- Daily - CERT.at

Tageszusammenfassung - 11.01.2023
by Daily end-of-shift report 11 Jan '23

11 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-01-2023 18:00 − Mittwoch 11-01-2023 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Lorenz ransomware gang plants backdoors to use months later ∗∗∗ --------------------------------------------- Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lorenz-ransomware-gang-plant… ∗∗∗ Bad Paths & The Importance of Using Valid URL Characters ∗∗∗ --------------------------------------------- To ensure that your web files and pages are accessible to a wide range of users with various different devices and operating systems, it’s important to use valid URL characters. Unsafe characters are known to cause compatibility issues with various browser clients, web servers, and even lead to incompatibility issues with web application firewalls. --------------------------------------------- https://blog.sucuri.net/2023/01/bad-paths-the-importance-of-using-valid-url… ∗∗∗ Gefälschte Telegram-App spioniert unter Android ∗∗∗ --------------------------------------------- IT-Forscher von Eset haben eine gefälschte Telegram-App aufgespürt, die ihre Opfer umfassend ausspioniert. Sie wird jedoch außerhalb von Google Play verteilt. --------------------------------------------- https://heise.de/-7455996 ∗∗∗ Cybercrime Group Exploiting Old Windows Driver Vulnerability to Bypass Security Products ∗∗∗ --------------------------------------------- A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms. --------------------------------------------- https://www.securityweek.com/cybercrime-group-exploiting-old-windows-driver… ∗∗∗ SMB “Access is denied” caused by anti-NTLM relay protection ∗∗∗ --------------------------------------------- We investigated a situation where an SMB client could not connect to an SMB server. The SMB server returned an “Access Denied” during the NTLM authentication, even though the credentials were correct and there were no restrictions on both the server-side share and client-side (notably UNC Hardened Access). --------------------------------------------- https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntl… ∗∗∗ Dark Pink ∗∗∗ --------------------------------------------- New APT hitting Asia-Pacific, Europe that goes deeper and darker --------------------------------------------- https://blog.group-ib.com/dark-pink-apt ===================== = Vulnerabilities = ===================== ∗∗∗ Webbrowser: 17 Sicherheitslücken in Google Chrome gestopft ∗∗∗ --------------------------------------------- Das erste Update des Jahres hievt den Webbrowser Chrome auf Stand 109. Die Entwickler schließen darin 17 Schwachstellen, von denen einige hochriskant sind. --------------------------------------------- https://heise.de/-7455130 ∗∗∗ Patchday: Schadcode-Attacken auf Adobe InCopy und InDesign möglich ∗∗∗ --------------------------------------------- Die Entwickler von Adobe haben in mehreren Anwendungen gefährliche Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7455222 ∗∗∗ Patchday: Angreifer verschaffen sich unter Windows System-Rechte ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für unter anderem Exchange Server, Office und Windows veröffentlicht. --------------------------------------------- https://heise.de/-7455122 ∗∗∗ Exploit-Code gesichtet: Attacken auf IT-Monitoring-Tool Cacti möglich ∗∗∗ --------------------------------------------- Angreifer könnten an einer kritischen Sicherheitslücke in Cacti ansetzen und Schadcode auf Servern ausführen. --------------------------------------------- https://heise.de/-7455833 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exiv2, hsqldb, libjettison-java, ruby-sinatra, and viewvc), Fedora (golang-github-docker, mbedtls, and vim), Gentoo (alpine, commons-text, jupyter_core, liblouis, mbedtls, ntfs3g, protobuf-java, scikit-learn, and twisted), Red Hat (kernel and kpatch-patch), SUSE (rubygem-activerecord-5.2, tiff, and webkit2gtk3), and Ubuntu (dotnet6, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-oracle, linux-ibm, and linux-oem-5.17, linux-oem-6.0). --------------------------------------------- https://lwn.net/Articles/919649/ ∗∗∗ Unpatchable Hardware Vulnerability Allows Hacking of Siemens PLCs ∗∗∗ --------------------------------------------- Researchers at firmware security company Red Balloon Security have discovered a potentially serious vulnerability affecting many of Siemens’ programmable logic controllers (PLCs). --------------------------------------------- https://www.securityweek.com/unpatchable-hardware-vulnerability-allows-hack… ∗∗∗ Exchange Server Sicherheitsupdates (10. Januar 2023), dringend patchen ∗∗∗ --------------------------------------------- Microsoft hat zum 10. Januar 2023 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software. --------------------------------------------- https://www.borncity.com/blog/2023/01/11/exchange-server-sicherheitsupdates… ∗∗∗ AMD Client Vulnerabilities - January 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500539-AMD-CLIENT-VULNERABILIT… ∗∗∗ AMD Server Vulnerabilities - January 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500538-AMD-SERVER-VULNERABILIT… ∗∗∗ Multiple Vulnerabilities in IBM Java SDK affects Liberty for Java for IBM Cloud due to the October 2022 CPU plus CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854413 ∗∗∗ Vulnerability in IBM WebSphere Liberty Profile affects IBM InfoSphere Identity Insight (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854451 ∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854571 ∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to OpenSSL as a part of Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854575 ∗∗∗ IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854577 ∗∗∗ The IBM Engineering System Design Rhapsody products on IBM Jazz Technology contains additional security fixes for Log4j vulnerabilities CVE-2021-4104 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6825215 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2023
by Daily end-of-shift report 10 Jan '23

10 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 09-01-2023 18:00 − Dienstag 10-01-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Interview: Sönke Huster über Lücken im WLAN-Stack des Linux-Kernels ∗∗∗ --------------------------------------------- Sönke Huster hat Sicherheitslücken im WLAN-Stack des Linux-Kernels gefunden, die einen Angriff theoretisch ermöglichen, nur weil das WLAN eingeschaltet ist. --------------------------------------------- https://heise.de/-7447684 ∗∗∗ Meeting-Client Zoom unter Android, macOS und Windows angreifbar ∗∗∗ --------------------------------------------- Nach erfolgreichen Attacken auf Zoom Rooms könnten sich Angreifer etwa unter macOS Root-Rechte verschaffen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7453606 ∗∗∗ Sourcecode-Editor Visual Studio Code: Fake Extensions lassen sich leicht tarnen ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine als Prettier getarnte Erweiterung im Marktplatz veröffentlicht, die es auf gut 1000 Downloads innerhalb von 48 Stunden brachte. --------------------------------------------- https://heise.de/-7453534 ∗∗∗ Patchday: SAP behandelt vier kritische Schwachstellen ∗∗∗ --------------------------------------------- SAP liefert Updates zum Beheben von teils kritischen Sicherheitslücken in den Produkten des Herstellers. IT-Verantwortliche sollten sie rasch installieren. --------------------------------------------- https://heise.de/-7454402 ∗∗∗ Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges ∗∗∗ --------------------------------------------- On Oct 21, 2022, 360Netlabs honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via F5 vulnerability with zero VT detection, our system observces that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, this caught our attention. --------------------------------------------- https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/ ∗∗∗ New year, old tricks: Hunting for CircleCI configuration files, (Mon, Jan 9th) ∗∗∗ --------------------------------------------- I have written before about attackers looking for exposed configuration files. Configuration files often include credentials or other sensitive information. Today, I noticed some scans for a files called "/.circleci/config.yml". Given the recent breach at CircleCI, I dug in a bit deeper. --------------------------------------------- https://isc.sans.edu/diary/rss/29416 ∗∗∗ ChatGPT-Written Malware ∗∗∗ --------------------------------------------- I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.…within a few weeks of ChatGPT going live, participants in cybercrime forums—some with little or no coding experience—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks. --------------------------------------------- https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html ∗∗∗ Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL ∗∗∗ --------------------------------------------- The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week. --------------------------------------------- https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html ∗∗∗ The Dark Side of Gmail ∗∗∗ --------------------------------------------- Behind one of Gmail’s lesser-known features lies a potential threat to websites and platforms managers. --------------------------------------------- https://osintmatter.com/the-dark-side-of-gmail/ ∗∗∗ Crypto-inspired Magecart skimmer surfaces via digital crime haven ∗∗∗ --------------------------------------------- One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspir… ∗∗∗ Malware-based attacks on ATMs - A summary ∗∗∗ --------------------------------------------- Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics. --------------------------------------------- https://blog.nviso.eu/2023/01/10/malware-based-attacks-on-atms-a-summary/ ===================== = Vulnerabilities = ===================== ∗∗∗ Securepoint UTM: Hotfix schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- In den Securepoint UTM klafft eine kritische Sicherheitslücke. Das Unternehmen hat einen Hotfix bereitgestellt, der die Schwachstelle abdichtet. --------------------------------------------- https://heise.de/-7453560 ∗∗∗ UEFI-Sicherheitslücken bedrohen ARM-Geräte wie Microsoft Surface ∗∗∗ --------------------------------------------- Supply-Chain-Attacken möglich: Angreifer könnten auf Lenovo ThinkPads und Microsoft Surface den Schutzmechanismus Secure Boot umgehen. --------------------------------------------- https://heise.de/-7454141 ∗∗∗ Eleven Vulnerabilities Patched in Royal Elementor Addons ∗∗∗ --------------------------------------------- On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day. --------------------------------------------- https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-ro… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/919543/ ∗∗∗ 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider ∗∗∗ --------------------------------------------- The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities. --------------------------------------------- https://www.securityweek.com/2023-ics-patch-tuesday-debuts-12-security-advi… ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released two Industrial Control Systems (ICS) advisories on January 10, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-010-01 Black Box KVM ICSA-22-298-07 Delta Electronics InfraSuite Device Master (Update A) --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/10/cisa-releases-two… ∗∗∗ Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three vulnerabilities in Asus router software. The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-asus-router-acce… ∗∗∗ IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗ --------------------------------------------- CICS Transaction Gateway, IBM Answer Retrieval for Watson Discovery, IBM Business Automation Workflow, IBM Cloud Object Storage Systems, IBM Master Data Management, IBM Maximo Application Suite, IBM Sterling Partner Engagement Manager, IBM WebSphere Application Server, TADDM --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Siemens Security Advisories (7 new, 15 updated) ∗∗∗ --------------------------------------------- SSA-997779 V1.0: File Parsing Vulnerability in Solid Edge before V2023 MP1 SSA-936212 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Solid Edge SSA-712929 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products SSA-710008 V1.2 (Last Update: 2023-01-10): Multiple Web Vulnerabilities in SCALANCE Products SSA-697140 V1.1 (Last Update: 2023-01-10): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products SSA-593272 V1.9 (Last Update: 2023-01-10): SegmentSmack in Interniche IP-Stack based Industrial Devices SSA-592007 V1.9 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Products SSA-552702 V1.3 (Last Update: 2023-01-10): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products SSA-547714 V1.1 (Last Update: 2023-01-10): Argument Injection Vulnerability in SIMATIC WinCC OA Ultralight Client SSA-496604 V1.0: Cross-Site Scripting Vulnerability in Mendix SAML Module SSA-482757 V1.0: Missing Immutable Root of Trust in S7-1500 CPU devices SSA-480230 V2.5 (Last Update: 2023-01-10): Denial of Service Vulnerability in Webserver of Industrial Products SSA-478960 V1.2 (Last Update: 2023-01-10): Missing CSRF Protection in the Web Server Login Page of Industrial Controllers SSA-476715 V1.0: Two Vulnerabilities in Automation License Manager SSA-473245 V2.5 (Last Update: 2023-01-10): Denial-of-Service Vulnerability in Profinet Devices SSA-446448 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack SSA-431678 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerability in SIMATIC S7 CPU Families SSA-382653 V1.1 (Last Update: 2023-01-10): Multiple Denial of Service Vulnerabilities in Industrial Products SSA-349422 V1.8 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Real-Time (IRT) Devices SSA-332410 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 1 SSA-210822 V1.1 (Last Update: 2023-01-10): Improper Access Control Vulnerability in Mendix Workflow Commons Module SSA-113131 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerabilities in SIMATIC S7-400 CPUs --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2023-01#Sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.01.2023
by Daily end-of-shift report 09 Jan '23

09 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-01-2023 18:00 − Montag 09-01-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Security: Kunden-Secrets von CircleCI wohl komplett kompromittiert ∗∗∗ --------------------------------------------- CircleCI warnt Kunden dringend, sämtliche Secrets zu tauschen. Builds und Netzwerke könnten über zwei Wochen lang kompromittiert worden sein. --------------------------------------------- https://www.golem.de/news/security-kunden-secrets-von-circleci-wohl-komplet… ∗∗∗ Verschlüsselung: RSA zerstört? Experten zweifeln ∗∗∗ --------------------------------------------- Ein neuer Algorithmus knackt die Verschlüsselung RSA angeblich schneller als jemals zuvor - diesmal mit einem Quantencomputer. Experten zweifeln daran. --------------------------------------------- https://heise.de/-7449806 ∗∗∗ Rust: bis zu 2500 Projekte durch Bibliothek Hyper für DoS verwundbar ∗∗∗ --------------------------------------------- Enthält die to_bytes-Funktion von Hyper keine Längenbeschränkung, so lassen sich schnell DoS-Attacken ausführen. Abhilfe schafft die offizielle Doku. --------------------------------------------- https://heise.de/-7451019 ∗∗∗ BaFin warnt vor "Godfather"-Banking-Trojaner ∗∗∗ --------------------------------------------- Die BaFin warnt vor einem Banking-Trojaner, der Android-Geräte angreift. Die "Godfather" genannte Malware kann 400 internationale Finanzinstitutionen ausspähen. --------------------------------------------- https://heise.de/-7453238 ∗∗∗ Android-Malware: Neue Version von SpyNote stiehlt Banking-Daten ∗∗∗ --------------------------------------------- Die Verbreitung erfolgt über Phishing-E-Mails. Seit Oktober 2022 ist der Quellcode von SpyNote frei verfügbar. Seitdem nehmen die Aktivitäten von SpyNote deutlich zu. --------------------------------------------- https://www.zdnet.de/88406317/android-malware-neue-version-von-spynote-stie… ∗∗∗ Kostenloses Entschlüsselungs-Tool für Ransomware MegaCortex veröffentlicht ∗∗∗ --------------------------------------------- Das Tool ist eine gemeinsame Entwicklung von Bitdefender und No More Ransom. Es funktioniert mit allen Varianten von MegaCortex. --------------------------------------------- https://www.zdnet.de/88406357/kostenloses-entschluesselungs-tool-fuer-ranso… ∗∗∗ Windows 11 GPO "Enable MPR notifications ..." zur Sicherheit setzen ∗∗∗ --------------------------------------------- Kleiner Tipp für Administratoren, die so langsam Windows 11 in Unternehmensumgebungen einführen. In den Standardeinstellungen des Betriebssystems lassen sich mittels einer einfachen DLL die Winlogon-Anmeldeinformationen im Klartext auslesen. Die neue Gruppenrichtlinie "Enable MPR notifications" soll dies nun verhindern. --------------------------------------------- https://www.borncity.com/blog/2023/01/08/windows-11-gpo-enable-mpr-notifica… ∗∗∗ VSCode Marketplace can be abused to host malicious extensions ∗∗∗ --------------------------------------------- Threat analysts at AquaSec have experimented with the security of VSCode Marketplace and found that its surprisingly easy to upload malicious extensions from accounts that appear verified on the platform. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-a… ∗∗∗ Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls ∗∗∗ --------------------------------------------- Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT (remote access trojan) malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-crea… ∗∗∗ Unraveling the techniques of Mac ransomware ∗∗∗ --------------------------------------------- Understanding how Mac ransomware works is critical in protecting today’s hybrid environments. We analyzed several known Mac ransomware families and highlighted these families’ techniques, which defenders can study further to prevent attacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-tec… ∗∗∗ Finding & Removing Malware From Weebly Sites ∗∗∗ --------------------------------------------- Weebly is an easy-to-use website builder that allows admins to quickly create and publish responsive blogs and sites. Website builder environments are usually considered to be very safe and not prone to malware infections, but during a recent investigation I found some malicious behavior which revealed that even closed proprietary systems for WYSIWYG website builders like Weebly can be abused. --------------------------------------------- https://blog.sucuri.net/2023/01/finding-removing-malware-from-weebly-sites.… ∗∗∗ Dridex Malware Now Attacking macOS Systems with Novel Infection Method ∗∗∗ --------------------------------------------- A variant of the infamous Dridex banking malware has set its sights on Apples macOS operating system using a previously undocumented infection method, according to latest research. --------------------------------------------- https://thehackernews.com/2023/01/dridex-malware-now-attacking-macos.html ∗∗∗ LummaC2 Stealer: A Potent Threat to Crypto Users ∗∗∗ --------------------------------------------- During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine. --------------------------------------------- https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto… ∗∗∗ Unwrapping Ursnifs Gifts ∗∗∗ --------------------------------------------- In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment [...] --------------------------------------------- https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ ∗∗∗ Distribution of NetSupport RAT Malware Disguised as a Pokemon Game ∗∗∗ --------------------------------------------- NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems. --------------------------------------------- https://asec.ahnlab.com/en/45312/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in MatrixSSL ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- In der IoT-Bibliothek MatrixSSL haben IT-Forscher eine als kritisch eingestufte Sicherheitslücke entdeckt. Angreifer könnten dadurch Code einschleusen. --------------------------------------------- https://heise.de/-7453087 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libetpan and smarty3), SUSE (libksba, rpmlint-mini, tcl, and xrdp), and Ubuntu (curl, firefox, and linux-oem-5.14). --------------------------------------------- https://lwn.net/Articles/919202/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (python2.7), SUSE (ca-certificates-mozilla, libksba, and ovmf), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, [...] --------------------------------------------- https://lwn.net/Articles/919422/ ∗∗∗ Kritische Sicherheitslücke in Open-Source-Projekt JsonWebToken entdeckt ∗∗∗ --------------------------------------------- Die Schwachstelle erlaubt unter Umständen eine Remotecodeausführung. Nutzer sollten auf die fehlerbereinigte Version 9.0.0 von JsonWebToken umsteigen. --------------------------------------------- https://www.zdnet.de/88406385/kritische-sicherheitsluecke-in-open-source-pr… ∗∗∗ ThinkPad X13s: BIOS-Update schließt Schwachstellen ∗∗∗ --------------------------------------------- Der Hersteller Lenovo hat in einer Sicherheitsmeldung auf eine Reihe Schwachstellen im BIOS des ThinkPad X13s hingewiesen. Diese ermöglichen eine Speicherbeschädigung (Memory Corruption) und die Offenlegung von Informationen. Es steht ein BIOS-Update zum Schließen der Schwachstellen bereit. --------------------------------------------- https://www.borncity.com/blog/2023/01/07/thinkpad-x13s-bios-update-schliet-… ∗∗∗ IBM Security Bulletins 2023-01-06 - 2023-01-09 ∗∗∗ --------------------------------------------- AIX, CICS Transaction Gateway, Enterprise Content Management System Monitor, IBM App Connect Enterprise, IBM Business Automation Workflow, IBM Connect:Direct Web Services, IBM InfoSphere Information Server, IBM Integration Bus, IBM Maximo Application Suite, IBM MQ, IBM Process Mining, IBM Robotic Process Automation for Cloud Pak, IBM Spectrum Protect Server, IBM SPSS Analytic Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct Web Services, IBM Tivoli Netcool Impact, Power HMC --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877 ∗∗∗ --------------------------------------------- https://github.com/numanturle/CVE-2022-44877 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2023
by Daily end-of-shift report 05 Jan '23

05 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-01-2023 18:00 − Donnerstag 05-01-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Bluebottle hackers used signed Windows driver in attacks on banks ∗∗∗ --------------------------------------------- A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bluebottle-hackers-used-sign… ∗∗∗ SpyNote Android malware infections surge after source code leak ∗∗∗ --------------------------------------------- The Android malware family tracked as SpyNote (or SpyMax) has had a sudden increase in detections in the final quarter of 2022, which is attributed to a source code leak of one of its latest, known as CypherRat. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spynote-android-malware-infe… ∗∗∗ PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources ∗∗∗ --------------------------------------------- We take a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. --------------------------------------------- https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/ ∗∗∗ ProxyNotShell Mitigations K.O. ∗∗∗ --------------------------------------------- Warum ist ProxyNotShell noch ein Thema? Die Schwachstellen wurden doch von Microsoft Anfang November geschlossen? Kurz gesagt, weil sich viele auf die letzte Mitigation von Microsoft verlassen haben, anstatt auf den November-Patch. --------------------------------------------- https://cert.at/de/blog/2023/1/proxynotshell-mitigations-ko ∗∗∗ The dos and don’ts of ransomware negotiations ∗∗∗ --------------------------------------------- Has your organization suddenly been attacked by a ransomware virus? Take a deep breath and try to remain composed. It can be easy to panic or become overwhelmed in the face of an attack, but it is vital to remain calm and focused in order to make the best decisions for your organization. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/the-dos-and-donts-o… ∗∗∗ Dridex Returns, Targets MacOS Using New Entry Method ∗∗∗ --------------------------------------------- The Dridex variant we analyzed targets MacOS platforms with a new technique to deliver documents embedded with malicious macros to users. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2023-01-05 ∗∗∗ --------------------------------------------- AIX, IBM Content Navigator, IBM Maximo Application Suite, IBM Robotic Process Automation, IBM Robotic Process Automation for Cloud Pak, IBM Security Verify Governance, IBM Sterling B2B Integrator, IBM TXSeries for Multiplatforms, IBM Tivoli Network Manager, ITNM, Operations Dashboard, TADDM, IBM Cloud Object Storage Systems --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Zoho fixt Datenbank-Lücke in Password Manager Pro und Zugriffskontroll-Software ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die ManageEngine-Produkte Access Manager Plus, PAM360 und Password Manager Pro. --------------------------------------------- https://heise.de/-7449108 ∗∗∗ Patchday: Kritische Kernel-Lücken bedrohen Android ∗∗∗ --------------------------------------------- Google stellt gegen mögliche Attacken abgesicherte Android-Versionen 10, 11, 12, 12L und 13 zum Download bereit. Angreifer können sich Nutzerrechte verschaffen. --------------------------------------------- https://heise.de/-7449147 ∗∗∗ Fortinet stopft Schadcode-Lücken in Netzwerk-Produkten ∗∗∗ --------------------------------------------- Angreifer könnten unberechtigt unter anderem auf FortiManager zugreifen. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-7449288 ∗∗∗ Sicherheitspatch: Angreifer könnten Systeme mit IBM Tivoli Monitoring übernehmen ∗∗∗ --------------------------------------------- Schwachstellen in mehreren Komponenten bedrohen die System- und Netzwerküberwachungslösung IBM Tivoli Monitoring. --------------------------------------------- https://heise.de/-7449768 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (binwalk), Oracle (kernel and webkit2gtk3), Red Hat (webkit2gtk3), Slackware (vim), and Ubuntu (libksba and nautilus). --------------------------------------------- https://lwn.net/Articles/919112/ ∗∗∗ Hitachi Energy UNEM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-005-01 ∗∗∗ Hitachi Energy FOXMAN-UN ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-005-02 ∗∗∗ Hitachi Energy Lumada Asset Performance Management ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-005-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2023
by Daily end-of-shift report 04 Jan '23

04 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-01-2023 18:00 − Mittwoch 04-01-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Noch 60.000 Exchange-Server für ProxyNotShell-Attacken anfällig ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor verwundbaren Exchange-Servern. 30.000 davon sind in Europa – der Großteil in Deutschland. Sicherheitspatches sind verfügbar. --------------------------------------------- https://heise.de/-7448029 ∗∗∗ l+f: Flipper Zero – Delfin auf Phishing-Tour ∗∗∗ --------------------------------------------- Vorsicht beim Kauf des beliebten Hacking-Gadgets Flipper Zero. Cyberkriminelle haben Fake-Shops eingerichtet, um Interessierte abzukassieren. --------------------------------------------- https://heise.de/-7448371 ∗∗∗ Nur noch eine Woche Zeit: Support-Ende von Windows 8.1 ∗∗∗ --------------------------------------------- Die letzten Stunden für Windows 8.1 haben geschlagen. In nicht einmal einer Woche stellt Microsoft die Unterstützung für Windows 8.1 endgültig ein. --------------------------------------------- https://heise.de/-7448516 ∗∗∗ Update to RTRBK - Diff and File Dates in PowerShell, (Wed, Jan 4th) ∗∗∗ --------------------------------------------- I use my RTRBK script pretty much every week, every single time that I work with a client that doesn't have their network gear in a backup cycle in fact. (for a review of this tool, see the original post https://isc.sans.edu/diary/RTRBK+Router+Switch+Firewall+Backups+in+PowerShe… ) Anyway, I was considering how I could improve this script, aside from adding more and more device types to the backups. A "diff" report was my obvious first thought - [...] --------------------------------------------- https://isc.sans.edu/diary/rss/29400 ∗∗∗ Breaking RSA with a Quantum Computer ∗∗∗ --------------------------------------------- A group of Chinese researchers have just published a paper claiming that they can—although they have not yet done so—break 2048-bit RSA. This is something to take seriously. It might not be correct, but it’s not obviously wrong. We have long known from Shor’s algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the orders of millions of qbits, to factor anything resembling the key sizes we use today. What the researchers have done is combine classical lattice reduction factoring techniques with a quantum approximate optimization algorithm. --------------------------------------------- https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-… ∗∗∗ Androids First Security Updates for 2023 Patch 60 Vulnerabilities ∗∗∗ --------------------------------------------- Google announced on Tuesday the first Android security updates for 2023, which patch a total of 60 vulnerabilities. The first part of the update, which arrives on devices as the 2023-01-01 security patch level, addresses 19 security defects in the Framework and System components. --------------------------------------------- https://www.securityweek.com/androids-first-security-updates-2023-patch-60-… ∗∗∗ Ransomware predictions in 2023: more gov’t action and a pivot to data extortion ∗∗∗ --------------------------------------------- There were thousands of ransomware attacks in 2022, from breaches targeting militaries to incidents that brought entire governments to a standstill. Ransomware giants like Conti closed shop, while groups like LockBit and Hive took their place, attacking thousands of hospitals, governments, businesses and schools across the world. So what does 2023 have in store for us? --------------------------------------------- https://therecord.media/ransomware-predictions-in-2023-more-govt-action-and… ∗∗∗ DeTT&CT: Automate your detection coverage with dettectinator ∗∗∗ --------------------------------------------- Last year, I published an article on mapping detection to the MITRE ATT&CK framework using DeTT&CT. In the article, we introduced DeTT&CT and explored its features and usage. If you missed it, you can find the article here. Although, after writing that article, I encountered some challenges. For instance, I considered using DeTT&CT in a production environment but there were hundreds of existing detection rules to consider, and it would have been a tedious process to manually create the necessary YAML file for building a detection coverage layer. --------------------------------------------- https://blog.nviso.eu/2023/01/04/dettct-automate-your-detection-coverage-wi… ∗∗∗ Shc Linux Malware Installing CoinMiner ∗∗∗ --------------------------------------------- The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl. --------------------------------------------- https://asec.ahnlab.com/en/45182/ ∗∗∗ Three easy steps to dramatically improve your AWS security posture: Step 1, set up IAM properly ∗∗∗ --------------------------------------------- Have you ever heard the saying that the greatest benefit of the cloud is that limitless resources can be spun-up with just a few clicks of the mouse? If so, you would be best served by forgetting that saying altogether. Just because cloud resources can be spun-up with a few clicks of the mouse does not mean that they should be. Rather, prior to launching anything in the cloud, careful consideration and planning are a necessity. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/three-easy-steps-to… ===================== = Vulnerabilities = ===================== ∗∗∗ January 2023 Vulnerability Advisories ∗∗∗ --------------------------------------------- FortiTester (CVSS Score: 7.6), FortiPortal (CVSS Score: 6.6), FortiWeb (CVSS Score: 5.3), FortiManager (CVSS Score: 6), FortiADC (CVSS Score: 8.6) --------------------------------------------- https://fortiguard.fortinet.com/psirt-monthly-advisory/january-2023-vulnera… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xorg-x11-server-Xwayland), Red Hat (webkit2gtk3), SUSE (rmt-server), and Ubuntu (freeradius). --------------------------------------------- https://lwn.net/Articles/919051/ ∗∗∗ IBM Security Bulletins 2023-01-04 ∗∗∗ --------------------------------------------- IBM Common Licensings Administration And Reporting Tool (ART), IBM DataPower Gateway, IBM Global Mailbox, IBM Integration Bus, IBM MQ, IBM Security Verify Governance, IBM Sterling Global Mailbox, IBM WebSphere MQ, IBM WebSphere Message Broker, ITNM --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2023
by Daily end-of-shift report 03 Jan '23

03 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 02-01-2023 18:00 − Dienstag 03-01-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BMW, Mercedes, Kia, Porsche: Sicherheitsforscher hacken etliche Autohersteller ∗∗∗ --------------------------------------------- Forschern ist es gelungen die API-Endpunkte etlicher Autohersteller wie BMW oder Kia zu hacken - von der Konten- bis zur Autoübernahme war alles möglich. --------------------------------------------- https://www.golem.de/news/bmw-mercedes-kia-porsche-sicherheitsforscher-hack… ∗∗∗ Schadcode auf PyPI: Supply-Chain-Angriff auf PyTorch Nightly Builds ∗∗∗ --------------------------------------------- Wer kürzlich PyTorch-nightly unter Linux via pip installiert hat, erhielt Schadcode. Das PyTorch-Team hat Gegenmaßnahmen eingeleitet. --------------------------------------------- https://heise.de/-7447195 ∗∗∗ Its about time: OS Fingerprinting using NTP, (Tue, Jan 3rd) ∗∗∗ --------------------------------------------- Most current operating systems, including many small systems like IoT devices, use some form of NTP to sync time. NTP is lightweight and reasonably accurate in most use cases to synchronize time across the internet with millisecond accuracy [1]. Some protocols, like PTP, are more accurate but are designed for local networks and may require special hardware on the host [2]. Smaller systems with less stringent accuracy requirements sometimes use SNTP, a variant of NTP. --------------------------------------------- https://isc.sans.edu/diary/rss/29394 ∗∗∗ Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe ∗∗∗ --------------------------------------------- Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar. "What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday. --------------------------------------------- https://thehackernews.com/2023/01/raspberry-robin-worm-evolves-to-attack.ht… ∗∗∗ Cloud Metadata - AWS IAM Credential Abuse ∗∗∗ --------------------------------------------- [...] In this run through we have a vulnerable AWS EC2 instance configured to use IMDSv1 (Instance Metadata Service) which we will exploit, escalate our privileges and carry out post-compromise activities. While not every AWS EC2 instance has an associated IAM role (AWS Identity and Access Management), when they do these role profiles contain credentials/keys. --------------------------------------------- https://sneakymonkey.net/cloud-credential-abuse/ ∗∗∗ SSRF vulnerabilities caused by SNI proxy misconfigurations ∗∗∗ --------------------------------------------- SNI proxies are load balancers that use the SNI extension field to select backend systems. When misconfigured, SNI proxies can be vulnerable to SSRF attacks that provide access to web application backends. --------------------------------------------- https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sn… ∗∗∗ Exploiting GraphQL Query Depth ∗∗∗ --------------------------------------------- GraphQL was created and developed with flexibility in mind: clients should be given the power to ask for exactly what they need and nothing more. Much of this flexibility involves allowing customers to execute multiple queries in a single request, [...] --------------------------------------------- https://checkmarx.com/blog/exploiting-graphql-query-depth/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2023-01-03 ∗∗∗ --------------------------------------------- IBM Business Automation Workflow, IBM InfoSphere Information Server, IBM Integrated Analytics System, IBM Process Mining, IBM Security SOAR, IBM Security Verify Governance, IBM Sterling B2B Integrator, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, Rational Directory Server (Tivoli) & Rational Directory Administrator --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Trend Micros Sicherheitslösung Maximum Security benötigt einen Sicherheitspatch ∗∗∗ --------------------------------------------- Angreifer könnten Windows-PCs mit Sicherheitssoftware von Trend Micro attackieren. Ein Sicherheitspatch ist verfügbar. --------------------------------------------- https://heise.de/-7446553 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir). --------------------------------------------- https://lwn.net/Articles/918965/ ∗∗∗ ThinkPad X13s BIOS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500537 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.01.2023
by Daily end-of-shift report 02 Jan '23

02 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-12-2022 18:00 − Montag 02-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ EarSpy-Lauschangriff auf Smartphones: Forschern gelingt Abhören aus der Ferne ∗∗∗ --------------------------------------------- In Mobiltelefone integrierte Ohrlautsprecher werden immer leistungsstärker. Dies hat den Nachteil, dass die verursachten Mini-Vibrationen verräterischer sind. --------------------------------------------- https://heise.de/-7444910 ∗∗∗ Rund 230 Millionen Deezer-Datensätze zu Have I been pwned hinzugefügt ∗∗∗ --------------------------------------------- Bei einem Einbruch in einen Deezer-Dienstleister konnten offenbar rund 230 Millionen Datensätze kopiert werden. Have I been pwned hat sie jetzt hinzugefügt. --------------------------------------------- https://heise.de/-7445237 ∗∗∗ Sicherheitsrisiko Microsoft Outlook App: Überträgt Anmeldedaten und Mails in die Cloud ∗∗∗ --------------------------------------------- Ich hole zum Jahresanfang 2023 nochmals ein Thema hoch, welches ich hier im Blog bereits 2015 und im Januar 2021 angesprochen habe. Es geht um die Microsoft Outlook App, die für Android- und iOS-Geräte angeboten und meines Erachtens breit eingesetzt [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/01/sicherheitsrisiko-microsoft-outloo… ∗∗∗ Ransomware gang cloned victim’s website to leak stolen data ∗∗∗ --------------------------------------------- The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victims site to publish stolen data on it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victi… ∗∗∗ NetworkMiner 2.8 Released, (Mon, Jan 2nd) ∗∗∗ --------------------------------------------- First of all, happy new year to all our Readers! There exist tools that are very popular for a long time because they are regularly updated and... just make the job! NetworkMiner is one of them (the first release was in 2007). I don't use it regularly but it is part of my forensic toolbox for a while and already helped me in many investigations. --------------------------------------------- https://isc.sans.edu/diary/rss/29390 ∗∗∗ WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws ∗∗∗ --------------------------------------------- WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week. --------------------------------------------- https://thehackernews.com/2023/01/wordpress-security-alert-new-linux.html ∗∗∗ Python developers, uninstall this malicious package right now ∗∗∗ --------------------------------------------- If youre a Python developer and one who is accustomed to installed the latest preview builds of libraries, you might want to take immediate mitigative action. PyTorch, an open-source machine learning framework initially developed by Meta and now under the Linux Foundation, has seemingly been the target of a supply chain attack, which has potentially led to many users installing a malicious package. --------------------------------------------- https://www.neowin.net/news/python-developers-uninstall-this-malicious-pack… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗ --------------------------------------------- IBM Content Collector, IBM Tivoli Monitoring --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Jetzt patchen: Netgear schließt hochriskante Lücke in mehreren Routern ∗∗∗ --------------------------------------------- Netgear empfiehlt ein dringendes Sicherheitsupdate für mehrere seiner Router-Modelle. Betroffen sind von der Lücke auch Modelle der Nighthawk-Reihe. --------------------------------------------- https://heise.de/-7444672 ∗∗∗ Synology warnt vor kritischer Lücke in VPN-Plus-Server ∗∗∗ --------------------------------------------- Wer Synology-Router als VPN-Server einsetzt, muss die Software zügig aktualisieren. Eine kritische Sicherheitslücke ermöglicht Angreifern sonst Codeschmuggel. --------------------------------------------- https://heise.de/-7444783 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/918883/ ∗∗∗ Vulnerabilities in Java and IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights - CVE-2022-34165, CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852357 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.12.2022
by Daily end-of-shift report 30 Dec '22

30 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-12-2022 18:00 − Freitag 30-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Netgear warns users to patch recently fixed WiFi router bug ∗∗∗ --------------------------------------------- Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch… ∗∗∗ New Linux malware uses 30 plugin exploits to backdoor WordPress sites ∗∗∗ --------------------------------------------- A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-pl… ∗∗∗ Security Update Guide Improvement – Representing Hotpatch Updates ∗∗∗ --------------------------------------------- Today we are updating the way Microsoft Security Update Guide (SUG) represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates. --------------------------------------------- https://msrc-blog.microsoft.com/2022/12/29/security-update-guide-improvemen… ∗∗∗ Opening the Door for a Knock: Creating a Custom DShield Listener, (Thu, Dec 29th) ∗∗∗ --------------------------------------------- There are a variety of services listening for connections on DShield honeypots. Different systems scanning the internet can connect to these listening services due to exceptions in the firewall. Any attempted connections blocked by the firewall are logged and can be analyzed later. This can be useful to see TCP port connection attempts, but it usefulness is limited. --------------------------------------------- https://isc.sans.edu/diary/rss/29382 ∗∗∗ SPF and DMARC use on GOV domains in different ccTLDs, (Fri, Dec 30th) ∗∗∗ --------------------------------------------- Although e-mail is one of the cornerstones of modern interpersonal communication, its underlying Simple Mail Transfer Protocol (SMTP) is far from what we might call robust or secure. By itself, the protocol lacks any security features related to ensuring (among other factors) integrity or authenticity of transferred data or the identity of their sender, and creating a “spoofed” e-mail is therefore quite easy. --------------------------------------------- https://isc.sans.edu/diary/rss/29384 ∗∗∗ CISA Warns of Active exploitation of JasperReports Vulnerabilities ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two-years-old security flaws impacting TIBCO Softwares JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively. --------------------------------------------- https://thehackernews.com/2022/12/cisa-warns-of-active-exploitation-of.html ∗∗∗ ENLBufferPwn (CVE-2022-47949) ∗∗∗ --------------------------------------------- ENLBufferPwn is a vulnerability in the common network code of several first party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victims console by just having an online game with them (remote code execution). --------------------------------------------- https://github.com/PabloMK7/ENLBufferPwn ∗∗∗ Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463 ∗∗∗ --------------------------------------------- Welcome to the third and final installment of the “Chrome Browser Exploitation” series. The main objective of this series has been to provide an introduction to browser internals and delve into the topic of Chrome browser exploitation on Windows in greater depth. --------------------------------------------- https://jhalon.github.io/chrome-browser-exploitation-3/ ∗∗∗ EU-Regeln für Cybersicherheit bald in Kraft: Rund 20.000 Betriebe betroffen ∗∗∗ --------------------------------------------- Die EU hat die novellierte Richtlinie zur Netz- und Informationssicherheit (NIS2) im Amtsblatt veröffentlicht. Der Countdown zur Umsetzung in Deutschland läuft. --------------------------------------------- https://heise.de/-7444366 ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Automation, IBM Cloud Pak for Business Automation, IBM Cloud Application Business Insights, IBM Cloud Transformation Advisor, Tivoli Netcool/OMNIbus, Netcool/System Service Monitor --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/918778/ ∗∗∗ Synology-SA-22:26 VPN Plus Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to possible execute arbitrary command via a susceptible version of Synology VPN Plus Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_26 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.12.2022
by Daily end-of-shift report 29 Dec '22

29 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-12-2022 18:00 − Donnerstag 29-12-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Google Home speakers allowed hackers to snoop on conversations ∗∗∗ --------------------------------------------- A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed… ∗∗∗ WordPress Vulnerability & Patch Roundup December 2022 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. --------------------------------------------- https://blog.sucuri.net/2022/12/wordpress-vulnerability-patch-roundup-decem… ∗∗∗ The Worst Hacks of 2022 ∗∗∗ --------------------------------------------- The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks. --------------------------------------------- https://www.wired.com/story/worst-hacks-2022/ ∗∗∗ New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection ∗∗∗ --------------------------------------------- We recently discovered ransomware, which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses. --------------------------------------------- https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hi… ∗∗∗ One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware. (arXiv:2212.13716v1 [cs.CR]) ∗∗∗ --------------------------------------------- Currently, the development of IoT firmware heavily depends on third-partycomponents (TPCs) to improve development efficiency. Nevertheless, TPCs are notsecure, and the vulnerabilities in TPCs will influence the security of IoTf irmware. --------------------------------------------- http://arxiv.org/abs/2212.13716 ∗∗∗ A survey and analysis of TLS interception mechanisms and motivations. (arXiv:2010.16388v2 [cs.CR] UPDATED) ∗∗∗ --------------------------------------------- TLS is an end-to-end protocol designed to provide confidentiality andintegrity guarantees that improve end-user security and privacy. While TLShelps defend against pervasive surveillance of intercepted unencrypted traffic,it also hinders several common beneficial operations typically performed bymiddleboxes on the network traffic. --------------------------------------------- http://arxiv.org/abs/2010.16388 ∗∗∗ HardCIDR – Network CIDR and Range Discovery Tool ∗∗∗ --------------------------------------------- HardCIDR is a Linux Bash script to discover the netblocks, or ranges, (in CIDR notation) owned by the target organization during the intelligence gathering phase of a penetration test. --------------------------------------------- https://www.darknet.org.uk/2022/12/hardcidr-network-cidr-and-range-discover… ===================== = Vulnerabilities = ===================== ∗∗∗ Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting ∗∗∗ --------------------------------------------- The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/918715/ ∗∗∗ Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers ∗∗∗ --------------------------------------------- Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities. --------------------------------------------- https://www.securityweek.com/several-dos-code-execution-vulnerabilities-fou… ∗∗∗ Ungepatchte Citrix-Server zu Tausenden über kritische Schwachstellen angreifbar ∗∗∗ --------------------------------------------- Citrix hat in den letzten Monaten Sicherheitsupdates für kritische Schwachstellen in Citrix ADC- und Gateway-Produkten freigegeben und entsprechende Sicherheitswarnungen veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/12/29/ungepatchte-citrix-server-zu-tause… ∗∗∗ (Non-US) DIR-825/EE : H/W Rev. R2 & DIR-825/AC Rev. G1A:: F/W 1.0.9 :: Multiple Vulnerabilities by Trend Micro, the Zero Day Initiative (ZDI) ∗∗∗ --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ IBM Synthetic Playback Agent is vulnerable due to its use of Apache Commons Text [CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852105 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.12.2022
by Daily end-of-shift report 28 Dec '22

28 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-12-2022 18:00 − Mittwoch 28-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ KI-Wunder ChatGPT kann bösartige E-Mails und Code generieren ∗∗∗ --------------------------------------------- Check Point Research (CPR) warnt vor Hackern, die ChatGPT und Codex von OpenAI nutzen könnten, um gezielte Cyberangriffe durchzuführen. https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hac… --------------------------------------------- https://www.zdnet.de/88406214/ki-wunder-chatgpt-kann-boesartige-e-mails-und… ∗∗∗ Droht eine Exchange ProxyNotShell-Katastrophe zum Jahreswechsel 2022/2023? ∗∗∗ --------------------------------------------- Beunruhigende Informationen, die mich gerade erreicht haben. Nicht auf dem aktuellen Patchstand befindliche Microsoft Exchange On-Premises-Server sind anfällig für Angriffe über die ProxyNotShell-Schwachstellen. Vor Weihnachten gab es dann die Information, dass die Hackergruppe FIN7 seit längerem eine automatisierte Angriffsplattform zum [...] --------------------------------------------- https://www.borncity.com/blog/2022/12/28/droht-eine-exchange-proxynotshell-… ∗∗∗ Why Attackers Target GitHub, and How You Can Secure It ∗∗∗ --------------------------------------------- The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain. --------------------------------------------- https://www.darkreading.com/edge-articles/why-attackers-target-github-and-h… ∗∗∗ Playing with Powershell and JSON (and Amazon and Firewalls), (Wed, Dec 28th) ∗∗∗ --------------------------------------------- In this post we'll take a look at parsing and manipulating JSON in Powershell. --------------------------------------------- https://isc.sans.edu/diary/rss/29380 ∗∗∗ CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet ∗∗∗ --------------------------------------------- Recently, two critical vulnerabilities were reported in Citrix ADC and Citrix Gateway; where one of them was being exploited in the wild by a threat actor. Due to these vulnerabilities being exploitable remotely and given the situation of past Citrix vulnerabilities, RIFT started to research on how to identify the [...] --------------------------------------------- https://blog.fox-it.com/2022/12/28/cve-2022-27510-cve-2022-27518-measuring-… ∗∗∗ EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer ∗∗∗ --------------------------------------------- As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States. --------------------------------------------- https://www.securityweek.com/earspy-spying-phone-calls-ear-speaker-vibratio… ∗∗∗ Alias and Directive Overloading in GraphQL ∗∗∗ --------------------------------------------- Denial of Service (DoS) attacks in GraphQL APIs are nothing new. It turns out that when you let clients control what data they want to receive from the server, malicious users try to abuse this flexibility to exhaust resources. --------------------------------------------- https://checkmarx.com/blog/alias-and-directive-overloading-in-graphql/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim). --------------------------------------------- https://lwn.net/Articles/918655/ ∗∗∗ Microsoft Patches Azure Cross-Tenant Data Access Flaw ∗∗∗ --------------------------------------------- Microsoft has silently fixed an important-severity security flaw in its Azure Cognitive Search (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks. --------------------------------------------- https://www.securityweek.com/microsoft-patches-azure-cross-tenant-data-acce… ∗∗∗ ABB Security Advisory: NE843 Pulsar Plus Controller ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&Lan… ∗∗∗ A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 (CVE-2022-34165). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851953 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2022
by Daily end-of-shift report 27 Dec '22

27 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-12-2022 18:00 − Dienstag 27-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ EarSpy attack eavesdrops on Android phones via motion sensors ∗∗∗ --------------------------------------------- A team of researchers has developed an eavesdropping attack for Android devices that can, to various degrees, recognize the callers gender and identity, and even discern private speech. --------------------------------------------- https://www.bleepingcomputer.com/news/security/earspy-attack-eavesdrops-on-… ∗∗∗ Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes ∗∗∗ --------------------------------------------- A complete bypass of the Kyverno security mechanism for container image imports allows cyberattackers to completely take over a Kubernetes pod to steal data and inject malware. --------------------------------------------- https://www.darkreading.com/cloud/container-verification-bug-malicious-imag… ∗∗∗ BlueNoroff introduces new methods bypassing MoTW ∗∗∗ --------------------------------------------- We continue to track the BlueNoroff group’s activities and this October we observed the adoption of new malware strains in its arsenal. --------------------------------------------- https://securelist.com/bluenoroff-methods-bypass-motw/108383/ ∗∗∗ DShield Sensor Setup in Azure, (Wed, Dec 21st) ∗∗∗ --------------------------------------------- In November I setup the DShield sensor in my Azure tenant using Ubuntu version 20.04. Here are the steps I followed. --------------------------------------------- https://isc.sans.edu/diary/rss/29370 ∗∗∗ GuLoader Malware Utilizing New Techniques to Evade Security Software ∗∗∗ --------------------------------------------- Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software. --------------------------------------------- https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html ∗∗∗ Navigating the Vast Ocean of Sandbox Evasions ∗∗∗ --------------------------------------------- After creating a bespoke sandbox environment, we discuss techniques used to target malware evasions with memory detection and more. --------------------------------------------- https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/ ∗∗∗ Erinnerung: Basic Authentication in Exchange Online wird 2023 abgeschaltet ∗∗∗ --------------------------------------------- Microsoft hat die Tage daran erinnert, dass die sogenannte Basic Authentication in Exchange Online ausläuft und im kommenden Jahr abgeschaltet wird. --------------------------------------------- https://www.borncity.com/blog/2022/12/27/erinnerung-basic-authentication-in… ∗∗∗ Caution! Malware Signed With Microsoft Certificate ∗∗∗ --------------------------------------------- Microsoft announced details on the distribution of malware signed with a Microsoft certificate. According to the announcement, a driver authenticated with the Windows Hardware Developer Program had been abused due to the leakage of multiple Windows developer accounts. To prevent damage, Microsoft blocked the related accounts and applied a security update (Microsoft Defender 1.377.987.0 or later). --------------------------------------------- https://asec.ahnlab.com/en/44726/ ∗∗∗ Distribution of Magniber Ransomware Stops (Since November 29th) ∗∗∗ --------------------------------------------- Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous responses, we have detected that as of November 29th, the distribution of the Magniber ransomware has halted. --------------------------------------------- https://asec.ahnlab.com/en/43858/ ∗∗∗ Inside the IcedID BackConnect Protocol ∗∗∗ --------------------------------------------- As part of our ongoing tracking of IcedID / BokBot, we wanted to share some insights derived from infrastructure associated with IcedID’s BackConnect (BC) protocol. --------------------------------------------- https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol ===================== = Vulnerabilities = ===================== ∗∗∗ Ksmbd: Kritische Lücke im SMB-Dienst des Linux-Kernels ∗∗∗ --------------------------------------------- Der Linux-Kernel verfügt seit vergangenem Jahr über eine eigene SMB-Implementierung. Diese enthält eine sehr gefährliche Lücke - Updates stehen bereit. --------------------------------------------- https://www.golem.de/news/ksmbd-kritische-luecke-im-smb-dienst-des-linux-ke… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable). --------------------------------------------- https://lwn.net/Articles/918607/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc). --------------------------------------------- https://lwn.net/Articles/918631/ ∗∗∗ Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks ∗∗∗ --------------------------------------------- Defiant’s Wordfence team warns of a critical-severity vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin being exploited in attacks. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-premium-gift-cards-word… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0011 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0011.html ∗∗∗ Cross-Site Scripting im Admin-Panel von Lucee Server (SYSS-2022-051) ∗∗∗ --------------------------------------------- Im Admin-Panel von Lucee Server besteht eine Cross-Site Scripting (XSS)-Schwachstelle. Angreifende können somit JavaScript-Code im Browser ausführen. --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-scripting-im-admin-panel-von-lu… ∗∗∗ MISP 2.4.167 released with many improvements, bugs fixed and security fixes. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.167 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.12.2022
by Daily end-of-shift report 23 Dec '22

23 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-12-2022 18:00 − Freitag 23-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Vice Society ransomware gang switches to new custom encryptor ∗∗∗ --------------------------------------------- The Vice Society ransomware operation has switched to using a custom ransomware encrypt that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vice-society-ransomware-gang… ∗∗∗ Google ad traffic leads to stealer packages based on free software, (Thu, Dec 22nd) ∗∗∗ --------------------------------------------- Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware. --------------------------------------------- https://isc.sans.edu/diary/rss/29376 ∗∗∗ Passwortmanager: LastPass-Hacker haben Zugriff auf Kennworttresore von Kunden ∗∗∗ --------------------------------------------- Bei einem IT-Sicherheitsvorfall beim Anbieter des Passwortmanagers LastPass konnten Angreifer doch auf Kundendaten inklusive gespeicherter Passwörter zugreifen. --------------------------------------------- https://heise.de/-7441929 ∗∗∗ Sourcecode vom Zugriffsmanagementdienst Okta geleakt ∗∗∗ --------------------------------------------- Unbekannte Angreifer konnten auf das Github-Repository von Okta zugreifen und Code kopieren. Die Sicherheit des Dienstes soll dadurch nicht gefährdet sein. --------------------------------------------- https://heise.de/-7442131 ∗∗∗ IcedID Botnet Distributors Abuse Google PPC to Distribute Malware ∗∗∗ --------------------------------------------- We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Is this CVSS 10 Linux Kernel vuln going to ruin your Christmas? ∗∗∗ --------------------------------------------- Before Linux users worldwide get panties in a panicked bunch, there appears to be more positive news however: At first glance the vulnerability only appears to affect ksmbd, an in-kernel SMB file server that was merged to mainline in the Linux 5.15 release in August 2021; i.e. users running SMB servers via the much more widely deployed Samba, rather than ksmbd can more likely than not get back their mince pies unpurturbed. --------------------------------------------- https://thestack.technology/is-this-cvss-10-linux-kernel-vulnerability-ksmb… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls). --------------------------------------------- https://lwn.net/Articles/918486/ ∗∗∗ Threat Brief: OWASSRF Vulnerability Exploitation ∗∗∗ --------------------------------------------- We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts weve observed use the same PowerShell backdoor, which we track as SilverArrow. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-owassrf/ ∗∗∗ CVE-2022-42889 Text4shell Apache Commons Text RCE Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022 ∗∗∗ PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-prem… ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851437 ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ AIX is affected by a denial of service (CVE-2022-43680) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851439 ∗∗∗ Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848295 ∗∗∗ IBM Integration Designer is vulnerable to denial of service ( CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851449 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April and July 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851613 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.12.2022
by Daily end-of-shift report 22 Dec '22

22 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-12-2022 18:00 − Donnerstag 22-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ FIN7 hackers create auto-attack platform to breach Exchange servers ∗∗∗ --------------------------------------------- The notorious FIN7 hacking group uses an auto-attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-att… ∗∗∗ Ransomware and wiper signed with stolen certificates ∗∗∗ --------------------------------------------- In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations. --------------------------------------------- https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates… ∗∗∗ Microsoft research uncovers new Zerobot capabilities ∗∗∗ --------------------------------------------- The Microsoft Defender for IoT research team details information on the recent distribution of a Go-based botnet, known as Zerobot, that spreads primarily through IoT and web-application vulnerabilities. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research… ∗∗∗ “Suspicious login” scammers up their game – take care at Christmas ∗∗∗ --------------------------------------------- A picture is worth 1024 words - we clicked through so you dont have to. --------------------------------------------- https://nakedsecurity.sophos.com/2022/12/21/suspicious-login-scammers-up-th… ∗∗∗ Neuer Android-Trojaner zielt auf Banking-Apps und Krypto-Plattformen ab ∗∗∗ --------------------------------------------- Eine neue Banking-Malware namens Godfather hat 16 Länder im Visier. Deutschland fällt darunter. Sie zeichnet Eingaben in über 415 Banking- und Krypto-Apps auf. --------------------------------------------- https://heise.de/-7441440 ∗∗∗ Exploiting WordPress Plugin Vulnerabilities to Steal AWS Metadata ∗∗∗ --------------------------------------------- If the site is hosted on an Amazon Web Services (AWS) server, then collecting the AWS metadata is relatively simple. This exploit only requires calling the appropriate REST API endpoint with the right payload in the ‘url’ parameter to achieve a successful exploit. --------------------------------------------- https://www.wordfence.com/blog/2022/12/exploiting-wordpress-plugin-vulnerab… ∗∗∗ Qakbot Being Distributed via Virtual Disk Files (*.vhd) ∗∗∗ --------------------------------------------- There’s been a recent increase in the distribution of malware using disk image files. --------------------------------------------- https://asec.ahnlab.com/en/44662/ ∗∗∗ Vidar Stealer Exploiting Various Platforms ∗∗∗ --------------------------------------------- Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2. --------------------------------------------- https://asec.ahnlab.com/en/44554/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Windows code-execution vulnerability went undetected until now ∗∗∗ --------------------------------------------- Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. --------------------------------------------- https://arstechnica.com/information-technology/2022/12/critical-windows-cod… ∗∗∗ Sicherheitsupdates: Angreifer könnten Synology-Router kompromittieren ∗∗∗ --------------------------------------------- Aktuelle Versionen von Synology Router Manager schließen mehrere Sicherheitslücken. Der Hersteller stuft den Schweregrad als kritisch ein. --------------------------------------------- https://heise.de/-7440888 ∗∗∗ Wichtige Sicherheitsupdates für Avira Security, AVG Antivirus & Co. ∗∗∗ --------------------------------------------- Norton hat in seinem Portfolio von Anti-Viren-Software mehrere Sicherheitslücken geschlossen. Angreifer könnten sich höhere Nutzerrechte verschaffen. --------------------------------------------- https://heise.de/-7441040 ∗∗∗ Puckungfu: A NETGEAR WAN Command Injection ∗∗∗ --------------------------------------------- This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s WAN interface. --------------------------------------------- https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-in… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libksba and linux-5.10), Slackware (mozilla), and SUSE (curl, java-1_8_0-ibm, and sqlite3). --------------------------------------------- https://lwn.net/Articles/918379/ ∗∗∗ Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service ∗∗∗ --------------------------------------------- Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-openimageio-file… ∗∗∗ Two New Security Flaws Reported in Ghost CMS Blogging Software ∗∗∗ --------------------------------------------- https://thehackernews.com/2022/12/two-new-security-flaws-reported-in.html ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-54/ ∗∗∗ Priva TopControl Suite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-01 ∗∗∗ Rockwell Automation Studio 5000 Logix Emulate ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-02 ∗∗∗ Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-03 ∗∗∗ Omron CX-Programmer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-04 ∗∗∗ IBM Content Navigator is vulnerable to missing authorization. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6844453 ∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851347 ∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540 ) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851337 ∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affects CICS Transaction Gateway Desktop Editon ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851351 ∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851339 ∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851345 ∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851343 ∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway Desktop Editon ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851349 ∗∗∗ Vulnerability (CVE-2021-28167) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851341 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.12.2022
by Daily end-of-shift report 21 Dec '22

21 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-12-2022 18:00 − Mittwoch 21-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers bombard PyPi platform with information-stealing malware ∗∗∗ --------------------------------------------- The PyPi python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platfor… ∗∗∗ VirusTotal cheat sheet makes it easy to search for specific results ∗∗∗ --------------------------------------------- VirusTotal has published a cheat sheet to help researchers create queries leading to more specific results from the malware intelligence platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/virustotal-cheat-sheet-makes… ∗∗∗ FBI warns of search engine ads pushing malware, phishing ∗∗∗ --------------------------------------------- The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-a… ∗∗∗ Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT ∗∗∗ --------------------------------------------- After Microsoft announced this year that macros from the Internet will be blocked by default in Office , many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-m… ∗∗∗ Fake jQuery Domain Redirects Site Visitors to Scam Pages ∗∗∗ --------------------------------------------- A recent infection has been making its rounds across vulnerable WordPress sites, detected on over 160 websites so far at the time of writing. --------------------------------------------- https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-… ∗∗∗ Kindersicherungs-Apps: Smarte Kids könnten Eltern attackieren ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Android-Apps untersucht, über die Eltern Internetzugriffe von Kindern einschränken können. Doch Schwachstellen weichen den Schutz auf. --------------------------------------------- https://heise.de/-7435146 ∗∗∗ Adult popunder campaign used in mainstream ad fraud scheme ∗∗∗ --------------------------------------------- Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunde… ∗∗∗ Meddler-in-the-Middle Phishing Attacks Explained ∗∗∗ --------------------------------------------- Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice. --------------------------------------------- https://unit42.paloaltonetworks.com/meddler-phishing-attacks/ ∗∗∗ Godfather: A banking Trojan that is impossible to refuse ∗∗∗ --------------------------------------------- Group-IB discovers banking Trojan targeting users of more than 400 apps in 16 countries. --------------------------------------------- https://blog.group-ib.com/godfather-trojan ∗∗∗ Didn’t Notice Your Rate Limiting: GraphQL Batching Attack ∗∗∗ --------------------------------------------- In this article, we will discuss how allowing multiple queries or requesting multiple object instances in a single network call can be abused leading to massive data leaks or Denial of Service (DoS). --------------------------------------------- https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching… ∗∗∗ A Technical Analysis of CVE-2022-22583 and CVE-2022-32800 ∗∗∗ --------------------------------------------- This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/a-technical-analysis-of-cve-… ∗∗∗ Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks ∗∗∗ --------------------------------------------- In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-grou… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Attacken auf Exchange Server im ProxyNotShell-Kontext gesichtet ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor einem neuen Exploit, der ProxyNotShell-Schutzkonzepte umgeht. Es gibt aber Sicherheitsupdates. --------------------------------------------- https://heise.de/-7434860 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils). --------------------------------------------- https://lwn.net/Articles/918313/ ∗∗∗ Passwordless Persistence and Privilege Escalation in Azure ∗∗∗ --------------------------------------------- Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons. --------------------------------------------- https://posts.specterops.io/passwordless-persistence-and-privilege-escalati… ∗∗∗ Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN29902403/ ∗∗∗ Critical Vulnerability in Hikvision Wireless Bridges Allows CCTV Hacking ∗∗∗ --------------------------------------------- https://www.securityweek.com/critical-vulnerability-hikvision-wireless-brid… ∗∗∗ Mattermost security updates 7.5.2, 7.4.1, 7.1.5 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-5-2-7-4-1-7-1-5-e… ∗∗∗ Rechteausweitung in Razer Synapse (SYSS-2022-047) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/rechteausweitung-in-razer-synapse-syss-202… ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the package org.yaml:snakeyaml and jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849213 ∗∗∗ GraphQL Denial of Service security vulnerability CVE-2022-37734 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6828663 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to Node.js (CVE-2022-43548 & CVE-2022-35256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849223 ∗∗∗ Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849249 ∗∗∗ OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation (CVE-2021-41617) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6850775 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2022
by Daily end-of-shift report 20 Dec '22

20 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Montag 19-12-2022 18:00 − Dienstag 20-12-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Linux File System Monitoring & Actions, (Tue, Dec 20th) ∗∗∗ --------------------------------------------- There can be multiple reasons to keep an eye on a critical/suspicious file or directory. For example, you could track an attacker and wait for some access to the captured credentials in a phishing kit installed on a compromised server. You could deploy an EDR solution or an OSSEC agent that implements an FIM (File Integrity Monitoring). Upon a file change, an action can be triggered. Nice, but what if you would like a quick solution but agentless? --------------------------------------------- https://isc.sans.edu/diary/rss/29362 ∗∗∗ ChatGPT: Emerging AI Threat Landscape ∗∗∗ --------------------------------------------- ChatGPT is a prototype chatbot released by OpenAI. The chatbot is powered by AI and is gaining more traction than previous chatbots because it not only interacts in a conversational manner but has the capability to create code and many other complex questions and requests. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chatgpt-eme… ∗∗∗ Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems ∗∗∗ --------------------------------------------- Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications. --------------------------------------------- https://thehackernews.com/2022/12/microsoft-details-gatekeeper-bypass.html ∗∗∗ Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg ∗∗∗ --------------------------------------------- We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior. --------------------------------------------- https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter… ∗∗∗ clif - simple command-line application fuzzer ∗∗∗ --------------------------------------------- clif is a command-line application fuzzer, pretty much what a wfuzz or ffuf are for web. It was inspired by sudo vulnerability CVE-2021-3156 and the fact that, for some reasons, Googles alf-fuzz doesnt allow for unlimited argument or option specification. --------------------------------------------- https://andy.codes/content/blog/2022-12-20-clif.html ∗∗∗ Better Make Sure Your Password Manager Is Secure ∗∗∗ --------------------------------------------- As part of a security analysis, our colleagues kuekerino, ubahnverleih and parzel examined the password management solution Passwordstate of Click Studios and identified multiple high severity vulnerabilities (CVE-2022-3875, CVE-2022-3876, CVE-2022-3877). Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application. --------------------------------------------- https://www.modzero.com/modlog/archives/2022/12/19/better_make_sure_your_pa… ∗∗∗ New RisePro Infostealer Increasingly Popular Among Cybercriminals ∗∗∗ --------------------------------------------- A recently identified information stealer named ‘RisePro’ is being distributed by pay-per-install malware downloader service ‘PrivateLoader’, cyberthreat firm Flashpoint reports. Written in C++, RisePro harvests potentially sensitive information from the compromised machines and then attempts to exfiltrate it as logs. --------------------------------------------- https://www.securityweek.com/new-risepro-infostealer-increasingly-popular-a… ∗∗∗ Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins ∗∗∗ --------------------------------------------- As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code. --------------------------------------------- https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/ ∗∗∗ Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities ∗∗∗ --------------------------------------------- More than two years ago, a researcher, A2nkF demonstrated the exploit chain from root privilege escalation to SIP-Bypass up to arbitrary kernel extension loading. In this blog entry, we will discuss how we discovered 3 more vulnerabilities from the old exploit chain. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/diving-into-an-old-exploit-c… ∗∗∗ Raspberry Robin Malware Targets Telecom, Governments ∗∗∗ --------------------------------------------- We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targ… ∗∗∗ Web3 IPFS Only Used for Phishing - So Far ∗∗∗ --------------------------------------------- We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phis… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mujs) and SUSE (kernel and thunderbird). --------------------------------------------- https://lwn.net/Articles/918268/ ∗∗∗ FoxIt Patches Code Execution Flaws in PDF Tools ∗∗∗ --------------------------------------------- Foxit Software has rolled out a critical-severity patch to cover a dangerous remote code execution flaw in its flagship PDF Reader and PDF Editor products. --------------------------------------------- https://www.securityweek.com/foxit-patches-code-execution-flaws-pdf-tools ∗∗∗ [R1] Nessus Network Monitor Version 6.2.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-28 ∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-01 ∗∗∗ Rockwell Automation GuardLogix and ControlLogix controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-02 ∗∗∗ ARC Informatique PcVue ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-03 ∗∗∗ Rockwell Automation MicroLogix 1100 and 1400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-04 ∗∗∗ Delta 4G Router DX-3021 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-05 ∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.5ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849101 ∗∗∗ IBM UrbanCode Build is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849111 ∗∗∗ IBM UrbanCode Build is affected by CVE-2021-43980 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849109 ∗∗∗ IBM UrbanCode Build is affected by CVE-2022-34305 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849107 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.12.2022
by Daily end-of-shift report 19 Dec '22

19 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-12-2022 18:00 − Montag 19-12-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Infostealer Malware with Double Extension, (Sun, Dec 18th) ∗∗∗ --------------------------------------------- Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The attachment payment_copy.pdf.z is a rar archive, kind of unusual with this type of file archive but when extracted, it comes out as a double extension with pdf.exe. The file is a trojan infostealer and detected by multiple scanning engines. --------------------------------------------- https://isc.sans.edu/diary/rss/29354 ∗∗∗ Day 3 — Next Level Font Obfuscation ∗∗∗ --------------------------------------------- Today I learned how to obfuscate text using custom fonts. I made a program to automatically create deceptive fonts to demonstrate their danger. Using a custom font, I was able to make a letter look like a different letter to trick a plagiarism checker while still being human-readable. --------------------------------------------- https://medium.com/@doctoreww/day-3-next-level-font-obfuscation-7a6cd978c7a5 ∗∗∗ Venom ∗∗∗ --------------------------------------------- Venom is a C++ library that is meant to give an alternative way to communicate, instead of creating a socket that could be traced back to the process, it creates a new "hidden" (there is no window shown) detached edge process (edge was chosen because it is a browser that is installed on every Windows 10+ and wont raise suspicious) and stealing one of its sockets to perform the network operations. --------------------------------------------- https://github.com/Idov31/Venom ∗∗∗ Exploiting API Framework Flexibility ∗∗∗ --------------------------------------------- The modern frameworks are often very flexible with what they accept, and will happily treat a POST with a JSON body as interchangeable with a URL encoded body, or even with query parameters. Due to this, an unexploitable JSON XSS vector can sometimes be made exploitable by flipping it to one of these alternative approaches. --------------------------------------------- https://attackshipsonfi.re/p/exploiting-api-framework-flexibility ∗∗∗ Fake Shops und Phishing-SMS: Die Betrugsmaschen im Online-Weihnachtsgeschäft ∗∗∗ --------------------------------------------- Weihnachten bedeutet auch wieder Hochsaison für Betrüger, die mit gefälschten Shops und irreführenden SMS auf das Geld ihrer Opfer aus sind. --------------------------------------------- https://www.derstandard.at/story/2000141845543/fake-shops-und-phishing-sms-… ∗∗∗ BSI legt 19 IT-Grundschutz-Bausteine als Final Draft vor ∗∗∗ --------------------------------------------- Kurzer Hinweis für Administratoren und IT-Dienstleister, die im Unternehmensumfeld aktiv sind. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat diese Woche 19 sogenannte IT-Grundschutz-Bausteine als sogenannte Final Drafts vorgelegt. Das reicht von .NET über Active Directory Domain Services bis hin zu Windows Server. --------------------------------------------- https://www.borncity.com/blog/2022/12/18/bsi-legt-19-it-grundschutz-baustei… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-12-16 - 2022-12-18 ∗∗∗ --------------------------------------------- Cisco has updated 9 security advisories: (1x Critical, 5x High, 3x Medium) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ HP kümmert sich mit BIOS-Updates um Schadcode-Lücken ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen mehrere Schwachstellen in HP-Computern. Einige Lücken betreffen ausschließlich AMD-Systeme. --------------------------------------------- https://heise.de/-7398783 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/918203/ ∗∗∗ Synology-SA-22:24 Samba AD DC ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers or remote authenticated users to bypass security constraint via a susceptible version of Synology Directory Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_24 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-3643, CVE-2022-42328 & CVE-2022-42329 ∗∗∗ --------------------------------------------- Several security issues have been identified in Citrix Hypervisor 8.2 LTSR CU1, each of which may allow a privileged user in a guest VM to cause the host to become unresponsive or crash. --------------------------------------------- https://support.citrix.com/article/CTX473048/citrix-hypervisor-security-bul… ∗∗∗ Zenphoto vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN06093462/ ∗∗∗ Corel Roxio Creator LJB starts a program with an unquoted file path ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN13075438/ ∗∗∗ ZDI-22-1681: Autodesk 3DS Max SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1681/ ∗∗∗ DLL Search Order Hijacking Vulnerability in the DWG TrueView™ Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0024 ∗∗∗ Vulnerabilities in PHP may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2021-21703, CVE-2021-21708, CVE-2021-21707, CVE-2022-31629, CVE-2022-31628) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6845928 ∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6841801 ∗∗∗ IBM DataPower Gateway vulnerable to HTTP request smuggling (CVE-2022-35256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848587 ∗∗∗ IBM DataPower Gateway potentially affected by CPU side-channel (CVE-2022-21166) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848585 ∗∗∗ IBM DataPower Gateway subject to a memory leak in TCP source port generation (CVE-2022-1012) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848583 ∗∗∗ IBM DataPower Gateway vulnerable to network state information leakage (CVE-2021-20322, CVE-2021-45485, CVE-2021-45486) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848577 ∗∗∗ UDP source port randomization flaw in IBM DataPower Gateway (CVE-2020-25705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848581 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848847 ∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848879 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.12.2022
by Daily end-of-shift report 16 Dec '22

16 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-12-2022 18:00 − Freitag 16-12-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Phishing attack uses Facebook posts to evade email security ∗∗∗ --------------------------------------------- A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII). --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-attack-uses-faceboo… ∗∗∗ Backdoor Targets FreePBX Asterisk Management Portal ∗∗∗ --------------------------------------------- Written in PHP and JavaScript, FreePBX is a web-based open-source GUI that manages Asterisk, a voice over IP and telephony server. This open-source software allows users to build customer phone systems. During a recent investigation, I came across a simple piece of malware targeting FreePBX’s Asterisk Management portal which allowed attackers to arbitrarily add and delete users, as well as modify the website’s .htaccess file. Let’s take a closer look at this backdoor. --------------------------------------------- https://blog.sucuri.net/2022/12/backdoor-targets-freepbx-asterisk-managemen… ∗∗∗ Decentralized Identity Attack Surface – Part 2 ∗∗∗ --------------------------------------------- This is the second part of our Decentralized Identity (DID) blog series. In case you’re not familiar with DID concepts, we highly encourage you to start with the first part. This time we will cover a different DID implementation — Sovrin. We will also see what a critical (CVSS 10) DID vulnerability looks like by reviewing the one we found in this popular implementation. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/decentralized-ident… ∗∗∗ Das Ende vom unsicheren Hash-Algorithmus SHA-1 zieht sich wie Kaugummi ∗∗∗ --------------------------------------------- Das National Institute of Standards and Technology schickt das längst geknackte SHA-1-Verfahren in Rente – endgültig aber erst in acht Jahren. --------------------------------------------- https://heise.de/-7396973 ∗∗∗ Codeschmuggel möglich: Microsoft stuft Sicherheitslücke auf "kritisch" herauf ∗∗∗ --------------------------------------------- Eine Sicherheitslücke, für die Microsoft ein Update bereitgestellt hat, ermöglicht unerwartet Angreifern ohne Anmeldung, Schadcode einzuschleusen. --------------------------------------------- https://heise.de/-7396879 ∗∗∗ The Data Protection Officer, an ubiquitous role nobody really knows. (arXiv:2212.07712v1 [cs.CR]) ∗∗∗ --------------------------------------------- Among all cybersecurity and privacy workers, the Data Protection Officer (DPO) stands between those auditing a company's compliance and those acting as management advisors. A person that must be somehow versed in legal, management, and cybersecurity technical skills. We describe how this role tackles socio-technical risks in everyday scenarios. --------------------------------------------- http://arxiv.org/abs/2212.07712 ∗∗∗ FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food ∗∗∗ --------------------------------------------- The joint CSA analyzes the common tactics, techniques, and procedures (TTPs) utilized by criminal actors to spoof emails and domains to impersonate legitimate employees and order goods that went unpaid and were possibly resold at devalued prices with labeling that lacked industry standard “need-to-knows” (i.e., necessary information about ingredients, allergens, or expiration dates). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/16/fbi-fda-oci-and-u… ∗∗∗ Agenda Ransomware Uses Rust to Target More Vital Industries ∗∗∗ --------------------------------------------- This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agendas Rust variant has targeted vital industries like its Go counterpart. In this blog, we will discuss how the Rust variant works. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2022-0034 ∗∗∗ --------------------------------------------- vRealize Operations (vROps) contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0034.html *** Cisco Security Advisories 2022-12-16 *** --------------------------------------------- Cisco has updated 18 security advisories: (4x Critical, 11x High, 3x Medium) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastP… *** Vulnerabilities in Autodesk Image Processing component used by Autodesk products II *** --------------------------------------------- Applications and services that utilize Image Processing component used by Autodesk products may be impacted by Out-of-bound Read, Heap-based Overflow, Out-of-bound Write, Memory corruption, and Use-after-free vulnerabilities. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0025 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libde265, php7.3, and thunderbird), Fedora (firefox, freeradius, freerdp, and xorg-x11-server), Oracle (firefox, prometheus-jmx-exporter, and thunderbird), Red Hat (firefox, nodejs:16, prometheus-jmx-exporter, and thunderbird), and SUSE (ceph and chromium). --------------------------------------------- https://lwn.net/Articles/918047/ ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/16/samba-releases-se… ∗∗∗ Remote code execution bypass in Eclipse Business Intelligence Reporting Tool (BiRT) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/remote-code-execution-by… ∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848317 ∗∗∗ Multiple Vulnerabilities in base image packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848319 ∗∗∗ Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848279 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.12.2022
by Daily end-of-shift report 15 Dec '22

15 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-12-2022 18:00 − Donnerstag 15-12-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ LEGO BrickLink bugs let hackers hijack accounts, breach servers ∗∗∗ --------------------------------------------- Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Groups official second-hand and vintage marketplace for LEGO bricks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lego-bricklink-bugs-let-hack… ∗∗∗ Hacking Using SVG Files to Smuggle QBot Malware onto Windows Systems ∗∗∗ --------------------------------------------- Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments. --------------------------------------------- https://thehackernews.com/2022/12/hacking-using-svg-files-to-smuggle-qbot.h… ∗∗∗ Technical Review: A Deep Analysis of the Dirty Pipe Vulnerability ∗∗∗ --------------------------------------------- Dirty Pipe (CVE-2022-0847) proved that there is a new way to exploit Linux syscalls to write to files with a read-only privileges. --------------------------------------------- https://blog.aquasec.com/deep-analysis-of-the-dirty-pipe-vulnerability ∗∗∗ Digging Inside Azure Functions: HyperV Is the Last Line of Defense ∗∗∗ --------------------------------------------- We investigated Azures serverless architecture and found that a HyperV VM was the remaining defense after a container breakout. --------------------------------------------- https://unit42.paloaltonetworks.com/azure-serverless-functions-security/ ∗∗∗ Patch Tuesday: (zur Abwechslung) Augen auf! ∗∗∗ --------------------------------------------- Manchmal gelangen wir die verzwickte Lage, dass sich in den Patchnotes Updates für Schwachstellen verbergen, aufgrund derer wir zwar keine Warnung veröffentlichen, aber auf die wir dennoch explizit hinweisen wollen. Diesen Monat ist es wieder einmal soweit. --------------------------------------------- https://cert.at/de/blog/2022/12/patch-tuesday-zur-abwechslung-augen-auf ∗∗∗ Windows Server 2019/2022: Dezember 2022-Sicherheitsupdates verursachen Hyper-V-Probleme ∗∗∗ --------------------------------------------- Die zum Dezember 2022 Patchday von Microsoft ausgerollten Sicherheitsupdates führen in bestimmten Konstellationen zum Problemen mit Hyper-V. --------------------------------------------- https://www.borncity.com/blog/2022/12/15/windows-server-2019-2022-dezember-… ∗∗∗ Microsoft-Zertifikate zur Signatur von Malware missbraucht (Dez. 2022) ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf Fälle gestoßen, wo es Cyberkriminellen gelungen ist, Malware durch gültige digitale Zertifikate von Microsoft zu signieren. --------------------------------------------- https://www.borncity.com/blog/2022/12/15/microsoft-zertifikate-zur-signatur… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as Critical ∗∗∗ --------------------------------------------- Microsoft has revised the severity of a security vulnerability it originally patched in September 2022, upgrading it to "Critical" after it emerged that it could be exploited to achieve remote code execution. --------------------------------------------- https://thehackernews.com/2022/12/microsoft-reclassifies-spnego-extended.ht… ∗∗∗ Typo3: Neue Fassungen schließen hochriskante Sicherheitslücke ∗∗∗ --------------------------------------------- Angreifer könnten in Typo3 etwa eigenen PHP-Code einschleusen. Mit neuen Versionen schließen die Entwickler diese und weitere Sicherheitslücken. --------------------------------------------- https://heise.de/-7395790 ∗∗∗ Microsoft Patch Tuesday, December 2022 Edition ∗∗∗ --------------------------------------------- Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. --------------------------------------------- https://krebsonsecurity.com/2022/12/microsoft-patch-tuesday-december-2022-e… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and git), Slackware (mozilla and xorg), SUSE (apache2-mod_wsgi, capnproto, xorg-x11-server, xwayland, and zabbix), and Ubuntu (emacs24, firefox, linux-azure, linux-azure-5.15, linux-azure-fde, linux-oem-6.0, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/917947/ ∗∗∗ Der unsichtbare Feind: Buffer Overflow Schwachstellen in Zyxel Routern nach wie vor problematisch ∗∗∗ --------------------------------------------- https://sec-consult.com/de/blog/detail/enemy-within-unauthenticated-buffer-… ∗∗∗ Drupal Releases Security Updates to Address Vulnerabilities in H5P and File (Field) Paths ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/15/drupal-releases-s… ∗∗∗ [R1] Tenable.ad Versions 3.29.4, 3.19.12 and 3.11.9 Fix One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-27 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848189 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848195 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848221 ∗∗∗ Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848225 ∗∗∗ A vulnerability in Python affects IBM Elastic Storage System (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848229 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Node [CVE-2022-39353] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848213 ∗∗∗ Vulnerabilities in IBM Java SDK affect IBM Spectrum Control ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847605 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related IBM WebSphere Application Server Liberty and FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847541 ∗∗∗ Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848295 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.12.2022
by Daily end-of-shift report 14 Dec '22

14 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-12-2022 18:00 − Mittwoch 14-12-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft-signed malicious Windows drivers used in ransomware attacks ∗∗∗ --------------------------------------------- Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-… ∗∗∗ Open-source repositories flooded by 144,000 phishing packages ∗∗∗ --------------------------------------------- Unknown threat actors have uploaded a total of 144,294 phishing-related packages on the open-source package repositories NuGet, PyPI, and NPM. --------------------------------------------- https://www.bleepingcomputer.com/news/security/open-source-repositories-flo… ∗∗∗ Input Validation for Website Security ∗∗∗ --------------------------------------------- Web forms are incredibly useful tools. They allow you to gather important information about potential clients and site visitors, collect comments and feedback, upload files, subscribe new users to your blog, or even collect payment details. But if your forms aren’t properly validating user inputs, you might be in for a nasty surprise: a variety of issues can occur if data is uploaded to your site’s environment without specific controls. --------------------------------------------- https://blog.sucuri.net/2022/12/input-validation-for-website-security.html ∗∗∗ Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities ∗∗∗ --------------------------------------------- Google on Tuesday announced the open source availability of OSV-Scanner, a scanner that aims to offer easy access to vulnerability information about various projects.The Go-based tool, powered by the Open Source Vulnerabilities (OSV) database, is designed to connect "a projects list of dependencies with the vulnerabilities that affect them," [..] --------------------------------------------- https://thehackernews.com/2022/12/google-launches-largest-distributed.html ∗∗∗ New GoTrim Botnet Attempting to Break into WordPress Sites Admin Accounts ∗∗∗ --------------------------------------------- A new Go-based botnet has been spotted scanning and brute-forcing self-hosted websites using the WordPress content management system (CMS) to seize control of the targeted systems."This new brute forcer is part of a new campaign we have named GoTrim because it was written in Go and uses :::trim::: to split data communicated to and from the C2 server," --------------------------------------------- https://thehackernews.com/2022/12/new-gotrim-botnet-attempting-to-break.html ∗∗∗ Ade iOS 15: Apple stellt Support auf neueren iPhones offenbar ein ∗∗∗ --------------------------------------------- iPhones ab Baujahr 2017 erhalten Sicherheits-Updates nur noch nach Upgrade auf iOS 16. Lücken in iOS 15 werden laut Apple aktiv ausgenutzt. --------------------------------------------- https://heise.de/-7394913 ∗∗∗ BSI-Magazin mit Schwerpunkt "Ransomware" veröffentlicht ∗∗∗ --------------------------------------------- Die zweite Ausgabe des BSI-Magazins "Mit Sicherheit" in diesem Jahr ist erschienen. Das BSI stellt in diesem BSI-Magazin eine der aktuell größten Bedrohungen für die IT-Sicherheit in einem Sonderteil in den Mittelpunkt: Ransomware. [..] Weitere Themen sind Automotive Security, der Digitale Verbraucherschutz sowie die Zusammenarbeit von BSI und NATO zur Gestaltung der Cloud-Sicherheit im Bündnis. Außerdem gibt es im neuen BSI-Magazin eine neue Checkliste mit Tipps für ein sicheres Heimnetzwerk. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ NSA, CISA, and ODNI Release Guidance on Potential Threats to 5G Network Slicing ∗∗∗ --------------------------------------------- Original release date: December 13, 2022Today, the National Security Agency (NSA), CISA, and the Office of the Director of National Intelligence (ODNI), published Potential Threats to 5G Network Slicing. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents both the benefits and risks associated with 5G network slicing. It also provides mitigation strategies that address potential threats to 5G network slicing. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/13/nsa-cisa-and-odni… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerabilities found on Arcadyan Routers ∗∗∗ --------------------------------------------- The two vulnerabilities were found by Asher Davila L. in Arcadyan wireless modems with model number VRV9506JAC23. It is probable that they are also present in other Arcadyan models as well because their web interfaces are similar and they have common features. The following are the two found vulnerabilities: * CVE-2020-9420: Cleartext transmission of sensitive information * CVE-2020-9419: Stored cross-site scripting --------------------------------------------- https://gist.github.com/AsherDLL/03d0762b5a535e300f1121caebe333ce ∗∗∗ Webbrowser: Chrome-Update dichtet acht Sicherheitslecks ab ∗∗∗ --------------------------------------------- Google hat eine aktualisierte Version des Webbrowsers Chrome bereitgestellt. Sie schließt mindestens vier hochriskante Sicherheitslücken. --------------------------------------------- https://heise.de/-7394554 ∗∗∗ VMSA-2022-0032: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware Cloud Foundation (Cloud Foundation) ∗∗∗ --------------------------------------------- Synopsis: VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701). --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0032.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pngcheck), Fedora (qemu), Mageia (admesh, busybox, emacs, libarchive, netkit-telnet, ruby, rxvt-unicode, and shadowutils), Oracle (bcel and kernel), Red Hat (389-ds-base, bcel, dbus, firefox, grub2, kernel, kernel-rt, kpatch-patch, thunderbird, and usbguard), Scientific Linux (bcel), SUSE (containerd, firefox, grafana, java-1_8_0-openjdk, libtpms, net-snmp, and wireshark), and Ubuntu (pillow). --------------------------------------------- https://lwn.net/Articles/917839/ ∗∗∗ Adobe Patches 38 Flaws in Enterprise Software Products ∗∗∗ --------------------------------------------- After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple enterprise-facing products.The San Jose, California software maker said the flaws could expose users to code execution and privilege escalation attacks across all computer platforms. --------------------------------------------- https://www.securityweek.com/adobe-patches-38-flaws-enterprise-software-pro… ∗∗∗ ICS Patch Tuesday: Siemens Fixes 80 OpenSSL, OpenSSH Flaws in Switches ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have addressed over 140 vulnerabilities with their December 2022 Patch Tuesday updates.Siemensread more --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-fixes-80-openssl-ope… ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Original release date: December 13, 2022Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible: iCloud for Windows 14.1 Safari 16.2 macOS Monterey 12.6.2 macOS Big Sur 11.7.2 tvOS 16.2 watchOS 9.2 iOS 15.7.2 and iPadOS 15.7.2 iOS 16.2 and iPadOS 16.2 macOS Ventura 13.1 --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/13/apple-releases-se… ∗∗∗ Sonicwall Capture Client Local Privilege Escalation via SentinelOne Agent (Aikido) ∗∗∗ --------------------------------------------- An arbitrary file deletion vulnerability (Aikido) in Sonicwall Capture Client via SentinelOne Agent could allow a local attacker to escalate privileges and delete files. The exploit was confirmed to work with 6 vulnerable EDR products, including the SentinelOne Agent for Windows.Please note: an attacker must first obtain low-privileged access on the target system in order to exploit this vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0025 ∗∗∗ Cisco Identity Services Engine Unauthorized File Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Weidmueller: Multiple IoT and control products affected by JavaScript injection vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-056/ ∗∗∗ NVIDIA GPU Display Driver Advisory - November 2022 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500536-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ Vulnerabilities in Linux Kernel, Golang Go, and cURL libcurl may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847643 ∗∗∗ Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Operations Center and Client Management Service (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847655 ∗∗∗ Vulnerabilities in zlib and Golang Go may affect the IBM Spectrum Protect Server (CVE-2018-25032, CVE-2022-27664) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847653 ∗∗∗ IBM Copy Services Manager is vulnerable to a remote attack vulnerabilities due to IBM WebSphere Application Server Liberty vulnerabilities (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847789 ∗∗∗ IBM Tivoli Netcool\/OMNIbus Transport Module Common Integration Library is affected by vulnerability in Apache Kafka (CVE-2022-34917) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847829 ∗∗∗ IBM Tivoli Netcool\/OMNIbus Probe and Integrations Library are affected by vulnerabilities in FasterXML jackson-databind (CVE-2022-42004, CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6846525 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847939 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847945 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2022
by Daily end-of-shift report 13 Dec '22

13 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Montag 12-12-2022 18:00 − Dienstag 13-12-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Amazon ECR Public Gallery flaw could have wiped or poisoned any image ∗∗∗ --------------------------------------------- The researcher reported the vulnerability to AWS Security on November 15, 2022, and Amazon rolled out a fix in under 24 hours. While there are no signs of this flaw being abused in the wild, threat actors could have used it in massive-scale supply chain attacks against many users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-ecr-public-gallery-fl… ∗∗∗ IIS modules: The evolution of web shells and how to detect them ∗∗∗ --------------------------------------------- This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-ev… ∗∗∗ A Deep Dive into BianLian Ransomware ∗∗∗ --------------------------------------------- BianLian ransomware is a Golang malware that performed targeted attacks across multiple industries in 2022. The ransomware employed anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all drives identified on the machine and deletes itself after the encryption is complete. --------------------------------------------- https://resources.securityscorecard.com/research/bian-lian-deep-dive ∗∗∗ New Python-Based Backdoor Targeting VMware ESXi Servers ∗∗∗ --------------------------------------------- Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers. The targeted servers were impacted by known security defects (such as CVE-2019-5544 and CVE-2020-3992) that were likely used for initial compromise, but what caught the researchers’ attention was the simplicity, persistence, and capabilities of the deployed backdoor. --------------------------------------------- https://www.securityweek.com/new-python-based-backdoor-targeting-vmware-esx… ∗∗∗ What’s My Name Again? Reolink camera command injection ∗∗∗ --------------------------------------------- TL;DR Research on Reolink’s RLC-520A smart motion detection camera has turned up an authenticated command injection vulnerability. Exploiting this vulnerability with an injected system command can render the device useless. --------------------------------------------- https://www.pentestpartners.com/security-blog/whats-my-name-again-reolink-c… ∗∗∗ Aktuelle Welle an DDoS Angriffen auf staatsnahe und kritische Infrastruktur in Österreich ∗∗∗ --------------------------------------------- Seit ca. zwei Wochen sehen sich vermehrt österreichische staatliche/staatsnahe Organisationen sowie Unternehmen der kritischen Infrastruktur mit DDoS Angriffen konfrontiert. Die genauen Hintergründe und Motive der Attacken sind uns zurzeit nicht bekannt. Die Täter:innen greifen hierbei zu verschiedenen Methoden und versuchen auch, sich an getroffene Gegenmaßnahmen anzupassen. --------------------------------------------- https://cert.at/de/aktuelles/2022/12/aktuelle-welle-an-ddos-angriffen-auf-s… ∗∗∗ REPORT: A new trick from Facebook scammers and Sharkbot Android malware returns ∗∗∗ --------------------------------------------- A new wave of scams utilizes Facebook’s tagging feature to trick Page owners into believing they’ve violated Facebook’s terms and conditions. Several variations of the attack exist, but all lead to phishing sites designed to steal Page owner’s credentials. --------------------------------------------- https://blog.f-secure.com/f-alert-report-a-new-trick-from-facebook-scammers… ===================== = Vulnerabilities = ===================== ∗∗∗ Redmine vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- Redmine contains a cross-site scripting vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN60211811/ ∗∗∗ Announcing TYPO3 12.1.1 [12.1.2], 11.5.20 and 10.4.33 security releases ∗∗∗ --------------------------------------------- today weve released TYPO3 12.1.1, 11.5.20 LTS and 10.4.33 LTS, which are ready for you to download. All versions are security releases and contain important security fixes [unfortunately TYPO3 v12.1.1 contained a regression, which has been fixed in TYPO3 v12.1.2.] --------------------------------------------- https://lists.typo3.org/pipermail/typo3-announce/2022/000523.html ∗∗∗ Vulnerabilities in multiple third party TYPO3 CMS extensions ∗∗∗ --------------------------------------------- several vulnerabilities have been found in the following third party TYPO3 extensions: * "Change password for frontend users" (fe_change_pwd) * "Newsletter subscriber management" (fp_newsletter) * "Master-Quiz" (fp_masterquiz) For further information on the issues, please read the related advisories TYPO3-EXT-SA-2022-016, TYPO3-EXT-SA-2022-017 and TYPO3-EXT-SA-2022-018 which were published today --------------------------------------------- https://lists.typo3.org/pipermail/typo3-announce/2022/000524.html ∗∗∗ OpenSSL: X.509 Policy Constraints Double Locking (CVE-2022-3996) ∗∗∗ --------------------------------------------- Severity: Low If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. --------------------------------------------- https://www.openssl.org/news/secadv/20221213.txt ∗∗∗ Patchday SAP: 14 neue Sicherheitsmeldungen im Dezember ∗∗∗ --------------------------------------------- Zum Jahresende behandelt SAP in 14 Sicherheitsnotizen Schwachstellen in der Software des Unternehmens. IT-Verantwortliche sollten die Updates rasch anwenden. --------------------------------------------- https://heise.de/-7392718 ∗∗∗ Jetzt patchen! Kritische Zero-Day-Lücke in FortiOS wird angegriffen ∗∗∗ --------------------------------------------- Fortinet meldet eine kritische Sicherheitslücke in FortiOS. Cyberkriminelle missbrauchen diese bereits für Angriffe. Updates stehen bereit. --------------------------------------------- https://heise.de/-7392455 ∗∗∗ VMSA-2022-0031 ∗∗∗ --------------------------------------------- Synopsis: VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities (CVE-2022-31702, CVE-2022-31703) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0031.html ∗∗∗ VMSA-2022-0033 ∗∗∗ --------------------------------------------- Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0033.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-tar and pngcheck), SUSE (colord, containerd, and tiff), and Ubuntu (containerd, linux-azure, linux-azure, linux-azure-5.4, linux-oem-5.17, and vim). --------------------------------------------- https://lwn.net/Articles/917749/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6 ∗∗∗ --------------------------------------------- In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.6 ∗∗∗ --------------------------------------------- CVE-2022-46880: Use-after-free in WebGL CVE-2022-46872: Arbitrary file read from a compromised content process CVE-2022-46881: Memory corruption in WebGL CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS CVE-2022-46882: Use-after-free in WebGL CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/ ∗∗∗ Security Vulnerabilities fixed in Firefox 108 ∗∗∗ --------------------------------------------- CVE-2022-46871: libusrsctp library out of date CVE-2022-46872: Arbitrary file read from a compromised content process CVE-2022-46873: Firefox did not implement the CSP directive unsafe-hashes CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS CVE-2022-46877: Fullscreen notification bypass CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 CVE-2022-46879: Memory safety bugs fixed in Firefox 108 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-51/ ∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Citrix Gateway and Citrix ADC, listed below, that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance. CVE-ID: CVE-2022-27518 --------------------------------------------- https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-… ∗∗∗ Privilege Escalation Schwachstellen (UNIX Insecure File Handling) in SAP® Host Agent (saposcol) ∗∗∗ --------------------------------------------- Due to insecure file handling issues of the SAP® Host Agent, a local attacker can exploit the helper binary saposcol to escalate privileges on UNIX systems. Successful exploitation leads to full system compromise with root access. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/privilege-escalation-… ∗∗∗ ICS Advisory (ICSA-22-347-03): Contec CONPROSSYS HMI System (CHS) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03 ∗∗∗ ICS Advisory (ICSA-22-347-02): Schneider Electric APC Easy UPS Online ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-02 ∗∗∗ ICS Advisory (ICSA-22-347-01): ICONICS and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-01 ∗∗∗ Wiesemann & Theis multiple products prone to web interface vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-057/ ∗∗∗ Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-038/ ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847315 ∗∗∗ AIX is vulnerable to a denial of service due to libxml2 (CVE-2022-29824) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6619729 ∗∗∗ IBM QRadar Network Packet Capture has released 7.3.1 Patch 1, and 7.2.8 Patch 1 in response to the vulnerabilities known as Spectre and Meltdown. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/571419 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2021-41041, CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847341 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847351 ∗∗∗ Multiple vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-24839, CVE-2022-37734, CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847349 ∗∗∗ Multiple vulnerabilities have been identified in Smack API shipped with IBM Tivoli Netcool Impact (CVE-2014-0363, CVE-2014-0364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847337 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847563 ∗∗∗ WebSphere Application Server is vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests which affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847593 ∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847591 ∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847587 ∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847595 ∗∗∗ Vulnerability in OAuthlib affects IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-36087) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6842215 ∗∗∗ Vulnerabilities in Redis affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-24736, CVE-2022-24735) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6842235 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.12.2022
by Daily end-of-shift report 12 Dec '22

12 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-12-2022 18:00 − Montag 12-12-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Clop ransomware partners with TrueBot malware for access to networks ∗∗∗ --------------------------------------------- Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clop-ransomware-partners-wit… ∗∗∗ Popular WAFs Subverted by JSON Bypass ∗∗∗ --------------------------------------------- Web application firewalls from AWS, Cloudflare, F5, Imperva, and Palo Alto Networks are vulnerable to a database attack using the popular JavaScript Object Notation (JSON) format. --------------------------------------------- https://www.darkreading.com/application-security/popular-wafs-json-bypass ∗∗∗ On-device WebAuthn and what makes it hard to do well ∗∗∗ --------------------------------------------- WebAuthn improves login security a lot by making it significantly harder for a users credentials to be misused - a WebAuthn token will only respond to a challenge if its issued by the site a secret was issued to, and in general will only do so if the user provides proof of physical presence[1]. But giving people tokens is tedious and also I have a new laptop which only has USB-C but does have a working fingerprint reader and I [...] --------------------------------------------- https://mjg59.dreamwidth.org/62746.html ∗∗∗ Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant ∗∗∗ --------------------------------------------- Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks, which took place during 2020 and 2021 and likely went as far back as 2015, involved a revamped variant of a malware called Janicab that leverages a number of public services like WordPress [...] --------------------------------------------- https://thehackernews.com/2022/12/hack-for-hire-group-targets-travel-and.ht… ∗∗∗ Log4j’s Log4Shell Vulnerability: One Year Later, It’s Still Lurking ∗∗∗ --------------------------------------------- Despite mitigation, one of the worst bugs in internet history is still prevalent—and being exploited. --------------------------------------------- https://www.wired.com/story/log4j-log4shell-one-year-later/ ∗∗∗ Practically-exploitable Cryptographic Vulnerabilities in Matrix ∗∗∗ --------------------------------------------- We report several practically-exploitable cryptographic vulnerabilities in the end-to-end encryption in Matrix and describe proof-of-concept attacks exploiting these vulnerabilities. [...] Whilst the language of the paper and this website is in present tense, many of the vulnerabilities disclosed have been fixed. See our paper (or Matrix’ website) for more details. --------------------------------------------- https://nebuchadnezzar-megolm.github.io/ ∗∗∗ Cisco Working on Patch for Publicly Disclosed IP Phone Vulnerability ∗∗∗ --------------------------------------------- Cisco informed customers on Thursday that it’s working on patches for a high-severity vulnerability affecting some of its IP phones. --------------------------------------------- https://www.securityweek.com/cisco-working-patch-publicly-disclosed-ip-phon… ∗∗∗ So schützen Sie sich vor problematischen Online-Shops ∗∗∗ --------------------------------------------- Immer wieder werden uns Online-Shops gemeldet, die zwar keine Fake-Shops, aber trotzdem problematisch sind. Lieferzeiten werden nicht eingehalten, die Qualität der Produkte lässt zu wünschen übrig, oder es kommt zu hohen Zoll- oder Retourenkosten. Wir zeigen Ihnen, worauf Sie achten müssen, um keine bösen Überraschungen beim Online-Shopping zu erleben! --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-problemati… ∗∗∗ So schützen Sie sich vor Abo-Fallen im Internet ∗∗∗ --------------------------------------------- Auch im Internet hat niemand etwas zu verschenken! Lassen Sie Vorsicht walten bei Angeboten, die zu gut sind, um wahr zu sein. Diese „Angebote“ nutzen Kriminelle, um Sie in die Falle zu locken. Wenn Sie bemerken, dass Geldbeträge ohne Ihre Zustimmung von Ihrem Konto abgebucht werden, handelt es sich möglicherweise um eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-abo-fallen… ∗∗∗ Was tun, wenn Sie in eine Abo-Falle getappt sind? ∗∗∗ --------------------------------------------- Auf der Suche nach kostenlosen Angeboten und gratis Testversionen werden Sie im Internet schnell fündig. Doch Vorsicht: Hier ist nicht alles Gold, was glänzt! Oft handelt es sich nämlich um Abo-Fallen, bei denen Ihnen unbegründet Rechnungen zugeschickt oder Geldbeträge vom Konto abgebucht werden und man Ihnen mit Inkassobüros oder Rechtsanwaltsschreiben droht. Die Lösung? Auf keinen Fall bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-sie-in-eine-abo-falle-g… ∗∗∗ Precious Gemstones: The New Generation of Kerberos Attacks ∗∗∗ --------------------------------------------- Unit 42 researchers show new methods to improve detection of a next-gen line of Kerberos attacks, which allow attackers to modify Kerberos tickets to maintain privileged access. --------------------------------------------- https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS - heap-based buffer overflow in sslvpnd ∗∗∗ --------------------------------------------- A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise: [...] --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-22-398 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti, grub2, hsqldb, node-eventsource, and openexr), Fedora (bcel, keylime, rust-capnp, rust-sequoia-octopus-librnp, xfce4-screenshooter, and xfce4-settings), Oracle (nodejs:18), Scientific Linux (grub2), Slackware (libarchive), SUSE (go1.18, go1.19, nautilus, opera, python-slixmpp, and samba), and Ubuntu (python2.7, python3.5, qemu, and squid3). --------------------------------------------- https://lwn.net/Articles/917690/ ∗∗∗ IFM: weak password recovery vulnerability in moneo appliance ∗∗∗ --------------------------------------------- Summary: An unauthenticated remote attacker could reset the administrators password with information from the default, self-signed certificate. Impact: An unathenticated attacker can remotely reset the administrator password. Solution: Mitigation: The certificate is renewed by adjusting the hostname to an own customer-specific, so it does not contain the serial number. Remediation: The password-reset mechanism will be updated in a future version. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-050/ ∗∗∗ IBM Security Bulletins 2022-12-09 - 2022-12-12 ∗∗∗ --------------------------------------------- Apache Commons HttpClient 3.x (and few others), Apache POI, IBM App Connect Enterprise, IBM® Db2® Net Search Extender, IBM Elastic Storage System, IBM Engineering Workflow Management (EWM), IBM InfoSphere Information Server, IBM Spectrum Copy Data Management, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, IBM Spectrum Scale packaged in IBM Elastic Storage Server, IBM Spectrum Scale packaged in IBM Elastic Storage System, IBM Tivoli Application Dependency Discovery Manager (TADDM), Rational Team Concert (RTC), z/Transaction Processing Facility --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Intel Data Center Manager 5.1 Local Privilege Escalation ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022120027 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.12.2022
by Daily end-of-shift report 09 Dec '22

09 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-12-2022 18:00 − Freitag 09-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Unsichtbare npm-Malware umgeht Sicherheitsprüfungen mit manipulierten Versionen ∗∗∗ --------------------------------------------- JFrog hat ein unerwartetes Verhalten der npm-Werkzeuge entdeckt: Für Pakete bestimmter Versionsformate zeigen sie wohl keine sicherheitsrelevanten Hinweise an. --------------------------------------------- https://heise.de/-7372357 ∗∗∗ So schützen Sie sich vor Fake-Shops ∗∗∗ --------------------------------------------- Fake-Shops locken mit gutem Design und unschlagbaren Preisen in die Falle. Doch wie erkennen Sie Fake-Shops und andere betrügerische Online-Shops, bevor es zu spät ist? Hier beschreiben wir hier die gängigsten Formen von Fake-Shops und ihre Erkennungsmerkmale. Ein Einkauf in einem Fake-Shop kann Sie nämlich wahrlich teuer zu stehen kommen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-fake-shops/ ∗∗∗ Ransomware: Löschen statt entschlüsseln ∗∗∗ --------------------------------------------- Die defekte Ransomware Cryptonite kann Ihre Dateien nicht entschlüsseln, selbst wenn Sie das Lösegeld bezahlen. Stattdessen werden alle Daten einfach gelöscht. --------------------------------------------- https://www.zdnet.de/88405737/ransomware-loeschen-statt-entschluesseln/ ∗∗∗ New Zombinder platform binds Android malware with legitimate apps ∗∗∗ --------------------------------------------- A darknet platform dubbed Zombinder allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds… ∗∗∗ Hacked corporate email accounts used to send MSP remote access tool ∗∗∗ --------------------------------------------- MuddyWater hackers, a group associated with Irans Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to deliver phishing messages to their targets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-corporate-email-accou… ∗∗∗ DeathStalker targets legal entities with new Janicab variant ∗∗∗ --------------------------------------------- While hunting for less common Deathstalker intrusions, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020. --------------------------------------------- https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab… ∗∗∗ How to train your Ghidra ∗∗∗ --------------------------------------------- Brief introduction to setting up Ghidra, and then configuring it with a familiar UI and shortcuts, so that you would not need to re-learn all the key sequences you have got used to over the years. --------------------------------------------- https://securelist.com/how-to-train-your-ghidra/108272/ ∗∗∗ Finding Gaps in Syslog - How to find when nothing happened, (Wed, Dec 7th) ∗∗∗ --------------------------------------------- I recently got a call from a client, they had an outage that required a firewall reboot, but couldn't give me an exact clock time. They were looking for anything in the logs just prior to that reboot that might indicate a carrier issue, as they had experienced a few outages like this recently. --------------------------------------------- https://isc.sans.edu/diary/rss/29314 ∗∗∗ Port Scanning in Powershell Redux: Speeding Up the Results (challenge accepted!), (Fri, Dec 9th) ∗∗∗ --------------------------------------------- In the story I wrote in October about using PowerShell for Port Scanning (https://isc.sans.edu/diary/29202), I noted that the basic "test-connect" operation made for a pretty slow port scanner, which seems to be the message that everyone latched onto. Of course, my immediate response was "challenge accepted!", so let's go - let's make that operation faster! --------------------------------------------- https://isc.sans.edu/diary/rss/29324 ∗∗∗ Trojanized OneNote Document Leads to Formbook Malware ∗∗∗ --------------------------------------------- Cybercriminals have long used Microsoft documents to pass along malware and they are always experimenting with new ways to deliver malicious packages. As defenders, Trustwave SpiderLabs’ researchers are always looking out for new or unusual file types, and through this ongoing research, we uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-… ∗∗∗ Compromised Cloud Compute Credentials: Case Studies From the Wild ∗∗∗ --------------------------------------------- A walk-through of attacks in the wild that abuse stolen cloud compute credentials in the cloud environment. Unit 42 researchers highlight two case studies. --------------------------------------------- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ ∗∗∗ Fantasy - a new Agrius wiper deployed through a supply‑chain attack ∗∗∗ --------------------------------------------- ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper, with victims including the diamond industry --------------------------------------------- https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-c… ∗∗∗ On hacking forums, even the scammers aren’t safe ∗∗∗ --------------------------------------------- Cybercriminals use a range of techniques to steal victims’ money — from developing malicious software to siphon financial data to old-fashioned “rip-and-runs” — but that doesn’t mean they’re immune to falling for these scams themselves. Scammers scamming scammers, including sometimes the scammers who have scammed them, is “an entire sub-economy” on darknet marketplaces, according to [...] --------------------------------------------- https://therecord.media/on-hacking-forums-even-the-scammers-arent-safe/ ∗∗∗ OpenSSL CVE-2022-3786: Food for Thought on the Importance of Security Scanning ∗∗∗ --------------------------------------------- After a CVE on open source software has been discovered and a fix has been released, a fruitful practice for security researchers is to go deep into the nature of the CVE and the fix. --------------------------------------------- https://checkmarx.com/blog/openssl-cve-2022-3786-food-for-thought-on-the-im… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins 2022-12-05 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Cloud Transformation Advisor, IBM Event Streams, IBM InfoSphere Information Server, IBM Power System, IBM QRadar SIEM, IBM Rational Functional Tester, IBM Rational Test Automation Server, IBM Spectrum Scale, IBM Sterling Secure Proxy, IBM Watson Developer Cloud --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-06 ∗∗∗ --------------------------------------------- IBM Business Automation Workflow, IBM Content Navigator, IBM Operations Analytics, IBM Rational Business Developer, IBM SPSS Collaboration and Deployment Services, IBM Security SiteProtector System, IBM Sterling External Authentication Server, IBM Tivoli Application Dependency Discovery Manager, IBM Tivoli Business Service Manager, IBM Tivoli Composite Application Manager for Transactions, IBM WebSphere Application Server --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-07 ∗∗∗ --------------------------------------------- AIX, HMC, IBM Business Automation Workflow Event Emitters, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Data Risk Manager, IBM Enterprise Content Management System Monitor, IBM Match 360, IBM PowerVM Novalink, IBM Virtualization Engine TS7700, IBM Watson Assistant for IBM Cloud Pak for Data --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-08 ∗∗∗ --------------------------------------------- AIX, IBM API Connect, IBM CICS Transaction Gateway, IBM Cloud Transformation Advisor, IBM InfoSphere Information Server, IBM MQ, IBM PowerVM Novalink, IBM Security Verify --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-09 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise Certified Container, IBM Security Verify Governance, IBM Spectrum Copy Data Management, IBM Spectrum Protect for Space Management Client, IBM Tivoli Application Dependency Discovery Manager, z/Transaction Processing Facility --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ VMSA-2022-0030 ∗∗∗ --------------------------------------------- VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0030.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dlt-daemon, jqueryui, and virglrenderer), Fedora (firefox, vim, and woff), Oracle (kernel and nodejs:18), Red Hat (java-1.8.0-ibm and redhat-ds:11), Slackware (python3), SUSE (buildah, matio, and osc), and Ubuntu (heimdal and postgresql-9.5). --------------------------------------------- https://lwn.net/Articles/917398/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (leptonlib), Fedora (woff), Red Hat (grub2), Slackware (emacs), SUSE (busybox, chromium, java-1_8_0-openjdk, netatalk, and rabbitmq-server), and Ubuntu (gcc-5, gccgo-6, glibc, protobuf, and python2.7, python3.10, python3.6, python3.8). --------------------------------------------- https://lwn.net/Articles/917530/ ∗∗∗ Synology-SA-22:23 PWN2OWN TORONTO 2022 ∗∗∗ --------------------------------------------- Multiple vulnerabilities reported by PWN2OWN TORONTO 2022 have been addressed. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_23 ∗∗∗ AMI MegaRAC SP-X BMC Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500535-AMI-MEGARAC-SP-X-BMC-V… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Smart WiFi Router ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-dosvihsw… ∗∗∗ K87046687: VMware Tools vulnerability CVE-2022-31676 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87046687 ∗∗∗ Advantech iView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-342-01 ∗∗∗ AVEVA InTouch Access Anywhere ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-342-02 ∗∗∗ Rockwell Automation Logix controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-342-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.12.2022
by Daily end-of-shift report 07 Dec '22

07 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-12-2022 18:00 − Mittwoch 07-12-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers ∗∗∗ --------------------------------------------- Microsoft, three others release patches to fix a vulnerability in their respective products that enables such manipulation. Other EDR products potentially are affected as well. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/cyberattackers-popular-… ∗∗∗ DEV-0139 launches targeted attacks against the cryptocurrency industry ∗∗∗ --------------------------------------------- Microsoft security researchers investigate an attack where the threat actor, tracked DEV-0139, used chat groups to target specific cryptocurrency investment companies and run a backdoor within their network. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-… ∗∗∗ New Go-based Botnet Exploiting Exploiting Dozens of IoT Vulnerabilities to Expand its Network ∗∗∗ --------------------------------------------- A novel Go-based botnet called Zerobot has been observed in the wild proliferating by taking advantage of nearly two dozen security vulnerabilities in the internet of things (IoT) devices and other software. --------------------------------------------- https://thehackernews.com/2022/12/new-go-based-zerobot-botnet-exploiting.ht… ∗∗∗ ChatGPT shows promise of using AI to write malware ∗∗∗ --------------------------------------------- For even the most skilled hackers, it can take at least an hour to write a script to exploit a software vulnerability and infiltrate their target. Soon, a machine may be able to do it in mere seconds. --------------------------------------------- https://www.cyberscoop.com/chatgpt-ai-malware/ ∗∗∗ So schützen Sie sich vor Scams ∗∗∗ --------------------------------------------- Beim Scamming - auch Vorschussbetrug genannt - versuchen Kriminelle, Sie zu einer Vorauszahlung zu drängen. Sie werden beispielsweise mit einem Millionengewinn, einer Erbschaft oder einem günstigen Kreditangebot geködert. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-scams/ ∗∗∗ OpenSSL punycode – with hindsight ∗∗∗ --------------------------------------------- The next Heartbleeds were about to be announced, two critical vulnerabilities that affect everyone and everything, everywhere. And then they were released. And everyone was let down. --------------------------------------------- https://blog.checkpoint.com/2022/12/07/openssl-punycode-with-hindsight/ ∗∗∗ Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE) ∗∗∗ --------------------------------------------- In August, the ASEC analysis team made a post on the malware being distributed with filenames that utilize RTLO (Right-To-Left Override). --------------------------------------------- https://asec.ahnlab.com/en/43518/ ∗∗∗ Industry 4.0: CNC Machine Security Risks Part 3 ∗∗∗ --------------------------------------------- This three-part blog series explores the risks associated with CNC machines --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet schließt Sicherheitslücken in mehreren Produkten ∗∗∗ --------------------------------------------- Für zahlreiche Produkte aus dem Portfolio hat Fortinet Sicherheitsupdates herausgegeben. Sie schließen teils hochriskante Schwachstellen. --------------------------------------------- https://heise.de/-7368520 ∗∗∗ Dienste-Monitoring: Angreifer können Cacti beliebigen Code unterschieben ∗∗∗ --------------------------------------------- In der Webanwendung Cacti, die etwa zur Diensteüberwachung dient, könnten Angreifer beliebigen Code einschleusen und ausführen. Ein Patch ist verfügbar. --------------------------------------------- https://heise.de/-7369455 ∗∗∗ Jetzt patchen: Fehlkonfiguration in Netgear-Router lässt Angreifer auf das Gerät ∗∗∗ --------------------------------------------- Forscher warnen vor Fremdzugriffen auf den Nighthawk WiFi 6 Router von Netgear. Ein Update ist verfügbar, soll sich aber nicht automatisch installieren. --------------------------------------------- https://heise.de/-7369071 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cgal, ruby-rails-html-sanitizer, and xfce4-settings), Red Hat (dbus, grub2, kernel, pki-core, and usbguard), Scientific Linux (pki-core), SUSE (bcel, LibVNCServer, and xen), and Ubuntu (ca-certificates and u-boot). --------------------------------------------- https://lwn.net/Articles/917208/ ∗∗∗ Cross-Site Scripting in Handy Macros for Confluence (SYSS-2022-049) ∗∗∗ --------------------------------------------- Durch eine Cross-Site Scripting-Schwachstelle im "Handy Tip"-Makro in Handy Macros for Confluence kann ausführbarer Schadcode in Seiten eingebaut werden. --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-scripting-in-handy-macros-for-c… ∗∗∗ K35253541: Java vulnerabilities CVE-2020-14779, CVE-2020-14781, CVE-2020-14782, CVE-2020-14797 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35253541 ∗∗∗ K71522481: Java vulnerability CVE-2021-2163 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71522481 ∗∗∗ Sprecher SPRECON-E-C/-E-P/-E-T3: Schwachstelle in der Firmwareverifikation ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2022
by Daily end-of-shift report 06 Dec '22

06 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Montag 05-12-2022 18:00 − Dienstag 06-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers hijack Linux devices using PRoot isolated filesystems ∗∗∗ --------------------------------------------- Hackers are abusing the open-source Linux PRoot utility in BYOF (Bring Your Own Filesystem) attacks to provide a consistent repository of malicious tools that work on many Linux distributions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-linux-devices… ∗∗∗ Sneaky hackers reverse defense mitigations when detected ∗∗∗ --------------------------------------------- A financially motivated threat actor is hacking telecommunication service providers and business process outsourcing firms, actively reversing defensive mitigations applied when the breach is detected. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sneaky-hackers-reverse-defen… ∗∗∗ Mirai Botnet and Gafgyt DDoS Team Up Against SOHO Routers., (Tue, Dec 6th) ∗∗∗ --------------------------------------------- Since 2014, self-replicating variants of DDoS attacks against routers and Linux-based IoT devices have been rampant. Gafgyt botnets target vulnerable IoT devices and use them to launch large-scale distributed denial-of-service attacks. SOHO and IoT devices are ubiquitous, less likely to have secure configurations or routine patches, and more likely to be at the internet edge. --------------------------------------------- https://isc.sans.edu/diary/rss/29304 ∗∗∗ Building A Virtual Machine inside ChatGPT ∗∗∗ --------------------------------------------- Did you know, that you can run a whole virtual machine inside of ChatGPT? --------------------------------------------- https://www.engraved.blog/building-a-virtual-machine-inside/ ∗∗∗ Exploring Prompt Injection Attacks ∗∗∗ --------------------------------------------- Prompt Injection is a new vulnerability that is affecting some AI/ML models and, in particular, certain types of language models using prompt-based learning. --------------------------------------------- https://research.nccgroup.com/2022/12/05/exploring-prompt-injection-attacks/ ∗∗∗ Phishing-Mail „Erneut identifizieren“ im Namen der WKO ignorieren! ∗∗∗ --------------------------------------------- Unternehmerinnen und Unternehmer aufgepasst: Aktuell versenden Kriminelle Phishing-Mails im Namen der Wirtschaftskammer Österreich. Man spielt Ihnen vor, dass eine neuerliche Identifikation notwendig wäre. Ignorieren Sie die Nachricht, denn auf der verlinkten Website eingegebene Daten landen in den Händen Krimineller. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-erneut-identifizieren-… ∗∗∗ Vice Society: Profiling a Persistent Threat to the Education Sector ∗∗∗ --------------------------------------------- Vice Society, a ransomware gang, has been involved in high-profile activity against schools this year. --------------------------------------------- https://unit42.paloaltonetworks.com/vice-society-targets-education-sector/ ∗∗∗ Tractors vs. threat actors: How to hack a farm ∗∗∗ --------------------------------------------- Forget pests for a minute. Modern farms also face another – and more insidious – breed of threat. --------------------------------------------- https://www.welivesecurity.com/2022/12/05/tractors-threat-actors-how-hack-f… ===================== = Vulnerabilities = ===================== ∗∗∗ NETGEAR Nighthawk WiFi6 Router Network Misconfiguration ∗∗∗ --------------------------------------------- A network misconfiguration is present in versions prior to 1.0.9.90 of the NETGEAR RAX30 AX2400 series of routers. --------------------------------------------- https://www.tenable.com/security/research/tra-2022-36 ∗∗∗ Patchday: Schadcode über Bluetooth auf Android-Geräte schieben ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android 10, 11, 12, 12L und 13. Google hat unter anderem vier kritische Lücken geschlossen. --------------------------------------------- https://heise.de/-7367211 ∗∗∗ Virenschutz: Rechteausweitung durch Schwachstelle in AVG und Avast ∗∗∗ --------------------------------------------- Die Virenscanner von AVG und Avast hätten Angreifern ermöglichen können, ihre Rechte im System auszuweiten. Updates zum Beheben des Fehlers sind verfügbar. --------------------------------------------- https://heise.de/-7367529 ∗∗∗ Schwachstelle in Trend Micros Apex One ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Der Virenschutz Apex One von Trend Micro enthält Sicherheitslücken, durch die Angreifer ihre Rechte ausweiten oder Dateien auf dem System löschen lassen können. --------------------------------------------- https://heise.de/-7367824 ∗∗∗ Server-Wartung: Gefährliche BMC-Lücken könnte Supply-Chain-Attacken auslösen ∗∗∗ --------------------------------------------- Sicherheitsforscher sind unter anderem auf eine kritische Sicherheitslücke in Baseboard Management Controllern von American Megatrend gestoßen. --------------------------------------------- https://heise.de/-7367963 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Ubuntu (binutils and ca-certificates). --------------------------------------------- https://lwn.net/Articles/917080/ ∗∗∗ Schwachstelle in Citrix Workspace App for Windows ermöglicht Passwort-Klau ∗∗∗ --------------------------------------------- Der Hersteller Citrix warnt seit September 2022 vor einiger Schwachstelle in seiner Citrix Workspace App. --------------------------------------------- https://www.borncity.com/blog/2022/12/06/schwachstelle-in-citrix-workspace-… ∗∗∗ Vulnerability Spotlight: NVIDIA driver memory corruption vulnerabilities discovered ∗∗∗ --------------------------------------------- Cisco Talos recently discovered two memory corruption vulnerabilities in shader functionality of an NVIDIA driver. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-nvidia-driver-me… ∗∗∗ Multiple critical vulnerabilities in ILIAS eLearning platform ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… ∗∗∗ XSA-424 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-424.html ∗∗∗ XSA-423 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-423.html ∗∗∗ Edge 108.0.1462.42 als Sicherheitsupdate ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/12/06/edge-108-0-1462-41-42-als-sicherhe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.12.2022
by Daily end-of-shift report 05 Dec '22

05 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-12-2022 18:00 − Montag 05-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BlackProxies proxy service increasingly popular among hackers ∗∗∗ --------------------------------------------- A new residential proxy market is becoming popular among hackers, cybercriminals, phishers, scalpers, and scammers, selling access to a million claimed proxy IP addresses worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackproxies-proxy-service-i… ∗∗∗ Hackers use new, fake crypto app to breach networks, steal cryptocurrency ∗∗∗ --------------------------------------------- The North Korean Lazarus hacking group is linked to a new attack spreading fake cryptocurrency apps under the made-up brand, "BloxHolder," to install the AppleJeus malware for initial access to networks and steal crypto assets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-new-fake-crypto-… ∗∗∗ If one sheep leaps over the ditch… ∗∗∗ --------------------------------------------- In this report, Kaspersky researchers discuss propagation methods of several ransomware families, and a vulnerable driver abuse case that may become a trend. --------------------------------------------- https://securelist.com/crimeware-report-ransomware-tactics-vulnerable-drive… ∗∗∗ OWASP Top 10 CI/CD Security Risks ∗∗∗ --------------------------------------------- This document helps defenders identify focus areas for securing their CI/CD ecosystem. It is the result of extensive research into attack vectors associated with CI/CD, and the analysis of high profile breaches and security flaws. --------------------------------------------- https://owasp.org/www-project-top-10-ci-cd-security-risks/ ∗∗∗ #StopRansomware: Cuba Ransomware Alert (AA22-335A) ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. --------------------------------------------- https://www.cisa.gov/uscert/ncas/alerts/aa22-335a ∗∗∗ CryWiper: Fake-Ransomware zerstört Daten insbesondere in Russland ∗∗∗ --------------------------------------------- Die Virenanalysten von Kaspersky haben den Schädling CryWiper entdeckt, der sich als Ransomware ausgibt, Daten aber unwiderbringlich zerstört. --------------------------------------------- https://heise.de/-7366160 ===================== = Vulnerabilities = ===================== ∗∗∗ Severe AMI MegaRAC flaws impact servers from AMD, ARM, HPE, Dell, others ∗∗∗ --------------------------------------------- Three vulnerabilities in the American Megatrends MegaRAC Baseboard Management Controller (BMC) software impact server equipment used in many cloud service and data center providers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/severe-ami-megarac-flaws-imp… ∗∗∗ Sicherheitsupdate: Schadcode könnte durch Sophos-Firewalls schlüpfen ∗∗∗ --------------------------------------------- Die Entwickler des Sicherheitssoftware-Anbieters Sophos haben in hauseigenen Firewalls sieben Sicherheitslücken geschlossen. Eine gilt als kritisch. --------------------------------------------- https://heise.de/-7366076 ∗∗∗ Sicherheitslücke: Codeschmuggel mit Ping in FreeBSD ∗∗∗ --------------------------------------------- Angreifer könnten FreeBSD mit manipulierten Ping-Anfragen zum Ausführen untergejubelten Schadcodes bringen. Aktualisierungen stehen bereit. --------------------------------------------- https://heise.de/-7366590 ∗∗∗ Notfall-Update: Zero-Day-Sicherheitslücke in Google Chrome unter Beschuss ∗∗∗ --------------------------------------------- Google hat ein ungeplantes Update für Chrome herausgegeben. Damit schließt der Hersteller eine Sicherheitslücke im Webbrowser, die derzeit angegriffen wird. --------------------------------------------- https://heise.de/-7365415 ∗∗∗ Veritas NetBackup: Update schließt teils kritische Scherheitslücken ∗∗∗ --------------------------------------------- In Veritas NetBackup Flex Scale und Access Appliance könnten Angreifer aus dem Netz ohne Anmeldung Befehle einschleusen. Hotfixes beheben die Fehler. --------------------------------------------- https://heise.de/-7365984 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (awstats, chromium, clamav, g810-led, giflib, http-parser, jhead, libpgjava, node-cached-path-relative, node-fetch, and vlc), Fedora (fastnetmon, kernel, librime, qpress, rr, thunderbird, and wireshark), Red Hat (kernel, kernel-rt, and kpatch-patch), Slackware (mozilla), SUSE (cherrytree and chromium), and Ubuntu (libbpf, libxml2, linux-gcp-5.15, linux-gke, linux-gke-5.15, and linux-gke). --------------------------------------------- https://lwn.net/Articles/916979/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.12.2022
by Daily end-of-shift report 02 Dec '22

02 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-12-2022 18:00 − Freitag 02-12-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Unpatched Redis servers targeted in new Redigo malware attacks ∗∗∗ --------------------------------------------- A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-redis-servers-targ… ∗∗∗ Samsung, Mediatek, LG: Android-Malware mit OEM-Zertifikaten signiert ∗∗∗ --------------------------------------------- Google hat Malware gefunden, die mit den Zertifikaten von Android-Herstellern signiert sind. Das kann für Systemberechtigungen genutzt werden. --------------------------------------------- https://www.golem.de/news/samsung-mediatek-lg-android-malware-mit-oem-zerti… ∗∗∗ obama224 distribution Qakbot tries .vhd (virtual hard disk) images, (Fri, Dec 2nd) ∗∗∗ --------------------------------------------- Qakbot (also called Qbot) is a long-running malware family that has seen wide-spread distribution through malicious spam (malspam) in recent years. During an infection, Qakbot performs different functions as an information stealer, backdoor, and malware downloader. --------------------------------------------- https://isc.sans.edu/diary/rss/29294 ∗∗∗ Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection ∗∗∗ --------------------------------------------- New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool. --------------------------------------------- https://thehackernews.com/2022/11/researchers-find-way-malicious-npm.html ∗∗∗ Flaws in GX Works3 Threaten Mitsubishi Electric Safety PLC Security ∗∗∗ --------------------------------------------- In this blog, we uncover three additional vulnerabilities that affect Mitsubishi Electric GX Works3, tracked under CVE-2022-29831, CVE-2022-29832, and CVE-2022-29833 (Mitsubishi Electric advisory 2022-015, CISA advisory ICSA-22-333-05), and that, in the worst-case scenario, may lead to the compromise of safety PLCs with the only requirement being the possession of associated GX Works3 project files. --------------------------------------------- https://www.nozominetworks.com/blog/flaws-in-gx-works3-threaten-mitsubishi-… ∗∗∗ Jetzt patchen! Angreifer attackieren Firewalls und Proxies von Fortinet ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor Attacken auf Firmen. Der Grund ist eine kritische Lücke in Fortinet-Produkten. --------------------------------------------- https://heise.de/-7364286 ∗∗∗ Wordpress: Attackiert schon während der Installation ∗∗∗ --------------------------------------------- Noch bevor das System live geht, haben Angreifer es oft unbemerkt mit Hintertüren versehen. Die stehen nämlich schon nach wenigen Minuten auf der Matte. --------------------------------------------- https://heise.de/-7364588 ∗∗∗ IBM Cloud Vulnerability Exposed Users to Supply Chain Attacks ∗∗∗ --------------------------------------------- IBM recently patched a vulnerability in IBM Cloud Databases for PostgreSQL that could have exposed users to supply chain attacks. The vulnerability has been named Hell’s Keychain by cloud security firm Wiz, whose researchers discovered the issue. It has been described by the company as a “first-of-its-kind supply-chain attack vector impacting a cloud provider’s infrastructure”. --------------------------------------------- https://www.securityweek.com/ibm-cloud-vulnerability-exposed-users-supply-c… ∗∗∗ Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges ∗∗∗ --------------------------------------------- Qualys’ Threat Research Unit has shown how a new Linux vulnerability could be chained with two other apparently harmless flaws to gain full root privileges on an affected system. --------------------------------------------- https://www.securityweek.com/three-innocuous-linux-vulnerabilities-chained-… ∗∗∗ Blowing Cobalt Strike Out of the Water With Memory Analysis ∗∗∗ --------------------------------------------- Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss the evasion tactics used by these threats, and other issues that make their analysis problematic. --------------------------------------------- https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/ ∗∗∗ Protecting major events: an incident response blueprint ∗∗∗ --------------------------------------------- Cisco Talos Incident Response (Talos IR) is sharing a white paper on the steps organizations should follow to secure any major event. These ten focus areas should help guide any organizing committee or participating businesses in preparation for securing such events. --------------------------------------------- https://blog.talosintelligence.com/protecting-major-events-an-incident-resp… ∗∗∗ Industry 4.0: CNC Machine Security Risks Part 2 ∗∗∗ --------------------------------------------- This three-part blog series explores the risks associated with CNC machines --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-p… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-12-01 ∗∗∗ --------------------------------------------- IBM Watson, IBM App Connect, Rational Functional Tester, IBM Security Guardium, IBM Cloud Object Storage Systems, IBM API Connect. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (snapd), Fedora (firefox, libetpan, ntfs-3g, samba, thunderbird, and xen), SUSE (busybox, emacs, and virt-v2v), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-hwe, linux-gcp, linux-hwe, linux-oracle, and tiff). --------------------------------------------- https://lwn.net/Articles/916658/ ∗∗∗ BD BodyGuard Pumps ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-335-01 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-335-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.12.2022
by Daily end-of-shift report 01 Dec '22

01 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-11-2022 18:00 − Donnerstag 01-12-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Windows malware scans victims’ mobile phones for data to steal ∗∗∗ --------------------------------------------- Security researchers found a previously unknown backdoor they call Dophin thats been used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-windows-malware-scans-vi… ∗∗∗ New DuckLogs malware service claims having thousands of ‘customers’ ∗∗∗ --------------------------------------------- A new malware-as-a-service (MaaS) operation named DuckLogs has emerged, giving low-skilled attackers easy access to multiple modules to steal information, log key strokes, access clipboard data, and remote access to the compromised host. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ducklogs-malware-service… ∗∗∗ Making unphishable 2FA phishable ∗∗∗ --------------------------------------------- One of the huge benefits of WebAuthn is that it makes traditional phishing attacks impossible. But what if there was a mechanism for an attacker to direct a user to a legitimate login page, resulting in a happy WebAuthn flow, and obtain valid credentials for that user anyway? --------------------------------------------- https://mjg59.dreamwidth.org/62175.html ∗∗∗ Whats the deal with these router vulnerabilities?, (Thu, Dec 1st) ∗∗∗ --------------------------------------------- Earlier today, I was browser recently made public vulnerabilities for tomorrow's version of our @Risk newsletter. What stuck out was a set of about twenty vulnerabilities in Netgear and DLink routers. --------------------------------------------- https://isc.sans.edu/diary/rss/29288 ∗∗∗ Sirius XM flaw unlocks so-called smart cars thanks to code flaw ∗∗∗ --------------------------------------------- Telematics program doesn't just give you music, but a big security flaw Sirius XMs Connected Vehicle Services has fixed an authorization flaw that would have allowed an attacker to remotely unlock doors and start engines on connected cars knowing only the vehicle identification number (VIN). --------------------------------------------- https://www.theregister.com/2022/11/30/siriusxm_connected_cars_hacking/ ∗∗∗ l+f: Sicherheitsforscher legen aus Versehen gesamtes Botnet KmsdBot lahm ∗∗∗ --------------------------------------------- Wie ein Typo kriminellen Machenschaften das Handwerk legt. --------------------------------------------- https://heise.de/-7363007 ∗∗∗ Vorsicht, wenn Sie ein SMS von Amazon erhalten ∗∗∗ --------------------------------------------- Kriminelle geben sich als Amazon aus und versenden gefälschte Benachrichtigungen. Im SMS steht, dass Ihr Amazon-Konto vorübergehend gesperrt wurde und Sie Informationen aktualisieren müssen. Dafür sollten Sie auf einen Link klicken. Achtung: Der Link führt zu einer gefälschten Login-Seite. Kriminelle stehlen damit Ihre Benutzer- und Kreditkartendaten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-sie-ein-sms-von-amazon… ∗∗∗ LastPass-Kundendaten nach Hack eines Cloud-Speicherdiensts abgezogen (Nov. 2022) ∗∗∗ --------------------------------------------- Der Dienst LastPass informierte vor einigen Stunden seine Kunden, dass kürzlich "ungewöhnliche Aktivitäten" bei einem Cloud-Speicherdienst eines Drittanbieters entdeckt wurden. --------------------------------------------- https://www.borncity.com/blog/2022/12/01/lastpass-kundendaten-nach-hack-ein… ∗∗∗ Vulnerability Spotlight: Lansweeper directory traversal and cross-site scripting vulnerabilities ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several directory traversal and cross-site scripting vulnerabilities in Lansweeper. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-lansweeper-direc… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE bugs in Android remote keyboard apps with 2M installs ∗∗∗ --------------------------------------------- Three Android applications that allow users to use devices as remote keyboards for their computers have critical vulnerabilities that could expose key presses and enable remote code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-rce-bugs-in-android… ∗∗∗ IBM Security Bulletins 2022-11-30 ∗∗∗ --------------------------------------------- IBM API Connect, IBM MQ Operator and Queue manager container images, IBM Security Guardium, IBM Sterling Control Center, IBM Watson Discovery for IBM Cloud Pak for Data, IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps, IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (device-mapper-multipath, firefox, hsqldb, krb5, thunderbird, and xorg-x11-server), Debian (libraw), Fedora (freerdp and grub2), SUSE (bcel, emacs, glib2, glibc, grub2, nodejs10, and tomcat), and Ubuntu (linux-azure-fde and snapd). --------------------------------------------- https://lwn.net/Articles/916443/ ∗∗∗ Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-062 ∗∗∗ Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-061 ∗∗∗ Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-060 ∗∗∗ Horner Automation Remote Compact Controller ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-335-02 ∗∗∗ Replay Angriffe & Darstellung beliebiger Inhalte in Zhuhai Suny Technology ESL Tag / ETAG-TECH protocol (electronic shelf labels) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/replay-attacks-displa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.11.2022
by Daily end-of-shift report 30 Nov '22

30 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-11-2022 18:00 − Mittwoch 30-11-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ How Stuff Gets eXposed ∗∗∗ --------------------------------------------- Intel's Software Guard Extension (SGX) promises an isolated execution environment, protected from all software running on the machine. In the past few years, however, SGX has come under heavy fire, threatened by numerous side channel attacks. --------------------------------------------- https://sgx.fail/ ∗∗∗ Looting Microsoft Configuration Manager ∗∗∗ --------------------------------------------- Microsoft Endpoint Configuration Manager (CM), also known as System Center Configuration Manager (SCCM), is widely deployed by companies to manage their Windows environments. It enables simple enrollment of servers and workstations, distributing software and generic management of the Windows systems in the environment. --------------------------------------------- https://labs.withsecure.com/publications/looting-microsoft-configuration-ma… ∗∗∗ Was tun, wenn Sie in einem Fake-Shop bestellt haben? ∗∗∗ --------------------------------------------- Sie haben im Internet eingekauft. Das bestellte Produkt kommt aber nicht an, E-Mails an den vermeintlichen Shop bleiben unbeantwortet. Kommt Ihnen das bekannt vor, haben Sie wahrscheinlich in einem Fake-Shop eingekauft. Wir zeigen Ihnen, was Sie tun können, wenn Sie in die Shopping-Falle getappt sind. --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-sie-in-einem-fake-shop-… ∗∗∗ Industry 4.0: CNC Machine Security Risks Part 1 ∗∗∗ --------------------------------------------- This three-part blog series explores the risks associated with CNC machines. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/k/cnc-machine-security-risks-p… ===================== = Vulnerabilities = ===================== ∗∗∗ NVIDIA releases GPU driver update to fix 29 security flaws ∗∗∗ --------------------------------------------- NVIDIA has released a security update for its GPU display driver for Windows, containing a fix for a high-severity flaw that threat actors can exploit to perform, among other things, code execution and privilege escalation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nvidia-releases-gpu-driver-u… ∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-22-333-01 Mitsubishi Electric GOT2000 * ICSA-22-333-02 Hitachi Energys IED Connectivity Packages and PCM600 Products * ICSA-22-333-03 Hitachi Energys MicroSCADA ProX SYS600 Products * ICSA-22-333-04 Moxa UC Series * ICSA-22-333-05 Mitsubishi Electric FA Engineering Software * ICSA-21-334-02 Mitsubishi MELSEC and MELIPC Series (Update E) * ICSA-19-346-02 Omron PLC CJ --------------------------------------------- https://www.cisa.gov/uscert/ncas/current-activity/2022/11/29/cisa-releases-… ∗∗∗ Kritische Sicherheitslücke in VLC Media Player ∗∗∗ --------------------------------------------- Ein Update steht für den VLC Media Player bereit, mit dem die Entwickler unter anderem eine kritische Sicherheitslücke schließen. --------------------------------------------- https://heise.de/-7362049 ∗∗∗ Webbrowser Chrome 108 dichtet 28 Sicherheitslücken ab ∗∗∗ --------------------------------------------- Das Update auf den Webbrowser Chrome 108 liefert im Wesentlichen Fehlerkorrekturen, die 28 Schwachstellen schließen. --------------------------------------------- https://heise.de/-7361154 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (krb5), Fedora (galera, mariadb, and mingw-python3), Red Hat (389-ds:1.4, kernel, kernel-rt, kpatch-patch, krb5, and usbguard), Scientific Linux (krb5), Slackware (kernel), SUSE (binutils, dbus-1, exiv2, freerdp, git, java-1_8_0-ibm, kernel, libarchive, libdb-4_8, libmspack, nginx, opencc, python, python3, rxvt-unicode, sudo, supportutils, systemd, vim, and webkit2gtk3), and Ubuntu (bind9, gnutls28, libsamplerate, linux-gcp-5.4, perl, pixman, shadow, [...] --------------------------------------------- https://lwn.net/Articles/916346/ ∗∗∗ Delta Electronics Patches Serious Flaws in Industrial Networking Devices ∗∗∗ --------------------------------------------- Taiwan-based Delta Electronics has patched potentially serious vulnerabilities in two of its industrial networking products. The flaws were identified by researchers at CyberDanube, a new industrial cybersecurity company based in Austria, in Delta’s DX-2100-L1-CN 3G cloud router and the DVW-W02W2-E2 industrial wireless access point. --------------------------------------------- https://www.securityweek.com/delta-electronics-patches-serious-flaws-indust… ∗∗∗ Developers Warned of Critical Remote Code Execution Flaw in Quarkus Java Framework ∗∗∗ --------------------------------------------- Developers have been warned that the popular Quarkus framework is affected by a critical vulnerability that could lead to remote code execution. --------------------------------------------- https://www.securityweek.com/developers-warned-critical-remote-code-executi… ∗∗∗ Anker Eufy Door Bell Sicherheitskameras mit Schwachstellen, Daten werden in die Cloud übertragen, Homebase 2 hat auch Schwachstellen ∗∗∗ --------------------------------------------- Anker Eufy Door Bell-Sicherheitskameras werden auch in Deutschland verkauft. Ein Sicherheitsforscher hat nun verschiedene Sicherheitslücken in der Firmware der Eufy-Kameras gefunden. --------------------------------------------- https://www.borncity.com/blog/2022/11/30/anker-eufy-door-bell-sicherheitska… ∗∗∗ Drop What Youre Doing and Update iOS, Android, and Windows ∗∗∗ --------------------------------------------- https://www.wired.com/story/ios-android-windows-vulnerability-patches-novem… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in a Huawei Childrens Watch ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-iaviahcw-… ∗∗∗ Security Bulletin: A Kafka vulnerability affects IBM Operations Analytics Predictive Insights (CVE-2022-34917 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-kafka-vulnerability-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.4ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 – 2022.4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty profile affects IBM Operations Analytics Predictive Insights(CVE-2022-22393 CVE-2022-22476 CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Netty libraries affect IBM Operations Analytics Predictive Insights (CVE-2021-43797 CVE-2022-24823) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote authenticated attacker to execute arbitrary code on the system due to PostgreSQL (CVE-2022-2625) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Zahlreiche kritische Schwachstellen in Planet Enterprises Ltd - Planet eStream ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/multiple-critical-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2022
by Daily end-of-shift report 29 Nov '22

29 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 28-11-2022 18:00 − Dienstag 29-11-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Malicious Android app found powering account creation service ∗∗∗ --------------------------------------------- A fake Android SMS application, with 100,000 downloads on the Google Play store, has been discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-android-app-found-… ∗∗∗ Cyber-Threat Group Targets Critical RCE Vulnerability in Bleed You Campaign ∗∗∗ --------------------------------------------- More than 1,000 systems are exposed to a campaign hunting weak Windows servers and more. --------------------------------------------- https://www.darkreading.com/threat-intelligence/cyber-threat-weak-windows-s… ∗∗∗ Subdomain Enumeration with DNSSEC ∗∗∗ --------------------------------------------- In my previous blog post I described how subdomain enumeration and subdomain bruteforce in particular could be enhanced by taking DNS status code into account, rather than relying on the existence of A or AAAA records only. This follow-up post describes what techniques exist to enumerate subdomains in a DNSSEC-enabled zone and what countermeasures exist to prevent it. --------------------------------------------- https://www.securesystems.de/blog/subdomain-enumeration-with-DNSSEC/ ∗∗∗ Angreifer könnten Secure Boot auf bestimmten Acer-Notebooks deaktivieren ∗∗∗ --------------------------------------------- Acers Entwickler haben eine Sicherheitslücke geschlossen. Unter bestimmten Umständen könnten Angreifer UEFI-Einstellungen manipulieren. Updates sind in Sicht. --------------------------------------------- https://heise.de/-7359874 ∗∗∗ #InvisibleChallenge: Malware sucht Opfer mit TikTok-Challenge ∗∗∗ --------------------------------------------- Cyberkriminelle missbrauchen eine Nackt-Tanz-Challenge auf TikTok, um Opfer zum Installieren ihrer Malware zu bewegen. Diese solle einen Filter entfernen. --------------------------------------------- https://heise.de/-7360626 ∗∗∗ Pre-auth RCE in Oracle Fusion Middleware exploited in the wild (CVE-2021-35587) ∗∗∗ --------------------------------------------- A pre-authentication RCE flaw (CVE-2021-35587) in Oracle Access Manager (OAM) that has been fixed in January 2022 is being exploited by attackers in the wild, the Cybersecurity and Infrastructure Security Agency has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. --------------------------------------------- https://www.helpnetsecurity.com/2022/11/29/cve-2021-35587-exploited/ ∗∗∗ Project Zero Flags Patch Gap Problems on Android ∗∗∗ --------------------------------------------- Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to be tardy at delivering security fixes to Android-powered devices. --------------------------------------------- https://www.securityweek.com/project-zero-flags-patch-gap-problems-android ∗∗∗ Booking.com: Vorsicht vor gefälschten Angeboten ∗∗∗ --------------------------------------------- Sie haben auf Booking.com eine verlockende Unterkunft gefunden? Der Buchungsprozess verläuft aber nicht wie gewohnt? Vorsicht! Möglicherweise sind Sie auf ein betrügerisches Angebot gestoßen. Wenn Unterkunftgeber:innen Sie von Booking.com auf eine andere Website verweisen, handelt es sich um eine Betrugsmasche. Wir erklären Ihnen, worauf Sie achten sollten! --------------------------------------------- https://www.watchlist-internet.at/news/bookingcom-vorsicht-vor-gefaelschten… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-28 ∗∗∗ --------------------------------------------- Digital Certificate Manager for IBM i, IBM App Connect Enterprise Certified Container IntegrationServer operands, IBM Operations Analytics Predictive Insights, IBM Planning Analytics Workspace, IBM Sterling Connect:Direct for UNIX, IBM UrbanCode Deploy (UCD), IBM UrbanCode Deploy (UCD) Agents on zOS, IBM WebSphere Application Server Liberty, ISC BIND on IBM i --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ VMSA-2022-0029 ∗∗∗ --------------------------------------------- CVSSv3 Range: 3.3 CVE(s): CVE-2022-31693 Synopsis: VMware Tools for Windows update addresses a denial-of-service vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0029.html ∗∗∗ K11742512: BIND vulnerability CVE-2022-2795 ∗∗∗ --------------------------------------------- By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. --------------------------------------------- https://support.f5.com/csp/article/K11742512 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (frr, gerbv, mujs, and twisted), Fedora (nodejs and python-virtualbmc), Oracle (dotnet7.0, kernel, kernel-container, krb5, varnish, and varnish:6), SUSE (busybox, python3, tiff, and tomcat), and Ubuntu (harfbuzz). --------------------------------------------- https://lwn.net/Articles/916189/ ∗∗∗ Edge 107.0.1418.62 ∗∗∗ --------------------------------------------- Kurzer Nachtrag: Microsoft hat zum 28. November 2022 den Edge-Browser im Stable Stable Channel auf die Version 107.0.1418.52 aktualisiert. Ist ein Sicherheits-Update, welches gemäß den Release Notes die vom Chromium-Team berichtete Schwachstelle CVE-2022-4135 schließt. --------------------------------------------- https://www.borncity.com/blog/2022/11/29/edge-107-0-1418-62/ ∗∗∗ Festo: Incomplete documentation of remote accessible functions and protocols in Festo products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-041/ ∗∗∗ Festo: Multiple Festo products contain an unsafe default Codesys configuration ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-037/ ∗∗∗ Mitsubishi Electric GOT2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-333-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.11.2022
by Daily end-of-shift report 28 Nov '22

28 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-11-2022 18:00 − Montag 28-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Win32.Ransom.Conti / Crypto Logic Flaw ∗∗∗ --------------------------------------------- Conti ransomware FAILS to encrypt non PE files that have a ".exe" in the filename. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022110044 ∗∗∗ Bring Your Own Key — A Placebo? ∗∗∗ --------------------------------------------- BYOK was envisioned to reduce the risk of using a cloud service provider processing sensitive data, yet there are several deficiencies. --------------------------------------------- https://www.darkreading.com/cloud/bring-your-own-key-a-placebo- ∗∗∗ All You Need to Know About Emotet in 2022 ∗∗∗ --------------------------------------------- For 6 months, the infamous Emotet botnet has shown almost no activity, and now its distributing malicious spam. Lets dive into details and discuss all you need to know about the notorious malware to combat it. --------------------------------------------- https://thehackernews.com/2022/11/all-you-need-to-know-about-emotet-in.html ∗∗∗ Hacking Smartwatches for Spear Phishing ∗∗∗ --------------------------------------------- In this article we explain how to hack into a SmartWatch and show a custom text message. --------------------------------------------- https://cybervelia.com/?p=1380 ∗∗∗ Exploiting an N-day vBulletin PHP Object Injection Vulnerability ∗∗∗ --------------------------------------------- vBulletin is one of the most popular proprietary forum solutions over the Internet. It is used by some major websites, and according to the BuildWith website, vBulletin currently ranks at the second place on the Forum Software Usage Distribution in the Top 1 Million Sites, with over 2.000 websites using it among the “top 1 million”. --------------------------------------------- https://karmainsecurity.com/exploiting-an-nday-vbulletin-php-object-injecti… ∗∗∗ Poking a mobile hotspot ∗∗∗ --------------------------------------------- Ive been playing with an Orbic Speed, a relatively outdated device that only speaks LTE Cat 4, but the towers I can see from here are, uh, not well provisioned so throughput really isnt a concern (and refurbs are $18, so). As usual Im pretty terrible at just buying devices and using them for their intended purpose, and in this case it has the irritating behaviour that if theres a power cut and the battery runs out it doesnt boot again when power returns, so heres what Ive learned so far. --------------------------------------------- https://mjg59.dreamwidth.org/61725.html ∗∗∗ Vorsicht vor gefälschtem FinanzOnline-E-Mail ∗∗∗ --------------------------------------------- „Sie erhalten einen Betrag“ lautet der Betreff eines betrügerischen E-Mail, das angeblich von FinanzOnline kommt. Sie werden informiert, dass Sie eine Rückerstattung von 578,99 Euro erhalten. Um das Geld zu bekommen, müssen Sie auf den Link im E-Mail klicken. Vorsicht: Dieser führt auf eine gefälschte FinanzOnline-Seite. Kriminelle stehlen Ihre Daten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschtem-finanzonli… ∗∗∗ Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware ∗∗∗ --------------------------------------------- The intrusion began when a user double clicked a LNK file, which then executed encoded Powershell commands to download an Emotet DLL onto the computer. Once executed, Emotet setup a Registry Run Key to maintain persistence on the beachhead host. --------------------------------------------- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to… ∗∗∗ LockBit Ransomware Being Mass-distributed With Similar Filenames ∗∗∗ --------------------------------------------- The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames. --------------------------------------------- https://asec.ahnlab.com/en/42890/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, commons-configuration2, graphicsmagick, heimdal, inetutils, ini4j, jackson-databind, and varnish), Fedora (drupal7-i18n, grub2, kubernetes, and python-slixmpp), Mageia (botan, golang, kernel, kernel-linus, radare2/rizin, and xterm), Red Hat (krb5, varnish, and varnish:6), SUSE (busybox, chromium, erlang, exiv2, firefox, freerdp, ganglia-web, java-1_8_0-openj9, nodejs12, nodejs14, opera, pixman, python3, sudo, tiff, and xen), [...] --------------------------------------------- https://lwn.net/Articles/916135/ ∗∗∗ Cisco ISE Vulnerabilities Can Be Chained in One-Click Exploit ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow remote attackers to inject arbitrary commands, bypass existing security protections, or perform cross-site scripting (XSS) attacks. --------------------------------------------- https://www.securityweek.com/cisco-ise-vulnerabilities-can-be-chained-one-c… ∗∗∗ Google Projekt Zero legt Schwachstelle in Mali GPU offen, Millionen Android-Geräte betroffen ∗∗∗ --------------------------------------------- Google Sicherheitsforscher haben im Project Zero eine Schwachstelle (CVE-2022-33917) im Kerneltreiber der in vielen Android-Geräten mit ARM CPU verwendeten Mali GPU offen gelegt. --------------------------------------------- https://www.borncity.com/blog/2022/11/27/google-projekt-zero-legt-schwachst… ∗∗∗ Security Bulletin: IBM Maximo Mobile is vulnerable to Information Disclosure (CVE-2022-41732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-mobile-is-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to arbitrary code execution due to X-Force 237819 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ MISP v2.4.166 ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.166 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.11.2022
by Daily end-of-shift report 25 Nov '22

25 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-11-2022 18:00 − Freitag 25-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Docker Hub repositories hide over 1,650 malicious containers ∗∗∗ --------------------------------------------- Over 1,600 publicly available Docker Hub images hide malicious behavior, including cryptocurrency miners, embedded secrets that can be used as backdoors, DNS hijackers, and website redirectors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/docker-hub-repositories-hide… ∗∗∗ Redacted Documents Are Not as Secure as You Think ∗∗∗ --------------------------------------------- Popular redaction tools don’t always work as promised, and new attacks can reveal hidden information, researchers say. --------------------------------------------- https://www.wired.com/story/redact-pdf-online-privacy/ ∗∗∗ Alte Social-Media-Konten löschen: Sicherheit durch weniger eigener Daten im Netz ∗∗∗ --------------------------------------------- Ungenutzte Social-Media-Accounts beinhalten persönliche Daten und bergen Sicherheitsrisiken. Unser Ratgeber zeigt, wie Sie veraltete Konten finden und löschen. --------------------------------------------- https://heise.de/-7321954 ∗∗∗ UEFI-BIOS mit bekannt unsicherem Code gespickt ∗∗∗ --------------------------------------------- In einem BIOS-Update fanden Experten mehrere OpenSSL-Versionen, teils mit uralten Sicherheitslücken. Das wirft ein Schlaglicht auf Risiken von PC-Firmware. --------------------------------------------- https://heise.de/-7351884 ∗∗∗ Word Documents Disguised as Normal MS Office URLs Being Distributed ∗∗∗ --------------------------------------------- Recently, there has been a case of malware disguised as a Word document being distributed through certain paths (e.g. KakaoTalk group chats). The ASEC analysis team has discovered during our additional monitoring process that the URL used in the fake Word document is becoming very cleverly disguised to closely resemble the normal URL, and we wish to advise caution on the part of users. --------------------------------------------- https://asec.ahnlab.com/en/42554/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox), Mageia (dropbear, freerdp, java, libx11, and tumbler), Slackware (ruby), SUSE (erlang, grub2, libdb-4_8, and tomcat), and Ubuntu (exim4, jbigkit, and tiff). --------------------------------------------- https://lwn.net/Articles/915984/ ∗∗∗ Chrome 107.0.5304.121/122 Sicherheitsupdates ∗∗∗ --------------------------------------------- Google hat zum 24. November 2022 einen Schwung an Sicherheitsupdates des Google Chrome im 107er Zweig im Stable Channel für Mac, Linux und Windows sowie für Android freigegeben. Es werden dabei bereits ausgenutzte Schwachstellen geschlossen. --------------------------------------------- https://www.borncity.com/blog/2022/11/25/chrome-107-0-5304-121-122-sicherhe… ∗∗∗ Canon: Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers (CVE-2022-43608) – 25 November 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2021-41041) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.11.2022
by Daily end-of-shift report 24 Nov '22

24 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-11-2022 18:00 − Donnerstag 24-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Investigating a backdoored PyPi package targeting FastAPI applications ∗∗∗ --------------------------------------------- On November 23rd, 2022, the Datadog Security Labs team identified a utility Python package on PyPI related to FastAPI, fastapi-toolkit, that has likely been compromised by a malicious actor. --------------------------------------------- https://securitylabs.datadoghq.com/articles/malicious-pypi-package-fastapi-… ∗∗∗ THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies ∗∗∗ --------------------------------------------- In this threat alert, the Cybereason team describes one attack scenario that started from a QBot infection, resulting in multiple key machines loading Cobalt Strike, which finally led to the global deployment of Black Basta ransomware. --------------------------------------------- https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and… ∗∗∗ MSI Afterburner: Vorsicht vor Fake-Software mit Trojaner im Gepäck ∗∗∗ --------------------------------------------- Immer wieder versuchen Kriminelle Opfern Schadcode unter dem Deckmantel von legitimen Tools, wie aktuell dem GPU-Tool MSI Afterburner, unterzuschieben. --------------------------------------------- https://heise.de/-7351380 ∗∗∗ In eine Phishing-Falle getappt? Das können Sie tun: ∗∗∗ --------------------------------------------- Wurden Sie über ein betrügerisches E-Mail oder SMS auf eine gefälschte Login-Seiten gelockt? Haben Sie dort Ihre Daten eingetippt? Dann haben Kriminelle Zugriff auf Ihr Konto. Wir zeigen Ihnen, was Sie tun können, wenn Sie Ihre Benutzerdaten preisgegeben haben. --------------------------------------------- https://www.watchlist-internet.at/news/in-eine-phishing-falle-getappt-das-k… ∗∗∗ Neue Betrugsmasche: Kriminelle stehlen Kreditkartendaten und hinterlegen sie für Apple Pay ∗∗∗ --------------------------------------------- Kriminelle erschleichen sich mit Phishing-Nachrichten per SMS oder E-Mail Kreditkartendaten und hinterlegen diese für Apple Pay. Betroffene werden dann unter falschen Vorwänden verleitet, den Aktivierungscode für Apple Pay an die Kriminellen weiterzugeben. --------------------------------------------- https://www.watchlist-internet.at/news/neue-betrugsmasche-kriminelle-stehle… ∗∗∗ Bahamut cybermercenary group targets Android users with fake VPN apps ∗∗∗ --------------------------------------------- Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram. --------------------------------------------- https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targ… ∗∗∗ IBM: RansomExx becomes latest ransomware group to create Rust variant ∗∗∗ --------------------------------------------- The RansomExx ransomware group has become the latest gang to create a variant in the Rust programming language, according to IBM Security X-Force Threat researchers. --------------------------------------------- https://therecord.media/ibm-ransomexx-becomes-latest-ransomware-group-to-cr… ===================== = Vulnerabilities = ===================== ∗∗∗ TP-Link RE300 V1 tdpServer vulnerable to improper processing of its input ∗∗∗ --------------------------------------------- tdpServer of TP-Link RE300 V1 improperly processes its input, possibly resulting to crash. --------------------------------------------- https://jvn.jp/en/jp/JVN29657972/ ∗∗∗ Security update available in Foxit PDF Editor for Mac 11.1.4 ∗∗∗ --------------------------------------------- Foxit has released Foxit PDF Editor for Mac 11.1.4, which addresses potential security and stability issues. --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ SolarWinds Security Advisories 2022-11-22 ∗∗∗ --------------------------------------------- SolarWinds published 7 Security Advisories (3 High, 1 Medium, 3 Low Severity). --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (vim), Fedora (drupal7-context, drupal7-link, firefox, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (container-tools:ol8, device-mapper-multipath, dotnet7.0, firefox, hsqldb, keylime, podman, python3.9, python39:3.9, thunderbird, and xorg-x11-server), SUSE (exiv2-0_26, keylime, libarchive, net-snmp, nginx, opensc, pixman, python-joblib, strongswan, and webkit2gtk3), and Ubuntu (expat, imagemagick, mariadb-10.3, mariadb-10.6, [...] --------------------------------------------- https://lwn.net/Articles/915929/ ∗∗∗ Security Bulletin: IBM Sterling Control Center vulnerable to multiple issues to due IBM Cognos Analystics (CVE-2022-4160, CVE-2021-3733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service due to Websphere Liberty (CVE-2022-24839) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to HTTP header injection due to Websphere Liberty (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affects Cloud Pak System [CVE-2021-28167] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to unauthenticated data manipulation due to Java SE (CVE-2021-2163) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: For IBM Cloudpak for Watson AIOPS 3.5.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-for-ibm-cloudpak-for-wats… ∗∗∗ Security Bulletin: Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-mari… ∗∗∗ Pilz: PAS 4000 prone to ZipSlip ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-045/ ∗∗∗ Pilz: Multiple products affected by ZipSlip ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-044/ ∗∗∗ Pilz: PASvisu and PMI affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-033/ ∗∗∗ 2022-18Multiple vulnerabilities in BAT-C2 ∗∗∗ --------------------------------------------- https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15087-sour… ∗∗∗ 2022-21Authenticated Command Injection in Hirschmann BAT-C2 ∗∗∗ --------------------------------------------- https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-sour… ∗∗∗ 2022-20TinyXML vulnerability in Hirschmann HiLCOS products ∗∗∗ --------------------------------------------- https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15089-sour… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.11.2022
by Daily end-of-shift report 23 Nov '22

23 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-11-2022 18:00 − Mittwoch 23-11-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Backdoored Chrome extension installed by 200,000 Roblox players ∗∗∗ --------------------------------------------- Chrome browser extension SearchBlox installed by more than 200,000 users has been discovered to contain a backdoor that can steal your Roblox credentials as well as your assets on Rolimons, a Roblox trading platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/backdoored-chrome-extension-… ∗∗∗ Ducktail Malware Operation Evolves with New Malicious Capabilities ∗∗∗ --------------------------------------------- The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign."The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victims Facebook account," ... --------------------------------------------- https://thehackernews.com/2022/11/ducktail-malware-operation-evolves-with.h… ∗∗∗ Mind the Gap ∗∗∗ --------------------------------------------- Note: The vulnerabilities discussed in this blog post (CVE-2022-33917) are fixed by the upstream vendor, but at the time of publication, these fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo and others). Devices with a Mali GPU are currently vulnerable. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html ∗∗∗ Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice ∗∗∗ --------------------------------------------- In September 2022, Proofpoint researchers identified initial delivery of a penetration testing framework called Nighthawk. Launched in late 2021 by MDSec, Nighthawk is similar to other frameworks such as Brute Ratel and Cobalt Strike and, like those, could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pent… ∗∗∗ Kritische Infrastruktur: EU-Richtlinie nimmt Betreiber in die Pflicht ∗∗∗ --------------------------------------------- Das EU-Parlament hat eine Richtlinie zur Resilienz kritischer Einrichtungen beschlossen. Sie gilt für elf Branchen. Manche Betreiber sind besonders wichtig. --------------------------------------------- https://heise.de/-7349574 ∗∗∗ Google will Missbrauch des Pentesting-Tools Cobalt Strike eindämmen ∗∗∗ --------------------------------------------- Damit Admins Netzwerk-Attacken durch Cobalt-Strike-Missbrauch besser erkennen können, hat Google unter anderem Erkennungsregeln auf Yara-Basis veröffentlicht. --------------------------------------------- https://heise.de/-7349813 ∗∗∗ Standard für maschinenlesbare Sicherheitshinweise verabschiedet ∗∗∗ --------------------------------------------- Das Common Security Advisory Framework soll Administratoren die Arbeit erleichtern und aktuelle Sicherheitsinformationen leichter auffindbar machen. --------------------------------------------- https://heise.de/-7350491 ∗∗∗ Angriffe auf Boa Web Server gefährden IoT ∗∗∗ --------------------------------------------- Anfällige SDK-Komponenten führen zu Lieferkettenrisiken in IoT- und OT-Umgebungen, insbesondere durch den veralteten Boa Web Server, warnt Microsoft Security Threat Intelligence (MSTI). --------------------------------------------- https://www.zdnet.de/88405186/angriffe-auf-boa-web-server-gefaehrden-iot/ ∗∗∗ Web Application Firewalls umgehen ∗∗∗ --------------------------------------------- Web Application Firewalls (WAFs) sind beliebte Infrastrukturkomponenten, die verwendet werden, um Angriffe auf Webanwendungen zu erschweren. Was bieten WAFs wirklich? Können sie auch nur theoretisch perfekt sein, um jede Art von Webangriff zu verhindern? Lassen Sie uns WAFs entmystifizieren! --------------------------------------------- https://certitude.consulting/blog/de/web-application-firewalls-umgehen/ ∗∗∗ CVE-2022-23088: Exploiting a Heap Overflow in the FreeBSD Wi-Fi Stack ∗∗∗ --------------------------------------------- In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of FreeBSD Kernel. [..] The researcher has graciously provided this detailed write-up of the vulnerability and a proof-of-concept exploit demonstrating the bug. --------------------------------------------- https://www.thezdi.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-over… ∗∗∗ CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched SQL injection vulnerability in Zoho ManageEngine products. --------------------------------------------- https://www.thezdi.com/blog/2022/11/22/cve-2022-40300-sql-injection-in-mana… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-22 ∗∗∗ --------------------------------------------- IBM Operations Analytics, IBM QRadar, IBM SDK, IBM Sterling Connect, Rational Service Tester, Rational Performance Tester, IBM HTTP Server, IBM Security Verify Governance, IBM InfoSphere DataStage, IBM Cloud Pak for Security --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitslücke in HPE-Switches OfficeConnect gefährdet Netzwerke ∗∗∗ --------------------------------------------- Angreifer könnten Switches von Hewlett Packard Enterprise attackieren. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-7350116 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (heimdal, libarchive, and nginx), Fedora (varnish-modules and xterm), Red Hat (firefox), Scientific Linux (firefox, hsqldb, and thunderbird), SUSE (Botan, colord, containerized-data-importer, ffmpeg-4, java-1_8_0-ibm, krb5, nginx, redis, strongswan, tomcat, and xtrabackup), and Ubuntu (apr-util, freerdp2, and sysstat). --------------------------------------------- https://lwn.net/Articles/915802/ ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- Original release date: November 22, 2022CISA has released eight (8) Industrial Control Systems (ICS) advisories on 22 November 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. - ICSA-22-326-01 AVEVA Edge - ICSA-22-326-02 Digital Alert Systems DASDEC - ICSA-22-326-03 Phoenix Contact Automation Worx - ICSA-22-326-04 GE Cimplicity - ICSA-22-326-05 Moxa Multiple ARM-Based Computers - ICSMA-21-152-01 Hillrom Medical Device Management (Update C) - ICSA-20-212-04 Mitsubishi Electric Factory Automation Engineering Products (Update I) - ICSA-21-049-02 Mitsubishi Electric FA Engineering Software Products (Update G) --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/11/22/cisa-releases-eig… ∗∗∗ WordPress BeTheme 26.5.1.4 PHP Object Injection ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022110040 ∗∗∗ Security Advisory - Improper Input Validation Vulnerability in a Huawei Childrens Watch ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-iivviahcw… ∗∗∗ Security Advisory - Insufficient Authentication Vulnerability in some Huawei Band Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20221130-… ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247053-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2022
by Daily end-of-shift report 22 Nov '22

22 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 21-11-2022 18:00 − Dienstag 22-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Google Chrome extension used to steal cryptocurrency, passwords ∗∗∗ --------------------------------------------- An information-stealing Google Chrome browser extension named VenomSoftX is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-chrome-extension-used… ∗∗∗ Android file manager apps infect thousands with Sharkbot malware ∗∗∗ --------------------------------------------- A new collection of malicious Android apps posing as harmless file managers had infiltrated the official Google Play app store, infecting users with the Sharkbot banking trojan. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-file-manager-apps-in… ∗∗∗ ICS cyberthreats in 2023 – what to expect ∗∗∗ --------------------------------------------- The coming year looks to be much more complicated. In the post we share some of our thoughts on potential developments of 2023, though we cannot claim to be providing either a complete picture or a high degree of precision. --------------------------------------------- https://securelist.com/ics-cyberthreats-in-2023/108011/ ∗∗∗ Crimeware and financial cyberthreats in 2023 ∗∗∗ --------------------------------------------- This report assesses how accurately we predicted the developments in the financial threats landscape in 2022 and ponder at what to expect in 2023. --------------------------------------------- https://securelist.com/crimeware-financial-cyberthreats-2023/108005/ ∗∗∗ Log4Shell campaigns are using Nashorn to get reverse shell on victims machines, (Mon, Nov 21st) ∗∗∗ --------------------------------------------- Almost one year later, Log4Shell attacks are still alive and making victims. --------------------------------------------- https://isc.sans.edu/diary/rss/29266 ∗∗∗ Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware ∗∗∗ --------------------------------------------- A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of campaigns designed to steal sensitive information from compromised hosts. --------------------------------------------- https://thehackernews.com/2022/11/researchers-warn-of-cyber-criminals.html ∗∗∗ Werbung für beheizbare Jacken auf TikTok ∗∗∗ --------------------------------------------- Haben Sie beim Durchscrollen von TikTok Werbung für eine beheizbare Jacke gesehen? Dann sind Sie wohl über die Marke „Mont Gerrard“ gestolpert. Die Jacken dürften bei TikTok-Nutzer:innen sehr beliebt sein, denn es gibt bereits Fake-Shops, die die Jacken zu einem günstigeren Preis anbieten und auf TikTok und Instagram bewerben. --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-beheizbare-jacken-auf-t… ∗∗∗ Vulnerability Spotlight: Callback Technologies CBFS Filter denial-of-service vulnerabilities ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three denial-of-service vulnerabilities in Callback Technologies CBFS Filter. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-callback-technol… ∗∗∗ What is EPSS? A new rating system for vulnerabilities to replace CVSS. ∗∗∗ --------------------------------------------- LunaSec Security Researchers give a quick look at the EPSS scoring system, a new rating system for vulnerabilities that aims to replace CVSS. --------------------------------------------- https://www.lunasec.io/docs/blog/what-is-epss ===================== = Vulnerabilities = ===================== ∗∗∗ Attacken auf Backuplösung IBM Spectrum Protect Plus Container Backup möglich ∗∗∗ --------------------------------------------- Sicherheitslücken in der Programmiersprache Golang Go bedrohen IBM-Software. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7348556 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ntfs-3g), Fedora (krb5 and samba), Gentoo (firefox-bin, ghostscript-gpl, pillow, sudo, sysstat, thunderbird-bin, and xterm), Red Hat (firefox, hsqldb, and thunderbird), SUSE (cni, cni-plugins, and krb5), and Ubuntu (isc-dhcp and sqlite3). --------------------------------------------- https://lwn.net/Articles/915708/ ∗∗∗ BMC Firmware Vulnerabilities Expose OT, IoT Devices to Remote Attacks ∗∗∗ --------------------------------------------- Researchers at industrial cybersecurity firm Nozomi Networks have discovered more than a dozen vulnerabilities in baseboard management controller (BMC) firmware. --------------------------------------------- https://www.securityweek.com/bmc-firmware-vulnerabilities-expose-ot-iot-dev… ∗∗∗ ZDI-22-1615: TP-Link TL-WR940N httpd Incorrect Implementation of Authentication Algorithm Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1615/ ∗∗∗ ZDI-22-1614: TP-Link TL-WR940N httpd Use of Insufficiently Random Values Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1614/ ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to use of dom4j (CVE-2018-1000632) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: Potential Vulnerability in Apache HttpClient used by Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i… ∗∗∗ Security Bulletin: Vulnerability from Apache Kafka affect IBM Operations Analytics – Log Analysis (CVE-2018-17196) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache… ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis susceptible to vulnerability in Apache Tika (CVE-2022-25169) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Vulnerabilities in SnakeYAML used by Logstash affects IBM Operations Analytics – Log Analysis (CVE-2022-25857, CVE-2017-18640) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-snakey… ∗∗∗ Security Bulletin: IBM DataPower Gateway does not invalidate active sessions on a password change (CVE-2022-40228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-doe… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM DataPower Gateway potentially vulnerable to HTTP request smuggling ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-pot… ∗∗∗ Security Bulletin: Vulnerability in Bouncy Castle used by Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2017-13098) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bouncy-c… ∗∗∗ Vulnerability Summary for the Week of November 14, 2022 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/bulletins/sb22-325 ∗∗∗ Advisory: Impact of Vulnerability in WIBU CodeMeter Runtime to B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16677451… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.11.2022
by Daily end-of-shift report 21 Nov '22

21 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-11-2022 18:00 − Montag 21-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New AxLocker ransomware encrypts files, then steals your Discord account ∗∗∗ --------------------------------------------- The new AXLocker ransomware family is not only encrypting victims files and demanding a ransom payment but also stealing the Discord accounts of infected users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-axlocker-ransomware-encr… ∗∗∗ Apps with over 3 million installs leak Admin search API keys ∗∗∗ --------------------------------------------- Researchers discovered 1,550 mobile apps leaking Algolia API keys, risking the exposure of sensitive internal services and stored user information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apps-with-over-3-million-ins… ∗∗∗ Google releases 165 YARA rules to detect Cobalt Strike attacks ∗∗∗ --------------------------------------------- The Google Cloud Threat Intelligence team has open-sourced YARA Rules and a VirusTotal Collection of indicators of compromise (IOCs) to help defenders detect Cobalt Strike components in their networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-releases-165-yara-rul… ∗∗∗ McAfee Fake Antivirus Phishing Campaign is Back!, (Sat, Nov 19th) ∗∗∗ --------------------------------------------- Yesterday I received this email that my McAfee antivirus subscription is expired and that my computer is already infected with 5 viruses (how do they know?). --------------------------------------------- https://isc.sans.edu/diary/rss/29264 ∗∗∗ Vulnerable Code Snippets ∗∗∗ --------------------------------------------- YesWeHack present code snippets containing several different vulnerabilities to practice your code analysis. The code snippets are beginner friendly but suitable for all levels! --------------------------------------------- https://github.com/yeswehack/vulnerable-code-snippets ∗∗∗ A Confused Deputy Vulnerability in AWS AppSync ∗∗∗ --------------------------------------------- We have identified a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync. This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts. --------------------------------------------- https://securitylabs.datadoghq.com/articles/appsync-vulnerability-disclosur… ∗∗∗ 5 free resources from the Cybersecurity and Infrastructure Security Agency (CISA) ∗∗∗ --------------------------------------------- To assist businesses in enhancing their security capabilities, CISA offers free cybersecurity products and services. --------------------------------------------- https://www.helpnetsecurity.com/2022/11/21/5-free-resources-cybersecurity-a… ∗∗∗ Gefälschtes SMS von Netflix droht mit Kontosperrung ∗∗∗ --------------------------------------------- Aktuell macht ein Netflix-SMS die Runde. Darin steht, dass Sie eine Rechnung nicht bezahlt haben. Daher droht man Ihnen mit einer Kontosperrung. Im SMS befindet sich auch ein Link. Klicken Sie nicht auf den Link, Kriminelle stehlen Ihre Netflix-Zugangsdaten. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-sms-von-netflix-droht-m… ∗∗∗ An AI Based Solution to Detecting the DoubleZero .NET Wiper ∗∗∗ --------------------------------------------- Unit 42 presents a machine learning model to predict maliciousness of .NET samples based on file structures, by analyzing the DoubleZero .NET wiper. --------------------------------------------- https://unit42.paloaltonetworks.com/doublezero-net-wiper/ ∗∗∗ Reputationsverlust durch Cyberangriffe ∗∗∗ --------------------------------------------- Die am meisten befürchteten Schäden durch Cyberangriffe sind finanzielle Schäden sowie Verlust von Reputation und Kundenvertrauen. Bei der Umsetzung von Cybersicherheitsmaßnahmen stehen jedoch Schutz von Geschäftskontinuität, Daten und Kunden im Vordergrund. --------------------------------------------- https://www.zdnet.de/88405082/reputationsverlust-durch-cyberangriffe/ ∗∗∗ Luna Moth: Erfolg mit Callback-Phishing ∗∗∗ --------------------------------------------- Die Luna Moth/Silent Ransom Kriminellen erbeuteten durch Callback-Phishing Hunderttausende von Euro, wie eine Analyse von Palo Alto Networks aufdeckt. --------------------------------------------- https://www.zdnet.de/88405109/luna-moth-erfolg-mit-callback-phishing/ ===================== = Vulnerabilities = ===================== ∗∗∗ Exploit released for actively abused ProxyNotShell Exchange bug ∗∗∗ --------------------------------------------- Proof-of-concept exploit code has been released online for two actively exploited and high-severity vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-activel… ∗∗∗ New attacks use Windows security bypass zero-day to drop malware ∗∗∗ --------------------------------------------- New phishing attacks use a Windows zero-day vulnerability to drop the Qbot malware without displaying Mark of the Web security warnings. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-secu… ∗∗∗ IBM Security Bulletins 2022-11-18 ∗∗∗ --------------------------------------------- Power HMC, InfoSphere Information Server, IBM Operations Analytics, IBM i Access Client Solutions, IBM DataPower Gateway, IBM Tivoli, IBM Spectrum Protect Plus --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick and krb5), Fedora (dotnet6.0, js-jquery-ui, kubernetes, and xterm), Gentoo (php and postgresql), Mageia (php-pear-CAS, sysstat, varnish, vim, and x11-server), Red Hat (thunderbird), SUSE (389-ds, binutils, dpkg, firefox, frr, grub2, java-11-openjdk, java-17-openjdk, kernel, kubevirt stack, libpano, nodejs16, openjpeg, php7, php74, pixman, python-Twisted, python39, rubygem-loofah, sccache, sudo, thunderbird, tor, and tumbler), [...] --------------------------------------------- https://lwn.net/Articles/915623/ ∗∗∗ PoC Code Published for High-Severity macOS Sandbox Escape Vulnerability ∗∗∗ --------------------------------------------- A security researcher has published details and proof-of-concept (PoC) code for a macOS vulnerability that could be exploited to escape a sandbox and execute code within Terminal. --------------------------------------------- https://www.securityweek.com/poc-code-published-high-severity-macos-sandbox… ∗∗∗ Typora fails to properly neutralize JavaScript code ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN26044739/ ∗∗∗ MISP 2.4.165 released with many improvements, bugs fixed and security fixes. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2022/11/21/MISP.2.4.165.released.html/ ∗∗∗ Miele: Vulnerability in ease2pay cloud service used by appWash ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-052/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.11.2022
by Daily end-of-shift report 18 Nov '22

18 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-11-2022 18:00 − Freitag 18-11-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zeppelin: Heimlich die Schlüssel einer Ransomware geknackt ∗∗∗ --------------------------------------------- Eine Sicherheitsfirma ist es gelungen die Ransomware Zeppelin zu knacken. Sie half heimlich mehreren Organisationen, wieder an ihre Daten zu gelangen. --------------------------------------------- https://www.golem.de/news/zeppelin-heimlich-die-schluessel-einer-ransomware… ∗∗∗ Security baseline for Microsoft Edge v107 ∗∗∗ --------------------------------------------- We have reviewed the settings in Microsoft Edge version 107 and updated our guidance with the addition of one new setting. We’re also highlighting three settings we would like you to consider based on your organizational needs. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Successful Hack of Time-Triggered Ethernet ∗∗∗ --------------------------------------------- Time-triggered Ethernet (TTE) is used in spacecraft, basically to use the same hardware to process traffic with different timing and criticality. Researchers have defeated it. --------------------------------------------- https://www.schneier.com/blog/archives/2022/11/successful-hack-of-time-trig… ∗∗∗ Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware ∗∗∗ --------------------------------------------- A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns. --------------------------------------------- https://www.securityweek.com/microsoft-warns-cybercrime-group-delivering-ro… ∗∗∗ CISA, NSA, and ODNI Release Guidance for Customers on Securing the Software Supply Chain ∗∗∗ --------------------------------------------- Today, CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI), published the third of a three-part series on securing the software supply chain: Securing Software Supply Chain Series - Recommended Practices Guide for Customers. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/11/17/cisa-nsa-and-odni… *** #StopRansomware: Hive Ransomware *** --------------------------------------------- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022. --------------------------------------------- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, firefox-esr, php-phpseclib, phpseclib, python-django, and thunderbird), Fedora (grub2, samba, and thunderbird), Mageia (firefox, sudo, systemd, and thunderbird), Slackware (freerdp), SUSE (firefox, go1.18, go1.19, kernel, openvswitch, python-Twisted, systemd, and xen), and Ubuntu (expat, git, multipath-tools, unbound, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/915378/ ∗∗∗ WordPress Plugin "WordPress Popular Posts" accepts untrusted external inputs to update certain internal variables ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN13927745/ ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis vulnerable to multiple vulnerabilities in Apache Tika (CVE-2022-30126, CVE-2022-33879, CVE-2022-30973) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel affect IBM Cloud Object Storage Systems (August 2022v2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: Rational Asset Analyzer is vulnerable to HTTP header injection (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: Vulnerabilities from log4j affect IBM Operations Analytics – Log Analysis (CVE-2019-17571, CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-22488 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Vulnerabilities from log4j-core-2.16.0.jar affect IBM Operations Analytics – Log Analysis (CVE-2021-44832, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4… ∗∗∗ Security Bulletin: Rational Asset Analyzer is vulnerable to denial of service due to GraphQL Java (CVE-2022-37734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: Potential vulnerability in Eclipse Jetty affects IBM Operations Analytics – Log Analysis (CVE-2022-2047) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by multiple vulnerabilities in libcurl (CVE-2022-42915, CVE-2022-42916, CVE-2022-32221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: IBM Transform Services for IBM i is vulnerable to denial of service, buffer overflow, and allowing attacker to obtain sensitive information due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transform-services-fo… ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2022
by Daily end-of-shift report 17 Nov '22

17 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-11-2022 18:00 − Donnerstag 17-11-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Evil Maid Attacks - Remediation for the Cheap, (Wed, Nov 16th) ∗∗∗ --------------------------------------------- The so-called evil maid attack is an attack against hardware devices utilizing hard- and/or software. It is carried out when the hardware is left unattended, e.g., in a hotel room when you're out for breakfast. The attacker manipulates the device in a malicious way. --------------------------------------------- https://isc.sans.edu/diary/rss/29256 ∗∗∗ WASP malware stings Python developers ∗∗∗ --------------------------------------------- Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers. Analysts at Checkmarx this week connected the same attacker to both reports and said the operator is still releasing malicious packages. --------------------------------------------- https://www.theregister.com/2022/11/16/wasp_python_malware_checkmarx/ ∗∗∗ Disneyland Malware Team: It’s a Puny World After All ∗∗∗ --------------------------------------------- A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic and Ukrainian. --------------------------------------------- https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-worl… ∗∗∗ Onlinebetrug-Simulator: Testen Sie Ihr Wissen zu Betrugsmaschen im Internet ∗∗∗ --------------------------------------------- Um Sie für die Gefahren von Fake-Shops und Phishing-Emails zu sensibilisieren und Sie im Bereich der Cyber-Sicherheit zu schulen, hat die AK Niederösterreich in Kooperation mit der Universität Wien den Onlinebetrug-Simulator ins Leben gerufen. --------------------------------------------- https://www.watchlist-internet.at/news/onlinebetrug-simulator-testen-sie-ih… ∗∗∗ Domain Controller gegen Angriffe absichern ∗∗∗ --------------------------------------------- Active Directory ist eine kritische Infrastruktur und sollte als solche behandelt werden. Aber wie sichert man als Administrator seine Domain Controller gegen Angriffe? --------------------------------------------- https://www.borncity.com/blog/2022/11/17/domain-controller-gegen-angriffe-a… ∗∗∗ Get a Loda This: LodaRAT meets new friends ∗∗∗ --------------------------------------------- LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta. Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality have been seen in the wild. --------------------------------------------- https://blog.talosintelligence.com/get-a-loda-this/ ===================== = Vulnerabilities = ===================== ∗∗∗ Schadcode-Attacken auf Bitbucket Server und Data Center möglich ∗∗∗ --------------------------------------------- Eine Sicherheitslücke bedroht mehrere Versionen von Atlassians Versionsverwaltungssoftware. --------------------------------------------- https://heise.de/-7343226 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (expat, xen, and xorg-x11-server), Oracle (kernel, kernel-container, qemu, xorg-x11-server, and zlib), Scientific Linux (xorg-x11-server), Slackware (firefox, krb5, samba, and thunderbird), SUSE (ant, apache2-mod_wsgi, jsoup, rubygem-nokogiri, samba, and tomcat), and Ubuntu (firefox and linux, linux-aws, linux-aws-hwe, linux-dell300x, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/915245/ ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/11/16/samba-releases-se… ∗∗∗ Security Bulletin: IBM Partner Engagement Manager is vulnerable to sensitive data exposure (CVE-2022-34354) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-partner-engagement-ma… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by a vulnerability [CVE-2022-31129] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: CVE-2022-3676 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2022-3676-may-affect-… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow – CVE-2022-38390 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM InfoSphere DataStage is vulnerable to a command injection vulnerability [CVE-2022-40752] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-… ∗∗∗ Security Bulletin: Tivoli Business Service Manager is vulnerable to cross-site scripting due to improper validation in Angular (CVE-2022-25869) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-business-service-m… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) is vulnerable to Insufficiently Protected LDAP Search Credentials ( CVE-2022-40751 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: Apache Tomcat could allow a remote attacker to obtain sensitive information (CVE-2021-43980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-tomcat-could-allow… ∗∗∗ Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2022/11/17/cve-2022-45163/ ∗∗∗ Red Lion Crimson ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-321-01 ∗∗∗ Cradlepoint IBR600 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-321-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.11.2022
by Daily end-of-shift report 16 Nov '22

16 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-11-2022 18:00 − Mittwoch 16-11-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Forscher erraten Passwörter via Wärmebild mit Machine Learning und KI ∗∗∗ --------------------------------------------- In einem Versuchsaufbau haben Sicherheitsforscher auf einer Tastatur eingetippte zwölfstellige Passwörter mit einer Erfolgsquote von 83 Prozent rekonstruiert. --------------------------------------------- https://heise.de/-7341957 ∗∗∗ ESET APT Activity Report T2 2022 ∗∗∗ --------------------------------------------- Ein Überblick über die Aktivitäten ausgewählter APT-Gruppen, die von ESET Research in T2 2022 untersucht und analysiert wurden. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/11/16/apt-activity-report-t2-20… ∗∗∗ Fake Black Friday Gewinnspiele auf WhatsApp und Instagram im Umlauf ∗∗∗ --------------------------------------------- Vorsicht vor betrügerischen Gewinnspielen rund um den Black Friday. Zahlreiche WhatsApp- und Instagram-Nutzer:innen erhalten aktuell betrügerische Nachrichten von Unbekannten, aber auch eigenen Kontakten, die beispielsweise Gewinnspiele im Namen Amazons bewerben. Achtung: Es handelt sich um einen Versuch, Sie in eine Abo-Falle zu locken. Folgen Sie keinen Links in solchen Nachrichten und geben Sie keine Kreditkartendaten bekannt! --------------------------------------------- https://www.watchlist-internet.at/news/fake-black-friday-gewinnspiele-auf-w… ∗∗∗ Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend ∗∗∗ --------------------------------------------- By now you have likely already heard about the in-the-wild exploitation of Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally submitted to the ZDI program by the researcher known as “DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC”. After successful validation, it was immediately submitted to Microsoft. They patched both bugs along with several other Exchange vulnerabilities in the November Patch Tuesday release. It is a beautiful chain, with an ingenious vector [...] --------------------------------------------- https://www.thezdi.com/blog/2022/11/14/control-your-types-or-get-pwned-remo… ∗∗∗ CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures ∗∗∗ --------------------------------------------- Rapid7 discovered several vulnerabilities and exposures in specific F5 BIG-IP and BIG-IQ devices in August 2022. Since then, members of our research team have worked with the vendor to discuss impact, resolution, and a coordinated response. --------------------------------------------- https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-418… ∗∗∗ Magento stores targeted in massive surge of TrojanOrders attacks ∗∗∗ --------------------------------------------- At least seven hacking groups are behind a massive surge in TrojanOrders attacks targeting Magento 2 websites, exploiting a vulnerability that allows the threat actors to compromise vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-m… ∗∗∗ Token tactics: How to prevent, detect, and respond to cloud token theft ∗∗∗ --------------------------------------------- As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-… ∗∗∗ Packet Tuesday: Network Traffic Analysis for the Whole Family, (Tue, Nov 15th) ∗∗∗ --------------------------------------------- A short while ago, I floated the idea of a weekly video series with short lessons about packets, protocols, and networks. Today, we are kicking of "Packet Tuesday". Packet Tuesday, as the name implies, will release a new video each Tuesday. We will discuss packets in detail. See the first two videos below. --------------------------------------------- https://isc.sans.edu/diary/rss/29252 ∗∗∗ New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques ∗∗∗ --------------------------------------------- Readers of this blog should already be familiar with SocGholish: a widespread, years-long malware campaign aimed at pushing fake browser updates to unsuspecting web users. Once installed, fake browser updates infect the victim’s computer with various types of malware including remote access trojans (RATs). SocGholish malware is often the first step in severe targeted ransomware attacks against corporations and other organizations. --------------------------------------------- https://blog.sucuri.net/2022/11/new-socgholish-malware-variant-uses-zip-com… ∗∗∗ Researchers Discover Hundreds of Amazon RDS Instances Leaking Users Personal Data ∗∗∗ --------------------------------------------- "Make sure when sharing a snapshot as public that none of your private information is included in the public snapshot," Amazon cautions in its documentation. "When a snapshot is shared publicly, it gives all AWS accounts permission both to copy the snapshot and to create DB instances from it." --------------------------------------------- https://thehackernews.com/2022/11/researchers-discover-hundreds-of-amazon.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Secure Email Gateway Malware Detection Evasion ∗∗∗ --------------------------------------------- This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time frame. As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threads publicly known. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022110021 ∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security protections, and conduct cross-site scripting attacks. For more information about these vulnerabilities, see the Details section of this advisory. Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grub2, nginx, and wordpress), Red Hat (389-ds-base, bind, buildah, curl, device-mapper-multipath, dnsmasq, dotnet7.0, dpdk, e2fsprogs, grafana-pcp, harfbuzz, ignition, Image Builder, kernel, keylime, libguestfs, libldb, libtiff, libvirt, logrotate, mingw-zlib, mutt, openjpeg2, podman, poppler, python-lxml, qt5, rsync, runc, samba, skopeo, toolbox, unbound, virt-v2v, wavpack, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), SUSE (389-ds, bluez, dhcp, freerdp, jackson-databind, kernel, LibVNCServer, libX11, nodejs12, nodejs16, php7, php8, python-Mako, python-Twisted, python310, sudo, systemd, and xen), and Ubuntu (mako). --------------------------------------------- https://lwn.net/Articles/915097/ ∗∗∗ RICOH Aficio SP 4210N vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN24659622/ ∗∗∗ Multiple vulnerabilities in Movable Type ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN37014768/ ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update July 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.2ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 – 2022.4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2022
by Daily end-of-shift report 15 Nov '22

15 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-11-2022 18:00 − Dienstag 15-11-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ DTrack activity targeting Europe and Latin America ∗∗∗ --------------------------------------------- DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. [..] So, what’s new? DTrack itself hasn’t changed much over the course of time. Nevertheless, there are some interesting modifications that we want to highlight in this blogpost. Dtrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts. --------------------------------------------- https://securelist.com/dtrack-targeting-europe-latin-america/107798/ ∗∗∗ ABI compatibility in Python: How hard could it be? ∗∗∗ --------------------------------------------- This post will cover just one tiny piece of Python packaging’s complexity: the CPython stable ABI. We’ll see what the stable ABI is, why it exists, how it’s integrated into Python packaging, and how each piece goes terribly wrong to make accidental ABI violations easy. --------------------------------------------- https://blog.trailofbits.com/2022/11/15/python-wheels-abi-abi3audit/ ∗∗∗ Checkmk: Remote Code Execution by Chaining Multiple Bugs ∗∗∗ --------------------------------------------- Within the series of articles, we take a detailed look at multiple vulnerabilities we identified in Checkmk and its NagVis integration, which can be chained together by an unauthenticated, remote attacker to fully take over the server running a vulnerable version of Checkmk. --------------------------------------------- https://blog.sonarsource.com/checkmk-rce-chain-3/ ∗∗∗ Organizations Warned of Critical Vulnerability in Backstage Developer Portal Platform ∗∗∗ --------------------------------------------- Backstage is affected by a critical vulnerability related to a security hole found earlier this year by Oxeye in the popular sandbox library VM2. The VM2 flaw, dubbed SandBreak and tracked as CVE-2022-36067, can allow a remote attacker to escape the sandbox and execute arbitrary code on the host. Backstage has been using VM2 and Oxeye researchers discovered that CVE-2022-36067 can be exploited for unauthenticated remote code execution in Backstage by abusing its software templates. --------------------------------------------- https://www.securityweek.com/organizations-warned-critical-vulnerability-ba… ∗∗∗ Kreditbetrug: Vorsicht vor darlehenexpert.com ∗∗∗ --------------------------------------------- darlehenexpert.com gibt sich als Kreditgeber aus und ermöglicht angeblich Privat- und Autokredite, Hypotheken sowie Darlehen. Interessierte füllen online ein Kreditantragsformular aus und erhalten nach kurzer Zeit eine Zusage. Doch Vorsicht: darlehenexpert.com ist betrügerisch. Sie werden aufgefordert, vorab unterschiedliche Gebühren zu überweisen. Wenn Sie überweisen, verlieren Sie Ihr Geld und erhalten keinen Kredit! --------------------------------------------- https://www.watchlist-internet.at/news/kreditbetrug-vorsicht-vor-darlehenex… ∗∗∗ Android malware: A million people downloaded these malicious apps before they were finally removed from Google Play ∗∗∗ --------------------------------------------- Cybersecurity researchers identify an aggressive adware campaign. The developer is now banned from Google Play - but if youve not uninstalled the apps, youre still infected. [..] The four apps that have been identified as malicious were from a developer called Mobile apps Group and were called 'Bluetooth Auto Connect', 'Bluetooth App Sender', 'Mobile transfer: smart switch', and 'Driver: Bluetooth, Wi-Fi, USB'. --------------------------------------------- https://www.zdnet.com/article/android-warning-these-malicious-apps-had-over… ∗∗∗ Windows Server 2012 R2: Sophos User-Authentifizierung mittels Heartbeat auf RDS-Servern abgeschaltet ∗∗∗ --------------------------------------------- Kurzer Hinweis für Administratoren, die Windows Server 2012 R2 einsetzen und sich auf die Sophos User-Authentifizierung per Sophos Security Heartbeats verlassen. Sophos hat ein Update verteilt, welches die Funktion auf Windows Server 2012 R2 stillschweigend außer Kraft setzt. --------------------------------------------- https://www.borncity.com/blog/2022/11/15/windows-server-2012-r2-sophos-user… ∗∗∗ LKA warnt vor Betrugsmasche mit digitalen Kreditkarten (Nov. 2022) ∗∗∗ --------------------------------------------- Das LKA Niedersachsen warnt vor einer neue Betrugsmasche, die Cyber-Kriminelle erdacht haben. Mittels Phishing-E-Mails, gefälschten Webseiten und digitalen Kreditkarten versuchen sie an Zahlungsdaten der Opfer heranzukommen. Die Daten der digitalen Kreditkarte werden dann für eigene Einkäufe auf Kosten des Opfers missbraucht. --------------------------------------------- https://www.borncity.com/blog/2022/11/15/lka-warnt-vor-betrugsmasche-mit-di… ∗∗∗ Firmware- und BIOS-Updates: AMD, Intel, Lenovo, HP (Nov. 2022) ∗∗∗ --------------------------------------------- Die Hersteller Lenovo und HP stopfen mit Firmware-Updates entdeckte Schwachstellen im BIOS (und in der Software) ihrer Systeme. Und die Prozessorhersteller AMD sowie Intel haben ebenfalls Sicherheitslücken in ihrer Firmware per Update im November 2022 geschlossen. Hier ein kompakter Überblick über diese Updates. --------------------------------------------- https://www.borncity.com/blog/2022/11/15/firmware-und-bios-updates-amd-inte… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel and webkit2gtk3), Red Hat (dhcp, dovecot, flac, freetype, fribidi, frr, gimp, grafana, guestfs-tools, httpd, kernel-rt, libtirpc, mingw-gcc, mingw-glib2, pcs, php, protobuf, python3.9, qemu-kvm, redis, speex, and swtpm), SUSE (chromium, containerized-data-importer, jhead, kubevirt stack, nodejs14, nodejs16, python-Werkzeug, and xen), and Ubuntu (golang-1.13, nginx, and vim). --------------------------------------------- https://lwn.net/Articles/914952/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.5 ∗∗∗ --------------------------------------------- In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.5 ∗∗∗ --------------------------------------------- CVE-2022-45403: Service Workers might have learned size of cross-origin media files CVE-2022-45404: Fullscreen notification bypass CVE-2022-45405: Use-after-free in InputStream implementation CVE-2022-45406: Use-after-free of a JavaScript Realm CVE-2022-45408: Fullscreen notification bypass via windowName CVE-2022-45409: Use-after-free in Garbage Collection CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-48/ ∗∗∗ Security Vulnerabilities fixed in Firefox 107 ∗∗∗ --------------------------------------------- CVE-2022-45407: Loading fonts on workers was not thread-safe CVE-2022-45403: Service Workers might have learned size of cross-origin media files CVE-2022-45404: Fullscreen notification bypass CVE-2022-45405: Use-after-free in InputStream implementation CVE-2022-45406: Use-after-free of a JavaScript Realm CVE-2022-45408: Fullscreen notification bypass via windowName CVE-2022-45409: Use-after-free in Garbage Collection CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/ ∗∗∗ TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN54728399/ ∗∗∗ ZDI-22-1592: Parse Server _expandResultOnKeyPath Prototype Pollution Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1592/ ∗∗∗ ZDI-22-1591: Parse Server buildUpdatedObject Prototype Pollution Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1591/ ∗∗∗ ZDI-22-1590: Parse Server transformUpdate Prototype Pollution Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1590/ ∗∗∗ ABB PCM600 Cleartext Credentials Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001518 ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-is-vulner… ∗∗∗ Security Bulletin: Vulnerability from Apache Kafka affect IBM Operations Analytics – Log Analysis (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache… ∗∗∗ PHOENIX CONTACT: Denial-of-Service vulnerability in mGuard product family ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-051/ ∗∗∗ Mitsubishi Electric GT SoftGOT2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-319-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2022
by Daily end-of-shift report 14 Nov '22

14 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-11-2022 18:00 − Montag 14-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt deinstallieren! Sicherheitslücken, aber keine Patches für VMware Hyperic ∗∗∗ --------------------------------------------- Der Support für die IT-Managementsoftware VMware Hyperic ist ausgelaufen. Admins sollten umsteigen. --------------------------------------------- https://heise.de/-7339160 ∗∗∗ Neue Betrugsmasche auf Amazon: Betrügerische Marketplace-Händler stornieren Bestellungen und empfehlen Kauf bei „Amazon-Partnershops“ ∗∗∗ --------------------------------------------- Sabine sucht auf Amazon nach einer Kaffeemaschine. Bei einem Marketplace-Händler findet sie ein günstiges Angebot. Sie bestellt und wartet nun auf die Lieferung. Kurz nach der Bestellung wird der Kauf aber vom Händler storniert. Sie bekommt ein Mail, indem sich der Händler entschuldigt und ihr einen Shop nennt, bei dem sie die Kaffeemaschine zum gleichen Preis bestellen kann. Vorsicht: Dabei handelt es sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-amazon-betrue… ∗∗∗ Extracting HTTP CONNECT Requests with Python, (Mon, Nov 14th) ∗∗∗ --------------------------------------------- Seeing abnormal Suricata alerts isnt too unusual in my home environment. In many cases it may be a TLD being resolved that at one point in time was very suspicious. With the increased legitimate adoption of some of these domains, these alerts have been less useful, although still interesting to investigate. I ran into a few of these alerts one night and when diving deeper there was an unusual amount, frequency, and source of the alerts. --------------------------------------------- https://isc.sans.edu/diary/rss/29246 ∗∗∗ Extracting Information From "logfmt" Files With CyberChef, (Sat, Nov 12th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/29244 ∗∗∗ KmsdBot: The Attack and Mine Malware ∗∗∗ --------------------------------------------- Akamai Security Research has observed a new malware that infected our honeypot, which we have dubbed KmsdBot. The botnet infects systems via an SSH connection that uses weak login credentials. --------------------------------------------- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-m… ∗∗∗ Discover 2022’s Nastiest Malware ∗∗∗ --------------------------------------------- For the past year, hackers have been following close behind businesses and families just waiting for the right time to strike. In other words, 2022 has been an eventful year in the threat landscape, with malware continuing to take center stage. The 6 Nastiest Malware of 2022 Since the mainstreaming of ransomware payloads and the [...] --------------------------------------------- https://www.webroot.com/blog/2022/10/14/discover-2022s-nastiest-malware/ ∗∗∗ Typhon Reborn With New Capabilities ∗∗∗ --------------------------------------------- Typhon Stealer, a crypto miner/stealer for hire that was discovered in August 2022, now has an updated version called Typhon Reborn. --------------------------------------------- https://unit42.paloaltonetworks.com/typhon-reborn-stealer/ ∗∗∗ BumbleBee Zeros in on Meterpreter ∗∗∗ --------------------------------------------- In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. --------------------------------------------- https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/ ∗∗∗ Stories from the SOC: Fortinet authentication bypass observed in the wild ∗∗∗ --------------------------------------------- Fortinet’s newest vulnerability, CVE-2022-40684, allowing for authentication bypass to manipulate admin SSH keys, unauthorized downloading of configuration files, and creating of super admin accounts, is put a big target on the back’s of unpatched and exposed Fortinet devices. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ HP-BIOS: Pufferüberlauf ermöglicht Rechteausweitung, Update ist verfügbar ∗∗∗ --------------------------------------------- HP warnt vor einer Sicherheitslücke im BIOS zahlreicher Notebooks und PC. Angreifer könnten dadurch ihre Rechte ausweiten oder beliebigen Code ausführen. --------------------------------------------- https://heise.de/-7339122 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dropbear, php7.4, pixman, sysstat, and xorg-server), Fedora (mingw-expat, mingw-libtasn1, and mingw-pixman), Mageia (binutils/gdb, chromium-browser-stable, exiv2, libtiff, nodejs, pcre, pixman, wayland, and webkit2), Red Hat (device-mapper-multipath and libksba), SUSE (autotrace, busybox, libmodbus, php72, python-numpy, rustup, samba, varnish, xen, and xterm), and Ubuntu (thunderbird). --------------------------------------------- https://lwn.net/Articles/914811/ ∗∗∗ Path Traversal Schwachstelle in Payara Platform ∗∗∗ --------------------------------------------- Aufgrund einer fehlerhaften Pfadüberprüfung in der Payara Software ist es möglich, die Konfigurations- oder Sourcecode-Dateien von Webanwendungen in den Verzeichnissen WEB-INF und META-INF über eine Path Traversal Schwachstelle zu lesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/path-traversal-vulner… ∗∗∗ Vielfältige Schwachstellen in BACKCLICK Professional (SYSS-2022-026 bis -037) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-p… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru traces sensitive data (CVE-2022-35719) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2022
by Daily end-of-shift report 11 Nov '22

11 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-11-2022 18:00 − Freitag 11-11-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ US Health Dept warns of Venus ransomware targeting healthcare orgs ∗∗∗ --------------------------------------------- The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks are also targeting the countrys healthcare organizations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-venu… ∗∗∗ Microsoft fixes Windows zero-day bug exploited to push malware ∗∗∗ --------------------------------------------- Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-zer… ∗∗∗ NIS2-Richtlinie: Domaininhaber müssen künftig Adressdaten hinterlegen ∗∗∗ --------------------------------------------- Die neue EU-Richtlinie zur IT-Sicherheit (NIS2) untersagt die anonyme Registrierung von Domains. --------------------------------------------- https://www.golem.de/news/nis2-richtlinie-domaininhaber-muessen-kuenftig-ad… ∗∗∗ Sicherheitslücke: Sperrbildschirm von Pixel-Smartphones ließ sich umgehen ∗∗∗ --------------------------------------------- Einem Forscher ist es gelungen, ein Pixel-Smartphone von Google ohne PIN zu entsperren. Doch Fix und Bug Bounty ließen lange auf sich warten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-sperrbildschirm-von-pixel-smart… ∗∗∗ Cisco dichtet Sicherheitslecks in ASA und Firepower ab ∗∗∗ --------------------------------------------- Cisco dichtet teils hochriskante Sicherheitslücken in der Software der Adaptive Security Appliance und Firepower Threat Defense. Admins sollten aktiv werden. --------------------------------------------- https://heise.de/-7336757 ∗∗∗ Digitalbarometer 2022: Weiter leichtes Spiel für Cyber-Kriminelle ∗∗∗ --------------------------------------------- BSI und Polizeiliche Kriminalprävention der Länder und des Bundes (ProPK) veröffentlichen die vierte gemeinsame Bürgerbefragung: Viele Bürgerinnen und Bürger vernachlässigen grundlegende Maßnahmen, um sich vor Angriffen im Netz zu schützen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday announced the release of a Stakeholder-Specific Vulnerability Categorization (SSVC) guide that can help organizations prioritize vulnerability patching using a decision tree model. --------------------------------------------- https://www.securityweek.com/cisa-releases-decision-tree-model-help-compani… ∗∗∗ Phishing-resistente Multifaktor Authentifizierung ∗∗∗ --------------------------------------------- Multifaktor Authentifizierung (MFA) kann durch Phishing ausgehebelt werden. Es kommt darauf an, MFA widerstandsfähiger zu machen, betont Lance Spitzner, SANS Security Awareness Director, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88404820/phishing-resistente-multifaktor-authentifizie… ∗∗∗ HackHound IRC Bot Being Distributed via Webhards ∗∗∗ --------------------------------------------- Webhards are the main platforms that the attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past. --------------------------------------------- https://asec.ahnlab.com/en/41806/ ∗∗∗ CVE-2019-8561: A Hard-to-Banish PackageKit Framework Vulnerability in macOS ∗∗∗ --------------------------------------------- This blog entry details our investigation of CVE-2019-8561, a vulnerability that exists in the macOS PackageKit framework, a component used to install software installer packages (PKG files). --------------------------------------------- https://www.trendmicro.com/en_us/research/22/k/cve-2019-8561-a-hard-to-bani… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and exiv2), Fedora (curl, device-mapper-multipath, dotnet6.0, mediawiki, mingw-gcc, and php-pear-CAS), Gentoo (lesspipe), Slackware (php), SUSE (git, glibc, kernel, libarchive, python, python-rsa, python3-lxml, rpm, sudo, xen, and xwayland), and Ubuntu (wavpack). --------------------------------------------- https://lwn.net/Articles/914571/ ∗∗∗ Preisgabe von sensiblen Informationen in Zoom (SYSS-2022-048) ∗∗∗ --------------------------------------------- Bei einer Videokonferenz über Zoom werden Chatnachrichten im Installationsverzeichnis gespeichert. Ein Angreifer kann diese Nachrichten entschlüsseln. --------------------------------------------- https://www.syss.de/pentest-blog/preisgabe-von-sensiblen-informationen-in-z… ∗∗∗ Rapid7’s Impact from OpenSSL Buffer Overflow Vulnerabilities (CVE-2022-3786 & CVE-2022-3602) ∗∗∗ --------------------------------------------- CVE-2022-3786 & CVE-2022-3602 vulnerabilities affecting OpenSSL’s 3.0.x versions both rely on a maliciously crafted email address in a certificate. --------------------------------------------- https://www.rapid7.com/blog/post/2022/11/11/rapid7s-impact-from-openssl-buf… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® Semeru Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM InfoSphere DataStage is vulnerable to a command injection vulnerability [CVE-2022-40752] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime used by the IBM Installation Manager and IBM Packaging Utility – CVE-2021-2163 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Omron NJ/NX-series Machine Automation Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-314-07 ∗∗∗ Omron NJNX-series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-314-08 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2022
by Daily end-of-shift report 10 Nov '22

10 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-11-2022 18:00 − Donnerstag 10-11-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New StrelaStealer malware steals your Outlook, Thunderbird accounts ∗∗∗ --------------------------------------------- A new information-stealing malware named StrelaStealer is actively stealing email account credentials from Outlook and Thunderbird, two widely used email clients. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-strelastealer-malware-st… ∗∗∗ VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations ∗∗∗ --------------------------------------------- Multiple Unified Extensible Firmware Interface (UEFI) implementations are vulnerable to code execution in System Management Mode (SMM) by an attacker who gains administrative privileges on the local machine. An attacker can corrupt the memory using Direct Memory Access (DMA) timing attacks that can lead to code execution. These threats are collectively referred to as RingHopper attacks. --------------------------------------------- https://kb.cert.org/vuls/id/434994 ∗∗∗ Windows breaks under upgraded IceXLoader malware ∗∗∗ --------------------------------------------- Were the malware of Nim! A malware loader deemed in June to be a "work in progress" is now fully functional and infecting thousands of Windows corporate and home PCs.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/11/10/icexloader_m… ∗∗∗ [SANS ISC] Do you collect “Observables” or “IOCs”? ∗∗∗ --------------------------------------------- Indicators of Compromise, or IOCs, are key elements in blue team activities. IOCs are mainly small pieces of technical information that have been collected during investigations, threat hunting activities or malware analysis. --------------------------------------------- https://blog.rootshell.be/2022/11/10/sans-isc-do-you-collect-observables-or… ∗∗∗ Phishing-Resistant MFA Does Not Mean Un-Phishable ∗∗∗ --------------------------------------------- Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on. Anything can be hacked. Do not confuse “phishing-resistant” with being impossible to phish or socially engineer. --------------------------------------------- https://www.linkedin.com/pulse/phishing-resistant-mfa-does-mean-un-phishabl… ∗∗∗ The Case of Cloud9 Chrome Botnet ∗∗∗ --------------------------------------------- The Zimperium zLabs team recently discovered a malicious browser extension, which not only steals the information available during the browser session but can also install malware on a user’s device and subsequently assume control of the entire device. In this blog, we will take a deeper look into the architecture and modus operandi of this malicious browser extension, originally called Cloud9, by the malware author. --------------------------------------------- https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/ ∗∗∗ Certificates and Pwnage and Patches, Oh My! ∗∗∗ --------------------------------------------- A lot has happened since we released the “Certified Pre-Owned” blog post and whitepaper in June of last year. [...] A lot of organizations (and a lot of pentesters ;) definitely realized how pervasive misconfigurations in Active Directory Certificate Service are and how easy it is now to enumerate and abuse these issues. [...] With all of these changes, we wanted to revisit some of the offensive AD CS attacks, detail how the patch has affected some of the existing escalations, and --------------------------------------------- https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f… ∗∗∗ The November 2022 Security Update Review ∗∗∗ --------------------------------------------- Welcome to the penultimate Patch Tuesday of 2021. As expected, Adobe and Microsoft have released their latest security updates and fixes to the world. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings. --------------------------------------------- https://www.thezdi.com/blog/2022/11/8/the-november-2022-security-update-rev… ∗∗∗ How LNK Files Are Abused by Threat Actors ∗∗∗ --------------------------------------------- LNK files are based on the Shell Link Binary file format, also known as Windows shortcuts. But what seems a relatively simple ability to execute other binaries on the system can inflict great harm when abused by threat actors. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-f… ∗∗∗ Penetration and Distribution Method of Gwisin Attacker ∗∗∗ --------------------------------------------- The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware. --------------------------------------------- https://asec.ahnlab.com/en/41565/ ===================== = Vulnerabilities = ===================== ∗∗∗ Bios: Sicherheitslücken im UEFI etlicher Lenovo-Laptops ∗∗∗ --------------------------------------------- Lenovo hat Treiber verwendet, die nur für die Produktion vorgesehen waren. Dadurch lässt sich Secure Boot aus dem Betriebssystem heraus deaktivieren. --------------------------------------------- https://www.golem.de/news/bios-sicherheitsluecken-im-uefi-etlicher-lenovo-l… ∗∗∗ Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure ∗∗∗ --------------------------------------------- Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN75437943/ ∗∗∗ Cisco Security Advisories 2022-11-09 ∗∗∗ --------------------------------------------- Cisco Adaptive Security Appliance Software, Cisco FXOS Software, Cisco FirePOWER Software for ASA FirePOWER Module, Cisco Firepower Management Center Software, Cisco Firepower Threat Defense Software, Cisco NGIPS Software, Cisco Secure Firewall 3100 Series, Multiple Cisco Products Snort SMB2 Detection Engine --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2022-11-09 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Security, IBM Master Data Management, IBM Planning Analytics, IBM Planning Analytics Workspace, IBM QRadar, IBM Tivoli Business Service Manager --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ HTML Injection in BMC Remedy ITSM-Suite ∗∗∗ --------------------------------------------- Die Anwendung BMC Remedy erlaubt es Benutzern Incidents über Email weiterzuleiten. Im Email Editor ist es möglich HTML-Code in das "To" Feld einzufügen. Danach zeigt die Anwendung an, dass der Incident an Empfänger weitergeleitet wurde. Durch Klicken auf die Anzahl der Empfänger wird der eingefügte HTML-Code geladen und ausgeführt. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/html-injection-in-bmc… ∗∗∗ CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine ∗∗∗ --------------------------------------------- A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system allows a local attacker with shell access to the engine to execute programs with elevated privileges. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0031 ∗∗∗ Bugfix-Updates: Apple stellt macOS 13.0.1, iPadOS 16.1.1 und iOS 16.1.1 bereit ∗∗∗ --------------------------------------------- Fehlerbehebungen und gestopfte Sicherheitslücken außer der Reihe: Apple legt macOS 13.0.1, iPadOS 16.1.1 und iOS 16.1.1 für Mac, iPad und iPhone vor. --------------------------------------------- https://heise.de/-7335516 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libjettison-java and xorg-server), Slackware (sysstat and xfce4), SUSE (python3 and xen), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/914347/ ∗∗∗ Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server ∗∗∗ --------------------------------------------- Unit 42 discovered three vulnerabilities in OpenLiteSpeed Web Server and LiteSpeed Web Server that could be used together for remote code execution. --------------------------------------------- https://unit42.paloaltonetworks.com/openlitespeed-vulnerabilities/ ∗∗∗ [R1] Nessus Version 8.15.7 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (expat, libxml2, zlib) were found to contain vulnerabilities, and updated versions have been made available by the providers.Out of caution and in line with good practice, Tenable has opted to upgrade these components to address the potential impact of the issues. --------------------------------------------- https://www.tenable.com/security/tns-2022-26 ∗∗∗ 2022-12 Multiple Java SE vulnerabilities in Belden/Hirschmann software products ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14996&mediaformat…" target="_blank -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2022
by Daily end-of-shift report 09 Nov '22

09 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-11-2022 18:00 − Mittwoch 09-11-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Intel, AMD Address Many Vulnerabilities With Patch Tuesday Advisories ∗∗∗ --------------------------------------------- Intel and AMD have announced fixes for many vulnerabilities on this Patch Tuesday, including for flaws that have been assigned a ‘high severity’ rating. --------------------------------------------- https://www.securityweek.com/intel-amd-address-many-vulnerabilities-patch-t… ∗∗∗ Microsoft: Windows 10 21H1 reaches end of service next month ∗∗∗ --------------------------------------------- Microsoft has reminded customers today that all editions of Windows 10 21H1 (also known as the May 2021 Update) are reaching the end of service (EOS) next month. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-21h1-r… ∗∗∗ Lenovo fixes flaws that can be used to disable UEFI Secure Boot ∗∗∗ --------------------------------------------- Lenovo has fixed two high-severity vulnerabilities impacting various ThinkBook, IdeaPad, and Yoga laptop models that could allow an attacker to deactivate UEFI Secure Boot. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lenovo-fixes-flaws-that-can-… ∗∗∗ Phishing-Resistant MFA Does Not Mean Un-Phishable ∗∗∗ --------------------------------------------- Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on. Anything can be hacked. Do not confuse “phishing-resistant” with being impossible to phish or socially engineer. --------------------------------------------- https://www.linkedin.com/pulse/phishing-resistant-mfa-does-mean-un-phishabl… ∗∗∗ SMS „Hallo Mama, mein Handy ist kaputt“ ist betrügerisch! ∗∗∗ --------------------------------------------- Eine großangelegte SMS-Betrugsmasche sorgt aktuell für Verunsicherung bei Empfänger:innen. Der Inhalt der „Hallo Mama“ oder „Hallo Papa“ SMS soll vermitteln, dass das eigene Kind eine neue Nummer hätte. Das Kind bittet deshalb um Kontaktaufnahme über WhatsApp. Wer hier antwortet, wird schon bald vom vermeintlichen Kind zu Zahlungen aufgefordert. Ignorieren Sie die Nachrichten und führen Sie auf keinen Fall Überweisungen durch. --------------------------------------------- https://www.watchlist-internet.at/news/sms-hallo-mama-mein-handy-ist-kaputt… ∗∗∗ Massive ois[.]is Black Hat Redirect Malware Campaign ∗∗∗ --------------------------------------------- Since September 2022, our research team has tracked a surge in WordPress malware redirecting website visitors to fake Q&A sites via ois[.]is. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines. PublicWWW results show nearly 15,000 websites have been affected by this malware so far. --------------------------------------------- https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-c… ∗∗∗ Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns ∗∗∗ --------------------------------------------- The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors. Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks. --------------------------------------------- https://blog.talosintelligence.com/ipfs-abuse/ ∗∗∗ Check Point CloudGuard Spectral exposes new obfuscation techniques for malicious packages on PyPI ∗∗∗ --------------------------------------------- Check Point Research (CPR) detects a new and unique malicious package on PyPI, the leading package index used by developers for the Python programming language The new malicious package was designed to hide code in images and infect through open-source projects on Github CPR responsibly disclosed this information to PyPI, who removed the packages. --------------------------------------------- https://research.checkpoint.com/2022/check-point-cloudguard-spectral-expose… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks ∗∗∗ --------------------------------------------- Microsoft has released security updates to address two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell and exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-proxynotshe… ∗∗∗ Kritische Sicherheitslücken in VMware Workspace ONE - Updates verfügbar ∗∗∗ --------------------------------------------- VMware hat Updates für drei kritische Authentication Bypass Sicherheitslücken im Remote-Access-Tool VMware Workspace ONE veröffentlicht. Entfernte, anonyme Angreifer:innen können die Authentifizierung in erreichbaren VMware Workspace ONE Instanzen umgehen und Administratorrechte auf den betroffenen Systemen erlangen. --------------------------------------------- https://cert.at/de/warnungen/2022/11/kritische-sicherheitslucken-in-vmware-… ∗∗∗ Citrix Gateway und ADC: Kritische Lücke ermöglicht unbefugten Zugriff ∗∗∗ --------------------------------------------- Citrix schließt Sicherheitslücken, durch die Angreifer etwa unberechtigt auf die Gerätefunktionen zugreifen können. Administratoren sollten zügig aktualisieren. --------------------------------------------- https://heise.de/-7334851 ∗∗∗ Multiple vulnerabilities in WordPress ∗∗∗ --------------------------------------------- WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature. --------------------------------------------- https://jvn.jp/en/jp/JVN09409909/ ∗∗∗ IBM Security Bulletins 2022-11-08 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Cloud Application Business Insights, IBM Security Guardium, IBM Security Verify Access --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Lenovo Product Security Advisories 2022-11-08 ∗∗∗ --------------------------------------------- AMD Graphics Driver, AMD IBPB Return Branch Predictions, Brocade EZSwitch, Elan UltraNav and MiniPort Driver, Intel AMT SDK, Intel EMA, Intel MC, Intel Chipset Firmware, Intel PROSet Wireless WiFi, Intel vPro CSME WiFi, Killer WiFi, Intel SGX SDK, Lenovo Diagnostics, Lenovo Notebook BIOS, Lenovo Vantage Component, Multi-Vendor BIOS --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ Cisco Security Advisories 2022-11-09 ∗∗∗ --------------------------------------------- Cisco Adaptive Security Appliance Software, Cisco FXOS Software, Cisco FirePOWER Software for ASA FirePOWER Module, Cisco Firepower Management Center Software, Cisco Firepower Threat Defense Software, Cisco NGIPS Software, Cisco Secure Firewall 3100 Series, Multiple Cisco Products Snort SMB2 Detection Engine --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Webbrowser: Zehn Sicherheitslücken weniger in Google Chrome ∗∗∗ --------------------------------------------- In dem jetzt verfügbaren Update für den Webbrowser Chrome schließt Google 10 Sicherheitslücken. Mit manipulierten Webseiten könnten Angreifer Code ausführen. --------------------------------------------- https://heise.de/-7334255 ∗∗∗ Foxit PDF Reader: Schadcode-Attacken über präparierte PDFs möglich ∗∗∗ --------------------------------------------- Die Foxit-Entwickler haben in ihren PDF-Anwendungen unter macOS und Windows Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7334993 ∗∗∗ Patchday: SAP stopft neun zum Teil kritische Schwachstellen ∗∗∗ --------------------------------------------- Am November-Patchday dichtet SAP teils kritische Sicherheitslücken in mehreren Produkten ab. Administratoren sollten sie zügig auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-7334573 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (vim, webkit2gtk, and wpewebkit), Fedora (mingw-python3, vim, webkit2gtk3, webkitgtk, and xen), Mageia (389-ds-base, bluez, ffmpeg, libtasn1, libtiff, libxml2, and mbedtls), Red Hat (kpatch-patch and linux-firmware), SUSE (conmon, containerized data importer, exim, expat, ganglia-web, gstreamer-0_10-plugins-base, gstreamer-0_10-plugins-good, gstreamer-plugins-base, gstreamer-plugins-good, kernel, kubevirt, protobuf, sendmail, and vsftpd), and Ubuntu (libzstd, openjdk-8, openjdk-lts, openjdk-17, openjdk-19, php7.2, php7.4, php8.1, and pixman). --------------------------------------------- https://lwn.net/Articles/914221/ ∗∗∗ Zahlreiche kritische Schwachstellen in Simmeth System GmbH Lieferantenmanager ∗∗∗ --------------------------------------------- Die Software Lieferantenmanager der Simmeth System GmbH ist von mehreren kritischen Schwachstellen betroffen. Durch diese lassen sich beliebige Befehle ohne Authentifizierung auf dem SQL Server ausführen. Des Weiteren können beliebige Dateien auf dem Webserver gelesen und Nutzersessions gestohlen werden. Außerdem wurde das E-Mail Passwort der Firma Simmeth mithilfe eines unauthentifizierten Requests ausgelesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/multiple-critical-vul… ∗∗∗ [R1] Nessus Network Monitor Version 6.1.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus Network Monitor leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2022-25 ∗∗∗ Xen Security Advisory CVE-2022-23824 / XSA-422 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-422.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2022
by Daily end-of-shift report 08 Nov '22

08 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-11-2022 18:00 − Dienstag 08-11-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ How to mimic Kerberos protocol transition using reflective RBCD ∗∗∗ --------------------------------------------- We know that a delegation is dangerous if an account allows delegating third-party user authentication to a privileged resource. In the case of constrained delegation, all it takes is to find a privileged account in one of the SPN (Service Principal Name) set in the msDS-AllowedToDelegateTo attribute of a compromised service account. --------------------------------------------- https://medium.com/tenable-techblog/how-to-mimic-kerberos-protocol-transiti… ∗∗∗ Azov-Malware zerstört Dateien in 666-Byte-Schritten ∗∗∗ --------------------------------------------- Der Windows-Schädling Azov ist ein Wiper und vernichtet Dateien unwiderruflich. Sicherheitsforscher beobachten ein erhöhtes Aufkommen. --------------------------------------------- https://heise.de/-7333231 ∗∗∗ Open Bug Bounty: Eine Million Sicherheitslücken im Web behoben ∗∗∗ --------------------------------------------- Eine offene Plattform für das Offenlegen von Sicherheitslücken im Web hat einen Meilenstein erreicht. Open Bug Bounty verzeichnet über 1,3 Mio. Entdeckungen. --------------------------------------------- https://heise.de/-7333872 ∗∗∗ Achtung Fake-Shop: marktstores.com gibt sich als Media Markt aus ∗∗∗ --------------------------------------------- Die Playstation 5 ist momentan überall ausverkauft. Vorsicht, wenn Sie im Internet dennoch einen Anbieter finden, der sie angeblich liefern kann. Dieser könnte sich als Fake-Shop herausstellen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-marktstorescom-gib… ∗∗∗ LockBit 3.0 Being Distributed via Amadey Bot ∗∗∗ --------------------------------------------- The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. --------------------------------------------- https://asec.ahnlab.com/en/41450/ ∗∗∗ Prepare, respond & recover: Battling complex Cybersecurity threats with fundamentals ∗∗∗ --------------------------------------------- The cybersecurity industry has seen a lot of recent trends. For example, the proliferation of multifactor authentication (MFA) to fight against credential harvesting is a common thread. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/prepare-respond-rec… ∗∗∗ Cracking 2.3M Attackers-Supplied Credentials: What Can We Learn from RDP Attacks ∗∗∗ --------------------------------------------- To study credentials attacks on RDP, we operate high-interaction honeypots on the Internet. We analyzed over 2.3 million connections that supplied hashed credentials and attempted to crack them. --------------------------------------------- https://www.gosecure.net/blog/2022/11/08/cracking-2-3m-attackers-supplied-c… ∗∗∗ DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework ∗∗∗ --------------------------------------------- This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-a… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-07 ∗∗∗ --------------------------------------------- IBM Tivoli Monitoring, IBM App Connect Enterprise Certified Container, IBM Operations Analytics - Log Analysis --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Siemens Security Advisories 2022-11-08 ∗∗∗ --------------------------------------------- Siemens released 9 new and 8 updated Advisories. (CVSS Scores 5.3-9.9) --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-11#Sec… ∗∗∗ Patchday: Angreifer könnten Android-Geräte über Attacken lahmlegen ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für Android 10 bis 13 veröffentlicht. Einige andere Hersteller bieten ebenfalls Patches an. --------------------------------------------- https://heise.de/-7333334 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pixman and sudo), Fedora (mingw-binutils and mingw-gdb), Red Hat (bind, bind9.16, container-tools:3.0, container-tools:4.0, container-tools:rhel8, dnsmasq, dotnet7.0, dovecot, e2fsprogs, flatpak-builder, freetype, fribidi, gdisk, grafana, grafana-pcp, gstreamer1-plugins-good, httpd:2.4, kernel, kernel-rt, libldb, libreoffice, libtiff, libxml2, mingw-expat, mingw-zlib, mutt, nodejs:14, nodejs:18, openblas, openjpeg2, osbuild, pcs, php:7.4, php:8.0, [...] --------------------------------------------- https://lwn.net/Articles/914119/ ∗∗∗ ICS Patch Tuesday: Siemens Addresses Critical Vulnerabilities ∗∗∗ --------------------------------------------- Siemens and Schneider Electric have released their Patch Tuesday advisories for November 2022. Siemens has released nine new security advisories covering a total of 30 vulnerabilities, but Schneider has only published one new advisory. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-critical-v… ∗∗∗ Varnish HTTP/2 Request Forgery ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00011/ ∗∗∗ Open Source Varnish Request Smuggling ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00010/ ∗∗∗ PHOENIX CONTACT: Automationworx BCP File Parsing Vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-048/ ∗∗∗ Citrix Gateway and Citrix ADC Security Bulletin for CVE-2022-27510 CVE-2022-27513 and CVE-2022-27516 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-… ∗∗∗ McAfee Total Protection: Update fixt Schwachstelle CVE-2022-43751 ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/11/08/mcafee-total-protection-update-fix… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2022
by Daily end-of-shift report 07 Nov '22

07 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-11-2022 18:00 − Montag 07-11-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows Malware with VHD Extension, (Sat, Nov 5th) ∗∗∗ --------------------------------------------- Windows 10 supports various virtual drives natively and can recognize and use ISO, VHD and VHDX files. The file included as an attachment with this email, when extracted appears in the email as a PDF but is is in fact a VHD file. --------------------------------------------- https://isc.sans.edu/diary/rss/29222 ∗∗∗ IPv4 Address Representations, (Sun, Nov 6th) ∗∗∗ --------------------------------------------- A reader asked for help with this maldoc. Not with the analysis itself, but how to understand where the URL is pointing to. --------------------------------------------- https://isc.sans.edu/diary/rss/29224 ∗∗∗ Experts Find URLScan Security Scanner Inadvertently Leaks Sensitive URLs and Data ∗∗∗ --------------------------------------------- Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs. "Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022. --------------------------------------------- https://thehackernews.com/2022/11/experts-find-urlscan-security-scanner.html ∗∗∗ AWS Organizations Defaults ∗∗∗ --------------------------------------------- [...] These things combined mean that, should an attacker compromise the management account, the default behavior of AWS Organizations provides a path to compromise every account in the organization as an administrator. For offensive security professionals, identifying paths into the management account can be an incredibly fruitful exercise, and may result in an entire organization compromise. --------------------------------------------- https://hackingthe.cloud/aws/general-knowledge/aws_organizations_defaults/ ∗∗∗ Kommentar: Angriffe lassen sich nicht vermeiden – übernehmt die Verantwortung! ∗∗∗ --------------------------------------------- Shit happens, ebenso wie Sicherheitsvorfälle. Die Frage kann also nur sein, wie damit umzugehen ist - vorher wie nachher. --------------------------------------------- https://heise.de/-7328918 ∗∗∗ Versteckte Kosten für Kündigungen auf stornierenbei.de ∗∗∗ --------------------------------------------- Wenn Sie einen Vertrag kündigen wollen und dazu über Ihre Suchmaschine recherchieren, stoßen Sie womöglich auf stornierenbei.de. Dort wird eine einfache Kündigung von Verträgen unterschiedlichster Anbieter als Dienstleistung angeboten. Achtung: Statt der Kündigung des angegebenen Vertrages, kommen versteckte Kosten auf Sie zu, die auch eingemahnt werden! Bezahlen Sie nichts. Es besteht kein gültiger Vertrag mit stornierenbei.de. --------------------------------------------- https://www.watchlist-internet.at/news/versteckte-kosten-fuer-kuendigungen-… ∗∗∗ BYODC - Bring Your Own Domain Controller ∗∗∗ --------------------------------------------- BYODC or bring your own domain controller is a post-exploitation technique and another option for performing a DCSync in a more opsec safe manner. --------------------------------------------- https://blog.zsec.uk/byodc-attack/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-04 ∗∗∗ --------------------------------------------- AIX LPARs in IBM PureData System for Operational Analytics, IBM App Connect Enterprise, IBM MQ, IBM WebSphere Application Server Liberty / CICS Transaction Gateway --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, libxml2, python-django, python-scciclient, and xen), Fedora (ghc-cmark-gfm, java-latest-openjdk, and vim), Mageia (expat, ntfs-3g, and wkhtmltopdf), Oracle (kernel), Slackware (sudo), and SUSE (expat, libxml2, rubygem-loofah, and xmlbeans). --------------------------------------------- https://lwn.net/Articles/914012/ ∗∗∗ Shodan Verified Vulns 2022-11-01 ∗∗∗ --------------------------------------------- Mit Stand 2022-11-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2022/11/shodan-verified-vulns-2022-11-01 ∗∗∗ Nov 3 2022 Security Releases ∗∗∗ --------------------------------------------- (Update 04-November-2022) Security releases available Updates are now available for v14,x, v16.x, v18.x and v19.x Node.jsrelease lines for the following issues. [...] --------------------------------------------- https://nodejs.org/en/blog/vulnerability/november-2022-security-releases ∗∗∗ WebKit HTMLSelectElement Use-After-Free ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022110007 ∗∗∗ TRUMPF: Multiple products prone to X.Org server vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-049/ ∗∗∗ Wiesemann &Theis: Multiple Vulnerabilities in the Com-Server Family ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-043/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2022
by Daily end-of-shift report 04 Nov '22

04 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-11-2022 18:00 − Freitag 04-11-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WLAN-Sicherheitslücke: Für Spezialdrohnen sind Wände wie Glas ∗∗∗ --------------------------------------------- Kanadische Forscher haben eine Funktion entdeckt, die es Angreifern ermöglicht, durch Wände zu sehen - trotz Passwortschutz. --------------------------------------------- https://www.golem.de/news/wlan-sicherheitsluecke-fuer-eine-spezialdrohne-si… ∗∗∗ A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain ∗∗∗ --------------------------------------------- Note: The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device is running SMR Mar-2021 or later. As defenders, in-the-wild exploit samples give us important insight into what attackers are really doing. We get the “ground truth” data about the vulnerabilities and exploit techniques they’re using, which then informs our further research and guidance to security teams on what could have the biggest impact or return on investment. To do this, we need to know that the vulnerabilities and exploit samples were found in-the-wild. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-sa… ∗∗∗ What Is Cross-Origin Resource Sharing (CORS)? ∗∗∗ --------------------------------------------- Thanks to the rapid growth of JavaScript frameworks like Angular, React, and Vue, Cross-Origin Resource Sharing (CORS) has become a popular word in the developer’s vocabulary — and for good reason. It’s common practice for modern web applications to load resources from multiple domains. But accessing these website resources from different origins requires a thorough understanding of CORS. In this post, we’ll take a look at what CORS is and why proper implementation is an important component of building secure websites and applications. We’ll also examine some common examples of how to use CORS, dive into preflight requests, and discuss how to protect your website against attacks. --------------------------------------------- https://blog.sucuri.net/2022/11/what-is-cross-origin-resource-sharing-cors.… ∗∗∗ Multi-factor auth fatigue is real – and its why you may be in the headlines next ∗∗∗ --------------------------------------------- Overwhelmed by waves of push notifications, worn-down users inadvertently let the bad guys in Analysis The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/11/03/mfa_fatigue_… ∗∗∗ Inside the V1 Raccoon Stealer’s Den ∗∗∗ --------------------------------------------- Team Cymru’s S2 Research Team has blogged previously on the initial Raccoon stealer command and control methodology (Raccoon Stealer - An Insight into Victim “Gates”), which utilized “gate” IP addresses to proxy victim traffic / data to static threat actor-controlled infrastructure. Since the publication of our previous blog, the following timeline of events has occurred: [...] --------------------------------------------- https://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den ∗∗∗ Cisco-Sicherheitsupdates: Angreifer könnten durch Lücken in Netzwerke eindringen ∗∗∗ --------------------------------------------- Die Softwareentwickler von Cisco haben unter anderem in Identity Services Engine und Email Security Appliance Schwachstellen geschlossen. --------------------------------------------- https://heise.de/-7329978 ∗∗∗ UK-Cybersicherheitsbehörde startet landesweites Schwachstellen-Scanning ∗∗∗ --------------------------------------------- Die IT-Sicherheitsbehörde des Vereinigten Königreichs startet einen Schwachstellen-Scanner-Dienst. Der untersucht alle Systeme des Landes auf Sicherheitslücken. --------------------------------------------- https://heise.de/-7330532 ∗∗∗ Apple Rolls Out Xcode Update Patching Git Vulnerabilities ∗∗∗ --------------------------------------------- Apple this week announced a security update for the Xcode macOS development environment, to resolve three Git vulnerabilities, including one leading to arbitrary code execution. --------------------------------------------- https://www.securityweek.com/apple-rolls-out-xcode-update-patching-git-vuln… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-03 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise Certified Container, IBM InfoSphere Information server, IBM Operations Analytics - Log Analysis, IBM Security Verify Governance, IBM WebSphere Application Server Liberty --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday: Big-Data-Spezialist Splunk dichtet zwölf Schwachstellen ab ∗∗∗ --------------------------------------------- Der Big-Data-Experte Splunk aktualisiert die gleichnamige Software Splunk Enterprise und Cloud. Nach den Updates klaffen darin zwölf Schwachstellen weniger. --------------------------------------------- https://heise.de/-7329933 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pypy3), Fedora (drupal7, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and php), Oracle (kernel, lua, openssl, pcs, php-pear, pki-core, python3.9, and zlib), Red Hat (kernel, kernel-rt, kpatch-patch, lua, openssl-container, pcs, php-pear, pki-core, python3.9, and zlib), Scientific Linux (kernel, pcs, and php-pear), SUSE (EternalTerminal, hsqldb, ntfs-3g_ntfsprogs, privoxy, rubygem-actionview-4_2, sqlite3, and xorg-x11-server), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/913771/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clickhouse, distro-info-data, and ntfs-3g), Fedora (firefox), Oracle (kernel), Slackware (mozilla), and SUSE (python-Flask-Security-Too). --------------------------------------------- https://lwn.net/Articles/913849/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0010 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2022-32888 Versions affected: WebKitGTK and WPE WebKit before 2.38.0. Credit to P1umer (@p1umer). Impact: Processing maliciously crafted web content may lead toarbitrary code execution. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0010.html ∗∗∗ CVE Report Published for Spring Tools ∗∗∗ --------------------------------------------- We have released STS 4.16.1 for Eclipse and Spring VSCode extensions 1.40.0 to address the following CVE report: - CVE-2022-31691: Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode Please review the information in the CVE report and upgrade immediately. --------------------------------------------- https://spring.io/blog/2022/11/03/cve-report-published-for-spring-tools -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.11.2022
by Daily end-of-shift report 03 Nov '22

03 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-11-2022 18:00 − Donnerstag 03-11-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Emotet botnet starts blasting malware again after 5 month break ∗∗∗ --------------------------------------------- The Emotet malware operation is again spamming malicious emails after almost a five-month "vacation" that saw little activity from the notorious cybercrime operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blastin… ∗∗∗ Hundreds of U.S. news sites push malware in supply-chain attack ∗∗∗ --------------------------------------------- The compromised infrastructure of an undisclosed media company is being used by threat actors to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hundreds-of-us-news-sites-pu… ∗∗∗ Was tun, wenn ich Opfer von Cybercrime geworden bin? ∗∗∗ --------------------------------------------- Die Online-Identität kann schnell gestohlen werden, wenn jemand seine Daten auf unseriösen Websites eingibt. Dann kann es zu weiteren Konsequenzen kommen. --------------------------------------------- https://futurezone.at/digital-life/cybercrime-identitaetsdiebstahl-phishing… ∗∗∗ The OpenSSL security update story – how can you tell what needs fixing? ∗∗∗ --------------------------------------------- How to Hack! Finding OpenSSL library files and accurately identifying their version numbers... --------------------------------------------- https://nakedsecurity.sophos.com/2022/11/03/the-openssl-security-update-sto… ∗∗∗ P2P Botnets: Review - Status - Continuous Monitoring ∗∗∗ --------------------------------------------- P2P networks are more scalable and robust than traditional C/S structures, and these advantages were recognized by the botnet authors early on and used in their botnets. --------------------------------------------- https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/ ∗∗∗ Breakpoints in Burp, (Wed, Nov 2nd) ∗∗∗ --------------------------------------------- No, this is not a story about the Canadian Thanksgiving long weekend, it's about web application testing. I recently had a web application to assess, and I used Burp Suite Pro as part of that project. --------------------------------------------- https://isc.sans.edu/diary/rss/29214 ∗∗∗ Hackers Using Rogue Versions of KeePass and SolarWinds Software to Distribute RomCom RAT ∗∗∗ --------------------------------------------- The operators of RomCom RAT are continuing to evolve their campaigns with rogue versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro. --------------------------------------------- https://thehackernews.com/2022/11/hackers-using-rogue-versions-of-keepass.h… ∗∗∗ Researchers discover security loophole allowing attackers to use Wi-Fi to see through walls ∗∗∗ --------------------------------------------- The Wi-Peep exploits a loophole the researchers call polite Wi-Fi. Even if a network is password protected, smart devices will automatically respond to contact attempts from any device within range. The Wi-Peep sends several messages to a device as it flies and then measures the response time on each, enabling it to identify the devices location to within a meter. --------------------------------------------- https://techxplore.com/news/2022-11-loophole-wi-fi-walls.html ∗∗∗ Passwörter: 64 Prozent der User verwenden Kennwörter mehrmals ∗∗∗ --------------------------------------------- Eine Umfrage unter 3750 Angestellten auch aus deutschen Organisationen fördert bedenkliche Passwortnutzung zutage. Und das trotz besseren Wissens. --------------------------------------------- https://heise.de/-7328871 ∗∗∗ BSI-Lagebericht 2022: Gefährdungslage im Cyber-Raum hoch wie nie ∗∗∗ --------------------------------------------- Im Berichtszeitraum hat sich die bereits zuvor angespannte Lage weiter zugespitzt. Grund dafür sind anhaltende Aktivitäten im Bereich der Cyber-Kriminalität, Cyber-Angriffe im Kontext des russischen Angriffs auf die Ukraine und eine unzureichende Produktqualität von IT- und Software-Produkten. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ A new crop of malicious modules found on PyPI ∗∗∗ --------------------------------------------- Phylum has posted anarticle with a detailed look at a set of malicious packages discoveredby an automated system they have developed. Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase. --------------------------------------------- https://lwn.net/Articles/913555/ ∗∗∗ Vorsicht vor Scam-Versuchen auf Telegram ∗∗∗ --------------------------------------------- Eine Nachricht auf Telegram erreicht Sie aus heiterem Himmel: Jemand, den Sie nicht kennen bietet Ihnen eine lukrative Investment-Möglichkeit an, oder sogar eine große Summe Geld. Vorsicht, bei diesen Nachrichten handelt es sich um Betrugsversuche! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-scam-versuchen-auf-tele… ∗∗∗ Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild ∗∗∗ --------------------------------------------- We present new techniques that leverage active probing and network fingerprint technology to help you detect Cobalt Strike’s Team Servers. --------------------------------------------- https://unit42.paloaltonetworks.com/cobalt-strike-team-server/ ∗∗∗ ASEC Weekly Malware Statistics (October 24th, 2022 – October 30th, 2022) ∗∗∗ --------------------------------------------- This post will list weekly statistics collected from October 24th, 2022 (Monday) to October 30th (Sunday). --------------------------------------------- https://asec.ahnlab.com/en/41139/ ===================== = Vulnerabilities = ===================== ∗∗∗ Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602) ∗∗∗ --------------------------------------------- Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services. --------------------------------------------- https://msrc-blog.microsoft.com/2022/11/02/microsoft-guidance-related-to-op… ∗∗∗ IBM Security Bulletins 2022-11-02 ∗∗∗ --------------------------------------------- Content Collector for Email in Content Search Services container, IBM Business Automation Workflow, IBM Business Process Manager (BPM), IBM InfoSphere DataStage, IBM MQ, IBM Operations Analytics - Log Analysis, IBM SPSS Modeler, IBM Security SOAR, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwachstellenscanner Nessus: Updates schließen mehrere Sicherheitslücken ∗∗∗ --------------------------------------------- Der Netzwerk-Schwachstellenscanner Nessus behebt mit neuen Versionen mehrere Schwachstellen in Drittherstellerkomponenten. Admins sollten sie installieren. --------------------------------------------- https://heise.de/-7328440 ∗∗∗ Patchday Fortinet: FortiSIEM speichert Log-in-Daten unverschlüsselt ∗∗∗ --------------------------------------------- Es gibt wichtige Updates für Sicherheitsprodukte von Fortinet. Darunter etwa FortiADC und FortiOS. Keine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-7328476 ∗∗∗ (Non-US) DIR-1935 : Rev. Ax : F/W v1.03b02 :: Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product ∗∗∗ --------------------------------------------- https://www.securityweek.com/splunk-patches-9-high-severity-vulnerabilities… ∗∗∗ ETIC Telecom Remote Access Server (RAS) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-307-01 ∗∗∗ Nokia ASIK AirScale System Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-307-02 ∗∗∗ Delta Industrial Automation DIALink ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-307-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.11.2022
by Daily end-of-shift report 02 Nov '22

02 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 31-10-2022 18:00 − Mittwoch 02-11-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücken: OpenSSL korrigiert Fehler im Zertifikatsparser ∗∗∗ --------------------------------------------- Zwei Buffer Overflows bei der Verarbeitung von Punycode können OpenSSL zum Absturz bringen - und möglicherweise Codeausführung ermöglichen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-openssl-korrigiert-fehler-im-z… ∗∗∗ Lenovo kündigt gegen Schadcode-Attacken abgesicherte BIOS-Versionen an ∗∗∗ --------------------------------------------- Der Computer-Hersteller Lenovo will mehrere BIOS-Lücken in verschiedenen Laptop-Modellen schließen. Einige Updates sind aber erst für Anfang 2023 angekündigt. --------------------------------------------- https://heise.de/-7327115 ∗∗∗ Eine Million Downloads: Bösartige Android-Apps leiten auf Phishing-Seiten ∗∗∗ --------------------------------------------- Ein App-Entwickler fällt wiederholt auf, verseuchte Apps in Google Play anzubieten. Die derzeitig problematischen Apps kommen auf über eine Million Downloads. --------------------------------------------- https://heise.de/-7327239 ∗∗∗ Ausweiskopien mit Wasserzeichen versehen ∗∗∗ --------------------------------------------- Zahlreiche Betrugsmaschen zielen auf eine Kopie Ihres Ausweises ab. Damit können Kriminelle sich bei anderen Betrugsmaschen als Sie ausgeben, in Ihrem Namen Verträge abschließen oder andere Straftaten begehen. Versenden Sie Ausweiskopien daher nur, wenn es unbedingt notwendig ist. Gibt es keine andere Möglichkeit, sollten Sie die Ausweiskopie mit einem Wasserzeichen versehen. Wir zeigen Ihnen, wie Sie unkompliziert ein Wasserzeichen erstellen. --------------------------------------------- https://www.watchlist-internet.at/news/ausweiskopien-mit-wasserzeichen-vers… ∗∗∗ Raspberry Robin Wurm transportiert Malware ∗∗∗ --------------------------------------------- Laut den Sicherheitsforschern von Microsoft verbreitet die bisher vor allem auf USB-Laufwerken bekannte Malware Raspberry Robin jetzt auch die Ransomware Clop. --------------------------------------------- https://www.zdnet.de/88404569/raspberry-robin-wurm-transportiert-malware/ ∗∗∗ Windows PowerShell-Backdoor entdeckt; gibt sich als Teil des Windows Update-Prozesses aus ∗∗∗ --------------------------------------------- Sicherheitsforscher von SafeBreach sind kürzlich auf eine bisher unbekannte PowerShell-Backdoor in Windows gestoßen. Diese verwendet ein bösasartiges Word-Dokument, um die PowerShell-Scripte einzuschleusen. Die Backdoor kann Active Directory-Benutzer und Remote-Desktops auflisten und soll vermutlich zu einem späteren Zeitpunkt zur Ausbreitung in [...] --------------------------------------------- https://www.borncity.com/blog/2022/11/01/windows-powershell-backdoor-als-te… ∗∗∗ Gregor Samsa: Exploiting Javas XML Signature Verification ∗∗∗ --------------------------------------------- Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A custom JIT compiler processing untrusted XSLT programs, exposed to remote attackers during XML signature verification. This post discusses CVE-2022-34169, an integer truncation bug in this JIT compiler resulting in arbitrary code execution in many Java-based web applications and identity providers that support the SAML single-sign-on standard. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/11/gregor-samsa-exploiting-java… ∗∗∗ Server-side attacks, C&C in public clouds and other MDR cases we observed ∗∗∗ --------------------------------------------- This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. We hope that it helps you to stay up to date on the modern threat landscape and to be better prepared for attacks. --------------------------------------------- https://securelist.com/server-side-attacks-cc-in-public-clouds-mdr-cases/10… ∗∗∗ SHA-3 code execution bug patched in PHP – check your version! ∗∗∗ --------------------------------------------- As everyone waits for news of a bug in OpenSSL, heres a reminder that other cryptographic code in your life may also need patching! --------------------------------------------- https://nakedsecurity.sophos.com/2022/11/01/sha-3-code-execution-bug-patche… ∗∗∗ Ransomware: Not enough victims are reporting attacks, and thats a problem for everyone ∗∗∗ --------------------------------------------- The true impact of ransomware is unclear because some victims arent disclosing that theyve been attacked. --------------------------------------------- https://www.zdnet.com/article/ransomware-not-enough-victims-are-reporting-a… ∗∗∗ A technical analysis of Pegasus for Android – Part 3 ∗∗∗ --------------------------------------------- Pegasus is a spyware developed by the NSO group that was repeatedly analyzed by Amnesty International and CitizenLab. In this article, we dissect the Android version that was initially analyzed by Lookout in this paper, and we recommend reading it along with this post. During our research about Pegasus for Android, we’ve found out that vendors wrongly attributed [...] --------------------------------------------- https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/ ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Mitigates Vulnerability in Jupyter Notebooks for Azure Cosmos DB ∗∗∗ --------------------------------------------- Microsoft recently fixed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB (currently in preview) reported by Orca Security. Customers not using Jupyter Notebooks (99.8% of Azure Cosmos DB customers do NOT use Jupyter notebooks) were not susceptible to this vulnerability. The bug was introduced on August 12th and fully patched worldwide [...] --------------------------------------------- https://msrc-blog.microsoft.com/2022/11/01/microsoft-mitigates-vulnerabilit… ∗∗∗ Multiple Vulnerabilities Reported in Checkmk IT Infrastructure Monitoring Software ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been disclosed in Checkmk IT Infrastructure monitoring software that could be chained together by an unauthenticated, remote attacker to fully take over affected servers. --------------------------------------------- https://thehackernews.com/2022/11/multiple-vulnerabilities-reported-in.html ∗∗∗ Xcode 14.1 ∗∗∗ --------------------------------------------- This document describes the security content of Xcode 14.1. --------------------------------------------- https://support.apple.com/kb/HT213496 ∗∗∗ Cisco Security Advisories 2022-11-02 ∗∗∗ --------------------------------------------- Security Impact Rating: 4x High, 7x Medium --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022 ∗∗∗ --------------------------------------------- On November 1, 2022, the OpenSSL Project announced the following vulnerabilities: CVE-2022-3602 - X.509 Email Address 4-byte Buffer Overflow CVE-2022-3786 - X.509 Email Address Variable Length Buffer Overflow For a description of these vulnerabilities, see OpenSSL Security Advisory [Nov 1 2022]. This advisory will be updated as additional information becomes available. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- AIX, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Cloud Object Storage Systems, IBM Cloud Pak for Integration, IBM Cloud Pak for Security, IBM DataPower Gateway, IBM Elastic Storage System, IBM Event Streams, IBM FlashSystem, IBM FlashSystem models FS900 and V9000, IBM InfoSphere Information Server, IBM MQ, IBM QRadar SIEM, IBM SAN Volume Controller, IBM Security Guardium, IBM Security Verify Access, IBM Spectrum Virtualize, IBM Storwize, IBM Voice Gateway, IBM WebSphere Application Server, IBM WebSphere Application Server used by IBM Master Data Management, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, Power System, Zlib for IBM i --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ An Update on the OpenSSL vulnerability CVE-2022-3602 ∗∗∗ --------------------------------------------- November 1, 2022: IBM is responding to the reported buffer overflow vulnerability that the OpenSSL open-source community disclosed for OpenSSL versions 3.0.0 – 3.0.6. We are taking action as an enterprise, and for IBM products and services that may potentially be impacted, as we do for all vulnerabilities rated High. --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-preparing-to-respond-to-the-upcoming-op… ∗∗∗ FortiGuard PSIRT Advisories 2022-11-01 ∗∗∗ --------------------------------------------- AV Engine, FortiADC, FortiClient (MAC), FortiDeceptor, FortiEDR CollectorWindows, FortiMail, FortiManager/FortiAnalyzer, FortiOS, FortiSIEM, FortiSOAR, FortiTester --------------------------------------------- https://fortiguard.fortinet.com/psirt ∗∗∗ Xen Security Advisories 2022-11-01 ∗∗∗ --------------------------------------------- Xen released 10 Security Advisories. --------------------------------------------- https://xenbits.xen.org/xsa/ ∗∗∗ Bitdefender: Löschen von Registry-Keys durch Sicherheitslücke möglich ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in den Virenscannern von Bitdefender ermöglicht Angreifern, Registry-Schlüssel zu löschen. Bitdefender verteilt Aktualisierungen dagegen. --------------------------------------------- https://heise.de/-7327061 ∗∗∗ Kritische Sicherheitslücke in IT-Managementsoftware von Hitachi geschlossen ∗∗∗ --------------------------------------------- Admins sollten die aktuellen Versionen von Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer und Hitachi Ops Center Viewpoint installieren. --------------------------------------------- https://heise.de/-7327825 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (batik, chromium, expat, libxml2, ncurses, openvswitch, pysha3, python-django, thunderbird, and tomcat9), Fedora (cacti, cacti-spine, curl, mbedtls, mingw-expat, and xen), Gentoo (apptainer, bind, chromium, exif, freerdp, gdal, gitea, hiredis, jackson-databind, jhead, libgcrypt, libksba, libtirpc, lighttpd, net-snmp, nicotine+, open-vm-tools, openexr, rpm, schroot, shadow, sofia-sip, tiff, and xorg-server), Mageia (libreoffice), Oracle (expat), Red [...] --------------------------------------------- https://lwn.net/Articles/913261/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python3.7), Gentoo (android-tools, expat, firefox, libjxl, libxml2, pjproject, sqlite, thunderbird, and zlib), Oracle (compat-expat1), Slackware (php8 and vim), SUSE (kernel, libtasn1, podman, and pyenv), and Ubuntu (libtasn1-6). --------------------------------------------- https://lwn.net/Articles/913352/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg and linux-5.10), Fedora (libksba, openssl, and php), Gentoo (openssl), Mageia (curl, gdk-pixbuf2.0, libksba, nbd, php, and virglrenderer), Red Hat (kernel, kernel-rt, libksba, and openssl), SUSE (gnome-desktop, hdf5, hsqldb, kernel, nodejs10, openssl-3, php7, podofo, python-Flask-Security, python-lxml, and xorg-x11-server), and Ubuntu (backport-iwlwifi-dkms, firefox, ntfs-3g, and openssl). --------------------------------------------- https://lwn.net/Articles/913504/ ∗∗∗ Nov 3 2022 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, 18.x, 19.xreleases lines on or shortly after Thursday, November 3, 2022 in order to address: One medium severity issues. Two high severity issues that affect OpenSSL as per secadv/20221101.txt These security releases are driven by the OpenSSL security release as announced in OpenSSL November Security Release as well as an additional vulnerability that affects all supported release lines. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/november-2022-security-releases ∗∗∗ Chromium: CVE-2022-3723 Type Confusion in V8 ∗∗∗ --------------------------------------------- This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3723 ∗∗∗ Multiple vulnerabilities in the web interfaces of Kyocera Document Solutions MFPs and printers ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN46345126/ ∗∗∗ Security Advisory - Path Traversal Vulnerability in a Huawei Childrens Watch ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20221102-… ∗∗∗ K44454157: Expat vulnerability CVE-2022-40674 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44454157 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-42316, CVE-2022-42317 & CVE-2022-42318 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX472851/citrix-hypervisor-security-bul… ∗∗∗ [R1] Nessus Agent Version 10.2.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-22 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.10.2022
by Daily end-of-shift report 31 Oct '22

31 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-10-2022 18:00 − Montag 31-10-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Es könnten Attacken auf VMware Cloud Foundation bevorstehen ∗∗∗ --------------------------------------------- Für eine kritische Sicherheitslücke in Cloud Foundation von VMware ist Exploit-Code in Umlauf. --------------------------------------------- https://heise.de/-7324777 ∗∗∗ Apple räumt ein: Nur aktuelles macOS stopft alle bekannten Sicherheitslücken ∗∗∗ --------------------------------------------- Apple hat zum ersten Mal bestätigt, dass der Hersteller in früheren macOS-Versionen nicht alle Schwachstellen beseitigt. Dasselbe gilt offensichtlich für iOS. --------------------------------------------- https://heise.de/-7324991 ∗∗∗ Backup-Software von ConnectWise für Ransomware-Attacken anfällig ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit Recover oder R1Soft Server Backup Manager von ConnectWise attackieren. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7324856 ∗∗∗ Gefälschtes A1-Mail im Umlauf ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail von A1 behaupten Kriminelle, dass Sie bereits 80% Ihres Postfach-Speicherplatzes aufgebraucht haben. Sie werden aufgefordert, auf einen Link zu klicken, um zusätzlichen Speicherplatz freizuschalten. Klicken Sie nicht auf den Link, Sie landen auf einer manipulierten Login-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-a1-mail-im-umlauf/ ∗∗∗ 2022 OpenSSL vulnerability ∗∗∗ --------------------------------------------- This repo contains operational information regarding the recently announced vulnerability in OpenSSL 3. [...] Currently no complete overview of vulnerable products is available. Please see https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md for a list of products that are known to be vulnerable. The list is a work in progress. --------------------------------------------- https://github.com/NCSC-NL/OpenSSL-2022 ∗∗∗ Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th) ∗∗∗ --------------------------------------------- Some here may still remember Heartbleed. Heartbleed was a critical OpenSSL vulnerability that surprised many organizations, and patching the issue was a major undertaking. Heartbleed caused OpenSSL and other open-source projects to rethink how they address security issues and communicate with their users. OpenSSL started to pre-announce any security updates about a week ahead of time. This week, OpenSSL announced they would release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability [1]. --------------------------------------------- https://isc.sans.edu/diary/rss/29192 ∗∗∗ APT10: Tracking down LODEINFO 2022, part I ∗∗∗ --------------------------------------------- The first part of this report will provide technical analysis of the new infection methods such as SFX files and DOWNIISSA, a new downloader shellcode used to deploy the LODEINFO backdoor. --------------------------------------------- https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/ ∗∗∗ APT10: Tracking down LODEINFO 2022, part II ∗∗∗ --------------------------------------------- In the second part of this report, we discuss improvements made to the LODEINFO backdoor shellcode in 2022. --------------------------------------------- https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/ ∗∗∗ NMAP without NMAP - Port Testing and Scanning with PowerShell, (Mon, Oct 31st) ∗∗∗ --------------------------------------------- Ever needed to do a portscan and didn't have nmap installed? I've had this more than once on an internal pentest or more often just on run-rate "is that port open? / is there a host firewall in the way?" testing. --------------------------------------------- https://isc.sans.edu/diary/rss/29202 ∗∗∗ WordPress Vulnerability & Patch Roundup October 2022 ∗∗∗ --------------------------------------------- [...] To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2022/10/wordpress-vulnerability-patch-roundup-octob… ∗∗∗ Hardware Trojans Under a Microscope ∗∗∗ --------------------------------------------- While the security industry generally focuses on software cyber attacks, we can’t forget the security impact of lower level hardware flaws, such as those that affect semiconductors. --------------------------------------------- https://ryancor.medium.com/hardware-trojans-under-a-microscope-bf542acbcc29 ∗∗∗ What I learnt from reading 217* Subdomain Takeover bug reports. ∗∗∗ --------------------------------------------- My two prior blogs, What I Learnt From Reading 220 IDOR bug reports, and What I Learnt From Reading 126 Information Disclosure Writeups*, were well received, so I’m continuing the series. I once more scraped ALL 143 SDTO bug reports from hackerone, and 74 detailed write-ups, then went into hiding as I read and took notes on them. I’m here to show you my actionable findings, and show you how to properly hunt for SDTOs. --------------------------------------------- https://medium.com/@nynan/what-i-learnt-from-reading-217-subdomain-takeover… ∗∗∗ Free Micropatches For Bypassing MotW Security Warning with Invalid Signature (0day) ∗∗∗ --------------------------------------------- Nine days ago we issued micropatches for a vulnerability that allows attackers to bypass the warning Windows normally present to users when they try to open a document or executable obtained from an untrusted source (Internet, email, USB key, network drive). That vulnerability, affecting all supported and many legacy Windows versions, still has no official patch from Microsoft so our (free!) patches are the only actual patches in existence as of this writing. On the very same day we issued these micropatches, Will Dormann - who researched said vulnerability - replied to a tweet by another security researcher, Patrick Schläpfer. Patrick works at HP Wolf Security where they analyzed the Magniber Ransomware and wrote a detailed analysis of its working. Will asked Patrick about the ZIP files used in the malware campaign to see if they were exploiting the same vulnerability or employing some other trick to bypass the "Mark of the Web". [...] And so a new 0day - already exploited in the wild - was revealed. --------------------------------------------- https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-motw.html ∗∗∗ The Defender’s Guide to the Windows Registry ∗∗∗ --------------------------------------------- Welcome to the Defender’s Guide. This is a series of blog posts designed to give you a ground-up start to defending a specific technology from potential attackers. While a lot of this information may be redundant to a more seasoned information security personnel, even the best of us rely on Google and blog posts to get information. These posts are designed to be a one-stop shop, bringing a lot of that information together. --------------------------------------------- https://posts.specterops.io/the-defenders-guide-to-the-windows-registry-feb… ∗∗∗ Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure ∗∗∗ --------------------------------------------- Learning about the variety of techniques used by banking Trojans can help us detect other activities of financially motivated threat groups. --------------------------------------------- https://unit42.paloaltonetworks.com/banking-trojan-techniques/ ∗∗∗ Follina Exploit Leads to Domain Compromise ∗∗∗ --------------------------------------------- In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain. --------------------------------------------- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compro… ∗∗∗ Vulnerabilities in Apache Batik Default Security Controls – SSRF and RCE Through Remote Class Loading ∗∗∗ --------------------------------------------- I stumbled upon the Apache Batik library while researching other Java-based products. It immediately caught my attention, as this library parses Scalable Vector Graphics (SVG) files and transforms them into different raster graphics formats (i.e., PNG, PDF, or JPEG). I was even more encouraged when I looked at the Batik documentation. It was obvious that such a library could be prone to Server-Side Request Forgery (SSRF) issues (e.g., loading of images from remote resources). --------------------------------------------- https://www.thezdi.com/blog/2022/10/28/vulnerabilities-in-apache-batik-defa… ∗∗∗ AgentTesla Being Distributed via VBS ∗∗∗ --------------------------------------------- The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file has multiple codes that have been obfuscated multiple times. AgentTesla has been found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing. --------------------------------------------- https://asec.ahnlab.com/en/40890/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- App Connect Professional, IBM Business Automation Manager Open Editions 8.0.1, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Cloud Pak for Business Automation, IBM Cloud Pak for Security, IBM Event Streams, IBM Host Access Transformation Services, IBM MQ Appliance --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client ∗∗∗ --------------------------------------------- Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible. --------------------------------------------- https://spring.io/blog/2022/10/31/cve-2022-31690-privilege-escalation-in-sp… ∗∗∗ CVE-2022-31692: Authorization rules can be bypassed via forward or include in Spring Security ∗∗∗ --------------------------------------------- Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for [CVE-2022-31692](https://tanzu.vmware.com/security/cve-2022-31692) affecting the AuthorizationFilter. Users are encouraged to update as soon as possible. --------------------------------------------- https://spring.io/blog/2022/10/31/cve-2022-31692-authorization-rules-can-be… ∗∗∗ CISA Has Added One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/10/28/cisa-has-added-on… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2022
by Daily end-of-shift report 28 Oct '22

28 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-10-2022 18:00 − Freitag 28-10-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Windows: Gefährliche, IE-basierende Schwachstellen ∗∗∗ --------------------------------------------- Sicherheitsforscher der Varonis Threat Labs haben zwei Windows-Sicherheitslücken aufgedeckt, die große blinde Flecken für Sicherheits-Software erzeugen und Rechner mittels DoS-Angriffe außer Betrieb setzen können. LogCrusher und OverLog nutzen dabei das Internet Explorer-spezifische Ereignisprotokoll MS-EVEN, das auf allen aktuellen Windows-Betriebssystemen vorhanden ist, unabhängig davon, ob der Browser genutzt wurde oder wird. Während OverLog mittlerweile gefixt ist, hat Microsoft für LogCrusher kürzlich nur einen partiellen Patch herausgegeben: Cyberkriminelle können deshalb immer noch Angriffe durchführen, wenn sie sich einen Administrator-Zugang zum Netzwerk des Opfers verschaffen. --------------------------------------------- https://www.borncity.com/blog/2022/10/28/windows-gefhrliche-ie-basierende-s… ∗∗∗ Neue Website: Apple erleichtert Sicherheitsforschung ∗∗∗ --------------------------------------------- Ein zentrales neues Portal erklärt das Bug–Bounty-Programm und ermöglicht es, schneller und direkter mit dem Security-Team des Konzerns in Kontakt zu kommen. --------------------------------------------- https://heise.de/-7323634 ∗∗∗ macOS 13: Anti-Malware-Tools nach Upgrade zahnlos ∗∗∗ --------------------------------------------- Antivirus-Software und andere Sicherheits-Tools funktionieren durch einen Apple-Bug in macOS Ventura nicht mehr richtig. Das Problem kann behoben werden. --------------------------------------------- https://heise.de/-7322669 ∗∗∗ Vorsicht vor dieser Fake-Raiffeisen Investmentfalle ∗∗∗ --------------------------------------------- Geld verdienen mit Raiffeisen, angeboten werden angeblich Aktien einer der größten Banken Österreichs. Das Versprechen klingt gut, doch es handelt sich um eine gut getarnte Phishing-Seite. Investieren Sie nicht auf lps.snowgross.com, Sie tappen in eine Anlagebetrugsfalle! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dieser-fake-raiffeisen-… ∗∗∗ One-Time Programs ∗∗∗ --------------------------------------------- One of the things I like to do on this blog is write about new research that has a practical angle. Most of the time (I swear) this involves writing about other folks’ research: it’s not that often that I write about work that comes out of my own lab. Today I’m going make an [...] --------------------------------------------- https://blog.cryptographyengineering.com/2022/10/27/one-time-programs/ ∗∗∗ Apple clarifies security update policy: Only the latest OSes are fully patched ∗∗∗ --------------------------------------------- New document confirms what security researchers have observed for a few years. --------------------------------------------- https://arstechnica.com/?p=1893235 ∗∗∗ Android malware droppers with 130K installs found on Google Play ∗∗∗ --------------------------------------------- A set of Android malware droppers were found infiltrating the Google Play store to install malicious programs by pretending to be app updates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-droppers-wit… ∗∗∗ Exploit released for critical VMware RCE vulnerability, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ Researchers Expose Over 80 ShadowPad Malware C2 Servers ∗∗∗ --------------------------------------------- As many as 85 command-and-control (C2) servers have been discovered supported by the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022. Thats according to VMwares Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications. --------------------------------------------- https://thehackernews.com/2022/10/researchers-expose-over-80-shadowpad.html ∗∗∗ Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints ∗∗∗ --------------------------------------------- The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up. --------------------------------------------- https://thehackernews.com/2022/10/raspberry-robin-operators-selling.html ∗∗∗ TCP/IP Vulnerability CVE-2022–34718 PoC Restoration and Analysis ∗∗∗ --------------------------------------------- The patch released by Microsoft last month contained a vulnerability in the TCP/IP protocol that allowed for code execution. To ascertain the impact of the vulnerability, Numen’s security research team conducted an in-depth analysis of the vulnerability and restored the PoC through patch comparison. --------------------------------------------- https://medium.com/numen-cyber-labs/analysis-and-summary-of-tcp-ip-protocol… ∗∗∗ Defeating Guloader Anti-Analysis Technique ∗∗∗ --------------------------------------------- Unit 42 is providing a script to deobfuscate a recently discovered Guloader variant that uses anti-analysis techniques, and other samples like it. --------------------------------------------- https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/ ∗∗∗ Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign ∗∗∗ --------------------------------------------- Group uses novel method of reading commands from legitimate IIS logs. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/cranefly… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates für älteres iOS und iPadOS ∗∗∗ --------------------------------------------- iPadOS 15.7.1 und iOS 15.7.1 stopfen problematische Sicherheitslücken für alle, die nicht auf iPadOS 16 und iOS 16 aktualisieren wollen - oder können. --------------------------------------------- https://heise.de/-7323199 ∗∗∗ Webbrowser: Entwickler schließen hochriskante Sicherheitslücke in Chrome ∗∗∗ --------------------------------------------- Google hat ein Update für den Webbrowser Chrome veröffentlicht. Darin dichten die Programmierer eine Schwachstelle mit hohem Risiko ab. --------------------------------------------- https://heise.de/-7322963 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- CP4D Match 360, IBM Answer Retrieval for Watson Discovery versions 2.8 and earlier, IBM Cloud Pak System, IBM Db2 On Openshift, IBM Db2® on Cloud Pak for Data, Db2 Warehouse® on Cloud Pak for Data, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM QRadar SIEM, IBM TXSeries for Multiplatforms, IBM Voice Gateway, IBM Watson Assistant for IBM Cloud Pak for Data, IBM® SDK, Java™ Technology Edition, Liberty for Java for IBM Cloud, node.js --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, ruby-sinatra, and thunderbird), Fedora (glances), Mageia (cups, firefox, git, heimdal, http-parser, krb5-appl, minidlna, nginx, and thunderbird), Oracle (389-ds:1.4, device-mapper-multipath, firefox, mysql:8.0, postgresql:12, and thunderbird), SUSE (dbus-1, libconfuse0, libtasn1, openjpeg2, qemu, and thunderbird), and Ubuntu (dbus, linux-azure-fde, and tiff). --------------------------------------------- https://lwn.net/Articles/912873/ ∗∗∗ Corel Coreldraw graphics suite vulnerabilities ∗∗∗ --------------------------------------------- https://secalerts.co/vulnerabilities/corel/coreldraw_graphics_suite ∗∗∗ Case update: DIVD-2022-00020 - Multiple injection vulnerabilities identified within Feathers.js ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00020/ ∗∗∗ Case update: DIVD-2022-00045 - Injection vulnerability found within Socket.io ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00045/ ∗∗∗ [R1] Nessus Version 10.4.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-21 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily