- Daily - CERT.at

Tageszusammenfassung - 27.10.2022
by Daily end-of-shift report 27 Oct '22

27 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-10-2022 18:00 − Donnerstag 27-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft fixes Windows vulnerable driver blocklist sync issue ∗∗∗ --------------------------------------------- Microsoft says it addressed an issue preventing the Windows kernel vulnerable driver blocklist from being synced to systems running older Windows versions. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-vul… ∗∗∗ Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets ∗∗∗ --------------------------------------------- A new version of the Fodcha DDoS botnet has emerged, featuring ransom demands embedded in packets and new features to evade detection of its infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1… ∗∗∗ How to prevent lateral movement attacks using Microsoft 365 Defender ∗∗∗ --------------------------------------------- Learn how Microsoft 365 Defender can enhance mitigations against lateral movement paths in your environment, stopping attackers from gaining access to privileged and sensitive accounts. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/10/26/how-to-prevent-lat… ∗∗∗ Malware vs Virus: What’s the Difference? ∗∗∗ --------------------------------------------- In today’s article, we’ll be clarifying the difference between viruses and malware while helping to identify the most common types of malware. --------------------------------------------- https://blog.sucuri.net/2022/10/whats-the-difference-malware-virus.html ∗∗∗ New Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Instances ∗∗∗ --------------------------------------------- A new cryptojacking campaign has been uncovered targeting vulnerable Docker and Kubernetes infrastructures as part of opportunistic attacks designed to illicitly mine cryptocurrency. --------------------------------------------- https://thehackernews.com/2022/10/new-cryptojacking-campaign-targeting.html ∗∗∗ Hijacking AUR Packages by Searching for Expired Domains ∗∗∗ --------------------------------------------- The Arch User Repository (AUR) is a software repository for Arch Linux. It differs from the official Arch Linux repositories in that its packages are provided by its users and not officially supported by Arch Linux. --------------------------------------------- https://blog.nietaanraken.nl/posts/aur-packages-expired-domains/ ∗∗∗ Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom ∗∗∗ --------------------------------------------- Industrial organizations continue to be a top target for ransomware attacks, and reports published by cybersecurity companies this week reveal some recent trends. --------------------------------------------- https://www.securityweek.com/industrial-ransomware-attacks-new-groups-emerg… ∗∗∗ Trends in Web Threats in CY Q2 2022: Malicious JavaScript Downloaders Are Evolving ∗∗∗ --------------------------------------------- We examine trends in web threats for the second calendar year quarter of 2022, including how a malicious JavaScript downloader is evolving to evade detection. --------------------------------------------- https://unit42.paloaltonetworks.com/web-threats-malicious-javascript-downlo… ∗∗∗ FormBook Malware Being Distributed as .NET ∗∗∗ --------------------------------------------- FormBook is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots. It targets random individuals, and is usually distributed through spam mails or uploaded to infiltrated websites. --------------------------------------------- https://asec.ahnlab.com/en/40663/ ===================== = Vulnerabilities = ===================== ∗∗∗ Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th) ∗∗∗ --------------------------------------------- This week, OpenSSL announced that they will release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability. The update will only affect OpenSSL 3.0.x, not 1.1.1. Now is the time to figure out where and how you are using OpenSSL 3.0.x. --------------------------------------------- https://isc.sans.edu/diary/rss/29192 ∗∗∗ IBM Security Bulletins 2022-10-26 and 2022-10-25 ∗∗∗ --------------------------------------------- IBM SDK, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM i, IBM Robotic Process Automation, IBM Cloud Transformation Advisor, CloudPak for Watson, Netcool Operations Insight. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco AnyConnect: Alte Sicherheitslücken im Visier von Angreifern ∗∗∗ --------------------------------------------- Allerhöchste Zeit, um alte Lücken in Cisco AnyConnect abzudichten: Cisco warnt vor derzeitigen Cyber-Angriffen auf Schwachstellen aus dem Jahr 2020. --------------------------------------------- https://heise.de/-7320917 ∗∗∗ Sicherheitsupdate ArubaOS: Schadcode-Attacken durch präparierte Anfragen möglich ∗∗∗ --------------------------------------------- Die Entwickler des Netzwerkbetriebssystems ArubaOS haben unter anderem eine kritische Lücke geschlossen. --------------------------------------------- https://heise.de/-7321787 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tomcat9), Oracle (389-ds-base, device-mapper-multipath, firefox, git-lfs, gnutls, kernel, kernel-container, libksba, pki-core, samba, sqlite, and zlib), Red Hat (device-mapper-multipath, kernel, kpatch-patch, libksba, and thunderbird), Slackware (expat and samba), SUSE (bind, buildah, curl, firefox, golang-github-prometheus-node_exporter, grafana, icinga2, python-paramiko, python-waitress, SUSE Manager Client Tools, telnet, and xen), [...] --------------------------------------------- https://lwn.net/Articles/912495/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, bind, expat, java-1.8.0-openjdk, java-11-openjdk, libksba, and squid), Debian (chromium, libdatetime-timezone-perl, tzdata, and wordpress), Fedora (dbus, dhcp, dotnet3.1, jhead, samba, and strongswan), Mageia (virtualbox), Oracle (device-mapper-multipath), Scientific Linux (device-mapper-multipath and thunderbird), Slackware (curl), SUSE (container-suseconnect, curl, kernel, libmad, libtasn1, libtirpc, qemu, rubygem-puppet, [...] --------------------------------------------- https://lwn.net/Articles/912688/ ∗∗∗ Windows (Mark of the Web) 0-day per JavaScript für Ransomware-Angriffe genutzt ∗∗∗ --------------------------------------------- Die Tage hatte ich über eine ungefixte 0-day-Schwachstelle, Mark of the Web (MOTOW), in Windows berichtet, für die es einen inoffiziellen Fix gibt. Nun ist mir ein Bericht unter die Augen gekommen, dass eine 0-day-Schwachstelle in diesem Bereich von Cyberkriminellen per JavaScript ausgenutzt werden kann, um Web-Sicherheitswarnungen zu umgehen und Ransomware-Angriffe zu verschleiern. --------------------------------------------- https://www.borncity.com/blog/2022/10/27/exploited-windows-0-day-mark-of-th… ∗∗∗ ZDI-22-1467: (0Day) IronCAD STP File Parsing Uninitialized Pointer Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1467/ ∗∗∗ VMSA-2022-0027 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0027.html ∗∗∗ K11601010: Intel Processor vulnerability CVE-2021-33149 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11601010 ∗∗∗ Synology-SA-22:20 Samba ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_20 ∗∗∗ Hitachi Energy MicroSCADA X DMS600 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-04 ∗∗∗ Johnson Controls CKS CEVAS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-05 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-06 ∗∗∗ AliveCor KardiaMobile ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-298-01 ∗∗∗ Haas Controller ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-01 ∗∗∗ HEIDENHAIN Controller TNC on HARTFORD Machine ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-02 ∗∗∗ Rockwell Automation FactoryTalk Alarm and Events Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-300-01 ∗∗∗ SAUTER Controls moduWeb ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-300-02 ∗∗∗ Rockwell Automation Stratix Devices Containing Cisco IOS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-300-03 ∗∗∗ Trihedral VTScada ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-300-04 ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/10/26/samba-releases-se… ∗∗∗ [R1] Nessus Version 10.3.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-20 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2022
by Daily end-of-shift report 25 Oct '22

25 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Montag 24-10-2022 18:00 − Dienstag 25-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Zero-Day-Fehler im Kernel von iOS und iPadOS wird ausgenutzt ∗∗∗ --------------------------------------------- iOS und iPadOS 16.1 beheben einen schwerwiegenden Kernel-Bug in den Betriebssystemen für iPhone und iPad. Apple hat Berichte über laufende Angriffe. --------------------------------------------- https://heise.de/-7319500 ∗∗∗ Chrome extensions with 1 million installs hijack targets’ browsers ∗∗∗ --------------------------------------------- Researchers at Guardio Labs have discovered a new malvertizing campaign pushing Google Chrome and Microsoft Edge extensions that hijack searches and insert affiliate links into webpages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-mil… ∗∗∗ How the Software Supply Chain Security is Threatened by Hackers ∗∗∗ --------------------------------------------- In many ways, the software supply chain is similar to that of manufactured goods, which we all know has been largely impacted by a global pandemic and shortages of raw materials. However, in the IT world, it is not shortages or pandemics that have been the main obstacles to overcome in recent years, but rather attacks aimed at using them to harm hundreds or even thousands of victims simultaneously. --------------------------------------------- https://thehackernews.com/2022/10/how-software-supply-chain-security-is.html ∗∗∗ Researchers Detail Windows Event Log Vulnerabilities: LogCrusher and OverLog ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, one of which could be exploited to result in a denial-of-service (DoS). --------------------------------------------- https://thehackernews.com/2022/10/researchers-detail-windows-event-log.html ∗∗∗ Chapter 1 - From Gozi to ISFB: The history of a mythical malware family. ∗∗∗ --------------------------------------------- Disclaimer: This article does not contain any IOCs or infrastructure details. Instead, the aim is to explain the whole business dynamic of a long-lasting malware family. This work is based on almost 10 years of research and intel gatherings and tries its best to stick to the truth and the facts observed around ISFB. Hopefully, it will give some insight on how the top cyber crime groups have been working over the years. --------------------------------------------- https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of… ∗∗∗ Stranger Strings: An exploitable flaw in SQLite ∗∗∗ --------------------------------------------- Trail of Bits is publicly disclosing CVE-2022-35737, which affects applications that use the SQLite library API. CVE-2022-35737 was introduced in SQLite version 1.0.12 (released on October 17, 2000) and fixed in release 3.39.2 (released on July 21, 2022). CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled [...] --------------------------------------------- https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-libr… ∗∗∗ E-Mail von WhatsApp: Gewinn über 900.600,00 USD ist Fake ∗∗∗ --------------------------------------------- Aktuell kursiert ein E-Mail von WhatsApp, in dem Sie über den Gewinn von 900.600,00 USD informiert werden. Um den Gewinn zu erhalten, müssen Sie Ihre Kontaktdaten an account.whatsapp(a)mail.com senden. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-von-whatsapp-gewinn-ueber-900… ∗∗∗ Windows 10 22H2, Windows 11 22H2: Administrative Vorlagen (.admx); Windows 10 22H2 Security Baseline ∗∗∗ --------------------------------------------- Kleiner Hinweis für Administratoren von Windows-Systemen in Unternehmensumgebungen. Microsoft hat die Security Baseline für das Windows 10 October 2022 Update (Version 22H2) freigegeben. --------------------------------------------- https://www.borncity.com/blog/2022/10/25/windows-10-22h2-windows-11-22h2-ad… ∗∗∗ Rapidly Evolving Magniber Ransomware ∗∗∗ --------------------------------------------- The Magniber ransomware has recently been evolving rapidly. From changing its file extension, injection and to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes the evolution of the Magniber ransomware in the last few months based on the analysis that had been previously performed. --------------------------------------------- https://asec.ahnlab.com/en/40422/ ∗∗∗ Analysis on Attack Techniques and Cases Using RDP ∗∗∗ --------------------------------------------- Overview One of the previous ASEC blog posts discussed cases where attackers abused various remote control tools that are originally used for system management purposes to gain control over infected systems. This post will cover cases where RDP (Remote Desktop Protocol), a default service provided by baseline Windows OS, was used. --------------------------------------------- https://asec.ahnlab.com/en/40394/ ===================== = Vulnerabilities = ===================== ∗∗∗ Webkonferenzen: Sicherheitslücke in Zoom ermöglicht Sitzungsübernahme ∗∗∗ --------------------------------------------- Zoom warnt vor einer Sicherheitslücke, durch die Angreifer Opfer etwa auf falsche Server locken und so Sitzungen übernehmen könnten. Updates stehen bereit. --------------------------------------------- https://heise.de/-7319974 ∗∗∗ VMSA-2022-00031 ∗∗∗ --------------------------------------------- VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-00031.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libbluray and wkhtmltopdf), Fedora (firefox, libksba, libmodsecurity, libxml2, qemu, and xmlsec1), Red Hat (389-ds-base, 389-ds:1.4, git-lfs, gnutls, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libksba, mysql:8.0, pki-core, postgresql:12, samba, sqlite, and zlib), Scientific Linux (389-ds-base, libksba, and pki-core), SUSE (bluez, firefox, jdom, kernel, libosip2, libxml2, multipath-tools, and python-Mako), and Ubuntu (barbican, mysql-5.7, mysql-8.0, openvswitch, and pillow). --------------------------------------------- https://lwn.net/Articles/912324/ ∗∗∗ Synology-SA-22:19 Presto File Server ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to write arbitrary files or remote authenticated users to bypass security constraint via a susceptible version of Presto File Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_19 ∗∗∗ Synology-SA-22:18 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to read or write arbitrary files or remote authenticated users to access intranet resources via a susceptible version of Synology DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_18 ∗∗∗ Node.js: OpenSSL and zlib update assessment, and Node.js Assessment workflow ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/openssl-and-zlib-vulnerability-ass… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to disclosure of information that could aid in further system attacks. (CVD-2022-38710) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to CSV Injection (CVE-2022-22425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to incorrect permission assignment ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthorized attacker causing integrity impact (CVE-2021-2163) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-07 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2022
by Daily end-of-shift report 24 Oct '22

24 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-10-2022 18:00 − Montag 24-10-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Thousands of GitHub repositories deliver fake PoC exploits with malware ∗∗∗ --------------------------------------------- Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/thousands-of-github-reposito… ∗∗∗ Typosquat campaign mimics 27 brands to push Windows, Android malware ∗∗∗ --------------------------------------------- A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27… ∗∗∗ Kriminalität: Eltern durch Whatsapp-Betrug um Tausende Euro gebracht ∗∗∗ --------------------------------------------- Die Polizei warnt vor Trickbetrügern, die mit einer angeblichen Notlage des Kindes Eltern um ihr Geld bringen. --------------------------------------------- https://www.golem.de/news/kriminalitaet-eltern-durch-whatsapp-betrug-um-tau… ∗∗∗ Securing IoT devices against attacks that target critical infrastructure ∗∗∗ --------------------------------------------- South Staffordshire PLC, a company that supplies water to over one million customers in the United Kingdom, notified its customers in August of being a target of a criminal cyberattack. This incident highlights the sophisticated threats that critical industries face today. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/10/21/securing-iot-devic… ∗∗∗ rtfdumps Find Option, (Sat, Oct 22nd) ∗∗∗ --------------------------------------------- Due to the nature of the RTF language, malicious RTF files can be very obfuscated. To the point that my tool rtfdump.py and Philippe's tool rtfobj don't find embedded objects. --------------------------------------------- https://isc.sans.edu/diary/rss/29174 ∗∗∗ C2 Communications Through outlook.com, (Mon, Oct 24th) ∗∗∗ --------------------------------------------- Most malware implements communication with their C2 server over HTTP(S). Why? Just because it works! But they are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), ... Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails. --------------------------------------------- https://isc.sans.edu/diary/rss/29180 ∗∗∗ SCuBA M365 Security Baseline Assessment Tool ∗∗∗ --------------------------------------------- Developed by CISA, this assessment tool verifies that an M365 tenant’s configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents. --------------------------------------------- https://github.com/cisagov/ScubaGear ∗∗∗ Cisco ISE: Angreifer könnten Kontrolle übernehmen ∗∗∗ --------------------------------------------- Cisco warnt, dass Angreifer Dateien in der Identity Services Engine lesen und löschen könnten. Die Übernahme der Kontrolle über die Geräte könnte möglich sein. --------------------------------------------- https://heise.de/-7317442 ∗∗∗ Gebrauchtwagen-Kauf: Abwicklung über Treuhandunternehmen ist Betrug ∗∗∗ --------------------------------------------- Sie sind gerade auf der Suche nach einem Gebrauchtwagen? Bedenken Sie: Nicht jedes Inserat ist seriös. Auch Kriminelle nutzen gängige Verkaufsplattformen, um betrügerische Lockangebote zu platzieren. Ein betrügerisches Angebot erkennen Sie an der Kommunikation und der Forderung, Geld an ein Treuhandkonto zu überweisen. --------------------------------------------- https://www.watchlist-internet.at/news/gebrauchtwagen-kauf-abwicklung-ueber… ∗∗∗ So funktioniert Domain Shadowing ∗∗∗ --------------------------------------------- Cyberkriminelle nutzen schwer auffindbare Shadow Domains für verschiedene illegale Aktivitäten, einschließlich Phishing und Botnet-Operationen. --------------------------------------------- https://www.zdnet.de/88404347/so-funktioniert-domain-shadowing/ ∗∗∗ AA22-294A: #StopRansomware: Daixin Team ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-294a ∗∗∗ Treasure trove. Alive and well point-of-sale malware ∗∗∗ --------------------------------------------- Analysis of months-long MajikPOS and Treasure Hunter campaign that infected dozens of terminals. --------------------------------------------- https://blog.group-ib.com/majikpos_treasurehunter_malware ∗∗∗ Attacking Very Weak RC4-Like Ciphers the Hard Way ∗∗∗ --------------------------------------------- RC4 is a popular encryption algorithm. The way it works is that a “Key Scheduling Algorithm” (KSA) takes your key and generates a 256-byte array, and then a “Pseudo-Random Generation Algorithm” (PRGA) uses that byte array to output an endless stream of bytes (the “key stream”), which look like random noise unless you know what the original byte array was. --------------------------------------------- https://research.checkpoint.com/2022/attacking-very-weak-rc4-like-ciphers-t… ∗∗∗ Uncovering Security Blind Spots in CNC Machines ∗∗∗ --------------------------------------------- Industry 4.0 has given rise to smart factories that have markedly improved machining processes, but it has also opened the doors for cybercriminals looking to abuse networked industrial equipment such as CNC machines. Our research investigates potential cyberthreats to CNC machines and how manufacturers can mitigate the associated risks. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/j/uncovering-security-blind-sp… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-10-21 and 2022-10-22 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Watson, API Connect, IBM Cloud Pak for Multicloud Management, IBM MQ Appliance, IBM Voice Gateway, Infrastructure Automation, IBM Security Identity Manager. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez, kernel, and lava), Fedora (ckeditor, drupal7, moby-engine, php-Smarty, and wavpack), Mageia (bind, e2fsprogs, epiphany, freerdp, kernel, kernel-linus, libconfuse, libosip2, ntfs-3g, perl-Image-ExifTool, and poppler), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-container, and thunderbird), Scientific Linux (firefox, java-1.8.0-openjdk, and java-11-openjdk), SUSE (bluez, firefox, kernel, libxml2, and Ubuntu (linux-gcp). --------------------------------------------- https://lwn.net/Articles/912178/ ∗∗∗ Missing Authentication in ZKTeco ZEM/ZMM Web Interface ∗∗∗ --------------------------------------------- The ZKTeco time attendance device does not require authentication to use theweb interface, exposing the database of employees and their credentials. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-003/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2022
by Daily end-of-shift report 21 Oct '22

21 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-10-2022 18:00 − Freitag 21-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Synology: Kritische Lücken in NAS erlauben Angreifern Ausführen von Schadcode ∗∗∗ --------------------------------------------- Synology warnt vor kritischen Sicherheitslücken in der DSM-Software einiger NAS. Angreifer könnten Schadode ausführen und unbefugt an Informationen gelangen. --------------------------------------------- https://heise.de/-7316623 ∗∗∗ F5 BIG-IP und Nginx: Hersteller stopft teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in den BIG-IP- und Nginx-Systemen von F5 könnten Angreifern etwa das Ausführen von Schadcode ermöglichen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7316039 ∗∗∗ Gefahren für kritische Infrastrukturen: "Uns fehlt eine Schwachstellenanalyse" ∗∗∗ --------------------------------------------- Prof. Norbert Gebbeken, Gründer und Sprecher des Forschungszentrums RISK, über die Gefahren, die unserer kritischen Infrastruktur drohen – und was man tun kann. --------------------------------------------- https://heise.de/-7315119 ∗∗∗ Your Microsoft Exchange Server Is a Security Liability ∗∗∗ --------------------------------------------- Endless vulnerabilities. Massive hacking campaigns. Slow and technically tough patching. Its time to say goodbye to on-premise Exchange. --------------------------------------------- https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/ ∗∗∗ sczriptzzbn inject pushes malware for NetSupport RAT, (Fri, Oct 21st) ∗∗∗ --------------------------------------------- A campaign nicknamed "sczriptzzbn inject" can be identified by script using a variable named sczriptzzbn injected into files returned from a compromised website. This injected script causes a fake browser update page to appear in the victim's browser. The fake browser update page presents the malware payload for download. More information on the campaign can be found here. In previous weeks, this campaign pushed SolarMarker malware. I ran across one such example on 2022-09-27. This month, we've started seeing a payload for NetSupport RAT from the sczriptzzbn inject. --------------------------------------------- https://isc.sans.edu/diary/rss/29170 ∗∗∗ Archive Sidestepping: Emotet Botnet Pushing Self-Unlocking Password-Protected RAR ∗∗∗ --------------------------------------------- Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/archive-sid… ∗∗∗ Wordfence Evasion Malware Conceals Backdoors ∗∗∗ --------------------------------------------- Malware authors, with some notable exceptions, tend to design their malicious code to hide from sight. The techniques they use help their malware stay on the victim’s website for as long as possible and ensure execution. For example — obfuscation techniques, fake code comments, naming conventions for injections that deploy SEO spam, redirect visitors to malicious third party websites, or steal credit card information from eCommerce stores. --------------------------------------------- https://blog.sucuri.net/2022/10/wordfence-evasion-malware-conceals-backdoor… ∗∗∗ Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware ∗∗∗ --------------------------------------------- A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines. "The attacker intends to utilize a victims resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," Fortinet FortiGuard Labs researcher Cara Lin said in a Thursday report. --------------------------------------------- https://thehackernews.com/2022/10/multiple-campaigns-exploit-vmware.html ∗∗∗ Threat Advisory: Monitoring CVE-2022-42889 “Text4Shell” Exploit Attempts ∗∗∗ --------------------------------------------- On October 17, 2022, the Wordfence Threat Intelligence team began monitoring for activity targeting CVE-2022-42889, or “Text4Shell” on our network of 4 million websites. We started seeing activity targeting this vulnerability on October 18, 2022. Text4Shell is a vulnerability in the Apache Commons Text library versions 1.5 through 1.9 that can be used to achieve [...] --------------------------------------------- https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-… ∗∗∗ CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a Linux kernel flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it within three weeks. --------------------------------------------- https://www.securityweek.com/cisa-tells-organizations-patch-linux-kernel-vu… ∗∗∗ Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool ∗∗∗ --------------------------------------------- Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bl… ∗∗∗ Attackers Abusing Various Remote Control Tools ∗∗∗ --------------------------------------------- Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading them to websites. The malware that is installed include infostealers which steal information from the infected system, ransomware which encrypts files to demand ransom, and DDoS Bots which are used in DDoS attacks. In addition to these, backdoor and RAT are also major programs used by attackers. --------------------------------------------- https://asec.ahnlab.com/en/40263/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-10-20 ∗∗∗ --------------------------------------------- IBM Security Verify Gateway/Bridge, IBM Enterprise Records, IBM Sterling Order Management Netty, IBM WebSphere Application Server, IBM MQ Operator, IBM Sterling Order Management, IBM Enterprise Records, IBM Netezza Host Management. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SolarWinds Security Advisories 2022-10-19 ∗∗∗ --------------------------------------------- SolarWinds released 4 new Security Advisories (3 high, 1 medium) for SolarWinds Platform 2022.4 RC1. --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ SSA-640732 V1.0: Authentication Bypass Vulnerability in Siveillance Video Mobile Server ∗∗∗ --------------------------------------------- The mobile server component of Siveillance Video 2022 R2 contains an authentication bypass vulnerability that could allow an unauthenticated remote attacker to access the application without a valid account.Siemens has released a hotfix for Siveillance Video 2022 R2 and recommends to apply the hotfix on all installations of the mobile server. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-640732.txt ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (poppler), Oracle (firefox and thunderbird), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk, and java-17-openjdk), SUSE (bind, clone-master-clean-up, grafana, libksba, python3, tiff, and v4l2loopback), and Ubuntu (libreoffice). --------------------------------------------- https://lwn.net/Articles/911989/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2022
by Daily end-of-shift report 20 Oct '22

20 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-10-2022 18:00 − Donnerstag 20-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Forensic Value of Prefetch, (Thu, Oct 20th) ∗∗∗ --------------------------------------------- When a program executes on a Windows system there are many artifacts that are generated which can assist digital forensic investigations. One of particular note is the Windows Prefetch file. Found in C:\Windows\Prefetch by default, prefetch files (.pf) contain a wealth of information that can prove vital to any investigation. --------------------------------------------- https://isc.sans.edu/diary/rss/29168 ∗∗∗ Fantastic Rootkits: And Where to Find Them (Part 1) ∗∗∗ --------------------------------------------- In this blog series, we will cover the topic of rootkits — how they are built and the basics of kernel driver analysis — specifically on the Windows platform. In this first part, we will focus on some implementation examples of basic rootkit functionality and the basics of kernel driver development, as well as Windows Internals background needed to understand the inner workings of rootkits. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-… ∗∗∗ Microsoft liefert Updates gegen SSL-/TLS-Probleme durch Windows-Updates ∗∗∗ --------------------------------------------- Die aktuellen Windows-Updates für Windows 10, 11 und Server könnten Probleme bei SSL- und TLS-Verschlüsselung verursachen. Teils helfen weitere Patches dagegen. --------------------------------------------- https://heise.de/-7314906 ∗∗∗ New Malicious Clicker found in apps installed by 20M+ users ∗∗∗ --------------------------------------------- Cybercriminals are always after illegal advertising revenue. As we have previously reported, we have seen many mobile malwares masquerading as a useful tool or utility, and automatically crawling ads in the background. Recently the McAfee Mobile Research Team has identified new Clicker malware that sneaked into Google Play. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-malicious-clicker-… ∗∗∗ Social Engineering dos and don’ts ∗∗∗ --------------------------------------------- It got me thinking, again, about what makes for good social engineering (SE), and what advice would I give my younger self. These are my thoughts. --------------------------------------------- https://www.pentestpartners.com/security-blog/social-engineering-dos-and-do… ∗∗∗ E-Mail-Konto wird migriert: Kriminelle senden betrügerische Mail an Mitarbeiter:innen ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische E-Mails und geben sich dabei als „Outlook-E-Mail-Administrator“ Ihres Unternehmens aus. Angeblich sollen die E-Mail-Konten aller Mitarbeiter:innen migriert werden. Klicken Sie nicht auf den Link. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-konto-wird-migriert-kriminell… ∗∗∗ Datenleck bei Microsoft, Kundendaten betroffen (Okt. 2022) ∗∗∗ --------------------------------------------- Bei Microsoft hat es ein größeres Datenleck gegeben, bei dem Kundendaten wohl öffentlich zugreifbar waren. Eine Sicherheitsfirma hat einen fehlkonfigurierten Server mit den Daten im Internet gefunden und Microsoft im September informiert. --------------------------------------------- https://www.borncity.com/blog/2022/10/20/datenleck-bei-microsoft-kundendate… ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Abode Systems home security kit could allow attacker to take over cameras, remotely disable them ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities in the Abode Systems iota All-In-One Security Kit. This kit includes a main security camera and hub that can alert users of unwanted movement in their homes. It also includes several motion sensors that can be attached to windows and doors. --------------------------------------------- http://blog.talosintelligence.com/2022/10/vuln-spotlight-abode-.html ∗∗∗ LofyGang – Software Supply Chain Attackers; Organized, Persistent, and Operating for Over a Year ∗∗∗ --------------------------------------------- Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”. --------------------------------------------- https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organiz… ∗∗∗ New Research: We’re Still Terrible at Passwords; Making it Easy for Attackers ∗∗∗ --------------------------------------------- We look at two of the most popular protocols used for remote administration, SSH and RDP, to get a sense of how attackers are taking advantage of weaker password management to gain access to systems. --------------------------------------------- https://www.rapid7.com/blog/post/2022/10/20/new-research-were-still-terribl… ∗∗∗ Black Basta and the Unnoticed Delivery ∗∗∗ --------------------------------------------- As reported by Check Point at the end of H1 2022, 1 out of 40 organizations worldwide were impacted by ransomware attacks, which constitutes a worrying 59% increase over the past year. The ransomware business continues to grow in gargantuan proportions due to the lucrative payments demanded – and often received – by cybercrime gangs. --------------------------------------------- https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/ ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Oracle liefert 370 Sicherheitsupdates im Oktober ∗∗∗ --------------------------------------------- Zum Patchday, Critical Patch Update genannt, liefert Oracle eine lange Liste an Produkten mit Sicherheitslücken. 370 Updates schließen die Schwachstellen. --------------------------------------------- https://heise.de/-7314209 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, OpenShift Container Platform 4.9.50 bug fix and, and rh-nodejs14-nodejs), SUSE (buildah, clone-master-clean-up, go1.18, go1.19, helm, jasper, libostree, nodejs16, php8, qemu, and xen), and Ubuntu (libxdmcp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oem-5.14, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-oem-5.17, and perl). --------------------------------------------- https://lwn.net/Articles/911879/ ∗∗∗ Drupal: Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-059 ∗∗∗ Security Bulletin: IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-an-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache Zookeeper (CVE-2019-0201, CVE-2021-21409) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache log4j security vulnerability as it relates to IBM Maximo Scheduler Optimization – Apache Log4j – [CVE-2021-45105] (affecting v2.16) and [CVE-2021-45046] (affecting v2.15) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-security-vul… ∗∗∗ F5: K24823443: Apache Commons Text vulnerability CVE-2022-42889 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24823443 ∗∗∗ F5: K27155546: BIND vulnerability CVE-2022-38177 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27155546 ∗∗∗ F5: K04712583: Linux kernel vulnerability CVE-2021-40490 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04712583 ∗∗∗ F5: K32615023: Linux kernel vulnerability CVE-2022-2588 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32615023 ∗∗∗ Bentley Systems MicroStation Connect ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-293-01 ∗∗∗ Spring: CVE-2022-31684: Reactor Netty HTTP Server may log request headers ∗∗∗ --------------------------------------------- https://spring.io/blog/2022/10/20/cve-2022-31684-reactor-netty-http-server-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2022
by Daily end-of-shift report 19 Oct '22

19 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-10-2022 18:00 − Mittwoch 19-10-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Adobe patcht Illustrator außer der Reihe ∗∗∗ --------------------------------------------- Nach dem großen Patchday letzte Woche legt Adobe nun zwei Updates gegen kritische Lücken im Illustrator nach. --------------------------------------------- https://heise.de/-7314003 ∗∗∗ AMD, Google, Microsoft, Nvidia: Offengelegter Sicherheitsprozessor Caliptra ∗∗∗ --------------------------------------------- Branchenschwergewichte setzen auf RISC-V-Technik für offengelegte Hardware-Security. Sie könnte Black-Box-Umsetzungen wie Microsofts Pluton ersetzen. --------------------------------------------- https://heise.de/-7313272 ∗∗∗ Achtung Betrug: Bewerben Sie sich nicht als „Process Tester“ bei page-rangers.de ∗∗∗ --------------------------------------------- page-rangers.de bietet einen gut bezahlten Minijob als „App-Tester“. Die Arbeit wird von zu Hause aus erledigt und benötigt keine speziellen Anforderungen. Sie erhalten täglich kleine Aufträge, z. B. die Benutzerfreundlichkeit bei der Eröffnung eines Bankkontos zu testen. Doch Vorsicht: Mit diesem Job stehlen Kriminelle Ihre Identität. Mit dem erstellten Bankkonto wird in Ihrem Namen Geld gewaschen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betrug-bewerben-sie-sich-nic… ∗∗∗ Defenders beware: A case for post-ransomware investigations ∗∗∗ --------------------------------------------- The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code. --------------------------------------------- https://www.microsoft.com/security/blog/2022/10/18/defenders-beware-a-case-… ∗∗∗ Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk ∗∗∗ --------------------------------------------- Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web [...] --------------------------------------------- https://msrc-blog.microsoft.com/2022/10/19/awareness-and-guidance-related-t… ∗∗∗ Are Internet Scanning Services Good or Bad for You?, (Wed, Oct 19th) ∗∗∗ --------------------------------------------- I'm in Luxembourg to attend the first edition of the CTI Summit[1]. There was an interesting keynote performed by Patrice Auffret[2], the founder of Onyphe, about "Ethical Internet Scanning in 2022". They are plenty of online scanners that work 24x7 to build a map of the Internet. They scan the entire IP addresses space and look for interesting devices, vulnerabilities, etc. Big players are Shodan, Onyphe, Censys, ZoomEye, etc. --------------------------------------------- https://isc.sans.edu/diary/rss/29164 ∗∗∗ Fully undetectable Windows backdoor gets detected ∗∗∗ --------------------------------------------- SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/10/18/fully_undete… ∗∗∗ A New Attack Surface on MS Exchange Part 4 - ProxyRelay! ∗∗∗ --------------------------------------------- Hi, this is a long-time-pending article. We could have published this article earlier (the original bug was reported to MSRC in June 2021 with a 90-days Public Disclosure Policy). However, during communications with MSRC, they explained that since this is an architectural design issue, lots of code changes and testings are expected and required, so they hope to resolve this problem with a one-time CU (Cumulative Update) instead of the regular Patch Tuesday. --------------------------------------------- https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4… ∗∗∗ Warning: "FaceStealer" iOS and Android apps steal your Facebook login ∗∗∗ --------------------------------------------- FaceStealer is back. As a seasoned threat to legitimate app stores, expect it to be gone and then back again. --------------------------------------------- https://www.malwarebytes.com/blog/news/2022/10/warning-facestealer-ios-and-… ∗∗∗ TeamTNT Returns – or Does It? ∗∗∗ --------------------------------------------- Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and its routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog, might be mimicking TeamTNT’s arsenal. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bcel, kernel, node-xmldom, and squid), Mageia (chromium-browser-stable, dhcp, dokuwiki, firefox, golang, python-joblib, sos, and unzip), Oracle (nodejs and nodejs:16), Red Hat (firefox, kernel, kernel-rt, nodejs, nodejs:14, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (git and mozilla), SUSE (amazon-ssm-agent, caasp-release, cri-o, patchinfo, release-notes-caasp, skuba, enlightenment, libreoffice, netty, nodejs12, nodejs14, [...] --------------------------------------------- https://lwn.net/Articles/911723/ ∗∗∗ Oracle Releases 370 New Security Patches With October 2022 CPU ∗∗∗ --------------------------------------------- Oracle on Tuesday announced the release of 370 patches as part of its quarterly set of security updates. The October 2022 Critical Patch Update (CPU) resolves over 50 critical-severity vulnerabilities. More than 200 of the newly released security patches deal with vulnerabilities that are remotely exploitable without authentication. --------------------------------------------- https://www.securityweek.com/oracle-releases-370-new-security-patches-octob… ∗∗∗ Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function UPDATE A ∗∗∗ --------------------------------------------- UPDATE A (19.10.2022): Added Control block-Set CPX-CEC-C1 and Control block-SETCPX-CMXX to affected products. Unauthenticated access to critical webpage functions (e.g. reboot) may cause a denial of service --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-036/ ∗∗∗ K30425568: Overview of F5 vulnerabilities (October 2022) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30425568 ∗∗∗ CVE-2021-3772 Linux Kernel Vulnerability in NetApp DSA E2800 series ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-609377-bt.html ∗∗∗ Multiple Cross Site Scripting vulnerabilities in Bosch VIDEOJET multi 4000 ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-454166-bt.html ∗∗∗ Cisco Identity Services Engine Unauthorized File Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco TelePresence Collaboration Endpoint and RoomOS Software Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Meraki MX and Z3 Teleworker Gateway VPN Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Golang Go vulnerabilities (CVE-2022-27664 and CVE-2022-32190) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Spark affecting IBM QRadar User Behavior Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by vulnerability in Dojo [CVE-2021-23450] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: CMIS is affected since it uses Spring Framework, but not vulnerable to [CVE-2022-22965] and [CVE-2022-22963] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cmis-is-affected-since-it… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is vulnerable to information disclosure due to JUnit4 (CVE-2020-15250) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2022
by Daily end-of-shift report 18 Oct '22

18 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Montag 17-10-2022 18:00 − Dienstag 18-10-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CVE-2022-42889: Keep Calm and Stop Saying "4Shell" ∗∗∗ --------------------------------------------- [...] The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison. The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input. In summary, much like with Spring4Shell, there are significant caveats to practical exploitability for CVE-2022-42889. With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle. --------------------------------------------- https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-st… ∗∗∗ Europol: Festgenommene Autodiebe stahlen Fahrzeuge mittels Software ∗∗∗ --------------------------------------------- In Frankreich wurden 31 Mitglieder einer Diebesbande festgenommen, die Autos mit schlüssellosen Zugangssystemen per Software gestohlen haben sollen. --------------------------------------------- https://www.golem.de/news/europol-festgenommene-autodiebe-stahlen-fahrzeuge… ∗∗∗ Sicherheit: Antivirensoftware blockiert Thunderbird-Updates ∗∗∗ --------------------------------------------- Statt für Sicherheit zu sorgen, blockieren Avast und AVG Thunderbird-Updates. Das soll bereits seit dreieinhalb Monaten der Fall sein. --------------------------------------------- https://www.golem.de/news/sicherheit-antivirensoftware-blockiert-thunderbir… ∗∗∗ Fake-Shop Alarm: Vorsicht vor betrügerischen Solar- und Photovoltaik-Shops ∗∗∗ --------------------------------------------- Shops wie elektrox-solar.at und horizon-shot.com täuschen mit professionellem Design und gestohlenen Impressumsdaten. Lassen Sie sich von diesen Fake-Shops nicht in die Falle locken! So erkennen Sie Fake-Solar-Shops online. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-vor-betrueg… ∗∗∗ Das Salz in der Suppe: Salts als unverzichtbare Zutat bei der Passwortspeicherung für Applikationen ∗∗∗ --------------------------------------------- Die Verwendung eines Salt bei der Passwortspeicherung verhindert die Vorberechnung des Hash. Als zusätzliches Geheimnis kann ein Pepper verwendet werden. --------------------------------------------- https://www.syss.de/pentest-blog/das-salz-in-der-suppe-salts-als-unverzicht… ∗∗∗ WordPress 6.0.3 erschienen ∗∗∗ --------------------------------------------- Gerade habe ich die Meldung erhalten, dass ein Wartungsupdate auf WordPress 6.0.3 erschienen ist. Dieses Update schließt einige Sicherheitslücken, die hier beschrieben sind. --------------------------------------------- https://www.borncity.com/blog/2022/10/18/wordpress-6-0-3-erschienen/ ∗∗∗ FLEXlm and Citrix ADM Denial of Service Vulnerability ∗∗∗ --------------------------------------------- On June 27, 2022, Citrix released an advisory for CVE-2022-27511 and CVE-2022-27512, which affect Citrix ADM (Application Delivery Management). Rapid7 investigated these issues to better understand their impact, and found that the patch is not sufficient to prevent exploitation. We also determined that the worst outcome of this vulnerability is a denial of service - the licensing server can be told to shut down (even with the patch). --------------------------------------------- https://www.rapid7.com/blog/post/2022/10/18/flexlm-and-citrix-adm-denial-of… ∗∗∗ Python Obfuscation for Dummies, (Tue, Oct 18th) ∗∗∗ --------------------------------------------- Recently, I found several malicious Python scripts that looked the same. They all contained the same strings at the end: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/29160 ∗∗∗ I’m in your hypervisor, collecting your evidence ∗∗∗ --------------------------------------------- Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It’s rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT’s approach to enterprise scale incident response for the past few years has been to collect small forensic artefact packages using our internal data collection utility, “acquire”, usually deployed using the clients’ preferred method of software deployment. While this method works fine in most cases, we often encounter scenarios where deploying our software is tricky or downright impossible. --------------------------------------------- https://blog.fox-it.com/2022/10/18/im-in-your-hypervisor-collecting-your-ev… ∗∗∗ Zoom for macOS Contains High-Risk Security Flaw ∗∗∗ --------------------------------------------- Video messaging technology powerhouse Zoom has rolled out a high-priority patch for macOS users alongside a warning that hackers could abuse the software flaw to connect to and control Zoom Apps. --------------------------------------------- https://www.securityweek.com/zoom-macos-contains-high-risk-security-flaw ∗∗∗ Dutch Police obtain 155 decryption keys for Deadbolt ransomware victims ∗∗∗ --------------------------------------------- Police in the Netherlands said they were able to trick the group behind the Deadbolt ransomware to hand over the decryption keys for 155 victims during a police operation announced last week. In a statement, the Dutch National Police said on Friday that they conducted a targeted operation where they effectively paid a ransom in [...] --------------------------------------------- https://therecord.media/dutch-police-obtain-155-decryption-keys-for-deadbol… ∗∗∗ Alchimist: A new attack framework in Chinese for Mac, Linux and Windows ∗∗∗ --------------------------------------------- Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines. --------------------------------------------- http://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html ∗∗∗ Software Patch Management Policy Best Practices ∗∗∗ --------------------------------------------- Explore the top risk-based patch management policy best practices to mitigate the growing threat of vulnerability exploits in your organization. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/22/j/software-patch-management-policy… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software ∗∗∗ --------------------------------------------- HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems. --------------------------------------------- https://thehackernews.com/2022/10/critical-rce-vulnerability-discovered.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc and libksba), Fedora (dhcp and kernel), Red Hat (.NET 6.0, .NET Core 3.1, compat-expat1, kpatch-patch, and nodejs:16), Slackware (xorg), SUSE (exiv2, expat, kernel, libreoffice, python, python-numpy, squid, and virtualbox), and Ubuntu (linux-azure and zlib). --------------------------------------------- https://lwn.net/Articles/911562/ ∗∗∗ Advantech R-SeeNet ∗∗∗ --------------------------------------------- Successful exploitation of these vulnerabilities could result in an unauthorized attacker remotely deleting files on the system or allowing remote code execution. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-291-01 ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to SOAPAction spoofing (CVE-2022-38712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to denial of service due to XStream (CVE-2021-43859) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Framework (CVE-2021-22060) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to remove traversal due to Apache Commons IO (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-… ∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy… ∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow – CVE-2022-35279 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2022
by Daily end-of-shift report 17 Oct '22

17 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-10-2022 18:00 − Montag 17-10-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Prestige: Microsoft findet neue Ransomware in Polen und Ukraine ∗∗∗ --------------------------------------------- Das Sicherheitsteam von Microsoft hat eine komplett neue Ransomware-Kampagne gegen den Logistik- und Transportsektor in der Ukraine und Polen entdeckt. --------------------------------------------- https://www.golem.de/news/prestige-microsoft-findet-neue-ransomware-in-pole… ∗∗∗ Office 365: Microsofts E-Mail-Verschlüsselung ist unsicher ∗∗∗ --------------------------------------------- Die E-Mail-Verschlüsselung von Microsoft 365 setzt auf AES in einem unsicheren Modus. Dadurch können Rückschlüsse auf die Inhalte gezogen werden. --------------------------------------------- https://www.golem.de/news/office-365-microsofts-e-mail-verschluesselung-ist… ∗∗∗ Schwachstelle im Linux-Kernel ermöglicht Codeschmuggel via WLAN ∗∗∗ --------------------------------------------- Ein IT-Sicherheitsforscher hat Schwachstellen im Linux-Kernel gefunden. Angreifer könnten durch manipulierte WLAN-Pakete beliebigen Code einschleusen. --------------------------------------------- https://heise.de/-7309762 ∗∗∗ Support-Ende für VMware ESXi 6.5 und 6.7 - noch viele Alt-Systeme aktiv ∗∗∗ --------------------------------------------- Am 15. Oktober hat VMware den Support für VMware ESXi 6.5 und 6.7 eingestellt. Aktuellen Zahlen zufolge sind noch viele veraltete Systeme im Einsatz. --------------------------------------------- https://heise.de/-7310412 ∗∗∗ Neue Ransomware-Gang „Ransom Cartel“ ∗∗∗ --------------------------------------------- Der IT-Sicherheitsanbieter Palo Alto Networks und dessen Malware-Analyseteam Unit42 haben Erkenntnisse zu „Ransom Cartel“ gewonnen. Es handelt sich um eine Ransomware as a Service (RaaS)-Anbieter, der Mitte Dezember 2021 erstmals aufgetaucht ist. --------------------------------------------- https://www.zdnet.de/88404159/neue-ransomware-gang-ransom-cartel/ ∗∗∗ Microsoft bestätigt: Windows patzt bei der Erkennung gefährlicher Treiber – Blocklisten nicht verteilt ∗∗∗ --------------------------------------------- Eigentlich sollte Windows bekannte, bösartige Treiber beim Laden blockieren, so dass diese keinen Schaden anrichten können. Zumindest hat Microsoft dies seit Jahren behauptet. Nun hat Microsoft unter der Hand zugegeben, dass man dort gepatzt hat. --------------------------------------------- https://www.borncity.com/blog/2022/10/17/microsoft-besttigt-windows-patzt-b… ∗∗∗ Unseriöse Werbung auf Pinterest ∗∗∗ --------------------------------------------- Wie in jedem Sozialen Netzwerk gibt es auch auf Pinterest Werbung. In letzter Zeit vermehrt von unseriösen Online-Shops für Haar-Styling-Geräte und Shaping-Hosen. Die Produkte von zevoon.de, valurabeauty.de oder lusto.de wirken zwar vielversprechend, erfahrungsgemäß werden Sie aber enttäuscht und erhalten minderwertigen Schrott aus China. Wir zeigen Ihnen, bei welchen Shops Sie lieber nicht bestellen sollten. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-werbung-auf-pinterest/ ∗∗∗ New PHP information-stealing malware targets Facebook accounts ∗∗∗ --------------------------------------------- Threat analysts have spotted a new Ducktail campaign using a new infostealer variant and novel TTPs (tactics, techniques, and procedures), while the Facebook users it targets are no longer limited to holders of business accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-php-information-stealing… ∗∗∗ Black Basta Ransomware Hackers Infiltrates Networks via Qakbot to Deploy Brute Ratel C4 ∗∗∗ --------------------------------------------- The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week. --------------------------------------------- https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html ∗∗∗ Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis ∗∗∗ --------------------------------------------- On September 2, 2022, Zscaler Threatlabz captured an in-the-wild 0-day exploit in the Windows Common Log File System Driver (CLFS.sys) and reported this discovery to Microsoft. In the September Tuesday patch, Microsoft fixed this vulnerability that was identified as CVE-2022-37969, which is a Windows Common Log File System Driver elevation of privilege vulnerability. An attacker who successfully exploits this vulnerability may gain SYSTEM privileges. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-windows-… ∗∗∗ Free Micropatches For Bypassing "Mark of the Web" on Unzipped Files (0day) ∗∗∗ --------------------------------------------- In May, security researcher Will Dormann found a vulnerability in Windows that allows an attacker to prevent Windows from setting the "Mark of the Web" flag on files extracted from a ZIP archive, even if the ZIP archive came from an untrusted source such as Internet, email, or a USB key. Mark of the Web (MOTW) is an important security mechanism in Windows: Windows will show a security warning before launching an executable file with MOTW; --------------------------------------------- https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-mark-of.html ∗∗∗ New Black Lotus UEFI Rootkit Provides APT-Level Capabilities to Cybercriminals ∗∗∗ --------------------------------------------- A threat actor is promoting on underground criminal forums a vendor-independent UEFI rootkit that can disable security software and controls, cybersecurity veteran Scott Scheferman warns. --------------------------------------------- https://www.securityweek.com/new-black-lotus-uefi-rootkit-provides-apt-leve… ∗∗∗ Detecting Emerging Network Threats From Newly Observed Domains ∗∗∗ --------------------------------------------- We discuss how to discover potential threats among newly observed domains at the time they begin to carry attack traffic. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-newly-observed-domains/ ∗∗∗ CISA Releases RedEye: Red Team Campaign Visualization and Reporting Tool ∗∗∗ --------------------------------------------- CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. RedEye allows an operator to quickly assess complex data, evaluate mitigation strategies, and enable effective decision making. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/10/14/cisa-releases-red… ∗∗∗ Stories from the SOC: Feeling so foolish – SocGholish drive by compromise ∗∗∗ --------------------------------------------- SocGholish, also known as FakeUpdate, is a JavaScript framework leveraged in social engineering drive by compromises that has been a thorn in cybersecurity professionals’ and organizations’ sides for at least 5 years now. Upon visiting a compromised website, users are redirected to a page for a browser update and a zip archive file containing a malicious JavaScript file is downloaded and unfortunately often opened and executed by the fooled end user. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-10-14 ∗∗∗ --------------------------------------------- IBM InfoSphere Information Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct for HP NonStop, IBM Sterling File Gateway --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ MiniDVBLinux 5.4 Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Arbitrary File Read Vulnerability, Remote Root Command Execution Vulnerability, Remote Root Command Injection Vulnerability, Unauthenticated Stream Disclosure Vulnerability, Change Root Password PoC, Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit, Config Download Exploit --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults ∗∗∗ --------------------------------------------- Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with [...] --------------------------------------------- https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (python-django), Fedora (apptainer, kernel, python3.6, and vim), Gentoo (assimp, deluge, libvirt, libxml2, openssl, rust, tcpreplay, virglrenderer, and wireshark), Slackware (zlib), SUSE (chromium, python3, qemu, roundcubemail, and seamonkey), and Ubuntu (linux-aws-5.4 and linux-ibm). --------------------------------------------- https://lwn.net/Articles/911461/ ∗∗∗ WAGO: Multiple products - Loss of MAC-Address-Filtering after reboot ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-042/ ∗∗∗ WAGO: Multiple Vulnerabilities in Controller with WAGO I/O-Pro / CODESYS 2.3 Runtime ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-040/ ∗∗∗ TRUMPF TruTops prone to improper access control ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-023/ ∗∗∗ Gitea: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1742 ∗∗∗ Linux Kernel: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1741 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2022
by Daily end-of-shift report 14 Oct '22

14 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-10-2022 18:00 − Freitag 14-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Infostealer: Was ist das, wie werden sie verbreitet und wie lassen sie sich aufhalten? ∗∗∗ --------------------------------------------- Infostealer sind eine schädliche Software, die darauf ausgelegt ist, Ihre vertraulichen Daten zu stehlen. Hier erfahren Sie, was genau sie sind, wie sie verbreitet werden und wie sie sich aufhalten lassen. --------------------------------------------- https://blog.emsisoft.com/de/41944/infostealer-was-ist-das-wie-werden-sie-v… ∗∗∗ Magniber ransomware now infects Windows users via JavaScript files ∗∗∗ --------------------------------------------- A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magniber-ransomware-now-infe… ∗∗∗ What the Uber Hack can teach us about navigating IT Security ∗∗∗ --------------------------------------------- The recent Uber cyberattack shows us the myriad tactics employed by threat actors to breach corporate networks. Learn more about these tactics used and how to navigate IT Security. --------------------------------------------- https://www.bleepingcomputer.com/news/security/what-the-uber-hack-can-teach… ∗∗∗ Microsoft 365 Message Encryption Can Leak Sensitive Info ∗∗∗ --------------------------------------------- The default email encryption used in Microsoft Offices cloud version is leaky, which the company acknowledged but said it wouldnt fix. --------------------------------------------- https://www.darkreading.com/application-security/microsoft-365-message-encr… ∗∗∗ Hunting for Cobalt Strike: Mining and plotting for fun and profit ∗∗∗ --------------------------------------------- Cobalt Strike is a commercial Command and Control framework built by Helpsystems. You can find out more about Cobalt Strike on the MITRE ATT&CK page. But it can also be used by real adversaries. In this post we describe how to use RiskIQ and other Microsoft technologies to see if you have Cobalt Strike [...] --------------------------------------------- https://msrc-blog.microsoft.com/2022/10/13/hunting-for-cobalt-strike-mining… ∗∗∗ Improvements in Security Update Notifications Delivery - And a New Delivery Method ∗∗∗ --------------------------------------------- At MSRC, we are passionate about ensuring our customers have a positive experience when they use the Microsoft Security Update Guide (SUG). A big part of improving that experience is ensuring that customers have timely and easily accessible notifications. As such we have two important announcements to share about changes to the way we provide notifications. --------------------------------------------- https://msrc-blog.microsoft.com/2022/10/12/14921/ ∗∗∗ Analysis of a Malicious HTML File (QBot), (Thu, Oct 13th) ∗∗∗ --------------------------------------------- Reader Eric submitted a malicious HTML page that contains BASE64 images with malware. --------------------------------------------- https://isc.sans.edu/diary/rss/29146 ∗∗∗ Firefoxs New Service Gives You a Burner Phone Number To Cut Down on Spam ∗∗∗ --------------------------------------------- Firefox Relay, a Mozilla service designed to hide your "real" email address by giving you virtual ones to hand out, is expanding to offer virtual phone numbers. From a report: In a blog post Mozilla product manager Tony Amaral-Cinotto explains that the relay service generates a phone number for you to give out to companies if you suspect they might use it to send you spam messages in the future, or if you think they might share it with others who will. --------------------------------------------- https://news.slashdot.org/story/22/10/13/1124240/firefoxs-new-service-gives… ∗∗∗ PiRogue Tool Suite Mobile forensic & network analysis on a Raspberry Pie ∗∗∗ --------------------------------------------- PiRogue tool suite (PTS) is an open-source tool suite that provides a comprehensive mobile forensic and network traffic analysis platform targeting mobile devices both Android and iOS, internet of things devices (devices that are connected to the user mobile apps), and in general any device using wi-fi to connect to the Internet. --------------------------------------------- https://pts-project.org/ ∗∗∗ PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin ∗∗∗ --------------------------------------------- Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts. --------------------------------------------- https://www.securityweek.com/poc-published-fortinet-vulnerability-mass-expl… ∗∗∗ Ransom Cartel Ransomware: A Possible Connection With REvil ∗∗∗ --------------------------------------------- Ransom Cartel is ransomware as a service (RaaS) that exhibits several similarities to and technical overlaps with REvil ransomware. Read our overview. --------------------------------------------- https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/ ∗∗∗ Seven tips to run effective security awareness campaigns ∗∗∗ --------------------------------------------- Planning large-scale security awareness campaigns throws up many questions to grapple with. How can you make sure your campaign reaches the right people? What’s the best way to inspire them to take action? And how do you run a security awareness campaign so realistic it gets banned by the national post office? --------------------------------------------- https://connect.geant.org/2022/10/14/seven-tips-to-run-effective-security-a… ∗∗∗ Shodan Verified Vulns 2022-10-01 ∗∗∗ --------------------------------------------- Mit Stand 2022-10-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2022/10/shodan-verified-vulns-2022-10-01 ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM Performance Management, IBM Watson Discovery for IBM Cloud Pak for Data, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Cloud Pak System --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (dbus, dhcp, expat, kernel, thunderbird, vim, and weechat), Mageia (libofx, lighttpd, mediawiki, and python), Oracle (.NET 6.0 and .NET Core 3.1), Slackware (python3), SUSE (chromium, kernel, libosip2, python-Babel, and python-waitress), and Ubuntu (gThumb, heimdal, linux-aws, linux-gcp-4.15, linux-aws-hwe, linux-gcp, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, postgresql-9.5, and xmlsec1). --------------------------------------------- https://lwn.net/Articles/911168/ ∗∗∗ Hitachi Energy Lumada Asset Performance Management Prognostic Model Executor Service ∗∗∗ --------------------------------------------- This advisory contains mitigations for Allocation of Resources Without Limits or Throttling and Code Injection vulnerabilities in versions of Hitachi Energy Lumada Asset Performance Manager (APM) software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-286-05 ∗∗∗ OpenSSL Infinite loop when parsing certificates CVE-2022-0778 ∗∗∗ --------------------------------------------- Version: 1.7, Date: 14-Oct-2022, Description: Fixed product(s) lists are updated: GMS, Analytics, SonicWave, SonicSwitch, Connect Tunnel Client. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002 ∗∗∗ Joomla KSAdvertiser 2.5.37 Cross Site Scripting ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022100035 ∗∗∗ Android App "IIJ SmartKey" vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN74534998/ ∗∗∗ Pulse Secure Pulse Connect Secure: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1717 ∗∗∗ Red Hat Enterprise Linux (Advanced Cluster Management): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1715 ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1719 ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1720 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.10.2022
by Daily end-of-shift report 13 Oct '22

13 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-10-2022 18:00 − Donnerstag 13-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Alchimist attack framework targets Windows, macOS, Linux ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new attack and C2 framework called Alchimist, which appears to be actively used in attacks targeting Windows, Linux, and macOS systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-alchimist-attack-framewo… ∗∗∗ SiteCheck Malware Trends Report – Q3 2022 ∗∗∗ --------------------------------------------- Our free SiteCheck remote website scanner provides immediate insights about malware infections, blocklisting, website anomalies, and errors for millions of webmasters every month. Best of all, conducting a remote website scan is one of the easiest ways to identify security issues. --------------------------------------------- https://blog.sucuri.net/2022/10/sitecheck-malware-trends-report-2022-q3.html ∗∗∗ Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers ∗∗∗ --------------------------------------------- Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts. Also deployed is a PowerShell backdoor dubbed CreepySnail. --------------------------------------------- https://thehackernews.com/2022/10/researchers-uncover-custom-backdoors.html ∗∗∗ VPN-Problem: Apple-Apps leaken Daten unter iOS ∗∗∗ --------------------------------------------- Der iPhone-VPN-Dienst scheint noch immer nicht sauber zu laufen. Ein Sicherheitsforscher warnt vor Leaks insbesondere aus Apple-eigenen Apps. --------------------------------------------- https://heise.de/-7307198 ∗∗∗ Top 5 ransomware detection techniques: Pros and cons of each ∗∗∗ --------------------------------------------- In the fight against ransomware, much of the discussion revolves around prevention and response. Actually detecting the ransomware, however, is just as important to securing your business. To understand why, just consider the following example. --------------------------------------------- https://www.malwarebytes.com/blog/business/2022/10/top-5-ransomware-detecti… ∗∗∗ MS Enterprise app management service RCE. CVE-2022-35841 ∗∗∗ --------------------------------------------- TL;DR A remote command execution and local privilege escalation vulnerability has been fixed by Microsoft as part of September’s patch Tuesday. The vulnerability, filed under CVE-2022-35841, affects the Enterprise App Management Service which handles the installation of enterprise applications deployed via MDM. --------------------------------------------- https://www.pentestpartners.com/security-blog/ms-enterprise-app-management-… ∗∗∗ Some Vulnerabilities Don’t Have a Name ∗∗∗ --------------------------------------------- There is a common assumption that all open source vulnerabilities hold a CVE. Still, others believe that the National Vulnerability Database (NVD) has the final word when deciding what is a vulnerability and what is not. However, can a vulnerability exist that isn’t tracked by a CVE, or is not in the NVD? --------------------------------------------- https://checkmarx.com/blog/some-vulnerabilities-dont-have-a-name/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Kritische Lücken in WAN-Managementsystem von Aruba ∗∗∗ --------------------------------------------- Zwei kritische Schwachstellen in Aruba EdgeConnect Orchestrator gefährden Netzwerke. --------------------------------------------- https://heise.de/-7307059 ∗∗∗ CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface ∗∗∗ --------------------------------------------- An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1 web interface allows a network-based attacker with specific knowledge of the target firewall or Panorama appliance to impersonate an existing PAN-OS administrator and perform privileged actions. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0030 ∗∗∗ Juniper Security Bulletins 2022-10-12 ∗∗∗ --------------------------------------------- Juniper has released 37 security advisories. --------------------------------------------- https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor… ∗∗∗ Schwachstelle in JavaScript-Sandbox vm2 erlaubt Ausbruch aus der Isolation ∗∗∗ --------------------------------------------- Wer eine Version kleiner 3.9.11 von vm2 verwendet, sollte die Sandbox aktualisieren, da eine Schwachstelle das Ausführen von Remote-Code auf dem Host erlaubt. --------------------------------------------- https://heise.de/-7306752 ∗∗∗ Groupware Zimbra: Updates stopfen mehrere Sicherheitslecks ∗∗∗ --------------------------------------------- In der Groupware Zimbra beheben die Entwickler mehrere sicherheitsrelevante Fehler. Angreifer könnten die Instanz kompromittieren oder ihre Rechte ausweiten. --------------------------------------------- https://heise.de/-7307521 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice, rexical, ruby-nokogiri, and squid), Fedora (wavpack), Red Hat (expat), SUSE (gdcm, orthanc, orthanc-gdcm, orthanc-webviewer and rubygem-puma), and Ubuntu (GMP and unzip). --------------------------------------------- https://lwn.net/Articles/911042/ ∗∗∗ Trellix ePolicy Orchestrator: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Trellix ePolicy Orchestrator ausnutzen, um Dateien zu manipulieren oder einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1700 ∗∗∗ Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service ∗∗∗ --------------------------------------------- Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely. --------------------------------------------- http://blog.talosintelligence.com/2022/10/vuln-spotlight-robustel-router.ht… ∗∗∗ Sonicwall: GMS File Path Manipulation ∗∗∗ --------------------------------------------- An unauthenticated attacker can gain access to web directory containing applications binaries and configuration files through file path manipulation vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0021 ∗∗∗ Drupal: Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-058 ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Hortonworks DataFlow product has log messages vulnerable to arbitrary code execution, denial of service, and remote code execution due to Apache Log4j vulnerabilities [CVE-2021-44228], [CVE-2021-45105], and [CVE-2021-45046] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hortonworks-dataflow-prod… ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Vulnerabilities in Java affect IBM WIoTP MessageGateway (CVE-2021-213) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Dell BIOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1705 ∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1702 ∗∗∗ Mitel MiVoice Connect: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1706 ∗∗∗ Pulse Secure SA45520 - CVEs (CVE-2022-35254,CVE-2022-35258) may lead to DoS attack ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2022
by Daily end-of-shift report 12 Oct '22

12 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-10-2022 18:00 − Mittwoch 12-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Ein guter Tag für Freund:innen von Adobe Software und gepflegtem Patchen ∗∗∗ --------------------------------------------- Da kann man sich nicht beschweren: nicht nur eine kritische Lücke in Adobe Commerce und Magento Open Source (CVSS 10.0 - Highscore-verdächtig), sondern auch gleich deren mehrere in Adobe ColdFusion (unter Anderem 4x mit CVSS 9.8 und 1x mit 8.1). Nutzer:innen von Adobe Acrobat/Acrobat Reader kommen ebenfalls nicht zu kurz, auch wenn man dort dank Auto-Updates vielleicht nicht selbst so viel Spass mit dem Patchen hat. Und auch wenn ich nicht weiß, was (eine) Adobe Dimension ist: Admins haben dort 4x CVSS 7.8 - Freude. --------------------------------------------- https://cert.at/de/blog/2022/10/ein-guter-tag-fur-freundinnen-von-adobe-sof… ∗∗∗ New npm timing attack could lead to supply chain attacks ∗∗∗ --------------------------------------------- Security researchers have discovered an npm timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-npm-timing-attack-could-… ∗∗∗ Malicious WhatsApp mod distributed through legitimate apps ∗∗∗ --------------------------------------------- The malicious version of YoWhatsApp messenger, containing Triada trojan, was spreading through ads in the popular Snaptube app and the Vidmate apps internal store. --------------------------------------------- https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimat… ∗∗∗ Userland Execution of Binaries Directly from Python ∗∗∗ --------------------------------------------- TL;DR: If you are familiar with what a userland binary execution tool does and you just want to see the code and/or test it, skip the rest of this post and go to the project GitHubs page. --------------------------------------------- https://www.anvilsecure.com/blog/userland-execution-of-binaries-directly-fr… ∗∗∗ A deep dive into CVE-2021–42847 - arbitrary file write and XXE in ManageEngine ADAudit Plus before 7006 ∗∗∗ --------------------------------------------- After coming across a vulnerable instance during a pentest, and discovering that no root cause analysis or PoC has ever been made available for this vulnerability, I decided to have a closer look myself. --------------------------------------------- https://medium.com/@erik.wynter/pwning-manageengine-from-endpoint-to-exploi… ∗∗∗ Brute-Force-Angriffe: Microsoft rüstet Schutzmechanismus nach ∗∗∗ --------------------------------------------- Die Windows-Updates zum Oktober-Patchday haben auch eine neue Funktion mitgebracht. Sie sperrt lokale Administratorkonten bei fehlerhaften Log-in-Versuchen. --------------------------------------------- https://heise.de/-7306276 ∗∗∗ Abo-Falle bei der Wohnungssuche auf rentola.at ∗∗∗ --------------------------------------------- Sind Sie gerade auf Wohnungssuche? Dann nehmen Sie sich vor einem undurchsichtigen Abo-Vertrag auf rentola.at in Acht. Geworben wird mit unzähligen Wohnungen in ganz Österreich und auf der ganzen Welt. Für eine erste Nachricht an Vermieter:innen müssen Sie jedoch 1 Euro bezahlen. Ein versteckter Kostenhinweis verrät: Hier landen Sie in einem teuren Abonnement! --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-bei-der-wohnungssuche-auf-… ∗∗∗ Qakbot Being Distributed as ISO Files Instead of Excel Macro ∗∗∗ --------------------------------------------- There is a recent increase in the distribution method of malware through ISO files. Among the malware, it has been identified that Qakbot, an online banking malware, has had its distribution method changed from Excel 4.0 Macro to ISO files. --------------------------------------------- https://asec.ahnlab.com/en/39537/ ∗∗∗ VMware vCenter Server bug disclosed last year still not patched ∗∗∗ --------------------------------------------- VMware informed customers today that vCenter Server 8.0 (the latest version) is still waiting for a patch to address a high-severity privilege escalation vulnerability disclosed in November 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-vcenter-server-bug-di… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Magento Open Source und Adobe Commerce - Updates verfügbar ∗∗∗ --------------------------------------------- Adobe hat Updates für die E-Commerce Software Suites Magento Open Source und Adobe Commerce herausgegeben. CVE-Nummer(n): CVE-2022-35698 CVSS Base Score: 10.0. Angreifer:innen können beliebigen Code auf betroffenen Systemen ausführen (vermutlich mit den Rechten des Webservers), und haben Zugriff auf alle Daten die im E-Commerce System gespeichert sind. --------------------------------------------- https://cert.at/de/warnungen/2022/10/kritische-sicherheitslucke-in-magento-… ∗∗∗ Microsoft Security Update Summary (11. Oktober 2022) ∗∗∗ --------------------------------------------- Am 11. Oktober 2022 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office usw. – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 84 Schwachstellen … --------------------------------------------- https://www.borncity.com/blog/2022/10/11/microsoft-security-update-summary-… ∗∗∗ Exchange Server Sicherheitsupdates (11. Oktober 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 11. Oktober 2022 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Updates sollen Schwachstellen, die von externen Sicherheitspartnern gemeldet oder durch Microsoft gefunden wurden, schließen. Die seit Ende September 2022 bekannten 0-day-Schwachstellen (ProxyNotShell) werden aber nicht beseitigt. --------------------------------------------- https://www.borncity.com/blog/2022/10/12/exchange-server-sicherheitsupdates… ∗∗∗ IBM Security Bulletins 2022-10-11 ∗∗∗ --------------------------------------------- IBM Robotic Process Automation, IBM App Connect Enterprise, IBM Security Identity Management, IBM Security Guardium, IBM Cloud Pak, Rational Change, IBM Navigator Mobile Android, Rational Synergy. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schneider Elecronic Security Advisories 2022-10-11 ∗∗∗ --------------------------------------------- 4 new, 8 updated --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Webbrowser: Google schließt sechs Sicherheitslücken in Chrome ∗∗∗ --------------------------------------------- Google hat ein Update für den Webbrowser Chrome veröffentlicht. Es schließt insgesamt sechs Sicherheitslücken, von denen ein hohes Risiko ausgeht. --------------------------------------------- https://heise.de/-7305732 ∗∗∗ Fortinet-Patchday: Mehrere kritische Lücken geschlossen ∗∗∗ --------------------------------------------- Nachdem am Wochenende eine kritische Sicherheitslücke in Fortinet-Produkten bekannt wurde, hat das Unternehmen nun weitere Updates bereitgestellt. --------------------------------------------- https://heise.de/-7306400 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and twig), Oracle (expat, gnutls and nettle, and kernel), Red Hat (expat, kernel, and kpatch-patch), and Ubuntu (advancecomp and dotnet6). --------------------------------------------- https://lwn.net/Articles/910953/ ∗∗∗ Zoom Video Communications: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder lokalerAngreifer kann mehrere Schwachstellen in Zoom Video Communications Zoom Client und Zoom Video Communications On-Premise ausnutzen, um einen Denial of Service Angriff durchzuführen und Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1677 ∗∗∗ LibreOffice: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in LibreOffice ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1679 ∗∗∗ bingo!CMS vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN74592196/ ∗∗∗ The installer of Sony Content Transfer may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN40620121/ ∗∗∗ VMSA-2022-0026 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0026.html ∗∗∗ WAGO: FTP-Server - Denial-of-Service ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-047/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2022
by Daily end-of-shift report 11 Oct '22

11 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Montag 10-10-2022 18:00 − Dienstag 11-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Your Publicly Accessible Google API Key Could Be Giving Hackers Access to Your Files and Photos! ∗∗∗ --------------------------------------------- We’ve all seen them before, those long, seemingly random strings of characters starting with AIza. Yes, that’s right, the ubiquitous Google API key. --------------------------------------------- https://spidersilk.com/news/your-publicly-accessible-google-api-key-could-b… ∗∗∗ Fortinet Confirms Zero-Day Vulnerability Exploited in One Attack ∗∗∗ --------------------------------------------- Fortinet has confirmed that the critical vulnerability whose existence came to light last week is a zero-day flaw that has been exploited in at least one attack. --------------------------------------------- https://www.securityweek.com/fortinet-confirms-zero-day-vulnerability-explo… ∗∗∗ Siemens Not Ruling Out Future Attacks Exploiting Global Private Keys for PLC Hacking ∗∗∗ --------------------------------------------- Researchers have demonstrated that threat actors could obtain global private keys that protect some of Siemens’ industrial devices, and the vendor says it cannot rule out malicious exploitation in the future. --------------------------------------------- https://www.securityweek.com/siemens-not-ruling-out-future-attacks-exploiti… ∗∗∗ Living off the Cloud. Cloudy with a Chance of Exfiltration ∗∗∗ --------------------------------------------- Unless default settings are changed, typical Office 365 (O365) licences come loaded with various services that are all usable by end users without special permissions. Power Automate can be used maliciously by compromised users or insider threats to systematically capture and exfiltrate data without having to contend with network safeguards. --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-cloud-cloudy-w… ∗∗∗ Betrügerisches Jobangebot auf santo-vermoegen.com ∗∗∗ --------------------------------------------- Auf „santo-vermoegen.com/infofolder“ sind aktuell freie Stellen als „Back Office Mitarbeiter“ ausgeschrieben. Der Job ist auch auf diversen Jobportalen inseriert. Die Beschreibung der Tätigkeit ist vage. Es geht lediglich hervor, dass Sie auf Ihrem privaten Bankkonto Zahlungen empfangen, protokollieren und weiterleiten. Vorsicht: Dabei handelt es sich um Geldwäsche, Sie machen sich strafbar! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-jobangebot-auf-santo… ∗∗∗ Exchange Server: Neue 0-day (nicht NotProxyShell, CVE-2022-41040, CVE-2022-41082) ∗∗∗ --------------------------------------------- AhnLabs schreibt, dass theoretisch die Möglichkeit besteht, dass die von dem vietnamesischen Sicherheitsunternehmen GTSC am 28. September offengelegten Schwachstellen von Microsoft Exchange Server(CVE-2022-41040, CVE-2022-41082) für die Infektion ausgenutzt wurden. Aber die Angriffsmethode, der generierte WebShell-Dateiname, und nachfolgende Angriffe nach der Installation der WebShell lassen vermuten, dass ein anderer Angreifer eine andere Zero-Day-Schwachstelle ausgenutzt hat. --------------------------------------------- https://www.borncity.com/blog/2022/10/11/exchange-server-neue-0-day-nicht-n… ∗∗∗ Persistent PHP payloads in PNGs: How to inject PHP code in an image – and keep it there ! ∗∗∗ --------------------------------------------- During the assessment of a PHP application, we recently came across a file upload vulnerability allowing the interpretation of PHP code inserted into valid PNG files. However, the image processing performed by the application forced us to dig deeper into the different techniques available to inject PHP payloads into this particular file format - and to make it persist through image transformations. --------------------------------------------- https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-… ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- 16 new, 11 updated --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-10#Sec… ∗∗∗ IBM Security Bulletins 2022-10-10 ∗∗∗ --------------------------------------------- IBM Process Mining, z/Transaction Processing Facility, Content Manager OnDemand z/OS, IBM Sterling Connect. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Exchange Zero-Day-Lücke: Nochmals nachgebesserter Workaround ∗∗∗ --------------------------------------------- Microsoft bessert den Workaround für die Zero-Day-Lücke in Exchange noch mal nach. Admins bleibt nur zu hoffen, dass die jetzige Regel bis zum Update hält. --------------------------------------------- https://heise.de/-7304522 ∗∗∗ SAP-Patchday: 15 neue Sicherheitswarnungen im Oktober ∗∗∗ --------------------------------------------- Die von SAP zum Oktober-Patchday verfügbaren Updates schließen unter anderem zwei kritische Sicherheitslücken. --------------------------------------------- https://heise.de/-7305149 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (connman, dbus, git, isc-dhcp, strongswan, and wordpress), Fedora (rubygem-pdfkit and seamonkey), Red Hat (gnutls, nettle, rh-ruby27-ruby, and rh-ruby30-ruby), SUSE (libgsasl, python, and snakeyaml), and Ubuntu (graphite2, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-raspi, linux, linux-aws, linux-bluefield, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-hwe, linux-oracle, openssh, and pcre3). --------------------------------------------- https://lwn.net/Articles/910828/ ∗∗∗ iOS 16.0.3 freigegeben ∗∗∗ --------------------------------------------- Apple hat zum 10. Oktober 2022 iOS 16.0.3 für neuere iPhone-Modelle freigegeben. Es handelt sich um ein Sicherheitsupdate, welches die Sicherheitslücke CVE-2022-22658 in Mail beseitigen soll. --------------------------------------------- https://www.borncity.com/blog/2022/10/11/ios-16-0-3-freigegeben/ ∗∗∗ OpenSSL Security Advisory [11 October 2022] ∗∗∗ --------------------------------------------- https://www.openssl.org/news/secadv/20221011.txt ∗∗∗ Xen Security Advisory CVE-2022-33749 / XSA-413 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-413.html ∗∗∗ Xen Security Advisory CVE-2022-33748 / XSA-411 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-411.html ∗∗∗ Xen Security Advisory CVE-2022-33746 / XSA-410 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-410.html ∗∗∗ Xen Security Advisory CVE-2022-33747 / XSA-409 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-409.html ∗∗∗ PHOENIX CONTACT: Multiple Linux component vulnerabilities in PLCnext Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-046/ ∗∗∗ Hashicorp Vagrant: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1669 ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1663 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-33748 & CVE-2022-33749 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX465146/citrix-hypervisor-security-bul… ∗∗∗ Altair HyperView Player ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-284-01 ∗∗∗ Daikin Holdings Singapore Pte Ltd. SVMPC1 and SVMPC2 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-284-02 ∗∗∗ Sensormatic Electronics C-CURE 9000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-284-03 ∗∗∗ Lenovo: IPV6 VLAN Stacking Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500520-IPV6-VLAN-STACKING-VULN… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2022
by Daily end-of-shift report 10 Oct '22

10 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-10-2022 18:00 − Montag 10-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Fake adult sites push data wipers disguised as ransomware ∗∗∗ --------------------------------------------- Malicious adult websites push fake ransomware which, in reality, acts as a wiper that quietly tries to delete almost all of the data on your device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-adult-sites-push-data-w… ∗∗∗ Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server ∗∗∗ --------------------------------------------- A correction was made to the string in step 6 and step 9 in the URL Rewrite rule mitigation Option 3. Steps 8, 9, and 10 have updated images. --------------------------------------------- https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-z… ∗∗∗ That thing to help protect internet traffic from hijacking? Its broken ∗∗∗ --------------------------------------------- RPKI is supposed to verify network routes. Instead, heres how it could be subverted. An internet security mechanism called Resource Public Key Infrastructure (RPKI), intended to safeguard the routing of data traffic, is broken, according to security experts from Germanys ATHENE, the National Research Center for Applied Cybersecurity. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/10/09/internet_tra… ∗∗∗ Groupware: Kritische Codeschmuggel-Lücke in Zimbra wird angegriffen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der Groupware Zimbra erlaubt Angreifern, Schadcode einzuschleusen. Die Schwachstelle wird inzwischen angegriffen. Ein Workaround hilft. --------------------------------------------- https://heise.de/-7289104 ∗∗∗ Intel-CPU "Alder Lake": BIOS-Quellcode-Leak öffnet potenzielle Einfallstore ∗∗∗ --------------------------------------------- Rund 6 GByte BIOS-Daten für die CPU-Generation Core i-12000 sind Intel abhandengekommen. Darin enthalten ist Code für Sicherheitsmechanismen wie Boot Guard. --------------------------------------------- https://heise.de/-7289262 ∗∗∗ How to protect your Firefox saved passwords with a Primary Password ∗∗∗ --------------------------------------------- For better security, dont rely on browser syncing to manage your passwords. Heres a better way. --------------------------------------------- https://www.zdnet.com/article/how-to-protect-your-firefox-saved-passwords-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Fortinet Produkten - Updates verfügbar ∗∗∗ --------------------------------------------- Kritische Schwachstellen in Fortinet Produkten erlauben es Angreifenden, die Authentisierung zu umgehen und Aktionen mit Admin-Rechten auszuführen. CVE-Nummer(n): CVE-2022-40684 CVSS Base Score: 9.6. --------------------------------------------- https://cert.at/de/warnungen/2022/10/kritische-sicherheitslucken-in-fortine… ∗∗∗ IBM Security Bulletins 2022-10-07 and 2022-10-08 ∗∗∗ --------------------------------------------- IBM Partner Engagement Manager, IBM CICS TX Standard, IBM CICS TX Advanced, IBM Cloud, IBM Business Automation Workflow, IBM Security Verify Governance, IBM TXSeries, IBM Security Network Threat Analytics, IBM Security Verify Governance, IBM Jazz. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (knot-resolver and libpgjava), Fedora (booth, dotnet3.1, expat, nheko, php-twig, php-twig2, php-twig3, poppler, python-joblib, and seamonkey), Mageia (colord, dbus, enlightenment, kitty, libvncserver, php, python3, and unbound), Slackware (libksba), SUSE (cyrus-sasl, ImageMagick, and xmlgraphics-commons), and Ubuntu (nginx and thunderbird). --------------------------------------------- https://lwn.net/Articles/910724/ ∗∗∗ Critical Remote Code Execution Vulnerability Found in vm2 Sandbox Library ∗∗∗ --------------------------------------------- A critical vulnerability in vm2 may allow a remote attacker to escape the sandbox and execute arbitrary code on the host. A highly popular JavaScript sandbox library with more than 16 million monthly downloads, vm2 supports the execution of untrusted code synchronously in a single process. --------------------------------------------- https://www.securityweek.com/critical-remote-code-execution-vulnerability-f… ∗∗∗ MISP 2.4.164 released with new tag relationship feature, improvements and a security fix ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.164 with a new tag relationship features, many improvements and a security fix. --------------------------------------------- https://www.misp-project.org/2022/10/10/MISP.2.4.164.released.html/ ∗∗∗ Trend Micro Apex One: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler oder entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Trend Micro Apex One ausnutzen, um seine Privilegien zu erhöhen und Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1649 ∗∗∗ ZDI-22-1399: Centreon Poller Broker SQL Injection Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1399/ ∗∗∗ ZDI-22-1398: Centreon Contact Group SQL Injection Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1398/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2022
by Daily end-of-shift report 07 Oct '22

07 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-10-2022 18:00 − Freitag 07-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Powershell Backdoor with DGA Capability, (Fri, Oct 7th) ∗∗∗ --------------------------------------------- DGA ("Domain Generation Algorithm") is a popular tactic used by malware to make connections with their C2 more stealthy and difficult to block. The idea is to generate domain names periodically and use them during the defined period. An alternative is to generate a lot of domains and loop across them to find an available C2 server. Attackers just register a few domain names and can change them very quickly. --------------------------------------------- https://isc.sans.edu/diary/rss/29122 ∗∗∗ What is a Malware Attack? ∗∗∗ --------------------------------------------- A malware attack is the act of injecting malicious software to infiltrate and execute unauthorized commands within a victim’s system without their knowledge or authorization. The objectives of such an attack can vary – from stealing client information to sell as lead sources, obtaining system information for personal gain, bringing a site down to stop business or even just placing the mark of a cyber-criminal on a public domain. --------------------------------------------- https://blog.sucuri.net/2022/10/what-is-a-malware-attack.html ∗∗∗ Loads of PostgreSQL systems are sitting on the internet without SSL encryption ∗∗∗ --------------------------------------------- They probably shouldnt be connected in the first place, says database expert. Only a third of PostgreSQL databases connected to the internet use SSL for encrypted messaging, according to a cloud database provider. --------------------------------------------- https://www.theregister.com/2022/10/07/postgresql_no_ssl/ ∗∗∗ Top CVEs Actively Exploited By [..] State-Sponsored Cyber Actors ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by [..] state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). --------------------------------------------- https://www.cisa.gov/uscert/ncas/alerts/aa22-279a ∗∗∗ So schützen Sie sich vor Kleinanzeigen-Betrug ∗∗∗ --------------------------------------------- Egal ob Sie kaufen oder verkaufen: Schützen Sie sich auf Kleinanzeigen-Plattformen wie Willhaben, ebay, Vinted und Co. vor Kriminellen. Mit Fake-Profilen, gefälschten Zahlungsbestätigungen oder unechten Zahlungsplattformen zocken Kriminelle immer wieder Nutzer:innen ab. Wir geben Ihnen Tipps zum sicheren Kaufen und Verkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-kleinanzei… ∗∗∗ Exchange Hacks: Achtung, gut gemachte, bösartige Mails im Umlauf (7. Oktober 2022) ∗∗∗ --------------------------------------------- Die Woche wurden Administratoren von Exchange-Servern ja durch die Ende September 2022 bekannt gewordene 0-day-Schwachstellen und die Workarounds von Microsoft ziemlich gefordert. Inzwischen versuchen Cyber-Kriminelle aus dieser Situation Kapital zu schlagen. --------------------------------------------- https://www.borncity.com/blog/2022/10/07/exchange-hacks-achtung-gut-gemacht… ===================== = Vulnerabilities = ===================== ∗∗∗ Remote Code Execution in Zimbra Collaboration Suite - Workaround verfügbar ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle in Zimbra Collaboration Suite erlaubt potentiell entfernten, unauthorisierten Angreifer:innen das Ausführen von beliebigem Code. Laut diversen Berichten wird diese Schwachstelle bereits aktiv ausgenutzt. Das Ausnützen der Schwachstelle durch senden einer Email mit speziell präparierten Anhängen in den Formaten .cpio, .tar, .rpm kann zu einer vollständigen Kompromittierung des Systems führen. --------------------------------------------- https://cert.at/de/warnungen/2022/10/remote-code-execution-in-zimbra-collab… ∗∗∗ Fortinet warns admins to patch critical auth bypass bug immediately ∗∗∗ --------------------------------------------- Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-pat… ∗∗∗ Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes ∗∗∗ --------------------------------------------- An attacker may trivially bypass the use of InetAddress::getAllByName to validate inputs. Note: As input validation is not an appropriate mechanism to protect against injection attacks — as opposed to output encoding and Harvard architecture-style APIs — this issue is itself considered to be of Low risk as code relying on the documented validation for such purposes should be considered insecure regardless of this issue. --------------------------------------------- https://research.nccgroup.com/2022/10/06/technical-advisory-openjdk-weak-pa… ∗∗∗ Angreifer könnten Cisco-Admins manipulierte Updates unterschieben ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für unter anderem Cisco Expressway Series und TelePresence Video Communication Server erschienen. --------------------------------------------- https://heise.de/-7286880 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dbus, isc-dhcp, and strongswan), Fedora (booth, php, php-twig, php-twig2, and php-twig3), Oracle (expat, prometheus-jmx-exporter, and squid), Red Hat (expat, openvswitch2.11, and squid), Scientific Linux (expat and squid), SUSE (exiv2, LibVNCServer, postgresql-jdbc, protobuf, python-PyJWT, python3, slurm, squid, and webkit2gtk3), and Ubuntu (libreoffice). --------------------------------------------- https://lwn.net/Articles/910606/ ∗∗∗ VMware Patches Code Execution Vulnerability in vCenter Server ∗∗∗ --------------------------------------------- Virtualization giant VMware on Thursday announced patches for a vCenter Server vulnerability that could lead to arbitrary code execution. A centralized management utility, the vCenter Server is used for controlling virtual machines and ESXi hosts, along with their dependent components. Tracked as CVE-2022-31680 (CVSS score of 7.2), the security bug is described as an unsafe deserialization vulnerability in the platform services controller (PSC). --------------------------------------------- https://www.securityweek.com/vmware-patches-code-execution-vulnerability-vc… ∗∗∗ Growi vulnerable to improper access control ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN00845253/ ∗∗∗ IPFire WebUI vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN15411362/ ∗∗∗ Security Bulletin: IBM InfoSphere Information Server Low Level Authenticated User Can View Higher Level User And Group Listing (CVE-2022-36772) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a session management vulnerability (CVE-2022-41291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1638 ∗∗∗ Avaya Aura Application Enablement Services: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1645 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2022
by Daily end-of-shift report 06 Oct '22

06 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-10-2022 18:00 − Donnerstag 06-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast ∗∗∗ --------------------------------------------- With just one malformed Zigbee frame, attackers could take over certain Ikea smart lightbulbs, leaving users unable to turn the lights down. --------------------------------------------- https://www.darkreading.com/application-security/ikea-smart-light-system-fl… ∗∗∗ Ransomware: Sicherheitssoftware mit legitimem Treiber deaktiviert ∗∗∗ --------------------------------------------- Die Ransomware Blackbyte nutzt die Angriffstechnik Bring your own vulnerable Driver, um Antivirensoftware zu deaktivieren. --------------------------------------------- https://www.golem.de/news/ransomware-sicherheitssoftware-mit-legitimem-trei… ∗∗∗ A look at the 2020–2022 ATM/PoS malware landscape ∗∗∗ --------------------------------------------- We looked at the number of affected ATMs and PoS terminals, geography of attacks and threat families used by cybercriminals to target victims in 2020-2022. --------------------------------------------- https://securelist.com/atm-pos-malware-landscape-2020-2022/107656/ ∗∗∗ Detecting and preventing LSASS credential dumping attacks ∗∗∗ --------------------------------------------- In this blog, we share examples of various threat actors that we’ve recently observed using the LSASS credential dumping technique. [..] Finally, we offer additional recommendations to further harden systems and prevent attackers from taking advantage of possible misconfigurations should they fail to leverage credential dumping. --------------------------------------------- https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing… ∗∗∗ MSSQL, meet Maggie ∗∗∗ --------------------------------------------- Continuing our monitoring of signed binaries, DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. [Keine kompromittierten Systeme in AT angeführt, Anm. d. Red.] --------------------------------------------- https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01 ∗∗∗ CVE-2022–36635 — A SQL Injection in ZKSecurityBio to RCE ∗∗∗ --------------------------------------------- This is a write-up of CVE-2022–36635: SQLInjection found in a platform of physical security (access control, elevator control, guest management, patrol and parking management) called ZKSecurity Bio v4.1.3 and how it was used to obtain a RCE. --------------------------------------------- https://medium.com/stolabs/cve-2022-36635-a-sql-injection-in-zksecuritybio-… ∗∗∗ Exchange Zero-Day: Microsoft bessert Workaround erneut nach ∗∗∗ --------------------------------------------- Nachdem der erste Workaround für eine Exchange Zero-Day-Lücke wirkungslos war und Microsoft nachbesserte, hat der Hersteller abermals eine Korrektur vorgelegt. --------------------------------------------- https://heise.de/-7285558 ∗∗∗ Gratis Entschlüsselungstool: Lücke in Ransomwares der Hades-Familie entdeckt ∗∗∗ --------------------------------------------- Opfer einiger Erpressungstrojan der der Hades-Familie wie MafiaWare666 können unter bestimmten Voraussetzungen wieder auf ihre Daten zugreifen. --------------------------------------------- https://heise.de/-7285784 ∗∗∗ Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style ∗∗∗ --------------------------------------------- Hidden DNS resolvers and how to compromise your infrastructure --------------------------------------------- https://sec-consult.com/blog/detail/melting-the-dns-iceberg-taking-over-you… ∗∗∗ ESET Threat Report T2 2022 ∗∗∗ --------------------------------------------- Ein Blick auf die Bedrohungslandschaft im zweiten Drittel des Jahres 2022 aus Sicht der ESET-Telemetrie und aus der Perspektive der ESET-Experten. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/10/05/eset-threat-report-t2-202… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2022-41343 - RCE via Phar Deserialisation (Dompdf) ∗∗∗ --------------------------------------------- Dompdf is a popular library in PHP used for rendering PDF files from HTML. Tanto Security disclosed a vulnerability in Dompdf affecting version 2.0.0 and below. The vulnerability was patched in Dompdf v2.0.1. We recommend all Dompdf users update to the latest version as soon as possible. --------------------------------------------- https://tantosec.com/blog/cve-2022-41343/ ∗∗∗ Cisco Security Advisories 2022-10-05 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (2 High, 7 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and nodejs), Red Hat (prometheus-jmx-exporter and squid), Slackware (dhcp), SUSE (pngcheck and sendmail), and Ubuntu (isc-dhcp, kitty, and linux-gcp-5.4). --------------------------------------------- https://lwn.net/Articles/910492/ ∗∗∗ Internet Systems Consortium DHCP: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Internet Systems Consortium DHCP ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1634 ∗∗∗ Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable by a remote code execution in Spring Framework [CVE-2022-22965] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-busines… ∗∗∗ Security Bulletin: IBM QRadar DNS Analyzer App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-31129, CVE-2022-24785, CVE-2017-18214) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-dns-analyzer-a… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2021-40690, CVE-2022-25647, XFID: 233967) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: IBM HTTP Server is vulnerable to arbitrary code execution due to Expat (CVE-2022-40674) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-is-vulner… ∗∗∗ K10812540: OpenJDK vulnerability CVE-2019-18197 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10812540?utm_source=f5support&utm_mediu… ∗∗∗ Rockwell Automation FactoryTalk VantagePoint ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-279-01 ∗∗∗ HIWIN Robot System Software (HRSS) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-279-02 ∗∗∗ Schwachstelle in SPRECON-V460 Visualisierungssoftware ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2022
by Daily end-of-shift report 05 Oct '22

05 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-10-2022 18:00 − Mittwoch 05-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exchange Zero-Day: Microsoft korrigiert Workaround ∗∗∗ --------------------------------------------- Der zuerst vorgeschlagene Workaround für die Zero-Day-Lücke ProxyNotShell in Exchange ließ sich einfach umgehen. Microsoft liefert eine korrigierte Fassung. --------------------------------------------- https://heise.de/-7284241 ∗∗∗ Ende von Basic Auth: Brute-Force-Angriffe auf Microsoft Exchange nehmen zu ∗∗∗ --------------------------------------------- Microsoft berichtet von vielen Angriffen auf E-Mail-Konten, die noch die einfache Authentifizierung nutzen. Kunden sollen rasch handeln. --------------------------------------------- https://www.golem.de/news/ende-von-basic-auth-brute-force-angriffe-auf-micr… ∗∗∗ Post-Exploitation Persistent Email Forwarder in Outlook Desktop ∗∗∗ --------------------------------------------- There is an exploitation method that can automatically forward emails CC’d to external addresses via an Outlook Desktop rule, even when this action is prevented on the corporate Exchange server. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/post-exploi… ∗∗∗ GandCrab bedroht Deutschland ∗∗∗ --------------------------------------------- Die Ransomware GandCrab dominiert in Deutschland, Österreich und der Schweiz die ESET Erkennungsstatistiken. Nahezu jeder vierte Ransomware-Fund geht auf GandCrab zurück. --------------------------------------------- https://www.zdnet.de/88403902/gandcrab-bedroht-deutschland/ ∗∗∗ Vorsicht vor Blackout-Shops wie dyn-amo.de und dynamos.at! ∗∗∗ --------------------------------------------- Immer wieder wird aktuell von der Möglichkeit kurzzeitiger Blackouts, also großflächiger Strom-, Internet- oder Heizungsausfälle berichtet. Unseriöse Online-Shops wie jene von ECOM4YOU, HAPPY SHOPPING oder Shopfactory24 GmbH bauen auf die Ängste ihrer Kundinnen und Kunden und bieten Notfall-Sets für Blackouts an. Vorsicht, wir haben es getestet: Die Produkte sind überteuert, die Lieferzeiten lang, die Qualität teils minderwertig und [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-blackout-shops-wie-dyn-… ∗∗∗ Shadowserver Alliance Launch ∗∗∗ --------------------------------------------- The Shadowserver Foundation today launched its new Alliance to Continue to Build a Safer, More Secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement. The Alliance represents a significant expansion to Shadowservers freely provided internet security services and enables partners, [...] --------------------------------------------- https://www.shadowserver.org/news/shadowserver-alliance-launch/ ∗∗∗ Credential Harvesting with Telegram API, (Tue, Oct 4th) ∗∗∗ --------------------------------------------- Phishing emails are a daily occurrence and many times it ends with credential harvesting. An email initially lures a user to a website that promised an anticipated file. The landing page taunts a user to click on an additional link and enter their credentials. In this case, the credentials entered by the user are not sent back to the bad actor using a simple web form but using the Telegram API [1]. --------------------------------------------- https://isc.sans.edu/diary/rss/29112 ∗∗∗ How to Secure & Harden Your Joomla! Website in 12 Steps ∗∗∗ --------------------------------------------- At Sucuri, we’re often asked how website owners and webmasters can secure their websites. However, advice can often be too broad; different content management systems (CMS) exist in this ecosystem and each require a unique security configuration. --------------------------------------------- https://blog.sucuri.net/2022/10/how-to-secure-harden-your-joomla-website-in… ∗∗∗ Securing Developer Tools: A New Supply Chain Attack on PHP ∗∗∗ --------------------------------------------- Supply chain attacks are a hot topic for development organizations today. Last year, in the largest ever software supply chain attack, a backdoor infected 18,000 SolarWinds customers. Earlier this year, a security researcher was able to breach Apple, Microsoft, Paypal, and other tech giants using a new supply chain attack technique. --------------------------------------------- https://blog.sonarsource.com/securing-developer-tools-a-new-supply-chain-at… ∗∗∗ Our Fox-IT Dissect framework for forensic data collection, now open source ∗∗∗ --------------------------------------------- Dissect is a framework for collecting and analysing large amounts of forensic data. A game changer in cyber incident response, it enables data acquisition on thousands of systems within hours, regardless of the nature and size of the IT environment to be investigated after an attack. --------------------------------------------- https://www.mynewsdesk.com/nccgroup/pressreleases/our-fox-it-dissect-framew… ∗∗∗ Change in Magniber Ransomware (*.js → *.wsf) – September 28th ∗∗∗ --------------------------------------------- The ASEC analysis team has explained through the blog post on September 8th that the Magniber ransomware has changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE to JS on September 16th. And on September 28th, the attacker changed the distribution method once again, changing the file extension from JS to WSF. It seems the attacker is continuously distributing variations to bypass various detection [...] --------------------------------------------- https://asec.ahnlab.com/en/39489/ ∗∗∗ How Water Labbu Exploits Electron-Based Applications ∗∗∗ --------------------------------------------- In the second part of our Water Labbu blog series, we explore how the threat actor exploits Electron-based applications using Cobalt Strike to deploy backdoors. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-ele… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Angreifer könnten ihre Rechte unter Android 10 bis 13 hochstufen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen zum Teil kritische Lücken in verschiedenen Android-Versionen. --------------------------------------------- https://heise.de/-7284409 ∗∗∗ Aruba: Kritische Sicherheitslücke in Access Points ∗∗∗ --------------------------------------------- Aruba warnt vor kritischen Sicherheitslücken in den eigenen Access Points. --------------------------------------------- https://heise.de/-7284335 ∗∗∗ IBM Security Bulletins 2022-10-04 ∗∗∗ --------------------------------------------- IBM Tivoli Netcool Impact, IBM Tivoli Business Service Manage, IBM Tivoli Monitoring, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM Security Guardium, Rational Business Developer, IBM Cloud Pak for Watson, IBM i Modernization Engine, IBM CICS TX Advanced, IBM Planning Analytics Workspace, IBM Security Guardium. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (barbican, mediawiki, and php-twig), Fedora (bash, chromium, lighttpd, postgresql-jdbc, and scala), Mageia (bash, chromium-browser-stable, and golang), Oracle (bind, bind9.16, and squid:4), Red Hat (bind, bind9.16, RHSSO, and squid:4), Scientific Linux (bind), SUSE (cifs-utils, libjpeg-turbo, nodejs14, and nodejs16), and Ubuntu (jackd2, linux-gke, and linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/910395/ ∗∗∗ SA45476 - Client Side Desync Attack (Informational) ∗∗∗ --------------------------------------------- The deprecated Pulse Collaboration feature is vulnerable to Client-Side Desync attacks on versions of PCS 9.1R15 and below. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Client-Side-D… ∗∗∗ OpenSSH: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1621 ∗∗∗ Keycloak: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1624 ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1625 ∗∗∗ Matomo: Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1626 ∗∗∗ BD Totalys MultiProcessor ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-277-01 ∗∗∗ Johnson Controls Metasys ADX Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-01 ∗∗∗ Hitachi Energy Modular Switchgear Monitoring (MSM) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-02 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-03 ∗∗∗ OMRON CX-Programmer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2022
by Daily end-of-shift report 04 Oct '22

04 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Montag 03-10-2022 18:00 − Dienstag 04-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Live support service hacked to spread malware in supply chain attack ∗∗∗ --------------------------------------------- The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) that businesses use for customer communication and website visitors, was trojanized as part of a new supply-chain attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/live-support-service-hacked-… ∗∗∗ Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub ∗∗∗ --------------------------------------------- Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-microsoft-exchange-prox… ∗∗∗ OnionPoison: infected Tor Browser installer distributed through popular YouTube channel ∗∗∗ --------------------------------------------- Kaspersky researchers detected OnionPoison campaign: malicious Tor Browser installer spreading through a popular YouTube channel and targeting Chinese users. --------------------------------------------- https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/1… ∗∗∗ CISA verdonnert US-Behörden zu besserer Netzwerkkontrolle ∗∗∗ --------------------------------------------- Die US-Cybersicherheitsbehörde CISA hat eine verbindliche Direktive erlassen. Nach der müssen alle Bundesbehörden ihre Netzwerke regelmäßig untersuchen. --------------------------------------------- https://heise.de/-7283699 ∗∗∗ Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices ∗∗∗ --------------------------------------------- NXP’s HABv4 API documentation references a now-mitigated defect in ROM-resident High Assurance Boot (HAB) functionality present in devices with HAB version < 4.3.7. I could find no further public documentation on whether this constituted a vulnerability or an otherwise “uninteresting” errata item, so I analyzed it myself! --------------------------------------------- https://research.nccgroup.com/2022/10/03/shining-new-light-on-an-old-rom-vu… ∗∗∗ Mit tragbaren Heizgeräten Strom sparen? Fallen Sie nicht auf dieses Fake-Produkt herein! ∗∗∗ --------------------------------------------- Online-Shops wie ultraheatpro.com und valty-heater.com bewerben aktuell einen Stecker, der Räume in weniger als 2 Minuten aufheizt. Die sehr kleinen und kabellosen Heizgeräte verbrauchen angeblich kaum Strom, reduzieren Heizkosten und verursachen keinen Lärm. Beim Kauf dieser „Wundergeräte“ verschwenden Sie aber Ihr Geld, denn Sie bekommen, wenn überhaupt, ein funktionsloses Gerät zugesendet. --------------------------------------------- https://www.watchlist-internet.at/news/mit-tragbaren-heizgeraeten-strom-spa… ∗∗∗ Developer account body snatchers pose risks to the software supply chain ∗∗∗ --------------------------------------------- Over the past several years, high-profile software supply chain attacks have increased in frequency. These attacks can be difficult to detect and source code repositories became a key focus of this research. Developer account takeovers present a substantial risk to the software supply chain because attackers who successfully compromise a developer account could conceal malicious code in software packages used by others. --------------------------------------------- http://blog.talosintelligence.com/2022/10/developer-account-body-snatchers-… ∗∗∗ Tracking Earth Aughisky’s Malware and Changes ∗∗∗ --------------------------------------------- For over 10 years, security researchers have been observing and keeping tabs of APT group Earth Aughisky’s malware families and the connections, including previously documented malware that have yet to be attributed. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-mal… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-10-03 ∗∗∗ --------------------------------------------- IBM Robotic Process Automation, IBM WebSphere Application Server Liberty, IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize, IBM FlashSystem, Content Manager OnDemand z/OS, IBM Spectrum Copy Data Management, CloudPak for Watson AIOPs, IBM MaaS360, Tivoli Netcool/OMNIbus WebGUI, CP4D Match 360. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (barbican), Fedora (libdxfrw, librecad, and python-oauthlib), Oracle (bind), Red Hat (bind and rh-python38-python), SUSE (bind, chromium, colord, libcroco, libgit2, lighttpd, nodejs12, python, python3, slurm, slurm_20_02, and webkit2gtk3), and Ubuntu (linux-azure, python-django, strongswan, and wayland). --------------------------------------------- https://lwn.net/Articles/910300/ ∗∗∗ Aruba ArubaOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Aruba ArubaOS ausnutzen, um beliebigen Programmcode auszuführen, einen Denial-of-Service-Zustand herbeizuführen und einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1606 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um Sicherheitsvorkehrungen zu umgehen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1604 ∗∗∗ Hitachi Storage: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Hitachi Storage ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1601 ∗∗∗ FasterXML Jackson: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in FasterXML Jackson ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1608 ∗∗∗ Netgate pfSense: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Netgate pfSense ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1609 ∗∗∗ Android-Sicherheitsbulletin – Oktober 2022 ∗∗∗ --------------------------------------------- https://source.android.com/docs/security/bulletin/2022-10-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2022
by Daily end-of-shift report 03 Oct '22

03 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-09-2022 18:00 − Montag 03-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server ∗∗∗ --------------------------------------------- October 2, 2022 updates: Added to the Mitigations section: we strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for single user or multiple users is here. Updated Detection section to refer to Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and [...] --------------------------------------------- https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-z… ∗∗∗ Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 ∗∗∗ --------------------------------------------- MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-… ∗∗∗ Achtung, Phishing boomt! Security-Checkliste zu den 6 meist verbreiteten Methoden ∗∗∗ --------------------------------------------- Dass Phishing derzeit besonders häufig von Cyberkriminellen eingesetzt wird, um in IT-Systeme einzudringen, belegen viele aktuelle Statistiken. --------------------------------------------- https://sec-consult.com/de/blog/detail/6-common-types-of-phishing-attacks/ ∗∗∗ Sicherheitsupdate Drupal: Angreifer könnten auf Zugangsdaten zugreifen ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für das Content Management System Drupal. --------------------------------------------- https://heise.de/-7282401 ∗∗∗ Jetzt patchen! Attacken auf Atlassian Bitbucket Server ∗∗∗ --------------------------------------------- Sicherheitsforscher und eine US-Sicherheitsbehörde warnen davor, dass Angreifer Bitbucket Server im Visier haben. --------------------------------------------- https://heise.de/-7282369 ∗∗∗ Backdoor in Windows-Logo versteckt ∗∗∗ --------------------------------------------- Eine Hackergruppe hat bei Angriffen auf Regierungen Steganografie verwendet, um Schadsoftware über harmlos aussehende Bitmaps nachzuladen. --------------------------------------------- https://heise.de/-7282730 ∗∗∗ Fake-Shops fälschen Klarna-Zahlungsprozess ∗∗∗ --------------------------------------------- Die Online-Shops schmitt-drogerie.com und ohnesorge-fachhandel.com sind betrügerisch. Produkte, die Sie hier bestellen, werden nicht geliefert. Die Bezahlung erfolgt angeblich per „Klarna Sofortüberweisung“. Doch Vorsicht: Der Zahlungsprozess wurde gefälscht. Sie sind nicht auf der echten Klarna-Zahlungsseite, sondern auf einer nachgebauten Website, mit der Ihre Bankdaten gestohlen werden. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-faelschen-klarna-zahlungs… ∗∗∗ 11 old software bugs that took way too long to squash ∗∗∗ --------------------------------------------- In 2021, a vulnerability was revealed in a system that lay at the foundation of modern computing. An attacker could force the system to execute arbitrary code. Shockingly, the vulnerable code was almost 54 years old—and there was no patch available, and no expectation that one would be forthcoming. Fortunately, thats because the system in question was Marvin Minskys 1967 implementation of a Universal Turing Machine, [...] --------------------------------------------- https://www.csoonline.com/article/3620948/10-old-software-bugs-that-took-wa… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-30 ∗∗∗ --------------------------------------------- IBM MQ, IBM Tivoli Monitoring Basic Services, IBM Event Streams, The IBM® Engineering Requirements Management, Rational Change Fix Pack, BM Tivoli Monitoring Data Provider, IBM Virtualization Engine, IBM Content Manager OnDemand, IBM Security Identity Governance and Intelligence, IBM Robotic Process Automation, IBM Jazz Technology, IBM Tivoli Composite Application Manager, IBM Case Manager, IBM Cloud Pak for Business Automation, Rational Synergy. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ macOS: Apps können Festplattenvollzugriff des Terminals missbrauchen ∗∗∗ --------------------------------------------- Programme, die nicht in einer Sandbox laufen, können den Systemschutz TCC von macOS umgehen, sobald man dem Terminal Festplattenvollzugriff gestattet. --------------------------------------------- https://heise.de/-7282104 ∗∗∗ Thunderbird: Angreifer könnten Absender verschlüsselter Nachrichten fälschen ∗∗∗ --------------------------------------------- Sicherheitslücken im Matrix-Chat-SDK machen den Mail-Client Thunderbird verwundbar. Eine aktualisierte Version schafft Abhilfe. --------------------------------------------- https://heise.de/-7282339 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, gdal, kernel, libdatetime-timezone-perl, libhttp-daemon-perl, lighttpd, mariadb-10.3, node-thenify, snakeyaml, tinyxml, and tzdata), Fedora (enlightenment, kitty, and thunderbird), Mageia (expat, firejail, libjpeg, nodejs, perl-HTTP-Daemon, python-mako, squid, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (buildah, connman, cosign, expat, ImageMagick, python36, python39, slurm, and webkit2gtk3), and Ubuntu (linux, [...] --------------------------------------------- https://lwn.net/Articles/910161/ ∗∗∗ K21600298: OpenSSL vulnerabilities CVE-2022-1292 and CVE-2022-2068 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21600298?utm_source=f5support&utm_mediu… ∗∗∗ Update - 0-day Exploit Remote Code Execution in Microsoft Exchange On-Premise – Workaround verfügbar ∗∗∗ --------------------------------------------- https://cert.at/de/warnungen/2022/10/0-day-exploit-remote-code-execution-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2022
by Daily end-of-shift report 30 Sep '22

30 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-09-2022 18:00 − Freitag 30-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zero-Day-Attacken auf Microsoft Exchange Server – Sicherheitspatches fehlen ∗∗∗ --------------------------------------------- Aufgrund von Angriffen und bislang fehlenden Patches sollten Admins Exchange Server über einen Workaround absichern. --------------------------------------------- https://heise.de/-7280460 ∗∗∗ Microsoft warnt: Angriffe mit Linkedin und präparierter Open-Source-Software ∗∗∗ --------------------------------------------- Laut Microsoft führen staatliche Hacker derzeit Angriffe auf Linkedin durch. Dabei arbeiten sie mit um Schadfunktionen erweiterter Open-Source-Software. --------------------------------------------- https://www.golem.de/news/microsoft-warnt-angriffe-mit-linkedin-und-praepar… ∗∗∗ Hacking group hides backdoor malware inside Windows logo image ∗∗∗ --------------------------------------------- Security researchers have discovered a malicious campaign by the Witchetty hacking group, which uses steganography to hide a backdoor malware in a Windows logo. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacking-group-hides-backdoor… ∗∗∗ Detecting Mimikatz with Busylight ∗∗∗ --------------------------------------------- In 2015 Raphael Mudge released an article [1] that detailed that versions of mimikatz released after 8th of October, 2015 had a new module that was utilising certain types of external USB devices to flash lights in different colours if mimikatz was executed. The technique presented in the article required certain kind of busylights that [...] --------------------------------------------- https://research.nccgroup.com/2022/09/30/detecting-mimikatz-with-busylight/ ∗∗∗ CISA Publishes User Guide to Prepare for Nov. 1 Move to TLP 2.0 ∗∗∗ --------------------------------------------- CISA has published its Traffic Light Protocol 2.0 User Guide and Traffic Light Protocol: Moving to Version 2.0 fact sheet in preparation for its November 1, 2022 move from Traffic Light Protocol (TLP) Version 1.0 to TLP 2.0. Managed by the Forum of Incident Response and Security Teams (FIRST), TLP is a system of markings that communicates information sharing permissions. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/29/cisa-publishes-us… ∗∗∗ Mandiant, VMware und US-CERT warnen vor Malware, die auf VMware ESXi Server zielt ∗∗∗ --------------------------------------------- Der von Google übernommene Sicherheitsanbieter Mandiant ist auf eine neue Malware-Familie (VirtualPITA, VirtualPIE und VirtualGATE) gestoßen, die es auf Virtualisierunglösungen wie VMware ESXi Server abgesehen hat und spezialisierte Techniken zum Eindringen verwendet. VMware hat einen entsprechenden Sicherheitshinweis veröffentlicht, [...] --------------------------------------------- https://www.borncity.com/blog/2022/09/30/mandiant-vmware-und-us-cert-warnen… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-1325: SolarWinds Network Performance Monitor UpdateActionsDescriptions SQL Injection Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1325/ ∗∗∗ IBM Security Bulletins 2022-09-29 ∗∗∗ --------------------------------------------- IBM Robotic Process Automation, Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint, Content Collector for IBM Connections, IBM Spectrum Fusion HCI, IBM MQ, IBM MQ Blockchain bridge, IBM QRadar User Behavior Analytics. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsndfile and libvncserver), Fedora (bash), Red Hat (httpd24-httpd, java-1.7.1-ibm, and java-1.8.0-ibm), and SUSE (krb5-appl, libjpeg-turbo, python310, and slurm_20_02). --------------------------------------------- https://lwn.net/Articles/909947/ ∗∗∗ GitLab: Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1582 ∗∗∗ vim: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1584 ∗∗∗ F-Secure und WithSecure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in F-Secure und WithSecure Produkten ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1591 ∗∗∗ BookStack vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78862034/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2022
by Daily end-of-shift report 29 Sep '22

29 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-09-2022 18:00 − Donnerstag 29-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New Royal Ransomware emerges in multi-million dollar attacks ∗∗∗ --------------------------------------------- A new ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges… ∗∗∗ The secrets of Schneider Electric’s UMAS protocol ∗∗∗ --------------------------------------------- Kaspersky ICS CERT report on vulnerabilities in Schneider Electrics engineering software that enables UMAS protocol abuse. --------------------------------------------- https://securelist.com/the-secrets-of-schneider-electrics-umas-protocol/107… ∗∗∗ Report Shows How Long It Takes Ethical Hackers to Execute Attacks ∗∗∗ --------------------------------------------- A survey of more than 300 ethical hackers conducted by cybersecurity companies Bishop Fox and SANS Institute found that many could execute an end-to-end attack in less than a day. --------------------------------------------- https://www.securityweek.com/report-shows-how-long-it-takes-ethical-hackers… ∗∗∗ Exchange Health Checker – Script-Erweiterungen von Frank Zöchling ∗∗∗ --------------------------------------------- Von Microsoft gibt es den Exchange Health Checker, ein PowerShell-Script zur Überprüfung von On-Premises Exchange-Installationen auf Probleme. Das Script wird durch Microsoft wohl kontinuierlich weiter entwickelt. Frank Zöchling hat sich das Thema jetzt mal vorgenommen und das Ganze um ein Script erweitert, um wichtige Einstellungen beim Prüfen einer Exchange-Installation automatisch vorzunehmen. --------------------------------------------- https://www.borncity.com/blog/2022/09/29/exchange-health-checker-script-erw… ===================== = Vulnerabilities = ===================== ∗∗∗ New malware backdoors VMware ESXi servers to hijack virtual machines ∗∗∗ --------------------------------------------- Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malware-backdoors-vmware… ∗∗∗ Root-Lücke: Selbstheilungsfunktion gefährdet Cisco-Netzwerkhardware ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Lücken in Ciscos Netzwerkbetriebssystem IOS und weiterer Software. --------------------------------------------- https://heise.de/-7279116 ∗∗∗ Matrix chat encryption sunk by five now-patched holes ∗∗∗ --------------------------------------------- You take the green pill, youll spend six hours in a dont roll your own crypto debate. Four security researchers have identified five cryptographic vulnerabilities in code libraries that can be exploited to undermine Matrix encrypted chat clients. --------------------------------------------- https://www.theregister.com/2022/09/28/matrix_encryption_flaws/ ∗∗∗ IBM Security Bulletins 2022-09-28 ∗∗∗ --------------------------------------------- IBM Content Manager OnDemand, SPSS Collaboration and Deployment Services, IBM Decision Optimization Center, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, IBM Spectrum Protect for Virtual Environments, IBM MQ Operator and Queue manager container images, TXSeries, Rational Service Tester, IBM ILOG CPLEX Optimization Studio, IBM CICS TX Standard and Advanced, IBM SDK, Enterprise Content Management System Monitor, AIX, IBM Robotic Process Automation, IBM WebSphere Application Server Liberty. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, lighttpd, and webkit2gtk), Fedora (firefox, gajim, libofx, and python-nbxmpp), Gentoo (bluez, chromium, expat, firefox, go, graphicsmagick, kitty, php, poppler, redis, thunderbird, and zutty), Oracle (firefox and thunderbird), Red Hat (kernel), Slackware (xorg), SUSE (expat, libostree, lighttpd, python3-lxml, rust1.62, slurm, slurm_18_08, and vsftpd), and Ubuntu (libxi, linux-gcp, postgresql-9.5, and sqlite3). --------------------------------------------- https://lwn.net/Articles/909870/ ∗∗∗ Drupal Updates Patch Vulnerability in Twig Template Engine ∗∗∗ --------------------------------------------- Updates announced for Drupal this week address a severe vulnerability in Twig that could lead to the leakage of sensitive information. --------------------------------------------- https://www.securityweek.com/drupal-updates-patch-vulnerability-twig-templa… ∗∗∗ PHP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um einen Denial of Service Angriff durchzuführen und um Sicherheitsmechanismen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1567 ∗∗∗ Notepad++: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Notepad++ ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1559 ∗∗∗ Apache Tomcat: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Tomcat ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1558 ∗∗∗ xpdf: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in xpdf ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1570 ∗∗∗ Thunderbird 102.3.1 freigegeben ∗∗∗ --------------------------------------------- Die Entwickler des Thunderbird haben zum 28. September 2022 ein weiteres Update des E-Mail Client auf die Version 102.3.1 freigegeben. Es ist ein Bug-Fix-Update, welches eine Reihe an Problemen und Schwachstellen beheben soll. --------------------------------------------- https://www.borncity.com/blog/2022/09/29/thunderbird-102-3-1-freigegeben/ ∗∗∗ CVE-2022-37461: Two Reflected XSS Vulnerabilities in Canon Medical’s Vitrea View ∗∗∗ --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-37… ∗∗∗ Hitachi Energy MicroSCADA Pro X SYS600_8DBD000107 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-272-02 ∗∗∗ Hitachi Energy MicroSCADA Pro X SYS600_8DBD000106 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-272-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2022
by Daily end-of-shift report 28 Sep '22

28 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-09-2022 18:00 − Mittwoch 28-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft to retire Exchange Online client access rules in a year ∗∗∗ --------------------------------------------- Microsoft announced today that it will retire Client Access Rules (CARs) in Exchange Online within a year, by September 2023. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-to-retire-exchang… ∗∗∗ Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks ∗∗∗ --------------------------------------------- The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-us… ∗∗∗ Prilex: the pricey prickle credit card complex ∗∗∗ --------------------------------------------- Prilex is a Brazilian threat actor focusing on ATM and PoS attacks. In this report, we provide an overview of its PoS malware. --------------------------------------------- https://securelist.com/prilex-atm-pos-malware-evolution/107551/ ∗∗∗ New Malware Variants Serve Bogus CloudFlare DDoS Captcha ∗∗∗ --------------------------------------------- When attackers shift up their campaigns, change their payload or exfiltration domains, and put some extra effort into hiding their malware it’s usually a telltale sign that they are making some money off of their exploits. One such campaign is the fake CloudFlare DDoS pages which we reported on last month. --------------------------------------------- https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare… ∗∗∗ Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems ∗∗∗ --------------------------------------------- A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. --------------------------------------------- https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html ∗∗∗ Zielscheibe Open-Source-Paket: Angriffe 700 Prozent häufiger als vor drei Jahren ∗∗∗ --------------------------------------------- Open-Source-Repositories werden immer häufiger zum Angriffsziel Krimineller. Allein im letzten Jahr hat Sonatype über 55.000 infizierte Pakete identifiziert. --------------------------------------------- https://heise.de/-7278355 ∗∗∗ Attacking Encrypted HTTP Communications ∗∗∗ --------------------------------------------- The Reolink RLC-520A PoE camera obfuscates its HTTP communication by encrypting the POST body data. This level of security does defend against opportunistic attackers but falls short when defending against persistent attackers. --------------------------------------------- https://www.pentestpartners.com/security-blog/attacking-encrypted-http-comm… ∗∗∗ Decrypt “encrypted stub data” in Wireshark ∗∗∗ --------------------------------------------- I often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC But I’m often interrupted in my enthusiasm by the payload dissected as “encrypted stub data”: Can we decrypt this “encrypted stub data?” --------------------------------------------- https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshar… ∗∗∗ Stories from the SOC - C2 over port 22 ∗∗∗ --------------------------------------------- The Mirai botnet is infamous for the impact and the everlasting effect it has had on the world. Since the inception and discovery of this malware in 2016, to present day and all the permutations that have spawned as a result, cybersecurity professionals have been keeping a keen eye on this form of Command and Control (C2 or CnC) malware and associated addresses. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#855201: L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers ∗∗∗ --------------------------------------------- OverviewLayer-2 (L2) network security controls provided by various devices, such as switches, routers, and operating systems, can be bypassed by stacking Ethernet protocol headers. An attacker can send crafted packets through vulnerable devices to cause Denial-of-service (DoS) or to perform a man-in-the-middle (MitM) attack against a target network. This vulnerability exists within Ethernet encapsulation protocols that allow for stacking of Virtual Local Area Network (VLAN) headers. --------------------------------------------- https://kb.cert.org/vuls/id/855201 ∗∗∗ Cisco Security Advisories 2022-09-27 - 2022-09-28 ∗∗∗ --------------------------------------------- Cisco published 23 Security Advisories (13 High, 10 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Webbrowser Chrome 106: Neue Funktionen und 20 abgedichtete Sicherheitslecks ∗∗∗ --------------------------------------------- Google bessert 20 teils hochriskante Sicherheitslücken im Webbrowser Chrome aus. Zudem erhält der Browser neue Funktionen und Verbesserungen. --------------------------------------------- https://heise.de/-7277825 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gdal, maven-shared-utils, thunderbird, webkit2gtk, and wpewebkit), Fedora (firefox and libofx), SUSE (dpdk, firefox, flatpak, grafana, kernel, libcaca, and opera), and Ubuntu (ghostscript and linux-gcp-5.15). --------------------------------------------- https://lwn.net/Articles/909676/ ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Octopus Deploy ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1552 ∗∗∗ Security Bulletin: A Security Vulnerability was fixed in IBM Application Gateway. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery (CVE-2022-35282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Information disclosure vulnerability in IBM QRadar User Behavior Analytics (CVE-2022-36771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to identity spoofing by an authenticated user using a specially crafted request. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to HTTP header injection, caused by improper validation. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin:IBM TRIRIGA Application Platform discloses possible path command execution(CVE-2021-41878) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-tririga-application-pl… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Autodesk AutoCAD: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1549 ∗∗∗ Moodle: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1546 ∗∗∗ Check Point ZoneAlarm Extreme Security: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1544 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2022
by Daily end-of-shift report 27 Sep '22

27 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 26-09-2022 18:00 − Dienstag 27-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers use PowerPoint files for mouseover malware delivery ∗∗∗ --------------------------------------------- The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization working towards stimulating economic progress and trade worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-powerpoint-files… ∗∗∗ New Erbium password-stealing malware spreads as game cracks, cheats ∗∗∗ --------------------------------------------- The new Erbium information-stealing malware is being distributed as fake cracks and cheats for popular video games to steal victims credentials and cryptocurrency wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing… ∗∗∗ Pass-the-Hash Attacks and How to Prevent them in Windows Domains ∗∗∗ --------------------------------------------- Hackers often start out with nothing more than a low-level user account and then work to gain additional privileges that will allow them to take over the network. One of the methods that is commonly used to acquire these privileges is a pass-the-hash attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pass-the-hash-attacks-and-ho… ∗∗∗ Anlagebetrug: Vorsicht vor Diensten, die Ihnen helfen wollen, Ihr verlorenes Geld zurückzubekommen ∗∗∗ --------------------------------------------- Haben Sie bei einer betrügerischen Investmentplattform Geld verloren? Dann nehmen Sie sich vor Folgebetrug in Acht. Kriminelle bewerben Dienstleistung, die Ihnen angeblich dabei helfen, Ihr verlorenes Geld zurückzubekommen. Angebote von finanzaufsicht.com oder firstmoneyback.com sind aber Fake! Sie werden erneut betrogen! --------------------------------------------- https://www.watchlist-internet.at/news/anlagebetrug-vorsicht-vor-diensten-d… ∗∗∗ More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID ∗∗∗ --------------------------------------------- Polyglot files, such as the malicious CHM file analyzed here, can be abused to hide from anti-malware systems that rely on file format identification. --------------------------------------------- https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/ ∗∗∗ What happens with a hacked Instagram account – and how to recover it ∗∗∗ --------------------------------------------- Had your Instagram account stolen? Don’t panic – here’s how to get your account back and how to avoid getting hacked (again). --------------------------------------------- https://www.welivesecurity.com/2022/09/26/what-happens-hacked-instagram-acc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot and firefox-esr), Fedora (firefox and grafana), Red Hat (firefox and thunderbird), Slackware (dnsmasq and vim), SUSE (dpdk, firefox, kernel, libarchive, libcaca, mariadb, openvswitch, opera, permissions, podofo, snakeyaml, sqlite3, unzip, and vsftpd), and Ubuntu (expat, libvpx, linux-azure-fde, linux-oracle, squid, squid3, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/909576/ ∗∗∗ SECURITY - ABB Central Licensing System Vulnerabilities, impact on ABB Ability SCADAvantage ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A3198&Lan… ∗∗∗ Security Bulletin: A vulnerability in Apache Commons Fileupload affects IBM Tivoli Business Service Manager (CVE-2013-2186, CVE-2013-0248, CVE-2016-3092, CVE-2014-0050, 220723) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: A vulnerability in FasterXML Woodstox affects IBM Tivoli Business Service Manager (220573) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-faster… ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1541 ∗∗∗ Publish SBA-ADV-20220328-01: Vtiger CRM Stored Cross-Site Scripting ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/28e164f1cb73e4885a58616d1b… ∗∗∗ Hitachi Energy APM Edge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-02 ∗∗∗ Rockwell Automation ThinManager ThinServer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-03 ∗∗∗ Hitachi Energy AFS660/AFS665 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-01 ∗∗∗ September 23rd 2022 Security Releases ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2022
by Daily end-of-shift report 26 Sep '22

26 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-09-2022 18:00 − Montag 26-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ NullMixer: oodles of Trojans in a single dropper ∗∗∗ --------------------------------------------- NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others. --------------------------------------------- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/1074… ∗∗∗ Maldoc Analysis Info On MalwareBazaar, (Sat, Sep 24th) ∗∗∗ --------------------------------------------- When you lookup a malicious document sample on MalwareBazaar, like this sample, you can see analysis data from olevba and oledump. --------------------------------------------- https://isc.sans.edu/diary/rss/29084 ∗∗∗ Downloading Samples From Takendown Domains, (Sun, Sep 25th) ∗∗∗ --------------------------------------------- Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down). --------------------------------------------- https://isc.sans.edu/diary/rss/29086 ∗∗∗ Easy Python Sandbox Detection , (Mon, Sep 26th) ∗∗∗ --------------------------------------------- Many malicious Python scripts implement a sandbox detection mechanism, I already wrote diaries about this, but it requires some extra code in the script. Because we are lazy (attackers too), why not try to automate this and easily detect the presence of such a security mechanism? --------------------------------------------- https://isc.sans.edu/diary/rss/29090 ∗∗∗ 13,8 Millionen Downloads: Malware-Apps unter Android und iOS ∗∗∗ --------------------------------------------- Ein IT-Sicherheitsunternehmen hat Werbebetrugs-Apps in Google Play und im Apple Store gefunden, die auf insgesamt 13,8 Millionen Downloads kommen. --------------------------------------------- https://heise.de/-7275295 ∗∗∗ Ransomware: Nach Verschlüsseln kommt jetzt Kopieren & Zerstören ∗∗∗ --------------------------------------------- Das mit dem Verschlüsseln ist aufwendig und fehleranfällig – das denken sich wohl auch Cybercrime-Banden, die zuvor kopierte Daten unbrauchbar machen. --------------------------------------------- https://heise.de/-7275667 ∗∗∗ Microsoft Edge mit SOCKS Proxy über PuTTY / SSH nutzen ∗∗∗ --------------------------------------------- Microsoft Edge (dzt. geprüfte Versionen bis v107) bietet in den Einstellungen leider keine Nutzung von SOCKS-Proxys an. Edge unterstützt dies aber (obwohl sich hierzu in der offiziellen Doku leider nichts findet) über das CmdLine-Argument “--proxy-server“. --------------------------------------------- https://hitco.at/blog/microsoft-edge-socks-proxy-putty-ssh/ ∗∗∗ Betrügerisches Post-Gewinnspiel auf WhatsApp ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie auf WhatsApp ein Gewinnspiel mit dem Titel „Österreichische Post Staatliche Förderung“ erhalten. Dabei handelt es sich um Fake. Sie tappen entweder in eine Abo-Falle oder laden Schadsoftware herunter. Klicken Sie nicht auf den Link und löschen Sie die Nachricht. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-post-gewinnspiel-auf… ∗∗∗ Hunting for Unsigned DLLs to Find APTs ∗∗∗ --------------------------------------------- Hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment. Our examples include well-known APTs. --------------------------------------------- https://unit42.paloaltonetworks.com/unsigned-dlls/ ∗∗∗ BumbleBee: Round Two ∗∗∗ --------------------------------------------- In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. --------------------------------------------- https://thedfirreport.com/2022/09/26/bumblebee-round-two/ ∗∗∗ MISP 2.4.163 released with improved periodic notification system and many improvements ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.163 with an updated periodic notification systemand many improvements. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.163 ∗∗∗ Tell Me Where You Live and I Will Tell You About Your P@ssw0rd: Understanding the Macrosocial Factors Influencing Password’s Strength ∗∗∗ --------------------------------------------- Free Person Holding World Globe Facing Mountain Stock PhotoTo explore how a user’s environment influences password creation strategies, we present a blogpost series in which we consider several different perspectives – the macrosocial influence of your country (where you live), the influence of your peers (who your friends are), and a technical understanding of how they are attacked – to improve password security and mitigate the risk of poorly secured passwords. --------------------------------------------- https://www.gosecure.net/blog/2022/09/26/tell-me-where-you-live-and-i-will-… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Windows Shift F10 Bypass and Autopilot privilge escalation ∗∗∗ --------------------------------------------- This post demonstrates full chained exploitation, and it contains two steps. The second step is a known vulnerability, but there are other ways. --------------------------------------------- https://k4m1ll0.com/ShiftF10Bypass-and-privesc.html ∗∗∗ Sophos Firewalls: Kritische Sicherheitslücke wird angegriffen ∗∗∗ --------------------------------------------- Angreifer nutzen eine Schwachstelle in Sophos Firewalls aus, durch die sie eigenen Code auf verwundbare Maschinen schieben. Softwareflicken dichten das Leck ab. --------------------------------------------- https://heise.de/-7275195 ∗∗∗ Angreifer nisten sich in Exchange Online ein – mit bösartigen OAuth-Apps ∗∗∗ --------------------------------------------- Microsoft hat Angriffe auf Cloud-Exchange analysiert, bei denen Angreifer mit bösartigen OAuth-Apps nachhaltig Zugang erlangten und ihn für Spam missbrauchen. --------------------------------------------- https://heise.de/-7275757 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat and poppler), Fedora (dokuwiki), Gentoo (fetchmail, grub, harfbuzz, libaacplus, logcheck, mrxvt, oracle jdk/jre, rizin, smarty, and smokeping), Mageia (tcpreplay, thunderbird, and webkit2), SUSE (dpdk, permissions, postgresql14, puppet, and webkit2gtk3), and Ubuntu (linux-gkeop and sosreport). --------------------------------------------- https://lwn.net/Articles/909439/ ∗∗∗ Trend Micro Deep Security Agent: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Trend Micro Deep Security Agent ausnutzen, um Informationen offenzulegen oder seine Rechte zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1534 ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in QEMU ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1535 ∗∗∗ WhatsApp: Zwei Schwachstellen ermöglichen Remote Code-Ausführung ∗∗∗ --------------------------------------------- Meta-Tochter WhatsApp warnt vor zwei Schwachstellen in seinen Apps für Android und iOS, die die Sicherheit der Benutzer gefährden. Beide Schwachstellen ermöglichen eine Remote Code-Ausführung – die Apps sollten also zeitnah aktualisiert werden. --------------------------------------------- https://www.borncity.com/blog/2022/09/26/whatsapp-zwei-schwachstellen-ermgl… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager vulnerable to denial of service due to Apache Shiro (CVE-2022-32532) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: Due to RPM, AIX is vulnerable to arbitrary code execution (CVE-2021-20271), RPM database corruption (CVE-2021-3421), and denial of service (CVE-2021-20266) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-rpm-aix-is-vulnera… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to a denial of service due to Vmware Tanzu Spring Framework (CVE-2022-22971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Curl affect PowerSC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-029/ ∗∗∗ CISA Has Added One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/23/cisa-has-added-on… ∗∗∗ Node.js: September 22nd 2022 Security Releases ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2022
by Daily end-of-shift report 23 Sep '22

23 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-09-2022 18:00 − Freitag 23-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schadsoftware: Betrüger verteilen Malware mit gefälschten Zoom-Webseiten ∗∗∗ --------------------------------------------- Die Webseiten geben sich als Downloadseite für Zoom aus, doch verteilen sie eine Schadsoftware, die es auf Bankdaten abgesehen hat. --------------------------------------------- https://www.golem.de/news/schadsoftware-betrueger-verteilen-malware-mit-gef… ∗∗∗ Google Play Store: Trojaner Harly kommt auf 4,8 Millionen Downloads ∗∗∗ --------------------------------------------- Im Google Play Store entdeckt Kaspersky zahlreiche trojanisierte Apps, die den Schädling Harly enthalten. Der schließt kostenpflichtige Dienste-Abos ab. --------------------------------------------- https://heise.de/-7273522 ∗∗∗ Fingerabdruck & Co. - Wie funktionieren biometrische Anmeldeverfahren? ∗∗∗ --------------------------------------------- Ihre Augen können das Fenster zu Ihrer Seele sein, aber sie können auch Ihre Bordkarte für das Flugzeug oder der Schlüssel zum Entsperren Ihres Telefons sein. Welche Vor- und Nachteile birgt die Verwendung biometrischer Merkmale für die Authentifizierung? --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/09/22/fingerabdruck-co-wie-funk… ∗∗∗ Microsoft: Windows KB5017383 preview update added to WSUS by mistake ∗∗∗ --------------------------------------------- Microsoft says that KB5017383, this months Windows preview update, has been accidentally listed in Windows Server Update Services (WSUS) and may lead to security update install problems in some managed environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-kb5017383… ∗∗∗ Malicious OAuth applications used to compromise email servers and spread spam ∗∗∗ --------------------------------------------- Microsoft discovered an attack where attackers installed a malicious OAuth application in compromised tenants and used their Exchange servers to launch spam runs. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applicat… ∗∗∗ Kids Like Cookies, Malware Too!, (Fri, Sep 23rd) ∗∗∗ --------------------------------------------- Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won't discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user. --------------------------------------------- https://isc.sans.edu/diary/rss/29082 ∗∗∗ Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts ∗∗∗ --------------------------------------------- GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The Microsoft-owned code hosting service said it learned of the attack on September 16, 2022, adding the campaign impacted "many victim organizations. --------------------------------------------- https://thehackernews.com/2022/09/hackers-using-fake-circleci.html ∗∗∗ WAF bypasses via 0days ∗∗∗ --------------------------------------------- In May, I participated in 1337up0522 from Intigriti which was about hacking OWASP ModSecurity Core Rule Set (CRS). I’ve got 13 findings accepted including 3 exceptional, 2 critical, and 8 high severity vulnerabilities. In this article, I will showcase a couple of interesting findings. --------------------------------------------- https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec ∗∗∗ Surge in Magento 2 template attacks ∗∗∗ --------------------------------------------- The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent Sansec forensic cases concern this attack method. In this article we share our findings of 3 template hacks, and hope it will help you if you are confronted with a similar attack. --------------------------------------------- https://sansec.io/research/magento-2-template-attacks ∗∗∗ Cross-Site Scripting: The Real WordPress Supervillain ∗∗∗ --------------------------------------------- Vulnerabilities are a fact of life for anyone managing a website, even when using a well-established content management system like WordPress. Not all vulnerabilities are equal, with some allowing access to sensitive data that would normally be hidden from public view, while others could allow a malicious actor to take full control of an affected [...] --------------------------------------------- https://www.wordfence.com/blog/2022/09/cross-site-scripting-the-real-wordpr… ∗∗∗ CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned of cyberattacks targeting a recently addressed vulnerability in Zoho ManageEngine. --------------------------------------------- https://www.securityweek.com/cisa-warns-zoho-manageengine-rce-vulnerability… ∗∗∗ NSA and CISA: Heres how hackers are going after critical systems, and what you need to do about it ∗∗∗ --------------------------------------------- NSA and CISA offer some advice for critical infrastructure operators to protect their industrial control systems. --------------------------------------------- https://www.zdnet.com/article/nsa-and-cisa-heres-how-hackers-are-going-afte… ∗∗∗ Experts fear LockBit spread after ransomware builder leaked ∗∗∗ --------------------------------------------- A toolkit to create DIY versions of the LockBit ransomware has leaked, raising alarms among incident responders and cybersecurity experts warning of more widespread use in attacks. The leak, for the LockBit 3.0 ransomware encryptor, was announced on Wednesday by security researcher 3xp0rt. Several experts and researchers confirmed to The Record that the builder works [...] --------------------------------------------- https://therecord.media/experts-fear-lockbit-spread-after-ransomware-builde… ∗∗∗ FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers ∗∗∗ --------------------------------------------- The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers. --------------------------------------------- https://asec.ahnlab.com/en/39152/ ===================== = Vulnerabilities = ===================== ∗∗∗ HP-Drucker: Kritische Lücke erlaubt Codeschmuggel in diversen Modellen ∗∗∗ --------------------------------------------- HP warnt vor Sicherheitslücken in zahlreichen Druckermodellen, die Angreifern das Einschleusen von Schadcode ermöglichen. Der Hersteller stellt Updates bereit. --------------------------------------------- https://heise.de/-7250538 ∗∗∗ IBM Security Bulletins 2022-09-22 ∗∗∗ --------------------------------------------- IBM CICS TX Advanced, IBM CICS TX Standard, IBM Common Cryptographic Architecture (CCA), IBM InfoSphere Information Server, IBM Jazz for Service Management, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM Partner Engagement Manager, IBM Security Guardium, IBM Spectrum Control, Operations Dashboard, TXSeries for Multiplatforms, Watson Explorer and Watson Explorer Content Analytics Studio, z/Transaction Processing Facility --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, expat, firefox-esr, mediawiki, and unzip), Fedora (qemu and thunderbird), Oracle (webkit2gtk3), SUSE (ardana-ansible, ardana-cobbler, ardana-tempest, grafana, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-neutron-gbp, openstack-nova, python-Django1, rabbitmq-server, rubygem-puma, ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma, dpdk, [...] --------------------------------------------- https://lwn.net/Articles/909208/ ∗∗∗ New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access ∗∗∗ --------------------------------------------- Firmware security company Binarly has discovered another round of potentially serious firmware vulnerabilities that could allow an attacker to gain persistent access to any of the millions of affected devices. --------------------------------------------- https://www.securityweek.com/new-firmware-vulnerabilities-affecting-million… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2022
by Daily end-of-shift report 22 Sep '22

22 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-09-2022 18:00 − Donnerstag 22-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BlackCat ransomware’s data exfiltration tool gets an upgrade ∗∗∗ --------------------------------------------- The BlackCat ransomware (aka ALPHV) isnt showing any signs of slowing down, and the latest example of its evolution is a new version of the gangs data exfiltration tool used for double-extortion attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackcat-ransomware-s-data-e… ∗∗∗ Critical Magento vulnerability targeted in new surge of attacks ∗∗∗ --------------------------------------------- Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-magento-vulnerabili… ∗∗∗ RAT Delivered Through FODHelper , (Thu, Sep 22nd) ∗∗∗ --------------------------------------------- I found a simple batch file that drops a Remcos RAT through an old UAC Bypass technique. This technique is based on the "fodhelper" utility ("Features On Demand Helper"). --------------------------------------------- https://isc.sans.edu/diary/rss/29078 ∗∗∗ Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure ∗∗∗ --------------------------------------------- Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. --------------------------------------------- https://thehackernews.com/2022/09/researchers-disclose-critical.html ∗∗∗ Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions ∗∗∗ --------------------------------------------- Recently (in August of 2022), the Sysinternals team released Sysmon 14.0 – a notable update of a powerful and configurable tool for monitoring Windows machines. While Sysmon already included a few valuable detection capabilities, the update introduced the first preventive measure – the FileBlockExecutable event (ID 27). --------------------------------------------- https://www.huntandhackett.com/blog/bypassing-sysmon ∗∗∗ A technical analysis of the leaked LockBit 3.0 builder ∗∗∗ --------------------------------------------- This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022. --------------------------------------------- https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-buil… ∗∗∗ You can’t stop me. MS Teams session hijacking and bypass ∗∗∗ --------------------------------------------- How cleartext session tokens are stored in an unsecured directory that can be stolen and used to impersonate a Teams user. --------------------------------------------- https://www.pentestpartners.com/security-blog/you-cant-stop-me-ms-teams-ses… ∗∗∗ Webinar: Love Scams im Internet erkennen ∗∗∗ --------------------------------------------- Am Mittwoch, den 28.09.2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Love Scams" statt. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-love-scams-im-internet-erken… ∗∗∗ Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics ∗∗∗ --------------------------------------------- New version of Exmatter, and Eamfo malware, used by attackers deploying the Rust-based ransomware. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/no… ∗∗∗ AA22-265A: Control System Defense: Know the Opponent ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure, describes TTPs that malicious actors use to compromise OT/ICS assets. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-265a ∗∗∗ MindShaRE: Analyzing BSD Kernels for Uninitialized Memory Disclosures using Binary Ninja ∗∗∗ --------------------------------------------- Disclosure of uninitialized memory is one of the common problems faced when copying data across trust boundaries. This can happen between the hypervisor and guest OS, kernel and user space, or across the network. --------------------------------------------- https://www.thezdi.com/blog/2022/9/19/mindshare-analyzing-bsd-kernels-with-… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-21 ∗∗∗ --------------------------------------------- IBM Security Guardium, IBM Cloud Pak for Multicloud Management Managed Services, IBM Tivoli Netcool Impact, IBM Maximo Asset Management, IBM Spectrum Protect Plus SQL. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Notfallpatch für Microsoft Endpoint Configuration Manager erschienen ∗∗∗ --------------------------------------------- Admins sollten die IT-Managementlösung Endpoint Configuration Manager von Microsoft aktualisieren. Es könnten Attacken bevorstehen. --------------------------------------------- https://heise.de/-7272195 ∗∗∗ Python: 15 Jahre alte Schwachstelle betrifft potenziell 350.000 Projekte ∗∗∗ --------------------------------------------- Das Issue zu der Directory-Traversal-Schwachstelle in dem Modul tarfile existiert seit 2007. Geschlossen wurde es mit einem Hinweis in der Dokumentation. --------------------------------------------- https://heise.de/-7272186 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (e17, fish, mako, and tinygltf), Fedora (mingw-poppler), Mageia (firefox, google-gson, libxslt, open-vm-tools, redis, and sofia-sip), Oracle (dbus-broker, kernel, kernel-container, mysql, and nodejs and nodejs-nodemon), Slackware (bind), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, [...] --------------------------------------------- https://lwn.net/Articles/909051/ ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2022/09/22/technical-advisory-multiple-vulner… ∗∗∗ HP LaserJet: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1499 ∗∗∗ Measuresoft ScadaPro Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-265-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2022
by Daily end-of-shift report 21 Sep '22

21 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-09-2022 18:00 − Mittwoch 21-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Angreifer könnten eigenen Code im Kontext von Thunderbird und Firefox ausführen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Lücken im E-Mail-Client Thunderbird und den Webbrowsern Firefox und Firefox ESR. --------------------------------------------- https://heise.de/-7270944 ∗∗∗ Hinter Massenmails zu Paketzustellung und Lagergebühr steckt Betrug! ∗∗∗ --------------------------------------------- Aktuell erhalten unzählige Menschen eine personalisierte E-Mail zu einem Paket mit dem Betreff „Label/abgerissen/Zustellung“. Wegen unlesbarer Adresse sollen Sie einen Chat öffnen und Daten ergänzen, um eine Lagergebühr über 29,99 Euro zu vermeiden. Folgen Sie dem Link nicht, geben Sie keine Daten bekannt und bezahlen Sie nichts. Es handelt sich um eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/hinter-massenmails-zu-paketzustellun… ∗∗∗ Windows 11 22H2 adds kernel exploit protection to security baseline ∗∗∗ --------------------------------------------- Microsoft has released the final version of security configuration baseline settings for Windows 11, version 22H2, downloadable today using the Microsoft Security Compliance Toolkit. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-11-22h2-adds-kernel… ∗∗∗ Identifying file manipulation in system files ∗∗∗ --------------------------------------------- Sometimes people send files to us that seem to be legitimate Microsoft system files at first glance, yet closer inspection reveals, that they have in fact been modified. Are those manipulations always malicious? And how can file manipulations be identified? Here are seven different ways to do that. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/09/37511-detecting-file-manipulatio… ∗∗∗ New Windows 11 security features are designed for hybrid work ∗∗∗ --------------------------------------------- With Windows 11, you can protect your valuable data and enable secure hybrid work with the latest advanced security. Were proud to announce the new security features you heard about this spring are now available. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/20/new-windows-11-security-… ∗∗∗ Defense-in-Depth Updates for Azure Identity SDK and Azure Key Vault SDK plus Best Practice Implementation Guidance ∗∗∗ --------------------------------------------- Today, Microsoft released a new version of the Azure Key Vault Software Development Kit (SDK) and Azure Identity SDK that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and services that allow externally controlled input into the Azure Key Vault client URI for processing. --------------------------------------------- https://msrc-blog.microsoft.com/2022/09/20/defense-in-depth-updates-for-azu… ∗∗∗ Exploiting a Seagate service to create a SYSTEM shell (CVE-2022-40286) ∗∗∗ --------------------------------------------- This post covers a slightly different topic than my usual content: application vulnerability discovery and exploit development. --------------------------------------------- https://www.x86matthew.com/view_post?id=windows_seagate_lpe ∗∗∗ Open Source Tool to Collect Volatile Data for Incident Response ∗∗∗ --------------------------------------------- Varc collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident. --------------------------------------------- https://github.com/cado-security/varc ∗∗∗ How we Abused Repository Webhooks to Access Internal CI Systems at Scale ∗∗∗ --------------------------------------------- As adoption of CI systems and processes becomes more prevalent, organizations opt for a CI/CD architecture which combines SaaS-based source control management systems (like GitHub or GitLab) with an internal, self-hosted CI solution (e.g. Jenkins, TeamCity). [...] To allow the webhook requests to access the internally-hosted CI system, the SaaS-based SCM vendors provide IP ranges from which their webhooks requests arrive, so these ranges can be allowed in the organization’s firewall. In this blog post, we’ll dive into the potential security pitfalls of this control, and explain why it provides organizations with a false sense of security. --------------------------------------------- https://www.cidersecurity.io/blog/research/how-we-abused-repository-webhook… ∗∗∗ Securing Developer Tools: OneDev Remote Code Execution ∗∗∗ --------------------------------------------- OneDev is a self-hosted Git server that comes with a lot of development-oriented features such as CI/CD, code search, and static analysis integration. With almost 10,000 stars on GitHub, it is gaining popularity and becoming an open-source and low-maintenance alternative to GitHub, GitLab, and Bitbucket. [...] In this article, we describe the vulnerabilities we found in OneDev that could be used by attackers to take over vulnerable instances. --------------------------------------------- https://blog.sonarsource.com/onedev-remote-code-execution/ ∗∗∗ Hundreds of eCommerce Domains Infected With Google Tag Manager-Based Skimmers ∗∗∗ --------------------------------------------- Security researchers with Recorded Future have identified a total of 569 ecommerce domains infected with skimmers, 314 of which have been infected with web skimmers leveraging Google Tag Manager (GTM) containers. --------------------------------------------- https://www.securityweek.com/hundreds-ecommerce-domains-infected-google-tag… ∗∗∗ Penetration testing is in the eye of the beholder ∗∗∗ --------------------------------------------- "Beauty is in the eye of the beholder." A famous phrase known to all indicates that our perceptions influence our definitions. The same can be said about penetration testing. Often when clients approach us for what they believe to be a penetration test, their definition and needs do not necessarily meet the accepted approach of those within the security field. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/penetration-testing… ∗∗∗ Authentication methods: choosing the right type ∗∗∗ --------------------------------------------- Recommended authentication models for organisations looking to move beyond passwords. --------------------------------------------- https://www.ncsc.gov.uk/guidance/authentication-methods-choosing-the-right-… ∗∗∗ Native function and Assembly Code Invocation ∗∗∗ --------------------------------------------- For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. While in some cases it is just possible to understand the function logic and reimplement it in a higher-level language, this is not always feasible, and [...] --------------------------------------------- https://research.checkpoint.com/2022/native-function-and-assembly-code-invo… ∗∗∗ Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware ∗∗∗ --------------------------------------------- Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnera… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libconfuse, moodle, rizin, and thunderbird), Oracle (ELS kernel, gnupg2, ruby, and webkit2gtk3), Red Hat (booth, dbus-broker, gnupg2, kernel, kernel-rt, kpatch-patch, mysql, nodejs, nodejs-nodemon, ruby, and webkit2gtk3), Slackware (expat and mozilla), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container and vsftpd), and Ubuntu (bind9, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-kvm, linux-lowlatency, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, lnux-hwe, inux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-hwe-5.15, linux-lowlatency-hwe-5.15, and mako). --------------------------------------------- https://lwn.net/Articles/908893/ ∗∗∗ Information Disclosure in VIDEOJET Decoder and Operator Client application in BVMS ∗∗∗ --------------------------------------------- BOSCH-SA-464066-BT: BVMS Operator Client application or the VIDEOJET Decoder VJD-7513 may receive an *unencrypted* live-stream from a camera which allows a man-in-the-middle attacker to compromise the confidential video streams. This happens only in combination with cameras of platform CPP13 or CPP14.x when encrypted UDP connection is configured. Please be aware that encrypted UDP connection is default setting («Secure Connection» setting) for all cameras added into BVMS. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-464066-bt.html ∗∗∗ [R1] Nessus Network Monitor 6.1.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- Nessus Network Monitor leverages third-party software to help provide underlying functionality. Several third-party components (OpenSSL and moment.js) were found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2022-19 ∗∗∗ Security Bulletin: Rational Performance Tester contains a vulnerability which could affect Eclipse Jetty. Rational Performance Tester has taken steps to mitigate this vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-performance-test… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to multiple Golang Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a PolicyKit vulnerability (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to authentication bypass (CVE-2022-40616) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing HTTP Strict-Transport-Security Header vulnerability (CVE-2021-39072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Microsoft Endpoint Configuration Manager: Schwachstelle ermöglicht Umgehen von Sicherheitseinstellungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1488 ∗∗∗ TIBCO Spotfire: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1487 ∗∗∗ Grafana: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1486 ∗∗∗ Hashicorp Vault: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1485 ∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1492 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2022
by Daily end-of-shift report 20 Sep '22

20 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 19-09-2022 18:00 − Dienstag 20-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches ∗∗∗ --------------------------------------------- Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favo… ∗∗∗ Handling WebAuthn over remote SSH connections ∗∗∗ --------------------------------------------- Being able to SSH into remote machines and do work there is great. Using hardware security tokens for 2FA is also great. But trying to use them both at the same time doesnt work super well, because if you hit a WebAuthn request on the remote machine it doesnt matter how much you mash your token - its not going to work. But could it? --------------------------------------------- https://mjg59.dreamwidth.org/61232.html ∗∗∗ LastPass source code breach – incident response report released ∗∗∗ --------------------------------------------- Wondering how youd handle a data breach report if the worst happened to you? Heres a useful example. --------------------------------------------- https://nakedsecurity.sophos.com/2022/09/19/lastpass-source-code-breach-inc… ∗∗∗ Chainsaw: Hunt, search, and extract event log records, (Mon, Sep 19th) ∗∗∗ --------------------------------------------- Chainsaw is a standalone tool that provides a simple and fast method to triage Windows event logs and identify interesting elements within the logs while applying detection logic (Sigma and Chainsaw) to detect malicious activity. --------------------------------------------- https://isc.sans.edu/diary/rss/29066 ∗∗∗ E-Mail von „GMX Sicherheit“ ist Fake ∗∗∗ --------------------------------------------- GMX-Nutzer:innen aufgepasst: Das E-Mail vom Absender „GMX Sicherheit“ ist nicht von GMX. Im betrügerischen E-Mail werden Sie aufgefordert, Ihre Kontoinformationen zu vervollständigen. Ansonsten wird angeblich Ihr Konto innerhalb von 24 Stunden gelöscht. Verschieben Sie das Mail in Ihren Spam-Ordner und klicken Sie nicht auf den Link! --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-von-gmx-sicherheit-ist-fake/ ∗∗∗ Security Risks in Logistics APIs Used by E-Commerce Platforms ∗∗∗ --------------------------------------------- Our research examines the security flaws that we found in the logistics API implementation of e-commerce platforms that can potentially expose the consumers’ personal information. We discuss the security risks that such flaws present for software engineers, e-commerce platform providers, and consumers. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/security-risks-in-logistics-… ===================== = Vulnerabilities = ===================== ∗∗∗ Most common SAP vulnerabilities attackers try to exploit ∗∗∗ --------------------------------------------- Unpatched vulnerabilities, common misconfigurations and hidden flaws in custom code continue to make enterprise SAP applications a target rich environment for attackers at a time when threats like ransomware and credential theft have emerged as major concerns for organizations. --------------------------------------------- https://www.csoonline.com/article/3674119/most-common-sap-vulnerabilities-a… ∗∗∗ Vulnerabilities Identified in EZVIZ Smart Cams ∗∗∗ --------------------------------------------- As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. --------------------------------------------- https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-ezviz-s… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dokuwiki and rizin), SUSE (libcontainers-common, permissions, sqlite3, and wireshark), and Ubuntu (tiff, vim, and xen). --------------------------------------------- https://lwn.net/Articles/908779/ ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen oder Dateien zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1475 ∗∗∗ Hitachi Energy PROMOD IV ICS Advisory (ICSA-22-263-01) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-01 ∗∗∗ Hitachi Energy AFF660/665 Series ICS Advisory (ICSA-22-263-02) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-02 ∗∗∗ Medtronic NGP 600 Series Insulin Pumps ICS Medical Advisory (ICSMA-22-263-01) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsma-22-263-01 ∗∗∗ Dataprobe iBoot-PDU ICS Advisory (ICSA-22-263-03) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-03 ∗∗∗ Host Engineering Communications Module ICS Advisory (ICSA-22-263-04) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-04 ∗∗∗ Security Bulletin: A security vulnerability in react-scripts affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Due to use of Apache Commons, IBM Cloud PAK for Watson AI Ops is vulnerable to remote code execution (CVE-2022-33980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-comm… ∗∗∗ Security Bulletin: A security vulnerability in Nodejs marked affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-provision-to-add-https-an… ∗∗∗ Security Bulletin: Vulnerabilities in libcurl affect IBM Spectrum Protect Plus SQL, File Indexing, and Windows Host agents ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-libcur… ∗∗∗ Security Bulletin: Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js dicer affects IBM Cloud Pak for Watson AIOps Infrastructure Automation Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.13.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-39/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-41/ ∗∗∗ Security Vulnerabilities fixed in Firefox 105 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-40/ ∗∗∗ Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-036/ ∗∗∗ JetBrains IntelliJ IDEA: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1474 ∗∗∗ Apache Kafka: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1473 ∗∗∗ Budibase: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1472 ∗∗∗ Spring Data REST Vulnerability (CVE-2022-31679) ∗∗∗ --------------------------------------------- https://spring.io/blog/2022/09/19/spring-data-rest-vulnerability-cve-2022-3… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2022
by Daily end-of-shift report 19 Sep '22

19 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-09-2022 18:00 − Montag 19-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Gratis-Entschlüsselungstool: Opfer von Ransomware LockerGoga können aufatmen ∗∗∗ --------------------------------------------- Wer sich den Erpressungstrojaner LockerGoga unter Windows eingefangen hat, kann seine Daten nun ohne Lösegeldzahlung entschlüsseln. --------------------------------------------- https://heise.de/-7268170 ∗∗∗ Umfrage zu Cyberattacken: Viele Unternehmen haben keinen Notfallplan ∗∗∗ --------------------------------------------- Cyberangriff auf ein Unternehmen - und nun? 46 Prozent der Unternehmen in Deutschland haben dafür keinen Plan, sagt eine Studie des Digitalverbands Bitkom. --------------------------------------------- https://heise.de/-7268938 ∗∗∗ Gold kaufen: Gold-Handel-sofort.de ist Fake ∗∗∗ --------------------------------------------- Sie überlegen sich, in Gold zu investieren und suchen nach einem passenden Anbieter? Vorsicht: Nicht jeder Gold-Händler ist seriös. Gold-Handel-sofort.de wirkt zwar professionell, ist aber Fake. Wenn Sie dort bestellen, erhalten Sie trotz Bezahlung keine Ware. Wir zeigen Ihnen, wie Sie einen Online-Shop für Gold überprüfen. --------------------------------------------- https://www.watchlist-internet.at/news/gold-kaufen-gold-handel-sofortde-ist… ∗∗∗ Chrome & Edge senden persönliche Daten (u.a. Passwörter) an Google bzw. Microsoft ∗∗∗ --------------------------------------------- Neue, und irgendwie unschöne, aber erwartbare Entdeckung, die ein Sicherheitsforscher die Tage öffentlich gemacht hat. Der Google Chrome-Browser, und auch der auf Chromium basierende Microsoft Edge-Browser, übermitteln persönliche Daten aus Formularen an Google bzw. Microsoft (beim Edge). --------------------------------------------- https://www.borncity.com/blog/2022/09/19/chrome-edge-senden-persnliche-date… ∗∗∗ Preventing ISO Malware , (Sun, Sep 18th) ∗∗∗ --------------------------------------------- In the last few weeks, Ive seen a significant uptick in systems infected with Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things. --------------------------------------------- https://isc.sans.edu/diary/rss/29062 ∗∗∗ Can reflections in eyeglasses actually leak info from Zoom calls? Heres a study into it ∗∗∗ --------------------------------------------- About time someone shone some light onto this Boffins at the University of Michigan in the US and Zhejiang University in China want to highlight how bespectacled video conferencing participants are inadvertently revealing sensitive on-screen information via reflections in their eyeglasses. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/09/17/glasses_refl… ∗∗∗ A Guide to Improving Security Through Infrastructure-as-Code ∗∗∗ --------------------------------------------- Modern organizations evolved and took the next step when they became digital. Organizations are using cloud and automation to build a dynamic infrastructure to support more frequent product release and faster innovation. This puts pressure on the IT department to do more and deliver faster. --------------------------------------------- https://research.nccgroup.com/2022/09/19/a-guide-to-improving-security-thro… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-15 and 2022-09-16 ∗∗∗ --------------------------------------------- IBM Spectrum Protect Plus, IBM Spectrum Copy Data Management, IBM Spectrum Plus Container Backup, Restore for Kubernetes, Red Hat OpenShift, IBM Spectrum Protect Operations Center, Client Management Service, IBM Spectrum Protect Server, IBM Security QRadar Network Threat Analytics, IBM Sterling Control Center, Rational Test Control Panel, Rational Test Workbench. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ High severity vulnerabilities found in Harbor open-source artifact registry ∗∗∗ --------------------------------------------- Oxeye security researchers have uncovered several new high severity variants of the IDOR (Insecure Director Object Reference) vulnerabilities (CVE-2022-31671, CVE-2022-31666, CVE-2022-31670, CVE-2022-31669, CVE-2022-31667) in CNCF-graduated project Harbor, the popular open-source artifact registry by VMware. --------------------------------------------- https://www.helpnetsecurity.com/2022/09/19/vulnerabilities-harbor-open-sour… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (connman and e17), Fedora (curl, open-vm-tools, pcs, and python-lxml), Mageia (curl, dpkg, freecad, gimp, libtar, libtiff, mediawiki, ostree, python-lxml, schroot, SDL12, sdl2, wireshark, and zlib), Oracle (kernel and php:7.4), Red Hat (php:7.4), Slackware (vim), SUSE (chromium, kernel, libarchive, libtirpc, mupdf, python-rsa, ruby2.5, and virtualbox), and Ubuntu (linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/908627/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0009 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2022-32886, CVE-2022-32891,CVE-2022-32912. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0009.html ∗∗∗ Lexmark Firmware-Update schließt Schwachstelle und korrigiert Windows-Druckerproblem ∗∗∗ --------------------------------------------- Gute Nachrichten für Besitzer von Lexmark-Druckern. Der Hersteller hat endlich die Firmware-Updates für diverse Modelle bereitgestellt. Diese sollen einerseits eine Schwachstelle in mehr als Hundert Lexmark-Druckermodellen beseitigen, vor der Lexmark bereits im Juni 2022 gewarnt hat [...] --------------------------------------------- https://www.borncity.com/blog/2022/09/19/lexmark-firmware-update-schliet-sc… ∗∗∗ Netgear Routers impacted by FunJSQ Game Acceleration Module flaw ∗∗∗ --------------------------------------------- https://securityaffairs.co/wordpress/135887/security/netgear-game-accelerat… ∗∗∗ Mattermost: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1455 ∗∗∗ Kubernetes: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1458 ∗∗∗ WithSecure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1464 ∗∗∗ Dell NetWorker: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1460 ∗∗∗ HPE Integrated Lights-Out: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1459 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2022
by Daily end-of-shift report 16 Sep '22

16 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-09-2022 18:00 − Freitag 16-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücke in WordPress-Plug-in WPGateway macht Angreifer zu Admins ∗∗∗ --------------------------------------------- Angreifer attackieren WordPress-Websites mit WPGateway. Sicherheitsupdates sind noch nicht verfügbar. --------------------------------------------- https://heise.de/-7265906 ∗∗∗ Update für Exchange Extended Protection-Script, aber weiterhin Fehler ∗∗∗ --------------------------------------------- Mit den Sicherheitsupdates vom August 2022 für Microsoft Exchange (On-Premises-Lösung) ist es erforderlich, Extended Protection (EP) zu aktivieren, um alle Schwachstellen zu schließen. Die Aktivierung erfolgt per Script, welches Microsoft bereitgestellt hat – was aber zu Problemen führte. --------------------------------------------- https://www.borncity.com/blog/2022/09/16/update-fr-exchange-extended-protec… ∗∗∗ PS2 Emulator: Exploit in PS4 und PS5 soll nicht behebbar sein ∗∗∗ --------------------------------------------- Eine Lücke im integrierten PS2-Emulator der Playstation 4 und 5 soll sich "grundsätzlich" nicht beheben lassen. Das reicht, um Code auszuführen. --------------------------------------------- https://www.golem.de/news/ps2-emulator-exploit-in-ps4-und-ps5-soll-nicht-be… ∗∗∗ Bitdefender releases free decryptor for LockerGoga ransomware ∗∗∗ --------------------------------------------- Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-de… ∗∗∗ Microsoft Edge’s News Feed ads abused for tech support scams ∗∗∗ --------------------------------------------- An ongoing malvertising campaign is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-edge-s-news-feed-a… ∗∗∗ Water Tank Management System Used Worldwide Has Unpatched Security Hole ∗∗∗ --------------------------------------------- A water tank management system used by organizations worldwide is affected by a critical vulnerability that can be exploited remotely and the vendor does not appear to want to patch it.read more --------------------------------------------- https://www.securityweek.com/water-tank-management-system-used-worldwide-ha… ∗∗∗ Word Maldoc With CustomXML and Renamed VBAProject.bin, (Fri, Sep 16th) ∗∗∗ --------------------------------------------- Friend and colleague 0xThiebaut just gave me a heads up for this interesting sample: 2056b52f8c2f62e222107e6fb6ca82708cdae73a91671d40e61aef8698e3e139 --------------------------------------------- https://isc.sans.edu/diary/rss/29056 ∗∗∗ Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies ∗∗∗ --------------------------------------------- Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware. --------------------------------------------- https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bzip2, chromium, glib2.0, libraw, mariadb-10.3, and mod-wsgi), Fedora (kdiskmark, wordpress, and zlib), Oracle (.NET 6.0, .NET Core 3.1, mariadb:10.3, nodejs:14, nodejs:16, ruby:2.7, and ruby:3.0), Red Hat (.NET 6.0, php:7.4, and webkit2gtk3), SUSE (389-ds, flatpak, kernel, libgit2, and thunderbird), and Ubuntu (sqlite3, vim, and wayland). --------------------------------------------- https://lwn.net/Articles/908297/ ∗∗∗ Synology-SA-22:15 GLPI ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers or remote authenticated users to obtain sensitive information, inject arbitrary web script or HTML or inject SQL command via a susceptible version of GLPI. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_15 ∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/15/cisa-adds-six-kno… ∗∗∗ Achtung: Backdoor in TechLogix Networx Power Delivery-Unit, vom Internet isolieren und patchen ∗∗∗ --------------------------------------------- In Stromversorgungskomponenten (Power Delivery-Units) des US-Herstellers TechLogix Networx gibt es eine gravierende Schwachstelle in deren Firmware. Die Firmware nimmt in älteren Versionen (vor Version 2.0.2a) keine Authentifizierung vor, d.h. man kann über Netzwerk die Power Delivery-Unit abschalten. --------------------------------------------- https://www.borncity.com/blog/2022/09/16/achtung-backdoor-in-techlogix-netw… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX container is vulnerable to obtain sensitive information due to OpenSSL (CVE-2022-2097) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to Denial of Service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Dell BSAFE: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1452 ∗∗∗ xpdf: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1451 ∗∗∗ NGINX: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1450 ∗∗∗ Nextcloud: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1449 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2022
by Daily end-of-shift report 15 Sep '22

15 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-09-2022 18:00 − Donnerstag 15-09-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Gesetzentwurf: EU-Kommission will Sicherheitsupdates vorschreiben ∗∗∗ --------------------------------------------- Mit einem Entwurf für ein Cyberresilienzgesetz möchte die EU-Kommission für mehr IT-Sicherheit sorgen. --------------------------------------------- https://www.golem.de/news/gesetzentwurf-eu-kommission-will-sicherheitsupdat… ∗∗∗ Self-spreading stealer attacks gamers via YouTube ∗∗∗ --------------------------------------------- A malicious bundle containing the RedLine stealer and a miner is distributed on YouTube through cheats and cracks ads for popular games. --------------------------------------------- https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/10… ∗∗∗ Supply-Chain-Attacke: Trojaner in FishPig-Software bedroht Onlineshops ∗∗∗ --------------------------------------------- Derzeit platzieren Angreifer Hintertüren über kompromittierte Shop-Software unter anderem auf WordPress-Websites. --------------------------------------------- https://heise.de/-7265052 ∗∗∗ SideWalk Backdoor mit neuer Linux‑Variante ∗∗∗ --------------------------------------------- ESET-Forscher haben ein weiteres Tool im bereits umfangreichen Arsenal der SparklingGoblin APT-Gruppe entdeckt: eine Linux-Variante der SideWalk-Backdoor. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/09/14/sidewalk-backdoor-mit-neu… ∗∗∗ Vorsicht vor Bitcoin-Scams auf Discord ∗∗∗ --------------------------------------------- Es scheint verlockend – reich werden nur mit ein paar Klicks. Kriminelle verwenden Schlagwörter wie Bitcoin“ oder „Crypto", um immer mehr Menschen abzuzocken. In einer Nachricht auf Discord wird behauptet, Sie hätten Bitcoin gewonnen? Finger weg, bei diesem Scam verlieren Sie Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-bitcoin-scams-auf-disco… ∗∗∗ Change in Magniber Ransomware (*.cpl → *.jse) – September 8th ∗∗∗ --------------------------------------------- After Magniber changed its method of distribution from an MSI format to a CPL format on July 20th, it has been monitored to show decreased distribution activity as of mid-August. --------------------------------------------- https://asec.ahnlab.com/en/38808/ ===================== = Vulnerabilities = ===================== ∗∗∗ Schwerwiegende Sicherheitslücke in Microsoft Teams entdeckt ∗∗∗ --------------------------------------------- Angreifer*innen könnten die Login-Daten der Desktop-App stehlen, auch bei aktiver Multifaktor-Authentifizierung. --------------------------------------------- https://futurezone.at/digital-life/schwere-sicherheitsluecke-microsoft-team… ∗∗∗ IBM Security Bulletins 2022-09-14 ∗∗∗ --------------------------------------------- FileNet Content Manager, IBM Call Center, IBM Cloud PAK for Watson AI Ops, IBM SDK (Java Technology Edition), IBM Semeru Runtime, IBM Sterling Connect, IBM Sterling Control Center, IBM Sterling Order Management, IBM Tivoli Application Dependency Discovery Manager, Transaction Processing Facility --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ ZDI: (0Day) Vulnerabilities (RCE) in NIKON NIS-Elements Viewer ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-22-1211/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1212/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1213/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1214/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1215/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1216/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1217/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1218/ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-22-1219/ ∗∗∗ Sicherheitsupdates: BIOS-Lücken gefährden unzählige Lenovo-PCs ∗∗∗ --------------------------------------------- Lenovo hat BIOS-Updates für praktisch sein gesamtes PC-Modell-Portfolio bereitgestellt. Unter anderem werden Schadcode-Lücken geschlossen. --------------------------------------------- https://heise.de/-7264659 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nova, pcs, and rails), Fedora (firejail, moby-engine, and pspp), Oracle (.NET 6.0, gnupg2, kernel, python3, and rsyslog rsyslog7), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (kernel), and Ubuntu (intel-microcode, poppler, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/908137/ ∗∗∗ ZDI-22-1210: (0Day) Ansys SpaceClaim X_T File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1210/ ∗∗∗ Cisco IOS XR Software Broadband Network Gateway PPP over Ethernet Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XR Software Cisco Discovery Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Network Convergence System 4000 Series TL1 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ (Non-US) DIR-2150 :: Rev Rx :: FW v4.0.1 :: Multiple Vulnerabiltiies ∗∗∗ --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ ffmpeg: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1433 ∗∗∗ Google Chrome und Microsoft Edge: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1432 ∗∗∗ ImageMagick: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1431 ∗∗∗ genua genugate: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1438 ∗∗∗ Denial of Service in Printanista Hub / Printscout (SYSS-2022-042) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/codeausfuehrung-ueber-unsicheren-diagnosed… ∗∗∗ PAN-SA-2022-0005 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0005 ∗∗∗ PAN-SA-2022-0004 Informational: Cortex XDR Agent: Allow List is Visible to Low Privileged Users (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0004 ∗∗∗ CVE-2022-0029 Cortex XDR Agent: Improper Link Resolution Vulnerability When Generating a Tech Support File (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0029 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2022
by Daily end-of-shift report 14 Sep '22

14 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-09-2022 18:00 − Mittwoch 14-09-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Securing your IoT devices against cyber attacks in 5 steps ∗∗∗ --------------------------------------------- How is IoT being used in the enterprise, and how can it be secured? We will demonstrate important security best practices and how a secure password policy is paramount to the security of devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/securing-your-iot-devices-ag… ∗∗∗ Easy Process Injection within Python, (Wed, Sep 14th) ∗∗∗ --------------------------------------------- Process injection is a common technique used by malware to cover their tracks. What looks more legit than a process called "notepad.exe" or "explorer.exe"? --------------------------------------------- https://isc.sans.edu/diary/rss/29048 ∗∗∗ Neue Phishing-Masche: Fake-Konversationen für mehr Glaubwürdigkeit ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor einer neuen Taktik, die Phishing-Mails noch glaubhafter erscheinen lässt. --------------------------------------------- https://heise.de/-7263942 ∗∗∗ Passengers Exposed to Hacking via Vulnerabilities in Airplane Wi-Fi Devices ∗∗∗ --------------------------------------------- Researchers have discovered two potentially serious vulnerabilities in wireless LAN devices that they say are often used in airplanes. --------------------------------------------- https://www.securityweek.com/passengers-exposed-hacking-vulnerabilities-air… ∗∗∗ Malware Infects Magento-Powered Stores via FishPig Distribution Server ∗∗∗ --------------------------------------------- For the past several weeks, Magento stores have been injected with malware via a supply chain attack that targeted the FishPig distribution server. --------------------------------------------- https://www.securityweek.com/malware-infects-magento-powered-stores-fishpig… ∗∗∗ Mail „Energiekosten: Jetzt 475,00 Euro erhalten“ ist Betrug! ∗∗∗ --------------------------------------------- In Zeiten von 150 Euro Energiegutschein oder 500 Euro Klimabonus kann eine E-Mail mit dem Betreff „Energiekosten: Jetzt 475,00 Euro erhalten“ durchaus für echt gehalten werden. Doch Vorsicht: Die Nachricht leitet auf eine Website zum „Lars Meyer Geld-System“ weiter – eine betrügerische Investment-Plattform, auf der Sie nicht investieren dürfen. --------------------------------------------- https://www.watchlist-internet.at/news/mail-energiekosten-jetzt-47500-euro-… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/14/cisa-adds-two-kno… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs ∗∗∗ --------------------------------------------- Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-… ∗∗∗ IBM Security Bulletins 2022-09-13 ∗∗∗ --------------------------------------------- IBM WebSphere Application Server, IBM SPSS Statistics, IBM Maximo Asset Management, IBM Maximo Manage, IBM App Connect Enterprise, IBM Integration Bus, IBM App Connect Professional. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday: Angreifer attackieren Windows 7 bis 11 ∗∗∗ --------------------------------------------- Kritische Lücken bedrohen Microsoft Dynamics 365 und Windows. Sicherheitsupdates stehen zur Installation bereit. --------------------------------------------- https://heise.de/-7263140 ∗∗∗ Patchday Adobe: Schadcode-Attacken auf InDesign, Photoshop & Co. möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Anwendungen von Adobe. Derzeit sind keine dokumentierten Attacken bekannt. --------------------------------------------- https://heise.de/-7263205 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (open-vm-tools), Debian (freecad and sqlite3), Fedora (qt5-qtwebengine and vim), SUSE (firefox, kernel, libzapojit, perl, postgresql14, and samba), and Ubuntu (dotnet6, dpdk, gdk-pixbuf, rust-regex, and systemd). --------------------------------------------- https://lwn.net/Articles/907983/ ∗∗∗ Zero-day in WPGateway Wordpress plugin actively exploited in attacks ∗∗∗ --------------------------------------------- https://www.bleepingcomputer.com/news/security/zero-day-in-wpgateway-wordpr… ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1422 ∗∗∗ Delta Industrial Automation DIAEnergie ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-256-03 ∗∗∗ Kingspan TMS300 CS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-256-04 ∗∗∗ Honeywell SoftMaster ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-256-02 ∗∗∗ Hitachi Energy TXpert Hub CoreTec 4 Sudo Vulnerability ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-256-01 ∗∗∗ Multi-Vendor BIOS Security Vulnerabilities (September 2022) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500519-MULTI-VENDOR-BIOS-SECUR… ∗∗∗ Quectel Wireless WAN Driver Command Injection Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500515 ∗∗∗ genua genucenter: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1412 ∗∗∗ Zoom Video Communications On-Premise: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1420 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2022
by Daily end-of-shift report 13 Sep '22

13 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 12-09-2022 18:00 − Dienstag 13-09-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New PsExec spinoff lets hackers bypass network security defenses ∗∗∗ --------------------------------------------- Security researchers have developed an implementation of the Sysinternals PsExec utility that allows moving laterally in a network using a less monitored port. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-psexec-spinoff-lets-hack… ∗∗∗ Security pros get ability to manually add incidents to Microsoft Sentinel ∗∗∗ --------------------------------------------- Microsoft is introducing a feature to Sentinel to enable security analysts to manually create an incident report and the ability to manually delete the incident if needed. --------------------------------------------- https://www.theregister.com/2022/09/12/microsoft_sentinel_manual_siem_repor… ∗∗∗ Letting off steam ∗∗∗ --------------------------------------------- In July alone, CERT-GIB specialists identified more than 150 fraudulent resources mimicking Steam, a major online gaming platform. To steal Steam credentials, hackers have been using a new phishing technique called browser-in-the-browser, which tricks users into thinking that a fake webpage is a legal resource. --------------------------------------------- https://blog.group-ib.com/steam ∗∗∗ Tool Release – Monkey365 ∗∗∗ --------------------------------------------- Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start. --------------------------------------------- https://research.nccgroup.com/2022/09/07/tool-release-monkey365/ ∗∗∗ OriginLogger: A Look at Agent Tesla’s Successor ∗∗∗ --------------------------------------------- We provide an overview of the OriginLogger keylogger, including info on a dropper lure and OriginLogger’s configuration and infrastructure. --------------------------------------------- https://unit42.paloaltonetworks.com/originlogger/ ∗∗∗ How to tighten your security in Microsoft Edge ∗∗∗ --------------------------------------------- Edge offers several options to help protect you from malicious websites and other online hazards. --------------------------------------------- https://www.zdnet.com/article/how-to-tighten-your-security-in-microsoft-edg… ∗∗∗ MISP 2.4.162 released with a new periodic notification system, workflow updates and many improvements ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.162 with a new periodic notification system, workflow updates and many improvements. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.162 ===================== = Vulnerabilities = ===================== ∗∗∗ Trend Micro warns of actively exploited Apex One RCE vulnerability ∗∗∗ --------------------------------------------- Security software firm Trend Micro warned customers today to patch an actively exploited Apex One security vulnerability as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-activel… ∗∗∗ Firmware: Etliche HP-Rechner mit Sicherheitslücken, aber ohne Patches ∗∗∗ --------------------------------------------- Gemeldet wurden die Sicherheitslücken vor vielen Monaten, doch etliche Businessgeräte von HP haben noch keine Updates erhalten. --------------------------------------------- https://www.golem.de/news/firmware-etliche-hp-rechner-mit-sicherheitsluecke… ∗∗∗ iPadOS, macOS Monterey und altes iOS: Apple patcht Lücken ∗∗∗ --------------------------------------------- iPadOS 16 ist noch nicht fertig, dafür kommt ein Sicherheitsupdate. Auf dem Mac gibts nun Safari 16 – und ebenfalls viele Patches. Auch iOS 15 wird bedacht. --------------------------------------------- https://heise.de/-7261410 ∗∗∗ Lorenz Ransomware nutzt VoIP-Telefone MiVoice Connect von Mitel als Sprungbrett ∗∗∗ --------------------------------------------- Angreifer nutzen derzeit eine kritische Sicherheitslücke in Telefonsystemen von Mitel aus. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7261947 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (connman and python-oslo.utils), Fedora (libapreq2), Red Hat (booth, gnupg2, kernel, kernel-rt, mariadb:10.3, nodejs:14, nodejs:16, python3, ruby:2.7, and ruby:3.0), SUSE (chromium, opera, python2-numpy, and rubygem-kramdown), and Ubuntu (poppler). --------------------------------------------- https://lwn.net/Articles/907869/ ∗∗∗ FBI warns of vulnerabilities in medical devices following several CISA alerts ∗∗∗ --------------------------------------------- The FBI on Monday warned that hundreds of vulnerabilities in widely used medical devices are leaving a door open for cyberattacks. --------------------------------------------- https://therecord.media/fbi-warns-of-vulnerabilities-in-medical-devices-fol… ∗∗∗ SSA-638652 V1.0: Authentication Bypass Vulnerability in Mendix SAML Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-638652.txt ∗∗∗ SSA-637483 V1.0: Third-Party Component Vulnerabilities in SINEC INS before V1.0 SP2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-637483.txt ∗∗∗ SSA-589975 V1.0: Improper Access Control Vulnerability in CoreShield OWG Software ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-589975.txt ∗∗∗ SSA-518824 V1.0: Multiple File Parsing Vulnerabilities in Simcenter Femap and Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-518824.txt ∗∗∗ SSA-459643 V1.0: Denial of Service Vulnerability in RUGGEDCOM ROS before V5.6.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-459643.txt ∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-v… ∗∗∗ Security Bulletin: Vulnerability in MIT Kerberos 5 affects PowerSC (CVE-2021-37750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-mit-kerb… ∗∗∗ Security Bulletin: AIX is vulnerable to a privilege escalation vulnerability due to invscout (CVE-2022-36768) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-pr… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2022-34336) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-provision-to-add-https-an… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to identity spoofing with authenticated user and ability to bypass security restrictions due to Eclipse Paho Java client (CVE-2019-11777, CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-v… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to libxml2 (CVE-2022-29824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: AIX is vulnerable to a privilege escalation vulnerability (CVE-2022-34356) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-pr… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ SAP Patchday September 2022 ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1400 ∗∗∗ TYPO3 Core: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1402 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2020-35498 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX463901/citrix-hypervisor-security-bul… ∗∗∗ AMI MegaRAC SP-X BMC Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500518-AMI-MEGARAC-SP-X-BMC-VU… ∗∗∗ Brocade Fabric OS - Security Update ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500517-BROCADE-FABRIC-OS-SECUR… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2022
by Daily end-of-shift report 12 Sep '22

12 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-09-2022 18:00 − Montag 12-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Krypto-Malware Shikitega überlistet den herkömmlichen Linux-Schutz ∗∗∗ --------------------------------------------- AT&T Alien Labs hat eine Analyse zur neuen Linux-Malware Shikitega veröffentlicht. Der Schädling verschafft sich Root-Zugriff, seine Entdeckung ist schwierig. --------------------------------------------- https://heise.de/-7260803 ∗∗∗ Bericht: Um nicht erwischt zu werden, verschlüsselt Ransomware Daten partiell ∗∗∗ --------------------------------------------- Sicherheitsforscher beobachten bei Erpressungstrojanern einen Trend zur schnelleren Verschlüsselung. --------------------------------------------- https://heise.de/-7261001 ∗∗∗ SMS von der Post? Klicken Sie nicht auf den Link! ∗∗∗ --------------------------------------------- „Die Zustellung Ihres letzten Pakets hat sich aufgrund zusätzlicher Zollgebühren verzögert“ lautet eine SMS-Benachrichtigung von der Post. Im SMS ist ein Link, den Sie anklicken sollten, um das Problem zu lösen. Wir raten zur Vorsicht: Diese Nachricht ist nicht von der Post. Wer auf den Link klickt, tappt in eine Internetfalle! --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-der-post-klicken-sie-nicht-a… ∗∗∗ SharkBot-Trojaner im Play Store – Risiko "Antivirus-Apps" ∗∗∗ --------------------------------------------- Im Google Play Store ist erneut der Banking-Trojaner SharkBot aufgetaucht und hat sich als Antiviren- und Cleaner-App getarnt. Sicherheitsforscher von CyberNews schreiben: Android-Nutzer sollten es sich zweimal überlegen, bevor sie kostenlose Apps zur Reinigung ihres Mobiltelefons und zum "Schutz" vor Viren herunterladen - denn viele von ihnen enthalten Daten-Tracker und einige scheinen sogar Links zu potenziell bösartigen Domains zu beinhalten. --------------------------------------------- https://www.borncity.com/blog/2022/09/12/sharkbot-trojaner-im-play-store-ri… ∗∗∗ Maldoc With Decoy BASE64, (Fri, Sep 9th) ∗∗∗ --------------------------------------------- There is also a video for this analysis: "Maldoc Analysis: Rehearsed vs. Unrehearsed". I analysed this maldoc. It contains an old exploit for the equation editor. Nothing special. And it's easy to analyze. But there is one more thing: it contains a very long BASE64 string, 800,000+ characters, and it turns out to be a decoy. --------------------------------------------- https://isc.sans.edu/diary/rss/29032 ∗∗∗ WMI Internals Part 3 ∗∗∗ --------------------------------------------- In a previous blog post of mine — WMI Internals Part 2: Reversing a WMI Provider I walked through how the WMI architecture is foundationally built upon COM and in turn how WMI classes can end up invoking COM methods to perform actions. I used the PS_ScheduledTask WMI class as an example and how when an instance of this class is created the COM method ITaskServices:NewTask is invoked. This blog will take this process a step further and look at what happens after the COM method ITaskServices:NewTask. --------------------------------------------- https://posts.specterops.io/wmi-internals-part-3-38e5dad016be?source=rss---… ∗∗∗ Dead or Alive? An Emotet Story ∗∗∗ --------------------------------------------- In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after [...] --------------------------------------------- https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/ ∗∗∗ Ransomware attacks on retail increase, average retail payment grows to more than $200K ∗∗∗ --------------------------------------------- More than 300 organizations in the retail industry said they were hit with ransomware attacks in 2021, according to a survey conducted by security company Sophos. Sophos researchers spoke to 422 IT workers at mid-sized organizations in the retail sector across 31 countries, finding startling increases in the number of respondents who said their organizations [...] --------------------------------------------- https://therecord.media/ransomware-attacks-on-retail-increase-average-retai… ∗∗∗ Security Breaks: TeamTNT’s DockerHub Credentials Leak ∗∗∗ --------------------------------------------- One of our honeypots based on exposed Docker REST APIs showed cybercriminal group TeamTNT’s potential attack scenario and leak of container registry credentials for docker-abuse malware. The full version of this research will be presented at the c0c0n XV Hacking and Cyber Security Conference in September 2022. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-doc… ===================== = Vulnerabilities = ===================== ∗∗∗ Firmware bugs in many HP computer models left unfixed for over a year ∗∗∗ --------------------------------------------- A set of six high-severity firmware vulnerabilities impacting a broad range of HP devices used in enterprise environments are still waiting to be patched, although some of them were publicly disclosed since July 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/firmware-bugs-in-many-hp-com… ∗∗∗ Patchday: Ansatzpunkte für Angreifer in Android 10, 11 und 12 geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten sich auf Android-Geräten weitreichende Nutzerrechte erschleichen. In Googles Pixel-Serie wurden kritische Lücken ausgebessert. --------------------------------------------- https://heise.de/-7260572 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gdk-pixbuf, libxslt, linux-5.10, paramiko, and zlib), Fedora (webkit2gtk3), Mageia (gstreamer1.0-plugins-good, jupyter-notebook, kernel, and rpm), Slackware (vim), SUSE (bluez, clamav, freetype2, frr, gdk-pixbuf, keepalived, libyang, nodejs16, python-PyYAML, qpdf, samba, and vim), and Ubuntu (linux-azure-fde and tiff). --------------------------------------------- https://lwn.net/Articles/907770/ ∗∗∗ Critical KEPServerEX Flaws Can Put Attackers in Powerful Position in OT Networks ∗∗∗ --------------------------------------------- Critical KEPServerEX vulnerabilities that impact the products of several major industrial automation vendors can put attackers in a powerful position in OT networks.read more --------------------------------------------- https://www.securityweek.com/critical-kepserverex-flaws-can-put-attackers-p… ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Octopus Deploy ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1376 ∗∗∗ JFrog Artifactory: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375 ∗∗∗ Jenkins: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Jenkins ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1373 ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities in WebSphere Liberty affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: qs (QueryString) package in the Service Portal of IBM Control Desk is vulnerable (CVE-2014-7191 and CVE-2017-1000048) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-qs-querystring-package-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.09.2022
by Daily end-of-shift report 09 Sep '22

09 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-09-2022 18:00 − Freitag 09-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Bumblebee malware adds post-exploitation tool for stealthy infections ∗∗∗ --------------------------------------------- A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-… ∗∗∗ GIFShell attack creates reverse shell using Microsoft Teams GIFs ∗∗∗ --------------------------------------------- A new attack technique called GIFShell allows threat actors to abuse Microsoft Teams for novel phishing attacks and covertly executing commands to steal data using ... GIFs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reve… ∗∗∗ What Is Clickjacking and How Do I Prevent It? ∗∗∗ --------------------------------------------- There are a plethora of techniques that attackers use to redirect site visitors and harvest sensitive information on compromised websites. But when most webmasters think about securing their website, they often don’t think about how attackers can inject clicks on it from another site. --------------------------------------------- https://blog.sucuri.net/2022/09/what-is-clickjacking-and-how-do-i-prevent-i… ∗∗∗ Credential Gathering From Third-Party Software ∗∗∗ --------------------------------------------- Users often store passwords in third-party software for convenience – but credential gathering techniques can target this behavior. --------------------------------------------- https://unit42.paloaltonetworks.com/credential-gathering-third-party-softwa… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts ∗∗∗ --------------------------------------------- A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said. --------------------------------------------- https://thehackernews.com/2022/09/hackers-exploit-zero-day-in-wordpress.html ∗∗∗ Sicherheitslücke in vorinstalliertem Tool HP Support Assistant geschlossen ∗∗∗ --------------------------------------------- HP Support Assistant ist standardmäßig auf HP-Computern installiert. Eine Schwachstelle gefährdet nun Systeme. --------------------------------------------- https://heise.de/-7258790 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mediawiki), SUSE (libEMF, libnl-1_1, libnl3, mariadb, nodejs16, php8-pear, postgresql12, and rubygem-rake), and Ubuntu (linux-raspi, linux-raspi-5.4, and tiff). --------------------------------------------- https://lwn.net/Articles/907573/ ∗∗∗ CISA Adds Twelve Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added twelve new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/08/cisa-adds-twelve-… ∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in Oracle April 2022 CPU for Java 8 shipped with IBM® Intelligent Operations Center(CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability foud in IBM Installation Manager which is shipped with IBM® Intelligent Operations Center(CVE-2021-36374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-foud-in-i… ∗∗∗ Security Bulletin: A vulnerability have been identified in Java 8 shipped with IBM® Intelligent Operations Center (CVE-2021-35561) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: A vulneraqbility in Zlib affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-zlib-… ∗∗∗ Security Bulletin: A vulnerability foud in IBM Installation Manager which is shipped with IBM® Intelligent Operations Center(CVE-2021-36373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-foud-in-i… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for i5/OS is vulnerable to denial of service due to Zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities found in IBM DB2 which is shipped with IBM® Intelligent Operations Center(CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability found in Apache HttpClient which is shipped with IBM® Intelligent Operations Center (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-found-in-… ∗∗∗ Security Bulletin: XML vulnerability found in IBM Java 8.0 which is shipped with IBM® Intelligent Operations Center (CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xml-vulnerability-found-i… ∗∗∗ Security Bulletin: A vulnerability found in XMLBeans which hipped with IBM® Intelligent Operations Center (CVE-2021-23926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-found-in-… ∗∗∗ Security Bulletin: Multiple vulnerabilities found in IBM MQ and Java 8 which is shipped with IBM® Intelligent Operations Center(CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability have been identified in IBM Java 8 shipped with IBM® Intelligent Operations Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: A vulneraqbility in Zlib affects IBM Tivoli Composite Application Manager for Transactions Response Time agents (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-zlib-… ∗∗∗ Security Bulletin: A vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM® Intelligent Operations Center (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-have-be… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2022
by Daily end-of-shift report 08 Sep '22

08 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-09-2022 18:00 − Donnerstag 08-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ RAID-Manager von Hitachi könnte Ansatzpunkt für Schadcode-Attacken sein ∗∗∗ --------------------------------------------- Für einige Versionen von Hitachi RAID Manager SRA sind Sicherheitsupdates erschienen. Für einige Ausgaben gibt es jedoch keinen Support mehr. --------------------------------------------- https://heise.de/-7257664 ∗∗∗ Threat landscape for industrial automation systems for H1 2022 ∗∗∗ --------------------------------------------- This report is based on an analysis of statistical data collected through the Kaspersky Security Network (KSN), a distributed antivirus network. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-f… ∗∗∗ Profiling DEV-0270: PHOSPHORUS’ ransomware operations ∗∗∗ --------------------------------------------- Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosp… ∗∗∗ Analyzing Obfuscated VBS with CyberChef, (Thu, Sep 8th) ∗∗∗ --------------------------------------------- I took a closer look at this sample on MalwareBazaar, because it had no tags (now it has a VBS tag). --------------------------------------------- https://isc.sans.edu/diary/rss/29028 ∗∗∗ HTTPS-Zertifikate: Die Rückkehr der Sperrlisten ∗∗∗ --------------------------------------------- Zukünftig soll es endlich wieder möglich sein, kompromittierte Zertifikate einfach zu sperren. Apple und Mozilla preschen vor und Lets Encrypt zieht mit. --------------------------------------------- https://heise.de/-7257554 ∗∗∗ Tensel-markt.de ist Fake! ∗∗∗ --------------------------------------------- Vorsicht vor Fake-Elektronik und Technik-Shops! Tensel-markt.de, gohlke-shop.de und Techno-max.de locken mit ihrem professionellen Design zahlreiche Konsument:innen in die Falle. Bestellen Sie nicht bei diesen Shops, Sie verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/tensel-marktde-ist-fake/ ∗∗∗ Lazarus and the tale of three RATs ∗∗∗ --------------------------------------------- Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations. --------------------------------------------- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html ∗∗∗ How Malicious Actors Abuse Native Linux Tools in Attacks ∗∗∗ --------------------------------------------- Through our honeypots and telemetry, we were able to observe instances in which malicious actors abused native Linux tools to launch attacks on Linux environments. In this blog entry, we discuss how these utilities were used and provide recommendations on how to minimize their impact. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-n… ===================== = Vulnerabilities = ===================== ∗∗∗ HP fixes severe bug in pre-installed Support Assistant tool ∗∗∗ --------------------------------------------- HP issued a security advisory alerting users about a newly discovered vulnerability in HP Support Assistant, a software tool that comes pre-installed on all HP laptops and desktop computers, including the Omen sub-brand. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hp-fixes-severe-bug-in-pre-i… ∗∗∗ Cisco Security Advisories 2022-09-07 ∗∗∗ --------------------------------------------- Cisco published 4 security advisories (2 high, 2 medium severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ VPN-Lücke in älteren Cisco-Routern wird nicht mehr geschlossen ∗∗∗ --------------------------------------------- Für einige Cisco-Router ist der Support ausgelaufen. Es gibt wichtige Sicherheitsupdates für unter anderem Webex. --------------------------------------------- https://heise.de/-7257206 ∗∗∗ IBM Security Bulletins 2022-09-07 ∗∗∗ --------------------------------------------- IBM Java 8, IBM Aspera Faspex, IBM WebSphere Application Server, IBM WebSphere Application Server Liberty, Enterprise Content Management System Monitor, IBM DB2, IBM Semeru Runtime, IBM Robotic Process Automation for Cloud Pak, IBM Intelligent Operations Center --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgoogle-gson-java), Fedora (autotrace, insight, and open-vm-tools), Oracle (open-vm-tools), Red Hat (open-vm-tools, openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, ovirt-host, and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), Scientific Linux (open-vm-tools), Slackware (python3), SUSE (clamav, gdk-pixbuf, gpg2, icu, ImageMagick, java-1_8_0-ibm, libyajl, mariadb, udisks2, webkit2gtk3, and yast2-samba-provision), and Ubuntu (dnsmasq). --------------------------------------------- https://lwn.net/Articles/907508/ ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Nagios Enterprises Nagios XI ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und Daten zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1338 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Xerox FreeFlow Print Server ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität des Systems zu gefährden. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1335 ∗∗∗ Drupal: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Drupal ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1341 ∗∗∗ Aruba ClearPass Policy Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Aruba ClearPass Policy Manager ausnutzen, um Daten zu manipulieren oder offenzulegen, seine Rechte zu erweitern, Code auszuführen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1340 ∗∗∗ MZ Automation libIEC61850 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-251-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2022
by Daily end-of-shift report 07 Sep '22

07 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-09-2022 18:00 − Mittwoch 07-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ So schützen Sie sich vor Schadsoftware! ∗∗∗ --------------------------------------------- Auf dubiosen Websites, in betrügerischen E-Mails, in scheinbar harmlosen Chat-Nachrichten oder durch Sicherheitslücken in nicht aktualisierten Programmen: Schadsoftware kann auf unterschiedlichen Wegen auf Ihren Computer gelangen, um dort beispielsweise sensible Daten auszulesen und zu stehlen oder gar ganze Systeme lahmzulegen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-schadsoftw… ∗∗∗ Worok: The big picture ∗∗∗ --------------------------------------------- Focused mostly on Asia, this new cyberespionage group uses undocumented tools, including steganographically extracting PowerShell payloads from PNG files. --------------------------------------------- https://www.welivesecurity.com/2022/09/06/worok-big-picture/ ∗∗∗ Wie Cyberkriminelle USB missbrauchen ∗∗∗ --------------------------------------------- Den Fluch des Universal Serial Bus (USB) und die Attraktion für Cyberkriminelle untersucht Andrew Rose, Resident CISO, EMEA bei Proofpoint, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88403293/wie-cyberkriminelle-usb-missbrauchen/?utm_sou… ∗∗∗ AA22-249A: #StopRansomware: Vice Society ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-249a ∗∗∗ Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues ∗∗∗ --------------------------------------------- Since Aug. 20, 2022, Cisco Talos has been monitoring suspected distributed denial-of-service (DDoS) attacks resulting in intermittent downtime and outages affecting several ransomware-as-a-service (RaaS) data leak sites. --------------------------------------------- http://blog.talosintelligence.com/2022/09/ransomware-leaksite-ddos.html ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-06 ∗∗∗ --------------------------------------------- IBM Elastic Storage System, IBM Planning Analytics Workspace, IBM Rational Asset analyzer, IBM App Connect Enterprise, IBM Integration Bus, IBM WebSphere Application Server Liberty, IBM Sterling Connect, IBM Spectrum Scale, IBM SPSS Analytic Server, IBM Business Automation Workflow. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Auf NAS-Systeme von Zyxel könnte Schadcode gelangen ∗∗∗ --------------------------------------------- Aktualisierte Firmware-Versionen schließen eine kritische Sicherheitslücke in mehreren NAS-Modellen des Herstellers Zyxel. --------------------------------------------- https://heise.de/-7255585 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl, protobuf-c, and vim) and SUSE (gimp, java-1_8_0-openj9, libostree, openvswitch, python-bottle, python-Flask-Security-Too, and zabbix). --------------------------------------------- https://lwn.net/Articles/907382/ ∗∗∗ K12055286: Intel CPU vulnerability CVE-2021-33060 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12055286 ∗∗∗ Helmholz: Multiple vulnerabilites in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-039/ ∗∗∗ Helmholz: Unauthenticated user enumeration in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-017/ ∗∗∗ MB connect line: Unauthenticated user enumeration in mbCONNECT24 and mymbCONNECT24 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-011/ ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.19.0 to 5.21.0: Patch SC-202209.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-18 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2022
by Daily end-of-shift report 06 Sep '22

06 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 05-09-2022 18:00 − Dienstag 06-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New EvilProxy service lets all hackers use advanced phishing tactics ∗∗∗ --------------------------------------------- A reverse-proxy Phishing-as-a-Service (PaaS) platform called EvilProxy has emerged, promising to steal authentication tokens to bypass multi-factor authentication (MFA) on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-evilproxy-service-lets-a… ∗∗∗ Mythic Case Study: Assessing Common Offensive Security Tools ∗∗∗ --------------------------------------------- Having covered the Sliver C2 framework in a previous post (May 2022), this blog will continue our examination of Cobalt Strike “alternatives”, focusing on the Mythic C2 framework. --------------------------------------------- https://team-cymru.com/blog/2022/09/06/mythic-case-study-assessing-common-o… ∗∗∗ Analysis of an Encoded Cobalt Strike Beacon, (Tue, Sep 6th) ∗∗∗ --------------------------------------------- Someone reached out to me for the analysis of a Cobalt Strike beacon. This is the sample. --------------------------------------------- https://isc.sans.edu/diary/rss/29014 ∗∗∗ TA505 Groups TeslaGun In-Depth Analysis ∗∗∗ --------------------------------------------- TA505 is a financially motivated threat group that has been active since 2014. The group frequently changes its malware attack strategies in response to global cybercrime trends. It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on. --------------------------------------------- https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-… ∗∗∗ Vorsicht vor gefälschten PayPal-Nachrichten ∗∗∗ --------------------------------------------- Gefälschte PayPal-Nachrichten befinden sich momentan vermehrt im Umlauf. Sie haben eine angebliche Rechnung von PayPal erhalten, über ein Produkt, das Sie nicht bestellt haben? Oder es wird eine Vorabzahlung für eine angebliche Transaktion gefordert? Ignorieren Sie diese Nachrichten, sie sind Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-paypal-nac… ∗∗∗ Mirai Variant MooBot Targeting D-Link Devices ∗∗∗ --------------------------------------------- Attackers are leveraging known vulnerabilities in D-Link devices to deliver MooBot, a Mirai variant, potentially leading to further DDoS attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/moobot-d-link-devices/ ∗∗∗ Shikitega - New stealthy malware targeting Linux ∗∗∗ --------------------------------------------- Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-ma… ∗∗∗ Over Half of Global Firms Supply Chains Compromised by Ransomware ∗∗∗ --------------------------------------------- Cybersecurity leader Trend Micro announced new research today that reveals global organizations are increasingly at risk of ransomware compromise via their extensive supply chains. --------------------------------------------- https://newsroom.trendmicro.com/2022-09-06-Over-Half-of-Global-Firms-Supply… ∗∗∗ Play Ransomwares Attack Playbook Similar to that of Hive, Nokoyawa ∗∗∗ --------------------------------------------- Play is a new ransomware that takes a page out of Hive and Nokoyawas playbook. The many similarities among them indicate that Play, like Nokoyawa, are operated by the same people. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-pla… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories 2022-09-06 ∗∗∗ --------------------------------------------- On Sep 06, 2022, Fortinet has released 12 advisories for issues resolved in Fortinet products. (Severity: Low (2), Medium (9), High (1)) --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=09-2022 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (pcs), SUSE (389-ds and firefox), and Ubuntu (linux-hwe-5.4 and linux-oracle). --------------------------------------------- https://lwn.net/Articles/907275/ ∗∗∗ Hitachi Storage: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Hitachi Storage ausnutzen, um Informationen offenzulegen und beliebigen Code zur Ausführung zu bringen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1292 ∗∗∗ Hitachi Energy TXpert Hub CoreTec 4 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-04 ∗∗∗ Triangle Microworks Libraries ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-01 ∗∗∗ AVEVA Edge 2020 R2 SP1 and all prior versions ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-02 ∗∗∗ Cognex 3D-A1000 Dimensioning System ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2022
by Daily end-of-shift report 05 Sep '22

05 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-09-2022 18:00 − Montag 05-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware dev open-sources CodeRAT after being exposed ∗∗∗ --------------------------------------------- The source code of a remote access trojan (RAT) dubbed CodeRAT has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-dev-open-sources-cod… ∗∗∗ Quickie: Grep & Tail -f With Notepad++, (Mon, Sep 5th) ∗∗∗ --------------------------------------------- Notepad++ is a free and open source text editor for Windows. You can simulate grep-like functionality with Notepad++ in 2 steps. --------------------------------------------- https://isc.sans.edu/diary/rss/29018 ∗∗∗ Prynt Stealer Contains a Backdoor to Steal Victims Data Stolen by Other Cybercriminals ∗∗∗ --------------------------------------------- Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer, which its developer added with the intention of secretly stealing a copy of victims exfiltrated data when used by other cybercriminals. --------------------------------------------- https://thehackernews.com/2022/09/prynt-stealer-contains-backdoor-to.html ∗∗∗ Win32/Hive.ZY: Update stoppt Fehlalarmserie von Microsoft Defender unter Windows ∗∗∗ --------------------------------------------- Die Windows-Virenabwehr Defender hat fälschlicherweise Chrome, Edge & Co. als Trojaner eingestuft. --------------------------------------------- https://heise.de/-7253919 ∗∗∗ Ransomware: Der Trend geht zum Angriff auf Linux-Server ∗∗∗ --------------------------------------------- Trend Micro sieht im ersten Halbjahr 2022 ein Wachstum bei Ransomware-Angriffen. Linux-Umgebungen sind 75 Prozent häufiger ein Ziel als im Vorjahreszeitraum. --------------------------------------------- https://heise.de/-7254059 ∗∗∗ There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities ∗∗∗ --------------------------------------------- As part of this research, NCC Group focused on the secure boot chain implemented by UNISOC processors used in Android phones and tablets. Several vulnerabilities in the Boot ROM were discovered which could persistently undermine secure boot. --------------------------------------------- https://research.nccgroup.com/2022/09/02/theres-another-hole-in-your-soc-un… ∗∗∗ Was tun, wenn mein Gerät mit Schadsoftware infiziert wurde? ∗∗∗ --------------------------------------------- Schadsoftware (auch Malware) kann viele Formen annehmen und mit unterschiedlichen Bedrohungen für Sie und Ihr Gerät einhergehen. Schäden, die dabei entstehen können, bewegen sich vom Datendiebstahl, über das Zuspammen mit Werbung bis hin zu Lösegeldforderungen. --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-mein-geraet-mit-schadso… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Google warnt vor möglichen Attacken auf Chrome ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt eine Lücke im Webbrowser Chrome. --------------------------------------------- https://heise.de/-7253510 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flac, ghostscript, libmodbus, qemu, rails, ruby-rack, and thunderbird), Fedora (kernel, kernel-headers, kernel-tools, libtar, qt5-qtwebengine, subscription-manager-cockpit, tcpreplay, and vim), Mageia (chromium-browser-stable, webkit2, and ytnef), SUSE (curl, firefox, freerdp, gdk-pixbuf, ImageMagick, json-c, libgda, php-composer2, and python-pyxdg), and Ubuntu (libzstd, linux-aws, linux-aws-5.4, linux-azure-5.4, and linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/907201/ ∗∗∗ DeadBolt Ransomware ∗∗∗ --------------------------------------------- QNAP detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-24 ∗∗∗ Security Bulletin: DataStage on Cloud Pak for Data Is Vulnerable to Sensitive Information Disclosure Error (CVE-2022-38714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datastage-on-cloud-pak-fo… ∗∗∗ Security Bulletin: Information Disclosure and Denial of Service Vulnerabilities in the IBM Spectrum Protect Backup-Archive Client may affect IBM Spectrum Protect for Space Management (CVE-2022-22478, CVE-2022-22474) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-an… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for August 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Prototype pollution vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – [CVE-2021-23450] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-prototype-pollution-vulne… ∗∗∗ Security Bulletin: Persistent Cross-Site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-35644 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-persistent-cross-site-scr… ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1286 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2022
by Daily end-of-shift report 02 Sep '22

02 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-09-2022 18:00 − Freitag 02-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft will disable Exchange Online basic auth next month ∗∗∗ --------------------------------------------- Microsoft warned customers today that it will finally disable basic authentication in random tenants worldwide to improve Exchange Online security starting October 1, 2022. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-exch… ∗∗∗ Sharkbot is back in Google Play ∗∗∗ --------------------------------------------- This new dropper doesn’t rely Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware. Instead, this new version ask the victim to install the malware as a fake update for the antivirus to stay protected against threats. --------------------------------------------- https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/ ∗∗∗ NSA gibt Sicherheitstipps gegen Supply-Chain-Attacken ∗∗∗ --------------------------------------------- Die Cybersecurity and Infrastructure Agency (CISA), die National Security Agency (NSA) und das Office of the Director of National Intelligence (ODNI) haben wichtige Tipps zum Entwickeln von sicherer Software veröffentlicht. --------------------------------------------- https://heise.de/-7251765 ∗∗∗ Unverschlüsselte Access Tokens: Sicherheitslücke in tausenden Apps ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor unverschlüsselten Access Tokens in Apps. Oft holen sich Entwickler Probleme ungewollt ins Haus. Besonders betroffen: iOS-Apps. --------------------------------------------- https://heise.de/-7252134 ∗∗∗ When disclosure goes wrong. People ∗∗∗ --------------------------------------------- My experience of vulnerability disclosure is that it is rarely as easy or simple as it could be. I had hoped that bug bounty programmes and vulnerability disclosure programmes (VDPs) would help matters. Broadly that doesn’t seem to be the case, often for unexpected reasons. --------------------------------------------- https://www.pentestpartners.com/security-blog/when-disclosure-goes-wrong-pe… ∗∗∗ Ransomware auf IoT: Anderer Sicherheitsansatz bei IoT-Geräten erforderlich ∗∗∗ --------------------------------------------- Wir haben uns vermutlich an die täglichen Ransomware-Angriffe auf IT-Systeme gewöhnt. Aber mit der Zunahme von IoT-Geräten droht eine wachsende Gefahr für solche Sicherheitsvorfälle. CheckPoint meint, dass IoT-Geräte einen anderen Sicherheitsansatz brauchen, um dieser Gefahr (z.B. Infektionen durch Ransomware) zu begegnen. --------------------------------------------- https://www.borncity.com/blog/2022/09/02/ransomware-auf-iot-anderer-sicherh… ∗∗∗ Architecting for Extortion: Acting on the IST’s Blueprint for Ransomware Defense ∗∗∗ --------------------------------------------- Last month, the Institute for Security and Technology’s Ransomware Task Force launched the Blueprint for Ransomware Defense. --------------------------------------------- https://www.rapid7.com/blog/post/2022/09/02/architecting-for-extortion-acti… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, rsync, systemd, and thunderbird), Debian (chromium, dpdk, and sofia-sip), Fedora (kernel, thunderbird, and zlib), Red Hat (pcs and rh-mariadb103-galera and rh-mariadb103-mariadb), Slackware (poppler), SUSE (cifs-utils, curl, dwarves and elfutils, firefox, flatpak, gnutls, gpg2, harfbuzz, ignition, kernel, ldb, samba, libslirp, libsolv, libzypp, zypper, libtirpc, logrotate, mozilla-nss, ncurses, open-vm-tools, openssl-1_1, p11-kit, pcre, pcre2, podman, postgresql12, postgresql13, postgresql14, python-M2Crypto, python3, rsync, salt, spice, systemd-presets-common-SUSE, tiff, ucode-intel, xen, and zlib), and Ubuntu (curl, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-snapdragon, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux-aws-hwe). --------------------------------------------- https://lwn.net/Articles/906973/ ∗∗∗ NetApp ActiveIQ Unified Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in NetApp ActiveIQ Unified Manager ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1263 ∗∗∗ Security Bulletin: Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2022 CPU plus deferred CVE-2021-2163 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel, GnuTLS affect IBM Cloud Object Storage Systems (August 2022v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to CSRF attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.09.2022
by Daily end-of-shift report 01 Sep '22

01 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-08-2022 18:00 − Donnerstag 01-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Apple backports fix for actively exploited iOS zero-day to older iPhones ∗∗∗ --------------------------------------------- Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/apple-backports-fix-for-activel… ∗∗∗ Underscores and DNS: The Privacy Story, (Wed, Aug 31st) ∗∗∗ --------------------------------------------- The use of underscores in DNS records can easily trigger DNS purists into a rage. Since the beginning of (DNS) time, only the letters a-z, numbers, and dashes are allowed in DNS labels (RFC 1035 section 2.3.1). After all, we want to remain compatible with ARPANET. --------------------------------------------- https://isc.sans.edu/diary/rss/29002 ∗∗∗ Jolokia Scans: Possible Hunt for Vulnerable Apache Geode Servers (CVE-2022-37021), (Thu, Sep 1st) ∗∗∗ --------------------------------------------- On Tuesday, the Apache project released an update for Geode. The update patches a typical deserialization issue we often see in Java software like Geode (CVE-2022-37021). [...] But the vulnerability has a few dependencies: [...] JMX and RMI are used for the attack. [...] And here comes Jolokia. "JMX on Capsaicin," as it calls itself. It provides a simple HTTP to JMX gateway. So it is somewhat interesting that I also saw some scans for Jol[o]kia starting yesterday. --------------------------------------------- https://isc.sans.edu/diary/rss/29006 ∗∗∗ Authority-Scam: Neue Welle von Fake-Mails der Polizei ∗∗∗ --------------------------------------------- Kriminelle geben dem Authority-Scam einen neuen Anstrich: Momentan befinden sich wieder viele gefälschte E-Mails der Polizei im Umlauf. Die Empfänger:innen werden beschuldigt eine Straftat begangen zu haben. Die Anschuldigungen umfassen Pädophilie, Cyberpornographie und Exhibitionismus. Antworten Sie nicht und ignorieren Sie das Schreiben, es ist Fake! --------------------------------------------- https://www.watchlist-internet.at/news/authority-scam-neue-welle-von-fake-m… ∗∗∗ Over 900K Kubernetes clusters are misconfigured! Is your cluster a target? ∗∗∗ --------------------------------------------- Kubernetes is an amazing platform for managing containers at scale. However, a recent study found that over 900,000 Kubernetes clusters are vulnerable to attack because they are misconfigured! This means that your Kubernetes cluster could be a target for malicious actors if it is not properly secured. In this blog post, we will discuss how to secure your Kubernetes cluster and protect it from attack. --------------------------------------------- https://grahamcluley.com/feed-sponsor-teleport-4/ ∗∗∗ Android TikTok-App: Microsoft findet 1-Klick-Schwachstelle, die Kontenübernahme erlaubte ∗∗∗ --------------------------------------------- Microsoft hat eine gefährliche Sicherheitslücke in der TikTok-App für Android entdeckt, die es ermöglichte, Benutzerkonten mit einem einzigen Klick zu kompromittieren. Inzwischen wurde diese Schwachstelle in der TikTok-App für Android geschlossen. --------------------------------------------- https://www.borncity.com/blog/2022/09/01/android-tiktok-app-microsoft-finde… ∗∗∗ RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the distribution of a RAT Tool disguised as a solution file (*.sln) on GitHub. As shown in Figure 1, the malware distributor is sharing a source code on GitHub titled “Jpg Png Exploit Downloader Fud Cryter Malware Builder Cve 2022”. The file composition looks normal, but the solution file (*.sln) is actually a RAT tool. It is through methods like this that the malware distributor lures users to run the RAT tool by disguising it as a solution file (*.sln). Generally, programmers who receive the code that includes the solution file run the file in order to open the project. Users should take caution against social engineering techniques that take advantage of such a thought process. --------------------------------------------- https://asec.ahnlab.com/en/38150/ ∗∗∗ Azure Synapse: Local Privilege Escalation Vulnerability in Spark ∗∗∗ --------------------------------------------- The story of a simple race condition leading to a Local Privilege Escalation, and how we discovered, in retrospect, that we crossed paths with another researcher and a previous Microsoft case. --------------------------------------------- https://orca.security/resources/blog/synapse-local-privilege-escalation-vul… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Lücke in zlib-Bibliothek ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- In der weit verbreiteten Kompressionsbibliothek zlib könnten Angreifer unter Umständen Schadcode einschleusen und ausführen. Erste Patches sind verfügbar. --------------------------------------------- https://heise.de/-7250044 ∗∗∗ Sicherheitsupdate: Präparierte Mails könnten Thunderbird gefährlich werden ∗∗∗ --------------------------------------------- Es ist ein wichtiges Sicherheitsupdate für den Mailclient Thunderbird erschienen. Damit haben die Entwickler vier Lücken geschlossen. --------------------------------------------- https://heise.de/-7250566 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (pdns-recursor, thunderbird, and vim), Gentoo (firefox, thunderbird-bin, virtualbox, and webkit-gtk), Red Hat (convert2rhel), SUSE (gstreamer-plugins-good, open-vm-tools, postgresql12, rsync, and ucode-intel), and Ubuntu (linux-azure, linux-gcp, linux-hwe). --------------------------------------------- https://lwn.net/Articles/906778/ ∗∗∗ libTIFF: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in libTIFF ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1250 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um Code auszuführen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1253 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Xerox FreeFlow Print Server ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität des Systems zu gefährden. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1251 ∗∗∗ Security Advisory - Out-of-bounds Read and Write Vulnerability in Some Huawei Headset Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220826-… ∗∗∗ Security Bulletin:IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl, pcre2 and Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-mq-operator-and-queue-… ∗∗∗ Security Bulletin: CVE-2021-2163 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2163-may-affect-… ∗∗∗ Security Bulletin: Netcool Operations Insight v1.6.5 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8, affect IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-244-01 ∗∗∗ Contec Health CMS8000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-244-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.08.2022
by Daily end-of-shift report 31 Aug '22

31 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-08-2022 18:00 − Mittwoch 31-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers hide malware in James Webb telescope images ∗∗∗ --------------------------------------------- Threat analysts have spotted a new malware campaign dubbed GO#WEBBFUSCATOR that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hide-malware-in-jame… ∗∗∗ Watering Hole Attacks Push ScanBox Keylogger ∗∗∗ --------------------------------------------- Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool. --------------------------------------------- https://threatpost.com/watering-hole-attacks-push-scanbox-keylogger/180490/ ∗∗∗ Infoblox Threat Intelligence: IOCs related to the Russia-Ukraine conflict ∗∗∗ --------------------------------------------- This folder contains IOCs related to the Russian invasion of Ukraine. The majority of the content is based on Infoblox internal analytics and validation analysis, though some OSINT is also included. --------------------------------------------- https://github.com/infobloxopen/threat-intelligence/tree/main/ukraine ∗∗∗ Webinar: Betrugsfallen im Internet erkennen ∗∗∗ --------------------------------------------- Am Dienstag, den 06.09.2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Betrugsfallen im Internet erkennen" statt. Melden Sie sich jetzt an! --------------------------------------------- https://www.watchlist-internet.at/news/webinar-betrugsfallen-im-internet-er… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-08-30 ∗∗∗ --------------------------------------------- IBM TRIRIGA Application Platform, IBM b-type SAN directors and switches, IBM Integration Bus, IBM App Connect Enterprise, IBM Watson Assistant for IBM Cloud Pak for Data, IBM Engineering Lifecycle Engineering, IBM Cloud Transformation Advisor, IBM Cloud Object Storage Systems. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdate: Angreifer könnten WordPress-Websites attackieren ∗∗∗ --------------------------------------------- Die WordPress-Entwickler haben drei Lücken im Content-Management-System geschlossen. --------------------------------------------- https://heise.de/-7249431 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, net-snmp, php-horde-mime-viewer, php-horde-turba, and webkit2gtk), Fedora (rsync), Oracle (openssl and systemd), Red Hat (booth, kernel, kernel-rt, and openssl), Slackware (vim), SUSE (bluez, java-1_8_0-ibm, postgresql10, and zlib), and Ubuntu (kernel, linux, linux-raspi, linux-aws, and linux-oem-5.14). --------------------------------------------- https://lwn.net/Articles/906579/ ∗∗∗ Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220831-… ∗∗∗ Grafana: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1221 ∗∗∗ GitLab: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1239 ∗∗∗ ArubaOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1238 ∗∗∗ GNU libc: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1234 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1230 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1228 ∗∗∗ Chrome 105.0.5195.5x fixt 24 Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/08/31/chrome-105-0-5195-5x-fixt-24-schwa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2022
by Daily end-of-shift report 30 Aug '22

30 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 29-08-2022 18:00 − Dienstag 30-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows malware delays coinminer install by a month to evade detection ∗∗∗ --------------------------------------------- A new malware campaign disguised as Google Translate or MP3 downloader programs was found distributing cryptocurrency mining malware across 11 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-malware-delays-coinm… ∗∗∗ Two things that will never die: bash scripts and IRC!, (Tue, Aug 30th) ∗∗∗ --------------------------------------------- Last week, Brock Perry, one of our SANS.edu undergraduate students, came across a neat bash script uploaded to the honeypot as part of an attack. I am sure this isn't new, but I never quite saw something like this before myself. --------------------------------------------- https://isc.sans.edu/diary/rss/28998 ∗∗∗ Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users ∗∗∗ --------------------------------------------- A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuff… ∗∗∗ Keine „Testzahlungen“ auf Kleinanzeigen-Plattformen durchführen! ∗∗∗ --------------------------------------------- Auf Kleinanzeigen-Plattformen wie Willhaben, Vinted, eBay Kleinanzeigen und Co finden Sie tolle Schnäppchen oder können Gebrauchtes zu Geld machen. Doch Vorsicht: Auch Kriminelle, die Ihnen das Geld aus der Tasche ziehen wollen, tummeln sich dort zuhauf. Bei einer aktuellen Masche fälschen diese die Zahlungsseiten der Plattformen und fordern zu Testzahlungen auf. Brechen Sie sofort den Kontakt ab. Man will Sie betrügen! --------------------------------------------- https://www.watchlist-internet.at/news/keine-testzahlungen-auf-kleinanzeige… ∗∗∗ ModernLoader delivers multiple stealers, cryptominers and RATs ∗∗∗ --------------------------------------------- Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. --------------------------------------------- http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-st… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in Foxit PDF Editor und Reader ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Angreifer könnten etwa mit manipulierten Dokumenten in Foxit PDF Editor und Reader Schadcode einschleusen. Aktualisierte Software schließt die Sicherheitslücke. --------------------------------------------- https://heise.de/-7247760 ∗∗∗ Sicherheitslücke: Zwischenablage in Chromium-basierten Browsern frei zugreifbar ∗∗∗ --------------------------------------------- Webseiten können derzeit in aktuellen Chromium-basierten Webbrowsern beliebig auf die Zwischenablage zugreifen. Das ermöglicht etwa Angriffe auf Nutzer. --------------------------------------------- https://heise.de/-7248070 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (ctk, dcmtk, OpenImageIO, and varnish-modules), Red Hat (systemd), SUSE (libslirp, open-vm-tools, and opera), and Ubuntu (jupyter-notebook, libsdl1.2, and systemd). --------------------------------------------- https://lwn.net/Articles/906461/ ∗∗∗ [20220801] - Core - Multiple Full Path Disclosures because of missing _JEXEC or die check ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/884-20220801-core-multiple… ∗∗∗ Security Bulletin: Tririga is vulnerable to remote hacker due to dom4j open source ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tririga-is-vulnerable-to-… ∗∗∗ Security Bulletin: A security vulnerability has been fixed in IBM Security Identity Manager (CVE-2021-29864) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-3999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Linux Kernel vulnerability may affect IBM Elastic Storage System (CVE-2021-4203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerabilit… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: Due to use of OpenSSL, IBM Virtualization Engine TS7700 is vulnerable to denial of service (CVE-2022-0778) and privilege escalation (CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-openssl-ibm… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-45346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ K00994461: GSON vulnerability CVE-2022-25647 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00994461 ∗∗∗ poppler: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1214 ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1212 ∗∗∗ Hitachi Energy FACTS Control Platform (FCP) Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-01 ∗∗∗ Hitachi Energy Gateway Station (GWS) Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-02 ∗∗∗ Hitachi Energy MSM Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-03 ∗∗∗ Hitachi Energy RTU500 series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-04 ∗∗∗ Fuji Electric D300win ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-05 ∗∗∗ Honeywell ControlEdge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-06 ∗∗∗ Honeywell Experion LX ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-07 ∗∗∗ Honeywell Trend Controls Inter-Controller Protocol ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-08 ∗∗∗ Omron CX-Programmer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-09 ∗∗∗ PTC Kepware KEPServerEX ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-10 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2022
by Daily end-of-shift report 29 Aug '22

29 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-08-2022 18:00 − Montag 29-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake Cthulhu World P2E project used to push info-stealing malware ∗∗∗ --------------------------------------------- Hackers have created a fake Cthulhu World play-to-earn community, including websites, Discord groups, social accounts, and a Medium developer site, to distribute the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware infections on unsuspecting victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-cthulhu-world-p2e-proje… ∗∗∗ HTTP/2 Packet Analysis with Wireshark, (Fri, Aug 26th) ∗∗∗ --------------------------------------------- I have been getting these queries in my honeypot logs since end of December 2021 and decided to a diary on some of these packets using some basic analysis with Wireshark. --------------------------------------------- https://isc.sans.edu/diary/rss/28986 ∗∗∗ Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01, (Sun, Aug 28th) ∗∗∗ --------------------------------------------- Both Sysinternals utilities (Sysmon and ZoomIt) received updates that significantly extends their scope: Sysmon can now also block actions, and ZoomIt can record videos. --------------------------------------------- https://isc.sans.edu/diary/rss/28988 ∗∗∗ Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons, (Sun, Aug 28th) ∗∗∗ --------------------------------------------- I updated my Cobalt Strike beacon analysis tool 1768.py to deal with false positives in Windows system's memory dumps. --------------------------------------------- https://isc.sans.edu/diary/rss/28990 ∗∗∗ Aggressive Adware: PDF-Reader für Android mit Millionen Downloads ∗∗∗ --------------------------------------------- Ein PDF-Reader im Google Play-Store kommt auf über eine Million Downloads. Es handelt sich jedoch um Adware, die sogar ungenutzt Vollbild-Werbung einblendet. --------------------------------------------- https://heise.de/-7246842 ∗∗∗ Fake Wohnungsinserate auf eBay und Co.! ∗∗∗ --------------------------------------------- Fake-Inserate finden Sie auf allen gängigen Portalen zur Wohnungssuche. Kriminelle kontaktieren Sie auch direkt, wenn Sie eine „Gesucht-Anzeige“ veröffentlicht haben. Gefälschte Wohnungsinserate erkennen Sie an zwei Merkmalen: Die gebotenen Wohnungen sind sehr günstig und Sie müssen noch vor der Besichtigung die Kaution und erste Monatsmiete bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-wohnungsinserate-auf-ebay-und-c… ∗∗∗ Tor 101: How Tor Works and its Risks to the Enterprise ∗∗∗ --------------------------------------------- The Tor project provides one of the most well-known tools that users can leverage to stay anonymous on the internet. People use Tor for many different reasons, both benign and malicious. However, allowing Tor traffic on enterprise networks opens the door to a variety of potential abuses and security risks. --------------------------------------------- https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/ ∗∗∗ Lookout: Wie man sich vor SMS-Phishing und ähnlichen Angriffen schützt ∗∗∗ --------------------------------------------- Momentan gibt fast jede Woche ein anderes bekanntes Unternehmen bekannt, dass es Opfer eines Hacks geworden ist, bei dem Daten abgeflossen sind. Für Administratoren in Unternehmen stellt sich die Frage, wie man die internen Systeme vor SMS-Phishing und ähnlichen Angriffen, die auf Mitarbeiter zielen, schützen kann. --------------------------------------------- https://www.borncity.com/blog/2022/08/28/lookout-wie-man-sich-vor-sms-phish… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Bitbucket Server vulnerable to critical RCE vulnerability ∗∗∗ --------------------------------------------- Atlassian has published a security advisory warning Bitbucket Server and Data Center users of a critical security flaw that attackers could leverage to execute arbitrary code on vulnerable instances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atlassian-bitbucket-server-v… ∗∗∗ Lexmark: Angreifer können sich durch Firmware-Lücke einnisten ∗∗∗ --------------------------------------------- In über 100 Drucker-Modellen von Lexmark steckt eine kritische Lücke in der Firmware. Angreifer könnten sich nach einem Einbruch in den Geräten einnisten. --------------------------------------------- https://heise.de/-7247068 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, exim4, maven-shared-utils, ndpi, puma, webkit2gtk, and wpewebkit), Fedora (dotnet3.1, firefox, and webkit2gtk3), Mageia (clamav, mariadb, net-snmp, postgresql, python-ldap, and thunderbird), SUSE (freeciv, gnutls, keepalived, libyang, nim, python-Django, and varnish), and Ubuntu (schroot). --------------------------------------------- https://lwn.net/Articles/906355/ ∗∗∗ Security Bulletin: Custom "Execution States" names on IBM Engineering Test Management TCER pages are vulnerable to XSS ( CVE-2021-38934 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-custom-execution-states-n… ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1203 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2022
by Daily end-of-shift report 26 Aug '22

26 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-08-2022 18:00 − Freitag 26-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Living off the land, AD CS style ∗∗∗ --------------------------------------------- Unless you have been living under a rock for the last year or so, Active Directory Certificate Services (AD CS) abuse continues to be a hot topic in offensive security, ever since the excellent research released by Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_). --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-land-ad-cs-sty… ∗∗∗ Threat Assessment: Black Basta Ransomware ∗∗∗ --------------------------------------------- Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomwar… ∗∗∗ Automatic Execution of Code Upon Package Download on Python Package Manager ∗∗∗ --------------------------------------------- Automatic code execution is triggered upon downloading approximately one third of the packages on PyPi. A worrying feature in pip/PyPi allows code to automatically run when developers are merely downloading a package. --------------------------------------------- https://checkmarx.com/blog/automatic-execution-of-code-upon-package-downloa… ===================== = Vulnerabilities = ===================== ∗∗∗ Lücken in Ciscos FXOS und NX-OS ermöglichen Übernahme der Kontrolle ∗∗∗ --------------------------------------------- In Ciscos Router- und Firewall-Betriebssystemen FXOS und NX-OS hätten Angreifer beliebigen Code mit root-Rechten ausführen können. Updates stehen bereit. --------------------------------------------- https://heise.de/-7244032 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (zlib), Fedora (dotnet3.1, firefox, java-1.8.0-openjdk-aarch32, thunderbird, and zlib), Mageia (canna, chromium-browser-stable, dovecot, firefox/nss, freeciv, freetype2, gnutls, kernel, kernel-linus, kicad, ldb/samba/sssd, libgsasl, microcode, nodejs, rsync, thunderbird, and unbound), Oracle (php:7.4 and systemd), Scientific Linux (firefox, rsync, systemd, and thunderbird), Slackware (vim), and SUSE (bluez, gstreamer-plugins-good, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libcroco, postgresql10, postgresql13, python-lxml, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/906232/ ∗∗∗ CISA Adds Ten Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added ten new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/25/cisa-adds-ten-kno… ∗∗∗ [R1] Nessus Agent Version 8.3.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Custom audit files bring tremendous power and flexibility when assessing the configuration of your assets. Two separate vulnerabilities that utilize this custom Audit functionality were identified, reported and fixed. With the release of Nessus Agent 8.3.4, Tenable has mitigated the reported issues by enabling the ability to sign and verify custom audit files. --------------------------------------------- https://www.tenable.com/security/tns-2022-17 ∗∗∗ ABB Security Advisory: ARM600 Cyber Security Notification: UEFI vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001477&Language… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime(CVE-2021-35603) affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to issues with libcurl (CVE-2022-27780, CVE-2022-30115) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-i… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to CSRF attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Directory Integrator as shipped with IBM Security Directory Suite is affected by Apache Log4j vulnerability (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-in… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in Java SE related to the JSSE component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ F5: K42795243: Apache Xalan Java Library vulnerability CVE-2022-34169 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42795243 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0008.html ∗∗∗ vBulletin Connect: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1190 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.08.2022
by Daily end-of-shift report 25 Aug '22

25 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-08-2022 18:00 − Donnerstag 25-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ PyPI packages hijacked after developers fall for phishing emails ∗∗∗ --------------------------------------------- A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages exotel and spam are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after… ∗∗∗ More hackers adopt Sliver toolkit as a Cobalt Strike alternative ∗∗∗ --------------------------------------------- Threat actors are dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known. After Brute Ratel, the open-source, cross-platform kit called Sliver is becoming an attractive alternative. --------------------------------------------- https://www.bleepingcomputer.com/news/security/more-hackers-adopt-sliver-to… ∗∗∗ Twilio hackers hit over 130 orgs in massive Okta phishing attack ∗∗∗ --------------------------------------------- Threat analysts have discovered the phishing kit responsible for thousands of attacks against 136 high-profile organizations that have compromised 9,931 accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-… ∗∗∗ MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone ∗∗∗ --------------------------------------------- Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments. --------------------------------------------- https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-… ∗∗∗ whids - Open Source EDR for Windows ∗∗∗ --------------------------------------------- EDR with artifact collection driven by detection. The detection engine is built on top of a previous project Gene specially designed to match Windows events against user defined rules. --------------------------------------------- https://github.com/0xrawsec/whids ∗∗∗ EDR: Nachfolger der Antiviren-Software kämpfen mit altbekannten Problemen ∗∗∗ --------------------------------------------- Die Security-Industrie preist Endpoint Detection & Response als das bessere Antivirus an. Tests zeigen, dass es oft an den gleichen Problemen scheitert. --------------------------------------------- https://heise.de/-7241955 ∗∗∗ Firefox ESR, Thunderbird: Angreifer könnten Nutzereingaben abfangen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für den Mailclient Thunderbird und den Webbrowser Firefox ESR. --------------------------------------------- https://heise.de/-7242897 ∗∗∗ Doxing – was ist das und wie schützt man sich davor? ∗∗∗ --------------------------------------------- Doxing kann jeden treffen - hier erfahren Sie, wie Sie die Wahrscheinlichkeit verringern können, dass Ihre persönlichen Daten als Waffe gegen Sie eingesetzt werden. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/08/25/doxing-was-ist-das-und-wi… ∗∗∗ Vorsicht vor Coin-Fallen auf Dating-Portalen ∗∗∗ --------------------------------------------- Sie wollen herausfinden, ob es Ihrer Internetbekanntschaft wirklich ernst ist? Haben Sie Geld für Coins oder Guthaben investiert, um mit Ihrer Bekanntschaft zu chatten, es kommt aber nie zu einem persönlichen Treffen? Hier erfahren Sie alles über die Maschen von moderierten Dating-Portalen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-coin-fallen-auf-dating-… ∗∗∗ Preparing Critical Infrastructure for Post-Quantum Cryptography ∗∗∗ --------------------------------------------- CISA has released CISA Insights: Preparing Critical Infrastructure for Post-Quantum Cryptography, which outlines the actions that critical infrastructure stakeholders should take now to prepare for their future migration to the post-quantum cryptographic standard that the National Institute of Standards and Technology (NIST) will publish in 2024. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/24/preparing-critica… ∗∗∗ Palo Alto warns of firewall vulnerability used in DDoS attack on service provider ∗∗∗ --------------------------------------------- Palo Alto Networks is urging customers to patch a line of firewall products after finding that the vulnerability was used in a distributed denial-of-service (DDoS) attack. On August 19, the company made all patches available for CVE-2022-0028 – which affects the PA-Series, VM-Series and CN-Series of the PAN-OS firewall software. --------------------------------------------- https://therecord.media/palo-alto-warns-of-firewall-vulnerability-used-in-d… ∗∗∗ New Golang Ransomware Agenda Customizes Attacks ∗∗∗ --------------------------------------------- A new piece of ransomware written in the Go language has been targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#309662: Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass ∗∗∗ --------------------------------------------- The following vendor-specific bootloaders were found vulnerable: Inherently vulnerable bootloader to bypass Secure Boot New Horizon Datasys Inc (CVE-2022-34302) UEFI Shell execution to bypass Secure Boot CryptoPro Secure Disk (CVE-2022-34301) Eurosoft (UK) Ltd (CVE-2022-34303) Microsoft has provided details with their KB5012170 article released on August 9th 2022. Note, these updates can be delivered from your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX). --------------------------------------------- https://kb.cert.org/vuls/id/309662 ∗∗∗ Movable Type XMLRPC API vulnerable to command injection ∗∗∗ --------------------------------------------- Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN57728859/ ∗∗∗ Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053 ∗∗∗ --------------------------------------------- Project: Commerce Elavon Security risk: Moderately critical Vulnerability: Access bypass Description: This module enables you to accept payments from the Elavon payment provider. [..] This vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-053 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libxslt, and open-vm-tools), Fedora (dotnet6.0 and firefox), Oracle (curl, firefox, rsync, and thunderbird), Red Hat (curl, firefox, php:7.4, rsync, systemd, and thunderbird), SUSE (bluez, chromium, freerdp, glibc, gnutls, kernel, postgresql10, raptor, rubygem-rails-html-sanitizer, and spice), and Ubuntu (firefox, linux, linux-kvm, linux-lts-xenial, linux-aws, linux-azure-fde, open-vm-tools, and varnish). --------------------------------------------- https://lwn.net/Articles/906055/ ∗∗∗ Atlassian Bitbucket: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Bitbucket ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1185 ∗∗∗ HCL Notes und Domino: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in HCL Notes und HCL Domino ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1180 ∗∗∗ Mattermost security updates 7.1.3 (ESR), 7.0.2, 6.3.10 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses a medium-level severity vulnerability. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.1.3 (Extended Support Release), 7.0.2, and 6.3.10 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-1-3-esr-7-0-2-6-3… ∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Cisco has released security updates for vulnerabilities affecting ACI Multi-Site Orchestrator, FXOS, and NX-OS software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/25/cisco-releases-se… ∗∗∗ SMA100 Exposure of Sensitive Information to an Unauthorized Actor ∗∗∗ --------------------------------------------- A vulnerability in the SonicWall SMA100 appliance could potentially expose sensitive information i.e., third-party packages and library versions used in the appliance firmware to a pre-authenticated actor.IMPORTANT: SMA 1000 series products are not affected by this vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0020 ∗∗∗ SonicWall SMA100 Post-Auth Heap-based Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A Heap-based Buffer Overflow vulnerability in the SonicWall SMA100 appliance allows a remote authenticated attacker to cause Denial of Service (DoS) on the appliance or potentially lead to code execution. This vulnerability impacts 10.2.1.5-34sv and earlier versions.IMPORTANT: SMA 1000 series products are not affected by this vulnerability. CVE: CVE-2022-2915 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0019 ∗∗∗ Security Bulletin: IBM Connect:Direct Web Services vulnerable to remote security bypass due to PostgreSQL (CVE-2022-1552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-connectdirect-web-ser… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service due to Linux Kernel (CVE-2020-35513) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ FATEK Automation FvDesigner ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-237-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2022
by Daily end-of-shift report 24 Aug '22

24 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-08-2022 18:00 − Mittwoch 24-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fake Chrome extension Internet Download Manager has 200,000 installs ∗∗∗ --------------------------------------------- Google Chrome extension Internet Download Manager installed by more than 200,000 users is adware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-chrome-extension-intern… ∗∗∗ Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams ∗∗∗ --------------------------------------------- A new business email compromise (BEC) campaign has been discovered combining sophisticated spear-phishing with Adversary-in-The-Middle (AiTM) tactics to hack corporate executives Microsoft 365 accounts, even those protected by MFA. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-m… ∗∗∗ Ransomware updates & 1-day exploits ∗∗∗ --------------------------------------------- In this report, we discuss the new multi-platform ransomware RedAlert (aka N13V) and Monster, as well as private 1-day exploits for the CVE-2022-24521 vulnerability. --------------------------------------------- https://securelist.com/ransomware-updates-1-day-exploits/107291/ ∗∗∗ Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC, (Wed, Aug 24th) ∗∗∗ --------------------------------------------- On Monday, 2022-08-22, I generated an IcedID (Bokbot) infection based on Monster Libra (also known as TA551 or Shathak). --------------------------------------------- https://isc.sans.edu/diary/rss/28974 ∗∗∗ Bomber is an application that scans SBoMs for security vulnerabilities. ∗∗∗ --------------------------------------------- So youve asked a vendor for an Software Bill of Materials (SBOM) for one of their products, and they provided one to you in a JSON file... now what? --------------------------------------------- https://github.com/devops-kung-fu/bomber ∗∗∗ Cyber-Angriff: Griechischer Gasnetzbetreiber Desfa Opfer von Ransomware-Gang ∗∗∗ --------------------------------------------- Die Ransomware-Gang hinter Ragnar Locker ist in die Netze des Betreibers des griechischen Erdgas-Netzes Desfa eingebrochen. Die Versorgung bleibt gesichert. --------------------------------------------- https://heise.de/-7241322 ∗∗∗ Einbruch bei Plex: Daten abgezogen, Passwortänderung nötig ∗∗∗ --------------------------------------------- Bösartige Akteure sind offenbar in die Datenbanken des Streaming-Dienstes und Medienservers Plex eingebrochen. Dort konnten sie persönliche Daten stehlen. --------------------------------------------- https://heise.de/-7241975 ∗∗∗ Ethernet LEDs Can Be Used to Exfiltrate Data From Air-Gapped Systems ∗∗∗ --------------------------------------------- A researcher from the Ben-Gurion University of the Negev in Israel has published a paper describing a method that can be used to silently exfiltrate data from air-gapped systems using the LEDs of various types of networked devices. --------------------------------------------- https://www.securityweek.com/ethernet-leds-can-be-used-exfiltrate-data-air-… ∗∗∗ Old, Inconspicuous Vulnerabilities Commonly Targeted in OT Scanning Activity ∗∗∗ --------------------------------------------- Data collected by IBM shows that old and inconspicuous vulnerabilities affecting industrial products are commonly targeted in scanning activity seen by organizations that use operational technology (OT). --------------------------------------------- https://www.securityweek.com/old-inconspicuous-vulnerabilities-commonly-tar… ∗∗∗ HavanaCrypt Ransomware tarnt sich als Google Update ∗∗∗ --------------------------------------------- Die neu entdeckte HavanaCrypt Ransomware nutzt ausgefeilte Techniken und verkleidet sich als Google Update. Lösegeldforderungen gab es bisher nicht. --------------------------------------------- https://www.zdnet.de/88403049/havanacrypt-ransomware-tarnt-sich-als-google-… ∗∗∗ But You Told Me You Were Safe: Attacking the Mozilla Firefox Sandbox (Part 2) ∗∗∗ --------------------------------------------- In this blog post, we discuss a second prototype pollution vulnerability that allowed the execution of attacker-controlled JavaScript in the privileged parent process, escaping the sandbox. --------------------------------------------- https://www.thezdi.com/blog/2022/8/23/but-you-told-me-you-were-safe-attacki… ∗∗∗ BitRAT and XMRig CoinMiner Being Distributed via Windows License Verification Tool ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool. --------------------------------------------- https://asec.ahnlab.com/en/37939/ ∗∗∗ AsyncRAT Being Distributed in Fileless Form ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered that malicious AsyncRAT codes are being distributed in fileless form. --------------------------------------------- https://asec.ahnlab.com/en/37954/ ===================== = Vulnerabilities = ===================== ∗∗∗ Gefährliche Lücken bedrohen Sicherheit von kritischen Infrastrukturen ∗∗∗ --------------------------------------------- Angreifer könnten Industrie-Steuerungssysteme attackieren und im schlimmsten Fall die volle Kontrolle erlangen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7241733 ∗∗∗ Updates für GitLab schließen kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Für die GitLab Community- und Enterprise-Edition haben die Entwickler aktualisierte Versionen veröffentlicht, die eine kritische Sicherheitslücke schließen. --------------------------------------------- https://heise.de/-7241481 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (vim), SUSE (cosign, dpdk, freeciv, gfbgraph, kernel, nim, p11-kit, perl-HTTP-Daemon, python-lxml, and python-treq), and Ubuntu (linux-oem-5.14, open-vm-tools, and twisted). --------------------------------------------- https://lwn.net/Articles/905853/ ∗∗∗ Oracle SBC: Multiple Security Vulnerabilities Leading to Unauthorized Access and Denial of Service ∗∗∗ --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/oracle-sbc-… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: A security vulnerability has been identified in in IBM Java SDK shipped with IBM Tivoli Business Service Manager (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to Denial of Service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM QRadar SIEM includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-includes-… ∗∗∗ VMSA-2022-0024 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0024.html ∗∗∗ vim: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1157 ∗∗∗ Jenkins Plugins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1166 ∗∗∗ F-Secure Produkte: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1165 ∗∗∗ tribe29 checkmk: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1160 ∗∗∗ Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/23/mozilla-releases-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2022
by Daily end-of-shift report 23 Aug '22

23 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 22-08-2022 18:00 − Dienstag 23-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Internet-Kernprotokoll: Das Transmission Control Protocol erhält Update ∗∗∗ --------------------------------------------- TCP ist der Motor des Internet. Mit einem gerade aktualisierten RFC bekommt er eine Generalüberholung. Aber kann er sich gegen neue Konkurrenz behaupten? --------------------------------------------- https://heise.de/-7239713 ∗∗∗ Cyber-Attacken: CISA warnt vor Angriffen auf neu entdeckte Sicherheitslücken ∗∗∗ --------------------------------------------- Die US-Cybersicherheitsbehörde CISA warnt vor einigen erst seit Kurzem bekannten Sicherheitslücken. Cyberkriminelle greifen diese bereits aktiv an. --------------------------------------------- https://heise.de/-7240372 ∗∗∗ Whos Looking at Your security.txt File? ∗∗∗ --------------------------------------------- In April 2022, the RFC related to the small file “security.txt” was released. It was already popular for a while, but an RFC is always a good way to “promote” some best practices! If you're unaware of this file, it helps to communicate security contacts (email addresses, phone, ...) to people who would like to contact you to report an issue with your website or your organization. --------------------------------------------- https://isc.sans.edu/diary/rss/28972 ∗∗∗ Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts ∗∗∗ --------------------------------------------- Budget Android device models that are counterfeit versions associated with popular smartphone brands are harboring multiple trojans designed to target WhatsApp and WhatsApp Business messaging apps. --------------------------------------------- https://thehackernews.com/2022/08/researchers-find-counterfeit-phones.html ∗∗∗ New Air-Gap Attack Uses MEMS Gyroscope Ultrasonic Covert Channel to Leak Data ∗∗∗ --------------------------------------------- A novel data exfiltration technique has been found to leverage a covert ultrasonic channel to leak sensitive information from isolated, air-gapped computers to a nearby smartphone that doesn't even require a microphone to pick up the sound waves. --------------------------------------------- https://thehackernews.com/2022/08/new-air-gap-attack-uses-mems-gyroscope.ht… ∗∗∗ If you havent patched Zimbra holes by now, assume youre toast ∗∗∗ --------------------------------------------- Heres how to detect an intrusion via vulnerable email systems Organizations that didnt immediately patch their Zimbra email systems should assume miscreants have already found and exploited the bugs, and should start hunting for malicious activity across IT networks, according to Uncle Sam. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/08/23/cisa_zimbra_… ∗∗∗ Ransomware Gang Leaks Data Allegedly Stolen From Greek Gas Supplier ∗∗∗ --------------------------------------------- The cybergang behind the Ragnar Locker ransomware has published more than 360 gigabytes of data allegedly stolen from Greece’s largest natural gas supplier Desfa.Established in 2007 as a subsidiary of Depa (Public Gas Corporation of Greece), Desfa operates both the country’s natural gas transmission system and its gas distribution networks. --------------------------------------------- https://www.securityweek.com/ransomware-gang-leaks-data-allegedly-stolen-gr… ∗∗∗ Online-Marktplatz: Vorsicht, wenn Käufer:innen Links zu Kurierdiensten und Zahlungsplattformen schicken ∗∗∗ --------------------------------------------- Sie verkaufen über willhaben, laendleanzeiger.at, shpock und Co? Nehmen Sie sich vor betrügerischen Käufer:innen in Acht. --------------------------------------------- https://www.watchlist-internet.at/news/online-marktplatz-vorsicht-wenn-kaeu… ∗∗∗ The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware ∗∗∗ --------------------------------------------- Threat actors have been searching for another opportunity – and found one. It's called data exfiltration, or exfil, a type of espionage causing headaches at organizations worldwide. Let's take a look. --------------------------------------------- https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html ===================== = Vulnerabilities = ===================== ∗∗∗ GitLab Critical Security Release: 15.3.1, 15.2.3, 15.1.5 ∗∗∗ --------------------------------------------- Today we are releasing versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. --------------------------------------------- https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitl… ∗∗∗ SECURITY BULLETIN AVEVA-2022-005 ∗∗∗ --------------------------------------------- Multiple vulnerabilities in AVEVA Edge (formerly known as InduSoft Web Studio). Rating: High --------------------------------------------- https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-up… ∗∗∗ [CVE-2020-2733] JD Edwards EnterpriseOne Tools admin password not adequately protected ∗∗∗ --------------------------------------------- JD Edwards EnterpriseOne Tools 9.2 or lower versions allow unauthenticated attackers to bypass the authentication and get Administrator rights on the system. --------------------------------------------- https://redrays.io/cve-2020-2733-jd-edwards/ ∗∗∗ Einbruchsgefahr: Über 80.000 Hikvision-Kameras verwundbar ∗∗∗ --------------------------------------------- Hikvision hat zwar Updates für die Kameras veröffentlicht, mehr als 2300 Firmen ignorieren diese jedoch. Angreifer könnten dadurch in deren Netze einbrechen. --------------------------------------------- https://heise.de/-7239986 ∗∗∗ Firefox 104: Verbesserungen am PDF-Viewer und Stromverbrauch-Profiler ∗∗∗ --------------------------------------------- Die neue Version von Firefox bringt neben sechs gefixten Sicherheitslücken auch Re-Snapping sowie die Möglichkeit, im PDF-Viewer zu unterschreiben. --------------------------------------------- https://heise.de/-7240408 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (kernel and kernel-container), SUSE (bluez, gimp, rubygem-rails-html-sanitizer, systemd-presets-common-SUSE, and u-boot), and Ubuntu (libxslt). --------------------------------------------- https://lwn.net/Articles/905730/ ∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-s… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in dojo library shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2019-10785, CVE-2020-5259, CVE-2020-4051, CVE-2018-15494, CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2021-22931) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to issues with libcurl (CVE-2022-27780, CVE-2022-30115) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-i… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to Google Gson (CVE-2022-25647) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Apache Commons Compress ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1151 ∗∗∗ Trellix Data Loss Prevention: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1149 ∗∗∗ xpdf: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1144 ∗∗∗ PowerDNS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1152 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2022
by Daily end-of-shift report 22 Aug '22

22 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-08-2022 18:00 − Montag 22-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 241 npm and PyPI packages caught dropping Linux cryptominers ∗∗∗ --------------------------------------------- More than 200 malicious packages were discovered infiltrating the PyPI and npm open source registries this week. These packages are largely typosquats of widely used libraries and each one of them downloads a Bash script on Linux systems that run cryptominers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/241-npm-and-pypi-packages-ca… ∗∗∗ New tool checks if in-app mobile browsers inject risky code on sites ∗∗∗ --------------------------------------------- A new online tool named InAppBrowser lets you analyze the behavior of in-app browsers embedded within mobile apps and determine if they inject privacy-threatening JavaScript into websites you visit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-tool-checks-if-in-app-mo… ∗∗∗ LockBit claims ransomware attack on security giant Entrust, leaks data ∗∗∗ --------------------------------------------- The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-at… ∗∗∗ Multi-Faktor-Authentisierung umgehen: Malware klaut automatisiert Cookies ∗∗∗ --------------------------------------------- Um Multi-Faktor-Authentisierung umgehen zu können, klauen Kriminelle vermehrt Browser-Cookies mittels Malware. --------------------------------------------- https://www.golem.de/news/multi-faktor-authentisierung-umgehen-malware-klau… ∗∗∗ Meet Borat RAT, a New Unique Triple Threat ∗∗∗ --------------------------------------------- Atlanta-based cyber risk intelligence company, Cyble discovered a new Remote Access Trojan (RAT) malware. What makes this particular RAT malware distinct enough to be named after the comic creation of Sacha Baron Cohen? --------------------------------------------- https://thehackernews.com/2022/08/meet-borat-rat-new-unique-triple-threat.h… ∗∗∗ Sicherer im Internet surfen: Obacht vor gefälschten DDoS-Check-Websites ∗∗∗ --------------------------------------------- Wer im Internet ohne Nachzudenken klickt, kann sich schnell einen Trojaner einfangen. Nun warnen Sicherheitsforscher vor einer weiteren Malware-Masche. --------------------------------------------- https://heise.de/-7238985 ∗∗∗ Bösartige Apps im Google Play Store: Mehr als zwei Millionen Downloads ∗∗∗ --------------------------------------------- Bitdefender hat 35 bösartige Apps in Googles Play Store entdeckt. Sie kommen zusammen auf mehr als zwei Millionen Downloads. --------------------------------------------- https://heise.de/-7239109 ∗∗∗ Kriminelle kapern Facebook-Konten und bewerben Fake-Investment-Plattformen ∗∗∗ --------------------------------------------- Tom und zahlreiche andere Personen wurden von Claudia auf Facebook bei einem Beitrag markiert. Der Beitrag ist ein Link zu einem Artikel, wie man mit einer Investment-Plattform in kurzer Zeit viel Geld verdienen kann. Vorsicht: Dabei handelt es sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-kapern-facebook-konten-un… ∗∗∗ Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More ∗∗∗ --------------------------------------------- Recent exploits observed in the wild are highlighted based on the availability of proofs of concept, the severity of the vulnerabilities the exploits are based on and the ease of exploitation. --------------------------------------------- https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/ ∗∗∗ Hackers are using this sneaky exploit to bypass Microsofts multi-factor authentication ∗∗∗ --------------------------------------------- Attackers guessed the password of a dormant account and were able to apply their own MFA to it - providing access to the victims network. --------------------------------------------- https://www.zdnet.com/article/hackers-are-using-this-sneaky-trick-to-exploi… ∗∗∗ Sicherheitslücken - jetzt auch in deiner Appliance ∗∗∗ --------------------------------------------- Die Entwickler des quelloffenen Frameworks YARA haben vor knapp zwei Wochen fast schon heimlich still und leise eine neue Version veröffentlicht, v4.2.3, welche in der medialen Berichterstattung beinahe untergegangen ist. --------------------------------------------- https://cert.at/de/blog/2022/8/sicherheitslucken-jetzt-auch-in-deiner-appli… ∗∗∗ CISA Adds One Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added a new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/22/cisa-adds-one-kno… ∗∗∗ Sicherheit: Wenn plötzlich ein (Fake-)"Office 365-Paket" per Post kommt ∗∗∗ --------------------------------------------- Kleine Warnung, die sich vor allem an unerfahrene Leser dieses Blogs bzw. Nutzer richtet. Kriminelle verschicken wohl Päckchen an (vorwiegend ältere Leute), in denen vorgeblich ein Microsoft Office enthalten ist. --------------------------------------------- https://www.borncity.com/blog/2022/08/21/sicherheit-wenn-pltzlich-ein-offic… ===================== = Vulnerabilities = ===================== ∗∗∗ Uncovering a ChromeOS remote memory corruption vulnerability ∗∗∗ --------------------------------------------- Microsoft discovered a memory corruption vulnerability in a ChromeOS component that could have been triggered remotely, allowing attackers to perform either a denial-of-service (DoS) or, in extreme cases, remote code execution (RCE). --------------------------------------------- https://www.microsoft.com/security/blog/2022/08/19/uncovering-a-chromeos-re… ∗∗∗ "As Nasty as Dirty Pipe" — 8 Year Old Linux Kernel Vulnerability Uncovered ∗∗∗ --------------------------------------------- Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is "as nasty as Dirty Pipe." Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level. --------------------------------------------- https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.h… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9 and kicad), Fedora (community-mysql and trafficserver), Gentoo (chromium, gettext, tomcat, and vim), Mageia (apache-mod_wsgi, libitrpc, libxml2, teeworlds, wavpack, and webkit2), Red Hat (podman), Slackware (vim), SUSE (java-1_8_0-openjdk, nodejs10, open-iscsi, rsync, and trivy), and Ubuntu (exim4). --------------------------------------------- https://lwn.net/Articles/905590/ ∗∗∗ YARA 4.2.3 Released, (Sat, Aug 20th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/28964 ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-29891 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2019-16649 and CVE-2019-16650 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Vulnerabilities with OpenJDK affect IBM Cloud Object Storage Systems (August 2022v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-open… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring RRT Agent (CVE-2021-45346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2022
by Daily end-of-shift report 19 Aug '22

19 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-08-2022 18:00 − Freitag 19-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Honeypot Attack Summaries with Python ∗∗∗ --------------------------------------------- We are lucky to have a variety of tools available to enrich existing honeypot data, but also automate that enrichment. I put together a script to try and help myself achieve a simple goal. --------------------------------------------- https://isc.sans.edu/diary/rss/28956 ∗∗∗ Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads ∗∗∗ --------------------------------------------- Under normal circumstances, DDoS pages usually don’t affect users much — they simply perform a check or request a skill testing question in order to proceed to the desired webpage. However, a recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware. --------------------------------------------- https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-… ∗∗∗ But You Told Me You Were Safe: Attacking the Mozilla Firefox Renderer (Part 1) ∗∗∗ --------------------------------------------- At Pwn2Own Vancouver 2022, Manfred Paul compromised the Mozilla Firefox browser using a full chain exploit that broke the mold. Although his exploit used some memory corruptions, the vulnerable code was written in a memory-safe programming language: JavaScript! --------------------------------------------- https://www.zerodayinitiative.com/blog/2022/8/17/but-you-told-me-you-were-s… ∗∗∗ Auch TikTok-App soll mit internem iPhone-Browser spionieren können ∗∗∗ --------------------------------------------- Nachdem das Problem bereits bei Facebook und Instagram aufgedeckt worden war, hat sich ein Sicherheitsforscher nun auch den chinesischen Videodienst angesehen. --------------------------------------------- https://heise.de/-7235891 ∗∗∗ Aktive Angriffe auf iPhones, iPads und Macs: Was Nutzer jetzt tun sollten ∗∗∗ --------------------------------------------- Erneut warnt Apple vor schweren Sicherheitslücken, die wohl aktiv ausgenutzt werden. Es gibt Patches, aber nicht für alle Systeme und Bugs. Ein Überblick. --------------------------------------------- https://heise.de/-7237518 ∗∗∗ Back in Black: Unlocking a LockBit 3.0 Ransomware Attack ∗∗∗ --------------------------------------------- This post explores some of the TTPs employed by a threat actor who were observed deploying LockBit 3.0 ransomware during an incident response engagement. --------------------------------------------- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-… ∗∗∗ SAP Vulnerability Exploited in Attacks After Details Disclosed at Hacker Conferences ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences. --------------------------------------------- https://www.securityweek.com/sap-vulnerability-exploited-attacks-after-deta… ∗∗∗ Fake-Shop-Alarm: getvoltplug.com hilft Ihnen nicht beim Stromsparen ∗∗∗ --------------------------------------------- In Zeiten der Energiekrise wirbt getvoltplug.com mit einem attraktiven Angebot: Ein Gerät soll Ihnen helfen bis zu 90% Ihrer Stromrechnung zu sparen. Aber Achtung! Dieses Gerät existiert gar nicht, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-getvoltplugcom-hilft… ∗∗∗ Wissen: Webseite als kompromittiert gemeldet? Wie geht man vor? ∗∗∗ --------------------------------------------- Wer eine Webseite betreibt, wird möglicherweise gelegentlich mit dem Problem konfrontiert, dass diese von Sicherheitsportalen oder Benutzern als "riskant" gemeldet wird. Dann stellt sich die Frage, wie man vorgehen könnte, um herauszufinden, ob dies ein Fehlalarm ist oder die Webseite kompromittiert wurde. --------------------------------------------- https://www.borncity.com/blog/2022/08/19/wissen-webseite-als-kompromittiert… ∗∗∗ Ukraine war spotlights agriculture sectors vulnerability to cyber attack ∗∗∗ --------------------------------------------- The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. We assess those future threats to the agriculture section will mainly include financially motivated ransomware actors and disruptive attacks carried out by state-sponsored APTs. --------------------------------------------- http://blog.talosintelligence.com/2022/08/ukraine-and-fragility-of-agricult… ∗∗∗ Business Email Compromise Attack Tactics ∗∗∗ --------------------------------------------- Is BEC more damaging than ransomware? What tactics are BEC actors using? How can organizations bolster their defenses? --------------------------------------------- https://www.trendmicro.com/en_us/ciso/22/h/business-email-compromise-bec-at… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-1076: PDF-XChange Editor submitForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1076/ ∗∗∗ DSA-2022-241: Dell EMC PowerFlex Rack Security Update for Multiple Third-Party Component Vulnerabilities ∗∗∗ --------------------------------------------- Dell EMC PowerFlex Rack remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system. --------------------------------------------- https://www.dell.com/support/kbdoc/de-at/000202540/dsa-2022-241-dell-emc-po… ∗∗∗ Virenscanner: Schwachstelle von McAfee erleichtert Angreifern das Einnisten ∗∗∗ --------------------------------------------- Angreifer hätten aufgrund einer Sicherheitslücke im Virenschutz McAfee Security Scan Plus ihre Rechte erhöhen können. Das erleichterte das Einnisten im System. --------------------------------------------- https://heise.de/-7235809 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ruby-tzinfo), Mageia (nvidia-current and nvidia390), SUSE (python-PyYAML, ucode-intel, and zlib), and Ubuntu (linux-aws, postgresql-10, postgresql-12, postgresql-14, and rsync). --------------------------------------------- https://lwn.net/Articles/905265/ ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1076 ∗∗∗ Security Advisory - JAD-AL50: Permission Bypass Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220819-… ∗∗∗ Security Bulletin: IBM MQ Explorer is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2022-22489) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-explorer-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-s… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-35948 and CVE-2022-35949 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM WebSphere Application Server Liberty and OpenSSL (CVE-2022-2068, CVE-2022-2097, CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in ICU [CVE-2017-14952 and CVE-2020-10531] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-s… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining . CVE-2022-2048 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2022
by Daily end-of-shift report 18 Aug '22

18 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-08-2022 18:00 − Donnerstag 18-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ BlackByte ransomware gang is back with new extortion tactics ∗∗∗ --------------------------------------------- The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-gang-is… ∗∗∗ Microsoft Sysmon can now block malicious EXEs from being created ∗∗∗ --------------------------------------------- Microsoft has released Sysmon 14 with a new FileBlockExecutable option that lets you block the creation of malicious executables, such as EXE, DLL, and SYS files, for better protection against malware. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-can-now-bl… ∗∗∗ Schwere Lücken: Vorsicht bei VPN-Nutzung auf Apple-Geräten ∗∗∗ --------------------------------------------- Wer über Apples iOS einen VPN-Dienst nutzt, ist nicht so sicher unterwegs, wie man es eigentlich vermuten würde. --------------------------------------------- https://futurezone.at/produkte/schwere-luecken-vorsicht-vpn-apple-iphone-ip… ∗∗∗ Clop: Ransomwaregruppe erpresst wohl falsches Wasserwerk ∗∗∗ --------------------------------------------- Eine Ransomwaregruppe hat sich nach einem Hack eines Wasserversorgungsunternehmens in Großbritannien offenbar vertan und ein anderes Werk erpresst. --------------------------------------------- https://www.golem.de/news/clop-ransomwaregruppe-erpresst-scheinbar-falsches… ∗∗∗ Hacking: Der Bad-USB-Stick Rubber Ducky wird noch gefährlicher ∗∗∗ --------------------------------------------- Mit einer neuen Version des Bad-USB-Sticks Rubber Ducky lassen sich Rechner noch leichter angreifen und neuerdings auch heimlich Daten ausleiten. --------------------------------------------- https://www.golem.de/news/hacking-der-bad-usb-stick-rubber-ducky-wird-noch-… ∗∗∗ Hackers Using Bumblebee Loader to Compromise Active Directory Services ∗∗∗ --------------------------------------------- The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities. --------------------------------------------- https://thehackernews.com/2022/08/hackers-using-bumblebee-loader-to.html ∗∗∗ Deluge of of entries to Spamhaus blocklists includes various household names ∗∗∗ --------------------------------------------- Nastymail tracking service blames sloppy sending practices for swelling lists of dangerous mailers Spam-tracking service Spamhaus reported Tuesday that some of the worlds biggest brands are getting loose with their email practices, causing its spam blocklists (SBL) to swell significantly. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/08/18/deluge_of_en… ∗∗∗ Real-Time Behavior-Based Detection on Android Reveals Dozens of Malicious Apps on Google Play Store ∗∗∗ --------------------------------------------- Cybersecurity researchers identify 35 apps, many downloaded over 100,000 times, that have been serving up malware to millions of Android users. --------------------------------------------- https://www.bitdefender.com/blog/labs/real-time-behavior-based-detection-on… ∗∗∗ PayPal Phishing Scam Uses Invoices Sent Via PayPal ∗∗∗ --------------------------------------------- Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. --------------------------------------------- https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent… ∗∗∗ ASEC Weekly Malware Statistics (August 8th, 2022 – August 14th, 2022) ∗∗∗ --------------------------------------------- This post will list weekly statistics collected from August 8th, 2022 (Monday) to August 14th, 2022 (Sunday). --------------------------------------------- https://asec.ahnlab.com/en/37837/ ∗∗∗ Analyzing the Hidden Danger of Environment Variables for Keeping Secrets ∗∗∗ --------------------------------------------- While DevOps practitioners use environment variables to regularly keep secrets in applications, these could be conveniently abused by cybercriminals for their malicious activities, as our analysis shows. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/h/analyzing-hidden-danger-of-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Aktive Exploits: macOS 12.5.1, iOS 15.6.1 und iPadOS 15.6.1 verfügbar ∗∗∗ --------------------------------------------- Apple legt nochmals Aktualisierungen für seine 2021er Betriebssysteme vor. Grund sind wichtige Sicherheitsfixes. Für die Apple Watch kommt ein Extra-Update. --------------------------------------------- https://heise.de/-7223549 ∗∗∗ Cisco Secure Web Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Webkonferenzen: Teils kritische Lücken in Zoom ∗∗∗ --------------------------------------------- In mehreren Zoom-Varianten stecken teilweise kritische Sicherheitslücken. Updates sollen sie abdichten. Mac-Nutzer müssen erneut aktualisieren. --------------------------------------------- https://heise.de/-7223873 ∗∗∗ TP-Link: Schadcode-Schmuggel durch Sicherheitslücke in Routern ∗∗∗ --------------------------------------------- Sicherheitsforscher aus Vietnam haben im WLAN-Router TL-WR841N von TP-Link einen kritischen Fehler festgestellt, der Code-Ausführung auf dem Gerät ermöglicht. --------------------------------------------- https://heise.de/-7224392 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, epiphany-browser, freecad, and schroot), Fedora (freeciv, microcode_ctl, qemu, and rsync), Oracle (httpd), SUSE (aws-efs-utils, python-ansi2html, python-py, python-pytest-html, python-pytest-metadata, python-pytest-rerunfailures, python-coverage, python-oniconfig, python-unittest-mixins, bluez, curl, gnutls, kernel, ntfs-3g_ntfsprogs, podman, and ucode-intel), and Ubuntu (zlib). --------------------------------------------- https://lwn.net/Articles/905072/ ∗∗∗ Apache ActiveMQ Artemis: Schwachstelle ermöglicht Darstellen falscher Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache ActiveMQ Artemis ausnutzen, um falsche Informationen darzustellen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1069 ∗∗∗ TypeORM 0.3.7 Information Disclosure ∗∗∗ --------------------------------------------- TypeORM 0.3.7 Information Disclosure Risk: I found what I think is a vulnerability in the latest typeorm 0.3.7. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022080057 ∗∗∗ DSA-2022-238: Dell Client BIOS Security Update for Multiple Tianocore EDK2 Vulnerabilities ∗∗∗ --------------------------------------------- https://www.dell.com/support/kbdoc/de-at/000202475/dsa-2022-238-dell-client… ∗∗∗ Security Bulletin: Vulnerability in Moment affects IBM Process Mining . CVE-2022-31129 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-moment-a… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Apr 2022 – Includes Oracle April 2022 CPU (minus CVE-2022-21426)affects IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in FasterXML jackson-databind affects IBM Process Mining . CVE-2020-36518 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fasterxm… ∗∗∗ Security Bulletin: AIX is vulnerable to arbitrary command execution (CVE-2022-1292 and CVE-2022-2068) or an attacker may obtain sensitive information (CVE-2022-2097) due to OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-arbi… ∗∗∗ Security Bulletin: Multiple vulnerabilities due to OpenSSL and Node js which affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: An Eclipse Jetty vulnerability affects IBM Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerab… ∗∗∗ Security Bulletin: Samba for IBM i is vulnerable to attacker obtaining sensitive information due to a memory leak with SMB1 requests (CVE-2022-32742) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-samba-for-ibm-i-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining . CVE-2020-36518 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0