗∗ --------------------------------------------- Software developers have been targeted in a new attack via malicious packages in the NuGet repository. --------------------------------------------- https://www.securityweek.com/malicious-nuget-packages-used-to-target-net-de… ∗∗∗ Achtung: Betrügerische Anrufe zu Eurojackpot-Gewinn! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor angeblichen Gewinnbenachrichtigungen per Anruf, E-Mail, Post und Social Media im Namen von Eurojackpot in Acht. Kriminelle geben sich als die Lotterie aus und behaupten, dass Sie Geld gewonnen haben. Im weiteren Verlauf sollen Sie vorab Geld bezahlen, um die Auszahlung zu erhalten. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betruegerische-anrufe-zu-eur… ∗∗∗ Patch CVE-2023-23397 Immediately: What You Need To Know and Do ∗∗∗ --------------------------------------------- We break down the basic information of CVE-2023-23397, the zero-day, zero-touch vulnerability that was rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immedia… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2), Oracle (firefox, nss, and openssl), Slackware (curl and vim), SUSE (dpdk, firefox, grafana, oracleasm, python-cffi, python-Django, and qemu), and Ubuntu (ruby2.7, sox, and tigervnc). --------------------------------------------- https://lwn.net/Articles/926759/ ∗∗∗ XSA-429 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-429.html ∗∗∗ XSA-428 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-428.html ∗∗∗ XSA-427 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-427.html ∗∗∗ Keysight N6845A Geolocation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-01 ∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 ∗∗∗ VISAM VBASE Automation Base ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05 ∗∗∗ Siemens RUGGEDCOM APE1808 Product Family ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-03 ∗∗∗ Rockwell Automation ThinManager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-22-080-06 ∗∗∗ Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-wellintech-ics-p… ∗∗∗ Spring Vault 3.0.2 and 2.3.3 fix CVE-2023-20859 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/03/20/spring-vault-3-0-2-and-2-3-3-fix-cve-2023… ∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Moment CVE-2023-22467 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964588 ∗∗∗ A vulnerability in protobuf may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-1941) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852651 ∗∗∗ IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964694 ∗∗∗ IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963662 ∗∗∗ Vulnerability in Apache Commons FileUpload library affect Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964742 ∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2023-25690) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964752 ∗∗∗ Multiple vulnerabilities of Mozilla Firefox ESR have affected APM Synthetic Playback Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964754 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2023
by Daily end-of-shift report 20 Mar '23

20 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-03-2023 18:00 − Montag 20-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New ‘HinataBot’ botnet could launch massive 3.3 Tbps DDoS attacks ∗∗∗ --------------------------------------------- A new malware botnet was discovered targeting Realtek SDK, Huawei routers, and Hadoop YARN servers to recruit devices into DDoS (distributed denial of service) swarm with the potential for massive attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-hinatabot-botnet-could-l… ∗∗∗ Google: Bearbeitete Pixel-Screenshots lassen sich wiederherstellen ∗∗∗ --------------------------------------------- Wer Teile von Screenshots unkenntlich macht, verlässt sich darauf, dass dies auch so bleibt. Bei Pixel-Smartphones war das bisher nicht so. --------------------------------------------- https://www.golem.de/news/google-bearbeitete-pixel-screenshots-lassen-sich-… ∗∗∗ Ransomware: Emotet kehrt zurück – als OneNote-E-Mail-Anhang ∗∗∗ --------------------------------------------- Die hochentwickelte Schadsoftware Emotet ist wieder aktiv. Sie findet in Form von bösartigen OneNote-Dateien ihren Weg in den E-Mail-Eingang potenzieller Opfer. --------------------------------------------- https://heise.de/-7551285 ∗∗∗ Malware-Masche: Acrobat Sign-Dienst zum Unterschieben von Malware missbraucht ∗∗∗ --------------------------------------------- Avast hat eine neue Masche beobachtet, mit der Cyberkriminelle Opfern Malware unterjubeln wollten. Sie missbrauchen dazu den Adobe-Sign-Dienst. --------------------------------------------- https://heise.de/-7557288 ∗∗∗ Researchers Shed Light on CatB Ransomwares Evasion Techniques ∗∗∗ --------------------------------------------- The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities. --------------------------------------------- https://thehackernews.com/2023/03/researchers-shed-light-on-catb.html ∗∗∗ Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research ∗∗∗ --------------------------------------------- In this blog post, we’ll share some of our latest research into bypassing CloudTrail. We’ll cover a method that allowed CloudTrail bypass with both read and write API actions for the Service Catalog service. This now-fixed vulnerability is noteworthy, because it was the first publicly known CloudTrail bypass that could permit an attacker to alter an AWS environment. --------------------------------------------- https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-c… ∗∗∗ IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole ∗∗∗ --------------------------------------------- In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID VNC backdoor variants NVISO observed. Well follow by exposing common TTPs before revealing information leaked through the attackers clipboard data. --------------------------------------------- https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyh… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal-Sicherheitslücke könnte Angreifern die Systemübernahme ermöglichen ∗∗∗ --------------------------------------------- Die US-Cyber-Sicherheitsbehörde CISA warnt vor einer Sicherheitslücke im Content-Management-System Drupal. Angreifer könnten verwundbare Systeme kapern. --------------------------------------------- https://heise.de/-7550599 ∗∗∗ OpenSSH 9.3 dichtet Sicherheitslecks ab ∗∗∗ --------------------------------------------- Die Entwickler von OpenSSH haben Version 9.3 der Verschlüsselungssuite veröffentlicht. Sie schließt Sicherheitslücken und behebt kleinere Fehler. --------------------------------------------- https://heise.de/-7550738 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, imagemagick, sox, thunderbird, and xapian-core), Fedora (chromium, containernetworking-plugins, guile-gnutls, mingw-python-OWSLib, pack, pypy3.7, sudo, thunderbird, tigervnc, and vim), Mageia (apache, epiphany, heimdal, jasper, libde265, libtpms, liferea, mysql-connector-c++, perl-HTML-StripScripts, protobuf, ruby-git, sqlite3, woodstox-core, and xfig), Oracle (kernel), Red Hat (firefox, nss, and openssl), SUSE (apache2, docker, drbd, kernel, and oracleasm), and Ubuntu (curl, python2.7, python3.10, python3.5, python3.6, python3.8, and vim). --------------------------------------------- https://lwn.net/Articles/926636/ ∗∗∗ IBM Security Bulletins 2023-03-20 ∗∗∗ --------------------------------------------- * Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930) * Watson AI Gateway for Cloud Pak for Data is vulnerable to an OpenSSL denial of service caused by a type confusion error (CVE-2023-0286) * IBM Aspera Faspex 5.0.4 can be vulnerable to improperly authorized password changes * Watson AI Gateway for Cloud Pak for Data is vulnerable to Ansible Runner code execution and could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper shell escaping of the shell command. * IBM Aspera Faspex can be vulnerable to improperly authorized password changes * Vulnerability in EFS affects AIX (CVE-2021-29861) * Vulnerability in libc affects AIX (CVE-2021-29860) * Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) * Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217) * A denial of service vulnerability in JDOM affects IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE CVE-2021-33813) * Vulnerabilites in Java SE affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) * Vulnerability in IBM WebSphere Application Server (CVE-2023-23477) shipped with IBM Workload Scheduler 9.4 * Vulnerability in Node.js affects IBM Voice Gateway * IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes * Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2023-25921, CVE-2023-25926, CVE-2023-25685, CVE-2023-25922, CVE-2023-25925) * Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Workload Scheduler. * IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Spring Framework 5.2.23 fixes cve-2023-20861 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/03/20/spring-framework-5-2-23-fixes-cve-2023-20… ∗∗∗ Spring Framework 6.0.7 and 5.3.26 fix cve-2023-20860 and cve-2023-20861 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2023
by Daily end-of-shift report 17 Mar '23

17 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-03-2023 18:00 − Freitag 17-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Adobe Acrobat Sign abused to push Redline info-stealing malware ∗∗∗ --------------------------------------------- Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute info-stealing malware to unsuspecting users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-acrobat-sign-abused-to… ∗∗∗ Hitachi Energy confirms data breach after Clop GoAnywhere attacks ∗∗∗ --------------------------------------------- Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a zero-day GoAnyway zero-day vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data… ∗∗∗ How to Google Dork a Specific Website for Hacking ∗∗∗ --------------------------------------------- You might pride yourself on being savvy in cyber security but be prepared for surprises if you test the Google dorks provided. Done right, these Google dorks can identify high-priority vulnerabilities you can investigate further using penetration testing tools. --------------------------------------------- https://www.stationx.net/how-to-google-dork-a-specific-website/ ∗∗∗ Chaos Malware Quietly Evolves Persistence and Evasion Techniques ∗∗∗ --------------------------------------------- The name Chaos is being used for a ransomware strain, a remote access trojan (RAT), and now a DDoS malware variant too. Talk about chaos! In this case, Sysdig’s Threat Research Team captured attacks using the Chaos variant of the Kaiji botnet malware. There is very little reported information on this malware since September 2022, perhaps because of the unfortunately chaotic naming, or simply because it is relatively new. --------------------------------------------- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ ∗∗∗ Free decryptor released for Conti-based ransomware following data leak ∗∗∗ --------------------------------------------- Security researchers have released a new decryption tool that should come to the rescue of some victims of a modified version of the Conti ransomware, helping them to recover their encrypted data for free. --------------------------------------------- https://www.tripwire.com/state-of-security/free-decryptor-released-conti-ba… ∗∗∗ Phishing-Welle: Vorsicht vor Fake Disney+ Mails ∗∗∗ --------------------------------------------- Sie haben ein E-Mail erhalten, in dem Disney+ Sie darauf hinweist, dass eine Zahlung fehlgeschlagen ist? Löschen Sie die Nachricht oder schieben Sie sie in den SPAM-Ordner – es handelt sich um einen Phishing-Versuch! Die E-Mails werden mit dem Betreff „Aussetzung Ihres Disney+ Kontos“ oder „Sperrung Ihres Disney+ Kontos“ massenhaft verschickt! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-welle-vorsicht-vor-fake-dis… ∗∗∗ #StopRansomware: LockBit 3.0 ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a ∗∗∗ Windows 10/11: Microsoft veröffentlicht Script für den WinRE BitLocker Bypass-Fix ∗∗∗ --------------------------------------------- Seit November 2022 ist bekannt, dass es eine Bitlocker-Bypass-Schwachstelle CVE-2022-41099 im Windows Recovery Environment (WinRE) gibt. Das Patchen ist aber alles andere als einfach. --------------------------------------------- https://www.borncity.com/blog/2023/03/17/windows-10-11-microsoft-verffentli… ∗∗∗ ShellBot Malware Being Distributed to Linux SSH Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server. --------------------------------------------- https://asec.ahnlab.com/en/49769/ ∗∗∗ Debugging D-Link: Emulating firmware and hacking hardware ∗∗∗ --------------------------------------------- GreyNoise researchers explain the process of gaining a foothold in firmware or a physical device for vulnerability research and achieving a debuggable interface. --------------------------------------------- https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacki… ===================== = Vulnerabilities = ===================== ∗∗∗ Exynos: Google findet schwerwiegende Zero Days in Samsung-Chips ∗∗∗ --------------------------------------------- Die betroffenen Geräte lassen sich über das Internet hacken, darunter Smartphones von Samsung, Google und Vivo sowie Wearables und Autos. --------------------------------------------- https://www.golem.de/news/exynos-google-findet-schwerwiegende-zero-days-in-… ∗∗∗ Honeywell OneWireless Wireless Device Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-06 ∗∗∗ Rockwell Automation Modbus TCP AOI Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-07 ∗∗∗ Omron CJ1M PLC ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-01 ∗∗∗ AVEVA Plant SCADA and AVEVA Telemetry Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-04 ∗∗∗ Autodesk FBX SDK ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-02 ∗∗∗ [R1] Sensor Proxy Version 1.0.7 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-15 ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957836 ∗∗∗ IBM Cognos Command Center is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6555376 ∗∗∗ InfoSphere Identity Insight vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963974 ∗∗∗ Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Client and IBM Spectrum Protect for Space Management (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956237 ∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to node.js module qs [CVE-2022-24999] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964166 ∗∗∗ Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963640 ∗∗∗ Vulnerability in Java SE may affect IBM Spectrum Protect Operations Center (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963642 ∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Node.js Angular (CVE-2022-25844) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964174 ∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Apache commons-fileupload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964176 ∗∗∗ AIX is vulnerable to denial of service vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847947 ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957836 ∗∗∗ AIX is vulnerable to a denial of service due to lpd (CVE-2022-43382) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848309 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2023
by Daily end-of-shift report 16 Mar '23

16 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-03-2023 18:00 − Donnerstag 16-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CVE-2023-23397 - der (interessante) Teufel steckt im Detail ∗∗∗ --------------------------------------------- Im Regelfall veröffentlichen wir zu Sicherheitslücken, die durch den Hersteller im Rahmen eines regulären Patchzyklus behoben werden, keine Warnung. Die Motivation dahinter ist, dass wir unsere Warnungen als Werkzeug betrachten, Informationen über kritische Schwachstellen mit entsprechender Urgenz an die jeweiligen Adressat:innen bringen wollen. Dementsprechend entscheiden wir relativ konservativ, wovor oder worüber wir warnen, um die Wirkung selbiger nicht zu verwässern. Aber, wie so oft, bestätigen Ausnahmen die Regel [...] --------------------------------------------- https://cert.at/de/blog/2023/3/cve-2023-23397-der-teufel-steckt-im-detail ∗∗∗ CISA warns of Adobe ColdFusion bug exploited as a zero-day ∗∗∗ --------------------------------------------- CISA has added a critical vulnerability impacting Adobe ColdFusion versions 2021 and 2018 to its catalog of security bugs exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusi… ∗∗∗ Winter Vivern APT hackers use fake antivirus scans to install malware ∗∗∗ --------------------------------------------- An advanced hacking group named Winter Vivern targets European government organizations and telecommunication service providers to conduct espionage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winter-vivern-apt-hackers-us… ∗∗∗ BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion ∗∗∗ --------------------------------------------- The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said. --------------------------------------------- https://www.darkreading.com/risk/bianlian-ransomware-pivots-encryption-pure… ∗∗∗ Simple Shellcode Dissection, (Thu, Mar 16th) ∗∗∗ --------------------------------------------- Most people will never execute a suspicious program or “executable”. Also, most of them cannot be delivered directly via email. Most antispam and antivirus solutions block them. But, then, how could people be so easily infected? I’ll explain with the help of a file I found in a phishing campaign. --------------------------------------------- https://isc.sans.edu/diary/rss/29642 ∗∗∗ Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency ∗∗∗ --------------------------------------------- Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC). --------------------------------------------- https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html ∗∗∗ SSRF Cross Protocol Redirect Bypass ∗∗∗ --------------------------------------------- Server Side Request Forgery (SSRF) is a fairly known vulnerability with established prevention methods. So imagine my surprise when I bypassed an SSRF mitigation during a routine retest. Even worse, I have bypassed a filter that we have recommended ourselves! --------------------------------------------- https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html ∗∗∗ Falsche WhatsApp und Telegram Apps auf der Jagd nach Krypto‑Wallets ∗∗∗ --------------------------------------------- ESET-Forscher analysierten Android- und Windows-Clipper, die Sofortnachrichten manipulieren und OCR verwenden können, um Kryptowährungen zu stehlen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2023/03/16/falsche-whatsapp-und-tele… ∗∗∗ Bee-Ware of Trigona, An Emerging Ransomware Strain ∗∗∗ --------------------------------------------- Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries. --------------------------------------------- https://unit42.paloaltonetworks.com/trigona-ransomware-update/ ∗∗∗ DotRunpeX – demystifying new virtualized .NET injector used in the wild ∗∗∗ --------------------------------------------- ImplMap2x64dbgInvoke-DotRunpeXextractThe post DotRunpeX – demystifying new virtualized .NET injector used in the wild appeared first on Check Point Research. --------------------------------------------- https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized… ===================== = Vulnerabilities = ===================== ∗∗∗ Webkonferenzen: Hochriskante Lücken in Zoom ∗∗∗ --------------------------------------------- In der Online-Konferenzsoftware Zoom haben die Entwickler mehrere Schwachstellen geschlossen. Einige gelten als hochriskant und könnten Codeschmuggel erlauben. --------------------------------------------- https://heise.de/-7547291 ∗∗∗ Kritisches Leck in SSL-VPN-Gateway von Array Networks ∗∗∗ --------------------------------------------- Die SSL-VPN-Gateways von Array Networks haben eine kritische Sicherheitslücke. Angreifer könnten aus dem Netz ohne Authentifizierung Code einschleusen. --------------------------------------------- https://heise.de/-7548009 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and pcre2), Oracle (nss), Red Hat (kpatch-patch and nss), SUSE (java-11-openjdk, kernel, and python310), and Ubuntu (emacs24, ffmpeg, firefox, imagemagick, libphp-phpmailer, librecad, and openjpeg2). --------------------------------------------- https://lwn.net/Articles/926289/ ∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-004 ∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-003 ∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-002 ∗∗∗ Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-011 ∗∗∗ Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-010 ∗∗∗ Multiple vulnerabilities within OpenSSL and Node.js affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963634 ∗∗∗ EBICs client of IBM Sterling B2B Integrator vulnerable to multiple issues due to Dojo Toolkit ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963652 ∗∗∗ IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963650 ∗∗∗ IBM Watson Assistant for Cloud pak for Data is affected by vulnerabilities in Pallets Werkzeug . ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963668 ∗∗∗ IBM Aspera Faspex can be vulnerable to improperly authorized password changes ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963662 ∗∗∗ Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955067 ∗∗∗ Vulnerability in PyPI cryptography and Python may affect IBM Spectrum Protect Plus File Systems Agent (CVE-2023-23931, CVE-2023-0286, CVE-2023-24329) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957718 ∗∗∗ Vulnerabilities in Linux Kernel may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963936 ∗∗∗ Multiple Vulnerabilities in Intel Firmware affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6611963 ∗∗∗ CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963940 ∗∗∗ CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963942 ∗∗∗ Vulnerabilities in Golang Go and Java SE might affect IBM Spectrum Copy Data Management (CVE-2022-41717, CVE-2023-21830, CVE-2023-21835, CVE-2023-21843) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960739 ∗∗∗ Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-2964, CVE-2022-2601, CVE-2020-36557) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960747 ∗∗∗ IBM Sterling B2B Integrator vulnerable to sensitive information exposure due to IBM MQ (CVE-2022-42436) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963954 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server ( CVE-2022-3509, CVE-2022-3171) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963956 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary command execution due to com.ibm.ws.org.apache.commons.collections (CVE-2015-7501) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963962 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963958 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963960 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2023
by Daily end-of-shift report 15 Mar '23

15 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-03-2023 18:00 − Mittwoch 15-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ IPFS phishing and the need for correctly set HTTP security headers, (Wed, Mar 15th) ∗∗∗ --------------------------------------------- In the last couple of weeks, Ive noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS)- an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception. --------------------------------------------- https://isc.sans.edu/diary/rss/29638 ∗∗∗ How to Find & Fix: WordPress Pharma Hack ∗∗∗ --------------------------------------------- Finding bogus content and unexpected links for prescription drugs on your WordPress website can be a frustrating experience. But don’t blame your site: it just got caught up in a bad crowd of black hat SEO spammers and fell victim to a pharma hack. Pharma spam occurs when bad actors inject a website with keywords for pharmaceutical products. Their end goal is to use an innocent site’s good reputation to lure traffic to a scam. --------------------------------------------- https://blog.sucuri.net/2023/03/find-fix-wordpress-pharma-hack.html ∗∗∗ New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report [...] --------------------------------------------- https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html ∗∗∗ Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability ∗∗∗ --------------------------------------------- At MDSec, we’re continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis. --------------------------------------------- https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook… ∗∗∗ Apple räumt ein: iOS-Dienste können VPN-Tunnel umgehen ∗∗∗ --------------------------------------------- iOS schleust bestimmten Datenverkehr an einer aktiven VPN-Verbindung vorbei, warnen Sicherheitsforscher seit Längerem. Das ist laut Apple so gewollt. --------------------------------------------- https://heise.de/-7545702 ∗∗∗ Patchday: Microsoft dichtet aktiv angegriffene Sicherheitslücken ab ∗∗∗ --------------------------------------------- Neben zwei aktiv missbrauchten Sicherheitslücken liefert Microsoft zum März-Patchday Aktualisierungen für zahlreiche Produkte. Sie schließen zig Schwachstellen. --------------------------------------------- https://heise.de/-7545903 ∗∗∗ Gefälschtes SMS von DHL stiehlt Ihre Kreditkartendaten ∗∗∗ --------------------------------------------- In der betrügerischen DHL-Nachricht steht, dass Ihr Paket Lieferprobleme hat. Das Problem kann gelöst werden, indem Sie auf den Link klicken. Klicken Sie nicht auf den Link. Sie werden auf eine nachgebaute DHL-Website gelockt, wo persönliche Infos und Kreditkartendaten abgefragt werden. In weiterer Folge wird Ihre Kreditkarte auf einem fremden Gerät für Apple Pay aktiviert. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-sms-von-dhl-stiehlt-ihr… ∗∗∗ Uncovering Windows Events ∗∗∗ --------------------------------------------- Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDR’s. One provider commonly that is leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the underlying mechanisms. One can use a similar process when trying to reverse other manifest-based ETW providers. This post isn’t a deep dive into how ETW works, [...] --------------------------------------------- https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54?source=r… ∗∗∗ Released: March 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server 2013 Exchange Server 2016 Exchange Server 2019 --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-20… ∗∗∗ How does malware spread? Top 5 ways malware gets into your network ∗∗∗ --------------------------------------------- Threat actors use a variety of channels to distribute malware. Discover the most common attack vectors and how to protect your organization from malware. --------------------------------------------- https://www.emsisoft.com/en/blog/43733/how-does-malware-spread-top-5-ways-m… ∗∗∗ A look at CVE-2023–23415 — a Windows ICMP vulnerability + mitigations which is not a cyber meltdown ∗∗∗ --------------------------------------------- Yesterday Microsoft dropped a patch for a vulnerability found by @hexnomad@infosec.exchange. It’s a great vuln, in theory allowing code execution over ICMP. It also sounds really scary, as it’s a high CVSS score in Windows OS on a commonly used protocol. --------------------------------------------- https://doublepulsar.com/a-look-at-cve-2023-23415-a-windows-icmp-vulnerabil… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Adobe schließt Zero-Day-Lücke und mehr als 100 Schwachstellen ∗∗∗ --------------------------------------------- Adobe dichtet am März-Patchday 106 Sicherheitslecks ab. Eine davon in Adobe ColdFusion missbrauchen Cyberkriminelle bereits in Angriffen. --------------------------------------------- https://heise.de/-7546150 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm). --------------------------------------------- https://lwn.net/Articles/926205/ ∗∗∗ SAP-Patchday enthält Updates für kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Der aktuelle Patchday von SAP beinhaltet mehrere Schwachstellen mit einem CVSS-Score >9.0. Insbesondere eine kritische Sicherheitslücke in SAP NetWeaver AS for Java (CVE-2023-23857) ist trivial ausnutzbar; sie erlaubt Angreifer:innen aufgrund unzureichender Authentifizierungsprüfungen weitreichenden Systemzugriff ohne jegliche Form von Authentifizierung. Weitere Schwachstellen (unter anderem CVE-2023-25616, CVE-2023-25617) ermöglichen entfernte Codeausführung. --------------------------------------------- https://cert.at/de/aktuelles/2023/3/sap-patchday-enthalt-updates-fur-kritis… ∗∗∗ ZDI-23-245: TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-245/ ∗∗∗ ZDI-23-244: TP-Link Archer AX21 tmpServer Command 0x422 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-244/ ∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500554-THINKPAD-BIOS-VULNERABI… ∗∗∗ AIX is affected by a denial of service (CVE-2022-45061) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963342 ∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager software component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963372 ∗∗∗ Multiple Vulnerabilities (CVE-2022-45693, CVE-2022-4568) affects CICS Transaction Gateway for Multiplatforms. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963612 ∗∗∗ Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963632 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2023
by Daily end-of-shift report 14 Mar '23

14 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Montag 13-03-2023 18:00 − Dienstag 14-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Cybercriminals exploit SVB collapse to steal money and data ∗∗∗ --------------------------------------------- The collapse of the Silicon Valley Bank (SVB) on March 10, 2023, has sent ripples of turbulence throughout the global financial system, but for hackers, scammers, and phishing campaigns, its becoming an excellent opportunity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercriminals-exploit-svb-c… ∗∗∗ HUNT_RTF_CVE_2023_21716.yar ∗∗∗ --------------------------------------------- Detects RTF documents with an inflated fonttable. Hunting for CVE-2023-21716 --------------------------------------------- https://github.com/SIFalcon/Detection/blob/main/Yara/Hunting/HUNT_RTF_CVE_2… ∗∗∗ Kali Purple: Die Linux-Distribution für Sicherheitsforscher wird defensiver ∗∗∗ --------------------------------------------- Kali Linux feiert Geburtstag und ist in der neuen Version 2023.1 erschienen. Das neue Kali Purple ist auf defensive Sicherheitstests spezialisiert. --------------------------------------------- https://heise.de/-7544725 ∗∗∗ Fortinet Finds Zero-Day Exploit in Government Attacks After Devices Detect Integrity Breach ∗∗∗ --------------------------------------------- Fortinet says recently patched FortiOS vulnerability was exploited in sophisticated attacks targeting government entities. --------------------------------------------- https://www.securityweek.com/fortinet-finds-zero-day-exploit-in-government-… ∗∗∗ Kaufen Sie keine Amazon-Paletten oder Mystery-Boxen ∗∗∗ --------------------------------------------- Auf Facebook und Instagram bewirbt der gefälschte Amazon-Shop „datinted.com“ „Amazon-Paletten“. Die Paletten, sogenannte Mystery-Boxen, beinhalten angeblich unterschiedliche Produkte wie Kopfhörer, Drohnen und Spielkonsolen – und das für weniger als 50 Euro. Wer bestellt, bekommt aber keine Ware und verliert sein Geld! --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-amazon-paletten-ode… ∗∗∗ Verbesserte Office-Makrosicherheit führt zu neuen Angriffsmethoden über OneNote & Co. ∗∗∗ --------------------------------------------- Seit Microsoft und Administratoren von Windows-Systemen mehr in die Makrosicherheit investieren, werden Angriffe über diesen Vektor schwieriger. Cyberkriminelle suchen nach neuen Wegen, um Malware an die Nutzer zu bringen. OneNote nimmt da eine prominente Position als Einfallstor ein – aber auch andere Dateien und die Mark of the Web-Schwachstelle in Windows werden neuerdings vermehr für Angriffe genutzt. --------------------------------------------- https://www.borncity.com/blog/2023/03/14/verbesserte-office-makrosicherheit… ∗∗∗ Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency ∗∗∗ --------------------------------------------- Cisco Talos has identified a new espionage oriented threat actor, which we are naming “YoroTrooper,” targeting a multitude of entities in Europe and Turkey. --------------------------------------------- https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turke… ∗∗∗ ZTNA vs VPN: Secure Remote Work and Access ∗∗∗ --------------------------------------------- Explore the drivers behind switching from VPN to Zero Trust Network Access (ZTNA) for any device access from anywhere. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/22/h/ztna-vs-vpn-secure-remote-work.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens Security Advisories 2023-03-14 ∗∗∗ --------------------------------------------- * SSA-847261 V1.1 (Last Update: 2023-03-14): Multiple SPP File Parsing Vulnerabilities in Tecnomatix Plant Simulation * https://cert-portal.siemens.com/productcert/html/ssa-847261.html * SSA-840800 V1.2 (Last Update: 2023-03-14): Code Injection Vulnerability in RUGGEDCOM ROS * https://cert-portal.siemens.com/productcert/html/ssa-840800.html * SSA-787941 V1.1 (Last Update: 2023-03-14): Denial of Service Vulnerability in RUGGEDCOM ROS V4 * https://cert-portal.siemens.com/productcert/html/ssa-787941.html * SSA-772220 V2.2 (Last Update: 2023-03-14): OpenSSL Vulnerabilities in Industrial Products * https://cert-portal.siemens.com/productcert/html/ssa-772220.html * SSA-764417 V1.7 (Last Update: 2023-03-14): Weak Encryption Vulnerability in RUGGEDCOM ROS Devices * https://cert-portal.siemens.com/productcert/html/ssa-764417.html * SSA-726834 V1.0: Denial of Service Vulnerability in the RADIUS Client of SIPROTEC 5 Devices * https://cert-portal.siemens.com/productcert/html/ssa-726834.html * SSA-712929 V1.8 (Last Update: 2023-03-14): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products * https://cert-portal.siemens.com/productcert/html/ssa-712929.html * SSA-700053 V1.1 (Last Update: 2023-03-14): Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go * https://cert-portal.siemens.com/productcert/html/ssa-700053.html * SSA-697140 V1.2 (Last Update: 2023-03-14): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products * https://cert-portal.siemens.com/productcert/html/ssa-697140.html * SSA-565386 V1.0: Third-Party Component Vulnerabilities in SCALANCE W-700 IEEE 802.11ax devices before V2.0 * https://cert-portal.siemens.com/productcert/html/ssa-565386.html * SSA-552702 V1.4 (Last Update: 2023-03-14): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products * https://cert-portal.siemens.com/productcert/html/ssa-552702.html * SSA-539476 V1.4 (Last Update: 2023-03-14): Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component strongSwan * https://cert-portal.siemens.com/productcert/html/ssa-539476.html * SSA-517377 V1.2 (Last Update: 2023-03-14): Multiple Vulnerabilities in the SRCS VPN Feature in SIMATIC CP Devices * https://cert-portal.siemens.com/productcert/html/ssa-517377.html * SSA-491245 V1.1 (Last Update: 2023-03-14): Multiple File Parsing Vulnerabilities in Solid Edge * https://cert-portal.siemens.com/productcert/html/ssa-491245.html * SSA-482757 V1.2 (Last Update: 2023-03-14): Missing Immutable Root of Trust in S7-1500 CPU devices * https://cert-portal.siemens.com/productcert/html/ssa-482757.html * SSA-476715 V1.1 (Last Update: 2023-03-14): Two Vulnerabilities in Automation License Manager * https://cert-portal.siemens.com/productcert/html/ssa-476715.html * SSB-439005 V5.1 (Last Update: 2023-03-14): Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP * https://cert-portal.siemens.com/productcert/html/ssb-439005.html * SSA-419740 V1.0: Multiple Third-Party Component Vulnerabilities in RUGGEDCOM and SCALANCE Products before V7.2 * https://cert-portal.siemens.com/productcert/html/ssa-419740.html * SSA-413565 V1.1 (Last Update: 2023-03-14): Multiple Vulnerabilities in SCALANCE Products * https://cert-portal.siemens.com/productcert/html/ssa-413565.html * SSA-324955 V2.0 (Last Update: 2023-03-14): SAD DNS Attack in Linux Based Products * https://cert-portal.siemens.com/productcert/html/ssa-324955.html * SSA-321292 V1.4 (Last Update: 2023-03-14): Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products * https://cert-portal.siemens.com/productcert/html/ssa-321292.html * SSA-320629 V1.0: Security Vulnerabilities Fixed in RUGGEDCOM CROSSBOW V5.3 * https://cert-portal.siemens.com/productcert/html/ssa-320629.html * SSA-260625 V1.0: Security Vulnerabilities Fixed in RUGGEDCOM CROSSBOW V5.2 * https://cert-portal.siemens.com/productcert/html/ssa-260625.html * SSA-256353 V1.3 (Last Update: 2023-03-14): Third-Party Component Vulnerabilities in RUGGEDCOM ROS * https://cert-portal.siemens.com/productcert/html/ssa-256353.html * SSA-250085 V1.2 (Last Update: 2023-03-14): Multiple Vulnerabilities in SINEC NMS and SINEMA Server * https://cert-portal.siemens.com/productcert/html/ssa-250085.html * SSA-244969 V1.9 (Last Update: 2023-03-14): OpenSSL Vulnerability in Industrial Products * https://cert-portal.siemens.com/productcert/html/ssa-244969.html * SSA-223771 V1.2 (Last Update: 2023-03-14): SISCO Stack Vulnerability in SIPROTEC 5 Devices * https://cert-portal.siemens.com/productcert/html/ssa-223771.html * SSA-203374 V1.0: Multiple OpenSSL Vulnerabilities in SCALANCE W1750D Devices * https://cert-portal.siemens.com/productcert/html/ssa-203374.html * SSA-941426 V1.4 (Last Update: 2023-03-14): Multiple LLDP Vulnerabilities in Industrial Products * https://cert-portal.siemens.com/productcert/html/ssa-941426.html * SSA-851884 V1.0: Authentication Bypass Vulnerability in Mendix SAML Module * https://cert-portal.siemens.com/productcert/html/ssa-851884.html --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2023-03#Sec… ∗∗∗ Dolibarr : unauthenticated contacts database theft ∗∗∗ --------------------------------------------- Our pentester discovered a critical vulnerability exploitable by an unauthenticated attacker. It provides access to a competitor’s entire customer file, prospects, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved. Very easy to exploit, it affects Dolibarr 16.x versions. --------------------------------------------- https://www.dsecbypass.com/en/dolibarr-pre-auth-contact-database-dump/ ∗∗∗ PaperCut MF/NG vulnerability bulletin (March 2023) ∗∗∗ --------------------------------------------- We have received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. We do not have any evidence of these vulnerabilities being used against customers at this point. --------------------------------------------- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 ∗∗∗ Schneider Elecronic Security Advisories 2023-03-14 ∗∗∗ --------------------------------------------- 3 new, 15 updated --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Patchday: SAP schließt 19 teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Zum März-Patchday hat SAP Sicherheitsnotizen zu 19 Sicherheitslücken veröffentlicht. Davon stuft der Hersteller fünf als kritisch ein. Updates stehen bereit. --------------------------------------------- https://heise.de/-7544782 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redis), Fedora (cairo, freetype, harfbuzz, and qt6-qtwebengine), Red Hat (kpatch-patch), SUSE (chromium, java-1_8_0-openj9, and nodejs18), and Ubuntu (chromium-browser, libxstream-java, php-twig, twig, protobuf, and python-werkzeug). --------------------------------------------- https://lwn.net/Articles/926083/ ∗∗∗ Android App "Wolt Delivery: Food and more" uses a hard-coded API key for an external service ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN64453490/ ∗∗∗ TXONE SECURITY BULLETIN: TXOne StellarOne Improper Access Control Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://success.trendmicro.com/dcx/s/solution/000292486?language=en_US ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in ENERGY AXC PU ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-003/ ∗∗∗ Lenovo System Update Elevation of Privileges Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500553-LENOVO-SYSTEM-UPDATE-EL… ∗∗∗ Lenovo XClarity Controller (XCC) Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500552-LENOVO-XCLARITY-CONTROL… ∗∗∗ A security vulnerability has been identified in IBM HTTP Server, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2023-26281) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963268 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition affects WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963278 ∗∗∗ Multiple vulnerabilities in Curl affect PowerSC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963308 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.03.2023
by Daily end-of-shift report 13 Mar '23

13 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-03-2023 18:00 − Montag 13-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Clop-Ransomware: Opfer der GoAnywhere-Attacken müssen jetzt zahlen ∗∗∗ --------------------------------------------- Aufgrund einer Sicherheitslücke in der Dateiübertragungslösung GoAnywhere MFT konnten Angreifer zuschlagen und erpressen nun Firmen. --------------------------------------------- https://heise.de/-7543629 ∗∗∗ Banking-Trojaner: 400 Einrichtungen im Visier von Android-Malware ∗∗∗ --------------------------------------------- IT-Forscher beobachten die Weiterentwicklung des Banking-Trojaners Xenomorph für Android. Inzwischen versteht er sich auf 400 Finanzinstitutionen. --------------------------------------------- https://heise.de/-7543682 ∗∗∗ Das Finanzamt versendet keine Pfändungsandrohung per SMS! ∗∗∗ --------------------------------------------- Aktuell werden erneut massenhaft Betrugs-SMS im Namen des Finanzamts versendet. Angeblich hätten Sie trotz mehrerer Mahnungen eine offene Forderung gegen Sie nicht bezahlt. Daher würde nun ein Gerichtsvollzieher Ihren Hausrat pfänden. Achtung: Bezahlen Sie die Forderung nicht! Die Nachricht stammt nicht vom Finanzamt und Ihr Geld landet bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/das-finanzamt-versendet-keine-pfaend… ∗∗∗ Security researchers targeted with new malware via job offers on LinkedIn ∗∗∗ --------------------------------------------- A suspected North Korean hacking group is targeting security researchers and media organizations in the U.S. and Europe with fake job offers that lead to the deployment of three new, custom malware families. --------------------------------------------- https://www.bleepingcomputer.com/news/security/security-researchers-targete… ∗∗∗ Medusa ransomware gang picks up steam as it targets companies worldwide ∗∗∗ --------------------------------------------- A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks… ∗∗∗ DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit ∗∗∗ --------------------------------------------- DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, including an open-source kit capable of circumventing MFA through reverse-proxy functionality. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-h… ∗∗∗ Overview of a Mirai Payload Generator, (Sat, Mar 11th) ∗∗∗ --------------------------------------------- The Mirai[1] botnet is active for years. It was the first botnet targeting devices running Linux like camera recorders. Our first diary about it was in 2016![2]. Still today, my honeypot is hit by hundreds of Mirai requests every day! I found a Python script that generates a Mirai payload (SHA256:f56391e9645df1058847e28af6918c64ddc344d9f328b3dde9015213d5efdc7e[3]) and deploys networking services to serve it via FTP, HTTP, and TFTP. Nothing very fancy but it will give you a good idea about how Linux hosts are abused to deliver malicious payloads. --------------------------------------------- https://isc.sans.edu/diary/rss/29624 ∗∗∗ BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads ∗∗∗ --------------------------------------------- The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire, the malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAPIs ChatGPT, Spotify, Tableau, and Zoom. --------------------------------------------- https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html ∗∗∗ "FakeGPT": New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs ∗∗∗ --------------------------------------------- A Chrome Extension propelling quick access to fake ChatGPT functionality was found to be hijacking Facebook accounts and installing hidden account backdoors. Particularly noticeable is the use of a malevolent silently forced Facebook app “backdoor” giving the threat actors super-admin permissions. --------------------------------------------- https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-… ∗∗∗ Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware ∗∗∗ --------------------------------------------- Since November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users. --------------------------------------------- https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-t… ∗∗∗ Persistence - Context Menu ∗∗∗ --------------------------------------------- Context menu provides shortcuts to the user in order to perform a number of actions. The context menu is invoked with a right mouse click and it is a very common action for every Windows user. In offensive operations this action could be weaponized for persistence by executing shellcode every time the user attempts to use the context menu. --------------------------------------------- https://pentestlab.blog/2023/03/13/persistence-context-menu/ ∗∗∗ CISA Warns of Plex Vulnerability Linked to LastPass Hack ∗∗∗ --------------------------------------------- CISA has added vulnerabilities in Plex Media Server and VMware NSX-V to its Known Exploited Vulnerabilities catalog. --------------------------------------------- https://www.securityweek.com/cisa-warns-of-plex-vulnerability-linked-to-las… ===================== = Vulnerabilities = ===================== ∗∗∗ Clipchamp ( Microsoft Office Product) - Google IAP Authorization bypass allowed access to Internal Environment Leading to Zero Interaction Account takeover ∗∗∗ --------------------------------------------- [...] After further research it was discovered that the authorization checks are only at the front end https://app.*.clipchamp.com/ and not while invoking the /v2/ API endpoints with the expected parameters. Enumerating all the internal endpoints it was found that the https://app.smoke.clipchamp.com/v2 was leaking the JWT Authentication Bearer Token for any attacker-provided user on the platform leading to Zero Interaction Account takeover for any ClipChamp user on the Smoke Env. --------------------------------------------- https://blog.agilehunt.com/blogs/security/msrc-critical-google-iap-authoriz… ∗∗∗ Kritische Sicherheitslücken: Lexmark aktualisiert Firmware für viele Drucker ∗∗∗ --------------------------------------------- Diverse Drucker von Lexmark haben kritische Sicherheitslücken, die Angreifern das Ausführen von Schadcode ermöglichen. Updates stehen schon bereit. --------------------------------------------- https://heise.de/-7543959 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imagemagick, libapache2-mod-auth-mellon, mpv, rails, and ruby-sidekiq), Fedora (chromium, dcmtk, and strongswan), Mageia (chromium-browser-stable, dcmtk, kernel, kernel-linus, libreswan, microcode, redis, and tmux), SUSE (postgresql14 and python39), and Ubuntu (linux-kvm, linux-raspi-5.4, and thunderbird). --------------------------------------------- https://lwn.net/Articles/925987/ ∗∗∗ Shodan Verified Vulns 2023-03-01 ∗∗∗ --------------------------------------------- Mit Stand 2023-03-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] Die Schwachstellen CVE-2021-43798 (Grafana Path Traversal Vulnerability) und CVE-2022-32548 (DrayTek Authentication Bypass Vulnerability) sind nun wieder in den Daten von Shodan enthalten. Im Vormonat fehlten diese Daten. Verglichen mit den Daten von Jänner 2023 sind keine auffälligen Änderungen zu erkennen. Ähnlich verhält sich die Schwachstelle CVE-2022-36804 [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/3/shodan-verified-vulns-2023-03-01 ∗∗∗ IBM Security Bulletins 2023-03-13 ∗∗∗ --------------------------------------------- * A vulnerability (CVE-2022-21299) in IBM Java Runtime affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition * A vulnerability has been identified in IBM Spectrum Scale which could allow unauthorized access to user data or injection of arbitrary data in the communication protocol (CVE-2020-4927) * EBICS Client of IBM Sterling B2B Interator vulnerable to multiple issues due to jQuery * IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364) * IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758) * IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509) * IBM Security Guardium is affected by multiple vulnerabilities * IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Santuario XML Security for Java (CVE-2021-40690, CVE-2014-8152) * IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Security (CVE-2022-31692, CVE-2022-22978) * June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition * Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. * Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition * Multiple Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-21628, CVE-2022-21626) * Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023 * SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * The dashboard UI of IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-22876) * There is a vulnerability in Apache Commons BCEL used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-42920) * Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1) * Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1) * Vulnerability in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-3509, CVE-2022-3171) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ [R1] Tenable Plugin Feed ID #202212081952 Fixes Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-14 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2023
by Daily end-of-shift report 10 Mar '23

10 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-03-2023 18:00 − Freitag 10-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Security: Github führt verpflichtende 2FA ein ∗∗∗ --------------------------------------------- Wer von Github ausgewählt wurde, muss die Zwei-Faktor-Authentifizierung (2FA) innerhalb von 45 Tagen einrichten. --------------------------------------------- https://www.golem.de/news/security-github-fuehrt-verpflichtende-2fa-ein-230… ∗∗∗ Schwachstellen in Bitwarden Password-Manager-Browserweiterung können Passwörter verraten ∗∗∗ --------------------------------------------- Nutzer des Passwort-Managers Bitwarden laufen in das Risiko, dass die Auto-Fill-Funktion beim Besuch von Webseiten Anmeldeinformationen leckt. Bösartige Webseiten könnten über ein in vertrauenswürdigen Seiten eingebettetes IFRAME Anmeldeinformation stehlen und an einen Angreifer senden. --------------------------------------------- https://www.borncity.com/blog/2023/03/10/schwachstellen-in-bitwarden-passwo… ∗∗∗ New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic ∗∗∗ --------------------------------------------- The infamous cryptocurrency miner group called 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. According to Fortinet FortiGuard Labs, the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt. --------------------------------------------- https://thehackernews.com/2023/03/new-scrubcrypt-crypter-used-in.html ∗∗∗ EJS - Server Side Prototype Pollution gadgets to RCE ∗∗∗ --------------------------------------------- Last month (February 2023), I took a look into NodeJS HTML templating libraries. During my research, I found an interesting Server Side Prototype Pollution (SSPP) gadget in the EJS library which can be leveraged to RCE. After finding this issue, I spent a week searching for an SSPP in express core or dependencies, but I didnt find any issue. Thats why, after reporting this issue to the repository maintainer, Im making an article to explain technical details. --------------------------------------------- https://mizu.re/post/ejs-server-side-prototype-pollution-gadgets-to-rce ∗∗∗ How to Avoid LDAP Injection Attacks ∗∗∗ --------------------------------------------- The key vulnerability that puts an application at risk of LDAP injection is improperly processed user input. Applications that don’t sanitize or validate user input are open to LDAP injection attacks because of the structure of LDAP statements and queries. --------------------------------------------- https://www.trendmicro.com/en_us/devops/23/c/avoid-ldap-injection-attacks.h… ∗∗∗ The Silent Spy Among Us: Modern Attacks Against Smart Intercoms ∗∗∗ --------------------------------------------- What started out as a journey to learn more about a new smart intercom inside the Claroty offices turned into an expansive Team82 research project that uncovered 13 vulnerabilities in the popular Akuvox E11. The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold. --------------------------------------------- https://claroty.com/team82/research/the-silent-spy-among-us-modern-attacks-… ∗∗∗ Multi-Technology Script Leading to Browser Hijacking ∗∗∗ --------------------------------------------- [..] in the real world, malware samples use multiple technologies to perform malicious actions. I spotted a VBScript file (I don’t know where it’s coming from, probably a phishing campaign). The script has been flagged by only one(!) AV product on VT --------------------------------------------- https://isc.sans.edu/diary/rss/29620 ∗∗∗ The oldest privesc: injecting careless administrators terminals using TTY pushback ∗∗∗ --------------------------------------------- This trick is possibly the oldest security bug that still exists today, it’s been traced as far back as 1985. It’s been discovered and rediscovered and re-rediscovered by sysadmins, developpers and pentesters every few years for close to 4 decades now. It’s been subject to multiple developper battles, countless posts, but still remains largely forgotten. This is just another attempt at shedding light on it, for both attackers and defenders. --------------------------------------------- https://www.errno.fr/TTYPushback.html ∗∗∗ When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About ∗∗∗ --------------------------------------------- Multi-factor Authentication (MFA) has long ago become a standard security practice. [..] While compatible with RDP connection and local desktop logins, they offer no protection to remote command line access tools like PsExec, Remote PowerShell and their likes. [..] In this article well explore this blind spot, understand its root cause and implications, and view the different options security teams can overcome it to maintain their environments protected. --------------------------------------------- https://thehackernews.com/2023/03/when-partial-protection-is-zero.html ∗∗∗ Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation) ∗∗∗ --------------------------------------------- The ssh-keygen command can be used to load a shared library with the -D flag. This can be useful for privilege escalation (described in this blog post), or to translate to arbitrary code execution from argument injection, file overwrites, etc. --------------------------------------------- https://seanpesce.blogspot.com/2023/03/leveraging-ssh-keygen-for-arbitrary.… ∗∗∗ Unauthorized access to Codespace secrets in GitHub ∗∗∗ --------------------------------------------- We identified a security issue in GitHub’s Repository Security Advisory feature (https://docs.github.com/en/code-security/security-advisories/repository-sec…) that allowed us to retrieve plaintext Codespace secrets of any organization including GitHub. --------------------------------------------- https://ophionsecurity.com/blog/access-organization-secrets-in-github ∗∗∗ Pirated copies of Final Cut Pro infect Macs with cryptojacking malware ∗∗∗ --------------------------------------------- Torrents on The Pirate Bay which claim to contain Final Cut Pro are instead being used to distribute malware, designed to infect your Mac with cryptojacking malware. --------------------------------------------- https://grahamcluley.com/pirated-copies-of-final-cut-pro-infect-macs-with-c… ∗∗∗ GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers ∗∗∗ --------------------------------------------- New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility. --------------------------------------------- https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ ∗∗∗ Netcat Attack Cases Targeting MS-SQL Servers (LOLBins) ∗∗∗ --------------------------------------------- ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol. Due to its various features and ability to be used on both Linux and Windows, it is utilized by network managers and threat actors alike. --------------------------------------------- https://asec.ahnlab.com/en/49249/ ∗∗∗ Everything You Didn’t Know About Cross-Account and Cross-Cloud Provider Attacks ∗∗∗ --------------------------------------------- Wait, did you say ‘Cross-Cloud Provider Attacks’? Yes, this is actually a growing type of attack path: As organizations increasingly adopt multiple cloud platforms, their lack of security visibility across the clouds makes them a sitting target for these types of attacks. --------------------------------------------- https://orca.security/resources/blog/cross-account-cross-provider-attack-pa… ∗∗∗ Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices ∗∗∗ --------------------------------------------- Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades. --------------------------------------------- https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and wireless-regdb), Fedora (caddy, python-cryptography, and redis), Oracle (gnutls), SUSE (hdf5, opera, python-Django, redis, tomcat, and xen), and Ubuntu (apache2 and snakeyaml). --------------------------------------------- https://lwn.net/Articles/925840/ ∗∗∗ IBM Security Bulletins 2023-03-10 ∗∗∗ --------------------------------------------- * Apache Commons Beanutils (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2019-10086, CVE-2014-0114) * Apache Commons FileUpload (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2023-24998) * Apache Commons IO (Publicly disclosed vulnerability) Affects IBM eDiscovery Manager (CVE-2021-29425) * IBM MQ is affected by a vulnerability in Apache Commons Net (CVE-2021-37533) * IBM QRadar WinCollect agent has multiple vulnerabilities * IBM QRadar Wincollect agent is vulnerable to server side request forgery (SSRF) (CVE-2022-43879) * IBM SDK, Java Technology Edition, Security Update February 2023 * multiple vulnerabilities in Java SE may affect CICS TX Advanced * multiple vulnerabilities in Java SE may affect CICS TX Standard * multiple vulnerabilities in Java SE may affect TXSeries for Multiplatforms * server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Advanced * server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Standard * server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect TXSeries for Multiplatforms * vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Advanced * vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Standard * vulnerability in Apache James MIME4J (CVE-2022-45787) may affect TXSeries for Multiplatforms * Watson CP4D Data Stores is vulnerable to jackson-databind due to FasterXML jackson-databind before 2.14.0-rc1 ( CVE-2022-42003 ) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ [R1] Nessus Agent Version 10.3.2 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-12 ∗∗∗ [R1] Nessus Agent Version 8.3.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-13 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.03.2023
by Daily end-of-shift report 09 Mar '23

09 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-03-2023 18:00 − Donnerstag 09-03-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft Word RCE-Lücke könnte auch Microsoft Outlook betreffen ∗∗∗ --------------------------------------------- Laut einem Bericht bei borncity könnte die mit dem Februar-Patchday gefixte Remote Code Execution - Lücke in Microsoft Word auch Microsoft Outlook (zumindest 2013) betreffen - auch wenn die Februar-Patches eingespielt wurden. Noch sind nicht alle Details dazu klar, wir raten Outlook-Nutzer:innen momentan aber trotzdem dringend dazu die Empfehlungen von Microsoft dazu umzusetzen, und Outlook so zu konfigurieren, dass Mails als reiner Text dargestellt werden. --------------------------------------------- https://cert.at/de/aktuelles/2023/3/microsoft-word-rce-lucke-konnte-auch-mi… ∗∗∗ IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks ∗∗∗ --------------------------------------------- A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. --------------------------------------------- https://thehackernews.com/2023/03/icefire-linux-ransomware.html ∗∗∗ Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware ∗∗∗ --------------------------------------------- Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a new analysis, said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems. --------------------------------------------- https://thehackernews.com/2023/03/hackers-exploiting-remote-desktop.html ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009 ∗∗∗ --------------------------------------------- This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it. If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.7 --------------------------------------------- https://www.drupal.org/sa-contrib-2023-009 ∗∗∗ Oracle Database Vault Protected Table With Realm Data Extraction Vulnerability ∗∗∗ --------------------------------------------- This security issue is fixed from 21c on-wards [ I think back-port patch was released in October 2022 CPU cycle]. Still Exists in 19c (so far from version 19.18 and below). DB Vault is a security feature in Oracle that attempts to restrict “SYS” account power , in addition DB Vault will ensure seperation of duties in place such as account management and authorization can’t be performed by the DBA through SYS account anymore. --------------------------------------------- https://databasesecurityninja.wordpress.com/2023/03/07/oracle-database-vaul… ∗∗∗ Ivanti Avalanche: Security Alert - CVE-2022-44574 – Authentication Bypass for Remote Control RCServlet ∗∗∗ --------------------------------------------- This vulnerability enables an attacker to overwrite credentials which gives access to a Web Panel. This vulnerability affects all Avalanche Premise versions 6.3.x and below. This vulnerability has a CVE score of 6.5. --------------------------------------------- https://forums.ivanti.com/s/article/Avalanche-ZDI-CAN-19513-Security-Adviso… ∗∗∗ Foxit PDF Editor: Lücken erlauben einschleusen von Schadcode ∗∗∗ --------------------------------------------- Sicherheitslücken in Foxit PDF Editor ermöglichen Angreifern, mit manipulierten PDF-Dateien Schadcode einzuschmuggeln und auszuführen. Ein Update steht bereit. --------------------------------------------- https://heise.de/-7540068 ∗∗∗ Home Assistant: Sicherheitslücke entdeckt und geschlossen ∗∗∗ --------------------------------------------- Wer den Home Assistant mit Supervisor benutzt, sollte sein System jetzt aktualisieren. Ansonsten könnten Eindringlinge sich daran zu schaffen machen. --------------------------------------------- https://heise.de/-7540500 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel, pesign, samba, and zlib), Oracle (kernel), Slackware (httpd), SUSE (emacs, libxslt, nodejs12, nodejs14, nodejs16, openssl, poppler, python-py, python-wheel, xen, and xorg-x11-server), and Ubuntu (linux-gcp-5.4, linux-gkeop, opusfile, and samba). --------------------------------------------- https://lwn.net/Articles/925723/ ∗∗∗ Cloud Pak for Security uses packages that are vulnerable to multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6551876 ∗∗∗ IBM Liberty for Java for IBM Cloud is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962195 ∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959969 ∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962201 ∗∗∗ A vulnerability exists in IBM Robotic Process Automation where Queue Provider credentials are not obfuscated during editing (CVE-2023-25680) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962207 ∗∗∗ IBM Robotic Process Automation for Cloud Pak may be vulnerable to a denial of service due to ISC BIND (CVE-2022-38177, CVE-2022-38178). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962223 ∗∗∗ Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6536732 ∗∗∗ Multiple Vulnerabilities in IBM HTTP Server affect WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962383 ∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962407 ∗∗∗ June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962411 ∗∗∗ z\/Transaction Processing Facility is affected by vulnerabilities in the Apache Kafka (kafka-clients) and cryptography packages ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962437 ∗∗∗ IBM Liberty for Java for IBM Cloud is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962195 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to incorrect default permissions (CVE-2022-46774) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962455 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2023
by Daily end-of-shift report 08 Mar '23

08 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-03-2023 18:00 − Mittwoch 08-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ What is a Website Defacement? ∗∗∗ --------------------------------------------- Defacement is easily one the most obvious signs of a hacked website. In these attacks, bad actors gain unauthorized access to an environment and leave their mark through digital vandalism, altering its visual appearance or content in the process. --------------------------------------------- https://blog.sucuri.net/2023/03/what-is-website-defacement.html ∗∗∗ Persistence – Event Log Online Help ∗∗∗ --------------------------------------------- Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is used mainly for troubleshooting windows errors by administrators could be also used as a form a persistence during red team operations. --------------------------------------------- https://pentestlab.blog/2023/03/07/persistence-event-log-online-help/ ∗∗∗ „Lidl Frauentagsgeschenk“: Fake-Gewinnspiel zum Frauentag ∗∗∗ --------------------------------------------- Derzeit verbreiten WhatsApp-, Messenger- oder Viber-Nutzer:innen unwissentlich einen Link mit einem betrügerischen Gewinnspiel unter ihren Kontakten. Angeblich verlost die Supermarktkette „Lidl“ anlässlich des Frauentags am 8.März „viele Geldgeschenke“, wie es in der Nachricht heißt. Klicken Sie nicht auf den Link. Kriminelle versuchen Schadsoftware auf Ihrem Gerät zu installieren! --------------------------------------------- https://www.watchlist-internet.at/news/lidl-frauentagsgeschenk-fake-gewinns… ∗∗∗ GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP ∗∗∗ --------------------------------------------- ASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the specific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP due to the various pieces of evidence gathered from the infection logs. --------------------------------------------- https://asec.ahnlab.com/en/48940/ ===================== = Vulnerabilities = ===================== ∗∗∗ Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002) ∗∗∗ --------------------------------------------- Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to login as any Site Member or System User. --------------------------------------------- https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html ∗∗∗ ABB Substation management unit COM600 IEC-104 protocol stack vulnerability ∗∗∗ --------------------------------------------- Hitachi Energy disclosed a vulnerability (CVE-2022-29492) that affects certain HE products. This vulnerability also affects the IEC 68070-5-104 (IEC-104) protocol stack of ABB Substation Management Unit COM600. Subsequently, a successful exploit could allow attackers to cause a denial-of-service attack against the COM600 product. --------------------------------------------- https://web.apsis.one/wve/68c20aba-1b85-416f-bf3f-ce8b1779c260 ∗∗∗ CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE ∗∗∗ --------------------------------------------- Aqua Nautilus researchers have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victims Jenkins server, potentially leading to a complete compromise of the Jenkins server. --------------------------------------------- https://blog.aquasec.com/jenkins-server-vulnerabilities ∗∗∗ Problematische Sicherheitslücke in Apples GarageBand ∗∗∗ --------------------------------------------- Die kostenlose Musikproduktionssoftware von Apple lässt sich offenbar angreifen. Nutzer unter macOS sollten schnell aktualisieren. --------------------------------------------- https://heise.de/-7538801 ∗∗∗ Patchday: Fortinet dichtet 15 Schwachstellen ab, davon eine kritische ∗∗∗ --------------------------------------------- Der Patchday bei Fortinet bringt IT-Verantwortlichen Updates zum Schließen von 15 Sicherheitslücken. Eine davon ist kritisch und erlaubt Einschleusen von Code. --------------------------------------------- https://heise.de/-7538910 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apr), Fedora (c-ares), Oracle (curl, kernel, pesign, samba, and zlib), Red Hat (curl, gnutls, kernel, kernel-rt, and pesign), Scientific Linux (kernel, pesign, samba, and zlib), SUSE (libX11, python-rsa, python3, python36, qemu, rubygem-rack, xorg-x11-server, and xwayland), and Ubuntu (libtpms, linux-ibm, linux-raspi, linux-raspi, python3.7, python3.8, and sofia-sip). --------------------------------------------- https://lwn.net/Articles/925606/ IBM Security Bulletins 2023-03-08 --------------------------------------------- IBM Robotic Process Automation, IBM WebSphere, IBM MQ, Financial Transaction Manager, IBM VM Recovery Manager, IBM Aspera faspio Gateway, IBM Security Verify Bridge, IBM Spectrum Scale, IBM Security Guardium. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Veeam fixt kritische Schwachstelle CVE-2023-27532 in Backup & Replication V11a/V12 ∗∗∗ --------------------------------------------- Kleiner Hinweis für Nutzer der Backup-Software des Herstellers Veeam. Dieser hat zum 7. März 2023 eine kritische Schwachstelle (CVE-2023-27532) in seinem Produkt Backup & Replication in den Versionen V11a/V12 per Update behoben. --------------------------------------------- https://www.borncity.com/blog/2023/03/08/veeam-fixt-kritische-schwachstelle… ∗∗∗ Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN82424996/ ∗∗∗ Cisco IOS XR Software for ASR 9000 Series Routers Bidirectional Forwarding Detection Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Nessus Version 10.4.3 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-11 ∗∗∗ [R1] Nessus Version 8.15.9 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-10 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2023
by Daily end-of-shift report 07 Mar '23

07 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Montag 06-03-2023 18:00 − Dienstag 07-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Proof-of-Concept released for critical Microsoft Word RCE bug ∗∗∗ --------------------------------------------- A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. --------------------------------------------- https://www.bleepingcomputer.com/news/security/proof-of-concept-released-fo… ∗∗∗ Old Windows ‘Mock Folders’ UAC bypass used to drop malware ∗∗∗ --------------------------------------------- A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac… ∗∗∗ Sheins Android App Caught Transmitting Clipboard Data to Remote Servers ∗∗∗ --------------------------------------------- An older version of Sheins Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server.The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022. --------------------------------------------- https://thehackernews.com/2023/03/sheins-android-app-caught-transmitting.ht… ∗∗∗ SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors."The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report [..] --------------------------------------------- https://thehackernews.com/2023/03/sys01stealer-new-threat-using-facebook.ht… ∗∗∗ Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing ∗∗∗ --------------------------------------------- Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V). --------------------------------------------- https://www.securityweek.com/exploitation-of-critical-vulnerability-in-end-… ∗∗∗ Werbung für neue Fake-Investment-Plattform "TradeGPT" auf Facebook, Instagram & Co. ∗∗∗ --------------------------------------------- Kriminelle bewerben auf Instagram, Facebook und Co. betrügerische Investitionsplattformen wie trade-gpt.ai oder financialpronews.com. In den Fake-Beiträgen wird eine neue Trading-Plattform, entwickelt von Elon Musk und OpenAI, vorgestellt. Die Plattform mit dem Namen "TradeGPT" erleichtert angeblich „einfachen Menschen“ den Einstieg in den Aktien- und Rohstoffhandel. Die Plattform hat nichts mit Elon Musk oder OpenAI zu tun und ist betrügerisch! --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-neue-fake-investment-pl… ∗∗∗ Betrugsmasche gegen Verrechnung ∗∗∗ --------------------------------------------- Certitude nimmt eine Häufung von Online-Betrug gegen die Verrechnungsabteilungen von österreichischen Unternehmen wahr. Angreifer erwirken die Änderungen der Kontodaten von Lieferanten bei deren Kunden durch Social Engineering per E-Mail. Häufig betragen die Schadenssummen mehrere hunderttausend Euro und führen zu Rechtsstreitigkeiten zwischen den betroffenen Unternehmen. --------------------------------------------- https://certitude.consulting/blog/de/betrugsmasche-gegen-verrechnung/ ∗∗∗ Using Memory Analysis to Detect EDR-Nullifying Malware ∗∗∗ --------------------------------------------- One tool Trend Micro described, dubbed “AVBurner”, used a technique to patch process-creation callbacks in kernel memory to nullify security software running on a victim system. [..] Volexity conducted research and testing to determine ways this technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis. --------------------------------------------- https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-ed… ===================== = Vulnerabilities = ===================== ∗∗∗ Benutzt hier jemand SHA-3? Die Referenzimplementation ... ∗∗∗ --------------------------------------------- Benutzt hier jemand SHA-3? Die Referenzimplementation hat einen Integer Overflow. --------------------------------------------- http://blog.fefe.de/?ts=9af9c7a3 ∗∗∗ Multiple vulnerabilities in PostgreSQL extension module pg_ivm ∗∗∗ --------------------------------------------- * Exposure of sensitive information to an unauthorized actor - CVE-2023-22847 * Uncontrolled search path element - CVE-2023-23554 --------------------------------------------- https://jvn.jp/en/jp/JVN19872280/ ∗∗∗ ZDI-23-212: Open Design Alliance (ODA) Drawing SDK DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open Design Alliance (ODA) Drawing SDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-212/ ∗∗∗ ZDI-23-214: NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-214/ ∗∗∗ Patchday: Kritische System-Lücken bedrohen Android 11, 12 und 13 ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für Android-Geräte veröffentlicht. Im schlimmsten Fall könnten Angreifer Schadcode ausführen. --------------------------------------------- https://heise.de/-7537197 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kopanocore), Fedora (golang-github-projectdiscovery-chaos-client, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, and usd), Oracle (libjpeg-turbo and pesign), Red Hat (kernel, kernel-rt, kpatch-patch, osp-director-downloader-container, pesign, rh-mysql80-mysql, samba, and zlib), SUSE (mariadb), and Ubuntu (fribidi, gmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-4.15, linux-kvm, linux-raspi2, linux-snapdragon, linux-raspi, nss, python3.6, rsync, systemd, and tiff). --------------------------------------------- https://lwn.net/Articles/925469/ ∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-053/ ∗∗∗ WordPress BuddyForms Plugin — Unauthenticated Insecure Deserialization (CVE-2023–26326) ∗∗∗ --------------------------------------------- https://medium.com/tenable-techblog/wordpress-buddyforms-plugin-unauthentic… ∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959969 ∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952319 ∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959369 ∗∗∗ IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960473 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Groovy ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960481 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Camel ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960485 ∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960493 ∗∗∗ IBM Observability with Instana (OnPrem) affected by OpenSSL vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960495 ∗∗∗ IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960511 ∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6828569 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2023
by Daily end-of-shift report 06 Mar '23

06 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-03-2023 18:00 − Montag 06-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fake-Shops fälschen Zahlung mit Klarna ∗∗∗ --------------------------------------------- Die Fake-Shops scheubner.net und profibikes.de wirken sehr professionell. Vor allem die Möglichkeit mit Klarna zu bezahlen, wiegt viele in Sicherheit. Die Shops fälschen aber den Klarna-Zahlungsprozess. Geben Sie Ihre Zugangsdaten auf der nachgebauten Klarna-Zahlungsseite ein, landen diese bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-faelschen-zahlung-mit-kla… ∗∗∗ DCOM-Härtung (CVE-2021-26414) zum 14. März 2023-Patchday für Windows 10/11 und Server ∗∗∗ --------------------------------------------- Kleine Erinnerung für Administratoren von Windows in Unternehmensumgebungen. In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle (Windows DCOM Server Security Feature Bypass, CVE-2021-26414), die eine Umgehung der Sicherheitsfunktionen ermöglichte. Microsoft hat das 2021 dokumentiert, und dann auch gepatcht, wobei das Schließen dieser Schwachstelle in mehreren Stufen erfolgt. Kürzlich wurde ich erinnert, dass Microsoft am 14. März 2023 einen letzten Patch freigeben wird, der die Möglichkeit zum Abschalten dieser DCOM-Härtung entfernt. --------------------------------------------- https://www.borncity.com/blog/2023/03/05/dcom-hrtung-cve-2021-26414-zum-14-… ∗∗∗ Magbo Spam Injection Encoded with hex2bin ∗∗∗ --------------------------------------------- We recently had a new client come to us with a rather peculiar issue on their WordPress website: They were receiving unwanted popup advertisements but only when the website was accessed through links posted on FaceBook. Initially we thought that this must be a rogue ad coming through an otherwise legitimate advertising network but it turned out to be a very well crafted and hidden spam injection. --------------------------------------------- https://blog.sucuri.net/2023/03/magbo-spam-injection-encoded-with-hex2bin.h… ∗∗∗ New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims ∗∗∗ --------------------------------------------- A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packet [...] --------------------------------------------- https://thehackernews.com/2023/03/new-hiatusrat-malware-targets-business.ht… ∗∗∗ How to prevent Microsoft OneNote files from infecting Windows with malware ∗∗∗ --------------------------------------------- The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the .one file extension at your secure mail gateways or mail servers. However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-one… ∗∗∗ Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears ∗∗∗ --------------------------------------------- In this blog post, we tell a tale of how we discovered a novel attack against ECDSA and how we applied it to datasets we found in the wild, including the Bitcoin and Ethereum networks. [...] We cover our journey, findings, and the rabbit holes we explored. We also provide an academic paper with the details of the attack and open-source code implementing it, so people building software and products using ECDSA can ensure they do not have this vulnerability in their systems. --------------------------------------------- https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-nove… ===================== = Vulnerabilities = ===================== ∗∗∗ strongSwan Vulnerability (CVE-2023-26463) ∗∗∗ --------------------------------------------- A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected. [...] The just released strongSwan 5.9.10 fixes this vulnerability. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets. --------------------------------------------- https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-20… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, libde265, libreswan, spip, syslog-ng, and xfig), Fedora (edk2, libtpms, python-django3, stb, sudo, vim, and xen), Red Hat (libjpeg-turbo and pesign), SUSE (kernel, python36, samba, and trivy), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-oracle, linux-aws-hwe, linux-oracle, and linux-bluefield). --------------------------------------------- https://lwn.net/Articles/925323/ ∗∗∗ Multiple Vulnerabilities in Arris DG3450 Cable Gateway ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959963 ∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959969 ∗∗∗ IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959973 ∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952319 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-26281) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960159 ∗∗∗ Vulnerability in the Golang language affects IBM Event Streams (CVE-2022-3064) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960175 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands may be vulnerable to cross-site scripting due to IBM X-Force ID 239963 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960189 ∗∗∗ Insufficient authorization check in IBM supplied MQ Advanced for Integration container image (CVE-2023-26284) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960201 ∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960211 ∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability ( CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960215 ∗∗∗ IBM Security Guardium is affected by an out-of-bounds access issue vulnerability (CVE-2022-2319, CVE-2022-2320) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960213 ∗∗∗ Vulnerabilities in OpenSSL affect Bluemix Workflow (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-204, CVE-2015-205, CVE-2015-206) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/258535 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect Bluemix Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/258547 ∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix October 2015 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/273103 ∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix April 2016 (CVE-2016-3426) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/278361 ∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix January 2016 (CVE-2015-7575, CVE-2016-0466, CVE-2016-0475) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/541019 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.03.2023
by Daily end-of-shift report 03 Mar '23

03 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-03-2023 18:00 − Freitag 03-03-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FBI and CISA warn of increasing Royal ransomware attack risks ∗∗∗ --------------------------------------------- CISA and the FBI have issued a joint advisory highlighting the increasing threat behind ongoing Royal ransomware attacks targeting many U.S. critical infrastructure sectors, including healthcare, communications, and education. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-increas… ∗∗∗ Persistence Techniques That Persist ∗∗∗ --------------------------------------------- In this blog post, we will focus on how malware can achieve persistence by abusing the Windows Registry. Specifically, we will focus on lesser-known techniques, many of which have been around since the days of Windows XP and are just as effective today on Windows 10 and 11. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/persistence-techniq… ∗∗∗ NIST Cybersecurity Framework 2.0: Aktualisierte Leitlinien gegen Cybercrime ∗∗∗ --------------------------------------------- Weil sich die IT-Angriffslandschaft stetig ändert, hat das US-amerikanische Institute of Standards and Technology sein Cybersecurity-Framework aktualisiert. --------------------------------------------- https://heise.de/-7534206 ∗∗∗ FAQ: Welche Cyberangriffe es gibt und wie sich Risiken vermeiden lassen ∗∗∗ --------------------------------------------- Cyberangriffe können jeden betreffen, doch mit ein paar einfachen Maßnahmen können Sie Ihr persönliches Risiko zumindest minimieren. --------------------------------------------- https://heise.de/-7523370 ∗∗∗ Thousands of Websites Hijacked Using Compromised FTP Credentials ∗∗∗ --------------------------------------------- Cybersecurity startup Wiz warns of a widespread redirection campaign in which thousands of websites have been compromised using legitimate FTP credentials. --------------------------------------------- https://www.securityweek.com/thousands-of-websites-hijacked-using-compromis… ∗∗∗ Of Degens and Defrauders: Using Open-Source Investigative Tools to Investigate Decentralized Finance Frauds and Money Laundering. (arXiv:2303.00810v1 [cs.CR]) ∗∗∗ --------------------------------------------- This study demonstrates how open-source investigative tools can extract transaction-based evidence that could be used in a court of law to prosecute DeFi frauds. Additionally, we investigate how these funds are subsequently laundered. --------------------------------------------- http://arxiv.org/abs/2303.00810 ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2023-03-03 ∗∗∗ --------------------------------------------- IBM Cloud Pak, IBM Financial Transaction Manager, Operations Dashboard, IBM App Connect Enterprise Certified Container, IBM Sterling Connect:Express, IBM HTTP Server, IBM Spectrum Control, IBM Aspera Faspex, IBM SAN, IBM Storwize, IBM Spectrum Virtualize, IBM FlashSystem, IBM Maximo, IBM WebSphere Remote Server, IBM Business Automation Workflow, Rational Functional Tester. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Schadcode-Attacken auf HPE Serviceguard unter Linux möglich ∗∗∗ --------------------------------------------- Die Entwickler haben in Serviceguard for Linux von HPE drei Sicherheitslücken geschlossen. Abgesicherte Version stehen zum Download bereit. --------------------------------------------- https://heise.de/-7534361 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-5.10 and node-css-what), SUSE (gnutls, google-guest-agent, google-osconfig-agent, nodejs10, nodejs14, nodejs16, opera, pkgconf, python-cryptography, python-cryptography-vectors, rubygem-activesupport-4_2, thunderbird, and tpm2-0-tss), and Ubuntu (git, kernel, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-lowlatency, linux-oracle, linux-azure-fde, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, php7.0, python-pip, ruby-rack, spip, and sudo). --------------------------------------------- https://lwn.net/Articles/925060/ ∗∗∗ Lücken in Intel-CPUs: Microsoft veröffentlicht außerplanmäßiges Sicherheitsupdate ∗∗∗ --------------------------------------------- Es soll insgesamt vier Lücken stopfen. Die Schwachstellen sind allerdings schon seit Juni 2022 bekannt. Betroffen sind Windows 10, Windows 11 und Windows Server. --------------------------------------------- https://www.zdnet.de/88407530/luecken-in-intel-cpus-microsoft-veroeffentlic… ∗∗∗ [R1] Nessus Version 10.5.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-09 ∗∗∗ BOSCH-SA-931197: Vulnerability in routers FL MGUARD and TC MGUARD ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-931197.html ∗∗∗ SonicOS SSLVPN Improper Restriction of Excessive MFA Attempts Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0005 ∗∗∗ SonicOS Unauthenticated Stack-Based Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.03.2023
by Daily end-of-shift report 02 Mar '23

02 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-03-2023 18:00 − Donnerstag 02-03-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ YARA: Detect The Unexpected ..., (Thu, Mar 2nd) ∗∗∗ --------------------------------------------- He has strings to detected any embedded file, and strings to detect embedded PNG files, JPEG files, ... So, in YARA, how can you use this to detect OneNote files that contain embedded files, but are not images? The trick is to count and compare string occurrences. --------------------------------------------- https://isc.sans.edu/diary/rss/29598 ∗∗∗ SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics ∗∗∗ --------------------------------------------- The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system. --------------------------------------------- https://thehackernews.com/2023/03/sysupdate-malware-strikes-again-with.html ∗∗∗ This Hacker Tool Can Pinpoint a DJI Drone Operators Exact Location ∗∗∗ --------------------------------------------- Every DJI quadcopter broadcasts its operators position via radio—unencrypted. Now, a group of researchers has learned to decode those coordinates. --------------------------------------------- https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/ ∗∗∗ Helping Cyber Defenders “Decide” to Use MITRE ATT&CK ∗∗∗ --------------------------------------------- Since the Cybersecurity and Infrastructure Security Agency (CISA) announced its first edition of Best Practices for MITRE ATT&CK Mapping nearly two years ago, the ATT&CK framework has evolved, expanded, and improved its ability to support more than just optimized cyber threat intelligence to the cybersecurity community. To match these advances, CISA recently published a second edition of our mapping guide and today announces a new accompaniment to the guide, CISA’s Decider tool. --------------------------------------------- https://www.cisa.gov/news-events/news/helping-cyber-defenders-decide-use-mi… ∗∗∗ Application SecurityCase StudiesCloud Native SecurityVulnerabilities Gitpod remote code execution 0-day vulnerability via WebSockets ∗∗∗ --------------------------------------------- This article walks us through a current Snyk Security Labs research project focusing on cloud based development environments (CDEs) — which resulted in a full workspace takeover on the Gitpod platform and extended to the user’s SCM account. The issues here have been responsibly disclosed to Gitpod and were resolved within a single working day --------------------------------------------- https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/ ∗∗∗ CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organizations cyber posture. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a ∗∗∗ Tainted Love: A Systematic Review of Online Romance Fraud. (arXiv:2303.00070v1 [cs.HC]) ∗∗∗ --------------------------------------------- Romance fraud involves cybercriminals engineering a romantic relationship ononline dating platforms. It is a cruel form of cybercrime whereby victims areleft heartbroken, often facing financial ruin. We characterise the literarylandscape on romance fraud, advancing the understanding of researchers andpractitioners by systematically reviewing and synthesising contemporaryqualitative and quantitative evidence. --------------------------------------------- http://arxiv.org/abs/2303.00070 ∗∗∗ Dishing Out DoS: How to Disable and Secure the Starlink User Terminal. (arXiv:2303.00582v1 [cs.CR]) ∗∗∗ --------------------------------------------- Satellite user terminals are a promising target for adversaries seeking totarget satellite communication networks. Despite this, many protectionscommonly found in terrestrial routers are not present in some user terminals.As a case study we audit the attack surface presented by the Starlinkrouters admin interface, using fuzzing to uncover a denial of service attackon the Starlink user terminal. --------------------------------------------- http://arxiv.org/abs/2303.00582 ===================== = Vulnerabilities = ===================== ∗∗∗ Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008 ∗∗∗ --------------------------------------------- Project: Group control for forums Security risk: Critical Description: This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2023-008 ∗∗∗ Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007 ∗∗∗ --------------------------------------------- Project: Thunder Security risk: Moderately critical Description: Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface.The module doesnt sufficiently check access when serving user data via graphql leading to an access bypass vulnerability --------------------------------------------- https://www.drupal.org/sa-contrib-2023-007 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (git), Debian (spip), Fedora (epiphany), Mageia (binwalk, chromium-browser-stable, crmsh, emacs, libraw, libtiff, nodejs, pkgconf, tar, and vim), Oracle (kernel and systemd), SUSE (emacs, kernel, nrpe, and rubygem-activerecord-4_2), and Ubuntu (c-ares, git, postgresql-12, postgresql-14, and sox). --------------------------------------------- https://lwn.net/Articles/924922/ ∗∗∗ Kritische Sicherheitslücken in ArubaOS - Updates teilweise verfügbar ∗∗∗ --------------------------------------------- Da Angreifende auf betroffenen Geräten beliebigen Code ausführen können, sind alle auf diesen Geräten befindlichen und darüber erreichbaren Daten gefährdet. Da es sich um Netzwerkkomponenten handelt, sind auch Szenarien denkbar wo darüber fliessende Daten gelesen, beeinträchtigt und/oder verändert werden können. --------------------------------------------- https://cert.at/de/warnungen/2023/3/kritische-sicherheitslucken-in-arubaos-… ∗∗∗ Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-006 ∗∗∗ ABB: Improper authentication vulnerability in S+ Operations (CVE ID: CVE-2023-0228) ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=7PAA0… ∗∗∗ IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6590487 ∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959353 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959355 ∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959369 ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957836 ∗∗∗ There is a vulnerability in Apache SOAP used by IBM Maximo Asset Management (CVE-2022-40705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959357 ∗∗∗ There is a security vulnerability in Apache SOAP used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-40705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959359 ∗∗∗ Persistent cross-site scripting vulnerability affect IBM Business Automation Workflow - CVE-2023-22860 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958691 ∗∗∗ Vulnerability in bind affects IBM Integrated Analytics System [CVE-2022-2795] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959567 ∗∗∗ IBM Cloud Pak for Network Automation v2.4.4 fixes multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959583 ∗∗∗ There is a vulnerability in Eclipse Jetty used by IBM Maximo Asset Management (CVE-2022-2047) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959601 ∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU and IBM Java - OpenJ9 CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959625 ∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848317 ∗∗∗ IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956299 ∗∗∗ Operations Dashboard is vulnerable to denial of service and response splitting due to vulnerabilities in Netty (CVE-2022-41881 and CVE-2022-41915) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959639 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2023
by Daily end-of-shift report 01 Mar '23

01 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-02-2023 18:00 − Mittwoch 01-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ TPM-2.0-Spezifikationen: Angreifer könnten Schadcode auf TPM schmuggeln ∗∗∗ --------------------------------------------- In die Spezifikation der TPM-2.0-Referenzbibliothek haben sich Fehler eingeschlichen. Angreifer könnten verwundbaren Implementierungen eigenen Code unterjubeln. --------------------------------------------- https://heise.de/-7531171 ∗∗∗ Finish him! Kostenloses Entschlüsselungstool besiegt MortalKombat-Ransomware ∗∗∗ --------------------------------------------- Kaum hat der Erpressungstrojaner MortalKombat das Licht der Welt erblickt, holen Sicherheitsforscher zum finalen Schlag aus. --------------------------------------------- https://heise.de/-7531337 ∗∗∗ Gefälschter PayLife-Login in Anzeigen bei Google-Suche! ∗∗∗ --------------------------------------------- PayLife-User:innen aufgepasst: Kriminelle schalten aktuell Werbung auf Google, welche auf eine gefälschte PayLife-Website führt. Ein kleiner Tippfehler reicht aus, um die betrügerische Werbung als erstes Ergebnis angezeigt zu bekommen. Wer die eigenen Login-Daten auf der Phishing-Seite eingibt, ermöglicht es den Kriminellen, Zahlungen zu tätigen. Das Geld ist verloren! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschter-paylife-login-in-anzeig… ∗∗∗ The dangers from across browser-windows ∗∗∗ --------------------------------------------- Beim Durchsuchen des Webs versucht Ihr Browser, Sie bestmöglich zu schützen, aber manchmal scheitert er daran, wenn er nicht ordnungsgemäß von der Website angewiesen wird, die Sie besuchen. Einer der wichtigsten Sicherheitsmechanismen des Browsers ist die Same-Origin Policy [1][2][3] (SOP), die einschränkt, wie Skripte und Dokumente aus einer Ursprungsquelle mit Ressourcen und Dokumenten aus einer [...] --------------------------------------------- https://certitude.consulting/blog/de/the-dangers-from-across-browser-window… ∗∗∗ BlackLotus UEFI-Bootkit überwindet Secure Boot in Windows 11 ∗∗∗ --------------------------------------------- Sicherheitsforscher von ESET haben eine BlackLotus getaufte Malware in freier Wildbahn entdeckt, die sich des UEFI bemächtigt. BlackLotus dürfte die erste UEFI-Bootkit-Malware in freier Wildbahn sein, die Secure Boot unter Windows 11 (und wohl auch Windows 10) aushebeln kann. --------------------------------------------- https://www.borncity.com/blog/2023/03/01/blacklotus-uefi-bootkit-berwindet-… ∗∗∗ CISA: ZK Java Framework RCE Flaw Under Active Exploit ∗∗∗ --------------------------------------------- The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately. --------------------------------------------- https://www.darkreading.com/risk/cisa-zk-java-framework-rce-flaw-under-acti… ∗∗∗ SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft ∗∗∗ --------------------------------------------- The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials. --------------------------------------------- https://sysdig.com/blog/cloud-breach-terraform-data-theft/ ∗∗∗ DNS abuse: Advice for incident responders ∗∗∗ --------------------------------------------- What DNS abuse techniques are employed by cyber adversaries and which organizations can help incident responders and security teams detect, mitigate and prevent them? The DNS Abuse Techniques Matrix published by FIRST provides answers. --------------------------------------------- https://www.helpnetsecurity.com/2023/03/01/dns-abuse-advice-for-incident-re… ∗∗∗ Google Cloud Platform allows data exfiltration without a (forensic) trace ∗∗∗ --------------------------------------------- Attackers can exfiltrate company data stored in Google Cloud Platform (GCP) storage buckets without leaving obvious forensic traces of the malicious activity in GCP’s storage access logs, Mitiga researchers have discovered. [...] In short, the main problem is that GCP’s basic storage logs – which are, by the way, not enabled by default – use the same description/event (objects.get) for [...] --------------------------------------------- https://www.helpnetsecurity.com/2023/03/01/gcp-data-exfiltration/ ∗∗∗ Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads ∗∗∗ --------------------------------------------- The Cisco AnyConnect client has received a fair amount of scrutiny from the security community over the years, with a particular focus on leveraging the vpnagent.exe service for privilege escalation. A while ago, we started to look at whether AnyConnect could be used to deliver payloads during red team engagements [...] --------------------------------------------- https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-… ∗∗∗ The Level of Human Engagement Behind Automated Attacks ∗∗∗ --------------------------------------------- Even automated attacks are driven by humans, but the level of engagement we observed may surprise you! When the human or an organization behind an automated attack shows higher levels of innovation and sophistication in their attack tactics, the danger increases dramatically as they are no longer simply employing an opportunistic “spray and pray” strategy, but rather more highly evolved strategies that are closer to a so-called targeted attack. --------------------------------------------- https://www.gosecure.net/blog/2023/02/28/the-level-of-human-engagement-behi… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (multipath-tools and syslog-ng), Fedora (gnutls and guile-gnutls), Oracle (git, httpd, lua, openssl, php, python-setuptools, python3.9, sudo, tar, and vim), Red Hat (kpatch-patch), Scientific Linux (git), SUSE (compat-openssl098, glibc, openssl, postgresql13, python-Django, webkit2gtk3, and xterm), and Ubuntu (awstats, expat, firefox, gnutls28, lighttpd, php7.2, php7.4, php8.1, python-pip, and tar). --------------------------------------------- https://lwn.net/Articles/924794/ ∗∗∗ Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products ∗∗∗ --------------------------------------------- Several ThingWorx and Kepware products are affected by two vulnerabilities that can be exploited for DoS attacks and unauthenticated remote code execution. The post Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-patched-in-thingworx-… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Webex App for Web Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Intelligence Center Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ TPM 2.0 Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500551-TPM-20-VULNERABILITIES ∗∗∗ Nuvoton TPM Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500550-NUVOTON-TPM-DENIAL-OF-… ∗∗∗ Malicious IKEv2 packet by authenticated peer can cause libreswan to restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 5.23.1: SC-202303.1-5 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-08 ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 6.0.0: SC-202303.1-6 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-07 ∗∗∗ IBM Planning Analytics and IBM Planning Analytics Workspace are affected by a security vulnerability in IBM WebSphere Application Server Liberty (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856457 ∗∗∗ DataPower Operator vulnerable to Denial of Service (CVE-2022-41724) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958490 ∗∗∗ Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services are impacted by multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958504 ∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-22389, CVE-2022-25313, CVE-2022-25236, CVE-2022-25314, CVE-2022-25315, CVE-2022-25235 and CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959019 ∗∗∗ Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959033 ∗∗∗ IBM Sterling Connect:Express for UNIX is affected by multiple vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958701 ∗∗∗ IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957688 ∗∗∗ IBM MQ is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages. (CVE-2022-43902) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957686 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2023
by Daily end-of-shift report 28 Feb '23

28 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 27-02-2023 18:00 − Dienstag 28-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical flaws in WordPress Houzez theme exploited to hijack websites ∗∗∗ --------------------------------------------- Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-… ∗∗∗ New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware ∗∗∗ --------------------------------------------- Threat actors are promoting a new Exfiltrator-22 post-exploitation framework designed to spread ransomware in corporate networks while evading detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-expl… ∗∗∗ Passwortmanager: Lastpass teilt weitere Details zum Dezember-Hack mit ∗∗∗ --------------------------------------------- Über einen Keylogger auf einem Privatrechner konnten Angreifer Adminzugriff auf diverse Lastpass-Kundendaten und dessen Quellcode erhalten. --------------------------------------------- https://www.golem.de/news/passwortmanager-lastpass-teilt-weitere-details-zu… ∗∗∗ Side-Channel Attack against CRYSTALS-Kyber ∗∗∗ --------------------------------------------- CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack. --------------------------------------------- https://www.schneier.com/blog/archives/2023/02/side-channel-attack-against-… ∗∗∗ CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests. --------------------------------------------- https://thehackernews.com/2023/02/cisa-issues-warning-on-active.html ∗∗∗ A Complete Kubernetes Config Review Methodology ∗∗∗ --------------------------------------------- The are many resources out there that tap into the subject of Kubernetes Pentesting or Configuration Review, however, they usually detail specific topics and misconfigurations and don’t offer a broad perspective on how to do a complete Security Review. That is why in this article I want to cover a more complete overview on all the possible aspects that should be reviewed when dealing with a Kubernetes Security Assessment. --------------------------------------------- https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-meth… ∗∗∗ Vulnerabilities Being Exploited Faster Than Ever: Analysis ∗∗∗ --------------------------------------------- The time from vulnerability disclosure to exploitation is decreasing, according to a new intelligence report from Rapid7. --------------------------------------------- https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ev… ∗∗∗ Konzertkarten auf Facebook kaufen: Vorsicht vor Betrug ∗∗∗ --------------------------------------------- Facebook ist eine beliebte Anlaufstelle, um Karten für ausverkaufte Konzerte zu ergattern. Bedenken Sie aber, dass hinter vielen Angeboten Fake-Profile stecken. Überprüfen Sie das Profil der Verkäufer:innen sehr genau und bezahlen Sie niemals mit der PayPal-Funktion „Geld an Freunde & Familie senden“. Wir zeigen Ihnen, wie Sie betrügerische Angebote auf Facebook erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/konzertkarten-auf-facebook-kaufen-vo… ∗∗∗ Gefälschtes E-Mail von FinanzOnline über Sicherheitsaktualisierung im Umlauf ∗∗∗ --------------------------------------------- Nehmen Sie E-Mails vom Finanzamt bzw. von FinanzOnline sehr genau unter die Lupe. Im Moment sind unzählige betrügerische Schreiben im Umlauf. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-e-mail-von-finanzonline… ∗∗∗ Sicherheitsanbieter Cyren geht in Liquidation – NoSpamProxy betroffen ∗∗∗ --------------------------------------------- Kurze Information für Nutzer, die Sicherheitsfunktionen des Anbieters Cyren einsetzen (z. B. NoSpamProxy). Der Anbieter Cyren steckt in wirtschaftlichen Schwierigkeiten und wird wohl liquidiert – die betreffenden Dienste werden eingestellt. --------------------------------------------- https://www.borncity.com/blog/2023/02/28/sicherheitsanbieter-cyren-geht-in-… ∗∗∗ Bitdefender Releases Free MortalKombat Ransomware Decryptor ∗∗∗ --------------------------------------------- The free Mortal Kombat ransomware decryptor is now available for victims to recover their encrypted files without having to pay the ransom. --------------------------------------------- https://www.hackread.com/bitdefender-mortalkombat-ransomware-decryptor/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0006 ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.3 CVE(s): CVE-2023-20857 Synopsis: VMware Workspace ONE Content update addresses a passcode bypass vulnerability (CVE-2023-20857) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0006.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, python-werkzeug, and spip), Fedora (curl), Mageia (apache-commons-fileupload, apr, c-ares, clamav, git, gnutls, ipython, jupyter-core, php, postgresql, python-cryptography, python-jupyterlab, python-twisted, sofia-sip, and sox), Red Hat (git, httpd, kernel, kernel-rt, kpatch-patch, lua, openssl, pcs, php, python-setuptools, python3.9, systemd, tar, vim, and zlib), SUSE (libxslt, php8, postgresql15, python3, tpm2-0-tss, and ucode-intel), and --------------------------------------------- https://lwn.net/Articles/924690/ ∗∗∗ IBM Security Bulletins 2023-02-23 ∗∗∗ --------------------------------------------- IBM VM Recovery Manager, IBM MQ Appliance, Red Hat OpenShift on IBM Cloud, IBM Business Automation Workflow, WebSphere Application Server, IBM SAN b-type switch, IBM FlashSystem, TMS RAMSAN, IBM HTTP Server, IBM CloudPak, Operations Dashboard, IBM QRadar SIEM Application Framework Base Image. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CVE-2022-38108: RCE in SolarWinds Network Performance Monitor ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hong and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the SolarWinds Network Performance Monitor. This bug was originally discovered and reported by ZDI Vulnerability Research Piotr Bazydło. The vulnerability results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. --------------------------------------------- https://www.thezdi.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-netw… ∗∗∗ ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020047 ∗∗∗ ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020046 ∗∗∗ web2py development tool vulnerable to open redirect ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78253670/ ∗∗∗ Osprey Pump Controller 1.0.1 Exploit Code released ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ OS Command Injection in Barracuda CloudGen WAN ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/os-command-injection-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2023
by Daily end-of-shift report 27 Feb '23

27 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-02-2023 18:00 − Montag 27-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ QUICforge - Client-seitige Request-Forgery-Angriffe im QUIC Protokoll ∗∗∗ --------------------------------------------- Ein Überblick warum das QUIC Protokoll ein für die Sicherheit relevantes und besonders aktuelles Forschungsgebiet ist und welche Herausforderung die Nutzung von QUIC birgt. --------------------------------------------- https://sec-consult.com/de/blog/detail/quicforge-client-seitige-request-for… ∗∗∗ Exchange Server: Microsoft empfiehlt Aktualisierung der Antivirus-Ausnahmen (Feb. 2023) ∗∗∗ --------------------------------------------- Microsofts Exchange Server-Team hat seine Empfehlungen in Bezug auf Ausnahmen für Antivirus-Scans überarbeitet und bittet Administratoren die Einstellungen der Antivirus-Software zu überprüfen und gegebenenfalls anzupassen. --------------------------------------------- https://www.borncity.com/blog/2023/02/27/exchange-server-microsoft-empfiehl… ∗∗∗ Bösartige Authenticator-Apps auch im Google-Play-Store ∗∗∗ --------------------------------------------- Vergangene Woche haben App-Entwickler bösartige Authenticator-Apps in Apples App-Store entdeckt. Jetzt wurden sie auch im Google-Play-Store fündig. --------------------------------------------- https://heise.de/-7528469 ∗∗∗ Nur mit iPhone-PIN: Diebe räumen Apple-ID und Bankkonten ab ∗∗∗ --------------------------------------------- iPhone-Diebstähle können zu einer vollständigen Apple-ID- und Bankkonten-Übernahme führen. Schuld ist Apples (zu) einfache Passwort-Recovery per PIN. --------------------------------------------- https://heise.de/-7527961 ∗∗∗ Kleinanzeigenplattformen: Betrügerische Käufer:innen täuschen Zahlung auf gefälschter PayPal-Website vor ∗∗∗ --------------------------------------------- Willhaben, Ebay, Shpock und Co.: Nehmen Sie sich vor betrügerischen Interessent:innen in Acht! Betrügerische Interessent:innen auf Kleinanzeigenplattformen behaupten, den Kaufbetrag inklusive Versandkosten an den Zahlungsdienst PayPal überwiesen zu haben. Sie schicken Ihnen einen personalisierten Link, über den Sie das Geld angeblich anfordern können. Brechen Sie den Kontakt ab, Sie werden auf eine gefälschte PayPal-Seite gelockt. Kriminelle stehlen damit Ihre Zugangsdaten und Geld von Ihrem PayPal-Konto! --------------------------------------------- https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-kleinanzeigen… ∗∗∗ PureCrypter malware hits govt orgs with ransomware, info-stealers ∗∗∗ --------------------------------------------- A threat actor has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains. --------------------------------------------- https://www.bleepingcomputer.com/news/security/purecrypter-malware-hits-gov… ∗∗∗ RIG Exploit Kit still infects enterprise users via Internet Explorer ∗∗∗ --------------------------------------------- The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the services long operational history. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rig-exploit-kit-still-infect… ∗∗∗ Is My Site Hacked? (13 Signs) ∗∗∗ --------------------------------------------- Symptoms of a hack can vary wildly. A concerning security alert from Google, a browser warning when you visit your site, or even a notice from your hosting provider that they’ve taken down your website - all of these events may indicate that your site has been hacked. Fortunately, there are a number of quick (and free) ways you can check and find out if your website has been compromised. --------------------------------------------- https://blog.sucuri.net/2023/02/is-my-website-hacked.html ∗∗∗ Open Source Security and Risk Analysis Report ∗∗∗ --------------------------------------------- In its 8 th edition this year, the 2023 “Open Source Security and Risk Analysis” (OSSRA) report delivers our annual in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software. https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-… --------------------------------------------- https://www.synopsys.com/software-integrity/resources/analyst-reports/open-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Zoho ManageEngine ServiceDesk Plus ist verwundbar ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit dem IT-Verwaltungssystem ManageEngine ServiceDesk Plus von Zoho attackieren. Eine ältere Zoho-Lücke wird derweil angegriffen. --------------------------------------------- https://heise.de/-7528332 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apr-util, freeradius, mono, nodejs, php7.3, php7.4, and python-cryptography), Fedora (epiphany, haproxy, and podman), SUSE (chromium, libraw, php7, php74, python-pip, and rubygem-activerecord-4_2), and Ubuntu (apr, clamav, curl, intel-microcode, nss, openvswitch, webkit2gtk, and zoneminder). --------------------------------------------- https://lwn.net/Articles/924546/ ∗∗∗ Windows: Microsoft liefert cURL-Bibliothek weiterhin mit Schwachstellen aus (Feb. 2023) ∗∗∗ --------------------------------------------- Es ist eine unschöne Geschichte, die ich erneut hier im Blog einstelle. Microsoft gelingt es nicht, cURL mit Windows so auszuliefern, dass die Software auf dem aktuellen Stand ist und keine bekannte Sicherheitslücken mehr aufweist. --------------------------------------------- https://www.borncity.com/blog/2023/02/25/windows-microsoft-liefert-curl-bib… ∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-060/ ∗∗∗ Advisory: Vulnerable TigerVNC Version used in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16769091… ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ IBM MQ for HPE NonStop Server is affected by channel CCDT vulnerability CVE-2022-40237 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958136 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958146 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service in Pypa Setuptools (CVE-2022-40897) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958142 ∗∗∗ IBM Security Verify Bridge (windows and docker versions) affected by a denial of service issue in Go (CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958156 ∗∗∗ Certifi package as used by IBM QRadar User Behavior Analytics is vulnerable to improper certificate validation (CVE-2022-23491) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958452 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958458 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2022-38712) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958478 ∗∗∗ A security vulnerability ( CVE-2022-3509, CVE-2022-3171 ) has been identified in IBM WebSphere Application Server Liberty shipped with IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958474 ∗∗∗ FasterXML-jackson-databinds vulnerabilities affect IBM Operations Analytics Predictive Insights (CVE-2022-42004,CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958482 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955937 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958476 ∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958484 ∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958486 ∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2177, CVE-2016-2178). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697949 ∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2180). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697951 ∗∗∗ IBM b-type SAN switches and directors affected by OpenSSL Security Advisory [22 Sep 2016] and [26 Sep 2016]. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697953 ∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650695 ∗∗∗ IBM b-type SAN Network\/Storage switches is affected by a denial of service vulnerability, caused by a CPU consumption in the IPv6 stack (CVE-2017-6227). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650699 ∗∗∗ IBM b-type SAN directors and switches is affected by privilege escalation vulnerability (CVE-2016-8202). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697803 ∗∗∗ Vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors (CVE-2016-2108) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697943 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2023
by Daily end-of-shift report 24 Feb '23

24 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-02-2023 18:00 − Freitag 24-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht: ChatGPT-Scams nehmen stark zu ∗∗∗ --------------------------------------------- Im Internet gibt es viele Seiten, die vorgeben, der intelligente Chatbot zu sein. In Wahrheit verbreiten sie Schadsoftware. --------------------------------------------- https://futurezone.at/produkte/chatgpt-scam-malware-apps-android-chatbot-vo… ∗∗∗ KI: Journalist überlistet Bank mit künstlicher Intelligenz ∗∗∗ --------------------------------------------- Einem Journalisten ist es gelungen, die Stimmauthentifizierung einer Bank mit KI zu umgehen. Das könnten auch Betrüger. --------------------------------------------- https://www.golem.de/news/ki-journalist-ueberlistet-bank-mit-kuenstlicher-i… ∗∗∗ Privatsphäre: Chrome-Extensions können noch immer eine Menge anrichten ∗∗∗ --------------------------------------------- Eine Analyse zeigt, was sich trotz Googles Chrome Extension Manifest V3 alles ausspähen lässt, wenn Nutzer bei der Installation nicht vorsichtig sind. --------------------------------------------- https://www.golem.de/news/privatsphaere-chrome-extensions-koennen-noch-imme… ∗∗∗ The code that wasn’t there: Reading memory on an Android device by accident ∗∗∗ --------------------------------------------- CVE-2022-25664, a vulnerability in the Qualcomm Adreno GPU, can be used to leak large amounts of information to a malicious Android application. Learn more about how the vulnerability can be used to leak information in both the user space and kernel space level of pages, and how the GitHub Security Lab used the kernel space information leak to construct a KASLR bypass. --------------------------------------------- https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-… ∗∗∗ In Final Cut & Co: Warnung vor Cryptojacking durch gecrackte Mac-Apps ∗∗∗ --------------------------------------------- Malware für Cryptomining wird über gecrackte Mac-Apps verbreitet und verbirgt sich dabei immer besser, warnen Sicherheitsforscher. Apple reagiert. --------------------------------------------- https://heise.de/-7527273 ∗∗∗ Update on the Exchange Server Antivirus Exclusions ∗∗∗ --------------------------------------------- For years we have been saying how running antivirus (AV) software on your Exchange Servers can enhance the security and health of your Exchange organization. We’ve also said that if you are deploying file-level scanners on Exchange servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both scheduled and real-time scanning. But times have changed, and so has the cybersecurity landscape. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/update-on-the-exc… ∗∗∗ Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool ∗∗∗ --------------------------------------------- Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-troj… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco stopft teils hochriskante Schwachstellen ∗∗∗ --------------------------------------------- Für mehrere Produkte stellt Netzwerkausrüster Cisco Sicherheitsupdates bereit. Sie schließen teils als hohe Bedrohung eingestufte Schwachstellen. --------------------------------------------- https://heise.de/-7526208 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (binwalk, chromium, curl, emacs, frr, git, libgit2, and tiff), Fedora (qt5-qtbase), SUSE (c-ares, kernel, openssl-1_1-livepatches, pesign, poppler, rubygem-activerecord-5_1, and webkit2gtk3), and Ubuntu (linux-aws). --------------------------------------------- https://lwn.net/Articles/924358/ ∗∗∗ Ineffective Cross Site Request Forgery (CSRF) protection in IBM Business Process Manager (BPM) (CVE-2017-1769) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/301273 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to information disclosure (CVE-2022-43923) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957654 ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ A vulnerability in Node.js affects IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-21681, CVE-2022-21680) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958016 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958024 ∗∗∗ A vulnerability in Node.js affects IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-21681, CVE-2022-21680) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958016 ∗∗∗ Vulnerabilities found within Apache Storm that is used by IBM Tivoli Network Manager (ITNM) IP Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958056 ∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958062 ∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958064 ∗∗∗ CVE-2022-32149 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958066 ∗∗∗ CVE-2022-32149 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958072 ∗∗∗ Multiple vulnerabilities in Go may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958068 ∗∗∗ CVE-2022-3676 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958086 ∗∗∗ CVE-2022-3676 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958074 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855111 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955929 ∗∗∗ CVE-2022-37734 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958076 ∗∗∗ CVE-2022-37734 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958084 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955937 ∗∗∗ CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958080 ∗∗∗ CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958082 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by a vulnerability in JSON Web Token ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955935 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957710 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime affect z/Transaction Processing Facility ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957822 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.02.2023
by Daily end-of-shift report 23 Feb '23

23 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-02-2023 18:00 − Donnerstag 23-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New S1deload Stealer malware hijacks Youtube, Facebook accounts ∗∗∗ --------------------------------------------- An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-s1deload-stealer-malware… ∗∗∗ Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries ∗∗∗ --------------------------------------------- Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3. --------------------------------------------- https://thehackernews.com/2023/02/python-developers-warned-of-trojanized.ht… ∗∗∗ Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products ∗∗∗ --------------------------------------------- Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. --------------------------------------------- https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html ∗∗∗ OffSec Tools ∗∗∗ --------------------------------------------- This repository is intended for pentesters and red teamers using a variety of offensive security tools during their assessments. The repository is a collection of useful tools suitable for assessments in internal environments. --------------------------------------------- https://github.com/Syslifters/offsec-tools ∗∗∗ Technical Analysis of BlackBasta Ransomware 2.0 ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs) including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates. --------------------------------------------- https://www.zscaler.com/blogs/security-research/back-black-basta ∗∗∗ Users looking for ChatGPT apps get malware instead ∗∗∗ --------------------------------------------- The massive popularity of OpenAI’s chatbot ChatGPT has not gone unnoticed by cyber criminals: they are exploiting the public’s eagerness to experiment with it to trick users into downloading Windows and Android malware and visit phishing pages. --------------------------------------------- https://www.helpnetsecurity.com/2023/02/23/chatgpt-windows-android/ ∗∗∗ Stealthy Mac Malware Delivered via Pirated Apps ∗∗∗ --------------------------------------------- Cybercriminals are delivering stealthy cryptojacking malware to Macs using pirated apps and they could use the same method for other malware. --------------------------------------------- https://www.securityweek.com/stealthy-mac-malware-delivered-via-pirated-app… ∗∗∗ Anti-Forensic Techniques Used By Lazarus Group ∗∗∗ --------------------------------------------- Since approximately a year ago, the Lazarus group’s malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group’s activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group. --------------------------------------------- https://asec.ahnlab.com/en/48223/ ∗∗∗ ChromeLoader Disguised as Illegal Game Programs Being Distributed ∗∗∗ --------------------------------------------- Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution. These have been covered several times in previous ASEC blog posts. This post will cover a recent discovery of ChromeLoader being distributed using VHD files. --------------------------------------------- https://asec.ahnlab.com/en/48211/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities ∗∗∗ --------------------------------------------- Two of the vulnerabilities are considered to be considered of critical importance, with a CVSS score of a maximum 10 out of 10. --------------------------------------------- https://blog.talosintelligence.com/vuln-spotlight-eip-stack-group-feb-2023/ ∗∗∗ BIOS-Sicherheitsupdates: HP-Computer für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- In aktualisierten BIOS-Versionen für HP-Computer haben die Entwickler mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7524562 ∗∗∗ Firewall-Distribution: pfSense 23.01 schließt Sicherheitslücken ∗∗∗ --------------------------------------------- In der Firewall-Distribution pfSense 23.01 haben die Entwickler mehrere Sicherheitslücken geschlossen. Die Basis haben sie auch auf aktuellen Stand gehievt. --------------------------------------------- https://heise.de/-7525432 ∗∗∗ Wordfence Intelligence CE Weekly Vulnerability Report (Feb 13, 2023 to Feb 19, 2023) ∗∗∗ --------------------------------------------- Last week, there were 104 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below. --------------------------------------------- https://www.wordfence.com/blog/2023/02/wordfence-intelligence-ce-weekly-vul… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (asterisk, git, mariadb-10.3, node-url-parse, python-cryptography, and sofia-sip), Fedora (c-ares, golang-github-need-being-tree, golang-helm-3, golang-oras, golang-oras-1, and golang-oras-2), Oracle (httpd:2.4, kernel, php:8.0, python-setuptools, python3, samba, systemd, tar, and webkit2gtk3), Red Hat (webkit2gtk3), SUSE (phpMyAdmin, poppler, and postgresql12), and Ubuntu (dcmtk and linux-hwe). --------------------------------------------- https://lwn.net/Articles/924236/ ∗∗∗ Case update: DIVD-2022-00052 - Multiple vulnerabilities is Cloudflow software ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00052/ ∗∗∗ Vulnerability in sqlite affects IBM VM Recovery Manager HA GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957680 ∗∗∗ Vulnerability in sqlite affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957708 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957710 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager HA GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957714 ∗∗∗ CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957754 ∗∗∗ CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957758 ∗∗∗ CVE-2022-3509 and CVE-2022-3171 may affect IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957764 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.02.2023
by Daily end-of-shift report 22 Feb '23

22 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-02-2023 18:00 − Mittwoch 22-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warnung vor Angriffen auf IBM Aspera Faspex und Mitel MiVoice ∗∗∗ --------------------------------------------- Die US-IT-Sicherheitsbehörde CISA warnt davor, dass Cyberkriminelle Sicherheitslücken in IBM Aspera Faspex und Mitel MiVoice angreifen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7523870 ∗∗∗ Jetzt patchen! Exploit-Code für kritische Fortinet FortiNAC-Lücke in Umlauf ∗∗∗ --------------------------------------------- Da Exploit-Code veröffentlicht wurde, könnten Angreifer Fortinets Netzwerk-Zugangskontrolllösung FortiNAC ins Visier nehmen. --------------------------------------------- https://heise.de/-7523427 ∗∗∗ Fake Give-Aways und Geschenkaktionen im Namen von ‚MrBeast‘! ∗∗∗ --------------------------------------------- Wer sich regelmäßig YouTube-Videos ansieht, kommt kaum an MrBeast vorbei. Der Youtuber mit über 134 Millionen Abonnent:innen ist für seine Give-Away-Videos bekannt, bei denen er Tausende oder gar Millionen von Dollar verschenkt. Diesen Ruf machen sich auch Kriminelle zunutze, indem sie betrügerische Gewinnversprechen und Geschenkaktionen im Namen von MrBeast verbreiten. --------------------------------------------- https://www.watchlist-internet.at/news/fake-give-aways-und-geschenkaktionen… ∗∗∗ Hydrochasma hackers target medical research labs, shipping firms ∗∗∗ --------------------------------------------- A previously unknown threat actor named Hydrochasma has been targeting shipping and medical laboratories involved in COVID-19 vaccine development and treatments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hydrochasma-hackers-target-m… ∗∗∗ WhatsApp ignoriert seit Jahren ein Sicherheitsproblem, das alle betrifft ∗∗∗ --------------------------------------------- Fremde können das eigene Profil übernehmen und sich für euch ausgeben - ganz ohne Hacking oder Phishing. --------------------------------------------- https://futurezone.at/apps/whatsapp-sicherheit-problem-konto-telefonnummer-… ∗∗∗ Attackers Abuse Cron Jobs to Reinfect Websites ∗∗∗ --------------------------------------------- Malicious cron jobs are nothing new; we’ve seen attackers use them quite frequently to reinfect websites. However, in recent months we’ve noticed a distinctive new wave of these infections that appears to be closely related to this article about a backdoor that we’ve been tracking. --------------------------------------------- https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websi… ∗∗∗ Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks ∗∗∗ --------------------------------------------- An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc. --------------------------------------------- https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.h… ∗∗∗ Lets build a Chrome extension that steals everything ∗∗∗ --------------------------------------------- Manifest v3 may have taken some of the juice out of browser extensions, but I think there is still plenty left in the tank. To prove it, let’s build a Chrome extension that steals as much data as possible. --------------------------------------------- https://mattfrisbie.substack.com/p/spy-chrome-extension ∗∗∗ How NPM Packages Were Used to Spread Phishing Links ∗∗∗ --------------------------------------------- [...] On Monday, 20th of February, Checkmarx Labs discovered an anomaly in the NPM ecosystem when we cross-referenced new information with our databases. Clusters of packages had been published in large quantities to the NPM package manager. Further investigation revealed that the packages were part of a trending new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns. --------------------------------------------- https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-li… ∗∗∗ Android voice chat app with 5m installs leaked user chats ∗∗∗ --------------------------------------------- The voice chat app under discussion is OyeTalk, which is available for Android and iOS devices and is operated from Pakistan. --------------------------------------------- https://www.hackread.com/android-voice-chat-app-data-leak/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: VMware dichtet kritisches Sicherheitsleck ab ∗∗∗ --------------------------------------------- VMware schließt mit Updates für Carbon Black App Control und vRealize sowie Cloud Foundation eine kritische und eine hochriskante Schwachstelle. --------------------------------------------- https://heise.de/-7523335 ∗∗∗ Foxit PDF-Updates dichten hochriskante Schwachstellen ab ∗∗∗ --------------------------------------------- In der PDF-Software Foxit klafften Sicherheitslücken, durch die Angreifer etwa mit manipulierten PDF-Dateien Schadcode einschleusen und ausführen hätten können. --------------------------------------------- https://heise.de/-7523313 ∗∗∗ Multiple vulnerabilities in Nokia BTS Airscale ASIKA [PDF] ∗∗∗ --------------------------------------------- Synacktiv performed an audit on the base transceiver station Nokia Airscale ASIKA, running the firmware version btsmed_5G19B_GNB_0007_001836_000863, and discovered multiple vulnerabilities. --------------------------------------------- https://www.synacktiv.com/sites/default/files/2023-02/Synacktiv-Nokia-BTS-A… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amanda, apr-util, and tiff), Fedora (apptainer, git, gssntlmssp, OpenImageIO, openssl, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (firefox and thunderbird), Red Hat (python3), SUSE (gnutls, php7, and python-Django), and Ubuntu (chromium-browser, libxpm, and mariadb-10.3, mariadb-10.6). --------------------------------------------- https://lwn.net/Articles/924070/ ∗∗∗ Synology-SA-23:01 ClamAV ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to possibly execute arbitrary code or local users to obtain sensitive information via a susceptible version of Antivirus Essential, Synology Mail Server, and Synology MailPlus Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_01 ∗∗∗ IBM Security Bulletins 2023-02-22 ∗∗∗ --------------------------------------------- * A vulnerability in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * A vulnerability in the GUI affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * BM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578) * IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708] * IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231) * Vulnerabilities in jsonwebtoken affects IBM Watson Assistant for IBM Cloud Pak for Data * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Plus (CVE-2019-11777) * Vulnerability in Log4j affects IBM Integrated Analytics System [CVE-2022-23305] --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Cisco Nexus 9000 Series Fabric Switches in ACI Mode Link Layer Discovery Protocol Memory Leak Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco FXOS Software and UCS Manager Software Configuration Backup Static Key Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco NX-OS Software SSH X.509v3 Certificate Authentication with Unsupported Remote Authorization Method Privilege Escalation Issues ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS Fabric Interconnects Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus 9300-FX3 Series Fabric Extender for UCS Fabric Interconnects Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 6.0.0: SC-202302.2 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-06 ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 5.23.1: SC-202302.3 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2023
by Daily end-of-shift report 21 Feb '23

21 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 20-02-2023 18:00 − Dienstag 21-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kriminalität: Ransomware will Versicherungspolice ∗∗∗ --------------------------------------------- Die Ransomware Hardbit 2.0 verlangt die Versicherungspolice der Unternehmen, um die Lösegeldforderung anzupassen. Nicht ungefährlich für die Betroffenen. --------------------------------------------- https://www.golem.de/news/kriminalitaet-ransomware-will-versicherungspolice… ∗∗∗ Researchers Discover Dozens Samples of Information Stealer Stealc in the Wild ∗∗∗ --------------------------------------------- A new information stealer called Stealc thats being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report. --------------------------------------------- https://thehackernews.com/2023/02/researchers-discover-dozens-samples-of.ht… ∗∗∗ Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs ∗∗∗ --------------------------------------------- On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user. --------------------------------------------- https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/ ∗∗∗ A Deep Dive Into a PoshC2 Implant ∗∗∗ --------------------------------------------- PoshC2 is an open-source C2 framework used by penetration testers and threat actors. It can generate a Powershell-based implant, a C#.NET implant that we analyze in this paper, and a Python3 implant. --------------------------------------------- https://resources.securityscorecard.com/research/poshc2-implant ∗∗∗ ClamAV Critical Patch Review ∗∗∗ --------------------------------------------- The description of those bugs got our attention since we have format handlers in unblob for both DMG and HFS+. We therefore decided to spend some time trying to understand them and learn if we may be affected by similar bugs. --------------------------------------------- https://onekey.com/blog/clamav-critical-patch-review/ ∗∗∗ OWASP Kubernetes Top 10 ∗∗∗ --------------------------------------------- The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top 10 is a prioritized list of common risks backed by data collected from organizations varying in maturity and complexity. --------------------------------------------- https://sysdig.com/blog/top-owasp-kubernetes/ ∗∗∗ iOS 16.3 und 16.3.1: Apple räumt weitere schwere Lücken ein ∗∗∗ --------------------------------------------- Apple neigt seit längerem dazu, nicht alle gestopften Löcher in seinen Betriebssystemen sofort zu kommunizieren. Nun wurden Infos zu iOS 16.3 nachgereicht. --------------------------------------------- https://heise.de/-7522282 ∗∗∗ What can we learn from the latest Coinbase cyberattack? ∗∗∗ --------------------------------------------- Cryptocurrency exchange Coinbase has fended off a cyberattack that might have been mounted by the same attackers that targeted Twillio, Cloudflare and many other companies last year. --------------------------------------------- https://www.helpnetsecurity.com/2023/02/21/coinbase-cyberattack/ ∗∗∗ Keine Pellets auf ferberpainting.de bestellen! ∗∗∗ --------------------------------------------- Auf der Suche nach Pellets für die Beheizung des Eigenheims stoßen aktuell zahlreiche Personen auf ferberpainting.de bzw. ferberpainting.com. Für 199,90 Euro werden dort 40 Säcke mit 25 KG Pellets abgebildet und angeboten. Wer hier bestellt erlebt eine böse Überraschung, denn geliefert werden 40 leere Säcke. --------------------------------------------- https://www.watchlist-internet.at/news/keine-pellets-auf-ferberpaintingde-b… ∗∗∗ Ihre Bank ruft an? Es könnte sich um Betrug handeln! ∗∗∗ --------------------------------------------- Sie erhalten einen Anruf. Angeblich eine Mitarbeiterin Ihrer Bank. Die Anruferin erklärt, dass sie ungewöhnliche Abbuchungen von Ihrem Konto festgestellt hat. Sie hilft Ihnen dabei, das Geld zurückzubekommen und Ihr Konto zu schützen. Vorsicht: Es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/ihre-bank-ruft-an-es-koennte-sich-um… ∗∗∗ HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) ∗∗∗ --------------------------------------------- In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea. --------------------------------------------- https://asec.ahnlab.com/en/48063/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0004 ∗∗∗ --------------------------------------------- CVSSv3 Range: 9.1 CVE(s): CVE-2023-20858 Synopsis: VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0004.html ∗∗∗ VMSA-2023-0005 ∗∗∗ --------------------------------------------- CVSSv3 Range: 8.8 CVE(s): CVE-2023-20855 Synopsis: VMware vRealize Orchestrator update addresses an XML External Entity (XXE) vulnerability (CVE-2023-20855) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0005.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (libksba, thunderbird, and tigervnc and xorg-x11-server), Debian (clamav, nss, python-django, and sox), Fedora (kernel and thunderbird), Mageia (curl, firefox, nodejs-qs, qtbase5, thunderbird, upx, and webkit2), Red Hat (httpd:2.4, kernel, kernel-rt, kpatch-patch, pcs, php:8.0, python-setuptools, Red Hat build of Cryostat, Red Hat Virtualization Host 4.4.z SP 1, samba, systemd, tar, and thunderbird), Scientific Linux (firefox and thunderbird), and SUSE (clamav, firefox, jhead, mozilla-nss, prometheus-ha_cluster_exporter, tar, and ucode-intel). --------------------------------------------- https://lwn.net/Articles/923942/ ∗∗∗ TYPO3-EXT-SA-2023-002: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2023-002 ∗∗∗ Mitsubishi Electric MELSOFT iQ AppPortal ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-052-01 ∗∗∗ IBM FlashSystem 710, 720, 810, and 820 systems and RamSan 710, 720, 810, and 820 systems are not affected by the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)\nFlash ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690011 ∗∗∗ Six (6) Vulnerabilities in Network Security Services (NSS) & Netscape Portable Runtime (NSPR) affect IBM FlashSystem and TMS RAMSAN 710, 720, 810, and 820 systems (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-154 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690125 ∗∗∗ Two (2) Vulnerabilities in glibc affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems (CVE-2014-5119 and CVE-2014-0475) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690127 ∗∗∗ Sixteen (16) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690129 ∗∗∗ Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690131 ∗∗∗ Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690149 ∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-25928) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956598 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6328143 ∗∗∗ IBM Db2 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953755 ∗∗∗ IBM MQ is affected by multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 8 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957066 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to JSON5 code execution (CVE-2022-46175) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957134 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.02.2023
by Daily end-of-shift report 20 Feb '23

20 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-02-2023 18:00 − Montag 20-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CISA warnt: Mögliche System-Kompromittierung durch Lücken in Thunderbird ∗∗∗ --------------------------------------------- Die Version 102.8 von Thunderbird schließt Schwachstellen, durch die Angreifer die Kontrolle über ein System erlangen könnten. Davor warnt die CISA. --------------------------------------------- https://heise.de/-7521002 ∗∗∗ Microsoft-Updates: Nebenwirkungen für VMware und Windows Server 2022 ∗∗∗ --------------------------------------------- Die Februar-Updates zum Microsoft-Patchdays haben ungewollte Nebenwirkungen. Sie betreffen Windows Server 2022 unter VMware und die Windows-11-Updateverteilung. --------------------------------------------- https://heise.de/-7521199 ∗∗∗ Nach Cyber-Einbruch: Angreifer leiten GoDaddy-Webseiten um ∗∗∗ --------------------------------------------- Beim Webhoster GoDaddy konnten Angreifer Anfang Dezember 2022 Schadcode einschleusen, der dort gehostete Webseiten auf Malware-Seiten umleitete. --------------------------------------------- https://heise.de/-7521325 ∗∗∗ Achtung: Finanzamt schickt kein SMS ∗∗∗ --------------------------------------------- Kriminelle versenden im Namen des Finanzamtes gefälschte Nachrichten. Im SMS wird behauptet, dass Sie einen Betrag von € 286, 93 erhalten. Um das Geld zu bekommen, müssen Sie sich verifizieren und auf einen Link klicken. Klicken Sie nicht auf den Link, Sie landen auf einer Phishing-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-finanzamt-schickt-kein-sms/ ∗∗∗ New WhiskerSpy malware delivered via trojanized codec installer ∗∗∗ --------------------------------------------- Security researchers have discovered a new backdoor called WhiskerSpy used in a campaign from a relatively new advanced threat actor tracked as Earth Kitsune, known for targeting individuals showing an interest in North Korea. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-whiskerspy-malware-deliv… ∗∗∗ OneNote Suricata Rules, (Sun, Feb 19th) ∗∗∗ --------------------------------------------- I end my diary entry "Detecting (Malicious) OneNote Files" with a set of Suricata rules to detect various OneNote files. --------------------------------------------- https://isc.sans.edu/diary/rss/29564 ∗∗∗ The Dangers of Installing Nulled WordPress Themes and Plugins ∗∗∗ --------------------------------------------- Nulled WordPress themes and plugins are a controversial topic for many in the web development world - and arguably one of the bigger threats to WordPress security. Essentially modified versions of official WordPress themes and plugins with their licensing restrictions removed, these nulled software copies are often touted as premium functionality packaged in a free download. --------------------------------------------- https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-… ∗∗∗ NimPlant - A light first-stage C2 implant written in Nim and Python ∗∗∗ --------------------------------------------- NimPlant was developed as a learning project and released to the public for transparency and educational purposes. For a large part, it makes no effort to hide its intentions. Additionally, protections have been put in place to prevent abuse. In other words, do NOT use NimPlant in production engagements as-is without thorough source code review and modifications! --------------------------------------------- https://github.com/chvancooten/NimPlant ∗∗∗ Finding forensics breadcrumbs in Android image storage ∗∗∗ --------------------------------------------- [...] In this post I’ll be talking about image scanning apps, and how to reverse engineer them to pinpoint user activity and tie a user to a particular image’s creation from a source file e.g. pages from a PDF. --------------------------------------------- https://www.pentestpartners.com/security-blog/finding-forensics-breadcrumbs… ∗∗∗ Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers ∗∗∗ --------------------------------------------- Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following in the same path, a new variant targeting Linux systems emerged and we will provide a technical analysis on this variant in this blog. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-att… ∗∗∗ QR code generator My QR Code leaks users’ login data and addresses ∗∗∗ --------------------------------------------- My QR Code was informed about the leak almost two weeks ago, yet it failed to respond or secure its server. --------------------------------------------- https://www.hackread.com/qr-code-generator-my-qr-code-data-leak/ ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Fortinet schließt 40 Sicherheitslücken, PoC-Exploit angekündigt ∗∗∗ --------------------------------------------- Fortinet hat im Februar Updates für diverse Produkte veröffentlicht, die insgesamt 40 Sicherheitslücken schließen. Davon gelten zwei als kritisch. --------------------------------------------- https://heise.de/-7520937 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (c-ares, gnutls28, golang-github-opencontainers-selinux, isc-dhcp, nss, openssl, snort, and thunderbird), Fedora (clamav, curl, phpMyAdmin, thunderbird, vim, webkitgtk, and xen), Red Hat (firefox), Slackware (kernel), SUSE (apache2-mod_security2, gssntlmssp, postgresql-jdbc, postgresql12, and timescaledb), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/923803/ ∗∗∗ Newly Disclosed Vulnerability Exposes EOL Arris Routers to Attacks ∗∗∗ --------------------------------------------- Malwarebytes warns of a remote code execution vulnerability impacting Arris G2482A, TG2492, and SBG10 routers, which have reached end-of-life (EOL). --------------------------------------------- https://www.securityweek.com/newly-disclosed-vulnerability-exposes-eol-arri… ∗∗∗ Critical SQL injection vulnerabilities in MISP (fixed in v2.4.166 and v2.4.167) ∗∗∗ --------------------------------------------- As of the past 2 months, we’ve received two separate reports of two unrelated SQLi vector vulnerabilities in MISP that can lead to any authenticated user being able to execute arbitrary SQL queries in MISP. --------------------------------------------- https://www.misp-project.org/2023/02/20/Critical_SQL_Injection_Vulnerabilit… ∗∗∗ IBM Security Bulletins 2023-02-20 ∗∗∗ --------------------------------------------- Flash Storage->RamSan-710, Flash Storage->RamSan-720, Flash Storage->RamSan-810, Flash Storage->RamSan-820, IBM Cloud Object Storage System, IBM Cloud Pak for Applications, IBM FlashSystem 720, IBM FlashSystem 900, IBM Multi-Enterprise Integration Gateway, IBM Multi-Enterprise Integration Gateway, IBM Power E1050 (9043-MRX), IBM Power L1022 (9786-22H), IBM Power L1024 (9786-42H), IBM Power S1014 (9105-41B), IBM Power S1022 (9105-22A), IBM Power S1022s (9105-22B), IBM Power S1024 (9105-42A), IBM WebSphere Hybrid Edition, Tivoli System Automation Application Manager --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2023
by Daily end-of-shift report 17 Feb '23

17 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-02-2023 18:00 − Freitag 17-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Mirai Botnet Variant V3G4 Exploiting 13 Flaws to Target Linux and IoT Devices ∗∗∗ --------------------------------------------- A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor. --------------------------------------------- https://thehackernews.com/2023/02/new-mirai-botnet-variant-v3g4.html ∗∗∗ Massenhaft SMS im Namen des Finanzamts im Umlauf ∗∗∗ --------------------------------------------- Wir erhalten derzeit zahlreiche Meldungen zu einer SMS, die im Namen des Finanzamtes versendet wird. Angeblich besteht eine offene Forderung, die trotz mehrfacher Mahnungen nicht beglichen wurde. Bei Nichtzahlung bis zum 18. Februar drohe der Gerichtsvollzieher und die Pfändung. Lassen Sie sich nicht unter Druck setzen. Es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/massenhaft-sms-im-namen-des-finanzam… ∗∗∗ Kritische Sicherheitslücken in ClamAV - Updates verfügbar ∗∗∗ --------------------------------------------- 17. Februar 2023 Beschreibung Zwei kritische Schwachstellen in ClamAV erlauben es unauthentisierten Angreifenden, beliebigen Code auszuführen. CVE-Nummer(n): CVE-2023-20032, CVE-2023-20052 Auswirkungen Die Lücken in ClamAV können durch präparierte HFS+ bzw. DMG Images ausgelöst werden. Da ClamAV oft als Virenscanner in Mailservern eingesetzt wird, können durch den Versand entsprechender Files per Email verwundbare Installationen kompromittiert werden. [...] --------------------------------------------- https://cert.at/de/warnungen/2023/2/kritische-sicherheitslucken-in-clamav ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories ∗∗∗ --------------------------------------------- Secerity Critical: * FortiNAC - External Control of File Name or Path in keyUpload scriptlet * FortiWeb - Stack-based buffer overflows in Proxyd Severity High: 15 Advisories * FortiADC, FortiExtender, FortiNAC, FortiOS, FortiProxy, FortiSwitchManager, FortiWAN, FortiWeb Severity Medium/Low: 23 Advisories --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=02-2023 ∗∗∗ Node.js Thursday February 16 2023 Security Releases ∗∗∗ --------------------------------------------- * OpenSSL Security updates * Node.js Permissions policies can be bypassed via process.mainModule * Node.js OpenSSL error handling issues in nodejs crypto library * Fetch API in Node.js did not protect against CRLF injection in host headers * Regular Expression Denial of Service in Headers in Node.js fetch API * Node.js insecure loading of ICU data through ICU_DATA environment variable * npm update for Node.js 14 --------------------------------------------- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/ ∗∗∗ CISA Releases Fifteen Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * Siemens Solid Edge * Siemens SCALANCE X-200 IRT * Siemens Brownfield Connectivity Client * Siemens Brownfield Connectivity Gateway * Siemens SiPass integrated AC5102/ACC-G2 and ACC-AP * Siemens Simcenter Femap * Siemens TIA Project Server * Siemens RUGGEDCOM APE1808 * Siemens SIMATIC Industrial Products * Siemens COMOS * Siemens Mendix * Siemens JT Open, JT Utilities, and Parasolid * Sub-IoT DASH 7 Alliance Protocol * Delta Electronic DIAEnergie (Update B) * BD Alaris Infusion Central --------------------------------------------- https://www.cisa.gov/uscert/ncas/current-activity/2023/02/16/cisa-releases-… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (firefox, phpMyAdmin, tpm2-tools, and tpm2-tss), Slackware (mozilla), SUSE (mozilla-nss, rubygem-actionpack-4_2, rubygem-actionpack-5_1, and tar), and Ubuntu (linux-azure and linux-hwe-5.19). --------------------------------------------- https://lwn.net/Articles/923644/ ∗∗∗ Vulnerability in IP Quorum affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- * IBM Decision Optimization in IBM Cloud Pak for Data is vulnerable to jsonwebtoken CVEs * IBM FlashSystem 9100 family and IBM Storwize V7000 2076-724 (Gen3) systems are NOT affected by security vulnerabilities CVE-2018-12037 and CVE-2018-12038 * IBM MQ Operator and Queue Manager container images are vulnerable to vulnerabilities from libksba and sqlite (CVE-2022-47629 and CVE-2022-35737) * IBM Security Guardium Data Encryption is using Components with Known Vulnerabilities (CVE-2022-31129, CVE-2022-24785) * IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) * IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] * Java vulnerabilities affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * LDAP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple Vulnerabilities in Multicloud Management Security Services * Multiple vulnerabilities found with third-party libraries used by IBM® MobileFirst Platform * Multiple vulnerabilities in Golang Go affect IBM Decision Optimization in IBM Cloud Pak for Data * Multiple vulnerabilities in IBM Java SDK affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in IBM Java SDK affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Network Security (NSS) vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * OpenSLP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerabilities in IBM Java affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerabilities in IBM Java and Apache Tomcat affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products* Vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-11776) * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( CVE-2018-11784) * Vulnerability in DHCP affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5732) * Vulnerability in IBM Java SDK affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2019-2602) * Vulnerability in IP Quorum affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in OpenSLP affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( CVE-2017-17833) * Vulnerability in OpenSSL affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in SSH protocols affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2008-5161) * Vulnerability in Service Assistant affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-1775) * Vulnerability in sed affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerability in the Linux kernel affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5391) * Vulnerability in zlib affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Atrocore 1.5.25 Shell Upload ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020029 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.02.2023
by Daily end-of-shift report 16 Feb '23

16 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-02-2023 18:00 − Donnerstag 16-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emsisoft says hackers are spoofing its certs to breach networks ∗∗∗ --------------------------------------------- A hacker is using fake code-signing certificates impersonating cybersecurity firm Emsisoft to target customers using its security products, hoping to bypass their defenses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emsisoft-says-hackers-are-sp… ∗∗∗ Hackers backdoor Microsoft IIS servers with new Frebniis malware ∗∗∗ --------------------------------------------- Hackers are deploying a new malware named Frebniss on Microsofts Internet Information Services (IIS) that stealthily executes commands sent via web requests. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-backdoor-microsoft-i… ∗∗∗ „Fake Customer Trick“: Kriminelle ergaunern hochwertige Produkte ∗∗∗ --------------------------------------------- Der Name des Halbleiterherstellers Infineon wird derzeit für kriminelle Zwecke missbraucht: Per Mail geben sich Betrüger:innen als Infineon-Mitarbeiter Marcus Schlenker aus und bekunden Interesse an einer Großbestellung. Für die Empfänger:innen klingt das nach einem unkomplizierten und schnellen Geschäft. Doch tatsächlich landen die versendeten Produkte in den Händen von Kriminellen, auf die Bezahlung warten die Opfer vergeblich. --------------------------------------------- https://www.watchlist-internet.at/news/fake-customer-trick-kriminelle-ergau… ∗∗∗ Malware Reverse Engineering for Beginners – Part 2 ∗∗∗ --------------------------------------------- Often, malware targeting Windows will be packed and delivered as a second stage. There are different ways to “deliver” malware to the endpoint. This blog will cover key concepts and examples regarding how malware is packed, obfuscated, delivered, and executed on the endpoint. --------------------------------------------- https://www.intezer.com/blog/incident-response/malware-reverse-engineering-… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday bei Intel: Angreifer könnten Server über Root-Lücke attackieren ∗∗∗ --------------------------------------------- Intel hat für verschiedene Firm- und Software wichtige Sicherheitsupdates veröffentlicht. In vielen Fällen könnten sich Angreifer höhere Rechte verschaffen. --------------------------------------------- https://heise.de/-7517141 ∗∗∗ Jetzt patchen! Entwickler des CMS Joomla warnen vor kritischer Sicherheitslücke ∗∗∗ --------------------------------------------- Es ist ein "sehr wichtiger" Sicherheitspatch für Joomla erscheinen. --------------------------------------------- https://heise.de/-7517312 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (community-mysql, edk2, firefox, and git), Slackware (curl and git), SUSE (apache2-mod_security2, aws-efs-utils, bind, curl, git, ImageMagick, java-11-openjdk, java-17-openjdk, java-1_8_0-openjdk, kernel, libksba, and mozilla-nss), and Ubuntu (golang-golang-x-text, golang-x-text, linux-aws, linux-intel-iotg, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux linux-ibm-5.4, linux-oracle-5.4, linux-gke, linux-gke-5.15, nss, and xorg-server, xorg-server-hwe-16.04). --------------------------------------------- https://lwn.net/Articles/923503/ ∗∗∗ Splunk Enterprise Updates Patch High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- Splunk updates for Enterprise products resolve multiple high-severity vulnerabilities, including several in third-party packages. --------------------------------------------- https://www.securityweek.com/splunk-enterprise-updates-patch-high-severity-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.8 ∗∗∗ --------------------------------------------- CVE-2023-0616: User Interface lockup with messages combining S/MIME and OpenPGP CVE-2023-25728: Content security policy leak in violation reports using iframes CVE-2023-25730: Screen hijack via browser fullscreen mode CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry CVE-2023-25738: Printing on Windows could potentially crash Thunderbird with some device drivers CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8 ... --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/ ∗∗∗ MISP 2.4.168 released with bugs fixed, security fixes and major improvements in STIX support. ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.168 with bugs fixed and various security fixes. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.168 ∗∗∗ ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ WAGO: Exposure of configuration interface in unmanaged switches ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-055/ ∗∗∗ IBM App Connect Enterprise is affected by a remote attacker due to the zip4j library [CVE-2023-22899] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955913 ∗∗∗ Multiple vulnerabilities in moment.js affect IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31129, CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852667 ∗∗∗ IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6850801 ∗∗∗ WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956223 ∗∗∗ Intel Ethernet controllers as used in IBM QRadar SIEM are vulnerable to a denial of service (CVE-2021-0197, CVE-2021-0198, CVE-2021-0199, CVE-2021-0200) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956287 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.02.2023
by Daily end-of-shift report 15 Feb '23

15 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-02-2023 18:00 − Mittwoch 15-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Adobe Patchday: Schadcode-Attacken auf After Effects & Co. möglich ∗∗∗ --------------------------------------------- Adobe hat unter anderem für After Effects, InDesign und Photoshop Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-7496102 ∗∗∗ Bluetooth-Fehler in Android 13 kann Diabetiker gefährden ∗∗∗ --------------------------------------------- Ein Fehler in Android 13 kann die Kommunikation zwischen Blutzuckersensor und zugehöriger App stören. Dann warnt die App nicht vor gefährlicher Unterzuckerung. --------------------------------------------- https://heise.de/-7496644 ∗∗∗ Angreifer attackieren Microsoft 365 und Windows - Mehrere kritische Lücken ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für unter anderem Azure, Exchange Server und Windows erschienen. Mehrere Lücken sind als "kritisch" eingestuft. --------------------------------------------- https://heise.de/-7496015 ∗∗∗ Abo-Falle beim Kauf von Handyhüllen auf puffcase-official.com ∗∗∗ --------------------------------------------- Wenn Sie auf der Suche nach einer Schutzhülle für Ihr Smartphone sind, nehmen Sie sich vor puffcase-official.com in Acht. Während die „Puffcases“ auf den ersten Blick günstig wirken und zu einem schnellen Kauf verleiten, stellt sich die Seite als Abo-Falle heraus. Davon erfahren Sie erst, wenn die neuerliche Abbuchung auf Ihrer Kreditkarte auftaucht. Bestellen Sie hier nicht! --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-beim-kauf-von-handyhuellen… ∗∗∗ NPM packages posing as speed testers install crypto miners instead ∗∗∗ --------------------------------------------- A new set of 16 malicious NPM packages are pretending to be internet speed testers but are, in reality, coinminers that hijack the compromised computers resources to mine cryptocurrency for the threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-packages-posing-as-speed… ∗∗∗ Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack ∗∗∗ --------------------------------------------- Gone in 60 seconds using a USB-A plug and brute force instead of a key Korean car-makers Hyundai and Kia will issue software updates to some of their models after a method of stealing them circulated on TikTok, leading to many thefts and even some deaths. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/02/15/hyundai_kia_… ∗∗∗ PYbot DDoS Malware Being Distributed Disguised as a Discord Nitro Code Generator ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered Pybot DDoS being distributed with illegal software. The program used as bait by the threat actor is a token generator called Nitro Generator. Nitro is a paid Discord service with various benefits which can be seen below in Figure 1. Nitro Generator is a tool that generates codes that can be used for free access to Nitro. --------------------------------------------- https://asec.ahnlab.com/en/47789/ ∗∗∗ cURL audit: How a joke led to significant findings ∗∗∗ --------------------------------------------- In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. [..] the fuzzer quickly uncovered memory corruption bugs, specifically use-after-free issues, double-free issues, and memory leaks. Because the bugs are in libcurl, a cURL development library, they have the potential to affect the many software applications that use libcurl. This blog post describes how we found the following vulnerabilities --------------------------------------------- https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-… ∗∗∗ ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric ∗∗∗ --------------------------------------------- Siemens has published 13 new advisories covering a total of 86 vulnerabilities. [..] Schneider Electric has published three advisories covering 10 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-100-vulnerabilities-addresse… ∗∗∗ DNS Abuse Techniques Matrix ∗∗∗ --------------------------------------------- The FIRST DNS Abuse SIG has been working on a document for some time, which has now finally been published: a matrix of DNS abuse techniques and their stakeholders. Its intended to help people experiencing DNS abuse, particularly incident responders and security teams. --------------------------------------------- https://www.first.org/global/sigs/dns/DNS-Abuse-Techniques-Matrix_v1.1.pdf ∗∗∗ Sustained Activity by Threat Actors ∗∗∗ --------------------------------------------- The European Union Agency for Cybersecurity (ENISA) and the CERT of the EU institutions, bodies and agencies (CERT-EU) jointly published a report to alert on sustained activity by particular threat actors. The malicious cyber activities of the presented threat actors pose a significant and ongoing threat to the European Union. --------------------------------------------- https://www.enisa.europa.eu/news/sustained-activity-by-threat-actors ∗∗∗ Abusing Azure App Service Managed Identity Assignments ∗∗∗ --------------------------------------------- [...] Managed Identities are great and admins should absolutely use them. But admins also need to understand the risks that come with Managed Identities and how to deal with those risks. In this blog post I will explain those risks, demonstrate how an attacker can abuse App Service Managed Identity assignments, and show you how to identify and deal with those risks yourself. --------------------------------------------- https://posts.specterops.io/abusing-azure-app-service-managed-identity-assi… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD: Cross-Thread Return Address Predictions ∗∗∗ --------------------------------------------- AMD internally discovered a potential vulnerability where certain AMD processors may speculatively execute instructions at an incorrect return site after an SMT mode switch that may potentially lead to information disclosure. AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges. --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045 ∗∗∗ HAProxy Security Update (CVE-2023-25725) ∗∗∗ --------------------------------------------- A team of security researchers notified me on Thursday evening that they had found a dirty bug in HAProxys headers processing, and that, when properly exploited, this bug allows to build an HTTP content smuggling attack. [..] The issue was fixed in all versions and all modes (HTX and legacy), and all versions were upgraded. [..] Distros were notified (not very long ago admittedly, the delay was quite short for them) and updated packages will appear soon. --------------------------------------------- https://www.mail-archive.com/haproxy@formilux.org/msg43229.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28 and haproxy), Fedora (syslog-ng), Mageia (apr-util, chromium-browser-stable, editorconfig-core-c, ffmpeg, libzen, phpmyadmin, tpm2-tss, and webkit2), Oracle (kernel and kernel-container), Slackware (mozilla and php), SUSE (git, haproxy, kernel, nodejs18, phpMyAdmin, and timescaledb), and Ubuntu (APR-util, git, and haproxy). --------------------------------------------- https://lwn.net/Articles/923364/ ∗∗∗ Lenovo Product Security Advisories ∗∗∗ --------------------------------------------- * AMI MegaRAC SP-X BMC Redfish Vulnerabilities * AMI MegaRAC SP-X BMC Vulnerabilities * Crypto API Toolkit for Intel SGX Advisory * Intel Ethernet Controllers and Adapters Advisory * Intel Ethernet VMware Drivers Advisory * Intel Integrated Sensor Solution Advisory * Intel Server Platform Services (SPS) Vulnerabilities * Intel SGX SDK Advisory * Multi-Vendor BIOS Security Vulnerabilities (February 2023) --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ Released: February 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- Microsoft has released Security Updates (SUs) for vulnerabilities found in:Exchange Server 2013Exchange Server 2016Exchange Server 2019SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.SUs are available for the following specific versions of Exchange Server:Exchange Server 2013 CU23 (note that support and availability of SUs end on April 11, 2023)Exchange Server 2016 --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-426 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-426.html ∗∗∗ Advisory: Impact of Insyde UEFI Boot Issues on B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16759315… ∗∗∗ ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus Dashboard Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus Dashboard Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Email Security Appliance and Cisco Secure Email and Web Manager Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2023
by Daily end-of-shift report 14 Feb '23

14 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 13-02-2023 18:00 − Dienstag 14-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New stealthy Beep malware focuses heavily on evading detection ∗∗∗ --------------------------------------------- A new stealthy malware named Beep was discovered last week, featuring many features to evade analysis and detection by security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-beep-malware-fo… ∗∗∗ Exploiting a remote heap overflow with a custom TCP stack ∗∗∗ --------------------------------------------- In November 2021 our team took part in the ZDI Pwn2Own Austin 2021 competition with multiple entries. One of them successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required to mess with the remote TCP stack, so we wrote our own. This blog post will provide some technical details about it. --------------------------------------------- https://www.synacktiv.com/publications/exploiting-a-remote-heap-overflow-wi… ∗∗∗ Securing Open-Source Solutions: A Study of osTicket Vulnerabilities ∗∗∗ --------------------------------------------- One of the applications assessed was osTicket, an open-source ticketing system. With distinctive features and plugins, osTicket gives users the ability to “Manage, organize, and archive all your support requests and responses (...).” During our assessment, the Checkmarx Labs team found some interesting vulnerabilities. In this blog/report, not only will we disclose some of the identified vulnerabilities but also elaborate on the team’s approach to identifying them. --------------------------------------------- https://checkmarx.com/blog/securing-open-source-solutions-a-study-of-ostick… ∗∗∗ Amazon: Vorsicht vor Fake-Anrufen ∗∗∗ --------------------------------------------- Aktuell geben sich Kriminelle als Mitarbeiter:innen von Amazon aus und täuschen ein Problem mit Ihrer Bestellung vor. Sie werden aufgefordert Zahlungsdaten zu übermitteln, Zahlungen freizugeben und eine Wartungssoftware wie TeamViewer zu installieren. Legen Sie auf und blockieren Sie die Nummer. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-vorsicht-vor-fake-anrufen/ ∗∗∗ A Deep Dive into Reversing CODESYS ∗∗∗ --------------------------------------------- This white paper offers a technical deep dive into PLC protocols and how to safely scan CODESYS-based ICS networking stacks. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/14/a-deep-dive-into-reversing-code… ∗∗∗ Typosquatting: Legit Abquery Package Duped with Malicious Aabquerys ∗∗∗ --------------------------------------------- Aabquerys use the typosquatting technique to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery. --------------------------------------------- https://www.hackread.com/typosquatting-abquery-package-aabquerys/ ===================== = Vulnerabilities = ===================== ∗∗∗ Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug ∗∗∗ --------------------------------------------- Conditional code considered cryptographically counterproductive. --------------------------------------------- https://nakedsecurity.sophos.com/2023/02/13/serious-security-gnutls-follows… ∗∗∗ Patch Now: Apples iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw ∗∗∗ --------------------------------------------- Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild.Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution. --------------------------------------------- https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html ∗∗∗ Patchday: SAP schützt seine Software vor möglichen Attacken ∗∗∗ --------------------------------------------- Es sind unter anderem für SAP BusinessObjects und SAP Start Service wichtige Sicherheitsupdates erschienen. --------------------------------------------- https://heise.de/-7494856 ∗∗∗ Bestimmte auf HP-Computern vorinstallierte Windows-10-Versionen sind verwundbar ∗∗∗ --------------------------------------------- Wer einen PC von HP mit einer älteren Windows-10-Ausgabe nutzt, sollte einen Sicherheitspatch installieren. --------------------------------------------- https://heise.de/-7494955 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imagemagick), Fedora (xml-security-c), Red Hat (grub2), SUSE (chromium, freerdp, libbpf, and python-setuptools), and Ubuntu (fig2dev and python-django). --------------------------------------------- https://lwn.net/Articles/923267/ ∗∗∗ Citrix Virtual Apps and Desktops Security Bulletin for CVE-2023-24483 ∗∗∗ --------------------------------------------- A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA. CVE-2023-24483 --------------------------------------------- https://support.citrix.com/article/CTX477616/citrix-virtual-apps-and-deskto… ∗∗∗ Citrix Workspace app for Windows Security Bulletin for CVE-2023-24484 & CVE-2023-24485 ∗∗∗ --------------------------------------------- A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA. CVE-2023-24484 & CVE-2023-24485 --------------------------------------------- https://support.citrix.com/article/CTX477617/citrix-workspace-app-for-windo… ∗∗∗ Citrix Workspace app for Linux Security Bulletin for CVE-2023-24486 ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Workspace app for Linux that, if exploited, may result in a malicious local user being able to gain access to the Citrix Virtual Apps and Desktops session of another user who is using the same computer from which the ICA session is launched. CVE-2023-24486 --------------------------------------------- https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux… ∗∗∗ SonicWall Email Security Information Discloser Vulnerability ∗∗∗ --------------------------------------------- SonicWall Email Security contains a vulnerability that could permit a remote unauthenticated attacker access to an error page that includes sensitive information about users email addresses. CVE: CVE-2023-0655 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0002 ∗∗∗ The installers of ELECOM Camera Assistant and QuickFileDealer may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- The installers of ELECOM Camera Assistant and QuickFileDealer provided by ELECOM CO.,LTD. may insecurely load Dynamic Link Libraries. --------------------------------------------- https://jvn.jp/en/jp/JVN60263237/ ∗∗∗ Improper restriction of XML external entity reference (XXE) vulnerability in tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools ∗∗∗ --------------------------------------------- tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN00712821/ ∗∗∗ 101news By Mayuri K 1.0 SQL Injection ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020025 ∗∗∗ Developed by Ameya Computers LOGIN SQL INJECTİON ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020024 ∗∗∗ SSA-953464 V1.0: Multiple Vulnerabilites in Siemens Brownfield Connectivity - Client before V2.15 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf ∗∗∗ SSA-847261 V1.0: Multiple SPP File Parsing Vulnerabilities in Tecnomatix Plant Simulation ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-847261.pdf ∗∗∗ SSA-836777 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-836777.pdf ∗∗∗ SSA-744259 V1.0: Golang Vulnerabilities in Brownfield Connectivity - Gateway before V1.10.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf ∗∗∗ SSA-693110 V1.0: Buffer Overflow Vulnerability in COMOS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-693110.pdf ∗∗∗ SSA-686975 V1.0: IPU 2022.3 Vulnerabilities in Siemens Industrial Products using Intel CPUs ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-686975.pdf ∗∗∗ SSA-658793 V1.0: Command Injection Vulnerability in SiPass integrated AC5102 / ACC-G2 and ACC-AP ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-658793.pdf ∗∗∗ SSA-640968 V1.0: Untrusted Search Path Vulnerability in TIA Project-Server formerly known as TIA Multiuser Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-640968.pdf ∗∗∗ SSA-617755 V1.0: Denial of Service Vulnerability in the SNMP Agent of SCALANCE X-200IRT Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-617755.pdf ∗∗∗ SSA-565356 V1.0: X_T File Parsing Vulnerabilities in Simcenter Femap before V2023.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-565356.pdf ∗∗∗ SSA-491245 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-491245.pdf ∗∗∗ SSA-450613 V1.0: Insyde BIOS Vulnerabilities in RUGGEDCOM APE1808 Product Family ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-450613.pdf ∗∗∗ SSA-252808 V1.0: XPath Constraint Vulnerability in Mendix Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf ∗∗∗ PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-001/ ∗∗∗ Weintek EasyBuilder Pro cMT Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-045-01 ∗∗∗ Advisory: Reflected Cross-Site Scripting Vulnerabitities in SDM ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16756072… ∗∗∗ IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to Apache Commons Text [CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955251 ∗∗∗ IBM App Connect Enterprise Certified Container operands may be vulnerable to security restrictions bypass due to [CVE-2021-25743] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955255 ∗∗∗ IBM Sterling Control Center is vulnerable to a denial of service due to Jave SE (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955277 ∗∗∗ IBM Sterling Control Center is vulnerable to security bypass due to Eclipse Openj9 (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955281 ∗∗∗ CVE-2022-21624 may affect IBM\u00ae SDK, Java\u2122 Technology Edition for Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955493 ∗∗∗ CVE-2022-3676 may affect Eclipse Openj9 used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955497 ∗∗∗ IBM QRadar SIEM is vulnerable to possible information disclosure [CVE-2023-22875] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.02.2023
by Daily end-of-shift report 13 Feb '23

13 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-02-2023 18:00 − Montag 13-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Erpressungstrojaner Play infiltriert Systeme von A10 Networks ∗∗∗ --------------------------------------------- Angreifer konnten auf interne Daten des Herstellers von Netzwerkgeräten A10 Networks zugreifen. Kundendaten sollen nicht betroffen sein. --------------------------------------------- https://heise.de/-7493748 ∗∗∗ Gefälschtes Therme Wien-Gewinnspiel auf Facebook ∗∗∗ --------------------------------------------- Auf Facebook kursiert momentan ein betrügerisches Gewinnspiel für einen Tagesurlaub inklusive Massage in der Therme Wien. Das Gewinnspiel, das von der Facebook-Seite „Freizeit-Helden“ beworben wird, steht aber in keinem Zusammenhang mit der Therme Wien und sammelt Daten. Nehmen Sie nicht teil und melden Sie das Posting. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-therme-wien-gewinnspiel… ∗∗∗ Details zur LocalPotato NTLM Authentication-Schwachstelle (CVE-2023-21746) ∗∗∗ --------------------------------------------- Mitte Januar 2023 Monat hatte ich im Blog-Beitrag Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) auf eine lokale NTLM-Authentifizierungsschwachstelle (CVE-2023-21746) hingewiesen. Die Entdecker bezeichnen diese als LocalPotator, hatten seinerzeit aber keine Details offen gelegt. Jetzt wurde dies nachgeholt. --------------------------------------------- https://www.borncity.com/blog/2023/02/11/details-zur-localpotato-ntlm-authe… ∗∗∗ We had a security incident. Here’s what we know. ∗∗∗ --------------------------------------------- TL:DR Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems. --------------------------------------------- https://www.reddit.com/r/netsec/comments/10y59q2/we_had_a_security_incident… ∗∗∗ Devs targeted by W4SP Stealer malware in malicious PyPi packages ∗∗∗ --------------------------------------------- Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-steale… ∗∗∗ Security baseline for Microsoft Edge version 110 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 110! We have reviewed the new settings in Microsoft Edge version 110 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 107 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. Microsoft Edge version 110 introduced 13 new computer settings and 13 new user settings. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ PCAP Data Analysis with Zeek, (Sun, Feb 12th) ∗∗∗ --------------------------------------------- Having full packet captures of a device or an entire network can be extremely useful. It is also a lot of data to go through and process manually. Zeek [1] can help to simplify network traffic analysis. It can also help save a lot of storage space. I'll be going through and processing some PCAP data collected from my honeypot. --------------------------------------------- https://isc.sans.edu/diary/rss/29530 ∗∗∗ Linux auditd for Threat Hunting [Part 2] ∗∗∗ --------------------------------------------- In this part, I will highlight only 1 technique (process/command execution) and explain the fields. In Part 3, I will show you tests I ran for several other behaviors. --------------------------------------------- https://izyknows.medium.com/linux-auditd-for-threat-hunting-part-2-c75500f5… ∗∗∗ Crypto Wallet Address Replacement Attack ∗∗∗ --------------------------------------------- At around 17:49 UTC on 9 February 2023, Phylum’s automated risk detection platform began alerting us to a long series of suspicious publications which appear to be a revived attempt to deliver the same crypto wallet clipboard replacing malware. This time, however, the attacker changed the obfuscation technique and radically increased the volume of attacks. [..] over 451 unique packages. These targeted some very popular packages, many of them in the crypto/finance and web development space --------------------------------------------- https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-repla… ∗∗∗ The Linux Kernel and the Cursed Driver (CVE-2022-4842) ∗∗∗ --------------------------------------------- TL;DR: We found a bug in the not-so-well-maintained NTFS3 driver in Linux. Abusing the vulnerability could lead to a denial-of-service (DoS) attack on machines with a mounted NTFS filesystem. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/the-linux-kernel-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Monitorr 1.7.6 Shell Upload ∗∗∗ --------------------------------------------- Topic: Monitorr 1.7.6 Shell Upload Risk: High Text:# Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution # Exploit Author: Achuth V P (retrymp3... --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020021 ∗∗∗ Cisco Email Security Appliance URL Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- On January 18, 2023, Cisco disclosed the following: A vulnerability in the URL filtering mechanism of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. [...] After additional investigation, it was determined that this vulnerability is not exploitable. For more information, see the Workarounds section of this advisory. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ABB Cyber Security Advisory: Drive Composer multiple vulnerabilities ∗∗∗ --------------------------------------------- Affected products: CVE-2018-1285, CVE-2022-35737, CVE-2021-27293, CVE-2022-37434: - Drive Composer entry 2.8 and earlier - Drive Composer pro 2.8 and earlier. CVE-2018-1002205: - Drive Composer entry 2.4 and earlier - Drive Composer pro 2.4 and earlier An attacker who successfully exploited these vulnerabilities could cause the product to stop, make the product inaccessible or insert and run arbitrary code. --------------------------------------------- https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=9AKK1… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libde265 and snort), Fedora (chromium, openssl, php-symfony4, qt5-qtbase, qt6-qtbase, tigervnc, vim, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (gnutls), SUSE (apr-util, grafana, java-1_8_0-ibm, kernel, less, libksba, opera, postgresql12, postgresql13, postgresql14, postgresql15, python-py, webkit2gtk3, wireshark, and xrdp), and Ubuntu (nova and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/923163/ ∗∗∗ Wordpress Multiple themes - Unauthenticated Arbitrary File Upload ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020022 ∗∗∗ NEC PC Settings Tool vulnerable to missing authentication for critical function ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60320736/ ∗∗∗ Multiple vulnerabilities in PLANEX COMMUNICATIONS Network Camera CS-WMV02G ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN98612206/ ∗∗∗ IBM Security Bulletins 2023-02-13 ∗∗∗ --------------------------------------------- * AIX is vulnerable to denial of service vulnerabilities * IBM Cloud Pak for Network Automation v2.4.3 addresses multiple security vulnerabilities * IBM MQ Appliance is vulnerable to an unspecified Java SE vulnerability (CVE-2022-21626) * IBM PowerVM Novalink is vulnerable because Apache Commons IO could allow a remote attacker to traverse directories on the system * IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to protobuf-java core and lite are vulnerable to a denial of service. (CVE-2022-3509) * IBM PowerVM Novalink is vulnerable because Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. (CVE-2022-21628) * IBM QRadar SIEM includes multiple components with known vulnerabilities * IBM QRadar SIEM is vulnerable to information exposure (CVE-2022-34351) * IBM Security Directory Integrator is affected by multiple security vulnerabilities * IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43579) * IBM Sterling B2B Integrator is vulnerable to denial of service due to Spring Framework (CVE-2022-22970) * IBM Sterling B2B Integrator is vulnerable to http header injection due to IBM WebSphere Application Server (CVE-2022-34165) * IBM Sterling Connect:Direct FTP+ is vulnerable to denial of service due to IBM Java (CVE-2022-21626) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js bunyan module command execution * The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231) * Vulnerabilities with ca-certificates, OpenJDK, Sudo affect IBM Cloud Object Storage Systems (Feb 2023v1) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2023
by Daily end-of-shift report 10 Feb '23

10 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-02-2023 18:00 − Freitag 10-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Obfuscated Deactivation of Script Block Logging, (Fri, Feb 10th) ∗∗∗ --------------------------------------------- PowerShell has a great built-in feature called "Script Block Logging"[1]. It helps to record all activities performed by a script and is a goldmine for incident handlers. That's the reason why attackers tend to try to disable this feature. There are many ways to achieve this, but I found an interesting one. --------------------------------------------- https://isc.sans.edu/diary/rss/29538 ∗∗∗ Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign ∗∗∗ --------------------------------------------- Late last year we reported on a malware campaign targeting thousands of WordPress websites to redirect visitors to bogus Q&A websites. The sites themselves contained very little useful information to a regular visitor, but — more importantly — also contained Google Adsense advertisements. It appeared to be an attempt to artificially pump ad views to generate revenue. Since September, our SiteCheck remote scanner has detected this campaign on 10,890 infected sites. --------------------------------------------- https://blog.sucuri.net/2023/02/bogus-url-shorteners-redirect-thousands-of-… ∗∗∗ Cracking the Odd Case of Randomness in Java ∗∗∗ --------------------------------------------- During a recent white-box assessment, we came across the use of RandomStringUtils.randomAlphanumeric being used in a security sensitive context. We knew it used Java’s weak java.util.Random class but were interested in seeing how practically exploitable it actually was, so we decided to dig into it and see how it worked under the hood. --------------------------------------------- https://www.elttam.com/blog/cracking-randomness-in-java/ ∗∗∗ What are the writable shares in this big domain? ∗∗∗ --------------------------------------------- RSMBI is a python tool that answers to the question: What are the writable shares in this big domain? RSMBI connect to each target and it mounts the available shares in the /tmp folder (but that can also be changed). Once the shares are successfully mounted the threads (or the solo one) would start (os.)walking recursively all the folders, trying get a file handle with writing rights. --------------------------------------------- https://github.com/oldboy21/RSMBI ∗∗∗ 0Day Avalanche Blockchain API DoS ∗∗∗ --------------------------------------------- This is a remote API DoS/crash that should OOM chain P and render a vulnerable node mostly or entirely useless. --------------------------------------------- https://g.livejournal.com/15852.html ∗∗∗ Fake-Spendenaufrufe: Kriminelle missbrauchen Erdbebenkatastrophe ∗∗∗ --------------------------------------------- Das Erdbeben in der Türkei und in Nordsyrien löste eine Welle der Hilfsbereitschaft aus. Es gibt zahlreiche Möglichkeiten, um Überlebende finanziell zu unterstützen. Kriminelle missbrauchen die humanitäre Krise und versuchen auf verschiedenen Wegen die Solidarität durch Fake-Spendenaufrufe auszunutzen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-spendenaufrufe-kriminelle-missb… ===================== = Vulnerabilities = ===================== ∗∗∗ CKSource CKEditor5 35.4.0 Cross Site Scripting ∗∗∗ --------------------------------------------- CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via Full Featured CKEditor5 Widget as the editor failsto sanitize user provided data. --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020019 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (postgresql-11 and sox), Fedora (opusfile), SUSE (bind, jasper, libapr-util1, pkgconf, tiff, and xrdp), and Ubuntu (cinder, imagemagick, less, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux, linux-azure, linux-azure-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-azure-4.15, linux-dell300x, linux-gke, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-snapdragon, nova, and swift). --------------------------------------------- https://lwn.net/Articles/922929/ ∗∗∗ Statement About the DoS Vulnerability in the E5573Cs-322 ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20230210-01… ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954671 ∗∗∗ Vulnerabilities in IBM Semeru Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619, CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954673 ∗∗∗ Vulnerability in IBM Java Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954675 ∗∗∗ Vulnerability in IBM Java (CVE-2022-3676) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954681 ∗∗∗ Vulnerability in IBM Java (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624 and CVE-2022-21619) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954683 ∗∗∗ Vulnerability in Firefox (CVE-2022-43926) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954679 ∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954685 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to arbitrary code execution due to [CVE-2022-45907] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954691 ∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954695 ∗∗∗ CVE-2022-3676 may affect IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954701 ∗∗∗ IBM MQ Appliance is vulnerable to identity spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6823807 ∗∗∗ IBM MQ Appliance is affected by kernel vulnerabilities (CVE-2021-45485, CVE-2021-45486 and CVE-2022-1012) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851373 ∗∗∗ IBM MQ Appliance is vulnerable to HTTP header injection (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622055 ∗∗∗ IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622053 ∗∗∗ IBM MQ Appliance is vulnerable to improper session invalidation (CVE-2022-40230) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622051 ∗∗∗ IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622041 ∗∗∗ IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622047 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of servce due to IBM Java (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954727 ∗∗∗ A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM\/GKLM) (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954723 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2023
by Daily end-of-shift report 09 Feb '23

09 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-02-2023 18:00 − Donnerstag 09-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New ESXiArgs ransomware version prevents VMware ESXi recovery ∗∗∗ --------------------------------------------- New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-vers… ∗∗∗ Solving one of NOBELIUM’s most novel attacks: Cyberattack Series ∗∗∗ --------------------------------------------- This is the first in an ongoing series exploring some of the most notable cases of the Microsoft Detection and Response Team (DART), which investigates cyberattacks on behalf of our customers. The Cyberattack Series takes you behind the scenes for an inside look at the investigation and share lessons that you can apply to better protect your own organization. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/02/08/solving-one-of-nob… ∗∗∗ [SANS ISC] A Backdoor with Smart Screenshot Capability ∗∗∗ --------------------------------------------- Today, everything is “smart” or “intelligent”. We have smartphones, smart cars, smart doorbells, etc. Being “smart” means performing actions depending on the context, the environment, or user actions. For a while, backdoors and trojans have implemented screenshot capabilities. From an attacker’s point of view, it’s interesting to “see” what’s displayed on the victim’s computer. --------------------------------------------- https://blog.rootshell.be/2023/02/09/sans-isc-a-backdoor-with-smart-screens… ∗∗∗ Exploit Vector Analysis of Emerging ESXiArgs Ransomware ∗∗∗ --------------------------------------------- In recent days CVE-2021-21974, a heap-overflow vulnerability in VMWare ESXi’s OpenSLP service has been prominently mentioned in the news in relation to a wave of ransomware effecting numerous organizations. The relationship between CVE-2021-21974 and the ransomware campaign may be blown out of proportion. We do not currently know what the initial access vector is, and it is possible it could be any of the vulnerabilities related to ESXi’s OpenSLP service. --------------------------------------------- https://www.greynoise.io/blog/exploit-vector-analysis-of-emerging-esxiargs-… ∗∗∗ Passwort-Manager: Umstrittene Sicherheitslücke in KeePass beseitigt ∗∗∗ --------------------------------------------- Eine viel diskutierte Sicherheitslücke, die Einbrechern im System den Passwort-Export erleichterte, hat der Entwickler nun mit einem Update geschlossen. --------------------------------------------- https://heise.de/-7489944 ∗∗∗ Datenleck: Deezer informiert Kunden jetzt per E-Mail ∗∗∗ --------------------------------------------- 230 Millionen Deezer-Datensätze wurden entwendet und etwa beim Have-I-been-pwned-Projekt hinzugefügt. Jetzt informiert Deezer betroffene Kunden darüber. --------------------------------------------- https://heise.de/-7490760 ∗∗∗ Teures Visum bei asia-visa.com ∗∗∗ --------------------------------------------- Sie möchten ein Visum für Thailand oder Vietnam beantragen? Bei einer Internetrecherche stoßen Sie möglicherweise auf asia-visa.com – ein Anbieter, der Ihnen den „Papierkram“ abnimmt. Wir raten Ihnen ab, das überteuerte Angebot zu nutzen und empfehlen, die Einreisegenehmigung über die offizielle Stelle zu beantragen. --------------------------------------------- https://www.watchlist-internet.at/news/teures-visum-bei-asia-visacom/ ∗∗∗ CISA and FBI Release ESXiArgs Ransomware Recovery Guidance ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as “ESXiArgs.” Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/08/cisa-and-fbi-rele… ∗∗∗ Neue PayPal-Betrugsmasche – mit echten Push-Benachrichtigungen (Feb. 2023) ∗∗∗ --------------------------------------------- Über Twitter bin ich auf eine neue Betrugsmasche hingewiesen worden, die Leute schon mal ins Boxhorn jagen kann. Denn die Masche beginnt, dass das Opfer eine Push-Benachrichtigung von PayPal über eine Zahlung (per Einzug) bekommt. Aber die Nachricht ist trotzdem Betrug und hat das Ziel, an Daten des Opfers heranzukommen. Ich habe die Hinweise auf Twitter mal in diesem Beitrag zusammen gefasst. --------------------------------------------- https://www.borncity.com/blog/2023/02/08/neue-paypal-betrugsmasche-mit-echt… ∗∗∗ Sicherheitsvorfall bei wargaming.net (Feb. 2023)? ∗∗∗ --------------------------------------------- Ein Leser hat mich auf einen Sicherheitsvorfall beim Spieleentwickler wargaming.net aufmerksam gemacht. Ich habe dann ein wenig recherchiert, ist nicht der erste Vorfall bei diesem Anbieter. Es könnte aber auch ein Phishing-Versuch sein (das versuche ich noch zu klären). Hier einige Informationen, was mir bekannt ist. --------------------------------------------- https://www.borncity.com/blog/2023/02/09/sicherheitsvorfall-bei-wargaming-n… ∗∗∗ Evasion Techniques Uncovered: An Analysis of APT Methods ∗∗∗ --------------------------------------------- DLL search order hijacking and DLL sideloading are commonly used by nation state sponsored attackers to evade detection. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/09/evasion-techniques-uncovered-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Zoho ManageEngine ServiceDesk Plus 14003 Remote Code Execution ∗∗∗ --------------------------------------------- This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status. --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020017 ∗∗∗ SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow ∗∗∗ --------------------------------------------- The application suffers from a format string memory leak and stack buffer overflow vulnerability because it fails to properly sanitize user supplied input when calling the getenv() function from MSVCR120.DLL resulting in a crash overflowing the memory stack and leaking sensitive information. The attacker can abuse the username environment variable to trigger and potentially execute code on the affected system. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php ∗∗∗ Angreifer könnten über Nvidia GeForce Experience Daten manipulieren ∗∗∗ --------------------------------------------- In der aktuellen Version das Grafikkarten-Tools GeForce Experience von Nvidia haben die Entwickler drei Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7490068 ∗∗∗ Notfallpatch für Dateiübertragungslösung GoAnywhere MFT erschienen ∗∗∗ --------------------------------------------- Admins können ihre GoAnywhere-MFT-Server (On-Premises) nun mit einem Sicherheitsupdate gegen aktuelle laufende Attacken absichern. --------------------------------------------- https://heise.de/-7490040 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libsdl2, and wireshark), Fedora (pesign, tpm2-tss, and webkitgtk), Oracle (hsqldb, krb5, libksba, tigervnc, and tigervnc and xorg-x11-server), Red Hat (openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, rh-varnish6-varnish, tigervnc, and tigervnc and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), and SUSE (apache2, apache2-mod_security2, apr-util, netatalk, podman, python-swift3, rubygem-globalid, syslog-ng, and thunderbird). --------------------------------------------- https://lwn.net/Articles/922756/ ∗∗∗ Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras ∗∗∗ --------------------------------------------- A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time. [...] Dahua device vulnerabilities may be targeted by DDoS botnets, but in the case of CVE-2022-30564, it would most likely be exploited in highly targeted attacks whose goal is to tamper with evidence, rather than cybercrime operations. The issue was reported to the vendor in the fall of 2022. Dahua has released patches for each of the impacted devices. --------------------------------------------- https://www.securityweek.com/vulnerability-allows-hackers-to-remotely-tampe… ∗∗∗ CVE-2023-0003 Cortex XSOAR: Local File Disclosure Vulnerability in the Cortex XSOAR Server (Severity: MEDIUM) ∗∗∗ --------------------------------------------- A file disclosure vulnerability in the Palo Alto Networks Cortex XSOAR server software enables an authenticated user with access to the web interface to read local files from the server. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0003 ∗∗∗ CVE-2023-0002 Cortex XDR Agent: Product Disruption by Local Windows User (Severity: MEDIUM) ∗∗∗ --------------------------------------------- A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to execute privileged cytool commands that disable or uninstall the agent. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0002 ∗∗∗ CVE-2023-0001 Cortex XDR Agent: Cleartext Exposure of Agent Admin Password (Severity: MEDIUM) ∗∗∗ --------------------------------------------- An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0001 ∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-24964) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953519 ∗∗∗ IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6891111 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Eclipse Openj9 security bypass (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953807 ∗∗∗ AIX is vulnerable to arbitrary code execution due to libxml2 (CVE-2022-40303 and CVE-2022-40304) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953825 ∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953873 ∗∗∗ Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953879 ∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953641 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953593 ∗∗∗ Vulnerability in Axios affects IBM Process Mining . IBM X-Force ID: 232247 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6611183 ∗∗∗ Vulnerability in bpmn affects IBM Process Mining . WS-2019-0208 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852405 ∗∗∗ Vulnerability in bpmn affects IBM Process Mining . WS-2019-0148 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852407 ∗∗∗ Vulnerability in d3-color affects IBM Process Mining . WS-2022-0322 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856473 ∗∗∗ IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for user privilege escalation ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6909427 ∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954391 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to HTTP header injection due WebSphere Liberty Server (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954401 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954403 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to security bypass due to Apache HttpClient (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954405 ∗∗∗ Vulnerability in Apache Commons Text affects IBM Process Mining . CVE-2022-42889 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954409 ∗∗∗ Vulnerability in IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954411 ∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954421 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2023
by Daily end-of-shift report 08 Feb '23

08 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-02-2023 18:00 − Mittwoch 08-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware-Attacke: CISA veröffentlicht Wiederherstellungsskript für VMware ESXi ∗∗∗ --------------------------------------------- Die US-amerikanische Cyber-Sicherheitsbehörde CISA hat ein Wiederherstellungsskript bereitgestellt, mit dem betroffene Server gerettet werden könnten. --------------------------------------------- https://heise.de/-7488498 ∗∗∗ Achtung: Betrügerische Rechnungen in E-Mails und PayPal-App! ∗∗∗ --------------------------------------------- PayPal-User:innen aufgepasst: Kriminelle stellen aktuell Coinbase-Rechnungen über PayPal. Diese Rechnungen landen dadurch sowohl in Ihrem Mail-Postfach, als auch Ihrer PayPal-App und können dadurch für echt gehalten werden! Ignorieren Sie die Rechnungen und setzen Sie sich bei Unklarheiten mit PayPal in Verbindung. Bezahlen Sie nichts und befolgen Sie keinesfalls die Händler-Anweisungen aus der Rechnung. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betruegerische-rechnungen-in… ∗∗∗ Sicherheitsupdate: Acht Sicherheitslücken in OpenSSL geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit der Softwarebibliothek für verschlüsselte Verbindungen OpenSSL attackieren. Der Bedrohungsgrad hält sich aber in Grenzen. --------------------------------------------- https://heise.de/-7489560 ∗∗∗ Medusa botnet returns as a Mirai-based variant with ransomware sting ∗∗∗ --------------------------------------------- A new version of the Medusa DDoS (distributed denial of service) botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-botnet-returns-as-a-m… ∗∗∗ Simple HTML Phishing via Telegram Bot, (Wed, Feb 8th) ∗∗∗ --------------------------------------------- Monday, I wrote about the use of IP lookup APIs by bots. It turns out that it is not just bots using these APIs, but phishing e-mails are also taking advantage of them. --------------------------------------------- https://isc.sans.edu/diary/rss/29528 ∗∗∗ Post-Exploitation: Abusing the KeePass Plugin Cache ∗∗∗ --------------------------------------------- This blog post presents a post-exploitation approach to inject code into KeePass without process injection. It is performed by abusing the cache resulting from the compilation of PLGX plugin. --------------------------------------------- https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cac… ∗∗∗ A Detailed Analysis of a New Stealer Called Stealerium ∗∗∗ --------------------------------------------- Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. --------------------------------------------- https://securityscorecard.com/research/a-detailed-analysis-of-a-new-stealer… ∗∗∗ Rustproofing Linux (nccgroup) ∗∗∗ --------------------------------------------- The nccgroup blog is carrying afour-part series by Domen Puncer Kugler on how vulnerabilities can maketheir way into device drivers written in Rust. In other words, the CONFIG_INIT_STACK_ALL_ZERO build option does nothing for Rust code! Developers must be cautious to avoid shooting themselves in the foot when porting a driver from C to Rust, especially if they previously relied on this config option to mitigate this class of vulnerability. It seems that kernel info leaks and KASLR bypasses might be here to stay, at least, for a little while longer. --------------------------------------------- https://lwn.net/Articles/922638/ ∗∗∗ Pwn2Owning Two Hosts at the Same Time: Abusing Inductive Automation Ignition’s Custom Deserialization ∗∗∗ --------------------------------------------- Pwn2Own Miami 2022 was a fine competition. At the contest, I successfully exploited three different targets. In this blog post, I would like to show you my personal best research of the competition: the custom deserialization issue in Inductive Automation Ignition. --------------------------------------------- https://www.thezdi.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-… ∗∗∗ CVE-2022-21587: Rapid7 Observed Exploitation of Oracle E-Business Suite Vulnerability ∗∗∗ --------------------------------------------- Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-obser… ∗∗∗ How to Use Cloud Access Security Brokers for Data Protection ∗∗∗ --------------------------------------------- A cloud access security broker is a security policy enforcement point that can be located on-premises or in the cloud. Its purpose is to aggregate and implement an enterprise’s security policies whenever cloud-based resources are accessed. --------------------------------------------- https://www.hackread.com/cloud-access-security-brokers-data-protection/ ===================== = Vulnerabilities = ===================== ∗∗∗ PMASA-2023-1 ∗∗∗ --------------------------------------------- XSS vulnerability in drag-and-drop upload Affected Versions: phpMyAdmin versions prior to 4.9.11 and 5.2.1 are affected. The vulnerability has existed since release version 4.3.0. --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2023-1/ ∗∗∗ Webbrowser: Google Chrome dichtet Sicherheitslecks ab und ändert Release-Zyklus ∗∗∗ --------------------------------------------- Der Webbrowser Google Chrome 110 schließt 15 teils hochriskante Schwachstellen. Der Hersteller stellt zudem auf ein neues Release-System um. --------------------------------------------- https://heise.de/-7488524 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (heimdal, openssl, shim, and xorg-server), Oracle (kernel and thunderbird), Red Hat (git, libksba, samba, and tigervnc), Scientific Linux (thunderbird), Slackware (openssl and xorg), SUSE (EternalTerminal, openssl-1_0_0, openssl-1_1, openssl-3, openssl1, polkit, and sssd), and Ubuntu (git, grunt, heimdal, openssl, openssl1.0, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/922626/ ∗∗∗ Tuesday February 14 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, 18.x and 19.x releases lines on or shortly after, Tuesday February 14 2023 in order to address: 2 low severity issues. 2 medium severity issues. 1 high severity issues. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases ∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in The Huawei Children Smart Watch (Simba-AL00) ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvithc… ∗∗∗ IBM Security Bulletins 2023-02-08 ∗∗∗ --------------------------------------------- * A Security Vulnerability has been identified in the IBM Java SDK as shipped with IBM Security Verify Access. * IBM Aspera Orchestrator affected by vulnerability (CVE-2022-28615) * IBM® Db2® Connect Server is vulnerable due to the use of Apache HttpComponents. (CVE-2014-3577) * IBM® Db2® is vulnerable to an information disclosure vulnerabilitiy due to improper privilege management when a specially crafted table access is used. (CVE-2022-43927) * IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) * IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted Load command. (CVE-2022-43929) * IBM Jazz for Service Management is vulnerable to All XStream (Publicly disclosed vulnerability) (CVE-2022-41966) * IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Express.js Express denial of service (CVE-2022-24999) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Moment denial of service (CVE-2022-31129) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js follow-redirects module information disclosure vulnerabilities (CVE-2022-0536, CVE-2022-0155) * IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache James MIME4J (CVE-2022-45787) * IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) * Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.2 * Multiple vulnerabilities in the Expat library affect IBM® Db2® Net Search Extender may lead to denial of service or arbitrary code execution. * Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. * Unspecified vulnerability in Java Affects IBM Infosphere Global Name Management (CVE-2022-21496) * Vulnerabilities in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-22475, CVE-2022-22476) * Vulnerability in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-34165) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2023
by Daily end-of-shift report 07 Feb '23

07 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 06-02-2023 18:00 − Dienstag 07-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researcher breaches Toyota supplier portal with info on 14,000 partners ∗∗∗ --------------------------------------------- The issues were responsibly disclosed to Toyota on November 3, 2022, and the Japanese car maker confirmed they had been fixed by November 23, 2022. EatonWorks published a detailed writeup about the discoveries today after 90 days disclosure process had passed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-breaches-toyota-s… ∗∗∗ APIs Used by Bots to Detect Public IP address, (Mon, Feb 6th) ∗∗∗ --------------------------------------------- Many of the bots I am observing attempt to detect the infected system&#;x26;#;39;s public ("WAN") IP address. Most of these systems are assumed to be behind NAT. To detect the external IP address, these bots use various public APIs. It may be helpful to detect these requests. Many use unique host names. This will make detecting the request in DNS logs easy even if TLS is not intercepted. --------------------------------------------- https://isc.sans.edu/diary/rss/29516 ∗∗∗ Android Security Bulletin—February 2023 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. [..] The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. --------------------------------------------- https://source.android.com/docs/security/bulletin/2023-02-01 ∗∗∗ Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console ∗∗∗ --------------------------------------------- AWS applies a rate limit to authentication requests made to the AWS Console, in an effort to prevent brute-force and credential stuffing attacks. In this post, we discuss a weakness we discovered in the AWS Console authentication flow that allowed us to partially bypass this rate limit and continuously attempt more than 280 passwords per minute (4.6 per second). The weakness was since mitigated by AWS. --------------------------------------------- https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass/ ∗∗∗ Smishing: Vorsicht vor Fake Magenta-SMS ∗∗∗ --------------------------------------------- Momentan sind vermehrt gefälschte Magenta-SMS im Umlauf. In der Nachricht wird behauptet, dass Ihre Rechnung nicht beglichen werden konnte. Klicken Sie nicht auf den Link – dieser führt zu einer gefälschten Magenta-Seite, wo Kriminelle Ihre Daten und Ihr Geld stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/smishing-vorsicht-vor-diesem-fake-ma… ∗∗∗ Saferinternet.at-Studie: Jugendliche und Falschinformationen im Internet ∗∗∗ --------------------------------------------- Anlässlich des heutigen Safer Internet Day führte Saferinternet.at eine Studie zum Thema „Jugendliche und Falschinformationen im Internet“ durch. Die Studienergebnisse zeigen, dass Österreichs Jugendliche beim Umgang mit Informationen im Internet in einem Dilemma stecken: Die Jugendlichen informieren sich zu Alltagsthemen vor allem über soziale Medien, vertrauen den dort bezogenen Informationen jedoch kaum. --------------------------------------------- https://www.watchlist-internet.at/news/studie-jugendliche-und-falschinforma… ∗∗∗ Safer Internet Day: FAQ Internetsicherheit für Kinder und Jugendliche ∗∗∗ --------------------------------------------- Im Internet lauern für Heranwachsende viele Gefahren, die sie noch nicht einschätzen können. Mit Wissensvermittlung und Tools können sie geschützt werden. --------------------------------------------- https://heise.de/-7333482 ∗∗∗ This notorious ransomware has now found a new target ∗∗∗ --------------------------------------------- The authors of Clop ransomware are experimenting with a Linux variant - a warning that multiple different platforms are in the sights of cyber extortionists. --------------------------------------------- https://www.zdnet.com/article/this-notorious-ransomware-is-now-targeting-li… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-094: Netatalk dsi_writeinit Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-094/ ∗∗∗ TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering ∗∗∗ --------------------------------------------- Subcomponent: Frontend Rendering (ext:frontend, ext:core) Affected Versions: 8.7.0-8.7.50, 9.0.0-9.5.39, 10.0.0-10.4.34, 11.0.0-11.5.22, 12.0.0-12.1.3 Severity: High References: CVE-2023-24814, CWE-79 --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-001 ∗∗∗ Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419) ∗∗∗ --------------------------------------------- Through the course of routine security testing and analysis, Rapid7 has discovered several issues in on-premises installations of open source and freemium Document Management System (DMS) offerings from four vendors. ONLYOFFICE, OpenKM, LogicalDOC, Mayan [..] Unfortunately, none of these vendors were able to respond to Rapid7's disclosure outreach --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412… ∗∗∗ OpenSSL Security Advisory [7th February 2023] ∗∗∗ --------------------------------------------- * Severity: High - X.400 address type confusion in X.509 GeneralName (CVE-2023-0286): [...] this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. * Severity: Moderate - CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401 --------------------------------------------- https://www.openssl.org/news/secadv/20230207.txt ∗∗∗ Dateiübertragungslösung: Zero-Day-Lücke in GoAnywhere-MFT-Servern ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf Server mit GoAnywhere MFT abgesehen. Bislang gibt es kein Sicherheitsupdate. Eine temporäre Übergangslösung sichert Systeme ab. --------------------------------------------- https://heise.de/-7487393 ∗∗∗ VMSA-2023-0003 ∗∗∗ --------------------------------------------- CVSSv3 Range: 7.8 CVE(s): CVE-2023-20854 Synopsis: VMware Workstation update addresses an arbitrary file deletion vulnerability (CVE-2023-20854) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0003.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux). --------------------------------------------- https://lwn.net/Articles/922519/ ∗∗∗ Ichiran App vulnerable to improper server certificate verification ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN11257333/ ∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ EnOcean SmartServer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-037-01 ∗∗∗ IBM Security Verify Governance, Identity Manager software component is affected by a vulnerabilitiy CVE-2023-23477 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953461 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6839565 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953483 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953497 ∗∗∗ Denial of Service vulnerability affects IBM Business Automation Workflow - CVE-2022-25887 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952745 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953497 ∗∗∗ Apache POI is vulnerable to a denial of service, caused by an out of memory exception flaw in the HMEF package(CVE-2022-26336) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953525 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953557 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953559 ∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to bypassing security restrictions, denial of service attacks, and data integrity impacts due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953579 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953583 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953587 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953589 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.02.2023
by Daily end-of-shift report 06 Feb '23

06 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-02-2023 18:00 − Montag 06-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Weltweiter Ransomware-Angriff ∗∗∗ --------------------------------------------- Bei einem weltweit breit gestreuten Ransomware-Angriff wurden laut Medienberichten tausende ESXi-Server, die u. a. zur Virtualisierung von IT-Fachverfahren genutzt werden, verschlüsselt. Der regionale Schwerpunkt der Angriffe lag dabei auf Frankreich, den USA, Deutschland und Kanada, auch weitere Länder sind betroffen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Downloads via Google Ads: "Tsunami" an Malvertising verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Immer mehr Angreifer versuchen, Geräte von Nutzern mit Malware zu infizieren. Forscher beobachten einen massiven Anstieg auf Google bei der Suche nach Software. --------------------------------------------- https://heise.de/-7485196 ∗∗∗ Tiere zu verschenken: Vorsicht vor betrügerischen Inseraten auf Facebook ∗∗∗ --------------------------------------------- In Facebook-Gruppen tauchen immer wieder betrügerische Inserate für abzugebende Hunde oder Pferde auf. Angeblich sei der Besitzer bzw. die Besitzerin plötzlich verstorben. Daher suchen die Angehörigen dringend einen guten Platz für das Tier. Sie müssen lediglich die Transportkosten bezahlen, da sich das Tier im Ausland befindet. Dahinter steckt aber Betrug, das Tier gibt es gar nicht und Sie verlieren viel Geld! --------------------------------------------- https://www.watchlist-internet.at/news/tiere-zu-verschenken-vorsicht-vor-be… ∗∗∗ Assemblyline as a Malware Analysis Sandbox, (Sat, Feb 4th) ∗∗∗ --------------------------------------------- If you are looking for a malware sandbox that is easy to install and maintain, Assenblyline (AL) [1] is likely the system you want to be part of your toolbox. "Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline's most powerful functionalities is its recursive analysis model."[2] --------------------------------------------- https://isc.sans.edu/diary/rss/29510 ∗∗∗ Royal Ransomware adds support for encrypting Linux, VMware ESXi systems ∗∗∗ --------------------------------------------- Royal Ransomware operators added support for encrypting Linux devices and target VMware ESXi virtual machines. The Royal Ransomware gang is the latest extortion group in order of time to add support for encrypting Linux devices and target VMware ESXi virtual machines. Other ransomware operators already support Linux encrypting, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, [...] --------------------------------------------- https://securityaffairs.com/141876/cyber-crime/royal-ransomware-vmware-esxi… ∗∗∗ FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection ∗∗∗ --------------------------------------------- An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said [...] --------------------------------------------- https://thehackernews.com/2023/02/formbook-malware-spreads-via.html ∗∗∗ GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry ∗∗∗ --------------------------------------------- E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, [...] --------------------------------------------- https://thehackernews.com/2023/02/guloader-malware-using-malicious-nsis.html ∗∗∗ ImageMagick: The hidden vulnerability behind your online images ∗∗∗ --------------------------------------------- In a recent APT Simulation engagement, the Ocelot team identified that ImageMagick was used to process images in a Drupal-based website, and hence, the team decided to try to find new vulnerabilities in this component, proceeding to download the latest version of ImageMagick, 7.1.0-49 at that time. As a result, two zero days were identified: [...] --------------------------------------------- https://www.metabaseq.com/imagemagick-zero-days/ ∗∗∗ The Defenders Guide to OneNote MalDocs ∗∗∗ --------------------------------------------- With the heyday of macro-enabled spreadsheets and documents behind us, threat actors have experimented with novel ways to deliver their payloads, including disk image files (.iso, .vhd files), HTML Smuggling (.hta files with embedded scripts), and now OneNote files. --------------------------------------------- https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs ∗∗∗ How the CISA catalog of vulnerabilities can help your organization ∗∗∗ --------------------------------------------- The CISA catalog of known exploited vulnerabilities is designed for the federal government and useful to everyone. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/02/how-the-cisa-catalog-can-hel… ∗∗∗ Collect, Exfiltrate, Sleep, Repeat ∗∗∗ --------------------------------------------- In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command [...] --------------------------------------------- https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/ ∗∗∗ Solving a VM-based CTF challenge without solving it properly ∗∗∗ --------------------------------------------- A pretty common reverse-engineering CTF challenge genre for the hard/very-hard bucket are virtual machines. There are several flavors to this*, but the most common one is to implement a custom VM in a compiled language and provide it together with bytecode of a flag checker. This was the case for the More Control task from Byte Bandits CTF 2023 - the task this entry is about. --------------------------------------------- https://gynvael.coldwind.pl/?id=763 ∗∗∗ Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations ∗∗∗ --------------------------------------------- Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. --------------------------------------------- https://asec.ahnlab.com/en/47088/ ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity XSS Vulnerability in Metform Elementor Contact Form Builder ∗∗∗ --------------------------------------------- On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations. The vulnerability, an unauthenticated stored cross-site scripting vulnerability, is arguably the most dangerous variant [...] --------------------------------------------- https://www.wordfence.com/blog/2023/02/high-severity-xss-vulnerability-in-m… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libhtml-stripscripts-perl), Fedora (binwalk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, kernel, sudo, and syncthing), SUSE (syslog-ng), and Ubuntu (editorconfig-core, firefox, pam, and thunderbird). --------------------------------------------- https://lwn.net/Articles/922337/ ∗∗∗ CISA adds Oracle, SugarCRM bugs to exploited vulnerabilities list ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) said two vulnerabilities from Oracle and SugarCRM are actively being exploited and ordered federal civilian agencies to patch them before February 23. --------------------------------------------- https://therecord.media/cisa-adds-oracle-sugarcrm-bugs-to-exploited-vulnera… ∗∗∗ Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6570741 ∗∗∗ Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6592963 ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953401 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953433 ∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857695 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2023
by Daily end-of-shift report 03 Feb '23

03 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-02-2023 18:00 − Freitag 03-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Hackers weaponize Microsoft Visual Studio add-ins to push malware ∗∗∗ --------------------------------------------- Security researchers warn that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as method to achieve persistence and execute code on a target machine via malicious Office add-ins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-weaponize-microsoft-… ∗∗∗ Anker: Eufy-Kameras waren nicht so sicher wie beworben ∗∗∗ --------------------------------------------- Nach anfänglichem Abstreiten gibt Anker zu, dass die Werbeversprechen zur Sicherheit der Eufy-Überwachungskameras nicht eingehalten wurden. --------------------------------------------- https://www.golem.de/news/anker-eufy-kameras-waren-nicht-so-sicher-wie-bewo… ∗∗∗ Konami Code Backdoor Concealed in Image ∗∗∗ --------------------------------------------- Attackers are always looking for new ways to conceal their malware and evade detection, whether it’s through new forms of obfuscation, concatenation, or — in this case — unorthodox use of image file extensions. One of the most common backdoors that we have observed over the last few months has been designed to evade detection by placing the payload in an image file and requiring some additional tricks to unlock it. --------------------------------------------- https://blog.sucuri.net/2023/02/konami-code-backdoor-concealed-in-image.html ∗∗∗ Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails ∗∗∗ --------------------------------------------- IBM Aspera Faspex promises security to end users by offering encryption options for the files being uploaded through its application. This security model is broken through the pre-authentication RCE vulnerability we discovered, that allowed us to execute arbitrary commands on the Aspera Faspex server. --------------------------------------------- https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/ ∗∗∗ Cisco patcht mehrere Produkte - potenzielle Backdoor-Lücke ∗∗∗ --------------------------------------------- Cisco hat Updates zum Schließen von Sicherheitslücken in mehreren Produkten veröffentlicht. Die gravierendste klafft in der IOx Application Hosting Environment. --------------------------------------------- https://heise.de/-7483079 ∗∗∗ Zwei Sicherheitsprobleme in OpenSSH 9.2 gelöst ∗∗∗ --------------------------------------------- Der OpenSSH-Client ist in einer aktualisierten Version erschienen. Informationen über die geschlossenen Sicherheitslücken sind noch rar. --------------------------------------------- https://heise.de/-7483316 ∗∗∗ Erneute Phishing-Welle mit E-Mails im Namen der WKO ∗∗∗ --------------------------------------------- „Aktualisierung Ihrer Firmendaten“: Haben Sie eine E-Mail vom „WKO Serviceteam“ mit diesem Betreff erhalten, sollten Sie genau hinsehen. Denn derzeit versenden Cyberkriminelle willkürlich solche Phishing-Mails an österreichische Unternehmer:innen und geben sich dabei als Wirtschaftskammer Österreich aus. --------------------------------------------- https://www.watchlist-internet.at/news/erneute-phishing-welle-mit-e-mails-i… ∗∗∗ OneNote Dokumente als neues Hilfsmittel für Spammer und Co. ∗∗∗ --------------------------------------------- Nachdem Microsoft im Juli letzten Jahres die Hürde für Spammer deutlich höher gelegt hat - eingebettete Makros in heruntergeladenen Office Dokumente wurden per Default disabled - musste aus Sicht der Angreifer entsprechender Ersatz gefunden werden. Neuen Erkenntnissen zufolge, wurde dieser auch erfolgreich in Form von OneNote Dokumenten gefunden. --------------------------------------------- https://cert.at/de/aktuelles/2023/2/onenote-dokumente-als-neues-hilfsmittel… ∗∗∗ What is an OSINT Tool – Best OSINT Tools 2023 ∗∗∗ --------------------------------------------- An OSINT tool is a must for every researcher - In this article, we will explore the 15 best OSINT tools that you can use for your investigations. --------------------------------------------- https://www.hackread.com/what-is-osint-tool-best-osint-tools-2023/ ===================== = Vulnerabilities = ===================== ∗∗∗ K000130496: Overview of F5 vulnerabilities (February 2023) ∗∗∗ --------------------------------------------- On February 1, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000130496 ∗∗∗ Angreifer könnten Windows-PCs mit VMware Workstation attackieren ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt eine Lücke in der Virtualisierungslösung VMware Workstation. Angreifer brauchten lokale Benutzerrechte auf dem PC des Opfers. --------------------------------------------- https://heise.de/-7483515 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff). --------------------------------------------- https://lwn.net/Articles/922112/ ∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-23-033-01 Delta Electronics DIAScreen, ICSA-23-033-02 Mitsubishi Electric GOT2000 Series and GT SoftGOT2000, ICSA-23-033-03 Baicells Nova, ICSA-23-033-04 Delta Electronics DVW-W02W2-E2, ICSA-23-033-05 Delta Electronics DX-2100-L1-CN, ICSA-22-221-01 Mitsubishi Electric Multiple Factory Automation Products (Update D). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/cisa-releases-six… ∗∗∗ B&R Advisory: Several Issues in APROL Database ∗∗∗ --------------------------------------------- Several Issues in ARPOL database, CVE ID: CVE-2022-43761, CVE-2022-43762, CVE-2022-43763, CVE-2022-43764, CVE-2022-43765 --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16748230… *** IBM Security Bulletins 2023-02-01 *** --------------------------------------------- Tivoli System Automation Application Manager, IBM MQ, IBM FlashSystem 5000, IBM FlashSystem 7200, IBM FlashSystem 7300, IBM FlashSystem 9100, IBM FlashSystem 9200, IBM FlashSystem 9500, IBM FlashSystem V9000, IBM Spectrum Virtualize as Software Only, IBM Spectrum Virtualize for Public Cloud, IBM Storwize V5000, V5000E, V7000 and V5100, Jazz for Service Management, SAN Volume Controller, IBM App Connect Enterprise, IBM Voice Gateway, IBM Aspera, IBM MQ, IBM Business Automation Workflow, IBM Control Desk, IBM Maximo, IBM Sterling Connect:Direct File Agent. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Exploitation of GoAnywhere MFT zero-day vulnerability ∗∗∗ --------------------------------------------- A warning has been issued about an actively exploited zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2023
by Daily end-of-shift report 02 Feb '23

02 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-02-2023 18:00 − Donnerstag 02-02-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New DDoS-as-a-Service platform used in recent attacks on hospitals ∗∗∗ --------------------------------------------- A new DDoS-as-a-Service (DDoSaaS) platform named Passion was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platfo… ∗∗∗ New Nevada Ransomware targets Windows and VMware ESXi systems ∗∗∗ --------------------------------------------- A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-target… ∗∗∗ LockBit ransomware goes Green, uses new Conti-based encryptor ∗∗∗ --------------------------------------------- The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-gree… ∗∗∗ Password-stealing “vulnerability” reported in KeePass – bug or feature? ∗∗∗ --------------------------------------------- Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway? --------------------------------------------- https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability… ∗∗∗ Rotating Packet Captures with pfSense, (Wed, Feb 1st) ∗∗∗ --------------------------------------------- Having a new pfSense firewall in place gives some opportunities to do a bit more with the device. Maintaining some full packet captures was an item on my "to do" list. The last 24 hours is usually sufficient for me since I'm usually looking at alerts within the same day. I decided to do rotating packet captures based on file size. This allows me to capture packets, saving files of a specific size and keeping a specified number of files. --------------------------------------------- https://isc.sans.edu/diary/rss/29500 ∗∗∗ What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits ∗∗∗ --------------------------------------------- We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/b/what-socs-need-to-know-about… ∗∗∗ OpenSSH 9.2 released ∗∗∗ --------------------------------------------- OpenSSH9.2 has been released. It includes a number of security fixes,including one for a pre-authenticationdouble-free vulnerability that the project does not believe is exploitable. --------------------------------------------- https://lwn.net/Articles/922006/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Causing Deletion of All Users in CrushFTP Admin Area ∗∗∗ --------------------------------------------- During a recent penetration test, Trustwave SpiderLabs researchers discovered a weak input validation vulnerability in the CrushFTP application which caused the deletion of all users. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabili… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django). --------------------------------------------- https://lwn.net/Articles/921957/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0001 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2023-23517, CVE-2023-23518,CVE-2022-42826. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0001.html ∗∗∗ Jira Service Management Server and Data Center Advisory (CVE-2023-22501) ∗∗∗ --------------------------------------------- This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability: 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0 --------------------------------------------- https://confluence.atlassian.com/jira/jira-service-management-server-and-da… ∗∗∗ Drupal Releases Security Update to Address a Vulnerability in Apigee Edge ∗∗∗ --------------------------------------------- Drupal released a security update to address a vulnerability affecting the Apigee Edge module for Drupal 9.x. An attacker could exploit this vulnerability to bypass access authorization or disclose sensitive information. CISA encourages users and administrators to review Drupal’s security advisory SA-CONTRIB-2023-005 and apply the necessary update. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/drupal-releases-s… ∗∗∗ Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server October 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6912697 ∗∗∗ IBM API Connect is impacted by an external service interaction vulnerability (CVE-2022-34350) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6921243 ∗∗∗ IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6921285 ∗∗∗ IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952181 ∗∗∗ IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. (CVE-2022-42436) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6909467 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2023
by Daily end-of-shift report 01 Feb '23

01 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-01-2023 18:00 − Mittwoch 01-02-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Zehntausende Qnap-NAS hängen verwundbar am Internet ∗∗∗ --------------------------------------------- Angreifer könnten direkt über das Internet an einer kritischen Sicherheitslücke in Netzwerkspeichern von Qnap ansetzen. --------------------------------------------- https://heise.de/-7477826 ∗∗∗ Microsoft Defender for Endpoint schickt nun auch Linux-Rechner in die Isolation ∗∗∗ --------------------------------------------- Weil auch Linux-Geräte als Einfallstor für Cyber-Angreifer dienen können, isoliert Microsofts Security-Software künftig bei Bedarf auch sie aus dem Firmennetz. --------------------------------------------- https://heise.de/-7477878 ∗∗∗ Diskussion um Schwachstelle in KeePass ∗∗∗ --------------------------------------------- Eine Schwachstelle erlaubt das Ändern der KeePass-Konfiguration, wenn Nutzer bestimmte Rechte haben. Mit denen können sie jedoch viel mehr anstellen. --------------------------------------------- https://heise.de/-7478396 ∗∗∗ Neue Vinted-Verkäufer:innen aufgepasst: Keine Zahlungen freigeben! ∗∗∗ --------------------------------------------- Auf der Second-Hand-Plattform vinted.at kommt es aktuell vermehrt zu einer Betrugsmasche, die sich an neue Verkäufer:innen richtet. Die ersten Interessent:innen melden sich schnell und verlangen eine Telefonnummer. Anschließend folgen SMS im Namen von Vinted, die eine Bestätigung der Kreditkartendaten zum Erhalt der Zahlung fordern. Achtung: Die SMS stammen nicht von vinted.at, sondern von Kriminellen und die vermeintlichen Bestätigungen führen zu Abbuchungen [...] --------------------------------------------- https://www.watchlist-internet.at/news/neue-vinted-verkaeuferinnen-aufgepas… ∗∗∗ Hackers use new IceBreaker malware to breach gaming companies ∗∗∗ --------------------------------------------- Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-new-icebreaker-m… ∗∗∗ DShield Honeypot Setup with pfSense, (Tue, Jan 31st) ∗∗∗ --------------------------------------------- Setting up a DShield honeypot is well guided by the installation script [1]. After several minutes of following the instructions and adding some custom details, the honeypot is up and running. What's needed after that is to expose the honeypot to the internet. I recently decided to update my home router and thought it was a great opportunity to dig into using pfSense [2]. --------------------------------------------- https://isc.sans.edu/diary/rss/29490 ∗∗∗ Detecting (Malicious) OneNote Files, (Wed, Feb 1st) ∗∗∗ --------------------------------------------- We are starting to see malicious OneNote documents (cfr. Xavier's diary entry "A First Malicious OneNote Document"). --------------------------------------------- https://isc.sans.edu/diary/rss/29494 ∗∗∗ Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076) ∗∗∗ --------------------------------------------- Cisco has released patches for a high-severity vulnerability (CVE-2023-20076) found in some of its industrial routers, gateways and enterprise wireless access points, which may allow attackers to insert malicious code that can’t be deleted by simply rebooting the device or updating its firmware. “In this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system. --------------------------------------------- https://www.helpnetsecurity.com/2023/02/01/cve-2023-20076/ ∗∗∗ Google sponsored ads malvertising targets password manager ∗∗∗ --------------------------------------------- Our reserachers found a more direct way to go after your password by using Google sponsored ads campaigns --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/01/google-sponso… ∗∗∗ Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking ∗∗∗ --------------------------------------------- Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched. --------------------------------------------- https://www.securityweek.com/unpatched-econolite-traffic-controller-vulnera… ∗∗∗ Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware ∗∗∗ --------------------------------------------- Microsoft warns that phishing, fake software updates and unpatched vulnerabilities are being exploited for ransomware attacks. --------------------------------------------- https://www.zdnet.com/article/microsoft-we-are-tracking-these-100-active-ra… ∗∗∗ Password Nightmare Explained ∗∗∗ --------------------------------------------- This blog post belongs to a series in which we examine various influences on password strategies. The first post in the series analyzed the macrosocial influence of a country on its citizens’ passwords. The second post was focused on the analysis of the influence of a community on password choice. In this last post, we aim to increase the strength of our readers’ passwords by influencing their password strategies using knowledge and insights from our research. --------------------------------------------- https://www.gosecure.net/blog/2023/01/31/password-nightmare-explained/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in Driver Distributor where passwords are stored in a recoverable format ∗∗∗ --------------------------------------------- Driver Distributor provided by FUJIFILM Business Innovation Corp. contains a vulnerability where passwords are stored in a recoverable format. --------------------------------------------- https://jvn.jp/en/jp/JVN22830348/ ∗∗∗ Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software ∗∗∗ --------------------------------------------- Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations. --------------------------------------------- https://thehackernews.com/2023/02/additional-supply-chain-vulnerabilities.h… ∗∗∗ Virenschutz: Datei-Upload bis Exitus durch Trend Micro Apex One-Schwachstelle ∗∗∗ --------------------------------------------- Eine hochriskante Sicherheitslücke im Trend Micro Apex One Server könnten Angreifer missbrauchen, um den Server mit Dateien zu fluten und damit lahmzulegen. --------------------------------------------- https://heise.de/-7477479 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fig2dev and libstb), Fedora (seamonkey), SUSE (ctags, python-setuptools, samba, tmux, and xterm), and Ubuntu (advancecomp, apache2, python-django, slurm-llnl, and vim). --------------------------------------------- https://lwn.net/Articles/921848/ ∗∗∗ CVE-2023-22374: F5 BIG-IP Format String Vulnerability ∗∗∗ --------------------------------------------- Rapid7 found an additional vulnerability in the appliance-mode REST interface. We reported it to F5 and are now disclosing it in accordance with our vulnerability disclosure policy. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/01/cve-2023-22374-f5-big-ip-format… ∗∗∗ IBM Security Bulletins 2023-02-01 ∗∗∗ --------------------------------------------- App Connect Professional is affected by JsonErrorReportValve in Apache Tomcat. A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-23477) A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-23477) A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-23477) A vulnerability in the IBM Java Runtime affects IBM Rational ClearQuest (CVE-2022-21626) A vulnerability may affect the IBM Elastic Storage System GUI (CVE-2022-43869) HTTP header injection vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-34165) IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to json5 (CVE-2022-46175) IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons [CVE-2022-42889 and CVE-2022-33980] IBM Cloud Pak for Multicloud Management is vulnerable to denial of service attacks due to snakeYAML IBM Cloud Pak for Multicloud Management is vulnerable to denial of service due to protobuf-java core and lite IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of FasterXML Jackson (CVE-2022-42003) IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS IBM Infosphere Information Server is vulnerable to cross-site scripting (CVE-2023-23475) IBM Spectrum Scale GUI is vulnerable to Format string attack (CVE-2022-43869) IBM Sterling B2B Integrator is vulnerable to denial of service due to Netty (CVE-2021-37136, CVE-2021-37137) IBM Sterling Connect:Direct File Agent is vulnerable to a denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) IBM Sterling Connect:Direct File Agent is vulnerable to a memory exploit due to Eclipse Openj9 (CVE-2022-3676) IBM Sterling External Authentication Server vulnerable to denial of service due to Apache Xerces2 (CVE-2022-23437) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow in GNU glibc (CVE-2021-3999) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-27664) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in protobuf (CVE-2022-1941) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary command execution in OpenSSL (CVE-2022-2068) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in GNU gzip (CVE-2022-1271) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to issues in OpenSSL (CVE-2022-1434, CVE-2022-1343, CVE-2022-1292, CVE-2022-1473 ) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to query parameter smuggling in Golang Go (CVE-2022-2880) IBM WebSphere Application Server Liberty used by IBM Cloud Pak for Watson AIOps is vulnerable to HTTP header injection (CVE-2022-34165) Multiple vulnerabilities in IBM Java SDK affects App Connect Professional. Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061) Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-2068, CVE-2022-2097) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhi… ∗∗∗ Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhi… ∗∗∗ Multiple Vulnerabilities Patched in Quick Restaurant Menu Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-… ∗∗∗ SA45653 - Cross-site Request Forgery in Login Form ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Cross-site-Re… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2023
by Daily end-of-shift report 31 Jan '23

31 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 30-01-2023 18:00 − Dienstag 31-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Exploit released for critical VMware vRealize RCE vulnerability ∗∗∗ --------------------------------------------- Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances. VMware patched four security vulnerabilities in its vRealize log analysis tool last week, two being critical and allowing remote attackers to execute code on compromised devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ Github Desktop & Atom: Signaturschlüssel von Github entwendet ∗∗∗ --------------------------------------------- Auf Github wurden Signaturschlüssel entwendet, die bald zurückgerufen werden. Betroffen sind Github Desktop und Atom für Mac, die den Dienst einstellen. (Github, Security) --------------------------------------------- https://www.golem.de/news/github-desktop-atom-signaturschluessel-von-github… ∗∗∗ Prilex modification now targeting contactless credit card transactions ∗∗∗ --------------------------------------------- Kaspersky discovers three new variants of the Prilex PoS malware capable of blocking contactless NFC transactions on an infected device. --------------------------------------------- https://securelist.com/prilex-modification-now-targeting-contactless-credit… ∗∗∗ Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process ∗∗∗ --------------------------------------------- On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). --------------------------------------------- https://msrc-blog.microsoft.com/2023/01/31/threat-actor-consent-phishing-ca… ∗∗∗ Decoding DNS over HTTP(s) Requests, (Mon, Jan 30th) ∗∗∗ --------------------------------------------- I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard. --------------------------------------------- https://isc.sans.edu/diary/rss/29488 ∗∗∗ Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years ∗∗∗ --------------------------------------------- A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years."TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically --------------------------------------------- https://thehackernews.com/2023/01/researchers-uncover-packer-that-helped.ht… ∗∗∗ Chromebook SH1MMER exploit promises admin jailbreak ∗∗∗ --------------------------------------------- Schools laptops are out if this one gets around, but beware bricking Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SHI1MMER.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/01/30/chromebook_e… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg.[..] These releases will be made available on Tuesday 7th February 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is High --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html ∗∗∗ Abstandhalten zu undurchsichtigen Multi-Level-Marketing-Angeboten wie shopwithme.biz ∗∗∗ --------------------------------------------- Wer sich aktuell auf sozialen Medien wie Facebook, YouTube oder TikTok bewegt, kommt an Werbevideos, die das große Geld versprechen, kaum vorbei. Mit minimalem Aufwand und revolutionären Methoden sollen Sie ganz einfach Unsummen an Geld verdienen können. Ähnliches verspricht man beispielsweise bei shopwithme.biz. Ein genauerer Blick lässt vermuten: Hier verdient man nicht durch den Verkauf von Produkten, sondern durch die Anwerbung neuer Kundschaft. Wir raten hier --------------------------------------------- https://www.watchlist-internet.at/news/abstandhalten-zu-undurchsichtigen-mu… ∗∗∗ A Phishing Page that Changes According to the User’s Email Address (Using Favicon) ∗∗∗ --------------------------------------------- The ASEC analysis team continuously monitors phishing emails, and we have been detecting multiple phishing emails that are distributed with a changing icon to reflect the mail account service entered by the user. --------------------------------------------- https://asec.ahnlab.com/en/46786/ ===================== = Vulnerabilities = ===================== ∗∗∗ [20230101] - Core - CSRF within post-installation messages ∗∗∗ --------------------------------------------- Severity: Low Versions: 4.0.0-4.2.6 Exploit type: CSRF Description: A missing token check causes a CSRF vulnerability in the handling of post-installation messages. Affected Installs Joomla! CMS versions 4.0.0-4.2.6 Solution: Upgrade to version 4.2.7 --------------------------------------------- https://developer.joomla.org:443/security-centre/890-20230101-core-csrf-wit… ∗∗∗ [20230102] - Core - Missing ACL checks for com_actionlogs ∗∗∗ --------------------------------------------- Severity: Low Versions: 4.0.0-4.2.6 Exploit type: Incorrect Access Control Description: A missing ACL check allows non super-admin users to access com_actionlogs. Solution: Upgrade to version 4.2.7 --------------------------------------------- https://developer.joomla.org:443/security-centre/891-20230102-core-missing-… ∗∗∗ VMSA-2023-0002 ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.5 CVE(s): CVE-2023-20856 Synopsis: VMware vRealize Operations (vROps) update addresses a CSRF bypass vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0002.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libXpm, pki-core, sssd, sudo, thunderbird, tigervnc, and xorg-x11-server), Debian (cinder, glance, libarchive, libhtml-stripscripts-perl, modsecurity-crs, node-moment, node-qs, nova, ruby-git, ruby-rack, and tiff), Fedora (java-17-openjdk, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-pore, rust-silver, rust-tokei, and seamonkey), Oracle (libksba), Red Hat (kernel, kernel-rt, kpatch-patch, libksba, and pcs), Scientific Linux (libksba), SUSE (apache2-mod_auth_openidc, ghostscript, libarchive, nginx, python, vim, and xen), and Ubuntu (cinder, glance, linux-raspi, nova, python-future, and sudo). --------------------------------------------- https://lwn.net/Articles/921765/ ∗∗∗ [R1] Tenable Plugin Feed ID #202212212055 Fixes Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally. This could allow a malicious actor with sufficient permissions to modify environment variables and abuse an impacted plugin in order to escalate privileges. We have resolved the issue and also made several defense-in-depth fixes alongside. --------------------------------------------- https://www.tenable.com/security/tns-2023-04 ∗∗∗ WordPress Vulnerability & Patch Roundup January 2023 ∗∗∗ --------------------------------------------- * SiteGround Security – SQL injection * ExactMetrics – Cross Site Scripting (XSS) * Enable Media Replace – Arbitrary File Upload * Spectra WordPress Gutenberg Blocks – Stored Cross Site Scripting * GiveWP – SQL Injection * Better Font Awesome – Cross Site Scripting (XSS) * LearnPress – SQL Injection * Royal Elementor Addons and Templates – Cross Site Scripting (XSS) * Strong Testimonials – Stored Cross Site Scripting (XSS) * HUSKY (formerly WOOF) – PHP Object Injection * WP Show Posts – Cross Site Scripting (XSS) * Widgets for Google Reviews – Cross Site Scripting (XSS) * Strong Testimonials – Cross Site Scripting (XSS) * Simple Sitemap – Cross Site Scripting (XSS) * Contextual Related Posts – Stored Cross Site Scripting (XSS) * Stream – Broken Access Control * Customer Reviews for WooCommerce – Cross Site Scripting (XSS) * Themify Portfolio Post – Stored Cross Site Scripting * Spotlight Social Media Feeds – Stored Cross Site Scripting (XSS) * RSS Aggregator by Feedzy – Stored Cross Site Scripting (XSS) --------------------------------------------- https://blog.sucuri.net/2023/01/wordpress-vulnerability-patch-roundup-janua… ∗∗∗ IBM Security Bulletins) ∗∗∗ --------------------------------------------- * IBM UrbanCode Deploy (UCD) is vulnerable to cross-site scripting ( CVE-2022-46771 ) * IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go (CVE-2022-24921, CVE-2022-28327, CVE-2022-24675) * IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * Multiple vulnerabilities affect IBM Sterling External Authentication Server * Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring. * Multiple vulnerabilities in libcURL affect IBM Rational ClearCase ( CVE-2022-42915, CVE-2022-42916, CVE-2022-32221, CVE-2022-35252, * * CVE-2022-32205, CVE-2022-32206, CVE-2022-32207 ) * IBM Sterling Secure Proxy vulnerable to multiple issues * Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase (CVE-2022-2097, CVE-2022-2068) * A vulnerability in the IBM Java Runtime affects IBM Rational ClearCase (CVE-2022-21626) * Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote code execution due to jsonwebtoken CVE-2022-23529 * Automation Assets in IBM Cloud Pak for Integration is vulnerable to CSS injection due to Swagger CVE-2019-17495 * Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to protobuf CVE-2022-1941 * Platform Navigator and Automation Assets in IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities * IBM Watson Knowledge Catalog on Cloud Pak for Data is vulnerable to SQL injection (CVE-2022-41731) * IBM Virtualization Engine TS7700 is vulnerable to a denial of service threat due to use of IBM\u00ae SDK Java\u2122 Technology Edition, Version 8 (CVE-2022-21626) * Multiple vulnerabilities affect IBM Db2\u00ae on Cloud Pak for Data and Db2 Warehouse\u00ae on Cloud Pak for Data * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in XStream * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PyPA Wheel * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js json5 * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Certifi * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js decode-uri-component * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PostgreSQL * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Tomcat * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Spark * Multiple Vulnerabilities in Java packages affect IBM Voice Gateway * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in HSQLDB * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Google Protocol Buffers * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-031-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.01.2023
by Daily end-of-shift report 30 Jan '23

30 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-01-2023 18:00 − Montag 30-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Sicherheitsforscher kombinieren Lücken in VMware vRealize Log ∗∗∗ --------------------------------------------- Angreifer könnten zeitnah vRealize Log von VMware ins Visier nehmen und Schadcode mit Root-Rechten ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7474931 ∗∗∗ Vorsicht vor gefälschten FinanzOnline-Benachrichtigungen ∗∗∗ --------------------------------------------- Kriminelle versenden gefälschte FinanzOnline-E-Mails. Aktuell sind uns zwei Varianten bekannt: In einem Mail wird behauptet, dass Sie eine Erstattung aus dem Sozialfonds erhalten. In einem anderen Mail steht, dass Sie eine Rückerstattung erhalten und einen QR-Code scannen müssen. Folgen Sie nicht den Anweisungen, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-finanzonli… ∗∗∗ Malware PlugX infiziert USB-Geräte ∗∗∗ --------------------------------------------- Sicherheitsforscher der Unit 42 von Palo Alto Networks haben Cyberangriffe mit neuer Variante der altbekannten Schadsoftware beobachtet. Die mutmaßlich aus China stammende PlugX-Malware ist aufgefallen, weil diese Variante alle angeschlossenen USB-Wechselmediengeräte wie Disketten-, Daumen- oder Flash-Laufwerke sowie alle weiteren Systeme [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/28/malware-plugx-infiziert-usb-gerte/ ∗∗∗ Laufwerksverschlüsselung per BitLocker: Das sollten Sie beachten ∗∗∗ --------------------------------------------- Die Geräteverschlüsselung von Microsoft schützt Ihre Daten vor unerwünschten Zugriffen. Zuweilen greift BitLocker automatisch, oft muss man selbst Hand anlegen. --------------------------------------------- https://heise.de/-7467041 ∗∗∗ Shady reward apps on Google Play amass 20 million downloads ∗∗∗ --------------------------------------------- A new category of activity tracking applications has been having massive success recently on Google Play, Androids official app store, having been downloaded on over 20 million devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/shady-reward-apps-on-google-… ∗∗∗ SaaS Rootkit Exploits Hidden Rules in Microsoft 365 ∗∗∗ --------------------------------------------- A vulnerability within Microsofts OAuth application registration allows an attacker to create hidden forwarding rules that act as a malicious SaaS rootkit. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/saas-rootkit-exploits-h… ∗∗∗ Gootkit Malware Continues to Evolve with New Components and Obfuscations ∗∗∗ --------------------------------------------- The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is "exclusive to this group. --------------------------------------------- https://thehackernews.com/2023/01/gootkit-malware-continues-to-evolve.html ∗∗∗ Titan Stealer: A New Golang-Based Information Stealer Malware Emerges ∗∗∗ --------------------------------------------- A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel. "The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," [...] --------------------------------------------- https://thehackernews.com/2023/01/titan-stealer-new-golang-based.html ∗∗∗ Asking MEMORY.DMP and Volatility to make up ∗∗∗ --------------------------------------------- A few days ago Ive posted RE category write-ups from the KnightCTF 2023. Another category Ive looked at – quite intensely at that – was forensics. While this blog post isnt a write-up for that category, I still wanted (and well, was asked to actually) write down some steps I took to make Volatility work with MEMORY.DMP file provided in the "Take care of this" challenge series. Or actually steps I took to convert MEMORY.DMP into something volatility could work with. --------------------------------------------- https://gynvael.coldwind.pl/?id=762 ∗∗∗ Analysis Report on Malware Distributed via Microsoft OneNote ∗∗∗ --------------------------------------------- This document is an analysis report on malware that is being actively distributed using Microsoft OneNote. The ASEC analysis team identified the rapidly increasing trend of OneNote malware distribution from November 2022 and has classified the malware according to the level of intricacy based on the screen that appears when the file is actually opened. --------------------------------------------- https://asec.ahnlab.com/en/46457/ ===================== = Vulnerabilities = ===================== ∗∗∗ Qnap-NAS: Kritische Sicherheitslücke ermöglicht Unterjubeln von Schadcode ∗∗∗ --------------------------------------------- In Qnap-Netzwerkgeräten mit QTS- und QuTS-hero-Betriebssystem könnten Angreifer Schadcode einschleusen und ausführen. Updates schließen die kritische Lücke. --------------------------------------------- https://heise.de/-7475288 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, dojo, git, lemonldap-ng, libapache-session-browseable-perl, libapache-session-ldap-perl, libzen, node-object-path, openjdk-11, sofia-sip, tiff, tor, and varnish), Fedora (libgit2, open62541, pgadmin4, rubygem-git, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-libgit2-sys, rust-libgit2-sys0.12, rust-pore, rust-pretty-git-prompt, rust-rd-agent, rust-rd-hashd, rust-resctl-bench, rust-resctl-demo, rust-silver, and rust-tokei), Scientific --------------------------------------------- https://lwn.net/Articles/921620/ ∗∗∗ CERT-Warnung: Standard KeePass-Setup ermöglicht Passwort-Klau (CVE-2023-24055) ∗∗∗ --------------------------------------------- Kurzer Hinweis bzw. Warnung an Nutzer des KeePass Password Safe zur Verwaltung von Kennwörtern und Zugangsdaten. Das Cyber Emergency Response Team aus Belgien (CERT.be) hat am 27. Januar 2023 eine Warnung zu KeePass veröffentlicht. Im Standard-Setup sind Schreibzugriffe auf die [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/30/cert-warnung-standard-keepass-setu… ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848023 ∗∗∗ Enterprise Content Management System Monitor is affected by a vulnerability in Eclipse Openj9 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6890603 ∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to Denial of Service (DoS) attacks (CVE-2022-40153) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6890629 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855093 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855105 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855099 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855097 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855101 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2023
by Daily end-of-shift report 27 Jan '23

27 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-01-2023 18:00 − Freitag 27-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ProxyShell & Co.: Microsoft gibt Tipps, um Exchange Server abzusichern ∗∗∗ --------------------------------------------- Vor dem Hintergrund mehrerer kritischer Sicherheitslücken und Attacken auf Exchange Server zeigt Microsoft, welche Updates Admins dringend installieren müssen. --------------------------------------------- https://heise.de/-7472639 ∗∗∗ CPUs von Intel und ARM: Linux und der Umgang mit datenabhängigem Timing ∗∗∗ --------------------------------------------- Wenn die Dauer von Operationen von den Daten abhängt, ermöglicht dies Timing-Attacken auf Informationen. Wie geht Linux damit um? --------------------------------------------- https://www.golem.de/news/cpus-von-intel-und-arm-linux-und-der-umgang-mit-d… ∗∗∗ Bitwarden password vaults targeted in Google ads phishing attack ∗∗∗ --------------------------------------------- Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users password vault credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-ta… ∗∗∗ Live Linux IR with UAC, (Thu, Jan 26th) ∗∗∗ --------------------------------------------- The other day, I was looking for Linux IR scripts and ran across the tool Unix-like Artifacts Collector or UAC(1) created by Thiago Lahr. As you would expect, it gathers most live stats but also collects Virtual box and Docker info and other data on the system. [...] With any tool, you should always test to understand how it affects your system. I ran a simple file timeline collection before and after to see what changes were made. --------------------------------------------- https://isc.sans.edu/diary/rss/29480 ∗∗∗ WhatsApp hijackers take over your account while you sleep ∗∗∗ --------------------------------------------- Theres an easy way to protect yourself. Heres how. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/01/protect-your-whatsapp-accoun… ∗∗∗ "2.6 million DuoLingo account entries" up for sale ∗∗∗ --------------------------------------------- We take a look at claims of large amounts of DuoLingo user data up for sale, supposedly scraped from publicly available sources. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/01/2.6-million-duolingo-account… ∗∗∗ Tourismusbranche im Visier von Kriminellen: Cyberangriffe über booking.com ∗∗∗ --------------------------------------------- Der Hotelverband Deutschland, der französische Hotelverband GNI und die Wirtschaftskammer Österreich warnen vor zwei unterschiedlichen Betrugsversuchen über die Kommunikationskanäle von booking.com. Die Angriffe zielen darauf ab, das Computer-System der Unterkünfte mit Schadsoftware zu infizieren oder Kunden:innendaten abzugreifen. --------------------------------------------- https://www.watchlist-internet.at/news/tourismusbranche-im-visier-von-krimi… ∗∗∗ Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms ∗∗∗ --------------------------------------------- We recap our research on privilege escalation and powerful permissions in Kubernetes and analyze the ways various platforms have addressed it. --------------------------------------------- https://unit42.paloaltonetworks.com/kubernetes-privilege-escalation/ ∗∗∗ A Blog with NoName ∗∗∗ --------------------------------------------- Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations --------------------------------------------- https://www.team-cymru.com/post/a-blog-with-noname ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, and modsecurity-apache), Fedora (libgit2, mediawiki, and redis), Oracle (go-toolset:ol8, java-1.8.0-openjdk, systemd, and thunderbird), Red Hat (java-1.8.0-openjdk and redhat-ds:12), SUSE (apache2, bluez, chromium, ffmpeg-4, glib2, haproxy, kernel, libXpm, podman, python-py, python-setuptools, samba, xen, xrdp, and xterm), and Ubuntu (samba). --------------------------------------------- https://lwn.net/Articles/921477/ ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/26/cisa-releases-eig… ∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857695 ∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2023 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857999 ∗∗∗ IBM App Connect Enterprise Certified Container may be vulnerable to denial of service due to [CVE-2022-42898] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858007 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-27664] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858011 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-32189] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858009 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to [CVE-2022-23491] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858005 ∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858015 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847951 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.01.2023
by Daily end-of-shift report 26 Jan '23

26 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-01-2023 18:00 − Donnerstag 26-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Exploit released for critical Windows CryptoAPI spoofing bug ∗∗∗ --------------------------------------------- Proof of concept exploit code has been released by Akamai researchers for a critical Windows CryptoAPI vulnerability discovered by the NSA and U.K.s NCSC allowing MD5-collision certificate spoofing. Tracked as CVE-2022-34689, this security flaw was addressed with security updates released in August 2022 [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed a new Python-based attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022."This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix said in a report [..] --------------------------------------------- https://thehackernews.com/2023/01/pyration-new-python-based-rat-utilizes.ht… ∗∗∗ Massive Supply-Chain-Attacke auf Router von Asus, D-Link & Co. beobachtet ∗∗∗ --------------------------------------------- Angreifer haben derzeit weltweit eine kritische Schwachstelle in Wireless-SoCs von Realtek im Visier. In Deutschland soll es Millionen Attacken gegeben haben. [...] Von der Lücke sind rund 190 IoT-Modelle von 66 Herstellern betroffen. Eine Auflistung von betroffenen Geräten findet man in der ursprünglichen Warnmeldung am Ende des Beitrags. Sicherheitspatches von Realtek sind schon seit Sommer 2021 verfügbar. --------------------------------------------- https://heise.de/-7471324 ∗∗∗ Cybercrime: Polizei zerschlägt Ransomware-Gruppe "Hive" ∗∗∗ --------------------------------------------- Deutsche Ermittler haben in Zusammenarbeit mit den Behörden in den Niederlanden und den USA die Kontrolle über das Ransomware-Netzwerk "Hive" übernommen. --------------------------------------------- https://heise.de/-7472192 ∗∗∗ Chinese PlugX Malware Hidden in Your USB Devices? ∗∗∗ --------------------------------------------- The PlugX malware stood out to us as this variant infects any attached removable USB media devices such as floppy, thumb or flash drives and any additional systems the USB is later plugged into. This PlugX malware also hides actor files in a USB device using a novel technique that works even on the most recent Windows operating systems (OS) at the time of writing this post. --------------------------------------------- https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/ ∗∗∗ AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa23-025a ∗∗∗ Achtung: Phishing zur Kontensperrung zielt auf Ing-Banking-Kunden (Jan. 2023) ∗∗∗ --------------------------------------------- us gegebenem Anlass greife ich die nächste Phishing-Kampagne hier im Blog auf, die sich an Kunden von Banken richtet. Kunden der Online-Bank Ing erhalten in einer Kampagne eine Phishing-Mail mit dem Hinweis, dass das Konto gesperrt worden sei, weil nicht auf eine Nachricht der Bank reagiert worden sei. --------------------------------------------- https://www.borncity.com/blog/2023/01/26/achtung-phishing-zur-kontensperrun… ∗∗∗ New Mimic Ransomware Abuses Everything APIs for its Encryption Process ∗∗∗ --------------------------------------------- Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate BIND: Angreifer könnten DNS-Server mit Anfragen überfluten ∗∗∗ --------------------------------------------- Die Entwickler haben in der DNS-Software auf Open-Source-Basis BIND drei DoS-Lücken geschlossen. --------------------------------------------- https://heise.de/-7471773 ∗∗∗ Wordpress-Plug-in: Kritische Lücke in Learnpress auf 75.000 Webseiten ∗∗∗ --------------------------------------------- Das Wordpress-Plug-in Learnpress kommt auf über 100.000 Webseiten zum Einsatz. Mangels installierter Updates sind 75.000 davon für Kompromittierung anfällig. --------------------------------------------- https://heise.de/-7471283 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (git), Fedora (libXpm and redis), Oracle (bind, firefox, grub2, java-1.8.0-openjdk, java-11-openjdk, kernel, libtasn1, libXpm, and sssd), Red Hat (thunderbird), SUSE (freeradius-server, kernel, libzypp-plugin-appdata, python-certifi, and xen), and Ubuntu (bind9, krb5, linux-raspi, linux-raspi-5.4, and privoxy). --------------------------------------------- https://lwn.net/Articles/921345/ ∗∗∗ libcurl as used by IBM QRadar Wincollect agent is vulnerable to denial of service (CVE-2022-43552, CVE-2022-43551) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857685 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to query parameter smuggling due to [CVE-2022-2880] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857849 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-2879] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857851 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-41715] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857853 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to elevated privileges due to [CVE-2022-42919] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857847 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2023
by Daily end-of-shift report 25 Jan '23

25 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-01-2023 18:00 − Mittwoch 25-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht vor Phishing-Mails von FinanzOnline und ID Austria ∗∗∗ --------------------------------------------- Betrüger*innen versuchen mit gefälschten Mails an sensible Daten zu kommen. --------------------------------------------- https://futurezone.at/digital-life/phishing-mails-finanzonline-id-austria-v… ∗∗∗ GoTo-Hacker erbeuten verschlüsselte Backups inklusive Schlüssel ∗∗∗ --------------------------------------------- GoTo, ein Anbieter für Software-as-a-Service und Remote-Work-Tools, veröffentlicht weitere Erkenntnisse über einen IT-Sicherheitsvorfall. --------------------------------------------- https://heise.de/-7470609 ∗∗∗ OTORIO DCOM Hardening Toolkit für Windows für OT-Systeme veröffentlicht ∗∗∗ --------------------------------------------- In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle, die eine Umgehung der Sicherheitsfunktionen ermöglicht. Microsoft hat das dokumentiert und gepatcht, und will im März 2023 aber einen letzten einen Patch freigeben. Sicherheitsanbieter OTORIO hat im Vorfeld ein OpenSource DCOM Hardening Toolkit für OT-Systeme veröffentlicht, mit dem Unternehmen ihre DCOM-Umgebungen analysieren und ggf. härten können. --------------------------------------------- https://www.borncity.com/blog/2023/01/25/otorio-dcom-hardening-toolkit-fr-w… ∗∗∗ Recovery-Scam durch betrugsdezernat.com und betrugsdezernat.org! ∗∗∗ --------------------------------------------- Wer auf betrügerischen Investment-Plattformen Geld verloren hat, wünscht sich meist nichts mehr, als sämtliche Einzahlungen zurückerhalten zu können. Darauf setzen auch die Kriminellen, die schon hinter dem Investitionsbetrug steckten. Sie geben sich als (häufig erfundene) Behörden aus und behaupten, das verlorene Geld festgesetzt zu haben. Eine kleine Vorauszahlung der Opfer soll zur Rückbuchung aller Verluste führen. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scam-durch-betrugsdezernatc… ∗∗∗ Senden Sie Ihre Daten nicht an gewerbe-datenanzeiger.at! ∗∗∗ --------------------------------------------- Haben auch Sie eine Nachricht von Gewerbe Datenanzeiger bekommen, die Sie auffordert, Ihre Firmendaten preiszugeben? Ignorieren Sie die Nachricht, wenn Sie antworten, schließen Sie ein teures Abo in Höhe von 1.992 € ab! --------------------------------------------- https://www.watchlist-internet.at/news/senden-sie-ihre-daten-nicht-an-gewer… ∗∗∗ Ransomware access brokers use Google ads to breach your network ∗∗∗ --------------------------------------------- A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims passwords, and ultimately breach networks for ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-access-brokers-us… ∗∗∗ New stealthy Python RAT malware targets Windows in attacks ∗∗∗ --------------------------------------------- A new Python-based malware has been spotted in the wild featuring remote access trojan (RAT) capabilities to give its operators control over the breached systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-python-rat-malw… ∗∗∗ Lessons Learned from the Windows Remote Desktop Honeypot Report ∗∗∗ --------------------------------------------- Over several weeks in October of 2022, Specops collected 4.6 million attempted passwords on their Windows Remote Desktop honeypot system. Here is what they learned. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lessons-learned-from-the-win… ∗∗∗ A First Malicious OneNote Document, (Wed, Jan 25th) ∗∗∗ --------------------------------------------- Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1]. --------------------------------------------- https://isc.sans.edu/diary/rss/29470 ∗∗∗ Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network ∗∗∗ --------------------------------------------- Every so often attackers register a new domain to host their malware. In many cases, these new domains are associated with specific malware campaigns, often related to redirecting legitimate website traffic to third party sites of their choosing - including tech support scams, adult dating, phishing, or drive-by-downloads. Since late December, our team has been tracking a new spike in WordPress website infections related to the following malicious domain: [...] --------------------------------------------- https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-site… ∗∗∗ At the Edge of Tier Zero: The Curious Case of the RODC ∗∗∗ --------------------------------------------- The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case. While RODCs, by definition, are not part of the set of resources that can control “enterprise identities”, known as Tier Zero, we have seen cases where there is a privilege escalation path from an RODC to domain dominance. --------------------------------------------- https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-th… ∗∗∗ Vulnerability of Zyxel switches posed serious risk for business processes of many companies ∗∗∗ --------------------------------------------- The issue received a CVSSv3 score of 8.2, qualifying it as high severity --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/vulnerability-of-zyxel-switches… ∗∗∗ Attacking The Supply Chain: Developer ∗∗∗ --------------------------------------------- In this proof of concept, we look into one of several attack vectors that can be abused to attack the supply chain: targeting the developer. With a focus on the local integrated developer environment (IDE), this proof considers the execution of malicious build scripts via injecting commands when the project or build is incorrectly “trusted”. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/attacking-the-supply-chain-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Xen Security Advisory CVE-2022-42330 / XSA-425 ∗∗∗ --------------------------------------------- Guests can cause Xenstore crash via soft reset --------------------------------------------- https://xenbits.xen.org/xsa/advisory-425.html ∗∗∗ Kritische Schadcode-Lücken in Logging-Tool VMware vRealize Log geschlossen ∗∗∗ --------------------------------------------- Netzwerk-Admins sollten ihre Systeme mit VMware vRealize Log auf den aktuellen Stand bringen, um Angreifer auszusperren. --------------------------------------------- https://heise.de/-7470157 ∗∗∗ Kritische Sicherheitslücke: Neuere Lexmark-Drucker ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Lexmark warnt vor Sicherheitslücken in seinen Druckern. Neuere Modelle ermöglichten Angreifern, Schadcode einzuschleusen und auszuführen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7470640 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libde265, nodejs, and swift), Fedora (nautilus), Oracle (bash, bind, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, libreoffice, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, postgresql-jdbc, qemu, ruby:2.5, sqlite, sssd, sudo, and usbguard), Red Hat (bind, go-toolset-1.18, go-toolset:rhel8, kernel, kernel-rt, kpatch-patch, pcs, sssd, and virt:rhel, virt-devel:rhel), Scientific Linux (bind, --------------------------------------------- https://lwn.net/Articles/921194/ ∗∗∗ [R1] Tenable.sc 6.0.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-03 ∗∗∗ IBM Security Verify Governance, Identity Manager virtual appliance component uses weaker than expected cryptography (CVE-2022-22462) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857339 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2022-40750) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857579 ∗∗∗ IBM MQ could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. (CVE-2022-31772) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6833806 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libxml2, expat, libtasn1 and systemd ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857613 ∗∗∗ Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857607 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.01.2023
by Daily end-of-shift report 24 Jan '23

24 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 23-01-2023 18:00 − Dienstag 24-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers use Golang source code interpreter to evade detection ∗∗∗ --------------------------------------------- A Chinese-speaking hacking group tracked as DragonSpark was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-golang-source-co… ∗∗∗ Microsoft 365 to block downloaded Excel XLL add-ins to boost security ∗∗∗ --------------------------------------------- Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-365-to-block-down… ∗∗∗ Emotet Malware Makes a Comeback with New Evasion Techniques ∗∗∗ --------------------------------------------- The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. --------------------------------------------- https://thehackernews.com/2023/01/emotet-malware-makes-comeback-with-new.ht… ∗∗∗ Identitätsdiebstahl: Erste Hilfe bei Onlinebetrug unter Ihrem Namen ∗∗∗ --------------------------------------------- Kriminelle kaufen mit illegal erworbenen Login-Daten auf Ihre Rechnung ein oder posten Beschimpfungen in Ihrem Namen? Das sollten Sie jetzt tun. --------------------------------------------- https://heise.de/-7452745 ∗∗∗ A security audit of Git ∗∗∗ --------------------------------------------- The Open Source Technology Improvement Fund has announced the completion of a security audit of the Git source. --------------------------------------------- https://lwn.net/Articles/921067/ ∗∗∗ OSINT your OT suppliers ∗∗∗ --------------------------------------------- There is much talk about supply chain security and reviewing your suppliers for cyber security. But how much information do they intentionally and unintentionally leak about your organisation online? --------------------------------------------- https://www.pentestpartners.com/security-blog/osint-your-ot-suppliers/ ∗∗∗ Facebook: E-Bike-Gewinnspiele sind Fake ∗∗∗ --------------------------------------------- Mit „Danke“ kommentieren und E-Bike gewinnen: Dieses Gewinnspiel macht gerade auf Facebook die Runde. Angeblich haben die Fahrräder kleine Kratzer, die Motoren funktionieren aber einwandfrei. Vorsicht: Das Gewinnspiel ist Fake. --------------------------------------------- https://www.watchlist-internet.at/news/facebook-e-bike-gewinnspiele-sind-fa… ∗∗∗ Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats ∗∗∗ --------------------------------------------- We observed a recent spate of supply chain attacks attempting to exploit CVE-2021-35394, affecting IoT devices with chipsets made by Realtek. --------------------------------------------- https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ ∗∗∗ Vice Society Ransomware Group Targets Manufacturing Companies ∗∗∗ --------------------------------------------- In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-grou… ∗∗∗ A step-by-step introduction to the use of ROP gadgets to bypass DEP ∗∗∗ --------------------------------------------- DEP (Data Execution Prevention) is a memory protection feature that allows the system to mark memory pages as non-executable. ROP (Return-oriented programming) is an exploit technique that allows an attacker to execute shellcode with protections such as DEP enabled. --------------------------------------------- https://cybergeeks.tech/a-step-by-step-introduction-to-the-use-of-rop-gadge… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Symantec Endpoint Protection als Sprungbrett für Angreifer ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle könnten Angreifer Windows-PCs mit Sicherheitssoftware von Symantec attackieren. --------------------------------------------- https://heise.de/-7468961 ∗∗∗ iOS 16.3, iPadOS 16.3 und macOS 13.2: Welche Lücken Apple stopft ∗∗∗ --------------------------------------------- Erneut bekommen Macs, iPhones und iPads jede Menge Sicherheitsfixes. Zu den Details schweigt sich Apple teilweise mal wieder aus. --------------------------------------------- https://heise.de/-7469023 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and spip), Fedora (kernel), Mageia (chromium-browser-stable, docker, firefox, jpegoptim, nautilus, net-snmp, phoronix-test-suite, php, php-smarty, samba, sdl2, sudo, tor, viewvc, vim, virtualbox, and x11-server), Red Hat (bash, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, pcs, postgresql-jdbc, [...] --------------------------------------------- https://lwn.net/Articles/921024/ ∗∗∗ Critical Vulnerabilities Patched in OpenText Enterprise Content Management System ∗∗∗ --------------------------------------------- Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-patched-opentext-ente… ∗∗∗ Pgpool-II vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN72418815/ ∗∗∗ pgAdmin 4 vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN01398015/ ∗∗∗ VMSA-2023-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0001.html ∗∗∗ XINJE XD ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-024-01 ∗∗∗ SOCOMEC MODULYS GP ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-024-02 ∗∗∗ IBM WebSphere Application Server traditional container is vulnerable to information disclosure (CVE-2022-43917) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857007 ∗∗∗ Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857039 ∗∗∗ FileNet Content Manager GraphQL jackson-databind security vulnerabilities, affected but not vulnerable ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857047 ∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857295 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.01.2023
by Daily end-of-shift report 23 Jan '23

23 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-01-2023 18:00 − Montag 23-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Anmeldung bei ManageEngine ServiceDesk Plus MSP mit beliebigem Passwort möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Helpdesk-Software ManageEngine ServiceDesk Plus MSP von Zoho. --------------------------------------------- https://heise.de/-7467650 ∗∗∗ "Cyberkriminelle" verschaffen sich Zugang zu Sky-Kundenkonten ∗∗∗ --------------------------------------------- Der Pay-TV-Anbieter Sky bestätigt, dass sich bösartige Akteure Zugriff zu Kundenkonten verschafft haben. Details gibt es noch nicht, der Schaden ist unklar. --------------------------------------------- https://heise.de/-7468078 ∗∗∗ Vorsicht vor Betrug bei der Wohnungssuche im Ausland ∗∗∗ --------------------------------------------- Sie planen ein Auslandssemester oder suchen für einen befristeten Zeitraum eine Wohnung oder ein WG-Zimmer? Nehmen Sie sich vor günstigen Traumwohnungen in Acht! Dahinter könnte eine Betrugsmasche stecken. Finger weg, wenn Sie ohne Besichtigung eine Zahlung leisten müssen, die angeblich von TripAdvisor, Airbnb oder Booking.com verwaltet wird. Sie verlieren Ihr Geld und stehen ohne Wohnung da. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-wohnungssuche-fuer-… ∗∗∗ Massive ad-fraud op dismantled after hitting millions of iOS devices ∗∗∗ --------------------------------------------- A massive ad fraud operation dubbed Vastflux that spoofed more than 1,700 applications from 120 publishers, mostly for iOS, has been disrupted by security researchers at cybersecurity company HUMAN. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-ad-fraud-op-dismantl… ∗∗∗ Whos Resolving This Domain?, (Mon, Jan 23rd) ∗∗∗ --------------------------------------------- Challenge of the day: To find the process that resolved a specific domain. And this is not always easy! --------------------------------------------- https://isc.sans.edu/diary/rss/29462 ∗∗∗ Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks ∗∗∗ --------------------------------------------- The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week. --------------------------------------------- https://thehackernews.com/2023/01/threat-actors-turn-to-sliver-as-open.html ∗∗∗ ShareFinder: How Threat Actors Discover File Shares ∗∗∗ --------------------------------------------- Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all [...] --------------------------------------------- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover… ∗∗∗ Activation Context Cache Poisoning: Exploiting CSRSS for Privilege Escalation ∗∗∗ --------------------------------------------- Starting in July of 2022, the Windows CSRSS process entered the consciousness of the infosec community as the source of several local privilege escalation vulnerabilities in Microsoft Windows. The first public information appeared on July 12 with the release of the patch for CVE-2022-22047, which was being actively exploited. Shortly thereafter, Microsoft published an article providing some technical details [...] --------------------------------------------- https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-ex… ∗∗∗ Inglourious Drivers - A Journey of Finding Vulnerabilities in Drivers ∗∗∗ --------------------------------------------- TL;DR I discovered multiple bugs in OEM vendors for peripheral devices, which affected many users of these OEM vendors (Razer, EVGA, MSI, AMI). Many of the vulnerabilities originated in a [...] --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/inglourious-drivers… ===================== = Vulnerabilities = ===================== ∗∗∗ Unter Attacke: Sicherheitsleck in GTA V ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- Angreifer missbrauchen eine Sicherheitslücke im Spiel GTA V, um die Statistiken von Opfern zu verändern. Sie könnten jedoch Schadcode unterzuschieben. --------------------------------------------- https://heise.de/-7467685 ∗∗∗ Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347) ∗∗∗ --------------------------------------------- U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and [...] --------------------------------------------- https://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecke… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (powerline-gitstatus, tiff, and trafficserver), Fedora (dotnet6.0, firefox, git, kernel, libXpm, rust, sudo, upx, and yarnpkg), Mageia (kernel and kernel-linus), Red Hat (firefox, java-11-openjdk, and sudo), Slackware (mozilla and seamonkey), SUSE (cacti, cacti-spine, samba, and tor), and Ubuntu (firefox, php7.2, php7.4, php8.1, and python-setuptools, setuptools). --------------------------------------------- https://lwn.net/Articles/920829/ ∗∗∗ A CVE-2022-21626 vulnerability in IBM Java Runtime affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856759 ∗∗∗ Multiple vulnerability affect IBM Business Automation Workflow - CVE-2022-42003, CVE-2022-42004 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856761 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2023
by Daily end-of-shift report 20 Jan '23

20 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-01-2023 18:00 − Freitag 20-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit released for critical ManageEngine RCE bug, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is now available for a remote code execution (RCE) vulnerability in multiple Zoho ManageEngine products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ Exploiting null-dereferences in the Linux kernel ∗∗∗ --------------------------------------------- While the null-dereference bug itself was fixed in October 2022, the more important fix was the introduction of an oops limit which causes the kernel to panic if too many oopses occur. While this patch is already upstream, it is important that distributed kernels also inherit this oops limit and backport it to LTS releases if we want to avoid treating such null-dereference bugs as full-fledged security issues in the future. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences… ∗∗∗ Importance of signing in Windows environments, (Fri, Jan 20th) ∗∗∗ --------------------------------------------- NTLM relaying has been a plague in Windows environments for many years and we have witnessed many exploits that rely on the fact that it is possible to relay NTLM authentication attempts to various target services. --------------------------------------------- https://isc.sans.edu/diary/rss/29456 ∗∗∗ Vulnerable WordPress Sites Compromised with Different Database Infections ∗∗∗ --------------------------------------------- Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out of date websites to be attacked by multiple threat actors or targeted by the same attacker using multiple different channels. We recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals. --------------------------------------------- https://blog.sucuri.net/2023/01/vulnerable-wordpress-sites-compromised-with… ∗∗∗ New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability ∗∗∗ --------------------------------------------- Earlier this month, Fortinet disclosed that unknown hacking groups have capitalized on the shortcoming to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server. --------------------------------------------- https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.ht… ∗∗∗ Neue Love-Scam Masche: Wenn die Internetbekanntschaft Sie zum Online-Handel überredet ∗∗∗ --------------------------------------------- Betrügerische Internetbekanntschaften versuchen auf unterschiedlichsten Wegen an Ihr Geld zu kommen. Bei einer neuen Masche erschleichen sich die Kriminellen Ihr Vertrauen, um Sie später auf den Online-Marktplatz haremark. --------------------------------------------- https://www.watchlist-internet.at/news/neue-love-scam-masche-wenn-die-inter… ∗∗∗ CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion ∗∗∗ --------------------------------------------- n this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in Adobe ColdFusion. --------------------------------------------- https://www.thezdi.com/blog/2023/1/18/cve-2022-35690-unauthenticated-rce-in… ∗∗∗ NCSC to retire Logging Made Easy ∗∗∗ --------------------------------------------- The NCSC is retiring Logging Made Easy (LME). After 31 March 2023, we will no longer support LME, and the GitHub page will close shortly after. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/ncsc-to-retire-logging-made-easy ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco: Hochriskantes Sicherheitsleck in Unified Communications Manager ∗∗∗ --------------------------------------------- In der Unified Communications Manager-Software von Cisco klafft eine Sicherheitslücke mit hohem Risiko. Der Hersteller stellt Updates zum Schließen bereit. --------------------------------------------- https://heise.de/-7465203 ∗∗∗ Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434) ∗∗∗ --------------------------------------------- The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications. --------------------------------------------- https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield). --------------------------------------------- https://lwn.net/Articles/920646/ ∗∗∗ Vulnerability Spotlight: XSS vulnerability in Ghost CMS ∗∗∗ --------------------------------------------- The TALOS-2022-1686 (CVE-2022-47194-CVE-2022-47197) shows that several XSS vulnerabilities could lead to privilege escalation. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-xss-vulnerabilit… ∗∗∗ Hitachi Energy PCU400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-019-01 ∗∗∗ ;">uniFLOW MOM Tech Support Potential Data Exposure Vulnerability – 20 January 2023 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Vulnerability in minimatch affects IBM Process Mining . CVE-2022-3517 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856471 ∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856659 ∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856661 ∗∗∗ Liberty is vulnerable to denial of service due to GraphQL Java affecting IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856687 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856719 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856717 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-34305 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856713 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-45143 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856721 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.01.2023
by Daily end-of-shift report 19 Jan '23

19 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-01-2023 18:00 − Donnerstag 19-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Illegal Solaris darknet market hijacked by competitor Kraken ∗∗∗ --------------------------------------------- Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named Kraken, who claims to have hacked it on January 13, 2022. --------------------------------------------- https://www.bleepingcomputer.com/news/security/illegal-solaris-darknet-mark… ∗∗∗ Microsoft investigates bug behind unresponsive Windows Start Menu ∗∗∗ --------------------------------------------- Microsoft is investigating an issue causing the Windows taskbar and Start Menu to become unresponsive and triggering Outlook and Teams login problems. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-bug-… ∗∗∗ PayPal accounts breached in large-scale credential stuffing attack ∗∗∗ --------------------------------------------- PayPal is sending out notices of a data breach to thousands of users who had their accounts accessed by credential stuffing actors, resulting in the compromise of some personal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-… ∗∗∗ New Blank Image attack hides phishing scripts in SVG files ∗∗∗ --------------------------------------------- An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-blank-image-attack-hides… ∗∗∗ Roaming Mantis implements new DNS changer in its malicious mobile app in 2022 ∗∗∗ --------------------------------------------- Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. --------------------------------------------- https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/1… ∗∗∗ SPF and DMARC use on 100k most popular domains, (Thu, Jan 19th) ∗∗∗ --------------------------------------------- Not too long ago, I wrote a diary discussing SPF and DMARC use on GOV subdomains in different ccTLDs around the world. The results werent too optimistic, it turned out that only about 42% of gov.cctld domains had a valid SPF record published and only about 19% of such domains had a valid DMARC record published. --------------------------------------------- https://isc.sans.edu/diary/rss/29452 ∗∗∗ Android Users Beware: New Hook Malware with RAT Capabilities Emerges ∗∗∗ --------------------------------------------- The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session. --------------------------------------------- https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html ∗∗∗ CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA ∗∗∗ --------------------------------------------- CircleCI, a big name in the DevOps space, has released an incident report about a data breach it experienced early this month. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/01/circleci-malware-stole-githu… ∗∗∗ Pwned or Bot ∗∗∗ --------------------------------------------- Its fascinating to see how creative people can get with breached data. Of course theres all the nasty stuff (phishing, identity theft, spam), but there are also some amazingly positive uses for data illegally taken from someone elses system. --------------------------------------------- https://www.troyhunt.com/pwned-or-bot/ ∗∗∗ LockBit ransomware – what you need to know ∗∗∗ --------------------------------------------- It is the worlds most active ransomware group - responsible for an estimated 40% of all ransomware infections worldwide. Find out what you need to know about LockBit in my article on the Tripwire State of Security blog. --------------------------------------------- https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need… ∗∗∗ Windows 11 22H2: Systemwiederherstellung verursacht "This app can’t open"-Fehler ∗∗∗ --------------------------------------------- Ich höre zwar immer wieder "läuft ohne Probleme", aber für den Fall der Fälle, also falls Windows 11 22H2 mal Schluckauf haben sollte und den Fehler "Diese App kann nicht geöffnet werden" zeigt, da hätte ich was zur Ursache. Hochoffiziell von Microsoft als Fehler bestätigt. --------------------------------------------- https://www.borncity.com/blog/2023/01/19/windows-11-22h2-systemwiederherste… ∗∗∗ Windows 10: "Schlagloch" Windows PE-Patch zum Fix der Bitlocker-Bypass-Schwachstelle CVE-2022-41099 ∗∗∗ --------------------------------------------- Nachtrag zum Januar 2023 Patchday für Windows. Es gibt in der Windows PE-Umgebung von Windows 10 eine Schwachstelle (CVE-2022-41099), die eine Umgehung der Bitlocker-Verschlüsselung umgeht. Zum Fixen muss die Windows PE-Umgebung der Clients manuell aktualisiert werden. --------------------------------------------- https://www.borncity.com/blog/2023/01/19/windows-10-schlagloch-windows-pe-p… ∗∗∗ Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest ∗∗∗ --------------------------------------------- In this blog, we’ll tackle encrypting AWS in transit and at rest. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/improve-your-aws-se… ∗∗∗ Following the LNK metadata trail ∗∗∗ --------------------------------------------- While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. --------------------------------------------- https://blog.talosintelligence.com/following-the-lnk-metadata-trail/ ∗∗∗ Darth Vidar: The Dark Side of Evolving Threat Infrastructure ∗∗∗ --------------------------------------------- Vidar is an info-stealer malware, which was first spotted in the wild in late 2018 by the security researcher Fumik0. Upon initial inspection, the identified sample appeared to be Arkei (another info-stealer), however differences in both the sample’s code and C2 communications were observed. --------------------------------------------- https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo). --------------------------------------------- https://lwn.net/Articles/920478/ ∗∗∗ Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM ∗∗∗ --------------------------------------------- Cisco on Wednesday announced patches for a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME). --------------------------------------------- https://www.securityweek.com/cisco-patches-high-severity-sql-injection-vuln… ∗∗∗ CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services ∗∗∗ --------------------------------------------- A cross-site request forgery (CSRF) vulnerability impacting the source control management (SCM) service Kudu could be exploited to achieve remote code execution (RCE) in multiple Azure services, cloud infrastructure security firm Ermetic has discovered. --------------------------------------------- https://www.securityweek.com/csrf-vulnerability-kudu-scm-allowed-code-execu… ∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-001 ∗∗∗ [R1] Nessus Version 8.15.8 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-02 ∗∗∗ Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856209 ∗∗∗ IBM Security Guardium is affected by a gson-1.7.1.jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856221 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-25647) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856221 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2022-48195, CVE-2022-29577, CVE-2022-28367, CVE-2015-6420) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856401 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856409 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39011) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856403 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39089) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856405 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39090) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856407 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856439 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856443 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.01.2023
by Daily end-of-shift report 18 Jan '23

18 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-01-2023 18:00 − Mittwoch 18-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ RC4 Is Still Considered Harmful ∗∗∗ --------------------------------------------- Ive been spending a lot of time researching Windows authentication implementations, specifically Kerberos. In June 2022 I found an interesting issue number 2310 with the handling of RC4 encryption that allowed you to authenticate as another user if you could either interpose on the Kerberos network traffic to and from the KDC or directly if the user was configured to disable typical pre-authentication requirements. This blog post goes into more detail [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harm… ∗∗∗ Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware, (Wed, Jan 18th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/29448 ∗∗∗ Is WordPress Secure? ∗∗∗ --------------------------------------------- According to W3Techs, 43.2% of all websites on the internet use WordPress. And of all websites that use a CMS (Content Management System) more than half (64%) leverage WordPress to power their blog or website. Unfortunately, since WordPress has such a large market share it has also become a prime target for attackers. You might be wondering whether WordPress is safe to use. And the short answer is yes - WordPress core is safe to use, but only if you maintain it to the latest version and [...] --------------------------------------------- https://blog.sucuri.net/2023/01/is-wordpress-secure.html ∗∗∗ CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) --------------------------------------------- https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html ∗∗∗ Jetzt patchen! Tausende Firewalls von Sophos angreifbar ∗∗∗ --------------------------------------------- Sicherheitsforscher haben das Internet auf verwundbare Sophos-Firewalls gescannt und sind fündig geworden. Sicherheitspatches gibt es seit Dezember 2022. --------------------------------------------- https://heise.de/-7462565 ∗∗∗ MSI-Motherboards sollen trotz aktivem Secure Boot manipulierte Systeme starten ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat herausgefunden, dass der Schutzmechanismus Secure Boot auf MSI-Motherboards standardmäßig aktiv ist, aber trotzdem alles durchwinkt. --------------------------------------------- https://heise.de/-7462913 ∗∗∗ Hochriskante Sicherheitslücken in Qt "nur ein Bug" ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher von Cisco Thalos haben hochriskante Sicherheitslücken in Qt-QML gefunden. Qt sieht App-Entwickler am Zuge und stuft sie nur als Bug ein. --------------------------------------------- https://heise.de/-7462956 ∗∗∗ Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability ∗∗∗ --------------------------------------------- Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns. --------------------------------------------- https://www.securityweek.com/vendors-actively-bypass-security-patch-year-ol… ∗∗∗ The Defender’s Guide to Windows Services ∗∗∗ --------------------------------------------- This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them. --------------------------------------------- https://posts.specterops.io/the-defenders-guide-to-windows-services-67c1711… ∗∗∗ Silo, or not silo, that is the question ∗∗∗ --------------------------------------------- As we (security folks) were working on the hardening of WSUS update servers, we had to answer an interesting question dealing with how to best isolate a sensitive server like WSUS on on-premises Active Directory. The question was: should I put my WSUS server into my T0 silo? --------------------------------------------- https://medium.com/tenable-techblog/silo-or-not-silo-that-is-the-question-d… ∗∗∗ Elastic IP Transfer: Identifying and Mitigating Risks from a New Attack-Vector on AWS ∗∗∗ --------------------------------------------- Elastic IPs (EIPs) are public and static IPv4 addresses provided by AWS. EIPs can be viewed as a pool of IPv4 addresses, accessible from the internet, that can be used in numerous ways. Once an EIP is allocated to an AWS account, it can be associated with a single compute instance or an elastic network [...] --------------------------------------------- https://orca.security/resources/blog/elastic-ip-transfer-attack-vector-on-a… ∗∗∗ An in-depth HTTP Strict Transport Security Tutorial ∗∗∗ --------------------------------------------- HSTS is an Internet standard and policy that tells the browser to only interact with a website using a secure HTTPS connection. Check out this article to learn how to leverage the security of your website and customers’ data and the security benefits you’ll gain from doing so. --------------------------------------------- https://www.trendmicro.com/en_us/devops/23/a/http-strict-transport-security… ∗∗∗ Kriminelle versprechen Geld für Haarspenden auf Job-Börsen, aber zahlen nicht! ∗∗∗ --------------------------------------------- Wenn Sie auf Facebook in diversen Job-Börsen nach einer Beschäftigung suchen, stoßen Sie womöglich auf ein verlockendes Angebot für Ihre Haare. Um für Krebskranke Perücken anzufertigen, ist man bereit, Ihnen bis zu 2000 Euro für Ihre Haare zu bezahlen. Achtung: Wenn Sie hier Kontakt aufnehmen, gibt man Ihnen genaue Anweisungen zum Abschneiden Ihrer Haare und verspricht eine Bezahlung bei Abholung. Doch dann sind Ihre Haare ab, Sie werden blockiert und [...] --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versprechen-geld-fuer-haa… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Sicherheitslücken in über 100 Oracle-Produkten ∗∗∗ --------------------------------------------- Das erste Oracle Critical Patch Update des Jahres 2023 liefert Beschreibungen und Updates für Sicherheitslücken in mehr als 100 Produkten des Unternehmens. --------------------------------------------- https://heise.de/-7462438 ∗∗∗ Versionsverwaltung: Git schließt zwei kritische Lücken in Version 2.39 ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Lücken in Git entdeckt, durch die beliebiger Code ausgeführt werden konnte. Patches stehen bereit, Nutzer sollten umgehend updaten. --------------------------------------------- https://heise.de/-7462680 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (awstats), Oracle (dpdk, libxml2, postgresql:10, systemd, and virt:ol and virt-devel:rhel), Red Hat (kernel), Slackware (git, httpd, libXpm, and mozilla), SUSE (libzypp-plugin-appdata), and Ubuntu (git, libxpm, linux-ibm-5.4, linux-oem-5.14, and ruby2.3). --------------------------------------------- https://lwn.net/Articles/920318/ ∗∗∗ Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers ∗∗∗ --------------------------------------------- Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).Two security defects were identified in TP-Link WR710N-V1-151022 and Archer-C5-V2-160201 SOHO (small office/home office) routers, allowing attackers to execute code, crash devices, or guess login credentials. --------------------------------------------- https://www.securityweek.com/remote-code-execution-vulnerabilities-found-tp… ∗∗∗ IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6850801 ∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp… ∗∗∗ Security Advisory - Misinterpretation of Input in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moiiahpp-… ∗∗∗ Security Advisory - Data Processing Error Vulnerability in a Huawei Band ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-dpeviahb-… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-boviahpp-… ∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp… ∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-5… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2023
by Daily end-of-shift report 17 Jan '23

17 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 16-01-2023 18:00 − Dienstag 17-01-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Finding that one GPO Setting in a Pool of Hundreds of GPOs, (Tue, Jan 17th) ∗∗∗ --------------------------------------------- I had a call recently from a client, they were looking for which Group Policy in their AD had a specific setting in it. --------------------------------------------- https://isc.sans.edu/diary/rss/29442 ∗∗∗ The misadventures of an SPF record ∗∗∗ --------------------------------------------- I ran a scan against the three million most visited domains and discovered that the Ukrainian MoD, MIT, University, University of Miami, along with 1000+ other domains had mistakenly used the “+all” SPF mechanism at the end of their respective SPF records - effectively meaning any public IP address can send SPF authenticated emails on their behalf. --------------------------------------------- https://caniphish.com/phishing-resources/blog/scanning-spf-records ∗∗∗ Windows: Verschwundene Start-Menüs und Taskbars sorgen für Verwirrung ∗∗∗ --------------------------------------------- Update 16.01.2023 07:44 Uhr: Microsoft hat inzwischen einen Support-Artikel in der Techcommunity herausgegeben, der PowerShell-Skripte und Anleitungen zur automatischen Ausführung für IT-Verantwortliche enthält, die zumindest einen Teil von gelöschten Verknüpfungen wiederherstellen können sollen. --------------------------------------------- https://www.heise.de/news/Windows-Verschwundene-Start-Menues-und-Taskbars-s… ∗∗∗ Beware of DDosia, a botnet created to facilitate DDoS attacks ∗∗∗ --------------------------------------------- The DDosia project is a successor of the Bobik botnet linked to the pro-Russian hacker group called NoName(057)16, as revealed in a recent analysis by Avast researcher Martin Chlumecky. --------------------------------------------- https://blog.avast.com/ddosia-project ∗∗∗ The prevalence of RCE exploits and what you should know about RCEs ∗∗∗ --------------------------------------------- Recent headlines have indicated that some major companies were affected by Remote Code Execution (RCE) vulnerabilities, just in the month of October. RCE flaws are largely exploited in the wild, and organizations are continually releasing patches to mitigate the problem. --------------------------------------------- https://www.tripwire.com/state-of-security/prevalence-rce-exploits-and-what… ∗∗∗ Attackers Can Abuse GitHub Codespaces for Malware Delivery ∗∗∗ --------------------------------------------- A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports. --------------------------------------------- https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-… ∗∗∗ Gefälschtes Post-SMS im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden per SMS gefälschte Paket-Benachrichtigungen. Darin steht, dass Ihr Paket im Sortierzentrum angekommen ist und Sie noch Importkosten zahlen müssen. Klicken Sie nicht auf den Link. Sie werden auf eine gefälschte Post-Seite geführt, wo Kriminelle Ihre Daten stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-post-sms-im-umlauf/ ∗∗∗ Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks ∗∗∗ --------------------------------------------- We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-leg… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft resolves four SSRF vulnerabilities in Azure cloud services ∗∗∗ --------------------------------------------- Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security. --------------------------------------------- https://msrc-blog.microsoft.com/2023/01/17/microsoft-resolves-four-ssrf-vul… ∗∗∗ Attacken auf kritische Lücke in ManageEngine-Produkte von Zoho bald möglich ∗∗∗ --------------------------------------------- Angreifer könnten ManageEngine-Produkte wie Access Manager Plus und Password Manager Pro mit Schadcode attackieren. --------------------------------------------- https://heise.de/-7461118 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor). --------------------------------------------- https://lwn.net/Articles/920217/ ∗∗∗ Schwere Sicherheitslücke in InRouter-Firmware von InHand Networks bedroht Roboter, Stromzähler, med. Geräte etc. ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf eine schwere Sicherheitslücke Schwachstelle CVE-2023-22598 in der InRouter-Firmware des Herstellers InHand Networks GmbH gestoßen. --------------------------------------------- https://www.borncity.com/blog/2023/01/17/schwere-sicherheitslcken-inrouter-… ∗∗∗ LDAP-Schwachstellen: Domain Controller mit Januar 2023-Updates patchen ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag zum Januar 2023-Patchday (10. Januar 2023). Administratoren sollten sich darum kümmern, dass ihre als Domain Controller fungierenden Windows Server auf dem aktuellen Patchstand sind. Denn mit den Januar 2023-Updates wurden zwei gravierende Schwachstellen im Lightweight Directory Access Protocol (LDAP) geschlossen. --------------------------------------------- https://www.borncity.com/blog/2023/01/17/ldap-schwachstellen-domain-control… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/ ∗∗∗ Security Vulnerabilities fixed in Firefox 109 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/ ∗∗∗ A vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855731 ∗∗∗ There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-22939, CVE-2021-22931, CVE-2020-7598) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855777 ∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855831 ∗∗∗ AIX is vulnerable to a buffer overflow due to X11 (CVE-2022-47990) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855827 ∗∗∗ IBM Robotic Process Automation is vulnerable to Cross-Site Scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855835 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.01.2023
by Daily end-of-shift report 16 Jan '23

16 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-01-2023 18:00 − Montag 16-01-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Viele Cacti-Server öffentlich erreichbar und verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher stoßen auf tausende über das Internet erreichbare Server mit dem IT-Monitoring-Tool Cacti. Zahlreiche Instanzen wurden noch nicht gepatcht. --------------------------------------------- https://heise.de/-7459904 ∗∗∗ CircleCI-Hack: 2FA-Zugangsdaten von Mitarbeiter ergaunert ∗∗∗ --------------------------------------------- Die Betreiber der Cloud-basierten Continuous-Integration-Plattform CircleCI haben ihren Bericht über den Sicherheitsvorfall veröffentlicht. --------------------------------------------- https://heise.de/-7460123 ∗∗∗ Gefälschte Job-Angebote im Namen der Wirtschafskammer auf Facebook ∗∗∗ --------------------------------------------- Auf Facebook kursieren gefälschte Jobangebote im Namen der Wirtschaftskammer Österreich. Die Anzeigen versprechen Gehälter zwischen 50 und 200 Euro pro Stunde. Die Wirtschaftskammern selbst warnen bereits auf Facebook vor den gefälschten Stellenangeboten. Bewerben Sie sich nicht und klicken Sie nicht auf den Link! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-job-angebote-im-namen-de… ∗∗∗ Avast releases free BianLian ransomware decryptor ∗∗∗ --------------------------------------------- Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian… ∗∗∗ Malicious ‘Lolip0p’ PyPi packages install info-stealing malware ∗∗∗ --------------------------------------------- A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packa… ∗∗∗ PSA: Why you must run an ad blocker when using Google, (Mon, Jan 16th) ∗∗∗ --------------------------------------------- Today, I just have a short public service announcement: You MUST run an adblocker while using Google. It may be best just to keep the adblocker enabled all the time. --------------------------------------------- https://isc.sans.edu/diary/rss/29438 ∗∗∗ Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware ∗∗∗ --------------------------------------------- Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed EyeSpy as part of a malware campaign that started in May 2022. --------------------------------------------- https://thehackernews.com/2023/01/beware-tainted-vpns-being-used-to.html ∗∗∗ Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software ∗∗∗ --------------------------------------------- A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020. --------------------------------------------- https://thehackernews.com/2023/01/raccoon-and-vidar-stealers-spreading.html ∗∗∗ Hacked! My Twitter user data is out on the dark web -- now what? ∗∗∗ --------------------------------------------- Your Twitter user data may now be out there too, including your phone number. Heres how to check and what you can do about it. --------------------------------------------- https://www.zdnet.com/article/hacked-my-twitter-user-data-is-out-on-the-dar… ∗∗∗ Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML ∗∗∗ --------------------------------------------- Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML. Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all [...] --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-integer-and-buff… ===================== = Vulnerabilities = ===================== ∗∗∗ PoC exploits released for critical bugs in popular WordPress plugins ∗∗∗ --------------------------------------------- Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-cr… ∗∗∗ Webbrowser: Microsoft Edge-Update schließt hochriskante Lücken ∗∗∗ --------------------------------------------- Microsoft hat in einem Update des Webbrowsers Edge Sicherheitslücken aus dem Chromium-Projekt abgedichtet. Sie schließt auch weitere hochriskante Lücken. --------------------------------------------- https://heise.de/-7459742 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp). --------------------------------------------- https://lwn.net/Articles/920120/ ∗∗∗ Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) ∗∗∗ --------------------------------------------- Im April 2021 hatten Sicherheitsforscher eine Privilege Escalation Schwachstelle im Windows RPC-Protokoll entdeckt, der eine lokale Privilegienerweiterung durch NTLM-Relay-Angriffe ermöglichte. Nun scheint ein Sicherheitsforscher auf eine nicht so bekannte Möglichkeit zur Durchführung von NTLM Reflection-Angriffen gestoßen zu sein, die er [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/15/nach-remotepotato0-kommt-die-windo… ∗∗∗ IBM Security Bulletins 2023-01-16 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM® Engineering Lifecycle Engineering products, IBM Integration Bus, IBM Maximo Asset Management, IBM MQ Internet Pass-Thru, IBM QRadar SIEM, IBM Sterling Partner Engagement Manager, IBM Tivoli Application Dependency Discovery Manager (TADDM), IBM Tivoli Netcool Configuration Manager, IBM Tivoli Network Manager (ITNM), IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM), Rational Functional Tester --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ HIMA: unquoted path vulnerabilities in X-OPC and X-OTS ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-059/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2023
by Daily end-of-shift report 13 Jan '23

13 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-01-2023 18:00 − Freitag 13-01-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fortinet says hackers exploited critical vulnerability to infect VPN customers ∗∗∗ --------------------------------------------- Remote code-execution bug was exploited to backdoor vulnerable servers. --------------------------------------------- https://arstechnica.com/?p=1909594 ∗∗∗ NortonLifeLock warns that hackers breached Password Manager accounts ∗∗∗ --------------------------------------------- Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-ha… ∗∗∗ Malware: Android-TV-Box mit vorinstallierter Schadsoftware gekauft ∗∗∗ --------------------------------------------- Auf Amazon hat ein Sicherheitsforscher eine Android-TV-Box gekauft - und entdeckte eine tief ins System integrierte Schadsoftware. --------------------------------------------- https://www.golem.de/news/malware-android-tv-box-mit-vorinstallierter-schad… ∗∗∗ Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar ∗∗∗ --------------------------------------------- Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar. --------------------------------------------- https://thehackernews.com/2023/01/cybercriminals-using-polyglot-files-in.ht… ∗∗∗ Keeping the wolves out of wolfSSL ∗∗∗ --------------------------------------------- Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS). --------------------------------------------- https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-f… ∗∗∗ Bad things come in large packages: .pkg signature verification bypass on macOS ∗∗∗ --------------------------------------------- Besides signing applications, it is also possible to sign installer packages (.pkg files). During a short review of the xar source code, we found a vulnerability (CVE-2022-42841) that could be used to modify a signed installer package without invalidating its signature. This vulnerability could be abused to bypass Gatekeeper, SIP and under certain conditions elevate privileges to root. [..] This was fixed by Apple with a 2 character fix: changing uint32_t to uint64_t in macOS 13.1. --------------------------------------------- https://sector7.computest.nl/post/2023-01-xar/ ∗∗∗ Crassus Windows privilege escalation discovery tool ∗∗∗ --------------------------------------------- Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files. The ACLs used by files and directories of privileged processes can find more than just looking for missing files to achieve the goal. --------------------------------------------- https://github.com/vullabs/Crassus ∗∗∗ Cyber-Attacken auf kritische Lücke in Control Web Panel ∗∗∗ --------------------------------------------- Cyberkriminelle greifen eine kritische Sicherheitslücke in CWP (Control Web Panel, ehemals CentOS Web Panel) an. Sie kompromittieren die verwundbaren Systeme. --------------------------------------------- https://heise.de/-7458440 ∗∗∗ Red Hat ergänzt Malware-Erkennungsdienst für RHEL ∗∗∗ --------------------------------------------- Im Rahmen von Red Hat Insights ergänzt das Unternehmen nun einen Malware-Erkennungsdienst. Der ist für RHEL 8 und 9 verfügbar. --------------------------------------------- https://heise.de/-7458189 ∗∗∗ Most Cacti Installations Unpatched Against Exploited Vulnerability ∗∗∗ --------------------------------------------- Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks. --------------------------------------------- https://www.securityweek.com/most-cacti-installations-unpatched-against-exp… ∗∗∗ Bestellen Sie nicht auf Cardione.at! ∗∗∗ --------------------------------------------- Cardione ist ein Nahrungsergänzungsmittel, das angeblich bei Bluthochdruck helfen soll. Cardione.at wirbt mit gefälschten Empfehlungen eines Arztes, es gibt keine Impressums- oder sonstige Unternehmensdaten. Wir raten: Bestellen Sie keine Cardione Tabletten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-bestellung-auf-cardione… ∗∗∗ Fake-Shop alvensleben.net imitiert Sofortüberweisung und fragt TANs ab! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor Fake-Shops wie alvensleben.net in Acht. Der Shop hat insbesondere Kinderspielzeug, Brettspiele und Sportgeräte im Sortiment, bietet aber auch Gartenmöbel und Klettergerüste sowie Bettwäsche an. Bezahlt werden soll per Sofortüberweisung. Achtung: Die Daten werden nicht an den Zahlungsdienstleister weitergeleitet, sondern von den Kriminellen abgegriffen. Später werden Sie zur Übermittlung von TAN-Codes überredet und dadurch um Ihr Geld gebracht! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alvenslebennet-imitiert-so… ∗∗∗ Microsoft ASR/Defender Update kann Desktop-/Startmenü-Verknüpfungen löschen ∗∗∗ --------------------------------------------- Wie aktuell in mehreren Medien berichtet wird, scheint das letzte Update von MS ASR/Defender Auswirkungen auf Desktop-/Startmenüverknüpfungen zu haben, und kann unter anderem dazu führen dass O365 Applikationen nicht mehr gestartet werden können. Gängiger Workaround scheint momentan zu sein, die entsprechenden Regeln auf "Audit" zu setzen. Microsoft hat die Regel wieder entfernt, es kann aber noch dauern, bis das global wirksam wird. Inzwischen wird empfohlen, im Admin Center auf SI MO497128 zu schauen. --------------------------------------------- https://cert.at/de/aktuelles/2023/1/microsoft-asrdefender-update-kann-deskt… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cacti, cacti-spine, mbedtls, postgresql-jdbc, and rust), Oracle (.NET 6.0, dbus, expat, grub2, kernel, kernel-container, libtasn1, libtiff, sqlite, and usbguard), Red Hat (rh-postgresql10-postgresql), SUSE (php7), and Ubuntu (heimdal, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi,, linux, linux-aws, linux-aws-hwe, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/919907/ ∗∗∗ IBM Security Bulletins 2023-01-13 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Data, IBM Cloud Pak for Security, IBM Security Verify Access Appliance, IBM Watson Speech Services, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1), ICP Speech to Text and Text to Speech --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CISA Releases Twelve Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/cisa-releases-twe… ∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/juniper-networks-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.01.2023
by Daily end-of-shift report 12 Jan '23

12 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-01-2023 18:00 − Donnerstag 12-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Konten leergeräumt: Neue Phishing-Welle mit Apple Pay ∗∗∗ --------------------------------------------- Mit einem ausgeklügelten Trick versuchen Kriminelle an Kreditkartendaten zu kommen. Wer Grundlegendes beachtet, ist allerdings ausreichend geschützt. --------------------------------------------- https://futurezone.at/digital-life/apple-pay-phishing-welle-mail-kreditkart… ∗∗∗ Hack: Sicherheitslücke in SugarCRM-Servern wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Etliche SugarCRM-Server in den USA und Deutschland wurden schon gehackt. Ein Hotfix wurde bereits veröffentlicht. --------------------------------------------- https://www.golem.de/news/hack-sicherheitsluecke-in-sugarcrm-servern-wird-a… ∗∗∗ Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability ∗∗∗ --------------------------------------------- Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. --------------------------------------------- https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html ∗∗∗ New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors ∗∗∗ --------------------------------------------- A new analysis of Raspberry Robins attack infrastructure has revealed that its possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. --------------------------------------------- https://thehackernews.com/2023/01/new-analysis-reveals-raspberry-robin.html ∗∗∗ IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours ∗∗∗ --------------------------------------------- A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access. --------------------------------------------- https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html ∗∗∗ Prowler v3: AWS & Azure security assessments ∗∗∗ --------------------------------------------- Prowler is an open source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. Prowler v3 is now multi-cloud with Azure added as the second supported cloud provider. --------------------------------------------- https://isc.sans.edu/diary/rss/29430 ∗∗∗ Exfiltration Over a Blocked Port on a Next-Gen Firewall ∗∗∗ --------------------------------------------- [..] all successfully exfiltrated data packets were in small formats [..], smaller than the MTU (maximum transmit unit). This meant that these data types could only be exfiltrated in single packets, rather than multiple, to avoid exceeding the MTU size. When asked about this finding, the NG-FW vendor acknowledged that "to determine which application is being used, and whether the session aligned with the protocol’s standard, the NG-FW must allow at least one packet to pass." --------------------------------------------- https://cymulate.com/blog/data-exfiltration-firewall/ ∗∗∗ Kritische Sicherheitslücke bedroht End-of-Life-Router von Cisco ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat wichtige Sicherheitsupdates für etwa verschiedene Router, IP-Telefone und Webex veröffentlicht. --------------------------------------------- https://heise.de/-7456480 ∗∗∗ AI-generated phishing attacks are becoming more convincing ∗∗∗ --------------------------------------------- Its time for you and your colleagues to become more skeptical about what you read. Thats a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harrass, and spread fake news. Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed. --------------------------------------------- https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-ar… ∗∗∗ Threema Under Fire After Downplaying Security Research ∗∗∗ --------------------------------------------- The developers of the open source secure messaging app Threema have come under fire over their public response to a security analysis conducted by researchers at the Swiss university ETH Zurich. --------------------------------------------- https://www.securityweek.com/threema-under-fire-after-downplaying-security-… ∗∗∗ SCCM Site Takeover via Automatic Client Push Installation ∗∗∗ --------------------------------------------- tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation. --------------------------------------------- https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-in… ∗∗∗ Gefährliche Fehlkonfigurationen von Active Directory-Dienstkonten ∗∗∗ --------------------------------------------- Das Identifizieren von Schwachstellen in der AD-Konfiguration kann sich als Albtraum erweisen, warnt Gastautor Guido Grillenmeier von Semperis. --------------------------------------------- https://www.zdnet.de/88406475/gefaehrliche-fehlkonfigurationen-von-active-d… ∗∗∗ Microsoft Exchange Januar 2023 Patchday-Nachlese: Dienste starten nicht etc. ∗∗∗ --------------------------------------------- Zum 10. Januar 2023 (Patchday) hat Microsoft Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software, haben aber bekannte Fehler und verursachen neue neue Probleme bei der Installation. Hier ein kurzer Überblick über den Sachstand. --------------------------------------------- https://www.borncity.com/blog/2023/01/12/microsoft-exchange-januar-2023-pat… ∗∗∗ What is Red Teaming & How it Benefits Orgs ∗∗∗ --------------------------------------------- Running real-world attack simulations can help improve organizations cybersecurity resilience --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/what-is-red-teaming.html ∗∗∗ Shodan Verified Vulns 2023-01-01 ∗∗∗ --------------------------------------------- Mit Stand 2023-01-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/1/shodan-verified-vulns-2023-01-01 ===================== = Vulnerabilities = ===================== ∗∗∗ Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001 ∗∗∗ --------------------------------------------- Description: This module enables users to create private vocabularies. The module doesnt enforce permissions appropriately for the taxonomy overview page and overview form. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-001 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (emacs, libxstream-java, and netty), Fedora (mingw-binutils, pgadmin4, phoronix-test-suite, vim, and yarnpkg), Red Hat (.NET 6.0, dbus, expat, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, postgresql:10, sqlite, systemd, usbguard, and virt:rhel and virt-devel:rhel), and SUSE (net-snmp, openstack-barbican, openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, [...] --------------------------------------------- https://lwn.net/Articles/919785/ ∗∗∗ TP-Link SG105PE vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78481846/ ∗∗∗ WAGO: Unauthenticated Configuration Export in web-based management in multiple devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-054/ ∗∗∗ Visual Studio Code Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21779 ∗∗∗ Security vulnerability in Apache CXF affects IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854685 ∗∗∗ Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854713 ∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854647 ∗∗∗ Vulnerabilities in IBM Java Runtime affect IBM WebSphere Application Servers used by IBM Master Data Management (CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854595 ∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering products using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851835 ∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to PostgreSQL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854915 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-41041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854927 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to arbitrary code execution due to [CVE-2022-25893] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854929 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-41041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854931 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily