- Daily - CERT.at

Tageszusammenfassung - 09.05.2022
by Daily end-of-shift report 09 May '22

09 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-05-2022 18:00 − Montag 09-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hilfestellung für die Analyse schadbringender Dokumente ∗∗∗ --------------------------------------------- Das SANS-Institut veröffentlicht einen neuen "Spickzettel", der bei der Malware-Analyse verschiedener Dokumenttypen helfen soll. --------------------------------------------- https://heise.de/-7079601 ∗∗∗ Utimaco, der Krypto-Miner und ein Disclosure-Desaster ∗∗∗ --------------------------------------------- Auch Anbieter von Hochsicherheitslösungen sind vor Securityproblemen nicht gefeit. Man sollte sich vorbereiten, bevor man davon erfährt, sagt Jürgen Schmidt. --------------------------------------------- https://heise.de/-7079962 ∗∗∗ Jetzt patchen! Attacken auf F5 BIG-IP-Systeme könnten bevorstehen ∗∗∗ --------------------------------------------- Sicherheitsforscher habe in vergleichsweise kurzer Zeit Exploit-Code entwickelt. Das könnten Angreifer auch. Admins sollten BIP-IP-Produkte aktualisieren. --------------------------------------------- https://heise.de/-7079049 ∗∗∗ Kaufen Sie keine Schuhe vom Instagram-Account „wesleyroberts375“ ∗∗∗ --------------------------------------------- Auf der Instagram-Seite „wesleyroberts375“ finden sich zahlreiche Fotos von Nike-Schuhen, meist Modelle, die sonst überall ausverkauft sind. Wer einen Schuh kaufen oder den Preis erfahren möchte, muss dem Instagram-Nutzer eine private Nachricht senden. Achtung: Hinter dem Profil von „wesleyroberts375“ steckt kein echter Online-Shop. Sie werden betrogen. Schicken Sie kein Geld oder Gutscheincodes! --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-schuhe-vom-instagra… ∗∗∗ Bedrohungen in der Cloud ∗∗∗ --------------------------------------------- Die größten Sicherheitsrisiken bei der Cloud-Nutzung und wie Hacker zu mehr Sicherheit beitragen, schildert Laurie Mercer, Security Engineer bei HackerOne, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88401108/bedrohungen-in-der-cloud/ ∗∗∗ Gehärteter Online-Banking-Browser S-Protect, ein Totalausfall ∗∗∗ --------------------------------------------- Es klingt gut, was der Deutsche Sparkassen- und Giroverband da angestoßen hat. Mit S-Protect legt man einen "gehärteten" Browser vor, der Online-Banking-Kunden vor den Risiken bei Bankgeschäften auf Windows PCs oder Macs besser schützen soll. Der Haken an der Geschichte: [...] --------------------------------------------- https://www.borncity.com/blog/2022/05/09/gehrteter-online-banking-browser-s… ∗∗∗ Caramel credit card stealing service is growing in popularity ∗∗∗ --------------------------------------------- A credit card stealing service is growing in popularity, allowing any low-skilled threat actors an easy and automated way to get started in the world of financial fraud. --------------------------------------------- https://www.bleepingcomputer.com/news/security/caramel-credit-card-stealing… ∗∗∗ Constrained environment breakout. .NET Assembly exfiltration via Internet Options ∗∗∗ --------------------------------------------- It’s not uncommon for developers to find that they need to help their end users. For starter, the business requirements for software can be highly convoluted and technical. Working with [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/constrained-environment-break… ∗∗∗ Beware: This cheap and homemade malware is surprisingly effective ∗∗∗ --------------------------------------------- DCRat malware targets Windows devices. And its cheap and popular, which makes it a problem. --------------------------------------------- https://www.zdnet.com/article/beware-this-cheap-and-homemade-malware-is-sur… ∗∗∗ Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound ∗∗∗ --------------------------------------------- During our engagements, red team operators often find themselves operating within complex Active Directory environments. The question then becomes finding the needle in the haystack that allows the red team to further escalate and/or reach their objectives. Luckily, the security community has already come up with ways to assist operators in answering these questions, [...] --------------------------------------------- https://blog.nviso.eu/2022/05/09/introducing-pycobalthound/ ∗∗∗ Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application ∗∗∗ --------------------------------------------- The ASEC analysis team confirmed that a backdoor malware disguised as document editing software and messenger application used by many Korean users is being distributed in Korea through malicious CHM files. The team recently introduced malicious CHM files distributed in various forms twice in the ASEC blog in March. The malicious files discussed in this post execute additional malicious files via a process that is different from the previous cases. --------------------------------------------- https://asec.ahnlab.com/en/34010/ ∗∗∗ BPFDoor - an active Chinese global surveillance tool ∗∗∗ --------------------------------------------- Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to [...] --------------------------------------------- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool… ∗∗∗ [Infographic] Cloud Misconfigurations: Dont Become a Breach Statistic ∗∗∗ --------------------------------------------- Our latest infographic highlights some key commonalities uncovered in our 2022 Cloud Misconfigurations Report. --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/09/infographic-cloud-misconfigurat… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: New installations fail with HTTP Error 403 from https://sus.sophosupd.com/ in Sophos Intercept X for Windows ∗∗∗ --------------------------------------------- Overview: New installation and/or device updates fail with HTTP Error 403 from https://sus.sophosupd.com/. This error is seen in C:\ProramData\Sophos\AutoUpdate\SophosUpdate.log. --------------------------------------------- https://support.sophos.com/support/s/article/KB-000043980?language=en_US ∗∗∗ Patchday: Fortinet schützt IP-Telefone vor Schadcode-Attacken ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für unter anderem FortiClient, FortiFone und FortiOS. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-7079563 ∗∗∗ Freifunk: Einschleusen schädlicher Firmware durch kritische Lücke möglich ∗∗∗ --------------------------------------------- Freifunk aktualisiert seine Router-Firmware und schließt eine kritische Sicherheitslücke, durch die Angreifer eigene Firmware auf die Geräte aufspielen könnten. --------------------------------------------- https://heise.de/-7079644 ∗∗∗ Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777) ∗∗∗ --------------------------------------------- Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable against XSS because their current protection does not restrict properly the set of characters allowed in [...] --------------------------------------------- https://research.nccgroup.com/2022/05/06/technical-advisory-ruby-on-rails-p… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (ecdsautils and libz-mingw-w64), Fedora (cifs-utils, firefox, galera, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, mariadb, maven-shared-utils, mingw-freetype, redis, and seamonkey), Mageia (dcraw, firefox, lighttpd, rsyslog, ruby-nokogiri, and thunderbird), Scientific Linux (thunderbird), SUSE (giflib, kernel, and libwmf), and Ubuntu (dbus and rsyslog). --------------------------------------------- https://lwn.net/Articles/894353/ ∗∗∗ RubyGems Fixes Critical Gem Takeover Vulnerability ∗∗∗ --------------------------------------------- RubyGems has addressed a critical vulnerability that could have allowed any RubyGems.org user to remove and replace certain Ruby gems. A package hosting service for the Ruby programming language, RubyGems.org hosts more than 170,000 gems. RubyGems also functions as a package manager. --------------------------------------------- https://www.securityweek.com/rubygems-fixes-critical-gem-takeover-vulnerabi… ∗∗∗ SonicWall SSL-VPN NetExtender Windows Client Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit) in 10.2.322 and earlier versions, allows an attacker to potentially execute arbitrary code in the host windows operating system. CVE: CVE-2022-22281 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0008 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ K12492858: Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12492858 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0549 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2022
by Daily end-of-shift report 06 May '22

06 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-05-2022 18:00 − Freitag 06-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Raspberry Robin worm uses Windows Installer to drop malware ∗∗∗ --------------------------------------------- Red Canary intelligence analysts have discovered a new Windows malware with worm capabilities that spreads using external USB drives. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-raspberry-robin-worm-use… ∗∗∗ Tipps zur Passwortsicherheit am World Password Day ∗∗∗ --------------------------------------------- Heute jährt sich der Welt-Passwort-Tag. Was können Sie tun, um sich online bestmöglich zu schützen? Hier finden Sie Tipps und Tricks für den sicheren Umgang mit Ihren Daten! --------------------------------------------- https://www.watchlist-internet.at/news/tipps-zur-passwortsicherheit-am-worl… ===================== = Vulnerabilities = ===================== ∗∗∗ ClamAV 0.105.0, 0.104.3, 0.103.6 released ∗∗∗ --------------------------------------------- Today, were also publishing the 0.104.3 and 0.103.6 security patch versions, including several CVE fixes. --------------------------------------------- https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html ∗∗∗ Schadcode-Attacken auf Videoüberwachungssystem und NAS von Qnap möglich ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehreren Lücken in Netzwerkprodukten von Qnap. --------------------------------------------- https://heise.de/-7077449 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, mruby, openjdk-11, and smarty3), Oracle (thunderbird), Red Hat (thunderbird), SUSE (chromium, libvirt, python-Twisted, and tar), and Ubuntu (cron and jbig2dec). --------------------------------------------- https://lwn.net/Articles/894141/ ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-23772 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: TS3000 (TSSC/IMC) is vulnerable to privilege escalation vulnerability due to polkit ( CVE-2021-4034 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ts3000-tssc-imc-is-vulner… ∗∗∗ Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution with IBM WebSphere Application Server (CVE-2021-23450). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2021-44716 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a WebSphere Application Server vulnerability (CVE-2022-22310). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect Rational Asset Analyzer (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerability CVE-2021-39023 in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2021-39… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote attack due to Go CVE-2021-44717 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption is vulnerable to missing data encoding issue (CVE-2021-39027) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ affects Rational Asset Analyzer (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to attack under error due to Go CVE-2022-23773 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: API Connect V10 is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-v10-is-vulner… ∗∗∗ K52379673: Linux kernel vulnerability for CVE-2021-4083 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52379673 ∗∗∗ K50899356: file vulnerability CVE-2018-10360 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50899356 ∗∗∗ poppler: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0545 ∗∗∗ Foxit Reader: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0544 ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-125-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2022
by Daily end-of-shift report 05 May '22

05 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-05-2022 18:00 − Donnerstag 05-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New NetDooka malware spreads via poisoned search results ∗∗∗ --------------------------------------------- A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-netdooka-malware-spreads… ∗∗∗ The strange link between a destructive malware and a ransomware-gang linked custom loader: IsaacWiper vs Vatet ∗∗∗ --------------------------------------------- Cluster25 researchers, during a comparative analysis performed at the beginning of March 2022, found evidence that suggests a possible relationships between a piece of malware belonging to the Sprite Spider arsenal (or some elements that are or were part of it) and Vavet Loader. --------------------------------------------- https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malwar… ∗∗∗ The curious case of mavinject.exe ∗∗∗ --------------------------------------------- Mavinject is a LOLBIN currently employed by the infamous adversary group Lazarus successfully evades detection by various security products because the execution is masked under a legitimate process. --------------------------------------------- https://fourcore.io/blogs/mavinject-curious-process-injection ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-05-04 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (1 Critical, 8 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Angreifer könnten die volle Kontrolle über F5 BIG-IP-Systeme erlangen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen unter anderem eine kritische Lücke in BIG-IP-Systemen. Admins sollten jetzt handeln. --------------------------------------------- https://heise.de/-7075530 ∗∗∗ Sicherheitsupdates: Cisco schließt VM-Ausbruch-Lücken mit Root-Zugriff ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat unter anderem in Enterprise NFV Infrastrucutre Software eine kritische Lücke geschlossen. --------------------------------------------- https://heise.de/-7075725 ∗∗∗ Sicherheitsupdate schützt IBMs Datenbanksystem Informix Dynamic Server ∗∗∗ --------------------------------------------- Ein wichtiger Sicherheitspatch schließt eine Schwachstelle in IBMs Informix Dynamic Server. --------------------------------------------- https://heise.de/-7076231 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, recutils, suricata, and zchunk), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox), Slackware (mozilla, openssl, and seamonkey), SUSE (apache2-mod_auth_mellon, libvirt, and pgadmin4), and Ubuntu (dpdk, mysql-5.7, networkd-dispatcher, openssl, openssl1.0, sqlite3, and twisted). --------------------------------------------- https://lwn.net/Articles/894036/ ∗∗∗ 10 Jahre alte Schwachstellen in Avast und AVG gefährden Millionen Nutzer ∗∗∗ --------------------------------------------- Sicherheitsforscher von Sentinel One haben in den Sicherheitsprodukten von Avast und AVG zwei seit 10 Jahren bestehende, schwerwiegende Schwachstellen entdeckt, die Millionen von Nutzern gefährden. --------------------------------------------- https://www.borncity.com/blog/2022/05/05/10-jahre-alte-schwachstellen-in-av… ∗∗∗ Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-036 ∗∗∗ Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-035 ∗∗∗ Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-034 ∗∗∗ Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-039 ∗∗∗ Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-038 ∗∗∗ Security Bulletin: Cross-site scripting vulnerabilities in jQuery may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects (CVE-2022-22434) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to an issue where an API could be used to perform a DNS lookup via a third party provider. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-7656, CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may allow regular users to view some admin pages. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Data Encryption has vulnerability ( CVE-2021-39020) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-dat… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.05.2022
by Daily end-of-shift report 04 May '22

04 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-05-2022 18:00 − Mittwoch 04-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Conti, REvil, LockBit ransomware bugs exploited to block encryption ∗∗∗ --------------------------------------------- Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the table by finding exploits in the most common ransomware and malware being distributed today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomwa… ∗∗∗ A new secret stash for “fileless” malware ∗∗∗ --------------------------------------------- We observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. --------------------------------------------- https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/ ∗∗∗ Compromising Read-Only Containers with Fileless Malware ∗∗∗ --------------------------------------------- Many people see read-only filesystems as a catch-all to stop malicious activity and container drift in containerized environments. This blog will explore the mechanics and prevalence of malware fileless execution in attacking read-only containerized environments. --------------------------------------------- https://sysdig.com/blog/containers-read-only-fileless-malware/ ∗∗∗ Update on cyber activity in Eastern Europe ∗∗∗ --------------------------------------------- Google’s Threat Analysis Group (TAG) has been closely monitoring the cybersecurity activity in Eastern Europe with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. --------------------------------------------- https://blog.google/threat-analysis-group/update-on-cyber-activity-in-easte… ∗∗∗ Spyware blieb in Unternehmen bis zu 18 Monate lang unentdeckt ∗∗∗ --------------------------------------------- Die "Quietexit" genannte Backdoor blieb teilweise 18 Monate unentdeckt. Sicherheitsforscher vermuten, dass dahinter eine staatliche Gruppe steckt. --------------------------------------------- https://heise.de/-7074066 ∗∗∗ „Vorsicht, Falle!“: Wir brauchen Ihre Hilfe für ein neues Projekt! ∗∗∗ --------------------------------------------- Wir arbeiten derzeit an einem neuen Projekt: Bei „Vorsicht, Falle!“ entwickeln wir einen „Internetfallen-Generator“. Das heißt wir ahmen betrügerische Webseiten nach. Aber nicht mit dem Ziel, an Daten oder Geld zu kommen. Im Gegenteil: Allen, die in unsere Falle tappen, zeigen wir am Beispiel der Betrugsmasche, wie sie diese erkennen können. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-falle-wir-brauchen-ihre-hil… ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/04/cisa-adds-five-kn… ∗∗∗ XSS in JSON: Old-School Attacks for Modern Applications ∗∗∗ --------------------------------------------- This post highlights how cross-site scripting has adapted to today’s modern web applications, specifically the API and Javascript Object Notation (JSON). --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/04/xss-in-json-old-school-attacks-… ===================== = Vulnerabilities = ===================== ∗∗∗ Uclibc: Alte DNS-Lücke betrifft viele IoT-Geräte ∗∗∗ --------------------------------------------- Eine in Embedded-Geräten eingesetzte Bibliothek ist von Kaminskys DNS-Angriff betroffen, doch die Auswirkungen dürften sich in Grenzen halten. --------------------------------------------- https://www.golem.de/news/uclibc-alte-dns-luecke-betrifft-viele-iot-geraete… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (chromium and suricata), Oracle (mariadb:10.5), SUSE (amazon-ssm-agent, containerd, docker, java-11-openjdk, libcaca, libwmf, pcp, ruby2.5, rubygem-puma, webkit2gtk3, and xen), and Ubuntu (linux-raspi). --------------------------------------------- https://lwn.net/Articles/893839/ ∗∗∗ Security Bulletin: IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to FasterXML Jackson Databind (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-requireme… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server is affected to denial of service due to FasterXML jackson-databind (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Intel Processors affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilitiìy identified in IBM DB2 that is shipped as component and pattern type or pType with Cloud Pak System and Cloud Pak System Software Suite. Cloud Pak System addressed response with new DB2 pType ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-identified… ∗∗∗ K55879220: Overview of F5 vulnerabilities (May 2022) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55879220 ∗∗∗ 2022-11 Multiple vulnerabilities in Provize Basic Frontend ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14299&mediaformat… ∗∗∗ 2022-05 Multiple vulnerabilities in Provize Basic Backend ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14298&mediaformat… ∗∗∗ 2022-01 Vulnerability in ‘axios’ HTTP client in Provize Basic ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14297&mediaformat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2022
by Daily end-of-shift report 03 May '22

03 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 02-05-2022 18:00 − Dienstag 03-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Cyberspies use IP cameras to deploy backdoors, steal Exchange emails ∗∗∗ --------------------------------------------- A newly discovered and uncommonly stealthy Advanced Persistent Threat (APT) group is breaching corporate networks to steal Exchange (on-premise and online) emails from employees involved in corporate transactions such as mergers and acquisitions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cyberspies-use-ip-cameras-to… ∗∗∗ AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. --------------------------------------------- https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.h… ∗∗∗ Zyxel firmware extraction and password analysis ∗∗∗ --------------------------------------------- In this first article of our Zyxel audit series we will cover firmware extraction and password decryption against Zyxel ZyWALL Unified Security Gateway (USG) appliances. --------------------------------------------- https://security.humanativaspa.it/zyxel-firmware-extraction-and-password-an… ∗∗∗ Trend Micros Apex One meldet Trojaner im Webbrowser Microsoft Edge ∗∗∗ --------------------------------------------- Es mehren sich Beschwerden von Nutzern in den Internetforen, dass der Virenscanner Apex One bei Ihnen einen Trojaner-Befall in Microsofts Edge-Browser meldet. --------------------------------------------- https://heise.de/-7073156 ∗∗∗ Vorsicht vor Betrug auf BlaBlaCar ∗∗∗ --------------------------------------------- BlaBlaCar, eine Plattform für Mitfahrgelegenheiten, gerät ins Visier von Kriminellen. Kriminelle erstellen bei BlaBlaCar Fake-Profile und bieten Fahrten an. Mitfahrer:innen, die diese Fahrt buchen, werden dann auf WhatsApp kontaktiert und auf eine betrügerische Zahlungsplattform gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betrug-auf-blablacar/ ∗∗∗ Attackers Target Packages in Multiple Programming Languages in Recent Software Supply Chain Attacks ∗∗∗ --------------------------------------------- Malicious packages in multiple programming languages that went undetected for years were revealed by the Checkmarx Supply Chain Security team using advanced threat hunting techniques. --------------------------------------------- https://checkmarx.com/blog/attackers-target-packages-in-multiple-programmin… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched DNS bug affects millions of routers and IoT devices ∗∗∗ --------------------------------------------- A vulnerability in the domain name system (DNS) component of a popular C standard library that is present in a wide range of IoT products may put millions of devices at DNS poisoning attack risk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-dns-bug-affects-mi… ∗∗∗ Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information. --------------------------------------------- https://thehackernews.com/2022/05/critical-tlstorm-20-bugs-affect-widely.ht… ∗∗∗ Fortinet Security Advisories (FortiClient, FortiSOAR, FortiIsolator, FortiOS, FortiProxy, PJSIP Library, FortiNAC) ∗∗∗ --------------------------------------------- * FortiClient (Windows) - Privilege escalation in FortiClient installer * FortiSOAR - Improper access control on gateway API * FortiIsolator - Unauthorized user able to regenerate CA certificate * FortiOS - Improper Inter-VDOM access control * FortiOS - Lack of certificate verification when establishing secure connections to some external end-points * FortiProxy & FortiOS - XSS vulnerability in Web Filter Block Override Form * Multiple vulnerabilities in PJSIP library * FortiNAC - SQL --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=05-2022 ∗∗∗ Patchday: Wichtige Sicherheitsupdates für Android 10, 11 und 12 erschienen ∗∗∗ --------------------------------------------- Google hat sein mobiles Betriebssystem gegen mehrere mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-7072491 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jackson-databind, kernel, openvpn, and twisted), Fedora (xz), Mageia (chromium-browser-stable and curl), Oracle (vim and xmlrpc-c), Red Hat (gzip), Slackware (libxml2), SUSE (git, python39, and subversion), and Ubuntu (libvirt and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/893681/ ∗∗∗ Tenda HG6 v3.3.0 Remote Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender Configuration Utility and Mobile Enterprise Gateway have vulnerability (CVE-2021-43797) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… ∗∗∗ Security Bulletin: Vulnerability in IBM JAVA JDK affects IBM Spectrum Scale (CVE-2022-21291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to Host Header Injection (CVE-2021-29854) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a denial of service in Spring Framework (CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-is-… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information(CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ OpenSSL Security Advisory (CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473) ∗∗∗ --------------------------------------------- https://openssl.org/news/secadv/20220503.txt ∗∗∗ Security Vulnerabilities fixed in Firefox 100 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/ ∗∗∗ Yokogawa CENTUM and ProSafe-RS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-123-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2022
by Daily end-of-shift report 02 May '22

02 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-04-2022 18:00 − Montag 02-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fake Windows 10 updates infect you with Magniber ransomware ∗∗∗ --------------------------------------------- Fake Windows 10 updates on crack sites are being used to distribute the Magniber ransomware in a massive campaign that started earlier this month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infe… ∗∗∗ REvil ransomware returns: New malware sample confirms gang is back ∗∗∗ --------------------------------------------- The notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new… ∗∗∗ Fake-YouTube-Videos mit Elon Musk führen zu Betrug mit Kryptowährung ∗∗∗ --------------------------------------------- Kriminelle fälschen Videos mit Elon Musk. In diesen Videos erhalten Zuseher:innen angeblich ein Geschenk von Musk. Er bietet die Möglichkeit, Bitcoins oder Ethereum zu verdoppeln. Und das ganz einfach: Sie überweisen Kryptowährung an ein bestimmtes Wallet und erhalten das Doppelte zurück. Achtung: Sie überweisen an Kriminelle und verlieren Geld! --------------------------------------------- https://www.watchlist-internet.at/news/fake-youtube-videos-mit-elon-musk-fu… ∗∗∗ Analysis on recent wiper attacks: examples and how wiper malware works ∗∗∗ --------------------------------------------- This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared in the eastern Europe geopolitical conflict. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, ghostscript, libarchive, and tinyxml), Fedora (CuraEngine, epiphany, gzip, usd, vim, xen, and xz), Oracle (maven-shared-utils and qemu), Red Hat (gzip, python27-python and python27-python-pip, rh-maven36-maven-shared-utils, rh-python38-python, rh-python38-python-lxml, and rh-python38-python-pip, and zlib), Slackware (pidgin), SUSE (jasper, java-11-openjdk, libcaca, libslirp, mariadb, mutt, nodejs12, opera, and python-Twisted), [...] --------------------------------------------- https://lwn.net/Articles/893440/ ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to stack-based buffer overflow in GNU C Library (CVE-2022-23219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to arbitrary code execution because of Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a stack-based buffer overflow in GNU C Library (CVE-2022-23218) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow and underflow in GNU C Library (CVE-2021-3999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 91.8.0ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 – 2022.4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K24207649: GNU C Library (glibc) vulnerability CVE-2021-3999 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24207649 ∗∗∗ K52308021: GNU C Library (glibc) vulnerabilities CVE-2022-23218 and CVE-2022-23219 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52308021 ∗∗∗ K19473898: Multiple Expat vulnerabilities CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, and CVE-2022-23515 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19473898 ∗∗∗ K91589041: Expat vulnerabilities CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, and CVE-2022-22827 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91589041 ∗∗∗ K23421535: Expat vulnerabilities CVE-2022-22822, CVE-2022-22823, and CVE-2022-22824 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23421535 ∗∗∗ K23231802: Expat vulnerability CVE-2021-46143 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23231802 ∗∗∗ TRUMPF: TruTops Fab, TruTops Boost prone to vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-016/ ∗∗∗ Vulnerabilities in the communication protocol of the PLC runtime ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-577411.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2022
by Daily end-of-shift report 29 Apr '22

29 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-04-2022 18:00 − Freitag 29-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ransomware und Wiper: Cyberangriffe auf deutsche Windenergieunternehmen ∗∗∗ --------------------------------------------- Seit Beginn des Ukrainekrieges sind Windkraftanlagen-Hersteller Opfer von Cyberangriffen geworden. Besonders schwer hatten es die Angreifer wohl nicht. --------------------------------------------- https://www.golem.de/news/ransomware-und-wiper-cyberangriffe-auf-deutsche-w… ∗∗∗ Sicherheitsupdates: Angreifer könnten Firewalls von Cisco neu starten lassen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Cisco Firepower Threat Defense und Adaptive Security Appliance. --------------------------------------------- https://heise.de/-7069408 ∗∗∗ Angreifer könnten in Installationsprozess von Sonicwall Global VPN einsteigen ∗∗∗ --------------------------------------------- Sicherheitslücken gefährden Sonicwall Global VPN Client und Sonicos. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-7069729 ∗∗∗ Videokonferenzen: Schwachstellen in Zoom ermöglichen Rechteausweitung und mehr ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in der Zoom-Software könnten Angreifern ermöglichen, ihre Rechte im System auszuweiten oder unbefugt Informationen abzugreifen. --------------------------------------------- https://heise.de/-7069420 ∗∗∗ Studie: Active Directory je nach Branche unterschiedlich angreifbar ∗∗∗ --------------------------------------------- Einer Befragung von IT-Verantwortlichen zufolge spielt bei der Absicherung des Active Directory die Branche eine Rolle. Auch ist die Unternehmensgröße relevant. --------------------------------------------- https://heise.de/-7069098 ∗∗∗ EmoCheck now detects new 64-bit versions of Emotet malware ∗∗∗ --------------------------------------------- The Japan CERT has released a new version of their EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-… ∗∗∗ Colibri Loaders Unique Persistence Technique Using Get-Variable Cmdlet ∗∗∗ --------------------------------------------- Recently there has been a lot of talk on Twitter regarding the Colibri Loader and its persistence mechanism, which somehow uses the Powershell's Get-Variable cmdlet. According to MSDN, Get-Variable is a Powershell cmdlet that gets the PowerShell variables in the current console. In short, on Windows 10 or later systems, Colibri Loader drops its copy in %APPDATA%\Local\Microsoft\WindowsApps directory with the name Get-Variable.exe. It then creates a scheduled task to run Powershell in a hidden manner using powershell.exe -windowstyle hidden To the naked eye, it looks that only Powershell is running, but this scheduled task somehow triggers Colibri Loader to run. --------------------------------------------- https://fourcore.io/blogs/colibri-loader-powershell-get-variable-persistence ∗∗∗ Using Passive DNS sources for Reconnaissance and Enumeration, (Fri, Apr 29th) ∗∗∗ --------------------------------------------- In so many penetration tests or assessments, the client gives you a set of subnets and says "go for it". This all seems reasonable, until you realize that if you have a website, there might be dozens or hundreds of websites hosted there, each only accessible by their DNS name. --------------------------------------------- https://isc.sans.edu/diary/rss/28596 ∗∗∗ Don’t expect to get your data back from the Onyx ransomware group ∗∗∗ --------------------------------------------- Ransomware groups in recent years have ramped up the threats against victims to incentivize them to pay the ransom in return for their stolen and encrypted data. But a new crew is essentially destroying files larger than 2MB, so data in those files is lost even if the ransom is paid. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/04/29/onyx-ransomw… ∗∗∗ Bypassing LDAP Channel Binding with StartTLS ∗∗∗ --------------------------------------------- Active Directory LDAP implements StartTLS and it can be used to bypass the Channel Binding requirement of LDAPS for some relay attacks such as the creation of a machine account if LDAP signing is not required by the domain controller. --------------------------------------------- https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-startt… ∗∗∗ New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware ∗∗∗ --------------------------------------------- We recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet). --------------------------------------------- https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberok… ∗∗∗ The Package Analysis Project: Scalable detection of malicious open source packages ∗∗∗ --------------------------------------------- Despite open source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. --------------------------------------------- http://security.googleblog.com/2022/04/the-package-analysis-project-scalabl… ∗∗∗ Analyzing VSTO Office Files ∗∗∗ --------------------------------------------- VSTO Office files are Office document files linked to a Visual Studio Office File application. When opened, they launch a custom .NET application. There are various ways to achieve this, including methods to serve the VSTO files via an external web server. An article was recently published on the creation of these document files for [...] --------------------------------------------- https://blog.nviso.eu/2022/04/29/analyzing-vsto-office-files/ ∗∗∗ Trello From the Other Side: Tracking APT29 Phishing Campaigns ∗∗∗ --------------------------------------------- Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29’s efforts to evade detection through retooling and abuse of Atlassian's Trello service. --------------------------------------------- https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall Global VPN Client DLL Search Order Hijacking via Application Installer ∗∗∗ --------------------------------------------- SonicWall Global VPN Client 4.10.7 installer (32-bit and 64-bit) and earlier have a DLL Search Order Hijacking vulnerability in one of the installer components. Successful exploitation via a local attacker could result in command execution in the target system. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0036 ∗∗∗ AC500 V3 CODESYS VULNERABILITIES ∗∗∗ --------------------------------------------- All AC500 V3 products with firmware version smaller than 3.6.0 are affected by these vulnerabilities: CVE-2022-22513, CVE-2022-22514, CVE-2022-22515, CVE-2022-22517, CVE-2022-22518 and CVE-2022-22519. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR010997&Language… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dhcp, gzip, podman, rsync, and usd), Mageia (firefox/nss/rootcerts, kernel, kernel-linus, and thunderbird), Oracle (container-tools:2.0, container-tools:3.0, mariadb:10.3, and zlib), Red Hat (Red Hat OpenStack Platform 16.2 (python-twisted), xmlrpc-c, and zlib), SUSE (glib2, nodejs12, nodejs14, python-paramiko, python-pip, and python-requests), and Ubuntu (curl, ghostscript, libsdl1.2, libsdl2, mutt, networkd-dispatcher, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/893102/ ∗∗∗ Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-006/ ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0521 ∗∗∗ Mattermost security updates 6.6.1, 6.5.1, 6.4.3, 6.3.8 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-update-6-6-1-released/ ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to directory traversal due to CVE-2022-24785 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-0155, CVE-2022-0536, CVE-2021-3749 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1233 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1243 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM QRadar SIEM (CVE-2021-22543, CVE-2021-3653, CVE-2021-3656, CVE-2021-37576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to CVE-2022-25645 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service due to CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Denial of Service Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-24921) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: UC Deploy Container images may contain non-unique https certificates and database encryption key. (CVE-2021-39082 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-uc-deploy-container-image… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server Admin Console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.04.2022
by Daily end-of-shift report 28 Apr '22

28 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-04-2022 18:00 − Donnerstag 28-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ security.txt: Kontaktinfos für IT-Sicherheitsmeldungen standardisiert ∗∗∗ --------------------------------------------- Ein RFC beschreibt, wie Webseiten über die Datei security.txt Kontaktinformationen für Sicherheitsforscher bereitstellen können. --------------------------------------------- https://www.golem.de/news/security-txt-kontaktinfos-fuer-it-sicherheitsmeld… ∗∗∗ Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution ∗∗∗ --------------------------------------------- MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. [...] This was mitigated within 48 hours (on January 13, 2022). --------------------------------------------- https://msrc-blog.microsoft.com/2022/04/28/azure-database-for-postgresql-fl… ∗∗∗ A Day of SMB: What does our SMB/RPC Honeypot see? CVE-2022-26809, (Thu, Apr 28th) ∗∗∗ --------------------------------------------- After Microsoft patched and went public with CVE-2022-26809, the recent RPC vulnerability, we set up a complete Windows 10 system exposing port 445/TCP "to the world." The system is not patched for the RPC vulnerability. And to keep things more interesting, we are forwarding traffic from a subset of our honeypots to the system. This gives us a pretty nice cross-section and keeps the system pretty busy. Other than not applying the April patches, the system isn't particularly vulnerable and is left in the default configuration (firewall disabled, of course). So what did we get? --------------------------------------------- https://isc.sans.edu/diary/rss/28594 ∗∗∗ This isnt Optimus Primes Bumblebee but its Still Transforming ∗∗∗ --------------------------------------------- Proofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transf… ∗∗∗ Nimbuspwn detector ∗∗∗ --------------------------------------------- This tool performs several tests to determine whether the system is possibly vulnerable to Nimbuspwn (CVE-2022-29799 & CVE-2022-29800), a vulnerability in the networkd-dispatcher daemon discovered by the Microsoft 365 Defender Research Team. --------------------------------------------- https://github.com/jfrog/nimbuspwn-tools ∗∗∗ QNAP customers urged to disable AFP to protect against severe vulnerabilities ∗∗∗ --------------------------------------------- MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/qnap-cus… ∗∗∗ LAPSUS$: Recent techniques, tactics and procedures ∗∗∗ --------------------------------------------- This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents. --------------------------------------------- https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-a… ∗∗∗ Neue Cyberspionage‑Kampagnen der TA410 Gruppe ∗∗∗ --------------------------------------------- ESET-Forscher enthüllen ein detailliertes Profil der APT-Gruppe TA410: Wir glauben, dass diese Cyberspionage-Dachgruppe aus drei verschiedenen Teams besteht, die unterschiedliche Tools verwenden, darunter eine neue Version der von ESET entdeckten FlowCloud-Spionage-Backdoor. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/04/27/cyberspionage-unter-dem-t… ∗∗∗ CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have updated joint Cybersecurity Advisory AA22-057A: Destructive Malware Targeting Organizations in Ukraine, originally released February 26, 2022. The advisory has been updated to include additional indicators of compromise for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/28/cisa-and-fbi-upda… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#730007: Tychon is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗ --------------------------------------------- Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges. --------------------------------------------- https://kb.cert.org/vuls/id/730007 ∗∗∗ VU#411271: Qt allows for privilege escalation due to hard-coding of qt_prfxpath value ∗∗∗ --------------------------------------------- Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt. --------------------------------------------- https://kb.cert.org/vuls/id/411271 ∗∗∗ IBM Security Bulletins 2022-04-27 ∗∗∗ --------------------------------------------- IBM InfoSphere Information Server, IBM Watson for IBM Cloud Pak, Liberty for Java for IBM Cloud, IBM Cloud Transformation Advisor, WebSphere Application Server, IBM Spectrum Discover, IBM Integration Bus, IBM App Connect Enterprise, IBM Netezza Platform Server, IBM PowerVM Novalink, IBM Spectrum Scale SMB protocol --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-04-27 ∗∗∗ --------------------------------------------- Cisco released 17 Security Advisories (11 High, 6 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ PHP Object Injection Vulnerability in Booking Calendar Plugin ∗∗∗ --------------------------------------------- On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations. We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-cale… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, golang-1.7, and golang-1.8), Fedora (bettercap, chisel, containerd, doctl, gobuster, golang-contrib-opencensus-resource, golang-github-appc-docker2aci, golang-github-appc-spec, golang-github-containerd-continuity, golang-github-containerd-stargz-snapshotter, golang-github-coredns-corefile-migration, golang-github-envoyproxy-protoc-gen-validate, golang-github-francoispqt-gojay, golang-github-gogo-googleapis, golang-github-gohugoio-testmodbuilder, golang-github-google-containerregistry, golang-github-google-slothfs, golang-github-googleapis-gnostic, golang-github-googlecloudplatform-cloudsql-proxy, golang-github-grpc-ecosystem-gateway-2, golang-github-haproxytech-client-native, golang-github-haproxytech-dataplaneapi, golang-github-instrumenta-kubeval, golang-github-intel-goresctrl, golang-github-oklog, golang-github-pact-foundation, golang-github-prometheus, golang-github-prometheus-alertmanager, golang-github-prometheus-node-exporter, golang-github-prometheus-tsdb, golang-github-redteampentesting-monsoon, golang-github-spf13-cobra, golang-github-xordataexchange-crypt, golang-gopkg-src-d-git-4, golang-k8s-apiextensions-apiserver, golang-k8s-code-generator, golang-k8s-kube-aggregator, golang-k8s-sample-apiserver, golang-k8s-sample-controller, golang-mongodb-mongo-driver, golang-storj-drpc, golang-x-perf, gopass, grpcurl, onionscan, shellz, shhgit, snowcrash, stb, thunderbird, and xq), Oracle (gzip, kernel, and polkit), Slackware (curl), SUSE (buildah, cifs-utils, firewalld, golang-github-prometheus-prometheus, libaom, and webkit2gtk3), and Ubuntu (nginx and thunderbird). --------------------------------------------- https://lwn.net/Articles/893001/ ∗∗∗ Synology-SA-22:06 Netatalk ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_06 ∗∗∗ CVE-2022-23812: NPM Package node-ipc With Malicious Code Found in Russia and Belarus ∗∗∗ --------------------------------------------- Malicious code, also known as protestware, within certain versions of the package was causing chaos among Russia and Belarus based developers—overwriting their entire file system with a heart emoji. These versions (10.1.0 and 10.1.2) are now tracked under CVE-2022-23812. --------------------------------------------- https://orca.security/resources/blog/cve-2022-23812-protestware-malicious-c… ∗∗∗ ZDI-22-622: Sante DICOM Viewer Pro J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-622/ ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-118-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.04.2022
by Daily end-of-shift report 27 Apr '22

27 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-04-2022 18:00 − Mittwoch 27-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emotet malware now installs via PowerShell in Windows shortcut files ∗∗∗ --------------------------------------------- The Emotet botnet is now using Windows shortcut files (.LNK) containing PowerShell commands to infect victims computers, moving away from Microsoft Office macros that are now disabled by default. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-… ∗∗∗ RIG Exploit Kit drops RedLine malware via Internet Explorer bug ∗∗∗ --------------------------------------------- Threat analysts have uncovered yet another large-scale campaign delivering the RedLine stealer malware onto worldwide targets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rig-exploit-kit-drops-redlin… ∗∗∗ MITRE ATT&CK v11 - a small update that can help (not just) with detection engineering, (Wed, Apr 27th) ∗∗∗ --------------------------------------------- On Monday, a new version of the framework was released, which (among other changes) extends its content a little in order to make its use more straightforward when it comes to mapping of existing detections and for implementation of new ones. --------------------------------------------- https://isc.sans.edu/diary/rss/28590 ∗∗∗ Encrypting our way to SSRF in VMWare Workspace One UEM (CVE-2021-22054) ∗∗∗ --------------------------------------------- We discovered a pre-authentication vulnerability that allowed us to make arbitrary HTTP requests, including requests with any HTTP method and request body. --------------------------------------------- https://blog.assetnote.io/2022/04/27/vmware-workspace-one-uem-ssrf/ ∗∗∗ Npm-Schwachstelle "Package Planting": Vertrauen ist gut, Kontrolle ist besser ∗∗∗ --------------------------------------------- Eine als Package Planting bezeichnete Sicherheitslücke im Paketmanager npm erlaubte laut Aquasec, die Vertrauenswürdigkeit bekannter Maintainer zu missbrauchen. --------------------------------------------- https://heise.de/-7066873 ∗∗∗ Knapp die Hälfte der Ransomware-Opfer zahlt Lösegeld ∗∗∗ --------------------------------------------- Die Zahl der von Erpressungstrojanern angegriffenen Mittelständler weltweit steigt. Und viele von ihnen zahlen Lösegeld - oft in siebenstelliger Höhe. --------------------------------------------- https://heise.de/-7067219 ∗∗∗ Webinar: Sicher bezahlen im Internet ∗∗∗ --------------------------------------------- Am Dienstag, den 3. Mai 2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Sicher bezahlen im Internet" statt. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-sicher-bezahlen-im-internet/ ∗∗∗ Betrügerische Anrufe zu Investitionsmöglichkeiten und Bitcoin ∗∗∗ --------------------------------------------- Vermehrt werden der Watchlist Internet aktuell betrügerische Anrufe gemeldet. Kriminelle versuchen durch diese Anrufe Opfer für Investment-Betrugsmaschen zu gewinnen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-anrufe-zu-investition… ∗∗∗ AA22-117A: 2021 Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-117a ===================== = Vulnerabilities = ===================== ∗∗∗ New Nimbuspwn Linux vulnerability gives hackers root privileges ∗∗∗ --------------------------------------------- A new set of vulnerabilities collectively tracked as Nimbuspwn could let local attackers escalate privileges on Linux systems to deploy malware ranging from backdoors to ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nimbuspwn-linux-vulnerab… ∗∗∗ CVE-2022-26148 Grafana Vulnerability in NetApp Products ∗∗∗ --------------------------------------------- Multiple NetApp products incorporate Grafana. Grafana versions through 7.3.4 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). --------------------------------------------- https://security.netapp.com/advisory/ntap-20220425-0005/ ∗∗∗ Schadcode könnte Nvidias Embedded-System Jetson gefährlich werden ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen Lücken in verschiedenen Jetson-Systemen von Nvidia. --------------------------------------------- https://heise.de/-7067304 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (virtualbox), Red Hat (container-tools:2.0, container-tools:3.0, gzip, kernel, kernel-rt, kpatch-patch, mariadb:10.3, mariadb:10.5, maven-shared-utils, polkit, vim, xmlrpc-c, and zlib), Scientific Linux (maven-shared-utils), SUSE (ant, go1.17, go1.18, kernel, and xen), and Ubuntu (fribidi, git, libcroco, libsepol, linux, linux-gcp, linux-ibm, linux-lowlatency, openjdk-17, and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/892802/ ∗∗∗ Chrome 101.0.4951.41 fixt 30 Schwachstellen ∗∗∗ --------------------------------------------- Google hat zum 26. April 2022 Updates des Google Chrome 101.0.4951.41 für Windows und Mac auf dem Desktop im Stable Channel freigegeben. Das ist der neue 101-Entwicklungszweig, wobei das Update 30, zum Teil als Hoch eingestufte Schwachstellen schließt. --------------------------------------------- https://www.borncity.com/blog/2022/04/27/chrome-101-0-4951-41-fixt-30-schwa… ∗∗∗ Security Advisory - Buffer Overflow Vulnerabilities In Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220427-… ∗∗∗ Security Bulletin: UrbanCode Deploy users with create-resource permission for the standard resource type may create child resources inheriting custom types (CVE-2022-22315). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-urbancode-deploy-users-wi… ∗∗∗ Security Bulletin: Dojo vulnerability in WebSphere Liberty affects SPSS Collaboration and Deployment Services (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-dojo-vulnerability-in-web… ∗∗∗ K51975973: Eclipse Jetty vulnerability CVE-2021-34428 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51975973 ∗∗∗ PILZ: PMC programming tool 2.x.x affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-055/ ∗∗∗ PILZ: PMC programming tool 3.x.x affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-061/ ∗∗∗ PILZ: Multiple vulnerabilities in CODESYS V2 and V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-054/ ∗∗∗ BENDER/EBEE: Multiple Charge Controller Vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-047/ ∗∗∗ Miele: Security vulnerability in Benchmark Programming Tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-015/ ∗∗∗ Improper Control of Generation of Code in Bosch MATRIX ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-309239-bt.html ∗∗∗ Vulnerability in routers FL MGUARD and TC MGUARD ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-982696.html ∗∗∗ SonicOS Content Filtering Service and SNMP feature affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0004 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2022
by Daily end-of-shift report 26 Apr '22

26 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Montag 25-04-2022 18:00 − Dienstag 26-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Emotet war kaputt, infiziert jetzt aber wieder vermehrt Windows-Computer ∗∗∗ --------------------------------------------- Die hoch entwickelte Schadsoftware Emotet baut nach einem Fehler seine Attacken weltweit weiter aus. --------------------------------------------- https://heise.de/-7064903 ∗∗∗ Virustotal: Einbrecher führen eigenen Code auf Googles Servern aus ∗∗∗ --------------------------------------------- Update 26.04.2022 16:00 Uhr: Der Virustotal-Gründer Bernardo Quintero twitterte, dass keine VT-Maschinen direkt betroffen waren. Es handelte sich um Dritthersteller-und Partner-Maschinen etwa bei Antivirus-Herstellern, die die Daten von Virustotal für ihre Zwecke analysieren, erläutert Quintero dort. --------------------------------------------- https://heise.de/-7065048 ∗∗∗ Welpen kaufen im Internet: bulldogge-franzosische-welpen.com ist Betrug ∗∗∗ --------------------------------------------- Wer im Internet nach Welpen sucht, stößt höchstwahrscheinlich auf betrügerische Online-Shops für Welpen. „bulldogge-franzosische-welpen.com“ ist ein solcher Shop. Dort werden bezaubernde Welpen geboten, sogar mit Papieren. 900 Euro kostet eine französische Bulldogge. Doch Vorsicht: Sie erhalten trotz Bezahlung keinen Welpen. --------------------------------------------- https://www.watchlist-internet.at/news/welpen-kaufen-im-internet-bulldogge-… ∗∗∗ Hackers exploit critical VMware RCE flaw to install backdoors ∗∗∗ --------------------------------------------- Advanced hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2022-22954, that affects in VMware Workspace ONE Access (formerly called VMware Identity Manager). --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmw… ∗∗∗ Phishing goes KISS: Don’t let plain and simple messages catch you out! ∗∗∗ --------------------------------------------- Sometimes we receive phishing tricks that we grudgingly have to admit are better than average, just because theyre uncomplicated. --------------------------------------------- https://nakedsecurity.sophos.com/2022/04/25/phishing-goes-kiss-dont-let-pla… ∗∗∗ WSO2 RCE exploited in the wild, (Tue, Apr 26th) ∗∗∗ --------------------------------------------- While investigating a malicious crypto-mining case, I discovered that attackers implanted the payload exploiting a recently patched RCE vulnerability (CVE-2022-29464) affecting multiple WSO2 products, including API Manager. The vulnerability was discovered by Orange Tsai and responsibly disclosed to WSO2. --------------------------------------------- https://isc.sans.edu/diary/rss/28586 ∗∗∗ Over 18.8 million IPs vulnerable to Middlebox TCP reflection DDoS attacks ∗∗∗ --------------------------------------------- We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks. Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000! --------------------------------------------- https://www.shadowserver.org/news/over-18-8-million-ips-vulnerable-to-middl… ∗∗∗ Conti Ransomware Activity Surges Despite Exposure of Groups Operations ∗∗∗ --------------------------------------------- Conti ransomware activity has surged in the past weeks despite the recent exposure of the group’s operations by a pro-Ukraine hacktivist. --------------------------------------------- https://www.securityweek.com/conti-ransomware-activity-surges-despite-expos… ∗∗∗ Lapsus$: The script kiddies are alright ∗∗∗ --------------------------------------------- One afternoon last month, the regional head of security for the identity management platform Okta, an Australian named Brett Winterford, was in the middle of a client meeting when his phone sprang to life. “The first message said, ‘It looks like you’re going to have a bad day,’” he recently recalled. “And the second message [...] --------------------------------------------- https://therecord.media/lapsus-the-script-kiddies-are-alright/ ∗∗∗ New Malware of Lazarus Threat Actor Group Exploiting INITECH Process ∗∗∗ --------------------------------------------- The AhnLab ASEC analysis team has discovered that there are 47 companies and institutions—including defense companies—infected with the malware distributed by the Lazarus group in the first quarter of 2022. Considering the severity of the situation, the team has been monitoring the infection cases. In systems of the organizations infected with the malware, it was found that malicious behaviors stemmed from the process of INITECH (inisafecrosswebexsvc.exe), [...] --------------------------------------------- https://asec.ahnlab.com/en/33801/ ∗∗∗ Evasive Phishing Techniques Threat Actors Use to Circumvent Defense Mechanisms ∗∗∗ --------------------------------------------- Phishing continues to be the number one threat faced by companies of all sizes, and one of the main entry points threat actors use to infiltrate networks. As defenses continue to evolve, so do the tactics threat actors use to circumvent those defenses. In this article, the GoSecure Titan® Inbox Detection & Response (IDR) team shares examples of tactics threat actors have used to bypass anti-phishing defenses. --------------------------------------------- https://www.gosecure.net/blog/2022/04/26/evasive-phishing-techniques-threat… ∗∗∗ Attacker Adds Evasive Technique to Their Ongoing Attacks on NPM ∗∗∗ --------------------------------------------- A few weeks ago, we wrote about a new threat actor we called RED-LILI and described their capabilities, including an in-depth walkthrough of the automated system for publishing malicious NPM packages from automatically created user accounts. After our publication, we [...] --------------------------------------------- https://checkmarx.com/blog/attacker-adds-evasive-technique-to-their-ongoing… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg), Fedora (htmldoc, moby-engine, plantuml, and zchunk), Oracle (java-1.8.0-openjdk, java-17-openjdk, and kernel), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), Slackware (freerdp), SUSE (kernel, mutt, SUSE Manager Client Tools, and xen), and Ubuntu (barbican and git). --------------------------------------------- https://lwn.net/Articles/892674/ ∗∗∗ Hitachi Energy System Data Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Integer Overflow or Wraparound, Reachable Assertion, Type Confusion, Uncontrolled Recursion, and Observable Discrepancy vulnerabilities in Hitachi Energy System Data Manager products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-116-01 ∗∗∗ Mitsubishi Electric MELSEC and MELIPC Series (Update B) ∗∗∗ --------------------------------------------- This updated advisory is a follow up to the advisory update titled ICSA-21-334-02 Mitsubishi Electric MELSEC and MELIPC Series (Update A) that was published January 27, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for Uncontrolled Resource Consumption, Improper Handling of Length Parameter Inconsistency, and Improper Input Validation vulnerabilities in Mitsubishi Electric MELSEC and MELIPC Series software management platforms. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02 ∗∗∗ CISA Adds Seven Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/25/cisa-adds-seven-k… ∗∗∗ K53648360: Linux kernel vulnerability CVE-2022-27666 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53648360 ∗∗∗ Pepperl+Fuchs: Vulnerability in multiple VisuNet devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-012/ ∗∗∗ TYPO3 Extensions: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0499 ∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD is vulnerable to a denial of service vulnerability (CVE-2022-22323, CVE-2022-22312) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-passw… ∗∗∗ Security Bulletin: Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-crypto-hardware-initializ… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may be vulnerable to an exposure of sensitive information by an aunauthorized actor through follow-redirects (CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat affects IBM Process Mining (CVE-2022-23181) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-22345, CVE-2020-8022, CVE-2021-33813, CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2022
by Daily end-of-shift report 25 Apr '22

25 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-04-2022 18:00 − Montag 25-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Einbruch in kritische Infrastrukturen: Experten zeigen, wie einfach es ist ∗∗∗ --------------------------------------------- Niederländische Forscher haben beim Hackerwettbewerb Pwn2Own demonstriert, wie leicht sich Industriesoftware übernehmen lässt, die zentrale Dienste steuert. --------------------------------------------- https://heise.de/-7062641 ∗∗∗ Netzwerkspeicher: Apple-Protokolle reißen Sicherheitslücken in Qnap-NAS ∗∗∗ --------------------------------------------- Die Unterstützung von Apples Netzwerkprotokollen durch netatalk in Qnap-NAS-Systemen bringt teils kritische Sicherheitslücken mit. Erste Updates stehen bereit. --------------------------------------------- https://heise.de/-7064336 ∗∗∗ Hacker-Gruppe Lapsus$ soll Sourcecode von T-Mobile kopiert haben ∗∗∗ --------------------------------------------- Angreifer sind mit erbeuteten Zugangsdaten in Computer-Systeme von T-Mobile eingebrochen. Kundendaten sollen nicht betroffen sein. --------------------------------------------- https://heise.de/-7063836 ∗∗∗ Fake-E-Mail von Spotify: Kriminelle versuchen Ihr Konto zu übernehmen ∗∗∗ --------------------------------------------- Kriminelle versenden momentan gefälschte Spotify-E-Mails, um Ihr Konto zu übernehmen und Kreditkartendaten zu stehlen. Nutzer:innen erhalten vom Absender „Spotify-Rechnung“ ein Schreiben, in dem ein Problem mit Ihrer Zahlung vorgetäuscht wird. Im E-Mail werden Sie gebeten, auf einen Button zu klicken. Dieser führt dann auf eine gefälschte Spotify-Login-Seite. Daten, die dort eingetippt werden, landen direkt bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-e-mail-von-spotify-kriminelle-v… ∗∗∗ New powerful Prynt Stealer malware sells for just $100 per month ∗∗∗ --------------------------------------------- Threat analysts have spotted yet another addition to the growing space of info-stealer malware infections, named Prynt Stealer, which offers powerful capabilities and extra keylogger and clipper modules. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-powerful-prynt-stealer-m… ∗∗∗ DDoS attacks in Q1 2022 ∗∗∗ --------------------------------------------- Against the backdrop of the conflict between Russia and Ukraine, the number of DDoS attacks in Q1 2022 increased by 4.5 times against Q1 2021. A significant proportion of them were by hacktivists. --------------------------------------------- https://securelist.com/ddos-attacks-in-q1-2022/106358/ ∗∗∗ Are Roku Streaming Devices Safe from Exploitation?, (Sat, Apr 23rd) ∗∗∗ --------------------------------------------- I have noticed in the past several weeks random scans specifically for Roku streaming devices (and likely other types) captured by my honeypot. If they can be compromised, what can be gain? Settings like stored payment information, personal information (email/password), subscription, App selected, etc. Like any other devices, it is important to keep the OS and Apps up-to-date. --------------------------------------------- https://isc.sans.edu/diary/rss/28578 ∗∗∗ Simple PDF Linking to Malicious Content, (Mon, Apr 25th) ∗∗∗ --------------------------------------------- Last week, I found an interesting piece of phishing based on a PDF file. Today, most of the PDF files that are delivered to end-user are not malicious, I mean that they dont contain an exploit to trigger a vulnerability and infect the victims computer. They are just used as a transport mechanism to deliver more malicious content. Yesterday, Didier analyzed the same kind of Word document[1]. They are more and more common because they are (usually) not blocked by common filters at the perimeter. --------------------------------------------- https://isc.sans.edu/diary/rss/28582 ∗∗∗ Researcher Releases PoC for Recent Java Cryptographic Vulnerability ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) code demonstrating a newly disclosed digital signature bypass vulnerability in Java has been shared online. The high-severity flaw in question, CVE-2022-21449 (CVSS score: 7.5), impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition - [...] --------------------------------------------- https://thehackernews.com/2022/04/researcher-releases-poc-for-recent-java.h… ∗∗∗ Defeating BazarLoader Anti-Analysis Techniques ∗∗∗ --------------------------------------------- Anti-analysis techniques make it harder for malware analysts to do their work. We cover BazarLoader anti-analysis techniques and how to defeat them. --------------------------------------------- https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/ ∗∗∗ Webcam hacking: How to know if someone may be spying on you through your webcam ∗∗∗ --------------------------------------------- Camfecting doesn’t ‘just’ invade your privacy – it could seriously impact your mental health and wellbeing. Here’s how to keep an eye on your laptop camera. --------------------------------------------- https://www.welivesecurity.com/2022/04/25/webcam-hacking-how-know-someone-s… ∗∗∗ Quantum Ransomware ∗∗∗ --------------------------------------------- In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for [...] --------------------------------------------- https://thedfirreport.com/2022/04/25/quantum-ransomware/ ∗∗∗ FBI Releases IOCs Associated with BlackCat/ALPHV Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/22/fbi-releases-iocs… ∗∗∗ Malware analysis report on SparrowDoor malware ∗∗∗ --------------------------------------------- A technical analysis of a new variant of the SparrowDoor malware. --------------------------------------------- https://www.ncsc.gov.uk/report/mar-sparrowdoor ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Bug in Everscale Wallet Couldve Let Attackers Steal Cryptocurrencies ∗∗∗ --------------------------------------------- A security vulnerability has been disclosed in the web version of the Ever Surf wallet that, if successfully weaponized, could allow an attacker to gain full control over a victims wallet. --------------------------------------------- https://thehackernews.com/2022/04/critical-bug-in-everscale-wallet.html ∗∗∗ IBM Security Bulletins 2022-04-22 ∗∗∗ --------------------------------------------- IBM Cloud Private, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Sterling File Gateway, IBM Watson Explorer, IBM Planning Analytics, IBM App Connect Enterprise --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ IBM schließt kritische Sicherheitslücken in Cognos Analytics ∗∗∗ --------------------------------------------- In der Business-Intelligence-Software IBM Cognos Analytics könnten Angreifer unter anderem Schadcode einschleusen. Aktualisierte Software behebt die Probleme. --------------------------------------------- https://heise.de/-7063645 ∗∗∗ Sicherheitsupdates Atlassian Jira: Angreifer könnten Authentifizierung umgehen ∗∗∗ --------------------------------------------- Die Entwickler haben eine kritische Sicherheitslücke im Projektmanagement-Tool Jira geschlossen. --------------------------------------------- https://heise.de/-7063649 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel, kernel-headers, kernel-tools, libinput, podman-tui, and vim), Mageia (git, gzip/xz, libdxfrw, libinput, librecad, and openscad), and SUSE (dnsmasq, git, libinput, libslirp, libxml2, netty, podofo, SDL, SDL2, and tomcat). --------------------------------------------- https://lwn.net/Articles/892536/ ∗∗∗ Opportunistic Exploitation of WSO2 CVE-2022-29464 ∗∗∗ --------------------------------------------- On April 18, 2022, MITRE published CVE-2022-29464, an unrestricted file upload vulnerability affecting various WSO2 products. --------------------------------------------- https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-w… ∗∗∗ FreeRADIUS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0496 ∗∗∗ Multiple Vulnerabilities in Netatalk ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-12 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2022
by Daily end-of-shift report 22 Apr '22

22 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-04-2022 18:00 − Freitag 22-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Apple-Codec sorgt für Lücke in Android-Smartphones ∗∗∗ --------------------------------------------- Mit päparierten Audiodateien haben sich etliche Android-Smartphones mit Qualcomm- oder Mediatek-Chip hacken lassen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-apple-codec-sorgt-fuer-luecke-i… ∗∗∗ LemonDuck zielt auf Docker ∗∗∗ --------------------------------------------- LemonDuck, ein Kryptomining-Botnet, hat es auf Docker abgesehen, um Kryptowährung auf Linux-Systemen zu schürfen. Diese Kampagne ist derzeit aktiv. --------------------------------------------- https://www.zdnet.de/88400783/lemonduck-zielt-auf-docker/ ∗∗∗ Kritische Lücken in XML Parser Expat gefährden IBM Db2 ∗∗∗ --------------------------------------------- Updates sichern die Datenbank-Software Db2 von IBM ab. Angreifer könnten Systeme mit Schadcode attackieren. --------------------------------------------- https://heise.de/-7062152 ∗∗∗ Vorsicht Fake-SMS: „Sie haben eine neue Sprachnachricht erhalten“ ∗∗∗ --------------------------------------------- Leser:innen der Watchlist Internet melden derzeit wieder vermehrt betrügerische SMS. Kriminelle behaupten dabei, dass Sie eine neue Sprachnachricht hätten. Um mehr zu erfahren, sollen Sie auf einen Link klicken. Wer diesem Link folgt, landet auf einer betrügerischen Webseite, auf der eine App heruntergeladen werden soll. Installieren Sie die App auf keinen Fall! Es handelt sich um gefährliche Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-fake-sms-sie-haben-eine-neu… ∗∗∗ QNAP warns of new bugs in its Network Attached Storage devices ∗∗∗ --------------------------------------------- Heres what you need to know - plus some sensible advice for all the devices on your home or small biz network! --------------------------------------------- https://nakedsecurity.sophos.com/2022/04/22/qnap-warns-of-new-bugs-in-its-n… ∗∗∗ Threat Assessment: BlackByte Ransomware ∗∗∗ --------------------------------------------- BlackByte is ransomware as a service that emerged in July 2021. Read our overview and recommended courses of action for mitigation. --------------------------------------------- https://unit42.paloaltonetworks.com/blackbyte-ransomware/ ∗∗∗ Atlassian fixes critical Jira authentication bypass vulnerability ∗∗∗ --------------------------------------------- Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the companys web application security framework. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-jir… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (composer, golang-x-crypto, rubygem-nokogiri, wavpack, xen, and xz) and SUSE (dnsmasq, openjpeg, swtpm, tomcat, and xen). --------------------------------------------- https://lwn.net/Articles/892372/ ∗∗∗ Multiple vulnerabilities found in Mitsubishi controllers ∗∗∗ --------------------------------------------- Mitsubishi recommends using encryption and firewalls. This will help minimize the risk of the detected vulnerabilities being exploited. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/multiple-vulnerabilities-found-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – nginx (CVE-2018-16844, CVE-2018-16845, CVE-2018-16843, CVE-2019-7401) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in Node.js affects IBM Process Mining (CVE-2019-5484) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Vulnerability in Lodash affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-lodash-a… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44532) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2020-27223,CVE-2021-28169) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Node.js Color-String affects IBM Process Mining (CVE-2021-29060) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – curl (CVE-2020-8231) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Node.js lodash affects IBM Process Mining (CVE-2021-23337,CVE-2020-28500) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2020-27216) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: Vulnerability in jQuery affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jquery-a… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44533) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in http2-common affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-http2-co… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2021-28165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – NGINX (CVE-2019-20372) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in Node.js normalize-url affects IBM Process Mining (CVE-2021-33502) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Vulnerability in Node.js IS-SVG affects IBM Process Mining (CVE-2021-29059, CVE-2021-28092) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: The Apache Log4j (CVE-2021-4104) vulnerability affects TPF Operations Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-apache-log4j-cve-2021… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Due to WebSphere Liberty is vulnerable, PowerVM Novalink could allow a remote attacker to hijack the clicking action of the victim. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-websphere-liberty-… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights CVE-2021-39031 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to a denial of service through node.js lodash ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons IO affects IBM Process Mining (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: Vulnerability in nth-check affects IBM Process Mining (CVE-2021-3803) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nth-chec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.04.2022
by Daily end-of-shift report 21 Apr '22

21 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-04-2022 18:00 − Donnerstag 21-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Exchange servers hacked to deploy Hive ransomware ∗∗∗ --------------------------------------------- A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-h… ∗∗∗ REvils TOR sites come alive to redirect to new ransomware operation ∗∗∗ --------------------------------------------- REvil ransomwares servers in the TOR network are back up after months of inactivity and redirect to a new operation that appears to have started since at least mid-December last year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-… ∗∗∗ Multi-Cryptocurrency Clipboard Swapper, (Thu, Apr 21st) ∗∗∗ --------------------------------------------- It’s not the first time that I found a piece of code that monitors the clipboard and swap the BTC address found with the attacker's one. This time, the script that I found supports a lot of cryptocurrencies! --------------------------------------------- https://isc.sans.edu/diary/rss/28574 ∗∗∗ Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark ∗∗∗ --------------------------------------------- This time we will take a closer look at what the CIS Google Cloud Platform Foundation Benchmark offers against 10 of the most common GCP misconfigurations that NCC Group comes across during client assessments. --------------------------------------------- https://research.nccgroup.com/2022/04/20/mitigating-the-top-10-security-thr… ∗∗∗ Two OpenWrt updates ∗∗∗ --------------------------------------------- The OpenWrt 21.02.3 and 19.07.10 updates have been released. These updates contain some security fixes and improved device support. --------------------------------------------- https://lwn.net/Articles/892161/ ∗∗∗ Willhaben, ebay, Vinted & Co. im Fokus von Kriminellen! ∗∗∗ --------------------------------------------- Egal ob Sie etwas kaufen oder verkaufen wollen – nehmen Sie sich vor der Abzocke auf Kleinanzeigenplattformen in Acht! Wenn Sie dazu aufgefordert werden, die Transaktion mithilfe eines Kurierdienstes abzuwickeln, brechen Sie den Kontakt ab. --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-ebay-vinted-co-im-fokus-vo… ∗∗∗ Abusing Azure Container Registry Tasks ∗∗∗ --------------------------------------------- In this post, I will explain how one Azure service supporting DevOps can start in a very solid “secure by default” state, but then quickly descend into a very dangerous configured state. --------------------------------------------- https://posts.specterops.io/abusing-azure-container-registry-tasks-1f407bfa… ∗∗∗ Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.6 ∗∗∗ --------------------------------------------- A deep dive into specifics around cobalt strike malleable c2 profiles and key information that is new in cobalt strike 4.6 --------------------------------------------- https://blog.zsec.uk/cobalt-strike-profiles/ ∗∗∗ TeamTNT targeting AWS, Alibaba ∗∗∗ --------------------------------------------- TeamTNT is actively modifying its scripts after they were made public by security researchers. These scripts primarily target Amazon Web Services, but can also run in on-premise, container, or other forms of Linux instances. --------------------------------------------- http://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-04-20 ∗∗∗ --------------------------------------------- Cisco published 12 Security Advisories (3 High, 9 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Statischer SSH-Schlüssel macht Cloudsicherheitssystem Cisco Umbrella zu schaffen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates für Hard- und Software von Cisco schließen mehrere Lücken. Angreifer könnten Admin-Zugangsdaten mitschneiden. --------------------------------------------- https://heise.de/-7061311 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (frr, grafana, gzip, and pdns), Oracle (java-11-openjdk), Red Hat (java-11-openjdk and kernel), Scientific Linux (java-11-openjdk), SUSE (dcraw, GraphicsMagick, gzip, kernel, nbd, netty, qemu, SDL, and xen), and Ubuntu (libinput, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure,[...] --------------------------------------------- https://lwn.net/Articles/892214/ ∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-009 ∗∗∗ Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-008 ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22435) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affect App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: Vulnerability in Linux Kernel affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-linux-ke… ∗∗∗ Security Bulletin: IBM Emptoris Supplier Lifecycle Management vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-supplier-lif… ∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-use-case-manag… ∗∗∗ Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities in the included Expat 3rd party library (CVE-2022-23852 and CVE-2022-23990) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-affected-by-mu… ∗∗∗ Security Bulletin: A Vulnerability in IBM WebSphere Application Server – Liberty affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Jira Security Advisory 2022-04-20 ∗∗∗ --------------------------------------------- https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-111… ∗∗∗ Delta Electronics ASDA-Soft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-111-01 ∗∗∗ Johnson Controls Metasys SCT Pro ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-111-02 ∗∗∗ Hitachi Energy MicroSCADA Pro/X SYS600 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-111-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.04.2022
by Daily end-of-shift report 20 Apr '22

20 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-04-2022 18:00 − Mittwoch 20-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CISA warns of attackers now exploiting Windows Print Spooler bug ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its list of actively exploited bugs, including a local privilege escalation bug in the Windows Print Spooler. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-attackers-now-… ∗∗∗ Emotet botnet switches to 64-bit modules, increases activity ∗∗∗ --------------------------------------------- The Emotet malware is having a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64… ∗∗∗ Google: 2021 war Rekordjahr für entdeckte Zero Days ∗∗∗ --------------------------------------------- Laut Google ändert sich die Ursache der Sicherheitslücken selbst aber kaum. Größtes Problem bleiben Speicherfehler. --------------------------------------------- https://www.golem.de/news/google-2021-war-rekordjahr-fuer-entdeckte-zero-da… ∗∗∗ "aa" distribution Qakbot (Qbot) infection with DarkVNC traffic, (Wed, Apr 20th) ∗∗∗ --------------------------------------------- Chain of Events and IOCs of a Qakbot infection. --------------------------------------------- https://isc.sans.edu/diary/rss/28568 ∗∗∗ Phishing-Welle zu Online-Banking rollt durch Postfächer ∗∗∗ --------------------------------------------- Aktuell rollt eine Phishing-Welle durch österreichische E-Mail-Postfächer, mit der es Kriminelle vor allem auf Online-Banking-Daten abgesehen haben. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-welle-zu-online-banking-rol… ∗∗∗ CISA Releases Secure Cloud Business Applications (SCuBA) Guidance Documents for Public Comment ∗∗∗ --------------------------------------------- CISA has released draft versions of two guidance documents—along with a request for comment (RFC)—that are a part of the recently launched Secure Cloud Business Applications (SCuBA) project. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/19/cisa-releases-sec… ∗∗∗ Investigating an engineering workstation – Part 3 ∗∗∗ --------------------------------------------- In our third blog post we will focus on information we can get from the projects itself. --------------------------------------------- https://blog.nviso.eu/2022/04/20/investigating-an-engineering-workstation-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Elliptische Kurven: Java-Signaturprüfung lässt sich mit Nullen austricksen ∗∗∗ --------------------------------------------- Bei der Prüfung von ECDSA-Signaturen in Java fand sich ein Fehler, der dazu führt, dass man eine immer gültige Signatur erstellen kann. --------------------------------------------- https://www.golem.de/news/elliptische-kurven-java-signaturpruefung-laesst-s… ∗∗∗ Oracle stellt 520 Sicherheitspatches für sein Software-Portfolio bereit ∗∗∗ --------------------------------------------- Admins von Oracle-Anwendungen sollten die verfügbaren Aktualisierungen installieren, um zum Teil kritische Sicherheitslücken zu schließen. --------------------------------------------- https://heise.de/-6746906 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (condor), Red Hat (389-ds:1.4, container-tools:2.0, kernel, kernel-rt, and kpatch-patch), SUSE (chrony, containerd, expat, git, icedtea-web, jsoup, jsr-305, kernel, libeconf, shadow and util-linux, protobuf, python-libxml2-python, python3, slirp4netns, sssd, vim, and wpa_supplicant), and Ubuntu (bash). --------------------------------------------- https://lwn.net/Articles/892047/ ∗∗∗ AWSs Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation ∗∗∗ --------------------------------------------- We identified severe security issues within AWS Log4Shell hot patch solutions. We provide a root cause analysis and overview of fixes and mitigations. --------------------------------------------- https://unit42.paloaltonetworks.com/aws-log4shell-hot-patch-vulnerabilities/ ∗∗∗ SSA-254054: Spring Framework Vulnerability (Spring4Shell or SpringShell, CVE-2022-22965) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-254054.txt ∗∗∗ Security Bulletin: IBM Emptoris Strategic Supply Management Platform is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-strategic-su… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by Node.js vulnerability (CVE-2021-22939) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ Security Bulletin: IBM Emptoris Sourcing is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-sourcing-is-… ∗∗∗ Security Bulletin: IBM Emptoris Contract Management is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-contract-man… ∗∗∗ Security Bulletin: IBM Emptoris Program Management is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-program-mana… ∗∗∗ April 19, 2022 TNS-2022-09 [R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-09 ∗∗∗ Veritas NetBackup: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0474 ∗∗∗ Interlogix Hills ComNav ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-01 ∗∗∗ Automated Logic WebCTRL ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-02 ∗∗∗ FANUC ROBOGUIDE Simulation Platform ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-03 ∗∗∗ Elcomplus SmartPPT SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-04 ∗∗∗ Multiple ctrlX CORE vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-029150.html ∗∗∗ MISP 2.4.158 security fix and general improvement release ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.158 ∗∗∗ Multiple Vulnerabilities in Apache HTTP Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2022
by Daily end-of-shift report 19 Apr '22

19 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-04-2022 18:00 − Dienstag 19-04-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Freier Decryptor für Yanlouwang-Ransomware ∗∗∗ --------------------------------------------- Sicherheitsanbieter Kaspersky hat in der Verschlüsselung der Yanlouwang-Ransomware eine Schwachstelle entdeckt. In Folge dieser Schwachstelle kann die Verschlüsselung von Dateien unter bestimmten Voraussetzungen geknackt werden. Jedenfalls steht ein kostenloser Decryptor für die Yanlouwang-Ransomware zur Verfügung. --------------------------------------------- https://www.borncity.com/blog/2022/04/19/freier-decryptor-fr-yanlouwang-ran… ∗∗∗ Achtung unseriös: hondrox.com, hondrox.eu & hondrox.shop ∗∗∗ --------------------------------------------- Auf der Suche nach Behandlungsmöglichkeiten bei Gelenkschmerzen stoßen Sie möglicherweise auf „Hondrox“. Ein Spray, der die „Wiederherstellung der Knorpel in den Gelenken“ sowie Schmerzlinderung verspricht. Auf hondrox.com, hondrox.eu und hondrox.shop wird dieses vermeintliche Wundermittel angeboten. Doch Vorsicht: Diese Online-Shops sind unseriös. Sie verschwenden Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-unserioes-hondroxcom-hondrox… ∗∗∗ GitHub-Sicherheitslücke: OAuth-Token von Heroku und Travis-CI kompromittiert ∗∗∗ --------------------------------------------- Unauthorisierte Zugriffe auf die npm-Infrastruktur haben kriminelle Aktivitäten enttarnt. Betroffenen sind OAuth-Token von Heroku und Travis-CI. --------------------------------------------- https://heise.de/-6703708 ∗∗∗ Sicherheit fürs Anmelden: Was bei Kennwörtern, FIDO2 und TOTP zu beachten ist ∗∗∗ --------------------------------------------- In der Theorie sind zweite Faktoren einfach. In der praktischen Umsetzung tauchen aber diverse Fragen auf – die häufigsten haben wir zusammengetragen. --------------------------------------------- https://heise.de/-6660829 ∗∗∗ Lenovo System Update könnte Schadcode auf Computer lassen ∗∗∗ --------------------------------------------- Lenovo hat Sicherheitslücken in einer Anwendung und verschiedenen BIOS-Versionen geschlossen und Hintertüren entfernt. --------------------------------------------- https://heise.de/-6740544 ∗∗∗ Studie: Ciscos Webex telefoniert auch stummgeschaltet nach Hause ∗∗∗ --------------------------------------------- Bei einer Untersuchung der Stummschaltefunktion von Videokonferenzsoftware fiel Ciscos Webex negativ auf. --------------------------------------------- https://www.golem.de/news/studie-ciscos-webex-telefoniert-auch-stummgeschal… ∗∗∗ New stealthy BotenaGo malware variant targets DVR devices ∗∗∗ --------------------------------------------- Threat analysts have spotted a new variant of the BotenaGo botnet malware, and its the stealthiest seen so far, running undetected by any anti-virus engine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-botenago-malwar… ∗∗∗ Managing container vulnerability risks: Tools and best practices ∗∗∗ --------------------------------------------- Containers are quickly becoming the de facto form of compute and workload deployments in the cloud-native ecosystem. The latest Cloud Native Computing Foundation (CNCF) Cloud Native Survey shows that 96% of organizations are either actively using containers and Kubernetes or are evaluating them. Containers have well-known benefits such as portability, consistency and efficiency, but they aren’t without security concerns. --------------------------------------------- https://www.csoonline.com/article/3656702/managing-container-vulnerability-… ∗∗∗ Sysmons RegistryEvent (Value Set), (Mon, Apr 18th) ∗∗∗ --------------------------------------------- A colleague asked me about Sysmon's event ID 13 RegistryEvent (Value Set). They wanted to know if binary data could be recorded in event 13. --------------------------------------------- https://isc.sans.edu/diary/rss/28558 ∗∗∗ Why you shouldn’t automate your VirusTotal uploads ∗∗∗ --------------------------------------------- Security teams use VirusTotal as a second opinion scanner, but its not advisable to upload documents to VirusTotal as that may result in a breach of confidence and exposure of confidential data. --------------------------------------------- https://blog.malwarebytes.com/101/2022/04/why-you-shouldnt-automate-your-vi… ∗∗∗ How vx-underground is building a hacker’s dream library ∗∗∗ --------------------------------------------- When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. "I had no success really," said its founder, who goes by the online moniker smelly_vx. --------------------------------------------- https://therecord.media/how-vx-underground-is-building-a-hackers-dream-libr… ∗∗∗ Stories from the SOC - Lateral movement using default accounts ∗∗∗ --------------------------------------------- The Windows ‘Administrator’ account is a highly privileged account that is created during a Windows installation by default. If this account is not properly secured, attackers may leverage it to conduct privilege escalation and lateral movement. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer könnten sich als Admins an Cisco Wireless LAN Controller anmelden ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für unter anderem Cisco IOS XE, SD-WAN und WLC. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-6737709 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (abcm2ps and chromium), Fedora (cacti, cacti-spine, and fribidi), and Mageia (crun, docker-containerd, libarchive, mediawiki, and ruby). --------------------------------------------- https://lwn.net/Articles/891725/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gzip and xz-utils), Fedora (dhcp and rsync), Mageia (chromium-browser-stable), openSUSE (chromium), SUSE (gzip, openjpeg2, and zabbix), and Ubuntu (klibc). --------------------------------------------- https://lwn.net/Articles/891818/ ∗∗∗ Elcomplus SmartPPT SCADA Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cross-site Scripting, Unauthorized Exposure to Sensitive Information, Unrestricted Upload of File with Dangerous Type, Path Traversal, and Cross-site Request Forgery vulnerabilities in the Elcomplus SmartPPT SCADA Server voice and data dispatch software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-05 ∗∗∗ Multiple RTOS (Update E) ∗∗∗ --------------------------------------------- Update E: Windriver VxWorks – Update in progress The following devices use Windriver VxWorks as their RTOS: Hitachi Energy GMS600 – See public advisory. Hitachi Energy PWC600 – See public advisory. Hitachi Energy REB500 – See public advisory. Hitachi Energy Relion 670, 650 series and SAM600-IO – See public advisory Hitachi Energy RTU500 series CMU – Updates available for some firmware versions – See public advisory. Hitachi Energy Modular Switchgear Monitoring System MSM – Protect your network – See public advisory. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04 ∗∗∗ Delta Controls enteliTOUCH 3.40.3935 Cookie User Password Disclosure ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022040067 ∗∗∗ Delta Controls enteliTOUCH 3.40.3935 Cross Site Scripting ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022040065 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ K56105136: BIND vulnerability CVE-2022-0396 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56105136 ∗∗∗ K21054458: Eclipse Jetty vulnerability CVE-2017-7656 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21054458 ∗∗∗ Asterisk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0456 ∗∗∗ 7-Zip: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0459 ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0458 ∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0461 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2022
by Daily end-of-shift report 15 Apr '22

15 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-04-2022 18:00 − Freitag 15-04-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheit: Best Practice, zum Updaten von Windows Domain Controllern ∗∗∗ --------------------------------------------- In Unternehmensumgebungen werden oft Windows Server eingesetzt, die als Domain Controller (DC) fungieren. Domänencontroller sind für viele Unternehmen nach wie vor (trotz Trend zur Azure-Coud, so Microsoft) ein zentraler Bestandteil der Infrastruktur. Und die in der Active Directory gespeicherten Identitäten [...] --------------------------------------------- https://www.borncity.com/blog/2022/04/15/sicherheit-best-practice-zum-updat… ∗∗∗ Vorsicht vor ungerechtfertigten Kreditkartenabbuchungen von medianess.co ∗∗∗ --------------------------------------------- Ein QR-Code wird gescannt, ein Programm heruntergeladen oder eine App am Handy installiert. Konsument:innen berichten von ganz alltäglichen Situationen, in denen sie plötzlich auf der Seite medianess.co landen und aufgefordert werden ihre Kreditkartendaten einzugeben. Einige Tage später stellen sie verwundert fest, dass sie ein ungewolltes Abo abgeschlossen haben. Wir erklären Ihnen, wie Sie die ungerechtfertigten Abbuchungen beenden können und Ihr Geld zurückerhalten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-ungerechtfertigten-kred… ∗∗∗ CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers ∗∗∗ --------------------------------------------- This blog post is my analysis of a vulnerability exploited in the wild and patched in early 2021. Like the writeup published last week looking at an ASN.1 parser bug, this blog post is based on the notes I took as I was analyzing the patch and trying to understand the XNU vouchers subsystem. I hope that this writeup serves as the missing documentation for how some of the internals of the voucher subsystem works and its quirks which lead to this vulnerability. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/04/cve-2021-1782-ios-in-wild-vu… ∗∗∗ Gaining Visibility Within Container Clusters ∗∗∗ --------------------------------------------- Service mesh platforms can be used to provide insight into the container processes and their network operations within K8s clusters. --------------------------------------------- https://unit42.paloaltonetworks.com/visibility-k8s-clusters/ ∗∗∗ CISA Adds Nine Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow on the of the "Date Added to Catalog" column, which will sort by descending dates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/15/cisa-adds-nine-kn… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- On March 29, 2022, the following critical vulnerability in the Spring Cloud Function Framework affecting releases 3.1.6, 3.2.2, and older unsupported releases was disclosed: CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression For a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fribidi and python-django), Fedora (postgresql-jdbc, stargz-snapshotter, and thunderbird), Slackware (git, gzip, and xz), and SUSE (kernel, SDL2, and tomcat). --------------------------------------------- https://lwn.net/Articles/891453/ ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Incomplete Cleanup vulnerability in the Johnson Controls Metasys ADS/ADX/OAS servers for building management systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-02 ∗∗∗ Red Lion DA50N ∗∗∗ --------------------------------------------- This advisory contains mitigation for Insufficient Verification of Data Authenticity, Weak Password Requirements, Use of Unmaintained Third-Party Components, and Insufficiently Protected Credentials vulnerabilities in the Red Lion DA50N networking gateway. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-03 ∗∗∗ Siemens SCALANCE FragAttacks ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Authentication, Injection, Improper Validation of Integrity Check, and Improper Input Validation vulnerabilities in the Siemens SCALANCE FragAttacks. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-04 ∗∗∗ Siemens OpenSSL Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for a NULL Pointer Dereference vulnerability in the Siemens OpenSSL. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-05 ∗∗∗ Delta Electronics DMARS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in the Delta Electronics DMARS program development tool. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-01 ∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/14/juniper-networks-… ∗∗∗ Chrome 100.0.4896.127 fixt 0-day Schwachstelle CVE-2022-1364 ∗∗∗ --------------------------------------------- Google hat zum 14. April 2022 Notfall-Updates des Google Chrome 100.0.4896.127 für Android, sowie für Windows und Mac auf dem Desktop im Stable Channel freigegeben. Das Update schließt die 0-day-Schwachstelle CVE-2022-1364, die bereits Exploits existieren. --------------------------------------------- https://www.borncity.com/blog/2022/04/15/chrome-100-0-4896-127-fixt-ausgenu… ∗∗∗ OpenSSL Infinite loop when parsing certificates CVE-2022-0778 ∗∗∗ --------------------------------------------- A vulnerability CVE-2022-0778 was found in OpenSSL that allows to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate leads to a DoS (Denial of service) attack. SonicWall is investigating its product line to determine which products and cloud services may be affected by this vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002 ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Security ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: Due to use of Apache Storm IBM Tivoli Network Manager is vulnerable to arbiraty code execution ( CVE-2021-38294, CVE-2021-40865 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-stor… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities in Plexus-utils affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to a denial of service due to a flaw in the BN_mod_sqrt() function (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2022
by Daily end-of-shift report 14 Apr '22

14 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-04-2022 18:00 − Donnerstag 14-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New EnemyBot DDoS botnet recruits routers and IoTs into its army ∗∗∗ --------------------------------------------- A new Mirai-based botnet malware named Enemybot has been observed growing its army of infected devices through vulnerabilities in modems, routers, and IoT devices, with the threat actor operating it known as Keksec. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-enemybot-ddos-botnet-rec… ∗∗∗ An Update on CVE-2022-26809 - MSRPC Vulnerabliity - PATCH NOW, (Thu, Apr 14th) ∗∗∗ --------------------------------------------- If your main concern is that you do not have time to apply the April update, stop wasting more time reading this (or anything else about CVE-2022-26809) and start patching. --------------------------------------------- https://isc.sans.edu/diary/rss/28550 ∗∗∗ A Primer on Cold Boot Attacks Against Embedded Systems ∗∗∗ --------------------------------------------- A computers main memory is volatile, and its content disappears if it is not regularly refreshed. This enables some attacks that exploit this behavior. One fairly well-known attack is called the "cold boot attack". --------------------------------------------- https://sec-consult.com/blog/detail/a-primer-on-cold-boot-attacks-against-e… ∗∗∗ "Pipedream": US-Warnung vor ausgeklügelten Cyberangriffen auf Energiesektor ∗∗∗ --------------------------------------------- Mit einem Werkzeugkasten hochentwickelter Cyberwaffen sollen unbekannte Angreifer industrielle Steuerungslagen übernehmen können. --------------------------------------------- https://heise.de/-6670554 ∗∗∗ Microsoft Seizes Control of Notorious Zloader Cybercrime Botnet ∗∗∗ --------------------------------------------- Microsoft has disrupted the operation of one of the most notorious cybercrime botnets and named a Crimean hacker as an alleged perpetrator behind the distribution of ransomware to the network of infected machines. --------------------------------------------- https://www.securityweek.com/microsoft-seizes-control-notorious-zloader-cyb… ∗∗∗ SMS-Werbung für sichernow.com führt in Crypto-Investment-Falle ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle SMS, in denen für eine Crypto-Investment-Falle geworben wird. Der enthaltene Link führt zu einer betrügerischen Investment-Plattform. --------------------------------------------- https://www.watchlist-internet.at/news/sms-werbung-fuer-sichernowcom-fuehrt… ∗∗∗ Blinding Snort: Breaking the Modbus OT Preprocessor ∗∗∗ --------------------------------------------- Team82 discovered a means by which it could blind the popular Snort intrusion detection and prevention system to malicious packets. --------------------------------------------- https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-mo… ∗∗∗ Old Gremlins, new methods ∗∗∗ --------------------------------------------- After a long break, the Russian-speaking ransomware group OldGremlin resumes attacks in Russia --------------------------------------------- https://blog.group-ib.com/oldgremlin_comeback ∗∗∗ Threat Spotlight: "Haskers Gang" Introduces New ZingoStealer ∗∗∗ --------------------------------------------- Cisco Talos recently observed a new information stealer, called "ZingoStealer" that has been released for free by a threat actor known as "Haskers Gang." --------------------------------------------- http://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html ∗∗∗ Unfolding the Log4j Security Vulnerability and Log4shell TTPs in AWS ∗∗∗ --------------------------------------------- Orca researcher Lidor Ben Shitrit reveals how Log4 shell TTPs in an AWS cloud environment can be used to open up a Log4j security vulnerability. --------------------------------------------- https://orca.security/resources/blog/log4j-security-vulnerability-log4shell… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-04-13 ∗∗∗ --------------------------------------------- 1 Critical, 13 High, 9 Medium Severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Jetzt patchen! Attacken auf VMware Identity Manager und Workspace One Access ∗∗∗ --------------------------------------------- Angreifer schieben Krypto-Miner durch eine kritische Schadcode-Lücke in VMware Identity Manager und Workspace One Access. Updates stehen zum Download bereit. --------------------------------------------- https://heise.de/-6677723 ∗∗∗ Lücken in mehren Komponente machen Datenmanagement-Software IBM Db2 angreifbar ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für IBM Db2, IBM Db2 On Openshift und IBM Db2 Warehouse on Cloud Pak for Data. --------------------------------------------- https://heise.de/-6677497 ∗∗∗ Sicherheitsupdate: Admin-Tool Grafana ist verwundbar ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit der Datenvisualisierungssoftware Grafana attackieren. --------------------------------------------- https://heise.de/-6678300 ∗∗∗ VMSA-2022-0013 ∗∗∗ --------------------------------------------- VMware Cloud Director update addresses remote code execution vulnerability (CVE-2022-22966) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0013.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lrzip), Fedora (community-mysql, expat, firefox, kernel, mingw-openjpeg2, nss, and openjpeg2), Mageia (ceph, subversion, and webkit2), openSUSE (chromium), Oracle (httpd:2.4), Red Hat (kpatch-patch), Slackware (ruby), SUSE (kernel and netatalk), and Ubuntu (gzip and xz-utils). --------------------------------------------- https://lwn.net/Articles/891354/ ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerabilities with libxml2 affect IBM Cloud Object Storage Systems (Apr 2022 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-libx… ∗∗∗ Security Bulletin: IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint are vulnerable to exposing sensitive information (CVE-2022-22391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-high-speed-tra… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: OpenSSL vulnerability impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.3.0 and earlier (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-imp… ∗∗∗ Security Bulletin: Vulnerability in Apache Struts affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-17530) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K11455641: NGINX LDAP Reference Implementation security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11455641 ∗∗∗ Juniper JUNOS (J-Web): Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0444 ∗∗∗ CVE-2022-0023 PAN-OS: Denial-of-Service (DoS) Vulnerability in DNS Proxy (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0023 ∗∗∗ PAN-SA-2022-0002 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0002 ∗∗∗ PAN-SA-2022-0001 Cortex XDR Agent: Supervisor Password Hash Disclosure Vulnerability When Generating Support Files (Severity: LOW) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0001 ∗∗∗ CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution (Fixed) ∗∗∗ --------------------------------------------- https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-ads… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.04.2022
by Daily end-of-shift report 13 Apr '22

13 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-04-2022 18:00 − Mittwoch 13-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Emotet modules and recent attacks ∗∗∗ --------------------------------------------- Emotet was disrupted in January 2021 and returned in November. This report provides technical description of its active modules and statistics on the malwares recent attacks. --------------------------------------------- https://securelist.com/emotet-modules-and-recent-attacks/106290/ ∗∗∗ Fodcha, a new DDos botnet ∗∗∗ --------------------------------------------- Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big as just in China there are more than 10,000 daily active bots (IPs) and alsomore than 100 DDoS victims being targeted on a daily basis. --------------------------------------------- https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/ ∗∗∗ TallGrass - A Python script that enumerates supported antiviruses and their exclusions on Windows hosts within a domain ∗∗∗ --------------------------------------------- Some antiviruses, like Windows Defender, expose their exclusions through the registry. Because of this, it is possible, and somewhat trivial, to enumerate them for potential means of AV evasion. TallGrass queries the domain controller for all domain-joined Windows hosts, then enumerates the AV exclusions for each host. --------------------------------------------- https://github.com/chdav/TallGrass ∗∗∗ PCI DSS 4.0 veröffentlicht: Mehr Sicherheit für Kreditkartendaten ∗∗∗ --------------------------------------------- Die neue Version 4.0 von PCI DSS erweitert den De-facto-Standard der Security für Zahlungssysteme. Vor allem sollen die Ziele flexibler umzusetzen sein. --------------------------------------------- https://heise.de/-6671323 ∗∗∗ Achtung vor unseriösen Urlaubsangeboten wie reisebuero-fuchs.com! ∗∗∗ --------------------------------------------- Die Urlaubsplanungen für Frühling und Sommer sind längst voll in Gang. Das nützen auch Kriminelle und veröffentlichen betrügerische Plattformen zur Urlaubsbuchung. Dort finden Sie tolle Unterkünfte zu top Konditionen. Der Haken: Sie sollen vorab Anzahlungen leisten, die Inhaber:innen der Unterkünfte erfahren aber nichts von Ihren Buchungen und das Geld landet in der Tasche Krimineller! Fazit: Nichts bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-unserioesen-urlaubsangeb… ∗∗∗ Coercing NTLM Authentication from SCCM ∗∗∗ --------------------------------------------- tl;dr: Disable NTLM for Client Push Installation [...] Client push installation accounts require local admin privileges to install software on systems in an SCCM site, so it is often possible to relay the credentials and execute actions in the context of a local admin on other SCCM clients in the site. --------------------------------------------- https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8… ∗∗∗ CVE-2022-26809: All your RPC are belong to us ∗∗∗ --------------------------------------------- Im April 2022 Patchday von Microsoft findet man wieder Updates [...] Spannender ist das Pärchen CVE-2022-26809/CVE-2022-24491 mit RCE: hier kommt zwar der Patch vor der ersten bekannten Ausnutzung der Schwachstelle, dafür sollten bei CVSS 9.8 die Alarmglocken laut läuten. Beim ersten geht es um das generische RPC Service, beim zweiten um den NFS Server. Während NFS nicht überall im Einsatz sein wird, ist Windows RPC auf Port 445 sehr weit verbreitet und innerhalb von Firmennetzen auch zwangsläufig sehr selten durch Firewalls geschützt. --------------------------------------------- https://cert.at/de/aktuelles/2022/4/2022-04-windows-patchday ∗∗∗ [Caution] Virus/XLS Xanpei Infecting Normal Excel Files ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the constant distribution of malware strains that spread the infection when Excel file is opened. Besides infecting normal Excel files, they can also perform additional malicious behaviors such as acting as a downloader and performing DNS Spoofing, therefore, users need to take great caution. --------------------------------------------- https://asec.ahnlab.com/en/33630/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical flaw in Elementor WordPress plugin may affect 500k sites ∗∗∗ --------------------------------------------- The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites. [..] The latest version includes a commit that implements an additional check on the nonce access, using the "current_user_can" WordPress function. While this should address the security gap, the researchers haven't validated the fix yet, and the Elementor team hasn't published any details about the patch. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-flaw-in-elementor-w… ∗∗∗ Sicherheit: Git gibt Sicherheitslücken bekannt und veröffentlicht Patch ∗∗∗ --------------------------------------------- Git hat zwei Sicherheitslücken bekannt gegeben und gleich auch einen Patch bereitgestellt, der diese stopft: Update dringend empfohlen. --------------------------------------------- https://www.golem.de/news/sicherheit-git-gibt-sicherheitsluecken-bekannt-un… ∗∗∗ Patchday: SAP dichtet 30 Sicherheitslücken ab ∗∗∗ --------------------------------------------- SAP hat zu Lücken in diversen Produkten 21 neue Meldungen veröffentlicht und neun ältere aktualisiert. Administratoren sollten die Updates bald installieren. --------------------------------------------- https://heise.de/-6670382 ∗∗∗ Sicherheitspatch für Apache Struts unvollständig – neues Updates soll es richten ∗∗∗ --------------------------------------------- Aufgrund der Gefahr von möglichen Schadcode-Attacken sollten Admins ihre Apache-Struts-Systeme auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-6670584 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (gzip, python-django, and xz), Debian (chromium, subversion, and zabbix), Red Hat (expat, kernel, and thunderbird), SUSE (go1.16, go1.17, kernel, libexif, libsolv, libzypp, zypper, opensc, subversion, thunderbird, and xz), and Ubuntu (git, linux-bluefield, nginx, and subversion). --------------------------------------------- https://lwn.net/Articles/891182/ ∗∗∗ Apache Subversion: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Apache Subversion ausnutzen, um Informationen offenzulegen oder einen Denial of Service zu verursachen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0436 ∗∗∗ Citrix Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Original release date: April 12, 2022Citrix has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the following Citrix security bulletins and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/12/citrix-releases-s… ∗∗∗ Motorola Android App Vulnerabilities ∗∗∗ --------------------------------------------- Some Motorola Android applications do not properly verify the server certificate which could lead to the communication channel being accessible by an attacker. [..] Update to latest version of the applications in the Product Impact section below. App Name: 'Ready For', 'Device Help' --------------------------------------------- http://support.lenovo.com/product_security/PS500482-MOTOROLA-ANDROID-APP-VU… ∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗ --------------------------------------------- The following vulnerabilities were reported in ThinkPad BIOS. CVE IDs: CVE-2022-1107, CVE-2022-1108 Update system firmware to the version (or newer) indicated for your model [..] --------------------------------------------- http://support.lenovo.com/product_security/PS500480-THINKPAD-BIOS-VULNERABI… ∗∗∗ Lenovo System Update Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ability to execute code with elevated privileges only during the installation of a System Update package released before 2022-02-25 that displays a command prompt window. --------------------------------------------- http://support.lenovo.com/product_security/PS500483-LENOVO-SYSTEM-UPDATE-PR… ∗∗∗ Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968) ∗∗∗ --------------------------------------------- While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration. --------------------------------------------- https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulne… ∗∗∗ Bentley Security Advisory BE-2022-0006: IFC File Parsing Vulnerabilities in MicroStation and MicroStation-based applications ∗∗∗ --------------------------------------------- https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0006 ∗∗∗ Security Bulletin: IBM Security SOAR is affected but not classified as vulnerable to remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-affe… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to arbitrary code exection due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability in GNU binutils affects IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Valmet DNA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-01 ∗∗∗ Mitsubishi Electric MELSEC-Q Series C Controller Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-02 ∗∗∗ Inductive Automation Ignition ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-03 ∗∗∗ Mitsubishi Electric GT25-WLAN ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-04 ∗∗∗ Aethon TUG Home Base Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-05 ∗∗∗ NetApp Active IQ Unified Manager Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500484-NETAPP-ACTIVE-IQ-UNIFIE… ∗∗∗ Post-Auth Arbitrary File Read vulnerability Impacting End-Of-Life SRA Appliances and End-Of-Support SMA100 firmware versions ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2022
by Daily end-of-shift report 12 Apr '22

12 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Montag 11-04-2022 18:00 − Dienstag 12-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Qbot malware switches to new Windows Installer infection vector ∗∗∗ --------------------------------------------- The Qbot botnet is now pushing malware payloads via phishing emails with password-protected ZIP archive attachments containing malicious MSI Windows Installer packages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new… ∗∗∗ Discord-Konten im Visier von Cyberkriminellen ∗∗∗ --------------------------------------------- Seit Jahresanfang sehen GDatas Sicherheitsforscher einen Anstieg an Malware, die Zugangstoken zu Discord stehlen will. Nutzer sollten Maßnahmen ergreifen. --------------------------------------------- https://heise.de/-6669765 ∗∗∗ Terrible cloud security is leaving the door open for hackers. Heres what youre doing wrong ∗∗∗ --------------------------------------------- A rise in hybrid work and a shift to cloud platforms has changed how businesses operate - but its also leaving them vulnerable to cyberattacks. --------------------------------------------- https://www.zdnet.com/article/terrible-cloud-security-is-leaving-the-door-o… ∗∗∗ Industroyer2: Industroyer reloaded ∗∗∗ --------------------------------------------- This ICS-capable malware targets a Ukrainian energy company --------------------------------------------- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ ∗∗∗ F5 investigating reports of NGINX zero day ∗∗∗ --------------------------------------------- UPDATE 4/12: On Monday evening, NGINX released a blog about the issue, writing that it only affects reference implementations and does not affect NGINX Open Source or NGINX Plus. The company said deployments of the LDAP reference implementation are affected by the vulnerabilities if command-line parameters are used to configure the Python daemon, if there are unused, optional configuration parameters and if LDAP authentication depends on specific group membership. --------------------------------------------- https://therecord.media/f5-investigating-reports-of-nginx-zero-day/ ∗∗∗ SystemBC Being Used by Various Attackers ∗∗∗ --------------------------------------------- SystemBC is a proxy malware that has been used by various attackers for the last few years. While it is recently distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past. When an attacker attempts to access a certain address with malicious intent, the system can be used as a passage if the infected system utilizes SystemBC, which acts as a Proxy Bot. --------------------------------------------- https://asec.ahnlab.com/en/33600/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical LFI Vulnerability Reported in Hashnode Blogging Platform ∗∗∗ --------------------------------------------- Researchers have disclosed a previously undocumented local file inclusion (LFI) vulnerability in Hashnode, a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, servers IP address, and other network information. --------------------------------------------- https://thehackernews.com/2022/04/critical-lfi-vulnerability-reported-in.ht… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird and usbguard), Fedora (containerd, firefox, golang-github-containerd-imgcrypt, nss, and vim), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (libexif, mozilla-nss, mysql-connector-java, and qemu), and Ubuntu (libarchive and python-django). --------------------------------------------- https://lwn.net/Articles/891048/ ∗∗∗ Amazon RDS Vulnerability Led to Exposure of Credentials ∗∗∗ --------------------------------------------- Amazon Web Services (AWS) on Monday announced that it recently addressed a vulnerability in Amazon Relational Database Service (RDS) that could lead to the exposure of internal credentials. --------------------------------------------- https://www.securityweek.com/amazon-rds-vulnerability-led-exposure-credenti… ∗∗∗ SSA-350757 V1.0: Improper Access Control Vulnerability in TIA Portal Affecting S7-1200 and S7-1500 CPUs Web Server (Incl. Related ET200 CPUs and SIPLUS variants) ∗∗∗ --------------------------------------------- An attacker could achieve privilege escalation on the web server of certain devices configured by SIMATIC STEP 7 (TIA Portal) due to incorrect handling of the webserverâ€™s user management configuration during downloading. This only affects the S7-1200 and S7-1500 CPUsâ€™ (incl.Â related ET200 CPUs and SIPLUS variants) web server, when activated. Siemens has released updates for several affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-350757.txt ∗∗∗ SSA-392912 V1.0: Multiple Denial Of Service Vulnerabilities in SCALANCE W1700 Devices ∗∗∗ --------------------------------------------- Vulnerabilities have been identified in devices of the SCALANCE W-1700 (11ac) family that could allow an attacker to cause various denial of service conditions. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-392912.txt ∗∗∗ SSA-414513 V1.0: Information Disclosure Vulnerability in Mendix ∗∗∗ --------------------------------------------- An information disclosure vulnerability in Mendix applications was discovered. The vulnerability could allow to read sensitive data. Siemens has released an update for the Mendix Applications using Mendix 9 and recommends to update to the latest version. Siemens recommends countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-414513.txt ∗∗∗ SSA-446448 V1.0: Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack ∗∗∗ --------------------------------------------- The PROFINET (PNIO) stack, when integrated with the Interniche IP stack, contains a vulnerability that could allow an attacker to cause a denial of service condition on affected industrial products. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-446448.txt ∗∗∗ SSA-557541 V1.0: Denial-of-Service Vulnerability in SIMATIC S7-400 CPUs ∗∗∗ --------------------------------------------- SIMATIC S7-400 CPU devices contain an input validation vulnerability that could allow an attacker to create a Denial-of-Service condition. A restart is needed to restore normal operations. Siemens has released an update for SIMATIC S7-410 V10 CPU family and SIMATIC S7-400 H V6 CPU family (incl.Â SIPLUS variants for both) and recommends to update to the latest version. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not yet --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-557541.txt ∗∗∗ SSA-655554 V1.0: Multiple Vulnerabilities in SIMATIC Energy Manager before V7.3 Update 1 ∗∗∗ --------------------------------------------- SIMATIC Energy Manager is affected by multiple vulnerabilities that could allow an attacker to gain local privilege escalation, local code execution or remote code execution. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-655554.txt ∗∗∗ SSA-711829 V1.0: Denial of Service Vulnerability in TIA Administrator ∗∗∗ --------------------------------------------- In conjunction with the installation of the affected products listed in the table below, a vulnerability in TIA Administrator occurs that could allow an unauthenticated attacker to perform a denial of service attack. Siemens has released a first update for one of the affected products and recommends to update to the latest version. Siemens is preparing further updates and recommends specific countermeasures. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-711829.txt ∗∗∗ SSA-836527 V1.0: Multiple Vulnerabilities in SCALANCE X-300 Switch Family Devices ∗∗∗ --------------------------------------------- Several SCALANCE X-300 switches contain multiple vulnerabilities. An unauthenticated attacker could reboot, cause denial of service conditions and potentially impact the system by other means through heap and buffer overflow vulnerabilities. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-836527.txt ∗∗∗ SSA-870917 V1.0: Improper Access Control Vulnerability in Mendix ∗∗∗ --------------------------------------------- When querying the database, it is possible to sort the results using a protected field. With this an authenticated attacker could extract information about the contents of a protected field. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-870917.txt ∗∗∗ SSA-998762 V1.0: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.2 ∗∗∗ --------------------------------------------- Siemens Simcenter Femap versions before V2022.1.2 are affected by vulnerabilities that could be triggered when the application reads files in .NEU format. If a user is tricked to open a malicious file with the affected application, an attacker could leverage the vulnerability to leak information or potentially perform remote code execution in the context of the current process. Siemens recommends to update to the latest version line of Simcenter Femap and to avoid opening of untrusted files --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-998762.txt ∗∗∗ SSA-316850: Unauthenticated File Access in SICAM A8000 Devices ∗∗∗ --------------------------------------------- SICAM A8000 CP-8050 and CP-8031 devices contain vulnerabilities that could allow an attacker to access files without authentication. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-316850.txt ∗∗∗ SAP Patchday April 2022 ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0414 ∗∗∗ Citrix SD-WAN Security Bulletin for CVE-2022-27505 and CVE-2022-27506 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX370550 ∗∗∗ Citrix StoreFront Security Bulletin for CVE-2022-27503 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX377814 ∗∗∗ Citrix Gateway Plug-in for Windows Security Bulletin for CVE-2022-21827 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341455 ∗∗∗ PHOENIX CONTACT: Multiple Linux component vulnerabilities fixed in latest AXC F x152 LTS release ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-010/ ∗∗∗ PHOENIX CONTACT: mGuard Device Manager affected by HTTP Request Smuggling of Apache Webserver ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-014/ ∗∗∗ PHOENIX CONTACT: Multiple products affected by possible infinite loop within OpenSSL library ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-013/ ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Framework ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is affected by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Maximo For Civil infrastructure is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-for-civil-infr… ∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to Prototype Pollution due to json-schema CVE-2021-3918 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ Security Bulletin: Vulnerabilities in Dojo and dom4j libraries affect Tivoli Netcool/OMNIbus WebGUI (CVE-2020-10683, CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-dojo-a… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Performance Management products (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServers that use the Box connector may be vulnerable to arbitrary code execution due to CVE-2021-23555 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Multiple Vulnerabilities affect IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to CKEditor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2022
by Daily end-of-shift report 11 Apr '22

11 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-04-2022 18:00 − Montag 11-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Android banking malware takes over calls to customer support ∗∗∗ --------------------------------------------- A banking trojan for Android that researchers call Fakecalls comes with a powerful capability that enables it to take over calls to a banks customer support number and connect the victim directly with the cybercriminals operating the malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-banking-malware-take… ∗∗∗ Security: OpenSSH 9.0 veröffentlicht ∗∗∗ --------------------------------------------- Die neue Version von OpenSSH bringt unter anderem eine Härtung gegen Faktorisierungsattacken mit zukünftigen Quantencomputern mit. --------------------------------------------- https://www.golem.de/news/security-openssh-9-0-veroeffentlicht-2204-164550-… ∗∗∗ Method For String Extraction Filtering, (Sat, Apr 9th) ∗∗∗ --------------------------------------------- In diary entry "XLSB Files: Because Binary is Stealthier Than XML", Xavier shows how to extract strings (URLs) from binary files that make up an Excel spreadsheet. This inspired me to make a tool to parse this XLSB file format: "Quickie: Parsing XLSB Documents". Now I'm presenting another method, one that uses string analysis. --------------------------------------------- https://isc.sans.edu/diary/rss/28532 ∗∗∗ Mirai-Botnet missbraucht Spring4Shell-Sicherheitsleck ∗∗∗ --------------------------------------------- Sicherheitsforscher haben beobachtet, dass das Mirai-Botnet die Spring4Shell-Schwachstelle angreift und dadurch die Malware verbreitet. --------------------------------------------- https://heise.de/-6668646 ∗∗∗ Denonia cryptominer is first malware to target AWS Lambda ∗∗∗ --------------------------------------------- There is now malware in serverless environments. Dubbed Denonia, it specifically targets the AWS Lambda to perform cryptojacking. --------------------------------------------- https://blog.malwarebytes.com/business-2/2022/04/denonia-cryptominer-is-fir… ∗∗∗ Octo Android Trojan Allows Cybercrooks to Conduct On-Device Fraud ∗∗∗ --------------------------------------------- Threat Fabric security researchers have analyzed an Android banking trojan that allows its operators to perform on-device fraud. --------------------------------------------- https://www.securityweek.com/octo-android-trojan-allows-cybercrooks-conduct… ∗∗∗ Think Like a Criminal: Knowing Popular Attack Techniques to Stop Bad Actors Faster ∗∗∗ --------------------------------------------- Analyzing the attack goals of adversaries is important to be able to better align defenses against the speed of changing attack techniques. By focusing on a handful of techniques, you can effectively shut down malware’s methods of choice for getting in and making itself at home. To achieve this, you need to know which key areas to be focusing on in the coming months. --------------------------------------------- https://www.securityweek.com/think-criminal-knowing-popular-attack-techniqu… ∗∗∗ Love-Scam - Wie unterstütze ich Betroffene? ∗∗∗ --------------------------------------------- Hilfe! Mein Mutter, mein Onkel, meine Bekannte liebt eine:n Internetbetrüger:in. Für Außenstehende ist der Fall meist klar: Die Internetliebe ist ein:e Betrüger:in. Das Opfer möchte dies aber nicht glauben und überweist immer wieder Geld. Was tun? Wie können Sie Opfer von Liebesbetrüger:innen unterstützen? --------------------------------------------- https://www.watchlist-internet.at/news/love-scam-wie-unterstuetze-ich-betro… ∗∗∗ New SolarMarker (Jupyter) Campaign Demonstrates the Malware's Changing Attack Patterns ∗∗∗ --------------------------------------------- A new version of SolarMarker malware appears to upgrade evasion abilities and demonstrates that the infostealer and backdoor continues to evolve. --------------------------------------------- https://unit42.paloaltonetworks.com/solarmarker-malware/ ∗∗∗ Insider-Bedrohungen greifen nach außen ∗∗∗ --------------------------------------------- Wenn Mitarbeiter auf eigene Faust zum Cyberkrieger werden wollen, kann das die Unternehmenssicherheit ebenso gefährden wie traditionelle Insider- und externe Bedrohungen, berichtet Andreas Riepen, Regional Sales Director Central Europe bei Vectra AI, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88400523/insider-bedrohungen-greifen-nach-aussen/ ∗∗∗ Cyber-Sicherheit im Gesundheitswesen ∗∗∗ --------------------------------------------- Das Gesundheitswesen ist nach wie vor einer der am häufigsten durch Hacker angegriffenen Bereiche. Lieder wurden in der Vergangenheit entsprechende Hausaufgaben lange aufgeschobene. --------------------------------------------- https://www.borncity.com/blog/2022/04/10/cyber-sicherheit-im-gesundheitswes… ===================== = Vulnerabilities = ===================== ∗∗∗ Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now! ∗∗∗ --------------------------------------------- A rogue line-continuation character can trick the code into validating just the second half of the line, but executing all of it. --------------------------------------------- https://nakedsecurity.sophos.com/2022/04/08/popular-ruby-asciidoc-toolkit-p… ∗∗∗ Spring: It isnt just about Spring4Shell. Spring Cloud Function Vulnerabilities are being probed too., (Mon, Apr 11th) ∗∗∗ --------------------------------------------- Our "First Seen URL" page did show attempts to access /actuator/gateway/routes this weekend. So I dug in a bit deeper to see what these scans are all about. [...] The scan for /actuator/gateway/routes may be looking for systems that are possibly vulnerable to CVE-2022-22947 or other vulnerabilities in the Spring Cloud function (we had at least three different vulnerabilities recently). --------------------------------------------- https://isc.sans.edu/diary/rss/28538 ∗∗∗ ABB Cyber Security Advisory: ARM600 M2M Gateway NSS library and polkit vulnerabilities ∗∗∗ --------------------------------------------- These vulnerabilities affect cryptographic libraries and privilege handling. Subsequently, a successful exploit could allow attackers to execute code with root user privileges or to elevate a non-privileged user to a privileged user. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001254&Language… ∗∗∗ ABB Cyber Security Advisory: Arctic Wireless Gateway Firewall vulnerability (CVE-2022-0947) ∗∗∗ --------------------------------------------- A vulnerability is found in the ABB Arctic wireless gateways in a specific configuration and when using firmware versions from 2.4.0 or later until version 3.4.10. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001253&Language… ∗∗∗ Verschlüsselungsschwächen in Datenmanagementsoftware Dell EMC PowerScale OneFS ∗∗∗ --------------------------------------------- Admins von Systemen mit Dell EMC PowerScale OneFS sollten die Software aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-6668566 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gzip, libxml2, minidlna, openjpeg2, thunderbird, webkit2gtk, wpewebkit, xen, and xz-utils), Fedora (crun, unrealircd, and vim), Mageia (389-ds-base, busybox, flatpak, fribidi, gdal, python-paramiko, and usbredir), openSUSE (opera and seamonkey), Oracle (kernel and kernel-container), Red Hat (firefox), Scientific Linux (firefox), Slackware (libarchive), SUSE (389-ds, libsolv, libzypp, zypper, and python), and Ubuntu (python-django and tcpdump). --------------------------------------------- https://lwn.net/Articles/890936/ ∗∗∗ XSS vulnerability patched in Directus data engine platform ∗∗∗ --------------------------------------------- The platform is described as a "flexible powerhouse for engineers." --------------------------------------------- https://www.zdnet.com/article/xss-vulnerability-patched-in-directus-data-en… ∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0412 ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23806 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to spoofing and clickjacking attacks due to swagger-ui (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Sterling Global Mailbox is vulnerable to denial of service due to Jackson-Databind (217968 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-global-mailb… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to log4js-node CVE-2022-21704 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: A cross-site scripting (XSS) vulnerability may impact IBM Cúram Social Program Management(CVE-2021-39068) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-xs… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in Google Gson (217225) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-24921 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23772 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23773 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to node-request-retry CVE-2022-0654 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-5421). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to cross-site Ajax request vulnerability due to Prototype JavaScript (CVE-2008-7220) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple CVEs in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2022
by Daily end-of-shift report 08 Apr '22

08 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-04-2022 18:00 − Freitag 08-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious web redirect service infects 16,500 sites to push malware ∗∗∗ --------------------------------------------- A new TDS (Traffic Direction System) operation called Parrot has emerged in the wild, having already infected servers hosting 16,500 websites of universities, local governments, adult content platforms, and personal blogs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-web-redirect-servi… ∗∗∗ Mirai malware now delivered using Spring4Shell exploits ∗∗∗ --------------------------------------------- The Mirai malware is now leveraging the Spring4Shell exploit to infect vulnerable web servers and recruit them for DDoS (distributed denial of service) attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mirai-malware-now-delivered-… ∗∗∗ CVE-2021-30737, @xerubs 2021 iOS ASN.1 Vulnerability ∗∗∗ --------------------------------------------- Originally this post was just a series of notes I took last year as I was trying to understand this bug. But the bug itself and the narrative around it are so fascinating that I thought it would be worth writing up these notes into a more coherent form to share with the community. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/04/cve-2021-30737-xerubs-2021-i… ∗∗∗ Public Report – Google Enterprise API Security Assessment ∗∗∗ --------------------------------------------- During the autumn of 2021, Google engaged NCC Group to perform a review of the Android 12 Enterprise API to evaluate its compliance with the Security Technical Implementation Guides (STIG) matrix provided by Google. --------------------------------------------- https://research.nccgroup.com/2022/04/07/public-report-google-enterprise-ap… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (libtiff), Debian (chromium), Fedora (buildah and chromium), openSUSE (firefox), SUSE (firefox, libsolv, libzypp, and openjpeg2), and Ubuntu (firefox and python-oslo.utils). --------------------------------------------- https://lwn.net/Articles/890718/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SPSS Analytic Server is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spss-analytic-server-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2021-22931) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is vulnerable to cross-site request forgery (CVE-2020-4668) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: Vulnerability in json4j – CVE-2021-3918 (Publicly disclosed vulnerability) impacts IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-json4j-c… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Apache Log4j vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: LDAP vulnerability in WebSphere Liberty Profile can affect IBM InfoSphere Global Name Management ENS (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ldap-vulnerability-in-web… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0004.html ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0405 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0406 ∗∗∗ Microsoft Edge 100.0.1185.36 fixt Schwachstelle ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/04/08/microsoft-edge-100-0-1185-36-fixt-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2022
by Daily end-of-shift report 07 Apr '22

07 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-04-2022 18:00 − Donnerstag 07-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New FFDroider malware steals Facebook, Instagram, Twitter accounts ∗∗∗ --------------------------------------------- A new information stealer named FFDroider has emerged, stealing credentials and cookies stored in browsers to hijack victims social media accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ffdroider-malware-steals… ∗∗∗ A Bad Luck BlackCat ∗∗∗ --------------------------------------------- A new ransomware actor started advertising its services on a Russian underground forum. They presented themselves as ALPHV, but the group is also known as BlackCat. --------------------------------------------- https://securelist.com/a-bad-luck-blackcat/106254/ ∗∗∗ What is BIMI and how is it supposed to help with Phishing., (Thu, Apr 7th) ∗∗∗ --------------------------------------------- Phishing works because it is hard to figure out if an email or a website is authentic. Over the years, many technical solutions have been implemented to make it easier to recognize valid senders or a valid website. --------------------------------------------- https://isc.sans.edu/diary/rss/28528 ∗∗∗ SharkBot Banking Trojan Resurfaces On Google Play Store Hidden Behind 7 New Apps ∗∗∗ --------------------------------------------- As many as seven malicious Android apps discovered on the Google Play Store masqueraded as antivirus solutions to deploy a banking trojan called SharkBot. --------------------------------------------- https://thehackernews.com/2022/04/sharkbot-banking-trojan-resurfaces-on.html ∗∗∗ Whatsapp-Kettenbrief: "Milka" erneut Köder für gefälschte Gewinnspiele ∗∗∗ --------------------------------------------- Kriminelle werden nicht müde, die Schokoladenmarke für ihre Zwecke zu nutzen. Erst recht kurz vor Ostern. --------------------------------------------- https://heise.de/-6665629 ∗∗∗ DSGVO-Verstoß auf Ihrer Webseite? Lassen Sie sich nicht verunsichern! ∗∗∗ --------------------------------------------- Uns wurden zahlreiche E-Mails gemeldet, die auf einen DSGVO-Verstoß auf der Website von Unternehmen hinweisen. Das E-Mail bezieht sich auf die Verwendung von Google Analytics. Es besteht kein Grund zur Sorge, doch langfristig sollten Sie nach Alternativen zu dem Google-Dienst suchen. --------------------------------------------- https://www.watchlist-internet.at/news/dsgvo-verstoss-auf-ihrer-webseite-la… ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/06/cisa-adds-three-k… ∗∗∗ CVE-2022-26381: Gone by others! Triggering a UAF in Firefox ∗∗∗ --------------------------------------------- Memory corruption vulnerabilities have been well known for a long time and programmers have developed various methods to prevent them. One type of memory corruption that is very hard to prevent is the use-after-free and the reason is that it has too many faces! --------------------------------------------- https://www.thezdi.com/blog/2022/4/7/cve-2022-26381-gone-by-others-triggeri… ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto Networks firewalls, VPNs vulnerable to OpenSSL bug ∗∗∗ --------------------------------------------- American cybersecurity company Palo Alto Networks warned customers on Wednesday that some of its firewall, VPN, and XDR products are vulnerable to a high severity OpenSSL infinite loop bug disclosed three weeks ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/palo-alto-networks-firewalls… ∗∗∗ Jetzt aktualisieren: VMware patcht teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Mehrere VMware-Produkte sind von teils kritischen Lücken betroffen, durch die Angreifer Schadcode einschleusen könnten. Es gibt Updates und Gegenmaßnahmen. --------------------------------------------- https://heise.de/-6665440 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind), Debian (firefox-esr), Fedora (fribidi, gdal, and mingw-gdal), openSUSE (pdns-recursor and SDL2), Oracle (kernel), Slackware (mozilla), SUSE (glibc and openvpn-openssl1), and Ubuntu (fribidi and linux-azure-5.13, linux-oracle-5.13). --------------------------------------------- https://lwn.net/Articles/890620/ ∗∗∗ Multiple Cisco Security Products Simple Network Management Protocol Service Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Java Deserialization Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Secure Network Analytics Network Diagrams Application Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: Apache Log4j vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ April 6, 2022 TNS-2022-08 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.19.0 to 5.20.1: Patch 202204.1 ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-08 ∗∗∗ VMSA-2022-0012 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0012.html ∗∗∗ K51048910: Eclipse Jetty vulnerability CVE-2021-28169 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51048910 ∗∗∗ Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulne… ∗∗∗ WEIDMUELLER: Multiple vulnerabilities in Modbus TCP/RTU Gateways ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-008/ ∗∗∗ Pepperl+Fuchs WirelessHART-Gateway ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-097-01 ∗∗∗ ABB SPIET800 and PNI800 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-097-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2022
by Daily end-of-shift report 06 Apr '22

06 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-04-2022 18:00 − Mittwoch 06-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft detects Spring4Shell attacks across its cloud services ∗∗∗ --------------------------------------------- Microsoft said that its currently tracking a "low volume of exploit attempts" targeting the critical Spring4Shell (aka SpringShell) remote code execution (RCE) vulnerability across its cloud services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-detects-spring4she… ∗∗∗ Windows MetaStealer Malware, (Wed, Apr 6th) ∗∗∗ --------------------------------------------- The malware abuses legitimate services by Github and transfer.sh to host these data binaries. All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary. --------------------------------------------- https://isc.sans.edu/diary/rss/28522 ∗∗∗ Zero-Day-Lücken: Ältere macOS- und iOS-Versionen weiter angreifbar ∗∗∗ --------------------------------------------- Aktiv ausgenutzte Lücken hat Apple nur in iOS 15 und macOS 12 gestopft. Sicherheitsforschern zufolge sind aber auch ältere Betriebssystemversionen verwundbar. --------------------------------------------- https://heise.de/-6664730 ∗∗∗ Wenn der PC plötzlich steckenbleibt, nicht bei Microsoft anrufen! ∗∗∗ --------------------------------------------- Die Betrugsmasche, bei der sich Kriminelle als Microsoft-Angestellte ausgeben und ihre Opfer telefonisch kontaktieren, ist weitläufig bekannt. Aktuell erhalten Betroffene vermehrt keinen Anruf, sondern werden durch Pop-ups auf ihren Bildschirmen, die die Nutzung des Computers einschränken, zu Anrufen bewegt. Achtung: Nicht anrufen, sonst drohen Geld- und Datenverluste! --------------------------------------------- https://www.watchlist-internet.at/news/wenn-der-pc-ploetzlich-steckenbleibt… ∗∗∗ Fake e‑shops on the prowl for banking credentials using Android malware ∗∗∗ --------------------------------------------- This campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with even more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious websites and Android trojans attributed to this campaign. --------------------------------------------- https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credent… ∗∗∗ Analyzing a “multilayer” Maldoc: A Beginner’s Guide ∗∗∗ --------------------------------------------- In this blog post, we will not only analyze an interesting malicious document, but we will also demonstrate the steps required to get you up and running with the necessary analysis tools. There is also a howto video for this blog post. --------------------------------------------- https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories (FortiClient, FortiEDR, FortiWAN) ∗∗∗ --------------------------------------------- * FortiClient (Linux) - Improper directories permissions * FortiClient (Linux) - external access to confighandler webserver * FortiClient (Windows) - privilege escalation in online installer due to incorrect working directory * FortiEDR - Denial of service due to folder access permission change * FortiEDR - Hardcoded AES key enable disabling local Collector * FortiEDR - Insecure RSA key transport * FortiWAN - Improper cryptographic operations in Dynamic Tunnel Protocol * FortiWAN - Pervasive OS command --------------------------------------------- https://www.fortiguard.com/psirt?date=04-2022 ∗∗∗ VMSA-2022-0011 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.3-9.8 CVE(s): CVE-2022-22954, CVE-2022-22955,CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0011.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (rizin), Fedora (fish, gdal, mingw-fribidi, mingw-gdal, mingw-openexr, mingw-python-pillow, mingw-python3, and python-pillow), Mageia (chromium-browser-stable), Oracle (Extended Lifecycle Support (ELS) Unbreakable Enterprise kernel and kernel), Red Hat (kernel, kernel-rt, and Red Hat OpenStack Platform 16.2 (python-waitress)), Scientific Linux (kernel), Slackware (mozilla), SUSE (mozilla-nss), and Ubuntu (h2database). --------------------------------------------- https://lwn.net/Articles/890404/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.8 ∗∗∗ --------------------------------------------- CVE-2022-1097, CVE-2022-28281, CVE-2022-1197, CVE-2022-1196, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, CVE-2022-28289 In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/ ∗∗∗ Spring Cloud Data Flow 2.9.4 Released ∗∗∗ --------------------------------------------- On behalf of the team and everyone who has contributed, I’m happy to announce that Spring Cloud Dataflow 2.9.4 has been released and is now available from Maven Central. This release contains an update of the Spring Boot version and addresses a couple of CVEs. Notable Changes in 2.9.4: * Update to Spring Boot 2.5.12 * Resolves CVE-2022-22965 * Resolves CVE-2021-29425 --------------------------------------------- https://spring.io/blog/2022/04/05/spring-cloud-data-flow-2-9-4-released ∗∗∗ Improper Authentication Management Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220406-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Watson Query potentially exposes adminstrator's key under some conditions due to CVE-2022-22410 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-query-potentially-… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-38893 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Vulnerabilities with Apache HTTP Server affect IBM Cloud Object Storage Systems (Apr 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-apac… ∗∗∗ K49419538: libxml2 vulnerability CVE 2016-4658 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K49419538?utm_source=f5support&utm_mediu… ∗∗∗ WAGO: Multiple Products affected by Linux Kernel Vulnerability Dirty Pipe ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-009/ ∗∗∗ LifePoint Informatics Patient Portal ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-095-01 ∗∗∗ Rockwell Automation ISaGRAF ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-095-01 ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-095-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2022
by Daily end-of-shift report 05 Apr '22

05 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Montag 04-04-2022 18:00 − Dienstag 05-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ WhatsApp voice message phishing emails push info-stealing malware ∗∗∗ --------------------------------------------- A new WhatsApp phishing campaign impersonating WhatsApps voice message feature has been discovered, attempting to spread information-stealing malware to at least 27,655 email addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/whatsapp-voice-message-phish… ∗∗∗ SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965 ∗∗∗ --------------------------------------------- Microsoft provides guidance for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical vulnerability CVE-2022-22965, also known as SpringShell or Spring4Shell. --------------------------------------------- https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerab… ∗∗∗ WebLogic Crypto Miner Malware Disabling Alibaba Cloud Monitoring Tools, (Tue, Apr 5th) ∗∗∗ --------------------------------------------- Looking through my honeypot logs for some Spring4Shell exploits (I didn't find anything interesting), I came across this attempt to exploit an older WebLogic vulnerability (likely %%cve:2020-14882%% or %%cve:2020-14883%%). The exploit itself is "run of the mill," but the script downloaded is going through an excessively long list of competitors to disable and disabled cloud monitoring tools, likely to make detecting and response more difficult. --------------------------------------------- https://isc.sans.edu/diary/rss/28520 ∗∗∗ ZDI-22-547: (0Day) (Pwn2Own) Samsung Galaxy S21 Exposed Dangerous Method Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to execute arbitrary code on affected installations of Samsung Galaxy S21 phones. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-547/ ∗∗∗ Phishing-Angriffe auf Kryptowährungssektor nach Einbruch bei MailChimp ∗∗∗ --------------------------------------------- Nach einem Einbruch beim Marketing-Mail-Anbieter MailChimp haben Cyberkriminelle versucht, per Phishing an Kryptowährungen von Krypto-Wallet-Kunden zu gelangen. --------------------------------------------- https://heise.de/-6662971 ∗∗∗ CISA advises D-Link users to take vulnerable routers offline ∗∗∗ --------------------------------------------- CISA has advised users to take certain vulnerable D-Link routers offline since the existing vulnerabilities are know to be actively exploited and the models have reached EOL and will not get patched. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-adv… ∗∗∗ Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter ∗∗∗ --------------------------------------------- Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims.The infections leverage process injection to evade detection by endpoint security software. --------------------------------------------- http://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html ===================== = Vulnerabilities = ===================== ∗∗∗ Android Security Bulletin—April 2022 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-04-05 or later address all of these issues. --------------------------------------------- https://source.android.com/security/bulletin/2022-04-01 ∗∗∗ Xen Security Advisory CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 / XSA-400 ∗∗∗ --------------------------------------------- IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. The precise impact is system specific, but would likely be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-400.html ∗∗∗ Xen Security Advisory CVE-2022-26357 / XSA-399 ∗∗∗ --------------------------------------------- race in VT-d domain ID cleanup. The precise impact is system specific, but would typically be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-399.html ∗∗∗ Xen Security Advisory CVE-2022-26356 / XSA-397 ∗∗∗ --------------------------------------------- Racy interactions between dirty vram tracking and paging log dirty hypercalls. An attacker can cause Xen to leak memory, eventually leading to a Denial of Service (DoS) affecting the entire host. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-397.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (polkit, postgresql, and zlib), openSUSE (389-ds and opera), Red Hat (kpatch-patch), SUSE (389-ds and util-linux), and Ubuntu (waitress). --------------------------------------------- https://lwn.net/Articles/890258/ ∗∗∗ Kyocera Printer: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Kyocera Printer ausnutzen, um Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0391 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- This issue may allow privileged code in a guest VM to cause the host to crash or become unresponsive. The issue only affects systems with Intel CPUs where the malicious guest VM has had a physical PCI device assigned to it by the host administrator using the PCI passthrough feature. The issue has the following identifier: CVE-2022-26357 Customers who have not assigned a physical PCI device to a guest VM are not affected by this issue. Customers who are running on systems with only AMD CPUs are also not affected by this issue. --------------------------------------------- https://support.citrix.com/article/CTX390511 ∗∗∗ Sicherheitsupdate für Webbrowser Google Chrome ∗∗∗ --------------------------------------------- https://heise.de/-6662814 ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple issues within Red Hat UBI packages and the IBM WebSphere Application Server Liberty shipped with IBM MQ Operator v1.7 CD Release ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Dojo Toolkil shipped with IBM Tivoli Netcool Impact (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by account enumeration and denial of service vulnerabilities (CVE-2022-22356 and CVE-2022-22355) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vuln… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by gson vulnerability (C2021-0419) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ K29855410: Vim vulnerabilities CVE-2022-0261, CVE-2022-0318, CVE-2022-0361, CVE-2022-0392, and CVE-2022-0413 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29855410?utm_source=f5support&utm_mediu… ∗∗∗ K08827426: Vim vulnerability CVE-2022-0359 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08827426?utm_source=f5support&utm_mediu… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 91.8 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/ ∗∗∗ Security Vulnerabilities fixed in Firefox 99 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2022
by Daily end-of-shift report 04 Apr '22

04 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-04-2022 18:00 − Montag 04-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fake-Shop-Alarm: Vorsicht beim Online-Einkauf von Markenware! ∗∗∗ --------------------------------------------- Wer Markenkleidung oder -schuhe online kaufen will, sollte sich vergewissern, dass das Angebot seriös ist. Denn derzeit tauchen zahlreiche Fake-Shops auf, die angeben, beliebte Markenware zu verkaufen. Keine dieser betrügerischen Shops hat ein Impressum auf der Seite, die Webadresse hat außerdem nichts mit den angebotenen Waren zu tun. Das sind typische Merkmale für Fake-Shops und gute Gründe, hier nicht einzukaufen! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-beim-online… ∗∗∗ Explaining Spring4Shell: The Internet security disaster that wasn’t ∗∗∗ --------------------------------------------- Vulnerability in the Spring Java Framework is important, but its no Log4Shell. --------------------------------------------- https://arstechnica.com/?p=1845362 ∗∗∗ Beastmode botnet boosts DDoS power with new router exploits ∗∗∗ --------------------------------------------- A Mirai-based distributed denial-of-service (DDoS) botnet tracked as Beastmode (aka B3astmode) has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos… ∗∗∗ Emptying the Phishtank: Are WordPress sites the Mosquitoes of the Internet?, (Mon, Apr 4th) ∗∗∗ --------------------------------------------- In November, an accountant working for a construction company received an innocent enough-looking email: An update on the terms to submit bills to a local county. Seeing the email, the accountant clicked on the link and quickly downloaded the new document after entering their Outlook 365 credentials. The PDF looked all right but was something the accountant had already downloaded a couple of weeks ago from the county’s official website. [...] This, turns out, was a typical case of “business email compromise.” --------------------------------------------- https://isc.sans.edu/diary/rss/28516 ∗∗∗ WordPress Popunder Malware Redirects to Scam Sites ∗∗∗ --------------------------------------------- Over the last year we’ve seen an ongoing malware infection which redirects website visitors to scam sites. So far this year our monitoring has detected over 3,000 websites infected with this injection this year and over 17,000 in total since we first detected it in March of 2021. The reported behaviour is always the same: After a few seconds of loading, the website will redirect to a dodgy scam site. --------------------------------------------- https://blog.sucuri.net/2022/04/wordpress-popunder-malware-redirects-to-sca… ∗∗∗ Brokenwire Hack Could Let Remote Attackers Disrupt Charging for Electric Vehicles ∗∗∗ --------------------------------------------- A group of academics from the University of Oxford and Armasuisse S+T has disclosed details of a new attack technique against the popular Combined Charging System (CCS) that could potentially disrupt the ability to charge electric vehicles at scale. Dubbed "Brokenwire," the method interferes with the control communications that transpire between the vehicle and charger to wirelessly abort the abort the charging sessions from a distance of as far as 47m (151ft). --------------------------------------------- https://thehackernews.com/2022/04/brokenwire-hack-could-let-remote.html ∗∗∗ Deep Dive Analysis - Borat RAT ∗∗∗ --------------------------------------------- [...] During our regular OSINT research, Cyble Research Labs came across a new Remote Access Trojan (RAT) named Borat. Unlike other RATs, the Borat provides Ransomware, DDOS services, etc., to Threat Actors along with usual RAT features, further expanding the malware capabilities. --------------------------------------------- https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/ ∗∗∗ FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 ∗∗∗ --------------------------------------------- Recent public research asserts threat groups sharing overlaps with FIN7 transitioned to targeted ransomware operations involving REVIL, DARKSIDE, BLACKMATTER, and ALPHV ransomware. With the purported shift to ransomware operations, Mandiant is publishing our research on the evolution of FIN7 which we haven’t publicly written about since Mahalo FIN7, published in 2019. --------------------------------------------- https://www.mandiant.com/resources/evolution-of-fin7 ∗∗∗ Hacker accessed 319 crypto- and finance-related Mailchimp accounts, company said ∗∗∗ --------------------------------------------- Email marketing firm Mailchimp announced on Monday that a hacker breached its internal tools and managed to gain access to 319 Mailchimp accounts for companies in the cryptocurrency and finance industries. --------------------------------------------- https://therecord.media/hacker-accessed-319-crypto-and-finance-related-mail… ∗∗∗ Kaseya Full Disclosure ∗∗∗ --------------------------------------------- In honor of our appearance on the Ransomware Files podcast episode #5 we are releasing the full details of the vulnerabilities we found during our research into Kaseya VSA of which some were used by REvil to attack Kaseya’s customers. The details can be found in our CVE entries: [...] --------------------------------------------- https://csirt.divd.nl/2022/04/04/Kaseya-VSA-Full-Disclosure/ ===================== = Vulnerabilities = ===================== ∗∗∗ 15-Year-Old Bug in PEAR PHP Repository Couldve Enabled Supply Chain Attacks ∗∗∗ --------------------------------------------- A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code. --------------------------------------------- https://thehackernews.com/2022/04/15-year-old-bug-in-pear-php-repository.ht… ∗∗∗ FG-IR-22-059: Vulnerability in OpenSSL library ∗∗∗ --------------------------------------------- A security advisory was released affecting the version of OpenSSL library used in some Fortinet products. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-059 ∗∗∗ VMSA-2022-0010 ∗∗∗ --------------------------------------------- A critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0010.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, qemu, and zlib), Fedora (389-ds-base, ghc-cmark-gfm, ghc-hakyll, gitit, libkiwix, openssl, pandoc, pandoc-citeproc, patat, phoronix-test-suite, seamonkey, and skopeo), Mageia (libtiff, openjpeg2, and php-smarty), openSUSE (python), Oracle (httpd), Red Hat (httpd), and SUSE (libreoffice, python, and python36). --------------------------------------------- https://lwn.net/Articles/890187/ ∗∗∗ Microsoft Edge 100.0.1185.29 fixt Schwachstellen ∗∗∗ --------------------------------------------- Microsoft hat zum 1. April 2022 (kein April-Scherz) den Chromium-Edge Browser auf die Version Edge 100.0.1185.29 aktualisiert. Es handelt sich um ein Wartungsupdate, das eine Reihe Schwachstellen schließt und den 100er-Entwicklungszweig einleitet. --------------------------------------------- https://www.borncity.com/blog/2022/04/02/microsoft-edge-100-0-1185-29-fixt-… ∗∗∗ Kaspersky Anti-Virus: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0384 ∗∗∗ Vulnerability in Spring Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Netty – CVE-2021-43797 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-netty-cv… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Cloud Pak for Security contains packages that have multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-co… ∗∗∗ Security Bulletin: Cross-Site Scripting and information disclosure vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2022 (CVE-2021-29835, CVE-39046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-… ∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server in Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2022
by Daily end-of-shift report 01 Apr '22

01 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-03-2022 18:00 − Freitag 01-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New BlackGuard password-stealing malware sold on hacker forums ∗∗∗ --------------------------------------------- A new information-stealing malware named BlackGuard is winning the attention of the cybercrime community, now sold on numerous darknet markets and forums for a lifetime price of $700 or a subscription of $200 per month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-blackguard-password-stea… ∗∗∗ Viasat confirms satellite modems were wiped with AcidRain malware ∗∗∗ --------------------------------------------- A newly discovered data wiper malware that wipes routers and modems has been deployed in the cyberattack that targeted the KA-SAT satellite broadband service to wipe SATCOM modems on February 24, affecting thousands in Ukraine and tens of thousands more across Europe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-mo… ∗∗∗ Phishing uses Azure Static Web Pages to impersonate Microsoft ∗∗∗ --------------------------------------------- Phishing attacks are abusing Microsoft Azures Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/phishing-uses-azure-static-… ∗∗∗ FORCEDENTRY: Sandbox Escape ∗∗∗ --------------------------------------------- In this post we'll take a look at that sandbox escape. It's notable for using only logic bugs. In fact it's unclear where the features that it uses end and the vulnerabilities which it abuses begin. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.h… ∗∗∗ iOS-Updates: Automatik braucht mehrere Wochen ∗∗∗ --------------------------------------------- Wer will, dass sein iPhone auf aktuellem Stand ist, sollte händisch aktualisieren. Die automatische Verteilung braucht lange, bestätigt Apples Softwarechef. --------------------------------------------- https://heise.de/-6657879 ∗∗∗ CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell) ∗∗∗ --------------------------------------------- CVE-2022-22965, aka SpringShell, is a remote code execution vulnerability in the Spring Framework. We provide a root cause analysis and mitigations. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/ ∗∗∗ The spectre of Stuxnet: CISA issues alert on Rockwell Automation ICS vulnerabilities ∗∗∗ --------------------------------------------- The flaws can be exploited to execute code on vulnerable controllers and workstations. --------------------------------------------- https://www.zdnet.com/article/cisa-issues-alert-on-critical-ics-vulnerabili… ∗∗∗ Spring Framework RCE, Mitigation Alternative ∗∗∗ --------------------------------------------- Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat’s side. While the vulnerability is not in Tomcat itself, in real world situations, it is important to be able to choose among multiple upgrade paths that in turn provides flexibility and layered protection. --------------------------------------------- https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternati… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-03-31 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise Certified Container, IBM Sterling Partner Engagement Manager, IBM QRadar Network Security, IBM Security Access Manager for Enterprise, IBM Urbancode Deploy, IBM Tivoli Application Dependency Discovery Manager, IBM Tivoli Netcool Impact, Watson Knowledge Catalog InstaScan --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Kritische Sicherheitslücke: Gitlab-Update außer der Reihe ∗∗∗ --------------------------------------------- Die Gitlab-Entwickler haben ein Update veröffentlicht, um Sicherheitslücken zu schließen. Eine kritische Lücke könnte Angreifern die Kontoübernahme ermöglichen. --------------------------------------------- https://heise.de/-6660080 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (wireshark), Fedora (389-ds-base), Mageia (golang, wavpack, and zlib), openSUSE (yaml-cpp), SUSE (expat and yaml-cpp), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.13, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-aws-hwe, linux-gcp-4.15, linux-oracle, linux-intel-5.13, and tomcat9). --------------------------------------------- https://lwn.net/Articles/889983/ ∗∗∗ Sicherheitsupdates: iOS 15.4.1 und macOS Monterey 12.3.1 ∗∗∗ --------------------------------------------- Apple hat zum 31. März 2022 zwei Sicherheitsupdates für macOS 12.3.1 (Monterey) und iOS/iPad OS 15.4.1 freigegeben. Diese schließen die Schwachstellen CVE-2022-22675 (in AppleAVD für iOS und macOS) und CVE-2022-22674 im macOS Intel Grafiktreiber. --------------------------------------------- https://www.borncity.com/blog/2022/04/01/sicherheitsupdates-ios-15-4-1-und-… ∗∗∗ K56241216: OpenLDAP vulnerabilities CVE-2020-25709 and CVE-2020-25710 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56241216 ∗∗∗ K44994972: Linux kernel vulnerability CVE-2020-25704 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44994972 ∗∗∗ Schneider Electric SCADAPack Workbench ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-01 ∗∗∗ Hitachi Energy e-mesh EMS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-02 ∗∗∗ Fuji Electric Alpha5 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-03 ∗∗∗ Mitsubishi Electric FA Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-04 ∗∗∗ General Electric Renewable Energy MDS Radios ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-06 ∗∗∗ CISA Adds Seven Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/31/cisa-adds-seven-k… ∗∗∗ Mehrere Schwachstellen in ZA|ARC (SYSS-2021-063/-064/-065/-066/-067) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-zaarc-syss-2021-… ∗∗∗ SA45100 - CVE-2022-0778-OpenSSL-Vulnerability may lead to DoS attack ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/CVE-2022-0778… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2022
by Daily end-of-shift report 31 Mar '22

31 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-03-2022 18:00 − Donnerstag 31-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spring patches leaked Spring4Shell zero-day RCE vulnerability ∗∗∗ --------------------------------------------- Spring released emergency updates to fix the Spring4Shell zero-day remote code execution vulnerability, which leaked prematurely online before a patch was released. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spring-patches-leaked-spring… ∗∗∗ Java: Exploit für RCE-Lücke in Spring geleakt ∗∗∗ --------------------------------------------- Unter Umständen reicht ein HTTP-Request, um Spring-Anwendungen eine Webshell unterzujubeln. Die Lücke wird wohl bereits ausgenutzt. --------------------------------------------- https://www.golem.de/news/java-exploit-fuer-rce-luecke-in-spring-geleakt-22… ∗∗∗ SpringShell Detector - searches compiled code (JAR/WAR binaries) for potentially vulnerable web apps ∗∗∗ --------------------------------------------- The SpringShell vulnerability may affect some web applications using Spring Framework, but requires a number of conditions to be exploitable. One specific condition which may be rather rare (and therefore render most applications non-exploitable in practice) is the existence of Spring endpoints which bind request parameters to a non-primitive (Java Bean) type. This tool can be used to scan compiled code and verify whether such endpoints exist in the codebase. --------------------------------------------- https://github.com/jfrog/jfrog-spring-tools ∗∗∗ Simple local Spring vulnerability scanner ∗∗∗ --------------------------------------------- This is a simple tool that can be used to find instances of Spring vulnerable to CVE-2022-22965 ("SpringShell") in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged. --------------------------------------------- https://github.com/hillu/local-spring-vuln-scanner ∗∗∗ Spring4Shell: Security Analysis of the latest Java RCE 0-day vulnerabilities in Spring ∗∗∗ --------------------------------------------- Weve been taking a look at the new zero-day exploit, dubbed Spring4Shell, supposedly discovered in Spring Core to determine if its a problem or not, as well as explained another RCE vulnerability found in Spring. --------------------------------------------- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities ∗∗∗ Calendly actively abused in Microsoft credentials phishing ∗∗∗ --------------------------------------------- Phishing actors are actively abusing Calendly to kick off a clever sequence to trick targets into entering their email account credentials on the phishing page. --------------------------------------------- https://www.bleepingcomputer.com/news/security/calendly-actively-abused-in-… ∗∗∗ Lazarus Trojanized DeFi app for delivering malware ∗∗∗ --------------------------------------------- We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor. --------------------------------------------- https://securelist.com/lazarus-trojanized-defi-app/106195/ ∗∗∗ Conti-nuation: methods and techniques observed in operations post the leaks ∗∗∗ --------------------------------------------- This post describes the methods and techniques we observed during recent incidents that took place after the Coni data leaks. --------------------------------------------- https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniqu… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns severe OpenSSL bug affects most of its NAS devices ∗∗∗ --------------------------------------------- Taiwan-based network-attached storage (NAS) maker QNAP warned on Tuesday that most of its NAS devices are impacted by a high severity OpenSSL bug disclosed two weeks ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-severe-openssl-bu… ∗∗∗ “VMware Spring Cloud” Java bug gives instant remote code execution – update now! ∗∗∗ --------------------------------------------- Easy unauthenticated remote code execution - PoC code already out --------------------------------------------- https://nakedsecurity.sophos.com/2022/03/30/vmware-spring-cloud-java-bug-gi… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgc and pjproject), Fedora (cobbler, mingw-openjpeg2, and openjpeg2), Mageia (openvpn), openSUSE (abcm2ps, fish3, icingaweb2, kernel-firmware, nextcloud, openSUSE-build-key, python2-numpy, salt, and zlib), Slackware (vim), SUSE (kernel-firmware, opensc, python2-numpy, python3, salt, and zlib), and Ubuntu (dosbox, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.13, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, [...] --------------------------------------------- https://lwn.net/Articles/889852/ ∗∗∗ The Old Switcheroo: Hiding Code on Rockwell Automation PLCs ∗∗∗ --------------------------------------------- CVE-2022-1161 affects numerous versions of Rockwell’s Logix Controllers and has a CVSS score of 10, the highest criticality. CVE-2022-1159 affects several versions of its Studio 5000 Logix Designer application, and has a CVSS score of 7.7, high severity. --------------------------------------------- https://claroty.com/2022/03/31/blog-research-hiding-code-on-rockwell-automa… ∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN42543427/ ∗∗∗ Anti Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-032 ∗∗∗ Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-web-query-for-i-i… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in NumPy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to HTTP request smuggling due to Netty (CVE-2021-43797) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-omnibu… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by Wget vulnerability (CVE-2021-31879) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Spring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Security Verify Access is vulnerable to obtaining sensitive information due to improper validation of JWT tokens. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-acces… ∗∗∗ CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778 (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0778 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2022
by Daily end-of-shift report 30 Mar '22

30 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-03-2022 18:00 − Mittwoch 30-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Mars Stealer malware pushed via OpenOffice ads on Google ∗∗∗ --------------------------------------------- A newly launched information-stealing malware variant called Mars Stealer is rising in popularity, and threat analysts are now spotting the first notable large-scale campaigns employing it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mars-stealer-malware-pushed-… ∗∗∗ Viasat shares details on KA-SAT satellite service cyberattack ∗∗∗ --------------------------------------------- US satellite communications provider Viasat has shared an incident report regarding the cyberattack that affected its KA-SAT consumer-oriented satellite broadband service on February 24, the day Russia invaded Ukraine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/viasat-shares-details-on-ka-… ∗∗∗ Angriff auf Schnellllader: Forscher können Ladevorgänge per Funk unterbrechen ∗∗∗ --------------------------------------------- CCS hat sich als Standard beim Schnellladen von Elektroautos etabliert. Doch der Ladevorgang lässt sich durch Funksignale zum Absturz bringen. --------------------------------------------- https://www.golem.de/news/schnelllladen-forscher-bringen-ccs-ladevorgaenge-… ∗∗∗ Threat Alert: First Python Ransomware Attack Targeting Jupyter Notebooks ∗∗∗ --------------------------------------------- Team Nautilus has uncovered a Python-based ransomware attack that, for the first time, was targeting Jupyter Notebook, a popular tool used by data practitioners. The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack. --------------------------------------------- https://blog.aquasec.com/python-ransomware-jupyter-notebook ∗∗∗ Kostenlose Webinar-Reihe: So schützen Sie sich im Internet ∗∗∗ --------------------------------------------- Mit Unterstützung der Arbeiterkammer Burgenland veranstalten unsere KollegInnen von saferinternet.at ab 5. April eine Webinar-Reihe. Die kostenlosen Webinare sind für alle interessierten Erwachsenen offen und beschäftigen sich mit dem sicheren und verantwortungsvollen Umgang mit digitalen Medien. Mit dabei sind auch ExpertInnen der Watchlist Internet. --------------------------------------------- https://www.watchlist-internet.at/news/kostenlose-webinar-reihe-so-schuetze… ∗∗∗ Investigating an engineering workstation – Part 2 ∗∗∗ --------------------------------------------- In this second post we will focus on specific evidence written by the TIA Portal. As you might remember, in the first part we covered standard Windows-based artefacts regarding execution of the TIA Portal and usage of projects. --------------------------------------------- https://blog.nviso.eu/2022/03/30/investigating-an-engineering-workstation-p… ∗∗∗ Advanced warning: probable remote code execution (RCE) in Spring, an extremely popular Java framework ∗∗∗ --------------------------------------------- This notice is intended to alert you that there may be a significant issue with Spring which, if confirmed, would require immediate attention.In the morning (New York time) on Wednesday, March 29th, 2022, a member of the security research team KnownSec posted a now-removed screenshot to Twitter purporting to show a trivially-exploited remote code execution vulnerability against Spring core, the most popular Java framework in use on the Internet. The researcher did not provide a proof-of-concept or public details. --------------------------------------------- https://bugalert.org/content/notices/2022-03-29-spring.html ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt aktualisieren! Angriffe auf Sicherheitslücke in Trend Micro Apex Central ∗∗∗ --------------------------------------------- Trend Micro warnt vor Angriffen auf eine Sicherheitslücke in zentralen Verwaltungssoftware Apex Central. Zum Abdichten des Lecks stehen Updates bereit. --------------------------------------------- https://heise.de/-6656849 ∗∗∗ VMSA-2022-0009 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.5 CVE(s): CVE-2022-22948 Synopsis: VMware vCenter Server updates address an information disclosure vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0009.html ∗∗∗ Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk ∗∗∗ --------------------------------------------- On February 15, 2022, the Wordfence Threat Intelligence team finished research on two separate vulnerabilities in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin with over 100,000 installations. [...] A patched version, 5.174.1, was made available on March 25, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/03/reflected-xss-in-spam-protection-ant… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (expat, firefox, httpd, openssl, and thunderbird), Debian (cacti), Fedora (kernel, rsh, unrealircd, and xen), Mageia (kernel and kernel-linus), openSUSE (apache2, java-1_8_0-ibm, kernel, openvpn, and protobuf), Oracle (openssl), Red Hat (httpd:2.4, kernel, kpatch-patch, and openssl), SUSE (apache2, java-1_7_1-ibm, java-1_8_0-ibm, kernel, openvpn, protobuf, and zlib), and Ubuntu (chromium-browser and paramiko). --------------------------------------------- https://lwn.net/Articles/889682/ ∗∗∗ SaltStack Salt: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in SaltStack Salt ausnutzen, um Dateien zu manipulieren, einen Denial of Service Zustand herbeizuführen, Privilegien zu erweitern oder beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0371 ∗∗∗ Trend Micro AntiVirus für Mac: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Trend Micro AntiVirus für Mac ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0370 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 100.0.4896.60 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/30/google-releases-s… ∗∗∗ Password-Hash-Preisgabe im CMS Statamic (SYSS-2022-022) ∗∗∗ --------------------------------------------- Im CMS Statamic können in der REST-API Passwort-Hash-Werte aller Benutzer:innen ausgelesen werden. Dies kann zur Übernahme der Website führen. --------------------------------------------- https://www.syss.de/pentest-blog/password-hash-preisgabe-in-statamic-cms-sy… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021and Jan 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: An Eclipse Jetty vulnerability affects IBM Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerab… ∗∗∗ PHOENIX CONTACT: Vulnerabilities in XML parser library Expat (libexpat) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-005/ ∗∗∗ Buffer Overflow Vulnerability in Recovery Image ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-446276-bt.html ∗∗∗ CVE-2022-0778: Sicherheitslücken mit Denial of Service-Potential in OpenSSL ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2022
by Daily end-of-shift report 29 Mar '22

29 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 28-03-2022 18:00 − Dienstag 29-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sophos warns critical firewall bug is being actively exploited ∗∗∗ --------------------------------------------- British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/sophos-warns-critical-firewall-… ∗∗∗ Triton Malware Still Targeting Energy Firms ∗∗∗ --------------------------------------------- The FBIs latest Private Industry Notification warns the energy sector that the group behind Triton is still up to no good. --------------------------------------------- https://www.darkreading.com/attacks-breaches/triton-malware-still-targeting… ∗∗∗ Linux-Kernel: Netfilter-Bug gibt Nutzern Root-Rechte ∗∗∗ --------------------------------------------- Im Linux-Kernel sind mehrere Fehler im Netfilter-Code gefunden worden, die es einem Nutzer ermöglichen, Root-Rechte zu erlangen. Das Kernel-Team hat für alle unterstützten Versionszweige Updates veröffentlicht. CVE-2022-1015, CVE-2022-1016). --------------------------------------------- https://www.golem.de/news/linux-kernel-netfilter-bug-gibt-nutzern-root-rech… ∗∗∗ A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages ∗∗∗ --------------------------------------------- A threat actor dubbed "RED-LILI" has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules. --------------------------------------------- https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.h… ∗∗∗ Betrügerische SMS im Namen der Volksbank ∗∗∗ --------------------------------------------- Aktuell kursieren betrügerische SMS im Namen der Volksbank. EmpfängerInnen werden dringlich aufgefordert, auf einen Link zu klicken – angeblich, weil das Konto gesperrt wurde. Achtung: Dabei handelt es sich um Betrug. Wer den Link anklickt, landet auf einer gefälschten Login-Seite der Volksbank. Dort werden Zugangsdaten gestohlen! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-sms-im-namen-der-volk… ∗∗∗ Log4Shell exploited to infect VMware Horizon servers with backdoors, crypto miners ∗∗∗ --------------------------------------------- A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated. According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. --------------------------------------------- https://www.zdnet.com/article/log4shell-exploited-to-infect-vmware-horizon-… ∗∗∗ Verblecon: Sophisticated New Loader Used in Low-level Attacks ∗∗∗ --------------------------------------------- Indications the attacker may not realize the potential capabilities of the malware they are using. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ve… ∗∗∗ Mitigating Attacks Against Uninterruptable Power Supply Devices ∗∗∗ --------------------------------------------- CISA and the Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptable power supply (UPS) devices, often through unchanged default usernames and passwords. Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/29/mitigating-attack… ===================== = Vulnerabilities = ===================== ∗∗∗ Wyze Cam flaw lets hackers remotely access your saved videos ∗∗∗ --------------------------------------------- The authentication bypass flaw tracked as CVE-2019-9564 was addressed by the Wyze team via a security update on September 24, 2019. The remote execution vulnerability, assigned CVE-2019-12266, was fixed via an app update on November 9, 2020, 21 months after its initial discovery. The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a fixing firmware update. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wyze-cam-flaw-lets-hackers-r… ∗∗∗ ZDI-22-545: (0Day) Siemens Simcenter Femap NEU File Parsing Out-Of-Bounds Write Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Siemens Simcenter Femap. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-545/ ∗∗∗ Kritische Schadcode-Lücke in In-Memory-Datenbank Redis geschlossen ∗∗∗ --------------------------------------------- Das Zusammenspiel von Debian-Systemen und Redis kann zu ernsten Sicherheitsproblemen führen. Dagegen abgesicherte Versionen schaffen Abhilfe. --------------------------------------------- https://heise.de/-6655726 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libdatetime-timezone-perl, pjproject, and tzdata), Mageia (chromium-browser-stable, docker, graphicsmagick, and libtiff), Oracle (expat), Red Hat (expat, httpd:2.4, openssl, and screen), Scientific Linux (expat and openssl), and Ubuntu (libtasn1-6, linux-oem-5.14, openjdk-lts, and paramiko). --------------------------------------------- https://lwn.net/Articles/889571/ ∗∗∗ Sicherheitswarnung: Authentifizierungsschwachstelle CVE-2022-0342 in Zyxel USG/ZyWALL ∗∗∗ --------------------------------------------- In verschiedenen Zyxel Firewall-Produkten gibt es eine kritische Authentifizierungs-Schwachstelle (CVE-2022-0342). Durch diese Sicherheitslücke wird eine Übernahme der Firewall möglich. Zyxel stellt zwar für Geräte, die noch im Support sind, Firmware-Updates bereits. --------------------------------------------- https://www.borncity.com/blog/2022/03/29/sicherheitswarnung-authentifizieru… ∗∗∗ CVE-2018-25032: Zlib Memory Corruption Vulnerability ∗∗∗ --------------------------------------------- You may be thinking: ‘Wait, this new CVE starts with 2018.., this must be a mistake?’. In fact, it is not a mistake. This is about a CVE that everyone thought was patched years ago but now appears to be alive and well. [...] Linux distributions such as Ubuntu and Alpine have already implemented the fix in their latest releases, so you may want to update Zlib to your platform’s release of version 1.2.12, and re-compile any programs with the updated library. --------------------------------------------- https://orca.security/resources/blog/zlib-memory-corruption-vulnerability-c… ∗∗∗ Security Bulletin: CVE-2021-44228 log4j affects MAS Monitor 8.4, 8.5 and 8.6 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-44228-log4j-affe… ∗∗∗ Security Bulletin: MAS Monitor 8.4, 8.5, and 8.6 log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mas-monitor-8-4-8-5-and-8… ∗∗∗ Security Bulletin: Critical Vulnerabilities in libraries used by libraries that IBM Spectrum discover is using (libraries of libraries) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-critical-vulnerabilities-… ∗∗∗ K33548065: Eclipse Jetty vulnerability CVE-2018-12536 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33548065?utm_source=f5support&utm_mediu… ∗∗∗ K03674368: Linux kernel vulnerability CVE-2021-3715 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03674368?utm_source=f5support&utm_mediu… ∗∗∗ Philips e-Alert ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-088-01 ∗∗∗ Rockwell Automation ISaGRAF ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-01 ∗∗∗ Omron CX-Position ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-02 ∗∗∗ Hitachi Energy LinkOne WebView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-03 ∗∗∗ Modbus Tools Modbus Slave ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2022
by Daily end-of-shift report 28 Mar '22

28 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-03-2022 18:00 − Montag 28-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Webbrowser: Notfallupdate für Google Chrome ∗∗∗ --------------------------------------------- Google hat neue Versionen vom Webbrowser Chrome veröffentlicht, die eine Sicherheitslücke schließen, für die bereits Exploit-Code existiert. --------------------------------------------- https://heise.de/-6638415 ∗∗∗ PayPal Funktion „Geld an Freunde senden“ nicht als Zahlungsmittel auf Online-Marktplätzen verwenden ∗∗∗ --------------------------------------------- Momentan melden uns Facebook-NutzerInnen betrügerische Inserate im Facebook Marketplace. Darin werden beispielsweise Gaming-Stühle zum Verschenken angeboten. Die Person verlangt nur 15 Euro für den Versand. Der Betrag sollte mit der PayPal-Funktion „Geld an Freunde senden“ übermittelt werden. Achtung: Dabei handelt es sich um Betrug! Sie verlieren Ihr Geld und erhalten kein Produkt! --------------------------------------------- https://www.watchlist-internet.at/news/paypal-funktion-geld-an-freunde-send… ∗∗∗ Public Redis exploit used by malware gang to grow botnet ∗∗∗ --------------------------------------------- Threat analysts report having spotted a change in the operations of the Muhstik threat group, which has now switched to actively exploiting a Lua sandbox escape flaw in Redis. --------------------------------------------- https://www.bleepingcomputer.com/news/security/public-redis-exploit-used-by… ∗∗∗ Hive ransomware ports its Linux VMware ESXi encryptor to Rust ∗∗∗ --------------------------------------------- The Hive ransomware operation has converted their VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims ransom negotiations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-li… ∗∗∗ The Mystery Admin User ∗∗∗ --------------------------------------------- One of our clients recently submitted a malware removal request with a curious problem: A mystery admin user kept getting re-created on their website. Try as they might, nothing they did would get rid of this user; it just kept coming back. --------------------------------------------- https://blog.sucuri.net/2022/03/the-mystery-admin-user.html ∗∗∗ Purple Fox Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks ∗∗∗ --------------------------------------------- The operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT, while also simultaneously upgrading their evasion mechanisms to bypass security software. "Users machines are targeted via trojanized software packages masquerading as legitimate application installers," Trend Micro researchers said in a report [...] --------------------------------------------- https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html ∗∗∗ Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware ∗∗∗ --------------------------------------------- A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report [...] --------------------------------------------- https://thehackernews.com/2022/03/hackers-hijack-email-reply-chains-on.html ∗∗∗ Under the hood of Wslink’s multilayered virtual machine ∗∗∗ --------------------------------------------- ESET researchers describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through its obfuscation techniques --------------------------------------------- https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-vi… ∗∗∗ Vulnerability Management in a nutshell ∗∗∗ --------------------------------------------- Vulnerability Management plays an important role in an organization’s line of defense. However, setting up a Vulnerability Management process can be very time consuming. This blogpost will briefly cover the core principles of Vulnerability Management and how it can help protect your organization against threats and adversaries looking to abuse weaknesses. --------------------------------------------- https://blog.nviso.eu/2022/03/28/vulnerability-management-in-a-nutshell/ ∗∗∗ Ransomware profile: RansomExx ∗∗∗ --------------------------------------------- A comprehensive profile of the RansomExx ransomware strain. --------------------------------------------- https://blog.emsisoft.com/en/41027/ransomware-profile-ransomexx/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Sophos Firewall könnte Schadcode passieren lassen ∗∗∗ --------------------------------------------- Die Firewall von Sophos ist löchrig. Aktualisierte Versionen lösen das Sicherheitsproblem. --------------------------------------------- https://heise.de/-6653493 ∗∗∗ Whitepaper – Double Fetch Vulnerabilities in C and C++ ∗∗∗ --------------------------------------------- Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes. As much of this information is spread across various sources, this whitepaper, draws the knowledge together into a single place, in order to better describe the different [...] --------------------------------------------- https://research.nccgroup.com/2022/03/28/whitepaper-double-fetch-vulnerabil… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and faad2), Fedora (dotnet3.1, libass, linux-firmware, python-paramiko, seamonkey, and xen), openSUSE (perl-DBD-SQLite and wavpack), Slackware (seamonkey), SUSE (perl-DBD-SQLite and wavpack), and Ubuntu (binutils, python2.7, python3.4, python3.5, python3.6, python3.8, and smarty3). --------------------------------------------- https://lwn.net/Articles/889423/ ∗∗∗ CISA Adds 66 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/25/cisa-adds-66-know… ∗∗∗ Microsoft Security Update Revisions (25. März 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 25. März 2022 noch einige Revisionen für Sicherheitsupdates veröffentlicht. In den Revisionen werden geänderte Einschätzungen zu Schwachstellen thematisiert. Hier eine unkommentierte Übersicht. --------------------------------------------- https://www.borncity.com/blog/2022/03/28/microsoft-security-update-revision… ∗∗∗ SonicWall SonicOS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0348 ∗∗∗ PowerDNS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0358 ∗∗∗ Cross-Site Scripting-Schwachstelle in DHC Vision (SYSS-2022-019) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-scripting-schwachstelle-in-dhc-… ∗∗∗ SQL Injection in der B2B Suite des Shopware e-Commerce Frameworks (SYSS-2022-018) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/sql-injection-in-der-b2b-suite-des-shopwar… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35550, CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: Cross Site Scripting may affect IBM Business Automation Workflow and IBM Case Manager (ICM) – CVE-2020-4768 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-may-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2022-23181 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-42340 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2022
by Daily end-of-shift report 25 Mar '22

25 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-03-2022 18:00 − Freitag 25-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing kits constantly evolve to evade security software ∗∗∗ --------------------------------------------- Modern phishing kits sold on cybercrime forums as off-the-shelve packages feature multiple and sophisticated detection avoidance and traffic filtering systems to ensure that internet security solutions wont mark them as a threat. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-kits-constantly-evo… ∗∗∗ Malicious Microsoft Excel add-ins used to deliver RAT malware ∗∗∗ --------------------------------------------- Researchers report a new version of the JSSLoader remote access trojan being distributed via malicious Microsoft Excel addins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-ad… ∗∗∗ Racing against the clock -- hitting a tiny kernel race window ∗∗∗ --------------------------------------------- This is a writeup of how I managed to hit the race on a normal Linux desktop kernel, with a hit rate somewhere around 30% if the proof of concept has been tuned for the specific machine. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting… ∗∗∗ XLSB Files: Because Binary is Stealthier Than XML, (Fri, Mar 25th) ∗∗∗ --------------------------------------------- In one of his last diaries, Brad mentioned an Excel sheet named with a .xlsb extension. Now, it was my turn to find one... --------------------------------------------- https://isc.sans.edu/diary/rss/28476 ∗∗∗ Linux-Malware bedroht Windows ∗∗∗ --------------------------------------------- Es taucht immer mehr Malware auf, die das Windows Subsytem for Linux (WSL) als Einfallstor nutzen. Die Gefahr steigt, warnen Sicherheitsforscher. --------------------------------------------- https://heise.de/-6631700 ∗∗∗ Mining data from Cobalt Strike beacons ∗∗∗ --------------------------------------------- Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we’ve collected over 128,000 beacons from over 24,000 active Team Servers. --------------------------------------------- https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-bea… ∗∗∗ E-Mails mit Anschuldigungen der Polizei sind Fake! ∗∗∗ --------------------------------------------- Auch Sie haben ein E-Mail von der Polizei oder dem Bundeskriminalamt erhalten, das Sie der Kinderpornografie, Pädophilie und des Exhibitionismus beschuldigt? Das E-Mail ist fake, die Anschuldigungen frei erfunden. Antworten Sie nicht und löschen Sie die Nachricht am besten. --------------------------------------------- https://www.watchlist-internet.at/news/e-mails-mit-anschuldigungen-der-poli… ∗∗∗ Crypto malware in patched wallets targeting Android and iOS devices ∗∗∗ --------------------------------------------- ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets. --------------------------------------------- https://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-ta… ===================== = Vulnerabilities = ===================== ∗∗∗ URL rendering trick enabled WhatsApp, Signal, iMessage phishing ∗∗∗ --------------------------------------------- A set of flaws affecting the worlds leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, has allowed threat actors to create legitimate-looking phishing URLs for the past three years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/url-rendering-trick-enabled-… ∗∗∗ Western Digital schließt Root-Schadcode-Lücke in My-Cloud-Netzwerkspeichern ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für verschiedene NAS-Modelle von Western Digital. --------------------------------------------- https://heise.de/-6630582 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff), Fedora (nicotine+ and openvpn), openSUSE (bind, libarchive, python3, and slirp4netns), Oracle (cyrus-sasl, httpd, httpd:2.4, and openssl), Red Hat (httpd and httpd:2.4), Scientific Linux (httpd), SUSE (bind, libarchive, python3, and slirp4netns), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/889265/ ∗∗∗ ZDI-22-538: (0Day) Epic Games Launcher Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-538/ ∗∗∗ ZDI-22-537: (0Day) Epic Games Launcher Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-537/ ∗∗∗ ZDI-22-536: (0Day) Electronic Arts Origin Web Helper Service Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-536/ ∗∗∗ ZDI-22-541: (0Day) Array Networks MotionPro Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-541/ ∗∗∗ Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nims… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by denial of service vulnerabilities in OpenSSL (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by an OpenSSL vulnerability (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0342 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2022
by Daily end-of-shift report 24 Mar '22

24 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-03-2022 18:00 − Donnerstag 24-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns ∗∗∗ --------------------------------------------- Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years. According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server. --------------------------------------------- https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.ht… ∗∗∗ Doppelter Betrug: Phishing-Konzept mit Browser-In-The-Browser-Attacke ausgebaut ∗∗∗ --------------------------------------------- In seinem Beispiel macht sich der Sicherheitsforscher das OAuth-Fenster zunutze. In seiner Demo baut er es via HTML/CSS exakt nach und versieht es mit einer legitimen Google-URL inklusive HTTPS-Schloss-Symbol. Dadurch fällt es Opfern schwerer, den Betrug aufzudecken und eingegebene Passwörter landen bei Betrügern. Einen Schwachpunkt hat dieser Ansatz aber: Der Ausgangspunkt von einer BITB-Attacke ist eine Phishing-Website, die das OAuth-Anmeldeverfahren mit dem Fake-Fenster anbietet. Dahin müssen Betrüger Opfer erst mal locken, ohne dass Verdacht aufkommt. --------------------------------------------- https://heise.de/-6621914 ∗∗∗ A Closer Look at the LAPSUS$ Data Extortion Group ∗∗∗ --------------------------------------------- Microsoft and identity management platform Okta both disclosed this week breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish the information unless a ransom demand is paid. Heres a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations. --------------------------------------------- https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extort… ===================== = Vulnerabilities = ===================== ∗∗∗ Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission.The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-031 ∗∗∗ Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030 ∗∗∗ --------------------------------------------- Security risk: Critical The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-030 ∗∗∗ Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121) ∗∗∗ --------------------------------------------- Western Digital published a firmware update (5.19.117) which entirely removed support for the open source third party vulnerable service "Depreciated Netatalk Service". As this vulnerability was addressed in the upstream Netatalk code, CVE-2022-23121 was assigned and a ZDI advisory published together with a new Netatalk release 3.1.13 distributed which fixed this vulnerability together with a number of others. --------------------------------------------- https://research.nccgroup.com/2022/03/24/remote-code-execution-on-western-d… ∗∗∗ Splunk: SVD-2022-0301 Indexer denial-of-service via malformed S2S request ∗∗∗ --------------------------------------------- CVSSv3.1 Score: 7.5, High CVE ID: CVE-2021-3422 The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. --------------------------------------------- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.h… ∗∗∗ VMware Carbon App Control: Angreifer könnten Schadcode auf Server schieben ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen zwei kritische Lücken in Carbon App Control für Windows. --------------------------------------------- https://heise.de/-6619596 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-twig), Mageia (abcm2ps, libpano13, and pesign), openSUSE (nextcloud and xen), Oracle (kernel, kernel-container, and openssl), SUSE (java-1_7_1-ibm and xen), and Ubuntu (linux-oem-5.14, openvpn, and thunderbird). --------------------------------------------- https://lwn.net/Articles/889120/ ∗∗∗ Schwachstelle in Windows 3CX-Telefonanlagen, Patchen ist angesagt ∗∗∗ --------------------------------------------- Wer unter Windows ein 3CX-System (Telefonanlage) in einer Version unterhalb v18 Update 3 (Build 450) betreibt, sollte reagieren. Der Hersteller hat ein Sicherheitsupdate für dieses Produkt in Form der v18 Update 3 (Build 450) veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/03/24/schwachstelle-in-windows-3cx-telef… ∗∗∗ Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-order-manage… ∗∗∗ Security Bulletin: IBM Security Verify Governance, Identity Manager virtual appliance component is vulnerable to denial of service (CVE-2021-38951) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35550). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin:IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 affects IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-sdk-java-technology-ed… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35603). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Vulnerabilities with Expat affect IBM Cloud Object Storage Systems (Mar 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-expa… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-order-manage… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2022-22374 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35578). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-006/ ∗∗∗ Yokogawa CENTUM and Exaopc ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-083-01 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-083-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.03.2022
by Daily end-of-shift report 23 Mar '22

23 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-03-2022 18:00 − Mittwoch 23-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Okta confirms 2.5% customers impacted by hack in January ∗∗∗ --------------------------------------------- Okta, a major provider of access management systems, says that 2.5%, or approximately 375 customers, were impacted by a cyberattack claimed by the Lapsus$ data extortion group. --------------------------------------------- https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-cus… ∗∗∗ Raccoon Stealer – An Insight into Victim “Gates” ∗∗∗ --------------------------------------------- Raccoon Stealer is an information stealer sold to ‘affiliates’ as a Malware-as-a-Service (MaaS) on multiple underground forums. Affiliates are provided access to a control panel hosted on the Tor network as an onion site, where they can generate new malware builds and review data collected from infected hosts. --------------------------------------------- https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-vict… ∗∗∗ Ransomware: Microsoft bestätigt Hack durch Lapsus$ ∗∗∗ --------------------------------------------- Nach der Veröffentlichung von Code durch Lapsus$ bestätigt Microsoft nun den Hack. Der sei aber sehr begrenzt gewesen. --------------------------------------------- https://www.golem.de/news/ransomware-microsoft-bestaetigt-hack-durch-lapsus… ∗∗∗ DEV-0537 criminal actor targeting organizations for data exfiltration and destruction ∗∗∗ --------------------------------------------- The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. --------------------------------------------- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-… ∗∗∗ Exploring a New Class of Kernel Exploit Primitive ∗∗∗ --------------------------------------------- MSRC receives a wide variety of cases spanning different products, bug types and exploit primitives. One particularly interesting primitive we see is an arbitrary kernel pointer read. --------------------------------------------- https://msrc-blog.microsoft.com/2022/03/22/exploring-a-new-class-of-kernel-… ∗∗∗ Arkei Variants: From Vidar to Mars Stealer, (Wed, Mar 23rd) ∗∗∗ --------------------------------------------- Sometime in 2018, a new information stealer named Vidar appeared. Analysis revealed Vidar is an information stealer that is a copycat or fork of Arkei malware. Since that time, Vidar has led to other Arkei-based variants. --------------------------------------------- https://isc.sans.edu/diary/rss/28468 ∗∗∗ Dissecting a Phishing Campaign with a Captcha-based URL ∗∗∗ --------------------------------------------- In today’s environment, much of the population are doing their bank or financial transactions online and online banking or wire transfers have become a huge necessity. Recently, we received a phishing email that is targeting PayPal accounts. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dissecting-… ∗∗∗ A journey into IoT – Unknown Chinese alarm – Part 1 – Discover components and ports ∗∗∗ --------------------------------------------- So, after a couple of introductory articles, let’s start with a series of articles on an analysis executed on an unknown device. I received a Chinese smart alarm, clone of the Xiaomi Smart Home system, and it seemed perfect for the purpose. --------------------------------------------- https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-… ∗∗∗ Alte Tricks, neue Korplug‑Variante: Hodur von Mustang Panda ∗∗∗ --------------------------------------------- ESET-Forscher haben eine zuvor undokumentierte Korplug-Variante namens Hodur entdeckt, die von Mustang Panda verbreitet wird. Sie nutzt Phishing-Köder, die auf aktuelle Ereignisse in Europa anspielen, einschließlich der Invasion in der Ukraine. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/03/23/alte-tricks-neue-korplug-… ∗∗∗ Fake-Shop auf idealo.com.de! ∗∗∗ --------------------------------------------- Kriminelle haben die Website der Preisvergleichsplattformen idealo.at und idealo.de nachgebaut. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-auf-idealocomde/ ===================== = Vulnerabilities = ===================== ∗∗∗ Netatalk < 3.1.13: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Netatalk 3.1.13 behebt die folgenden Schwachstellen: CVE-2021-31439, CVE-2022-23121, CVE-2022-23123, CVE-2022-23122, CVE-2022-23125, CVE-2022-23124, CVE-2022-0194 --------------------------------------------- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (cyrus-sasl, openssl, sphinx, and swtpm), openSUSE (qemu), Red Hat (expat, rh-mariadb103-mariadb, and rh-mariadb105-mariadb), SUSE (apache2, binutils, java-1_7_0-ibm, kernel-firmware, nodejs12, qemu, and xen), and Ubuntu (ckeditor and linux, linux-aws, linux-kvm, linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/888994/ ∗∗∗ Bosch Fire Monitoring System (FSM) affected by log4net Vulnerability ∗∗∗ --------------------------------------------- A vulnerability has been discovered affecting the Bosch Fire Monitoring System (FSM-2500, FSM-5000, FSM-10k and obsolete FSM-10000). The issue applies to FSM server with version 5.6.630 and lower, and FSM client with version 5.6.2131 and lower. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-479793-bt.html ∗∗∗ ZDI-22-524: (Pwn2Own) NETGEAR R6700v3 libreadycloud.so Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-524/ ∗∗∗ ZDI-22-523: (Pwn2Own) NETGEAR R6700v3 circled Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-523/ ∗∗∗ ZDI-22-522: (Pwn2Own) NETGEAR R6700v3 readycloud_control.cgi Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-522/ ∗∗∗ ZDI-22-521: (Pwn2Own) NETGEAR R6700v3 Missing Authentication for Critical Function Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-521/ ∗∗∗ ZDI-22-520: (Pwn2Own) NETGEAR R6700v3 Improper Certificate Validation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-520/ ∗∗∗ ZDI-22-519: (Pwn2Own) NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-519/ ∗∗∗ ZDI-22-518: (Pwn2Own) NETGEAR R6700v3 httpd Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-518/ ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Multiple vulnerabilities in WebSphere Service Registry and Repository in packages such as Apache Struts and Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Service Registry and Repository due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Db2 Big SQL is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-is-vulner… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to information exposure due to IBM WebSphere Application Server Liberty (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Vulnerability in Apache log4j affects WebSphere Service Registry and Repository (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to information exposure due to IBM WebSphere Application Server Liberty (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to LDAP injection due to WebSphere Application Server Liberty (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Cloudera Data Platform Private Cloud Base with IBM products have log messages vulnerable to arbitrary code execution, denial of service, remote code execution, and SQL injection due to Apache Log4j vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloudera-data-platform-pr… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2022-22316) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM WebSphere eXtreme Scale is vulnerable to arbitrary code execution due to Apache Log4j v1.x (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-extreme-sca… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Elastic Storage System (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ VMSA-2022-0008 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0008.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2022
by Daily end-of-shift report 22 Mar '22

22 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 21-03-2022 18:00 − Dienstag 22-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Serpent malware campaign abuses Chocolatey Windows package manager ∗∗∗ --------------------------------------------- Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new Serpent backdoor malware on systems of French government agencies and large construction firms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abu… ∗∗∗ Conti Ransomware V. 3, Including Decryptor, Leaked ∗∗∗ --------------------------------------------- The latest is a fresher version of the ransomware pro-Ukraine researcher ContiLeaks already released, but it’s reportedly clunkier code. Pro-Ukraine security researcher @ContiLeaks yesterday uploaded a fresher version of Conti ransomware than they had previously released – specifically, the source code for Conti Ransomware V3.0 – to VirusTotal. --------------------------------------------- https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/1790… ∗∗∗ CryptoRom Crypto Scam Abusing iPhone Features to Target Mobile Users ∗∗∗ --------------------------------------------- Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been deceiving unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips. --------------------------------------------- https://thehackernews.com/2022/03/cryptorom-crypto-scam-abusing-iphone.html ∗∗∗ Microsoft und Okta: Hacker-Gruppe Lapsus$ hat offenbar erneut zugeschlagen ∗∗∗ --------------------------------------------- Derzeit untersuchen Microsoft bei Azure DevOps und der Zugriffsmanagement-Dienstleister Okta unberechtigte Server-Zugriffe. --------------------------------------------- https://heise.de/-6603364 ∗∗∗ Ausgesperrt? Vorsicht vor unseriösen Schlüsseldiensten ∗∗∗ --------------------------------------------- Sie haben sich ausgesperrt und benötigen einen Schlüsseldienst, um wieder in Ihre Wohnung zu kommen? Bleiben Sie ruhig, recherchieren Sie sorgfältig und überprüfen Sie das Unternehmen genau! Bedenken Sie: Die ersten Google-Suchergebnisse sind nicht immer die besten. Im Gegenteil: Wie Erfahrungen und Analysen zeigen, sind viele beworbene Schlüsseldienste unseriös! --------------------------------------------- https://www.watchlist-internet.at/news/ausgesperrt-vorsicht-vor-unserioesen… ∗∗∗ Sandworm: A tale of disruption told anew ∗∗∗ --------------------------------------------- [..] BlackEnergy, TeleBots, GreyEnergy, Industroyer, NotPetya, Exaramel, and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases, except the last four, the cybersecurity community discovered enough code similarities, shared command and control infrastructure, malware execution chains and other hints to attribute all the malware samples to one overarching group – Sandworm. Who is Sandworm? --------------------------------------------- https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-ane… ∗∗∗ FBI and FinCEN Release Advisory on AvosLocker Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/22/fbi-and-fincen-re… ∗∗∗ Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS ∗∗∗ --------------------------------------------- In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. --------------------------------------------- https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick… ∗∗∗ Facestealer-Trojaner aus der Google Play Store-App Craftsart Cartoon Photo Tools klaut Facebook-Zugangsdaten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Pradeo haben eine Android-App Craftsart Cartoon Photo Tools im Google Play Store entdeckt. Diese ist mit dem bekannten Facestealer-Trojaner verseucht und 100.000 Leute haben die App auf ihre Geräte gezogen. --------------------------------------------- https://www.borncity.com/blog/2022/03/22/facestealer-trojaner-aus-der-googl… ∗∗∗ Cobalt Strike: Overview – Part 7 ∗∗∗ --------------------------------------------- This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods. --------------------------------------------- https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/ ∗∗∗ Detecting shadow credentials ∗∗∗ --------------------------------------------- This article is about my journey into tracing changes to the msDS-KeyCredentialLink attribute to verify if their origin is legitimate or a potential attack (aka. Shadow Credentials). --------------------------------------------- https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/ ∗∗∗ 8 Tips for Securing Networks When Time Is Scarce ∗∗∗ --------------------------------------------- In light of increased cyber risk surrounding the Russia-Ukraine conflict, we’ve put together 8 tips that defenders can take right now to prepare. --------------------------------------------- https://www.rapid7.com/blog/post/2022/03/22/8-tips-for-securing-networks-wh… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006 ∗∗∗ --------------------------------------------- Security risk: Moderately critical Vulnerability: Third-party libraries CVE IDs: CVE-2022-24775 Description: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. --------------------------------------------- https://www.drupal.org/sa-core-2022-006 ∗∗∗ Multiple Vulnerabilities in GARO Wallbox ∗∗∗ --------------------------------------------- 1. Without Authentication(CVE-2021-45878) 2. Hard Coded Credentials for Tomcat Manager(CVE-2021-45877) 3. Unauthenticated Command Injection(CVE-2021-45876) --------------------------------------------- https://github.com/delikely/advisory/tree/main/GARO ∗∗∗ Kritische Sicherheitslücken in mehr als 200 HP-Drucker-Modellen ∗∗∗ --------------------------------------------- Zahlreiche HP-Drucker haben Sicherheitslücken, durch die Angreifer Schadcode einschleusen und ausführen könnten. Firmware-Updates schaffen Abhilfe. --------------------------------------------- https://heise.de/-6605306 ∗∗∗ Sophos schließt Sicherheitslücken in Unified Threat Management-Firmware ∗∗∗ --------------------------------------------- Eine neue Firmware-Version schließt unter anderem Sicherheitslücken, durch die angemeldete Nutzer Schadcode hätten ausführen können. --------------------------------------------- https://heise.de/-6602749 ∗∗∗ Cyclops-Blink-Botnet: Asus-Router im Fokus, Firmware-Updates verfügbar ∗∗∗ --------------------------------------------- Die Cybergang Sandworm hat ihr Cyclops-Blink-Botnet inzwischen auf Asus-Router angesetzt. Firmware-Updates sollen dem Befall vorbeugen. --------------------------------------------- https://heise.de/-6604576 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and thunderbird), Fedora (abcm2ps, containerd, dotnet6.0, expat, ghc-cmark-gfm, moodle, openssl, and zabbix), Mageia (389-ds-base, apache, bind, chromium-browser-stable, nodejs-tar, python-django/python-asgiref, and stunnel), openSUSE (icingaweb2, lapack, SUSE:SLE-15-SP4:Update (security), and thunderbird), Oracle (openssl), Slackware (bind), SUSE (apache2, bind, glibc, kernel-firmware, lapack, net-snmp, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.13, linux-gcp, linux-hwe-5.13, linux-kvm, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-gcp-4.15, linux-kvm, linux-oracle, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/888859/ ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-23192) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Watson Knowledge Catalog in Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2124) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-21282, CVE-2022-21296, CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K31323265: OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31323265?utm_source=f5support&utm_mediu… ∗∗∗ PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-007/ ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-081-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2022
by Daily end-of-shift report 21 Mar '22

21 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-03-2022 18:00 − Montag 21-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Elden Ring: Hacker zerstören Spielstände ∗∗∗ --------------------------------------------- Invasionen feindlicher Spieler sind noch gefährlicher geworden, denn eine Sicherheitslücke kann Elden Ring zum Absturz zu bringen. --------------------------------------------- https://www.golem.de/news/elden-ring-hacker-zerstoeren-spielstaende-2203-16… ∗∗∗ Sicherheitsanalyse zum Industrieprotokoll OPC UA aktualisiert ∗∗∗ --------------------------------------------- Die Studie des BSI liefert eine Bewertung der spezifizierten und realisierten Sicherheitsfunktionen von OPC UA. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Willhaben-VerkäuferInnen aufgepasst: Kurierdienst von Willhaben ist Betrug ∗∗∗ --------------------------------------------- Auf willhaben.at inseriert? Dann nehmen Sie sich vor betrügerischen KäuferInnen in Acht! Betrügerische KäuferInnen schlagen Ihnen vor, die Zahlung und Übergabe der Ware über den „Kurierdienst PayLivery AG“ vorzunehmen. Der Link zur Webseite, auf der dieser „Kurierdienst“ beschrieben wird, wird gleich mitgesendet. Vorsicht: Diesen Kurierdienst gibt es gar nicht. Die Webseite willhaben-at.shop/help.html ist gefälscht und gehört nicht zu willhaben.at! --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-verkaeuferinnen-aufgepasst… ∗∗∗ Free decryptor released for TrickBot gangs Diavol ransomware ∗∗∗ --------------------------------------------- Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ New Phishing toolkit lets anyone create fake Chrome browser windows ∗∗∗ --------------------------------------------- A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-lets-an… ∗∗∗ Meet Exotic Lily, access broker for ransomware and other malware peddlers ∗∗∗ --------------------------------------------- Exotic Lily is the name given to a group of cybercriminals that specialized as an initial access broker, serving groups like Conti and Diavol ransomware. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-acc… ∗∗∗ APT35 Automates Initial Access Using ProxyShell ∗∗∗ --------------------------------------------- In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks [...] --------------------------------------------- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Western Digital EdgeRover geschlossen ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate für Western Digitals Datenverwaltungsanwendung EdgeRover sperrt Angreifer aus. --------------------------------------------- https://heise.de/-6594172 ∗∗∗ A Bug That Doesnt Want To Die (CVE-2021-34484) ∗∗∗ --------------------------------------------- In November we issued a micropatch for a local privilege escalation in User Profile Service. This vulnerability was found and reported to Microsoft by security researcher Abdelhamid Naceri and assigned CVE-2021-34484 when initially fixed. Abdelhamid subsequently noticed that Microsofts patch was incomplete and wrote a POC to bypass it. Based on that information, we were able to create a micropatch for what was then considered a 0day [...] --------------------------------------------- https://blog.0patch.com/2022/03/a-bug-that-doesnt-want-to-die-cve-2021.html ∗∗∗ Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day) ∗∗∗ --------------------------------------------- Update 3/21/2022: Microsofts fix for this issue turned out to be flawed. We ported our micropatches to all affected Windows versions and made them all FREE for everyone again. --------------------------------------------- https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, libgit2, libpano13, paramiko, usbredir, and wordpress), Fedora (expat, kernel, openexr, thunderbird, and wordpress), openSUSE (chromium, frr, and weechat), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), SUSE (frr), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/888686/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0332 ∗∗∗ MISP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0331 ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities fixed in IBM Maximo Application Suite Monitor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Answer Retrieval for Watson Discovery is vulnerable to phishing attacks due to Swagger UI (CVE number(s) 221508) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-answer-retrieval-for-… ∗∗∗ Security Bulletin: urllib upgrade CVE-2021-33503, CVE-2021-28363 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-urllib-upgrade-cve-2021-3… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Spectrum Protect 8.1.14.000 Server is vulnerable to bypass of security restrictions (CVE-2022-22394) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-8-1-… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-2369) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE related to the Libraries component affects IBM Control Center (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: Vulnerabilities in Java SE and Eclipse OpenJ9 affect IBM Control Center (CVE-2020-14803 & CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2022
by Daily end-of-shift report 18 Mar '22

18 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-03-2022 18:00 − Freitag 18-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Unix rootkit used to steal ATM banking data ∗∗∗ --------------------------------------------- Threat analysts following the activity of LightBasin, a financially motivated group of hackers, report the discovery of a previously unknown Unix rootkit that is used to steal ATM banking data and conduct fraudulent transactions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-unix-rootkit-used-to-ste… ∗∗∗ Open Source: NPM-Paket löscht Dateien aus Protest gegen Ukrainekrieg ∗∗∗ --------------------------------------------- Ein weitverbreitetes NPM-Paket löscht die Dateien von russischen Entwicklern und vervielfältigt Anti-Kriegsbotschaften. --------------------------------------------- https://www.golem.de/news/open-source-npm-paket-loescht-dateien-aus-protest… ∗∗∗ Scans for Movable Type Vulnerability (CVE-2021-20837), (Fri, Mar 18th) ∗∗∗ --------------------------------------------- Yesterday, our honeypots started seeing many requests scanning for the Movable Type API. Movable Type is a content management system comparable to WordPress or Drupal. --------------------------------------------- https://isc.sans.edu/diary/rss/28454 ∗∗∗ New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers ∗∗∗ --------------------------------------------- ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks. --------------------------------------------- https://thehackernews.com/2022/03/new-variant-of-russian-cyclops-blink.html ∗∗∗ Neue Phishing-Methode kombiniert Fax und Captchas ∗∗∗ --------------------------------------------- Um den Anti-Phishing-Filter auszutricksen, packt eine neue Angriffsmethode Links in Fax-PDFs und versteckt die gefälschte Webseite hinter einem Google-Captcha. --------------------------------------------- https://heise.de/-6587105 ∗∗∗ How to protect RDP ∗∗∗ --------------------------------------------- RDP is still a popular target for attackers, so how do you keep your remote desktops safe? --------------------------------------------- https://blog.malwarebytes.com/security-world/business-security-world/2022/0… ∗∗∗ Diese Betrugsmaschen sollten LinkedIn-NutzerInnen kennen ∗∗∗ --------------------------------------------- LinkedIn wird vor allem mit Professionalität verbunden. Das ist wohl auch ein Grund, wieso LinkedIn weniger mit Betrug in Zusammenhang gebracht wird. Das spielt Kriminellen in die Hände, die mit Fake-Profilen Schadsoftware verbreiten können, betrügerische Jobs anbieten oder mit Hilfe von Phishing-Mails versuchen an sensible Daten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/diese-betrugsmaschen-sollten-linkedi… ∗∗∗ Strengthening Cybersecurity of SATCOM Network Providers and Customers ∗∗∗ --------------------------------------------- CISA and FBI strongly encourage critical infrastructure organizations and, specifically, organizations that are SATCOM network providers or customers to review the joint CSA and implement the mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/17/strengthening-cyb… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-treq), Fedora (openvpn, pesign, rust-regex, and thunderbird), Oracle (expat), Red Hat (kpatch-patch-4_18_0-147_58_1), Slackware (bind and openssl), SUSE (python-lxml), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/888412/ ∗∗∗ CVE-2021-28372: How a Vulnerability in Third-Party Technology Is Leaving Many IP Cameras and Surveillance Systems Vulnerable ∗∗∗ --------------------------------------------- CVE-2021-28372, a vulnerability in third-party software commonly built into many IP cameras, highlights issues in IoT supply chain security. --------------------------------------------- https://unit42.paloaltonetworks.com/iot-supply-chain-cve-2021-28372/ ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect IBM Decision Optimization Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ may affect IBM ILOG CPLEX Optimization Studio (CVE-2022-21360, CVE-2022-21365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-4104, CVE-2021-29469, CVE-2021-44531, CVE-2021-44531, CVE-2022-21824, CVE-2021-29899, CVE-2021-27290 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: Information disclosure vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-CVE-2021-39046 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect IBM Decision Optimization Center (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ Runtime may affect IBM Decision Optimization Center (CVE-2022-21360, CVE-2022-21365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K08173228: Multiple Intel CPU vulnerabilities ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08173228 ∗∗∗ Synology-SA-22:04 OpenSSL ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_04 ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0329 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2022
by Daily end-of-shift report 17 Mar '22

17 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-03-2022 18:00 − Donnerstag 17-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ SolarWinds warns of attacks targeting Web Help Desk instances ∗∗∗ --------------------------------------------- SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-attacks-… ∗∗∗ Microsoft creates tool to scan MikroTik routers for TrickBot infections ∗∗∗ --------------------------------------------- The TrickBot trojan has just added one more trick up its sleeve, now using vulnerable IoT (internet of things) devices like modem routers as proxies for its C2 (command and control) server communication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-creates-tool-to-sc… ∗∗∗ CISA: US-Behörde warnt vor 15 aktiv ausgenutzten Sicherheitslücken ∗∗∗ --------------------------------------------- Die US-Sicherheitsbehörde CISA warnt Unternehmen und Behörden vor 15 älteren Sicherheitslücken, die aktiv für Angriffe ausgenutzt werden. --------------------------------------------- https://www.golem.de/news/cisa-us-behoerde-warnt-vor-15-aktiv-ausgenutzten-… ∗∗∗ DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly ∗∗∗ --------------------------------------------- The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. "The worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows privilege escalation," Avast researcher Martin Chlumecký said in a report published Wednesday. --------------------------------------------- https://thehackernews.com/2022/03/dirtymoe-botnet-gains-new-exploits-in.html ∗∗∗ LokiLocker ransomware family spotted with built-in wiper ∗∗∗ --------------------------------------------- BlackBerry says extortionists erase documents if ransom unpaid BlackBerry security researchers have identified a ransomware family targeting English-speaking victims that is capable of erasing all non-system files from infected Windows PCs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/03/16/blackberry_l… ∗∗∗ Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks ∗∗∗ --------------------------------------------- What do you do when you’ve found an arbitrary file delete as NT AUTHORITY\SYSTEM? Probably just sigh and call it a DoS. Well, no more. In this article, we’ll show you some great techniques for getting much more out of your arbitrary file deletes, arbitrary folder deletes, and other seemingly low-impact filesystem-based exploit primitives. --------------------------------------------- https://www.thezdi.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-esc… ∗∗∗ From BlackMatter to BlackCat: Analyzing two attacks from one affiliate ∗∗∗ --------------------------------------------- While researching a BlackCat ransomware attack from December 2021, we observed a domain (and respective IP addresses) used to maintain persistent access to the network. This domain had also been used in a BlackMatter attack in September 2021. Further analysis revealed more commonalities, such as tools, file names and techniques that were common to both ransomware variants. --------------------------------------------- http://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-anal… ===================== = Vulnerabilities = ===================== ∗∗∗ New Vulnerability in CRI-O Engine Lets Attackers Escape Kubernetes Containers ∗∗∗ --------------------------------------------- A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called cr8escape could be exploited by an attacker to break out of containers and obtain root access to the host. "Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data, and lateral movement across pods," [..] --------------------------------------------- https://thehackernews.com/2022/03/new-vulnerability-in-cri-o-engine-lets.ht… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flac, openssl, and openssl1.0), Fedora (nbd, pesign, and rust-regex), openSUSE (ansible, java-1_8_0-openjdk, libreoffice, and stunnel), Oracle (expat, glibc, and virt:ol and virt-devel:rhel), Red Hat (expat, redhat-ds:11.3, and virt:av and virt-devel:av), SUSE (atftp, java-1_8_0-openjdk, libreoffice, python3, and stunnel), and Ubuntu (apache2, bind9, firefox, fuse, and man-db). --------------------------------------------- https://lwn.net/Articles/888288/ ∗∗∗ Red Hat Virtualization: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Virtualization ausnutzen, um Dateien zu manipulieren. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0328 ∗∗∗ ISC Releases Security Advisories for BIND ∗∗∗ --------------------------------------------- Original release date: March 17, 2022The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/17/isc-releases-secu… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js vm2 module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Netcool/OMNIbus Probe DSL Factory Framework is vulnerable to arbitrary code execution (CVE-2022-23302, CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of IBM Websphere Liberty (CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2022-0235) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A security vulnerability in log4j v1.2 affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2022
by Daily end-of-shift report 16 Mar '22

16 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-03-2022 18:00 − Mittwoch 16-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Android trojan persists on the Google Play Store since January ∗∗∗ --------------------------------------------- Security researchers tracking the mobile app ecosystem have noticed a recent spike in trojan infiltration on the Google Play Store, with one of the apps having over 500,000 installs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-trojan-persists-on-t… ∗∗∗ Qakbot infection with Cobalt Strike and VNC activity, (Wed, Mar 16th) ∗∗∗ --------------------------------------------- On Monday 2022-03-14, I infected a vulnerable Windows host with Qakbot (Qbot) malware. Today's diary provides a quick review of the infection activity. --------------------------------------------- https://isc.sans.edu/diary/rss/28448 ∗∗∗ The Attack of the Chameleon Phishing Page ∗∗∗ --------------------------------------------- Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input to trick its victims into giving away their email credentials. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-… ∗∗∗ Werbe-SMS „Bewerbung erhalten“ führt zu Investment-Betrug ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle SMS, in denen von einer angeblichen Bewerbung durch die EmpfängerInnen die Rede ist. Wie die Kriminellen an Namen und Telefonnummer der Betroffenen gelangen, ist unklar. Klar hingegen ist, dass der enthaltene Link auf eine betrügerische Investment-Werbung führt. --------------------------------------------- https://www.watchlist-internet.at/news/werbe-sms-bewerbung-erhalten-fuehrt-… ∗∗∗ Gh0stCringe RAT Being Distributed to Vulnerable Database Servers ∗∗∗ --------------------------------------------- This blog will explain the RAT malware named Gh0stCringe. Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT. --------------------------------------------- https://asec.ahnlab.com/en/32572/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched RCE Bug in dompdf Project Affects HTML to PDF Converters ∗∗∗ --------------------------------------------- Researchers have disclosed an unpatched security vulnerability in "dompdf," a PHP-based HTML to PDF converter, that, if successfully exploited, could lead to remote code execution in certain configurations. --------------------------------------------- https://thehackernews.com/2022/03/unpatched-rce-bug-in-dompdf-project.html ∗∗∗ 7 RCE and DoS vulnerabilities Found in ClickHouse DBMS ∗∗∗ --------------------------------------------- The vulnerabilities require authentication, but can be triggered by any user with read permissions. This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials. --------------------------------------------- https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-db… ∗∗∗ Sicherheitslücke: Präparierte TLS-Zertifikate können OpenSSL-Systeme gefährden ∗∗∗ --------------------------------------------- Angreifer könnten Clients und Server mit präparierten TLS-Zertifikaten auf Basis von elliptischen Kurven lahmlegen. --------------------------------------------- https://heise.de/-6550820 ∗∗∗ Sicherheitsupdates: Angreifer könnten Schadcode durch pfSense-Firewall schieben ∗∗∗ --------------------------------------------- Mehrere Schwachstellen gefährden Systeme mit der Firewall-Distribution pfSense. --------------------------------------------- https://heise.de/-6577971 ∗∗∗ Sicherheitsupdates: Schadcode-Schlupflöcher in Dell-BIOS ∗∗∗ --------------------------------------------- Angreifer könnten Dell-Computer attackieren und im schlimmsten Fall die volle Kontrolle über Geräte erlangen. --------------------------------------------- https://heise.de/-6550647 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl and python-scrapy), openSUSE (chrony, expat, java-1_8_0-openj9, libqt5-qtbase, openssl-1_0_0, php7, and rust, rust1.58, rust1.59), Oracle (389-ds:1.4, httpd:2.4, libarchive, libxml2, and vim), Red Hat (389-ds:1.4, glibc, httpd:2.4, kpatch-patch, libarchive, libxml2, vim, and virt:rhel and virt-devel:rhel), SUSE (chrony, compat-openssl098, expat, libqt5-qtbase, openssl, openssl-1_0_0, openssl-1_1, openssl1, php7, rust, rust1.58, rust1.59, [...] --------------------------------------------- https://lwn.net/Articles/888093/ ∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-005 ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js follow-redirects module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Network Automation (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform upgrade from Log4j 2.17 to 2.17.1 to protect from infinite recursion in lookup evaluation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-fetch module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2021-33198 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Improper Restriction of XML External Entity Reference in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-506619-bt.html ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/16/google-releases-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2022
by Daily end-of-shift report 15 Mar '22

15 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-03-2022 18:00 − Dienstag 15-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Massive phishing campaign uses 500+ domains leading to fake login pages ∗∗∗ --------------------------------------------- Large-scale phishing activity using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, shows infrastructure overlaps linked to the TrickBot botnet. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-phishing-campaign-us… ∗∗∗ Sicherheitslücke in Druckern: Über 300 Jahre alter Algorithmus knackt RSA-Keys ∗∗∗ --------------------------------------------- Drucker von Canon und Fujifilm erzeugen schwache RSA-Schlüssel, die sich mit dem Faktorisierungsalgorithmus von Fermat angreifen lassen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-in-druckern-ueber-300-jahre-alt… ∗∗∗ New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel ∗∗∗ --------------------------------------------- Since the Log4J vulnerability was exposed, we see more and more malware jumped on the wagon, Elknot, Gafgyt, Mirai are all too familiar, on February 9, 2022, 360Netlab's honeypot system captured an unknown ELF file propagating through the Log4J vulnerability. What stands out is that the network traffic generated by this sample triggered a DNS Tunnel alert in our system, We decided to take a close look, and indeed, it is a new botnet family, which we named B1txor20 based on its propagation using the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. --------------------------------------------- https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ ∗∗∗ Clean Binaries with Suspicious Behaviour, (Tue, Mar 15th) ∗∗∗ --------------------------------------------- EDR or "Endpoint Detection & Response" is a key element of many networks today. An agent is installed on all endpoints to track suspicious/malicious activity and (try to) block it. Behavioral monitoring is also a key element in modern SIEM infrastructure: To see a word.exe running is definitively not malicious, same with a Powershell script being launched. But if you monitor parent/child relations, to see a Powershell script launched from a Word process, that is suspicious! --------------------------------------------- https://isc.sans.edu/diary/rss/28444 ∗∗∗ A Simple Guide to Getting CVEs Published ∗∗∗ --------------------------------------------- This guide will, hopefully, let you skip the headaches and guesswork that we endured learning this process when you try to get a CVE published. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-simple-gu… ∗∗∗ Can an HTTPS Website be Hacked? ∗∗∗ --------------------------------------------- It should be no shock by now that a professional can break through anything. These days, zero-days are a dime a dozen, so it’s important to ensure your site is hardened and protected as much as possible. While an SSL certificate can certainly be an important factor, it’s only one slice of the pie. In this article, we’ll be elaborating on the myths of SSL, the kinds of hacks that still have the potential to occur, and how you can improve an HTTPS site beyond installing an SSL certificate. --------------------------------------------- https://blog.sucuri.net/2022/03/can-an-https-website-be-hacked.html ∗∗∗ Ukraine-Krieg: BSI warnt vor Kasperskys Sicherheits- und Antiviren-Software ∗∗∗ --------------------------------------------- Wer Antiviren-Software des russischen Herstellers einsetzt, sollte auf alternative Produkte ausweichen, heißt es der offizellen BSI-Warnung. --------------------------------------------- https://heise.de/-6549515 ∗∗∗ Vorsicht vor Anrufe und E-Mails von „Besser-Gefunden“ ∗∗∗ --------------------------------------------- Momentan werden Unternehmen telefonisch von „Besser-Gefunden“ kontaktiert. Die Person am Telefon erklärt Ihnen, dass Ihr Unternehmen einen Vertrag für die Schaltung von kostenpflichtigen Anzeigen im Firmenverzeichnis von „Besser-Gefunden“ abgeschlossen hat und die Gebühren bald fällig werden. Dieser Vertrag verlängert sich automatisch, wenn er nicht sofort schriftlich storniert wird. Vorsicht: Dabei handelt es sich um eine betrügerische Masche zur Kundengewinnung! Legen Sie auf und unterschreiben Sie nichts. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-anrufe-und-e-mails-von-… ∗∗∗ Updated: Kubernetes Hardening Guide ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have updated their joint Cybersecurity Technical Report (CTR): Kubernetes Hardening Guide, originally released in August 2021, based on valuable feedback and inputs from the cybersecurity community. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/15/updated-kubernete… ∗∗∗ Investigating an engineering workstation – Part 1 ∗∗∗ --------------------------------------------- In this series of blog posts we will deal with the investigation of an engineering workstation running Windows 10 with the Siemens TIA Portal Version 15.1 installed. In this first part we will cover some selected classic Windows-based evidence sources, and how they behave with regards to the execution of the TIA Portal and interaction with it. --------------------------------------------- https://blog.nviso.eu/2022/03/15/investigating-an-engineering-workstation-p… ∗∗∗ Threat Advisory: CaddyWiper ∗∗∗ --------------------------------------------- Overview Cybersecurity company ESET disclosed another Ukraine-focused wiper dubbed "CaddyWiper" on March 14. [..] Analysis: The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Our analysis didn't show any indications of persistency, self-propagation or exploitation code. Before starting any file destruction, it checks to ensure that the machine is not a domain controller. If the machine is a domain controller, it stops execution. --------------------------------------------- http://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html ∗∗∗ OpenSSL security releases may require Node.js security releases ∗∗∗ --------------------------------------------- The Node.js project may be releasing new versions across all of its supportedrelease lines late this week to incorporate upstream patches from OpenSSL. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/mar-2022-security-releases ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Updates Everything: MacOS 12.3, XCode 13.3, tvOS 15.4, watchOS 8.5, iPadOS 15.4 and more, (Mon, Mar 14th) ∗∗∗ --------------------------------------------- Apple today released one of its massive "surprise" updates for all of its operating systems. This includes updates for Safari as well as stand-alone security updates for older operating systems like macOS Big Sur and Catalina. As so often, this also includes feature updates for the respective operating systems. --------------------------------------------- https://isc.sans.edu/diary/rss/28438 ∗∗∗ Sicherheitsupdate für IBM Spectrum Protect: Fremdzugriff auf Datenbanken möglich ∗∗∗ --------------------------------------------- Es gibt Sicherheitsupdates für IBMs Backup-Lösung Spectrum Protect. Angreifer könnten unter anderem auf eigentlich verschlüsselte Informationen zugreifen. --------------------------------------------- https://heise.de/-6548621 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (spip), Fedora (chromium), Mageia (chromium-browser-stable, kernel, kernel-linus, and ruby), openSUSE (firefox, flac, java-11-openjdk, protobuf, tomcat, and xstream), Oracle (thunderbird), Red Hat (kpatch-patch and thunderbird), Scientific Linux (thunderbird), Slackware (httpd), SUSE (firefox, flac, glib2, glibc, java-11-openjdk, libcaca, SDL2, squid, sssd, tomcat, xstream, and zsh), and Ubuntu (zsh). --------------------------------------------- https://lwn.net/Articles/887914/ ∗∗∗ Belden Security Bulletin – Industrial IT BSECV-2021-16 ∗∗∗ --------------------------------------------- CVEs: CVE-2020-24588, CVE-2020-26144, CVE-2020-26146 and CVE-2020-26147. FragAttacks 2 (fragmentation and aggregation attacks) is a collection of security vulnerabilities that affect Wi-Fi devices. An adversary that is within range of a victim's Wi-Fi network can exploit these vulnerabilities to steal user information or attack devices. Affected products: Hirschmann OpenBAT, WLC, BAT450 --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14146&mediaformat… ∗∗∗ Dirty Pipe Linux Flaw Affects a Wide Range of QNAP NAS Devices ∗∗∗ --------------------------------------------- https://thehackernews.com/2022/03/dirty-pipe-linux-flaw-affects-wide.html ∗∗∗ Security Bulletin: CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2341-deferred-fr… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: A Vulnerability In Apache Commons IO Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Workstations Central Administration Console (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Mobilefirst is affected by a log4j vulnerability (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mobilefirst-is-affected-b… ∗∗∗ Security Bulletin: Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-1-2-reached-… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j affects IBM Tivoli Composite Application Manager for Application Diagnostics (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect Operations Center (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ ABB OPC Server for AC 800M ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-074-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2022
by Daily end-of-shift report 14 Mar '22

14 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-03-2022 18:00 − Montag 14-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Android malware Escobar steals your Google Authenticator MFA codes ∗∗∗ --------------------------------------------- The Aberebot banking trojan appears to have returned, as its author is actively promoting a new version of the tool on dark web markets and forums. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-escobar-stea… ∗∗∗ Curl on Windows, (Mon, Mar 14th) ∗∗∗ --------------------------------------------- It's about 2 years ago that Xavier wrote a diary entry ("Keep an Eye on Command-Line Browsers") mentioning that curl was now build into Windows. [...] So with this particular malicious script, it's rather easy to detect (especially if you are in a network environment without Linux machines): search for curl UAS. If you are in a corporate environment, there's something else to know about curl on Windows. --------------------------------------------- https://isc.sans.edu/diary/rss/28436 ∗∗∗ New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access ∗∗∗ --------------------------------------------- Tracked as CVE-2022-25636 (CVSS score: 7.8), the vulnerability impacts Linux kernel versions 5.4 through 5.6.10 and is a result of a heap out-of-bounds write in the netfilter subcomponent in the kernel. [..] "This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat said in an advisory published on February 22, 2022. Similar alerts have been released by Debian, Oracle Linux, SUSE, and Ubuntu. --------------------------------------------- https://thehackernews.com/2022/03/new-linux-bug-in-netfilter-firewall.html ∗∗∗ Reverse Engineering a Netgear Nday ∗∗∗ --------------------------------------------- This post will detail how I went about developing a proof of concept for a Netgear Nday vulnerability. --------------------------------------------- https://nstarke.github.io/netgear/nday/2022/03/13/reverse-engineering-a-net… ∗∗∗ Making Sense of the Dirty Pipe Vulnerability (CVE-2022-0847) ∗∗∗ --------------------------------------------- [..] the flaw could allow anyone with read access on a system to write arbitrary data into arbitrary files. In this blog post, we analyze the vulnerability details in-depth and demonstrate how the exploit works to successfully escalate privileges. --------------------------------------------- https://redhuntlabs.com/blog/the-dirty-pipe-vulnerability.html ∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗ --------------------------------------------- Following responsible disclosure on September 9, 2021, fixes have been released to address the issues in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm. But Composer, Pip, and Pipenv, all three of which are affected by the untrusted search path flaw, have opted not to address the bug. --------------------------------------------- https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html ∗∗∗ Shodan: Introducing the InternetDB API ∗∗∗ --------------------------------------------- The major differences between the InternetDB API and the main Shodan API are: - No API key required - Much higher rate limit - Weekly updates - Minimal port/ service information - Non-commercial use only --------------------------------------------- https://blog.shodan.io/introducing-the-internetdb-api/ ∗∗∗ Diskrepanz zwischen erwarteten und tatsächlichen Cyberattacken im Ukraine-Krieg ∗∗∗ --------------------------------------------- c’t: Ukrainische Behörden haben Freiwillige in aller Welt aufgerufen, sich an Cyberattacken gegen Russland zu beteiligen. Halten Sie es für sinnvoll, dabei mitzumachen? Dr. Sven Herpig: Nein. Natürlich könnten Freiwillige irgendwelche Ziele in Russland ärgern, aber das wird weit weg sein von kriegsentscheidend. Gleichzeitig ist es aus drei Gründen ziemlich gefährlich. --------------------------------------------- https://heise.de/-6540223 ∗∗∗ Gefälschte Otto-Shops werben auf Facebook ∗∗∗ --------------------------------------------- ottot.shop, otto.us.com und ghrh.shop sind betrügerische Online-Shops. Diese Shops imitieren das deutsche Handelsunternehmen „OTTO“ und bieten Produkte zu sehr günstigen Preisen an. Aber: Ware, die dort bestellt und bezahlt wird, wird nicht geliefert. Geschädigte können versuchen ihr Geld über den Käuferschutz von PayPal zurückzubekommen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-otto-shops-werben-auf-fa… ===================== = Vulnerabilities = ===================== ∗∗∗ Veeam Backup & Replication - CVE-2022-26500 | CVE-2022-26501 ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. CVSS v3 score: 9.8 --------------------------------------------- https://www.veeam.com/kb4288 ∗∗∗ High-Severity Vulnerabilities Patched in Omron PLC Programming Software ∗∗∗ --------------------------------------------- Several high-severity vulnerabilities that can be exploited for remote code execution were patched recently in the CX-Programmer software of Japanese electronics giant Omron. An advisory released earlier this month by Japan’s JPCERT/CC revealed that the product is affected by five use-after-free and out-of-bounds vulnerabilities, all with a CVSS score of 7.8. --------------------------------------------- https://www.securityweek.com/high-severity-vulnerabilities-patched-omron-pl… ∗∗∗ Riverbed spinoff Aternity ships emergency software patch ∗∗∗ --------------------------------------------- Riverbed’s performance monitoring spinoff Aternity has published seven security advisories describing now-patched vulnerabilities in its AppInternals monitoring agent software. The most serious of the bugs gave attackers remote code execution with system-level privilege. [..] Riverbed has shipped AppInternals Agent versions 11.8.8 and 12.14.0, which include patches for the bugs. --------------------------------------------- https://www.itnews.com.au/news/riverbed-spinoff-aternity-ships-emergency-so… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, haproxy, libphp-adodb, nbd, and vim), Fedora (chromium, cobbler, firefox, gnutls, linux-firmware, radare2, thunderbird, and usbguard), Mageia (gnutls), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, and kernel), SUSE (firefox, tomcat, and webkit2gtk3), and Ubuntu (libxml2 and nbd). --------------------------------------------- https://lwn.net/Articles/887807/ ∗∗∗ Dell BIOS: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- CVE Liste: CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, CVE-2022-24421 Ein lokaler Angreifer kann mehrere Schwachstellen in Dell BIOS und Dell Computer ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0308 ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- CVE Liste: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943 Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache HTTP Server ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0306 ∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-no… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus is vulnerable to PostgreSQL Man-in-the-Middle and Slowloris Denial of Service attacks (CVE-2021-23222, CVE-2022-22354) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Analytical Decision Management (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects SPSS Collaboration and Deployment Services (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Big SQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-no… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to arbitrary code execution because of Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: Vulnerabilities in the Linux Kernel, Samba, Sudo, Python, and tcmu-runner affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-li… ∗∗∗ Security Bulletin: IBM Spectrum Copy Data Management is vulnerable to Slowloris, HTTP header injection, XSS, and CSRF (CVE-2022-22354, CVE-2022-22344, CVE-2021-39055, CVE-2021-39051) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-copy-data-ma… ∗∗∗ Security Bulletin: Vulnerabilities in Celery, Golang Go, and Python affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-celery… ∗∗∗ Security Bulletin: Vulnerability in Flask and Python affects IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2021-33026, CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-flask-an… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Polkit, PostgreSQL, OpenSSL, OpenSSH, and jQuery affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and IBM WebSphere Application Server Liberty affect IBM Operations Center and Client Management Service (CVE-2021-35578, CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Polkit, Node.js, OpenSSH, and Golang Go affect IBM Spectrum Protect Plus (CVE-2021-4034, CVE-2022-21681, CVE-2022-21680, CVE-2022-0235, CVE-2021-41617, CVE-2021-44716, CVE-2021-44717, 218243) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit… ∗∗∗ Security Bulletin: Reverse Tabnabbing and Cross-Site Request Forgery vulnerabilities in IBM Spectrum Protect Operations Center (CVE-2020-22348, CVE-2020-22346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-reverse-tabnabbing-and-cr… ∗∗∗ K63603485: Linux kernel vulnerability CVE-2022-0847 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63603485 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2022
by Daily end-of-shift report 11 Mar '22

11 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-03-2022 18:00 − Freitag 11-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Raccoon Stealer Crawls Into Telegram ∗∗∗ --------------------------------------------- The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware. --------------------------------------------- https://threatpost.com/raccoon-stealer-telegram/178881/ ∗∗∗ Keep an Eye on WebSockets, (Fri, Mar 11th) ∗∗∗ --------------------------------------------- It has been a while that I did not spot WebSockets used by malware. Yesterday I discovered an interesting piece of Powershell. Very small and almost undetected according to its Virustotal score (2/54)[1]. A quick reminder for those that don't know what a "WebSocket" is. --------------------------------------------- https://isc.sans.edu/diary/rss/28430 ∗∗∗ Bypassing MFA: A Pentest Case Study ∗∗∗ --------------------------------------------- When a company implements multifactor authentication, the organization is usually confident that it’s using the best system possible. However, not all MFA is built the same and there are times when the MFA solution being implemented is not delivering the protection required. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/bypassing-m… ∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in popular package managers that, if potentially exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines. Its, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers. --------------------------------------------- https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html ∗∗∗ Whats up with in-the-wild exploits? Plus, what were doing about it. ∗∗∗ --------------------------------------------- If you are a regular reader of our Chrome release blog, you may have noticed that phrases like exploit for CVE-1234-567 exists in the wild have been appearing more often recently. In this post well explore why there seems to be such an increase in exploits, and clarify some misconceptions in the process. Well then share how Chrome is continuing to make it harder for attackers to achieve their goals. --------------------------------------------- http://security.googleblog.com/2022/03/whats-up-with-in-wild-exploits-plus.… ∗∗∗ WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities ∗∗∗ --------------------------------------------- Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues. The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. --------------------------------------------- https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixe… ∗∗∗ Cobalt Strike: Memory Dumps – Part 6 ∗∗∗ --------------------------------------------- This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. --------------------------------------------- https://blog.nviso.eu/2022/03/11/cobalt-strike-memory-dumps-part-6/ ∗∗∗ Infostealer Being Distributed via YouTube ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user to turn off the anti-malware program. The team has introduced another case of distribution disguised as a game hack or crack via YouTube in a previous ASEC blog post. --------------------------------------------- https://asec.ahnlab.com/en/32499/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-503: MyBB Admin Control Panel Code Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of MyBB. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-503/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat vulnerabilities and, firefox, and subversion). --------------------------------------------- https://lwn.net/Articles/887635/ ∗∗∗ Mattermost security updates 6.4.2, 6.3.5, 6.2.5, 5.37.9 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.4.2, 6.3.5 (Extended Support Release), 6.2.5, 5.37.9 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-4-2-6-3-5-6-2-5-5… ∗∗∗ Siemens Solid Edge, JT2Go, and Teamcenter Visualization ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-22-041-07 Siemens Solid Edge, JT2Go, and Teamcenter Visualization that was published February 10, 2022, on the ICS webpage at www.cisa.gov/uscert. This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Heap-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge, JT2Go, and Teamcenter Visualization software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-041-07 ∗∗∗ Mehrere Schwachstellen in PONTON X/P Messenger (SYSS-2021-077/-078/-079/-080) ∗∗∗ --------------------------------------------- Der PONTON X/P Messenger der PONTON GmbH ist in den Versionen 3.8.0 und 3.10.0 unter eingeschränkten Voraussetzungen anfällig für mehrere Schwachstellen. --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-ponton-x/p-messe… ∗∗∗ CERT-EU warnt vor SMBv3-Schwachstelle CVE-2022-24508, Fix durch Windows März 2022-Updates ∗∗∗ --------------------------------------------- Mit den Sicherheitsupdates vom 8. März 2022 für Windows hat Microsoft eine Reihe Schwachstellen geschlossen. Darunter ist auch eine als wichtig eingestufte Remote Code Execution-Schwachstelle (REC) im Windows SMBv3 Client/Server. CERT-EU warnt in einer aktuellen Mitteilung vor dieser SMBv3-Schwachstelle CVE-2022-24508 [...] --------------------------------------------- https://www.borncity.com/blog/2022/03/11/cert-eu-warnt-vor-smbv3-schwachste… ∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 10 March 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. Related CVEs are: CVE-2022-24672, CVE-2022-24673 and CVE-2022-24674. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0299 ∗∗∗ phpMyAdmin: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0304 ∗∗∗ McAfee Total Protection: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0302 ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has a vulnerability (CVE-2021-39022), related to hazardous input. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: A Python Issue Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-python-issue-affects-ib… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to an attacker obtaining sensitive information (CVE-2021-35550, CVE-2021-35603) and denial of service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-38893 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Cloud Pak for Automation Workflow Process Service (CVE-2021-38893 CVE-2021-38966) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2022
by Daily end-of-shift report 10 Mar '22

10 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-03-2022 18:00 − Donnerstag 10-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Nearly 30% of critical WordPress plugin bugs dont get a patch ∗∗∗ --------------------------------------------- Patchstack, a leader in WordPress security and threat intelligence, has released a whitepaper to present the state of WordPress security in 2021, and the report paints a dire picture. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nearly-30-percent-of-critica… ∗∗∗ What Security Controls Do I Need for My Kubernetes Cluster? ∗∗∗ --------------------------------------------- This Tech Tip offers some security controls to embed in your organizations CI/CD pipeline to protect Kubernetes clusters and corporate networks. --------------------------------------------- https://www.darkreading.com/dr-tech/what-security-controls-do-i-need-for-my… ∗∗∗ Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads ∗∗∗ --------------------------------------------- The ever-shifting, ever-more-powerful malware is now hijacking email threads to download malicious DLLs that inject password-stealing code into webpages, among other foul things. --------------------------------------------- https://threatpost.com/qakbot-botnet-sprouts-fangs-injects-malware-into-ema… ∗∗∗ Credentials Leaks on VirusTotal, (Thu, Mar 10th) ∗∗∗ --------------------------------------------- A few weeks ago, researchers published some information about stolen credentials that were posted on Virustotal[1]. Im keeping an eye on VT for my customers and searching for data related to them. For example, I looking for their domain name(s) inside files posted on VT. I may confirm what researchers said, there are a lot of passwords leaks shared on VTI but yesterday, there was a peak of files uploaded on this platform. --------------------------------------------- https://isc.sans.edu/diary/rss/28426 ∗∗∗ Demystifying E-Commerce Website Security ∗∗∗ --------------------------------------------- Here we’ll be discussing the main aspects that are important to an E-Commerce website, the kinds of vulnerabilities that can impact your business, and how to take better preventative measures. --------------------------------------------- https://blog.sucuri.net/2022/03/demystifying-e-commerce-website-security.ht… ∗∗∗ Pre-announcement of 4 BIND security issues scheduled for disclosure 16 March 2022 ∗∗∗ --------------------------------------------- As part of our policy of pre-notification of upcoming security releases, we are writing to inform you that the March 2022 BIND maintenance releases that will be released on Wednesday, 16 March, will contain a patches for a security vulnerabilities affecting the BIND 9.11.x, 9.16.x and 9.18.x release branches. Further details about those vulnerabilities will be publicly disclosed at the time the releases are published. --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2022-March/001211.html ∗∗∗ Getting Critical: Making Sense of the EU Cybersecurity Framework for Cloud Providers ∗∗∗ --------------------------------------------- In this chapter, we review how the EU cybersecurity regulatory framework impacts providers of cloud computing services. We examine the evolving regulatory treatment of cloud services as an enabler of the EUs digital economy and question whether all cloud services should be treated as critical infrastructure. Further, we look at how the safeguarding and incident notification obligations under the General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NISD) --------------------------------------------- https://arxiv.org/abs/2203.04887 ∗∗∗ The Conti Leaks: Insight into a Ransomware Unicorn ∗∗∗ --------------------------------------------- In late February 2022, the internal chat logs of the Conti ransomware group were disclosed. This blog dissects the internal chat logs that illuminate how Conti’s organizational infrastructure is run, details key figureheads, tooling as well as bitcoin transactions. --------------------------------------------- https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/ ∗∗∗ Spectre V2 ist auch bei ARM und Intel zurück: Angriff auf Branch History Buffer ∗∗∗ --------------------------------------------- Bisherige Schutzmechanismen von Intel-Prozessoren und ARM-Kernen gegen Seitenkanalangriffe vom Typ Spectre V2 reichen nicht aus. --------------------------------------------- https://heise.de/-6545263 ∗∗∗ „Ihr ID-Betriebssystem wird gesperrt“ – Apple E-Mail ist Fake! ∗∗∗ --------------------------------------------- Im betrügerischen E-Mail, das angeblich von Apple versendet wird, werden Sie aufgefordert Ihre Apple ID zu überprüfen. Doch Vorsicht – es handelt sich um Phishing! Hier sind Kriminelle auf Ihre Daten aus! Am besten ignorieren Sie das E-Mail. --------------------------------------------- https://www.watchlist-internet.at/news/ihr-id-betriebssystem-wird-gesperrt-… ∗∗∗ Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools ∗∗∗ --------------------------------------------- Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised. --------------------------------------------- http://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ [webapps] Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated) ∗∗∗ --------------------------------------------- # note : this is blind RCE so don't expect to see results on the site # this exploit is tested against Zabbix 5.0.17 only --------------------------------------------- https://www.exploit-db.com/exploits/50816 ∗∗∗ XSA-396 ∗∗∗ --------------------------------------------- CVEs: CVE-2022-23036 CVE-2022-23037 CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends --------------------------------------------- https://xenbits.xen.org/xsa/advisory-396.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and kernel), Fedora (cyrus-sasl, mingw-protobuf, and thunderbird), Mageia (kernel-linus), openSUSE (firefox, kernel, and libcaca), Oracle (.NET 6.0, kernel, kernel-container, and ruby:2.5), Slackware (mozilla-thunderbird), and SUSE (firefox, mariadb, and tomcat). --------------------------------------------- https://lwn.net/Articles/887484/ ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- - SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028 - Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0298 ∗∗∗ CVE-2022-0022 PAN-OS: Use of a Weak Cryptographic Algorithm for Stored Password Hashes (Severity: MEDIUM) ∗∗∗ --------------------------------------------- Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. [..] Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0022 ∗∗∗ UNIVERGE WA Series vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN72801744/ ∗∗∗ [remote] Siemens S7-1200 - Unauthenticated Start/Stop Command ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/50820 ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights CVE-2021-23450 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption is vulnerable to cross-site scripting (CVE-2020-7676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM DataPower Gateway permits reflected JSON injection (CVE-2021-38910) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-per… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, OmniFind Text Search Server for DB2 for i is vulnerable to arbitrary code execution (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.03.2022
by Daily end-of-shift report 09 Mar '22

09 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-03-2022 18:00 − Mittwoch 09-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Betrug auf Discord: „Sorry, ich habe deinen Steam-Account gemeldet!“ ∗∗∗ --------------------------------------------- Gamerinnen und Gamer aufgepasst: Auf Discord kommt es momentan zu Kontaktaufnahmen durch Kriminelle, die sich für das Melden des Steam-Accounts entschuldigen. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-auf-discord-sorry-ich-habe-de… ∗∗∗ Daxin Backdoor: In-Depth Analysis, Part Two ∗∗∗ --------------------------------------------- In the second of a two-part series of blogs, we examine the communications and networking features of Daxin. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ===================== = Vulnerabilities = ===================== ∗∗∗ Guidance for CVE-2022-23278 spoofing in Microsoft Defender for Endpoint ∗∗∗ --------------------------------------------- Microsoft released a security update to address CVE-2022-23278 in Microsoft Defender for Endpoint. This important class spoofing vulnerability impacts all platforms. --------------------------------------------- https://msrc-blog.microsoft.com/2022/03/08/guidance-for-cve-2022-23278-spoo… ∗∗∗ New 16 High-Severity UEFI Firmware Flaws Discovered in Millions of HP Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers on Tuesday disclosed 16 new high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices. --------------------------------------------- https://thehackernews.com/2022/03/new-16-high-severity-uefi-firmware.html ∗∗∗ Critical RCE Bugs Found in Pascom Cloud Phone System Used by Businesses ∗∗∗ --------------------------------------------- Researchers have disclosed three security vulnerabilities affecting Pascom Cloud Phone System (CPS) that could be combined to achieve a full pre-authenticated remote code execution of affected systems. --------------------------------------------- https://thehackernews.com/2022/03/critical-rce-bugs-found-in-pascom-cloud.h… ∗∗∗ TLStorm: Three critical vulnerabilities discovered in APC Smart-UPS devices ∗∗∗ --------------------------------------------- Armis has discovered a set of three critical zero-day vulnerabilities in APC Smart-UPS devices that can allow remote attackers to take over Smart-UPS devices and carry out extreme attacks targeting both physical devices and IT assets. --------------------------------------------- https://www.armis.com/research/tlstorm/ ∗∗∗ Patchday: SAP behebt 16 Schwachstellen ∗∗∗ --------------------------------------------- Zum März-Patchday bei SAP liefert das Unternehmen Aktualisierungen für zwölf neue Sicherheitslücken aus. Zudem aktualisiert es vier ältere Sicherheitsmeldungen. --------------------------------------------- https://heise.de/-6543439 ∗∗∗ Alte Lücke in Pulse Connect Secure-VPN wird angegriffen ∗∗∗ --------------------------------------------- Schon Mitte 2020 hat Pulse Secure in seiner VPN-Lösung Aktualisierungen veröffentlicht, die Sicherheitslücken schließen. Die Lücken werden jetzt angegriffen. --------------------------------------------- https://heise.de/-6544328 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, linux-4.19, spip, and thunderbird), Fedora (cyrus-sasl and libxml2), Mageia (firefox and thunderbird), openSUSE (buildah and tcpdump), Red Hat (cyrus-sasl, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (buildah, kernel, libcaca, and tcpdump), and Ubuntu (linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oem-5.14, linux-oracle, linux-oracle-5.13, [...] --------------------------------------------- https://lwn.net/Articles/887309/ ∗∗∗ Microsoft Releases March 2022 Security Updates ∗∗∗ --------------------------------------------- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/microsoft-release… ∗∗∗ SAP Releases March 2022 Security Updates ∗∗∗ --------------------------------------------- SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/sap-releases-marc… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/adobe-releases-se… ∗∗∗ ZDI-22-492: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-492/ ∗∗∗ ZDI-22-491: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-491/ ∗∗∗ ZDI-22-490: (0Day) Ecava IntegraXor Inkscape WMF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-490/ ∗∗∗ ZDI-22-489: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Uninitialized Pointer Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-489/ ∗∗∗ ZDI-22-488: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Uninitialized Pointer Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-488/ ∗∗∗ ZDI-22-487: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-487/ ∗∗∗ ZDI-22-486: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-486/ ∗∗∗ ZDI-22-485: (0Day) Ecava IntegraXor Inkscape PCX File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-485/ ∗∗∗ AMD: LFENCE/JMP Mitigation Update for CVE-2017-5715 ∗∗∗ --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036 ∗∗∗ Intel Processor Advisory: INTEL-SA-00598 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in ISC BIND affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-isc-bind… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer Content Analytics Studio ( CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ XSA-398 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-398.html ∗∗∗ F-Secure Produkte: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0279 ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0276 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341586 ∗∗∗ NetApp SnapCenter Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500477-NETAPP-SNAPCENTER-INFOR… ∗∗∗ Brocade Fabric OS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500476-BROCADE-FABRIC-OS-VULNE… ∗∗∗ Lenovo Thin Installer Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500475-LENOVO-THIN-INSTALLER-D… ∗∗∗ Glance by Mirametrix Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500474-GLANCE-BY-MIRAMETRIX-VU… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2022
by Daily end-of-shift report 08 Mar '22

08 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-03-2022 18:00 − Dienstag 08-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fernverwaltung mit Sicherheitslücke gefährdet medizinische Geräte ∗∗∗ --------------------------------------------- Viele medizinische IoT-Geräte enthalten Fernverwaltungssoftware von Axeda/PTC. Sicherheitslücken ermöglichen Angreifern das Einschleusen von Schadcode. --------------------------------------------- https://heise.de/-6542436 ∗∗∗ Stecker zum Stromsparen auf „getecotex.com“ ist Betrug ∗∗∗ --------------------------------------------- Auf getecotex.com wird ein Stecker zum Stromsparen angeboten. Für 59 Euro kann angeblich der Stromfluss stabilisiert, hochfrequenter Strom entfernt und die Energierechnung reduziert werden. Vorsicht: Diese Versprechen sind frei erfunden - ein solches Gerät existiert nicht. Sie werden betrogen und verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/stecker-zum-stromsparen-auf-getecote… ∗∗∗ CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector ∗∗∗ --------------------------------------------- A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance. Approximately 2,600 Mitel MiCollab and MiVoice Business Express collaboration systems acting as PBX-to-Internet gateways were incorrectly deployed with an abusable system test facility exposed to the public Internet. --------------------------------------------- https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-… ∗∗∗ Emotet growing slowly but steadily since November resurgence ∗∗∗ --------------------------------------------- The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 92,000 systems in 172 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-growing-slowly-but-st… ∗∗∗ An attackers toolchest: Living off the land ∗∗∗ --------------------------------------------- If you’ve been keeping up with the information security world, you’ve certainly heard that recent ransomware attacks and other advanced persistent threats are sometimes using special kind of tools. But for the most part, the tools will be very familiar to you. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/02/37248-living-off-the-land ∗∗∗ Androids March 2022 Security Updates Patch 39 Vulnerabilities ∗∗∗ --------------------------------------------- Google this week announced the release of patches for 39 vulnerabilities as part of the March 2022 security update for Android. The most serious vulnerability is CVE-2021-39708, a remotely exploitable elevation of privilege issue identified in the System component. --------------------------------------------- https://www.securityweek.com/androids-march-2022-security-updates-patch-39-… ∗∗∗ Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities ∗∗∗ --------------------------------------------- We disclosed several GKE Autopilot vulnerabilities and attack techniques to Google. The issues are now fixed - we provide a technical analysis. --------------------------------------------- https://unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/ ∗∗∗ Phishing attempts from FancyBear and Ghostwriter stepping up says Google ∗∗∗ --------------------------------------------- Google TAG also sees Chinese Mustang Panda going after Europeans and DDoS attempts against Ukrainian targets. --------------------------------------------- https://www.zdnet.com/article/phishing-attempts-from-fancybear-and-ghostwri… ∗∗∗ Daxin Backdoor: In-Depth Analysis, Part One ∗∗∗ --------------------------------------------- In the first of a two-part series of blogs, we will delve deeper into Daxin, examining the driver initialization, networking, key exchange, and backdoor functionality of the malware. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ∗∗∗ FBI Releases Indicators of Compromise for RagnarLocker Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with ransomware attacks by RagnarLocker, a group of a ransomware actors targeting critical infrastructure sectors. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000163-MW and apply the recommended mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/fbi-releases-indi… ∗∗∗ Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- 08.03.2022 16:40 Bereich "Indirekte Angriffsfläche" erweitert --------------------------------------------- https://cert.at/de/aktuelles/2022/3/ukraine-krise-aktuelle-informationen ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Kritische Sicherheitslecks in APC Smart-UPS ∗∗∗ --------------------------------------------- In den APC Smart-UPS von Schneider Electric könnten Angreifer Sicherheitslücken ausnutzen, um Schadcode einzuschleusen oder die Geräte außer Funktion zu setzen. --------------------------------------------- https://heise.de/-6542950 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis). --------------------------------------------- https://lwn.net/Articles/887159/ ∗∗∗ AVEVA System Platform ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cleartext Storage of Sensitive Information in Memory vulnerability in the AVEVA System Platform, a software management product. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-067-02 ∗∗∗ Sensormatic PowerManage (Update A) ∗∗∗ --------------------------------------------- This update advisory is a follow-up to the original advisory titled ICSA-22-034-01 Sensormatic PowerManage that was published February 3, 2022, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform. Update A (Part 1 of 1): Upgrade PowerManage to Version 4.10 --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0268 ∗∗∗ Citrix Federated Authentication Service (FAS) Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341587 ∗∗∗ Security Bulletin: Vulnerability in IBM Guardium Data Encryption (GDE) (CVE-2021-20414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-guar… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements ( CVE-2021-38935 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-v… ∗∗∗ Security Bulletin: IBM Security Directory Integrator has upgraded log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-in… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Virtualization Engine TS7700 (CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server – Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ SSA-250085: Multiple Vulnerabilities in SINEC NMS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-250085.txt ∗∗∗ SSA-223353: Multiple Vulnerabilities in Nucleus RTOS based SIMOTICS CONNECT 400 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-223353.txt ∗∗∗ SSA-166747: Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2022.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-166747.txt ∗∗∗ SSA-155599: File Parsing Vulnerabilities in COMOS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-155599.txt ∗∗∗ SSA-148641: XPath Constraint Vulnerability in Mendix Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-148641.txt ∗∗∗ SSA-134279: Vulnerability in Mendix Forgot Password Appstore module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-134279.txt ∗∗∗ SSA-764417: Multiple Vulnerabilities in RUGGEDCOM Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-764417.txt ∗∗∗ SSA-594438: Remote Code Execution and Denial-of-Service Vulnerability in multiple RUGGEDCOM ROX products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-594438.txt ∗∗∗ SSA-562051: Cross-Site Scripting Vulnerability in Polarion ALM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-562051.txt ∗∗∗ SSA-415938: Improper Access Control Vulnerability in Mendix ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-415938.txt ∗∗∗ SSA-406691: Buffer Vulnerabilities in DHCP function of RUGGEDCOM ROX products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-406691.txt ∗∗∗ SSA-389290: Third-Party Component Vulnerabilities in SINEC INS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-389290.txt ∗∗∗ SSA-337210: Privilege Escalation Vulnerability in SINUMERIK MC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-337210.txt ∗∗∗ SSA-256353: Third-Party Component Vulnerabilities in RUGGEDCOM ROS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-256353.txt ∗∗∗ SSA-252466: Multiple Vulnerabilities in Climatix POL909 (AWM and AWB) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-252466.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2022
by Daily end-of-shift report 07 Mar '22

07 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-03-2022 18:00 − Montag 07-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ E-Mail vom "Zoll Kundenservice" ist Fake ∗∗∗ --------------------------------------------- Im betrügerischen E-Mail von "[email protected]" wird behauptet, dass Ihr Paket nicht geliefert werden kann, da Zollgebühren nicht bezahlt wurden. Um die Zollgebühren zu begleichen, werden Sie aufgefordert, einen Paysafecard-Pin um 75 Euro zu schicken. Ignorieren Sie dieses E-Mail, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-vom-zoll-kundenservice-ist-fa… ∗∗∗ Notfallupdate: Sicherheitslücken in Firefox und Thunderbird werden angegriffen ∗∗∗ --------------------------------------------- Die Mozilla-Stiftung hat außer der Reihe Sicherheitsupdates für Firefox, Klar und Thunderbird herausgegeben, die bereits aktiv angegriffene Lücken schließen. --------------------------------------------- https://heise.de/-6540649 ∗∗∗ Sicherheitsprobleme bei Samsung: Quellcode geklaut, unsichere Kryptografie ∗∗∗ --------------------------------------------- Einbrecher haben bei Samsung Quellcode entwendet. Zudem patzte der Hersteller bei Kryptografie in der Trusted Execution Environment von Flaggschiff-Smartphones. --------------------------------------------- https://heise.de/-6540849 ∗∗∗ Dirty Pipe: Linux-Kernel-Lücke erlaubt Schreibzugriff mit Root-Rechten ∗∗∗ --------------------------------------------- Ein Fehler bei der Verarbeitung von Pipes im Linux-Kernel lässt sich ausnutzen, um Root-Rechte zu erlangen. --------------------------------------------- https://www.golem.de/news/dirty-pipe-linux-kernel-luecke-erlaubt-schreibzug… ∗∗∗ Microsoft fixes critical Azure bug that exposed customer data ∗∗∗ --------------------------------------------- Microsoft has addressed a critical vulnerability in the Azure Automation service that could have allowed attackers to take full control over other Azure customers data. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-critical-az… ∗∗∗ Massive Meris Botnet Embeds Ransomware Notes from REvil ∗∗∗ --------------------------------------------- Notes threatening to tank targeted companies stock price were embedded into the DDoS ransomware attacks as a string_of_text directed to CEOs and webops_geeks in the URL. --------------------------------------------- https://threatpost.com/massive-meris-botnet-embeds-ransomware-notes-revil/1… ∗∗∗ Scam E-Mail Impersonating Red Cross, (Fri, Mar 4th) ∗∗∗ --------------------------------------------- Earlier today, I received a scam email that impersonates the Ukrainian Red Cross. It attempts to solicit donations via Bitcoin. The email is almost certainly not related to any valid Red Cross effort. --------------------------------------------- https://isc.sans.edu/diary/rss/28404 ∗∗∗ oledumps Extra Option, (Sat, Mar 5th) ∗∗∗ --------------------------------------------- A colleague asked if it was possible with oledump.py, to search through a set of malicious documents and filter out all streams that have identical VBA source code. --------------------------------------------- https://isc.sans.edu/diary/rss/28406 ∗∗∗ Critical Bugs in TerraMaster TOS Could Open NAS Devices to Remote Hacking ∗∗∗ --------------------------------------------- Researchers have disclosed details of critical security vulnerabilities in TerraMaster network-attached storage (TNAS) devices that could be chained to attain unauthenticated remote code execution with the highest privileges. The issues reside in TOS, an abbreviation for TerraMaster Operating System, and "can grant unauthenticated attackers access to the victims box simply by knowing the IP [...] --------------------------------------------- https://thehackernews.com/2022/03/critical-bugs-in-terramaster-tos-could.ht… ∗∗∗ Backdooring WordPress using PyShell ∗∗∗ --------------------------------------------- PyShell is new tool made for bug bounty, ethical hacking, penetration testers or red-teamers. This tool helps you to obtain a shell-like interface on a web server to be remotely accessed. --------------------------------------------- https://blog.wpsec.com/backdooring-wordpress-using-pyshell/ ∗∗∗ Beware of malware offering “Warm greetings from Saudi Aramco” ∗∗∗ --------------------------------------------- A new Formbook campaign is targeting oil and gas companies. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/03/beware-of-malware… ∗∗∗ Amcache contains SHA-1 Hash – It Depends! ∗∗∗ --------------------------------------------- If you read about the Amcache registry hive and what information it contains, you will find a lot of references that it contains the SHA-1 hash of the file in the corresponding registry entry. Now that especially comes in handy if files are deleted from disk. --------------------------------------------- https://blog.nviso.eu/2022/03/07/amcache-contains-sha-1-hash-it-depends/ ∗∗∗ Webhook Party – Malicious packages caught exfiltrating data via legit webhook services ∗∗∗ --------------------------------------------- Checkmarx Supply Chain Security (SCS) team (previously Dustico) has found several malicious packages attempting to use a dependency confusion attack. Those packages were detected by the team’s malicious package detection system. Findings show all packages caught contained malicious payload [...] --------------------------------------------- https://checkmarx.com/blog/webhook-party-malicious-packages-caught-exfiltra… ===================== = Vulnerabilities = ===================== ∗∗∗ New Security Vulnerability Affects Thousands of Self-Managed GitLab Instances ∗∗∗ --------------------------------------------- Researchers have disclosed details of a new security vulnerability in GitLab, an open-source DevOps software, that could potentially allow a remote, unauthenticated attacker to recover user-related information. Tracked as CVE-2021-4191 (CVSS score: 5.3), the medium-severity flaw affects all versions of GitLab Community Edition and Enterprise Edition starting from 13.0 and all versions starting from 14.4 and prior to 14.8. --------------------------------------------- https://thehackernews.com/2022/03/new-security-vulnerability-affects.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, containerd, cyrus-sasl2, expat, firefox-esr, freecad, kernel, and tiff), Fedora (seamonkey, swtpm, and webkit2gtk3), Mageia (docker-containerd, firefox, flac, libtiff, libxml2, and mc), openSUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, libeconf, shadow and util-linux, mariadb, nodejs14, perl-App-cpanminus, vim, wireshark, wpa_supplicant, and zsh), SUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, java-11-openjdk, [...] --------------------------------------------- https://lwn.net/Articles/887055/ ∗∗∗ Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device ∗∗∗ --------------------------------------------- Cisco Talos’ vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE’s patch, we decided to take an even closer look at two of these vulnerabilities — CVE-2021-21748 and CVE-2021-21745 — to show how they could be chained together by an attacker to completely take over a device. --------------------------------------------- https://blog.talosintelligence.com/2022/03/deep-dive-vulnerabilities-in-zte… ∗∗∗ Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nims… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38988) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: Some unspecified vulnerabilities in Java SE result in the unauthenticated attacker to take control of the system or some impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-some-unspecified-vulnerab… ∗∗∗ Bitdefender Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0264 ∗∗∗ Webmin: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0267 ∗∗∗ Asterisk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0266 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0265 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2022
by Daily end-of-shift report 04 Mar '22

04 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-03-2022 18:00 − Freitag 04-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 8-Character Passwords Can Be Cracked in Less than 60 Minutes ∗∗∗ --------------------------------------------- Researchers say passwords with less than seven characters can be hacked "instantly." --------------------------------------------- https://www.darkreading.com/attacks-breaches/8-character-passwords-can-be-c… ∗∗∗ 5 Risks That Can Cause Your Website to Get Reinfected ∗∗∗ --------------------------------------------- Re-infections are one of the most frustrating encounters site owners experience. Like a game of whack-a-mole, when you think you’ve found and removed everything malicious, more malicious content pops up. --------------------------------------------- https://blog.sucuri.net/2022/03/5-risks-that-can-cause-your-website-to-get-… ∗∗∗ SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store ∗∗∗ --------------------------------------------- NCC Group, as well as many other researchers noticed a rise in Android malware last year, especillay Android banking malware. --------------------------------------------- https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-bankin… ∗∗∗ Nvidias geleakte Code-Signing-Zertifikate missbraucht ∗∗∗ --------------------------------------------- Die Einbrecher haben bei Nvidia auch Code-Signing-Zertifikate entwendet und veröffentlicht. Mit denen werden nun Angriffs-Tools signiert. --------------------------------------------- https://heise.de/-6537255 ∗∗∗ Betrügerische Spendenaufrufe: Kriminelle missbrauchen Krieg in der Ukraine ∗∗∗ --------------------------------------------- Um Menschen in der Ukraine finanziell zu unterstützen, gibt es derzeit zahlreiche Möglichkeiten. Doch auch Kriminelle missbrauchen diese Situation und erstellen betrügerische Webseiten mit Spendenaufrufen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-spendenaufrufe-krimin… ∗∗∗ A Backdoor Lockpick ∗∗∗ --------------------------------------------- In early September, 2021, a fairly ordinary and inexpensive residential router came into the Zero Day research team’s possession. --------------------------------------------- https://medium.com/tenable-techblog/a-backdoor-lockpick-d847a83f4496 ∗∗∗ Die Renaissance des Cybervigilantismus ∗∗∗ --------------------------------------------- Der Krieg zwischen Russland und der Ukraine hat als - bis zu einem gewissen Grad überraschenden - Nebeneffekt die Renaissance von Software, die der durch Anonymous bekannt und populär gemachten, zu DDoS-Zwecken verwendeten "Low Orbit Ion Cannon" ähnelt. Dutzende solcher Programme oder auf dem selben Prinzip basierende Webseiten werden aktuell auf den sozialen Netzwerken verteilt und fast schon begeistert von vielen Menschen genutzt. --------------------------------------------- https://cert.at/de/blog/2022/3/die-renaissance-des-cybervigilantismus ∗∗∗ NSA Releases Network Infrastructure Security Guidance ∗∗∗ --------------------------------------------- The report captures best practices based on the depth and breadth of experience in supporting customers and responding to threats. Recommendations include perimeter and internal network defenses to improve monitoring and access controls throughout the network. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/03/nsa-releases-netw… ===================== = Vulnerabilities = ===================== ∗∗∗ Amazon Alexa can be hijacked via commands from own speaker ∗∗∗ --------------------------------------------- Without a critical update, Amazon Alexa devices could wake themselves up and start executing audio commands issued by a remote attacker, according to infosec researchers at Royal Holloway, University of London. --------------------------------------------- https://www.theregister.com/2022/03/03/amazon_alexa_speaker_vuln/ ∗∗∗ New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape? ∗∗∗ --------------------------------------------- CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/ ∗∗∗ Kritische Root-Lücken gefährden Ciscos Fernzugriff-Software Expressway Series ∗∗∗ --------------------------------------------- Der Netzwerkhersteller Cisco hat wichtige Sicherheitsupdates für Expressway Series, StarOS & Co. veröffentlicht. --------------------------------------------- https://heise.de/-6537019 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (varnish), Fedora (barrier and polkit), openSUSE (bitcoin, conmon, libcontainers-common, libseccomp, podman, firefox, nodejs-electron, nodejs8, php7, and webkit2gtk3), SUSE (conmon, libcontainers-common, libseccomp, podman, cyrus-sasl, expat, firefox, nodejs8, php7, tomcat, and webkit2gtk3), and Ubuntu (containerd). --------------------------------------------- https://lwn.net/Articles/886792/ ∗∗∗ pfSense-pkg-WireGuard vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN85572374/ ∗∗∗ B&R APROL and B&R APROL: A flaw in Chainsaw component of Log4j can lead to code execution ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16449471… ∗∗∗ Security Bulletin: IBM Security QRadar SOAR is using a component vulnerable to Cross Site Scripting (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-soar-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where mmfsd daemon can be prevented from servicing requests (CVE-2020-4925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security QRadar SOAR ( CVE-2021-35560, CVE-2021-35578, CVE-2021-35564, CVE-2021-35565, CVE-2021-35588) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server – Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ Trailer Power Line Communications (PLC) J2497 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-063-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.03.2022
by Daily end-of-shift report 03 Mar '22

03 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-03-2022 18:00 − Donnerstag 03-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Free decryptor released for HermeticRansom victims in Ukraine ∗∗∗ --------------------------------------------- Avast Threat Labs has released a decryptor for the HermeticRansom ransomware strain used predominately in targeted attacks against Ukrainian systems in the past ten days. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ Researchers Devise Attack for Stealing Data During Homomorphic Encryption ∗∗∗ --------------------------------------------- A vulnerability in a Microsoft crypto library gives attackers a way to figure out what data is being encrypted in lockpicker-like fashion. --------------------------------------------- https://www.darkreading.com/application-security/researchers-devise-attack-… ∗∗∗ Threat landscape for industrial automation systems, H2 2021 ∗∗∗ --------------------------------------------- By 2021 everyone got used to pandemic limitations – industrial organization employees and IT security professionals and threat actors. If we compare the numbers from 2020 and 2021, we see that 2021 looks more stable, particularly in H2. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-h… ∗∗∗ The Truth About USB Device Serial Numbers – (and the lies your tools tell) ∗∗∗ --------------------------------------------- Evidence surrounding the use of USB devices is an often sought-after forensic treasure trove, due to its verbosity in the operating system, as well as the Windows Registry. The difficulty comes in attempting to make sense of all this data. When the many, disparate breadcrumbs of usage are pulled together in a coherent assemblage of user activity, the results can be shocking in their clarity. --------------------------------------------- https://www.sans.org/blog/the-truth-about-usb-device-serial-numbers?msc=rss ∗∗∗ Vorsicht vor diesen betrügerischen Handwerksdiensten! ∗∗∗ --------------------------------------------- Ihnen ist die Tür zugefallen, der Schlüssel abgebrochen, oder ein Abflussrohr ist verstopft? Solche Notsituationen werden zunehmend von Kriminellen ausgenutzt: Sie bieten schnelle und einfache Hilfe an, doch Vorsicht! Diese unseriösen Anbieter verlangen Wucherpreise in bar und beheben oft nicht einmal das Problem! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-diesen-betruegerischen-… ∗∗∗ Update: Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- Version 1.3 03.03.2022 15:45 * Weitere Empfehlungen, "Weitere Lektüre" Sektion * Aufgrund der Ukraine-Krise herrscht momentan eine sehr hohe allgemeine Gefährdungslage im Cyberraum. Eine spezifische Gefährdung für Österreich ist aktuell noch nicht auszumachen. --------------------------------------------- https://cert.at/de/aktuelles/2022/3/ukraine-krise-aktuelle-informationen ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (cyrus-sasl), Fedora (kicad), Mageia (php), openSUSE (envoy-proxy, ldns, libdxfrw, librecad, php7, and shapelib), Red Hat (cyrus-sasl), SUSE (firefox, gnutls, ldns, and php7), and Ubuntu (haproxy and php7.2, php7.4). --------------------------------------------- https://lwn.net/Articles/886683/ ∗∗∗ Zoho ManageEngine Desktop Central: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Zoho ManageEngine Desktop Central ausnutzen, um Informationen offenzulegen. CVE Liste: CVE-2022-23779 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0253 ∗∗∗ Autodesk AutoCAD: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Autodesk AutoCAD ausnutzen, um beliebigen Programmcode auszuführen. CVE Liste: CVE-2022-25789, CVE-2022-25790, CVE-2022-25791, CVE-2022-25792, CVE-2022-25795 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0252 ∗∗∗ Security Bulletin: IBM i is vulnerable to bypass security restrictions due to Samba SMB1 (CVE-2021-43566 and CVE-2021-44141) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-is-vulnerable-to-by… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-components-are-affe… ∗∗∗ Security Bulletin: IBM DataPower affected by vulnerabilities in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-affected-by… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ K73200428: Linux kernel vulnerability CVE-2022-0185 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73200428?utm_source=f5support&utm_mediu… ∗∗∗ BD Pyxis ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-062-01 ∗∗∗ BD Viper LT ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-062-02 ∗∗∗ IPCOMM ipDIO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-062-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.03.2022
by Daily end-of-shift report 02 Mar '22

02 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-03-2022 18:00 − Mittwoch 02-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing attacks target countries aiding Ukrainian refugees ∗∗∗ --------------------------------------------- A spear-phishing campaign likely coordinated by a state-backed threat actor has been targeting European government personnel providing logistics support to Ukrainian refugees. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-attacks-target-coun… ∗∗∗ Geoblocking when you cant Geoblock, (Tue, Mar 1st) ∗∗∗ --------------------------------------------- Given recent events, I've gotten a flood of calls from clients who want to start blocking egress traffic to specific countries, or block ingress traffic from specific countries (or both). --------------------------------------------- https://isc.sans.edu/diary/rss/28392 ∗∗∗ TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps ∗∗∗ --------------------------------------------- An Android banking trojan designed to steal credentials and SMS messages has been observed once again sneaking past Google Play Store protections to target users of more than 400 banking and financial apps, including those from Russia, China, and the U.S. --------------------------------------------- https://thehackernews.com/2022/03/teabot-android-banking-malware-spreads.ht… ∗∗∗ "Authority-Scam": Kriminelle imitieren Behörden für Investment-Betrug ∗∗∗ --------------------------------------------- Beim „Authority-Scam“ geben sich die Kriminellen als Behörde aus und fordern Zahlungen wegen der Investments. Nicht bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/authority-scam-kriminelle-imitieren-… ∗∗∗ Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization ∗∗∗ --------------------------------------------- Scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations found 75% had known security gaps. --------------------------------------------- https://unit42.paloaltonetworks.com/infusion-pump-vulnerabilities/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Bugs Reported in Popular Open Source PJSIP SIP and Media Stack ∗∗∗ --------------------------------------------- As many as five security vulnerabilities have been disclosed in the PJSIP open-source multimedia communication library that could be abused by an attacker to trigger arbitrary code execution and denial-of-service (DoS) in applications that use the protocol stack. --------------------------------------------- https://thehackernews.com/2022/03/critical-bugs-reported-in-popular-open.ht… ∗∗∗ IBM warnt vor zahlreichen Sicherheitslücken ∗∗∗ --------------------------------------------- IBM hat für diverse Produkte Updates veröffentlicht, die teils kritische Sicherheitslücken schließen. Administratoren sollten sie zeitnah installieren. --------------------------------------------- https://heise.de/-6531076 ∗∗∗ Sicherheitsupdates von Fortinet: Angreifer könnten Admin-Zugänge erraten ∗∗∗ --------------------------------------------- Unter anderen FortiMail und FortiWLC sind verwundbar. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-6531249 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mingw-expat and seamonkey), openSUSE (mc, mysql-connector-java, nodejs12, and sphinx), Red Hat (kernel and kpatch-patch), SUSE (cyrus-sasl, kernel, nodejs12, and php74), and Ubuntu (glibc). --------------------------------------------- https://lwn.net/Articles/886560/ ∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco StarOS Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine RADIUS Service Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Vulnerabilities in AIX CAA (CVE-2022-22350, CVE-2021-38996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-aix-ca… ∗∗∗ Security Bulletin: SQL injection vulnerability in PostgreSQL affects IBM Connect:Direct Web Services (CVE-2021-23214) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote attacker due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security Bulletin: IBM InfoSphere Master Data Management Server vulnerability in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-ibm-inf… ∗∗∗ Security Bulletin: Vulnerabilities with Expat, Spring Framework and Apache HTTP Server affect IBM Cloud Object Storage Systems (Feb 2022 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-expa… ∗∗∗ VMSA-2022-0007 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0007.html ∗∗∗ K34519550: Linux kernel vulnerability CVE-2021-27364 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34519550 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2022
by Daily end-of-shift report 01 Mar '22

01 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 28-02-2022 18:00 − Dienstag 01-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Axis Communications shares details on disruptive cyberattack ∗∗∗ --------------------------------------------- Axis Communications has published a post mortem about a cyberattack that caused severe disruption in their systems, with some systems still partially offline. --------------------------------------------- https://www.bleepingcomputer.com/news/security/axis-communications-shares-d… ∗∗∗ Cyber threat activity in Ukraine: analysis and resources ∗∗∗ --------------------------------------------- Microsoft has been monitoring escalating cyber activity in Ukraine and has published analysis on observed activity in order to give organizations the latest intelligence to guide investigations into potential attacks and information to implement proactive protections against future attempts. We’ve brought together all our analysis and guidance for customers who may be impacted by events ... --------------------------------------------- https://msrc-blog.microsoft.com:443/2022/02/28/analysis-resources-cyber-thr… ∗∗∗ Instagram scammers as busy as ever: passwords and 2FA codes at risk ∗∗∗ --------------------------------------------- Instagram scams dont seem to be dying out - were seeing more variety and trickiness than ever... --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/28/instagram-scammers-as-busy-as-e… ∗∗∗ Triaging A Malicious Docker Container ∗∗∗ --------------------------------------------- Malicious Docker containers are a relatively new form of attack, taking advantage of an exposed Docker API or vulnerable host to do their evil plotting. In this article, we will walk through the triage of a malicious image containing a previously undetected-in-VirusTotal (at the time of this writing) piece of malware --------------------------------------------- https://sysdig.com/blog/triaging-malicious-docker-container/ ∗∗∗ How To Protect Magento Websites ∗∗∗ --------------------------------------------- As of recently, Magento1 has become outdated and no longer supported. Adobe’s goal is to move all users away to Magento2 instead, which has 2FA and a non-standard login URL enabled by default, being generally more secure. Migrating is very costly for an average business, however, so this article will hopefully shed some light on how you can still protect your site regardless of which version of Magento is currently being used. --------------------------------------------- https://blog.sucuri.net/2022/02/how-to-protect-magento-websites.html ∗∗∗ Trickbot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail ∗∗∗ --------------------------------------------- Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminated in the deployment of Conti ransomware. IBM Security X-Force, which discovered the revamped version of the criminal gangs AnchorDNS backdoor, dubbed the new, upgraded variant AnchorMail. --------------------------------------------- https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html ∗∗∗ Nein, Signal wurde nicht gehackt ∗∗∗ --------------------------------------------- Auf Twitter tritt Signal derzeit Gerüchten entgegen, die behaupten, der Messenger sei gehackt oder anderweitig kompromittiert worden. Die Gerüchte "sind falsch. Signal wurde nicht gehackt", betont Signal auf Twitter. "Wir glauben, dass diese Gerüchte Teil einer koordinierten Fehlinformationskampagne sind, die die Menschen dazu bringen soll, weniger sichere Alternativen zu nutzen." --------------------------------------------- https://www.golem.de/news/messenger-nein-signal-wurde-nicht-gehackt-2203-16… ∗∗∗ Unusual sign-in activity mail goes phishing for Microsoft account holders ∗∗∗ --------------------------------------------- We look at a phishing mail which may cause concern for users of Microsoft services as it claims theres been a suspicious login from Russia.The post Unusual sign-in activity mail goes phishing for Microsoft account holders appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/scams/2022/03/unusual-sign-in-activity-mail-g… ∗∗∗ DDoS Attacks Abuse Network Middleboxes for Reflection, Amplification ∗∗∗ --------------------------------------------- Threat actors specializing in distributed denial-of-service (DDoS) attacks have started abusing network middleboxes for reflection and amplification, Akamai warns. --------------------------------------------- https://www.securityweek.com/ddos-attacks-abuse-network-middleboxes-reflect… ∗∗∗ Betrügerische Investitionsplattformen: Checken Sie unsere Liste ∗∗∗ --------------------------------------------- Betrügerische Investitionsplattformen versprechen hohe Gewinne – risikofrei und ohne Finanzwissen. Der Handel erfolgt automatisiert oder mit persönlicher Beratung. Bereits mit kleinen Investitionen können angeblich hohe Gewinne erzielt werden. Klingt sehr verlockend, ist aber Betrug! In diesem Artikel listen wir betrügerische Investitionsplattformen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-investitionsplattform… ∗∗∗ Tales from the Field: Coin-Operated Culprit ∗∗∗ --------------------------------------------- Due to a lack of proper visibility and segmentation, a breakroom vending machine was provided unfettered access to an operational network worth billions of dollars. --------------------------------------------- https://claroty.com/2022/02/28/blog-tales-from-the-field-coin-operated-culp… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in VoipMonitor ∗∗∗ --------------------------------------------- I discovered and reported a few bugs in VoipMonitor ranging from a simple authentication bypass to a full RCE chain. Here I'll describe "most" of these bugs. The issues have been patched in VoipMonitor GUI version 24.97. --------------------------------------------- https://kerbit.io/research/read/blog/3 ∗∗∗ Cloud-Schutzlösung von Okta könnte Schadcode auf Server lassen ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt ein Schadcode-Schlupfloch in Okta Advanced Server Client. --------------------------------------------- https://heise.de/-6529223 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Oracle (kernel, kernel-container, and ruby:2.5), Red Hat (rh-ruby26-ruby), Slackware (libxml2 and libxslt), SUSE (htmldoc and SUSE Manager Server 4.2), and Ubuntu (mariadb-10.3, mariadb-10.5, policykit-1, qemu, virglrenderer, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/886472/ ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Lansweeper could lead to JavaScript, SQL injections ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Lansweeper IT asset management solution that could allow an attacker to inject JavaScript or SQL code on the targeted device. [..] Users are encouraged to update these affected products as soon as possible: Lansweeper version 9.1.20.2. Talos tested and confirmed this version is affected by these vulnerabilities. Lansweeper 9.2.0 incorporates fixes for these issues. --------------------------------------------- http://blog.talosintelligence.com/2022/03/vuln-spotlight-.html ∗∗∗ ZDI-22-424: (0Day) Delta Industrial Automation DIAEnergie AM_Handler SQL Injection Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-424/ ∗∗∗ ZDI-22-423: (0Day) Delta Industrial Automation DIAEnergie HandlerPage_KID Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-423/ ∗∗∗ ZDI-22-422: (0Day) Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-422/ ∗∗∗ ZDI-22-421: (0Day) Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-421/ ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to buffer overflow and denial of service (CVE-2021-44790, CVE-2021-34798, CVE-2021-39275) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-http-server-as-use… ∗∗∗ Security Bulletin: Ansible vulnerability affects IBM Elastic Storage System (CVE-2021-3583) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ansible-vulnerability-aff… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where mmfsd daemon can be prevented from servicing requests (CVE-2020-4925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management(CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an incorrect session invalidation vulnerability (CVE-2021-38986) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Dashboards may be vulnerable to a denial of service vulnerability due to IBM X-Force vulnerability 220063 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Vulnerability in AIX audit commands (CVE-2021-38955) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-audi… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® Semeru Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a Java vulnerability (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: IBM HTTP Server (powered by Apache) for i is vulnerable to CVE-2021-44224 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-powered-b… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance could allow unauthorized viewing of logs and files (CVE-2022-22326) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-could-al… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-27645) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by a password hash that provides insufficient protection (CVE-2022-22321) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Datacap is vulnerable to arbitrary code execution (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ BECKHOFF: Null Pointer Dereference vulnerability in products with OPC UA technology ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-003/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2022
by Daily end-of-shift report 28 Feb '22

28 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-02-2022 18:00 − Montag 28-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Visual Voice Mail on Android may be vulnerable to eavesdropping ∗∗∗ --------------------------------------------- The security researcher, Chris Talbot, discovered the flaw on June 21, 2021, and filed the vulnerability under CVE-2022-23835. The bug is not a flaw in the Android operating system but rather how the service is implemented by mobile carriers. However, the flaw has a "disputed" status because AT&T and T-Mobile dismissed the report for describing a non-exploitable risk, while Sprint and Verizon have not responded. --------------------------------------------- https://www.bleepingcomputer.com/news/security/visual-voice-mail-on-android… ∗∗∗ Reborn of Emotet: New Features of the Botnet and How to Detect it ∗∗∗ --------------------------------------------- One of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet. Law enforcement sent a destructive update to the Emotets executables. And it looked like the end of the trojans story. But the malware never ceased to surprise. November 2021, it was reported that TrickBot no longer works alone and delivers Emotet. --------------------------------------------- https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.h… ∗∗∗ CISA Warns of High-Severity Flaws in Schneider and GE Digitals SCADA Software ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an industrial control system (ICS) advisory related to multiple vulnerabilities impacting Schneider Electrics Easergy medium voltage protection relays. --------------------------------------------- https://thehackernews.com/2022/02/cisa-warns-of-high-severity-flaws-in.html ∗∗∗ Rogue RDP – Revisiting Initial Access Methods ∗∗∗ --------------------------------------------- With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red teams that will inevitably make initial access a bit more difficult to achieve. Over the last year, I have invested some research time in pursuing the use of the Remote Desktop Protocol as an alternative initial access vector, which this post will cover. --------------------------------------------- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-metho… ∗∗∗ BSI liefert "Maßnahmenkatalog Ransomware" ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik stellt im "Maßnahmenkatalog Ransomware" für Unternehmen und Behörden wichtige Präventionsmaßnahmen vor. --------------------------------------------- https://heise.de/-6528055 ∗∗∗ BrokenPrint: A Netgear stack overflow ∗∗∗ --------------------------------------------- This blog post describes a stack-based overflow vulnerability found and exploited in September 2021 in the Netgear R6700v3 --------------------------------------------- https://research.nccgroup.com/2022/02/28/brokenprint-a-netgear-stack-overfl… ∗∗∗ Bestellungen bei herzens-mensch.de und heimfroh.com führen zu Problemen ∗∗∗ --------------------------------------------- Bei den Online-Shops herzens-mensch.de und heimfroh.com handelt es sich um sogenannte Dropshipping-Shops. Die Shops geben an, ein österreichisches Unternehmen zu sein, liefern jedoch aus Asien. Diese Vorgehensweise ist nicht unbedingt betrügerisch, eine Bestellung bei herzens-mensch.de oder heimfroh.com kann aber sehr teuer werden und zu zahlreichen Problemen führen. --------------------------------------------- https://www.watchlist-internet.at/news/bestellungen-bei-herzens-menschde-un… ∗∗∗ Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks ∗∗∗ --------------------------------------------- The malware appears to be used in a long-running espionage campaign against select governments and other critical infrastructure targets. There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 [..] --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ∗∗∗ Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- Auf Grund der Ukraine-Krise herrscht momentan eine sehr hohe allgemeine Gefährdungslage im Cyberraum. Eine spezifsch hohe Gefährdung für Österreich ist aktuell noch nicht auszumachen. Wir sind in laufendem Kontakt mit unseren Kollegen im europäischen CSIRTs Network und in den nationalen Koordinierungsstrukturen. --------------------------------------------- https://cert.at/de/aktuelles/2022/2/ukraine-krise-aktuelle-informationen ∗∗∗ BlackCat ransomware ∗∗∗ --------------------------------------------- AT&T Alien Labs is writing this report about recently created ransomware malware dubbed BlackCat which was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. The attack had little impact on end customers, but it does serve to remind the cybersecurity community of the potential for threat actors to continue attacks against critical infrastructure --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware ===================== = Vulnerabilities = ===================== ∗∗∗ Mozillas VPN-Client könnte Schadcode nachladen ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für Mozilla VPN. Nach erfolgreichen Attacken könnten Angreifer Systeme übernehmen. --------------------------------------------- https://heise.de/-6527681 ∗∗∗ Programmiersprache: Sicherheitslücke ermöglicht Codeschmuggel in PHP ∗∗∗ --------------------------------------------- Mit neuen PHP-Versionen schließen die Entwickler Sicherheitslücken, die Angreifern unter Umständen das Einschleusen von Schadcode ermöglichen könnten. --------------------------------------------- https://heise.de/-6527558 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, cyrus-sasl, kernel, openldap, and python-pillow), Debian (cyrus-sasl2, htmldoc, and ujson), Fedora (flac, gnutls, java-11-openjdk, kernel, qemu, and vim), openSUSE (ucode-intel), SUSE (php72 and ucode-intel), and Ubuntu (php7.4, php8.0). --------------------------------------------- https://lwn.net/Articles/886358/ ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Gerbv could lead to code execution, information disclosure ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Gerbv file viewing software that could allow an attacker to execute arbitrary remote code or disclose sensitive information. [..] Cisco Talos worked with Gerbv to responsibly disclose these vulnerabilities in adherence to Cisco’s vulnerability disclosure policy. However, an update is not available to fix these issues as of Feb. 28, 2022. CVE IDs: CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, CVE-2021-40401, CVE-2021-40400, CVE-2021-40402, CVE-2021-40403 --------------------------------------------- http://blog.talosintelligence.com/2022/02/vuln-spotlight-gerbv-g.html ∗∗∗ ABB CYBER SECURITY ADVISORY - AC 800M MMS - DENIAL OF SERVICE VULNERABILITY IN MMS COMMUNICATION ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=7PAA001499&Language… ∗∗∗ Security Bulletin: Vulnerability in Java SE -CVE-2021-2161 may affect IBM Watson Assistant for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-… ∗∗∗ Security Bulletin: Vulnerability in Node.js- CVE – 2021-22930 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Content Navigator is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution (CVE-2021-44142). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak… ∗∗∗ Security Bulletin: Vulnerability in Node.js- CVE-2021-22959, CVE-2021-22960 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Node.js-CVE-2021-23362, CVE-2021-22921, CVE-2021-22918, CVE-2021-27290 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-… ∗∗∗ Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak… ∗∗∗ Security Bulletin: A Vulnerability In Apache HttpClient Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily