- Daily - CERT.at

Tageszusammenfassung - 12.01.2024
by Daily end-of-shift report 12 Jan '24

12 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-01-2024 18:00 − Freitag 12-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitsrisiko: So einfach können Handy-Nutzer heimlich verfolgt werden ∗∗∗ --------------------------------------------- Ein niederländischer Radiosender bekam 80 Gigabyte an Standortdaten von der Berliner Plattform Datarade in die Hände und konnte so etwa Offiziere beschatten. --------------------------------------------- https://www.heise.de/-9596230.html ∗∗∗ Microsoft liefert Abhilfe zur Installation von Updates in WinRE-Partition ∗∗∗ --------------------------------------------- Am Januar-Patchday schlägt die Update-Intallation unter Windows 10 oft mit Fehler 0x80070643 fehl. Ein Microsoft-Skript soll helfen. --------------------------------------------- https://www.heise.de/-9595312.html ∗∗∗ Jetzt patchen! Kritische Sicherheitslücke in GitLab ermöglicht Accountklau ∗∗∗ --------------------------------------------- Der Fehler wird bereits aktiv von Kriminellen ausgenutzt, Administratoren sollten zügig handeln und ihre GitLab-Instanzen aktualisieren oder abschotten. --------------------------------------------- https://www.heise.de/-9595848.html ∗∗∗ Datenleck bei Halara: Persönliche Daten von 941.910 Kunden stehen wohl im Netz ∗∗∗ --------------------------------------------- Die Daten zahlreicher Halara-Kunden sind in einem Hackerforum aufgetaucht. Abgeflossen sein sollen sie über eine Schwachstelle in der Webseiten-API. --------------------------------------------- https://www.golem.de/news/bekleidungshersteller-halara-kundendaten-in-hacke… ∗∗∗ New Balada Injector campaign infects 6,700 WordPress sites ∗∗∗ --------------------------------------------- A new Balada Injector campaign launched in mid-December has infected over 6,700 WordPress websites using a vulnerable version of the Popup Builder campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-balada-injector-campaign… ∗∗∗ Over 150k WordPress sites at takeover risk via vulnerable plugin ∗∗∗ --------------------------------------------- Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at… ∗∗∗ One File, Two Payloads, (Fri, Jan 12th) ∗∗∗ --------------------------------------------- It has been a while since I discussed obfuscation techniques in malicious scripts. I found a VB script that pretends to be a PDF file. As usual, it was delivered through a phishing email with a zip archive. The filename is "rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs" (SHA256:6e6ecd38cc3c58c40daa4020b856550b1cbaf1dbc0fad517f7ca26d6e11a3d75[1]) --------------------------------------------- https://isc.sans.edu/diary/rss/30558 ∗∗∗ Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. "This attack is particularly intriguing due to the attackers use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier [...] --------------------------------------------- https://thehackernews.com/2024/01/cryptominers-targeting-misconfigured.html ∗∗∗ Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families ∗∗∗ --------------------------------------------- As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said [...] --------------------------------------------- https://thehackernews.com/2024/01/nation-state-actors-weaponize-ivanti.html ∗∗∗ Akira ransomware attackers are wiping NAS and tape backups ∗∗∗ --------------------------------------------- “The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year,” the Finnish National Cybersecurity Center (NCSC-FI) has shared on Wednesday. NCSC-FI has received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during Christmas vacations. --------------------------------------------- https://www.helpnetsecurity.com/2024/01/12/finland-akira-ransomware/ ∗∗∗ Joomla! vulnerability is being actively exploited ∗∗∗ --------------------------------------------- A vulnerability in the popular Joomla! CMS has been added to CISAs known exploited vulnerabilities catalog. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/01/joomla-vulnerability-is-bein… ∗∗∗ An Introduction to AWS Security ∗∗∗ --------------------------------------------- Cloud providers are becoming a core part of IT infrastructure. Amazon Web Services (AWS), the worlds biggest cloud provider, is used by millions of organizations worldwide and is commonly used to run sensitive and mission-critical workloads. This makes it critical for IT and security professionals to understand the basics of AWS security and take measures to protect their data and workloads. --------------------------------------------- https://www.tripwire.com/state-of-security/introduction-aws-security ∗∗∗ Financial Fraud APK Campaign ∗∗∗ --------------------------------------------- Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-apks-steal-pii-from-chinese-u… ∗∗∗ CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign ∗∗∗ --------------------------------------------- This blog delves into the Phemedrone Stealer campaigns exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malwares payload. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for… ===================== = Vulnerabilities = ===================== ∗∗∗ Pufferüberlauf und andere Sicherheitslücken in IBM Business Automation Workflow ∗∗∗ --------------------------------------------- Angreifer können Code einschleusen, Komponenten zum Stillstand bringen und geheime Informationen abgreifen. IBM informiert Kunden über Gegenmaßnahmen. --------------------------------------------- https://www.heise.de/-9596204.html ∗∗∗ Splunk, cacti, checkmk: Sicherheitslücken in Monitoring-Software ∗∗∗ --------------------------------------------- In drei beliebten Monitoring-Produkten gibt es Sicherheitsprobleme. Admins sollten sich um Updates kümmern. --------------------------------------------- https://www.heise.de/-9595021.html ∗∗∗ Bluetooth-Lücke: Apple sichert Tastaturen mit neuer Firmware ab ∗∗∗ --------------------------------------------- Aufgrund eines Bugs war es möglich, Bluetooth-Datenverkehr mitzuzeichnen. Allerdings brauchte der Angreifer physischen Zugriff auf die Tastatur. --------------------------------------------- https://www.heise.de/-9595522.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c). --------------------------------------------- https://lwn.net/Articles/958124/ ∗∗∗ Security Bulletin for Trend Micro Apex Central ∗∗∗ --------------------------------------------- https://success.trendmicro.com/dcx/s/solution/000296153?language=en_US ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.01.2024
by Daily end-of-shift report 11 Jan '24

11 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-01-2024 18:00 − Donnerstag 11-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Atomic Stealer rings in the new year with updated version ∗∗∗ --------------------------------------------- Mac users should be aware of an active distribution campaign via malicious ads delivering Atomic Stealer. The latest iteration of the malware is stealthy thanks to added encryption and obfuscation of its code. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-steale… ∗∗∗ SECGlitcher (Part 1) - Reproducible Voltage Glitching on STM32 Microcontrollers ∗∗∗ --------------------------------------------- Voltage glitching is a technique used in hardware security testing to try to bypass or modify the normal operation of a device by injecting a glitch. --------------------------------------------- https://sec-consult.com/blog/detail/secglitcher-part-1-reproducible-voltage… ∗∗∗ Achtung Nachahmer: Gefahren durch gefälschte Messaging-Apps und App-Mods ∗∗∗ --------------------------------------------- Klone und Mods von WhatsApp, Telegram und Signal sind nach wie vor ein beliebtes Mittel zur Verbreitung von Malware. Lassen Sie sich nicht für dumm verkaufen. --------------------------------------------- https://www.welivesecurity.com/de/mobile-sicherheit/achtung-nachahmer-gefah… ∗∗∗ Vorsicht vor Promi-Klonen auf Social Media: So täuschen Kriminelle treue Fans ∗∗∗ --------------------------------------------- Christina Stürmer, Hubert von Goisern oder Christopher Seiler: Das sind nur 3 von zahlreichen österreichischen Prominenten, die auf Facebook und Instagram vertreten sind -allerdings nicht nur mit einem einzigen Profil. Denn Kriminelle erstellen Fake-Profile, auf denen sie sich als diese Stars ausgeben, um den treuen Fans das Geld aus der Tasche zu ziehen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-promi-klonen-auf-social… ∗∗∗ Medusa Ransomware Turning Your Files into Stone ∗∗∗ --------------------------------------------- Medusa ransomware gang has not only escalated activities but launched a leak site. We also analyze new TTPS encountered in an incident response case. --------------------------------------------- https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Kein Patch verfügbar: Ivanti Connect Secure und Policy Secure sind angreifbar ∗∗∗ --------------------------------------------- In Ivanti Connect Secure und Policy Secure klaffen aktiv ausgenutzte Sicherheitslücken. Patches gibt es bisher nicht - nur einen Workaround. --------------------------------------------- https://www.golem.de/news/kein-patch-verfuegbar-ivanti-connect-secure-und-p… ∗∗∗ Zoho ManageEngine: Codeschmuggel in ADSelfService Plus möglich ∗∗∗ --------------------------------------------- In Zoho ManageEngine ADSelfService Plus klafft eine kritische Sicherheitslücke. Angreifer können dadurch Schadcode einschleusen. --------------------------------------------- https://www.heise.de/news/Zoho-ManageEngine-Codeschmuggel-in-ADSelfService-… ∗∗∗ Sicherheitspatch: API-Fehler in Cisco Unity Connection macht Angreifer zum Root ∗∗∗ --------------------------------------------- Verschiedene Netzwerkprodukte von Cisco sind verwundbar. Eine Lücke gilt als kritisch. --------------------------------------------- https://www.heise.de/news/Sicherheitspatch-API-Fehler-in-Cisco-Unity-Connec… ∗∗∗ BIOS-Sicherheitsupdates von Dell und Lenovo ∗∗∗ --------------------------------------------- Dell stellt aktualisierte BIOS-Versionen für einige Geräte bereit. AMI schließt mehrere Sicherheitslücken, Lenovo reicht diese durch. --------------------------------------------- https://www.heise.de/news/BIOS-Sicherheitsupdates-von-Dell-und-Lenovo-95940… ∗∗∗ Sicherheitspatch: IBM Security Verify für Root-Attacken anfällig ∗∗∗ --------------------------------------------- Die Entwickler haben in IBMs Zugriffsmanagementlösung Security Verify mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/Sicherheitspatch-IBM-Security-Verify-fuer-Root-At… ∗∗∗ Juniper Networks bessert zahlreiche Schwachstellen aus ∗∗∗ --------------------------------------------- Juniper Networks hat 27 Sicherheitsmitteilungen veröffentlicht. Sie betreffen Junos OS, Junos OS Evolved und diverse Hardware. --------------------------------------------- https://www.heise.de/news/Juniper-Networks-bessert-zahlreiche-Schwachstelle… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (chromium, python-paramiko, tigervnc, and xorg-x11-server), Oracle (ipa, libxml2, python-urllib3, python3, and squid), Red Hat (.NET 6.0, .NET 7.0, .NET 8.0, container-tools:4.0, fence-agents, frr, gnutls, idm:DL1, ipa, kernel, kernel-rt, libarchive, libxml2, nss, openssl, pixman, python-urllib3, python3, tigervnc, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (gstreamer-plugins-bad), and Ubuntu (firefox, Go, linux-aws, [...] --------------------------------------------- https://lwn.net/Articles/958029/ ∗∗∗ Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN ∗∗∗ --------------------------------------------- Volexity analyzed one of the collected memory samples and uncovered the exploit chain used by the attacker. Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE). --------------------------------------------- https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-da… ∗∗∗ Cisco TelePresence Management Suite Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Apache ActiveMQ OpenWire Protocol Class Type Manipulation Arbitrary Code Execution Vulnerability affects Atos Unify OpenScape UC and Atos Unify Common Management Platform ∗∗∗ --------------------------------------------- https://networks.unify.com/security/advisories/OBSO-2401-02.pdf ∗∗∗ ZDI Security Advisories ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Rapid Software LLC Rapid SCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2024
by Daily end-of-shift report 10 Jan '24

10 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-01-2024 18:00 − Mittwoch 10-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Absenderdaten entschlüsselt: China hat wohl Apples Airdrop-Protokoll "geknackt" ∗∗∗ --------------------------------------------- Forensikern aus Peking ist es angeblich gelungen, Telefonnummern und E-Mail-Adressen von Airdrop-Absendern zu entschlüsseln. --------------------------------------------- https://www.golem.de/news/absenderdaten-entschluesselt-china-hat-wohl-apple… ∗∗∗ Jenkins Brute Force Scans, (Tue, Jan 9th) ∗∗∗ --------------------------------------------- Our honeypots saw a number of scans for "/j_acegi_security_check" the last two days. This URL has not been hit much lately, but was hit pretty hard last March. The URL is associated with Jenkins, and can be used to brute force passwords. --------------------------------------------- https://isc.sans.edu/diary/rss/30546 ∗∗∗ Vorgaben der CISA: Mehr Sicherheit für die Microsoft-Cloud ∗∗∗ --------------------------------------------- Die Security-Vorgaben der CISA für die Microsoft-Cloud sind fertig. Wir zeigen, was hinter den Empfehlungen steckt und wo sie sich von MS und CIS unterscheiden. --------------------------------------------- https://www.heise.de/-9591800.html ∗∗∗ Patchday Microsoft: Kerberos-Authentifizierung unter Windows verwundbar ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Azure, Office, Windows und Co. erschienen. Attacken können bevorstehen. Ein Bitlocker-Patch macht Probleme. --------------------------------------------- https://www.heise.de/-9592648.html ∗∗∗ Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin ∗∗∗ --------------------------------------------- On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view [...] --------------------------------------------- https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabi… ∗∗∗ Siemens, Schneider Electric Release First ICS Patch Tuesday Advisories of 2024 ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric publish a total of 7 new security advisories addressing 22 vulnerabilities. --------------------------------------------- https://www.securityweek.com/siemens-schneider-electric-release-first-ics-p… ∗∗∗ Achtung: Vermehrt PayLife Phishing-Mails im Umlauf ∗∗∗ --------------------------------------------- Schützen Sie Ihre Kreditkartendaten und nehmen Sie sich vor Phishing-Mails im Namen von PayLife in Acht. Kriminelle behaupten in den E-Mails, dass Sie aufgrund der Verpflichtung zur Zwei-Faktor-Authentifizierung Schritte setzen und einem Link folgen müssen. Sie landen auf einer kaum als Fälschung erkennbaren Kopie der PayLife-Seite. Geben Sie dort keine Daten ein! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vermehrt-paylife-phishing-ma… ∗∗∗ ‘Yet another Mirai-based botnet’ is spreading an illicit cryptominer ∗∗∗ --------------------------------------------- A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday. Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year, and it has various quirks that complicate analysis of the malware and point to highly-skilled threat actors. --------------------------------------------- https://therecord.media/mirai-based-botnet-spreading-akamai ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-expl… ∗∗∗ Apache Applications Targeted by Stealthy Attacker ∗∗∗ --------------------------------------------- Researchers at Aqua Nautilus have uncovered a new attack targeting Apache Hadoop and Flink applications. This attack is particularly intriguing due to the attackers use of packers and rootkits to conceal the malware. The simplicity with which these techniques are employed presents a significant challenge to traditional security defenses. --------------------------------------------- https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-steal… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-01-10 ∗∗∗ --------------------------------------------- Security Impact Rating: 1x Critical, 6x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Lenovo Security Advisories 2024-01-09 ∗∗∗ --------------------------------------------- - AMI MegaRAC Vulnerabilities - Lenovo XClarity Administrator (LXCA) Vulnerability - Lenovo Vantage Vulnerabilities - Lenovo Tablet Vulnerabilities - TianoCore EDK II BIOS Vulnerabilities --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ Patchday Adobe: Mehrere Schwachstellen in Substance 3D Stager geschlossen ∗∗∗ --------------------------------------------- Adobes Anwendung zum Erstellen von 3D-Szenen Substance 3D Stager ist angreifbar. Eine fehlerbereinigte Version steht zum Download bereit. --------------------------------------------- https://www.heise.de/-9592712.html ∗∗∗ Update für Google Chrome: Hochriskantes Sicherheitsleck abgedichtet ∗∗∗ --------------------------------------------- Google hat turnusgemäß den Webbrowser Chrome aktualisiert. Dabei haben die Entwickler eine als hohes Risiko eingestufte Sicherheitslücke gestopft. --------------------------------------------- https://www.heise.de/-9592658.html ∗∗∗ Update gegen Rechteausweitung in FortiOS und FortiProxy ∗∗∗ --------------------------------------------- Fortinet warnt vor einem Fehler in der Rechteverwaltung von FortiOS und FortiProxy in HA Clustern. Bösartige Akteure können ihre Rechte ausweiten. --------------------------------------------- https://www.heise.de/-9592816.html ∗∗∗ Webkonferenzen: Zoom-Sicherheitslücken ermöglichen Rechteausweitung ∗∗∗ --------------------------------------------- Zoom verteilt aktualisierte Videokonferenz-Software. Sie schließt eine Sicherheitslücke, durch die Angreifer ihre Rechte ausweiten können. --------------------------------------------- https://www.heise.de/-9593000.html ∗∗∗ 2022-01 Security Bulletin: Junos OS Evolved: Telnet service may be enabled when it is expected to be disabled. (CVE-2022-22164) ∗∗∗ --------------------------------------------- Modification History 2022-01-12: Initial Publication 2024-01-10: updated the JSA with information on an additional PR which fixed some releases which were not completely fixed originally --------------------------------------------- https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libssh), Gentoo (FAAD2 and RedCloth), Red Hat (kpatch-patch and nss), SUSE (hawk2, LibreOffice, opera, and tar), and Ubuntu (glibc, golang-1.13, golang-1.16, linux-azure, linux-gkeop, monit, and postgresql-9.5). --------------------------------------------- https://lwn.net/Articles/957340/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ SVD-2024-0104: Splunk User Behavior Analytics (UBA) Third-Party Package Updates ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0104 ∗∗∗ SVD-2024-0103: Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0103 ∗∗∗ SVD-2024-0102: Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0102 ∗∗∗ SVD-2024-0101: Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0101 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.01.2024
by Daily end-of-shift report 09 Jan '24

09 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Montag 08-01-2024 18:00 − Dienstag 09-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware ∗∗∗ --------------------------------------------- A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023. --------------------------------------------- https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html ∗∗∗ Skrupel nur vorgeschoben? Ransomware-Banden attackieren Kliniken ∗∗∗ --------------------------------------------- Zwar zürnt der Lockbit-Betreiber öffentlich mit einem Handlanger, ist sich dennoch für Krankenhaus-Erpressung nicht zu schade. Andere bedrohen gar Patienten. --------------------------------------------- https://www.heise.de/news/Skrupel-nur-vorgeschoben-Ransomware-Banden-attack… ∗∗∗ Vorsicht vor Phishing-Mails im Namen der KingBill GmbH ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail im Namen der „KingBill GmbH“ werden Sie gebeten, Ihre offenen Zahlungen an KingBill zu sperren. Angeblich werden ausstehende Rechnungen nun auf eine Nebenkontoverbindung verrechnet. Sie werden aufgefordert, umgehend auf das E-Mail zu antworten. Bei diesem E-Mail handelt es sich aber um Betrug, um Ihnen Geld zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-phishing-mails-im-namen… ∗∗∗ Roles allowing to abuse Entra ID federation for persistence and privilege escalation ∗∗∗ --------------------------------------------- Microsoft Entra ID (formerly known as Azure AD) allows delegation of authentication to another identity provider through the legitimate federation feature. However, attackers with elevated privileges can abuse this feature, leading to persistence and privilege escalation. --------------------------------------------- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federa… ∗∗∗ New decryptor for Babuk Tortilla ransomware variant released ∗∗∗ --------------------------------------------- Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor. --------------------------------------------- https://blog.talosintelligence.com/decryptor-babuk-tortilla/ ===================== = Vulnerabilities = ===================== ∗∗∗ SAP-Patchday: Teils kritische Lücken in Geschäftssoftware ∗∗∗ --------------------------------------------- Der Januar-Patchday von SAP behandelt teils kritische Sicherheitslücken. Zu insgesamt zehn Schwachstellen gibt es Sicherheitsnotizen. --------------------------------------------- https://www.heise.de/news/SAP-Patchday-Teils-kritische-Luecken-in-Geschaeft… ∗∗∗ Synology warnt vor Sicherheitslücke im DSM-Betriebssystem ∗∗∗ --------------------------------------------- Synology gibt eine Warnung vor einer Sicherheitslücke im DSM-Betriebssystem für NAS-Systeme heraus. Updates stehen länger bereit. --------------------------------------------- https://www.heise.de/news/Synology-warnt-vor-Sicherheitsluecke-im-DSM-Betri… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (squid), Fedora (podman), Mageia (dropbear), SUSE (eclipse-jgit, jsch, gcc13, helm3, opusfile, qt6-base, thunderbird, and wireshark), and Ubuntu (clamav, libclamunrar, and qemu). --------------------------------------------- https://lwn.net/Articles/957236/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ SSA-794653 V1.0: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-794653.html ∗∗∗ SSA-786191 V1.0: Local Privilege Escalation Vulnerability in Spectrum Power 7 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-786191.html ∗∗∗ SSA-777015 V1.0: Multiple Vulnerabilities in SIMATIC CN 4100 before V2.7 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-777015.html ∗∗∗ SSA-702935 V1.0: Redfish Server Vulnerability in maxView Storage Manager ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-702935.html ∗∗∗ SSA-589891 V1.0: Multiple PAR File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-589891.html ∗∗∗ SSA-583634 V1.0: Command Injection Vulnerability in the CPCI85 Firmware of SICAM A8000 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-583634.html ∗∗∗ Open Port 8899 in BCC Thermostat Product ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-473852.html ∗∗∗ CVE-2023-48795 Impact of Terrapin SSH Attack (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-48795 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.01.2024
by Daily end-of-shift report 08 Jan '24

08 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-01-2024 18:00 − Montag 08-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Post-Quanten-Kryptografie: Verschlüsselungsverfahren Kyber birgt Schwachstellen ∗∗∗ --------------------------------------------- Durch die Messung der für bestimmte Divisionsoperationen benötigten Rechenzeit lassen sich wohl geheime Kyber-Schlüssel rekonstruieren. --------------------------------------------- https://www.golem.de/news/post-quanten-kryptografie-verschluesselungsverfah… ∗∗∗ Suspicious Prometei Botnet Activity, (Sun, Jan 7th) ∗∗∗ --------------------------------------------- On the 31 Dec 2023, after trying multiple username/password combination, actor using IP 194.30.53.68 successfully loging to the honeypot and uploaded eight files where 2 of them are protected with a 7zip password (updates1.7z & updates2.7z). Some of these files have been identified to be related to the Prometei trojan by Virustotal. --------------------------------------------- https://isc.sans.edu/diary/rss/30538 ∗∗∗ Bypass Cognito Account Enumeration Controls ∗∗∗ --------------------------------------------- Amazon Cognito is a popular “sign-in as a service” offering from AWS. It allows developers to push the responsibility of developing authentication, sign up, and secure credential storage to AWS so they can instead focus on building their app. [..] This bypass was originally reported via a GitHub issue in July 2020 and Cognito is still vulnerable as of early 2024. --------------------------------------------- https://hackingthe.cloud/aws/enumeration/bypass_cognito_user_enumeration_co… ∗∗∗ Jetzt patchen! Attacken auf Messaging-Plattform Apache RocketMQ ∗∗∗ --------------------------------------------- Sicherheitsforscher beobachten zurzeit Angriffsversuche auf die Messaging- und Streaming-Plattform Apache RocketMQ. Sicherheitsupdates sind bereits seit Mai 2023 verfügbar. --------------------------------------------- https://www.heise.de/-9590555 ∗∗∗ Sicherheitsupdates: Schadcode- und DoS-Attacken auf Qnap NAS möglich ∗∗∗ --------------------------------------------- Angreifer können Netzwerkspeicher von Qnap ins Visier nehmen. Sicherheitspatches schaffen Abhilfe. --------------------------------------------- https://www.heise.de/-9589870 ∗∗∗ Die OAuth-Hintertür: Google wiegelt ab ∗∗∗ --------------------------------------------- Der Suchmaschinenriese Google sieht keine Sicherheitslücke in der durch Kriminelle ausgenutzten Schnittstelle, sie funktioniere wie vorgesehen. --------------------------------------------- https://www.heise.de/-9589840 ∗∗∗ NIST: No Silver Bullet Against Adversarial Machine Learning Attacks ∗∗∗ --------------------------------------------- NIST has published a report on adversarial machine learning attacks and mitigations, and cautioned that there is no silver bullet for these types of threats. --------------------------------------------- https://www.securityweek.com/nist-no-silver-bullet-against-adversarial-mach… ∗∗∗ Werbung für verlorene Pakete der Post für € 1,95 ist Betrug ∗∗∗ --------------------------------------------- Auf Facebook und im Facebook Messenger kursiert eine Werbung, die verloren gegangene Pakete der Post um € 1,95 verspricht. Die Werbung vermittelt den Eindruck, dass Angebot käme von der Post selbst. In den Paketen befinden sich angeblich hochpreisige Elektronikprodukte wie Laptops, Spielkonsolen oder Smartwatches. Dabei handelt es sich aber um eine betrügerische Werbung, die nichts mit der Österreichischen Post zu tun hat! --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-verlorene-pakete-der-po… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices ∗∗∗ --------------------------------------------- Pentagrid identified several vulnerabilities in Lantronixs EDS-MD product during a penetration test. The EDS-MD is an IoT gateway for medical devices and equipment. The vulnerabilities include an authenticated command injection, cross-site request forgery, missing authentication for the AES-encrypted communication, cross-site scripting vulnerabilities, outdated software components, and more. --------------------------------------------- https://www.pentagrid.ch/en/blog/multiple-vulnerabilties-in-lantronix-eds-m… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4), Fedora (chromium, perl-Spreadsheet-ParseExcel, python-aiohttp, python-pysqueezebox, and tinyxml), Gentoo (Apache Batik, Eclipse Mosquitto, firefox, R, Synapse, and util-linux), Mageia (libssh2 and putty), Red Hat (squid), SUSE (libxkbcommon), and Ubuntu (gnutls28). --------------------------------------------- https://lwn.net/Articles/957146/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Qt: Security advisory: Potential Integer Overflow in Qts HTTP2 implementation ∗∗∗ --------------------------------------------- https://www.qt.io/blog/security-advisory-potential-integer-overflow-in-qts-… ∗∗∗ BOSCH-SA-711465: Multiple vulnerabilities in Nexo cordless nutrunner ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-711465.html ∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/08/cisa-adds-six-known-expl… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2024
by Daily end-of-shift report 05 Jan '24

05 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-01-2024 18:00 − Freitag 05-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kritische Schadcode-Lücke gefährdet Ivanti Endpoint Manager ∗∗∗ --------------------------------------------- Unter bestimmten Voraussetzungen können Angreifer Schadcode auf Ivanti-EPM-Servern ausführen. --------------------------------------------- https://www.heise.de/-9587991.html ∗∗∗ Ransomware: Nach der Erpressung folgt umgehend die nächste Erpressung ∗∗∗ --------------------------------------------- Online-Kriminelle werden immer dreister und schlachten Opfer von Erpressungstrojanern gleich mehrfach aus. --------------------------------------------- https://www.heise.de/-9588424.html ∗∗∗ Fitness-App „Mad Muscles“: Kostenfalle statt Unterstützung bei Neujahrsvorsätzen ∗∗∗ --------------------------------------------- Der unseriöse Anbieter „Mad Muscles“ schaltet derzeit massiv Werbung auf Facebook und Instagram. Die Botschaft? „Building muscle isnt as hard as it sounds!“ („Muskelaufbau ist nicht so schwer, wie es klingt!“) - gerade zum Jahreswechsel sind solche Botschaften beliebt, sollen die Angebote doch dabei helfen, Neujahrsvorsätze einzuhalten. Was die Werbung verschweigt: Die Betreiber:innen von madmuscles.com und der dazugehörigen „Mad Muscle App“ machen Informationen zum Unternehmen genauso wenig transparent wie die Gesamtkosten. Hinzu kommt: Kündigungen werden laut Erfahrungsberichten erschwert. --------------------------------------------- https://www.watchlist-internet.at/news/fitness-app-mad-muscles-kostenfalle-… ∗∗∗ The source code of Zeppelin Ransomware sold on a hacking forum ∗∗∗ --------------------------------------------- Researchers from cybersecurity firm KELA reported that a threat actor announced on a cybercrime forum the sale of the source code and a cracked version of the Zeppelin ransomware builder for $500. --------------------------------------------- https://securityaffairs.com/156974/cyber-crime/zeppelin-ransomware-source-c… ∗∗∗ New Bandook RAT Variant Resurfaces, Targeting Windows Machines ∗∗∗ --------------------------------------------- A new variant of remote access trojan called Bandook has been observed being propagated via phishing attacks with an aim to infiltrate Windows machines, underscoring the continuous evolution of the malware. Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.“ --------------------------------------------- https://thehackernews.com/2024/01/new-bandook-rat-variant-resurfaces.html ∗∗∗ SpectralBlur: New macOS Backdoor Threat from North Korean Hackers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. “SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [...] --------------------------------------------- https://thehackernews.com/2024/01/spectralblur-new-macos-backdoor-threat.ht… ∗∗∗ Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer ∗∗∗ --------------------------------------------- Using extractors written in Python, we detail our system for extracting internal malware configurations from memory dumps. GuLoader and RedLine Stealer are our examples. --------------------------------------------- https://unit42.paloaltonetworks.com/malware-configuration-extraction-techni… ===================== = Vulnerabilities = ===================== ∗∗∗ Inductive Automation Trust Center Updates ∗∗∗ --------------------------------------------- Inductive Automation offers a special thanks to the following security researchers from Trend Micro Zero Day Initiative, Star Labs, Incite Team, and Claroty Research Team82 for their hard work in finding and responsibly disclosing security vulnerabilities described in this tech advisory. All reported issues have been resolved as of Ignition 8.1.35. Inductive Automation recommends upgrading Ignition to the current version to address known vulnerabilities. --------------------------------------------- https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-69… ∗∗∗ QNAP Security Advisories ∗∗∗ --------------------------------------------- - Vulnerability in QcalAgent - Multiple Vulnerabilities in QTS and QuTS hero - Multiple Vulnerabilities in QuMagie - Multiple Vulnerabilities in Video Station - Vulnerability in Netatalk --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, chromium, exim4, netatalk, and tomcat9), Fedora (chromium), Gentoo (BlueZ, c-ares, CUPS filters, RDoc, and WebKitGTK+), Oracle (firefox, squid:4, thunderbird, and tigervnc), SUSE (python-aiohttp and python-paramiko), and Ubuntu (linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/957005/ ∗∗∗ Security Update for Ivanti EPM ∗∗∗ --------------------------------------------- [...] We are reporting this vulnerability as CVE-2023-39366. We have no indication that customers have been impacted by this vulnerability. This vulnerability impacts all supported versions of the product, and the issue has been resolved in Ivanti EPM 2022 Service Update 5. If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-epm ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2024
by Daily end-of-shift report 04 Jan '24

04 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-01-2024 18:00 − Donnerstag 04-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Mandiant’s account on X hacked to push cryptocurrency scam ∗∗∗ --------------------------------------------- The Twitter account of American cybersecurity firm and Google subsidiary Mandiant was hijacked earlier today to impersonate the Phantom crypto wallet and share a cryptocurrency scam. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mandiants-account-on-x-hacke… ∗∗∗ UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT ∗∗∗ --------------------------------------------- The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software. [..] "Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems," the researchers said. --------------------------------------------- https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html ∗∗∗ Three Ways To Supercharge Your Software Supply Chain Security ∗∗∗ --------------------------------------------- If you make software and ever hope to sell it to one or more federal agencies, you have to pay attention to this. Even if you never plan to sell to a government, understanding your Software Supply Chain and learning how to secure it will pay dividends in a stronger security footing and the benefits it provides. --------------------------------------------- https://thehackernews.com/2024/01/three-ways-to-supercharge-your-software.h… ∗∗∗ Internetstörungen in Spanien: Orange-Konto bei RIPE geknackt ∗∗∗ --------------------------------------------- Im spanischen Internet kam es zu Störungen. Das Konto des Anbieters Orange bei RIPE wurde geknackt, die Angreifer haben Routen umgelenkt. [..] Durch ein schwaches Passwort ("ripeadmin") und den Verzicht auf Zwei-Faktor-Authentifizierung hatte der Angreifer leichtes Spiel. [..] Eine Antwort auf eine Anfrage beim RIPE NCC zu weiteren betroffenen oder gefährdeten Accounts und zu einer möglichen Verpflichtung, RIPE Accounts künftig zwingend mit Zwei-Faktor-Authentifizierung zu schützen, steht noch aus. Orange Spanien ist mit einem blauen Auge davongekommen; offenbar ging es dem Angreifer nur darum, den Provider bloßzustellen. --------------------------------------------- https://www.heise.de/-9587184 ∗∗∗ Terrapin-Attacke: Millionen SSH-Server angreifbar, Risiko trotzdem überschaubar ∗∗∗ --------------------------------------------- Zwar ist mehr als die Hälfte aller im Internet erreichbaren SSH-Server betroffen, Admins können jedoch aufatmen: Ein erfolgreicher Angriff ist schwierig. --------------------------------------------- https://www.heise.de/-9587473 ∗∗∗ Beyond Protocols: How Team Camaraderie Fortifies Security ∗∗∗ --------------------------------------------- The most efficient and effective teams have healthy and constructive cultures that encourage team members to go above and beyond the call of duty. --------------------------------------------- https://www.securityweek.com/beyond-protocols-how-team-camaraderie-fortifie… ∗∗∗ „Sofortiges Handeln erforderlich“: Massenhaft Phishing-Mails im Namen von A1 im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche Konsument:innen wenden sich aktuell mit gefälschten E-Mails im Namen von A1 an die Watchlist Internet. Im E-Mail wird behauptet, dass „ungewöhnliche Verbindungen“ festgestellt wurden und daher „Ihre sofortige Aufmerksamkeit“ notwendig ist, „um die Sicherheit Ihres Kontos zu gewährleisten“. Gleichzeitig wird mit der Sperre des Kontos gedroht. Wir können entwarnen: Es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/sofortiges-handeln-erforderlich-mass… ∗∗∗ CVE-2022-1471: SnakeYAML Deserialization Deep Dive ∗∗∗ --------------------------------------------- Get an overview of SnakeYAML deserialization vulnerabilities (CVE-2022-1471) - how it works, why it works, and what it affects. --------------------------------------------- https://www.greynoise.io/blog/cve-2022-1471-snakeyaml-deserialization-deep-… ===================== = Vulnerabilities = ===================== ∗∗∗ Update für Google Chrome schließt sechs Sicherheitslücken ∗∗∗ --------------------------------------------- Google hat aktualisierte Chrome-Versionen herausgegeben. Sie schließen sechs Sicherheitslücken, davon mehrere mit hohem Risiko. --------------------------------------------- https://www.heise.de/-9586697 ∗∗∗ Patchday Android: Angreifer können sich höhere Rechte erschleichen ∗∗∗ --------------------------------------------- Android-Geräte sind für Attacken anfällig. Google, Samsung & Co. stellen Sicherheitsupdates bereit. --------------------------------------------- https://www.heise.de/-9586713 ∗∗∗ Netzwerkanalysetool Wireshark gegen mögliche Attacken abgesichert ∗∗∗ --------------------------------------------- Die Wireshark-Entwickler haben in aktuellen Versionen mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/-9587170 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), Red Hat (squid:4), SUSE (exim, libcryptopp, and proftpd), and Ubuntu (openssh and sqlite3). --------------------------------------------- https://lwn.net/Articles/956855/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-02 ∗∗∗ Rockwell Automation FactoryTalk Activation ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2024
by Daily end-of-shift report 03 Jan '24

03 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-01-2024 18:00 − Mittwoch 03-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Leaksmas: Auch Cyberkriminelle haben sich zu Weihnachten beschenkt ∗∗∗ --------------------------------------------- Rund um Weihnachten wurden im Darknet mehr als 50 Millionen neue Datensätze aus verschiedenen Quellen veröffentlicht. Der Zeitpunkt war kein Zufall. Cyberkriminelle haben die Weihnachtszeit offenbar genutzt, um sich gegenseitig mit umfangreichen und von verschiedenen Unternehmen und Behörden erbeuteten Datensätzen zu beschenken. --------------------------------------------- https://www.golem.de/news/leaksmas-auch-cyberkriminelle-haben-sich-zu-weihn… ∗∗∗ Google-Konten in Gefahr: Exploit erlaubt böswilligen Zugriff trotz Passwort-Reset ∗∗∗ --------------------------------------------- Durch eine Schwachstelle in einem OAuth-Endpunkt können sich Cyberkriminelle dauerhaft Zugriff auf das Google-Konto einer Zielperson verschaffen. [..] Eine offizielle Stellungnahme zum Missbrauch des Multilogin-Endpunkts gibt es seitens Google wohl noch nicht. Dass dem Unternehmen das Problem bekannt ist, ist angesichts der Abhilfemaßnahmen aber anzunehmen. --------------------------------------------- https://www.golem.de/news/google-konten-in-gefahr-exploit-erlaubt-boeswilli… ∗∗∗ Interesting large and small malspam attachments from 2023, (Wed, Jan 3rd) ∗∗∗ --------------------------------------------- At the end of a year, or at the beginning of a new one, I like to go over all malicious attachments that were caught in my e-mail trap over the last 12 months, since this can provide a good overview of long-term malspam trends and may sometimes lead to other interesting discoveries. --------------------------------------------- https://isc.sans.edu/diary/rss/30524 ∗∗∗ Don’t trust links with known domains: BMW affected by redirect vulnerability ∗∗∗ --------------------------------------------- Cybernews researchers have discovered two BMW subdomains that were vulnerable to SAP redirect vulnerability. They were used to access the internal workplace systems for BMW dealers and could have been useful to attackers for spear-phishing campaigns or malware distribution. [..] Cybernews researchers immediately disclosed the vulnerability to BMW, and it was promptly fixed. --------------------------------------------- https://securityaffairs.com/156843/reports/bmw-affected-by-redirect-vulnera… ∗∗∗ How to Stop a DDoS Attack in 5 Steps ∗∗∗ --------------------------------------------- In this post, we’ll cover some essential fundamentals on how to stop a DDoS attack and prevent them from happening in the future. --------------------------------------------- https://blog.sucuri.net/2024/01/how-to-stop-a-ddos-attack.html ∗∗∗ Nehmen Sie keine unerwarteten Nachnahme-Sendungen an! ∗∗∗ --------------------------------------------- Aktuell erreichen uns gehäuft Meldungen zu unerwarteten Paketzustellungen, welche bei der Annahme per Nachnahme zu bezahlen sind. Nach einer Übernahme stellt sich häufig heraus, dass der Inhalt wertlos ist, beziehungsweise die Ware nie bestellt wurde. Achtung: Nehmen Sie Nachnahmesendungen nur an, wenn Sie ein entsprechendes Paket erwarten und den Absender kennen. Eine Rückerstattung über die Post ist im Problemfall nämlich nicht mehr möglich! --------------------------------------------- https://www.watchlist-internet.at/news/nehmen-sie-keine-unerwarteten-nachna… ∗∗∗ Decoding ethical hacking: A comprehensive exploration of white hat practices ∗∗∗ --------------------------------------------- In summation, ethical hacking emerges as a linchpin in fortifying cybersecurity defenses. Adopting a proactive approach, ethical hackers play a pivotal role in identifying vulnerabilities, assessing risks, and ensuring that organizations exhibit resilience in the face of evolving cyber threats. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/decoding-ethical-ha… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (slurm), Oracle (kernel and postgresql:15), Red Hat (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), SUSE (polkit, postfix, putty, w3m, and webkit2gtk3), and Ubuntu (nodejs). --------------------------------------------- https://lwn.net/Articles/956694/ ∗∗∗ WordPress MyCalendar Plugin — Unauthenticated SQL Injection(CVE-2023–6360) ∗∗∗ --------------------------------------------- WordPress Core is the most popular web Content Management System (CMS). This free and open-source CMS written in PHP allows developers to develop web applications quickly by allowing customization through plugins and themes. In this article, we will analyze an unauthenticated sql injection vulnerability found in the MyCalendar plugin. --------------------------------------------- https://medium.com/tenable-techblog/wordpress-mycalendar-plugin-unauthentic… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.01.2024
by Daily end-of-shift report 02 Jan '24

02 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-12-2023 18:00 − Dienstag 02-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK ∗∗∗ --------------------------------------------- The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information. --------------------------------------------- https://thehackernews.com/2023/12/cert-ua-uncovers-new-malware-wave.html ∗∗∗ Neue Lücke in altem E-Mail-Protokoll: SMTP smuggling ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine Schwäche im Simple Mail Transfer Protocol (SMTP) entdeckt. Sie hebt das Fälschen des Absenders auf ein neues Niveau. --------------------------------------------- https://www.heise.de/-9584467 ∗∗∗ Ransomware: Fehler in Black-Basta-Programmierung ermöglicht Entschlüsselungstool ∗∗∗ --------------------------------------------- Unter bestimmten Bedingungen kann das kostenlose Entschlüsselungstool Black Basta Buster Opfern des Erpressungstrojaners Black Basta helfen. --------------------------------------------- https://www.heise.de/-9584846 ∗∗∗ New DLL Search Order Hijacking Technique Targets WinSxS Folder ∗∗∗ --------------------------------------------- Attackers can abuse a new DLL search order hijacking technique to execute code in applications within the WinSxS folder. --------------------------------------------- https://www.securityweek.com/new-dll-search-order-hijacking-technique-targe… ∗∗∗ Domain (in)security: the state of DMARC ∗∗∗ --------------------------------------------- This blog discusses the state of DMARC, the role that DMARC plays in email authentication, and why it should be a key component of your email security solution. --------------------------------------------- https://www.bitsight.com/blog/domain-insecurity-state-dmarc ===================== = Vulnerabilities = ===================== ∗∗∗ Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise ∗∗∗ --------------------------------------------- In this post I describe the 18 vulnerabilities that I discovered in PandoraFMS Enterprise v7.0NG.767 available at https://pandorafms.com. PandoraFMS is an enterprise scale network monitoring and management application which provides systems administrators with a central ‘hub’ to monitor and manipulate the state of computers (agents) deployed across the network. --------------------------------------------- https://research.nccgroup.com/2024/01/02/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, asterisk, cjson, firefox-esr, kernel, libde265, libreoffice, libspreadsheet-parseexcel-perl, php-guzzlehttp-psr7, thunderbird, tinyxml, and xerces-c), Fedora (podman-tui, proftpd, python-asyncssh, squid, and xerces-c), Mageia (libssh and proftpd), and SUSE (deepin-compressor, gnutls, gstreamer, libreoffice, opera, proftpd, and python-pip). --------------------------------------------- https://lwn.net/Articles/956521/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Gentoo (Joblib), Red Hat (firefox and thunderbird), SUSE (gstreamer-plugins-bad, libssh2_org, and webkit2gtk3), and Ubuntu (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/956568/ ∗∗∗ Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7103673 ∗∗∗ Multiple vulnerabilities affect IBM Storage Scale Hadoop Connector ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104389 ∗∗∗ IBM Maximo Application Suite uses axios-0.25.0.tgz which is vulnerable to CVE-2023-45857 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104391 ∗∗∗ IBM Maximo Application Suite uses WebSphere Liberty which is vulnerable to CVE-2023-46158, CVE-2023-44483 and CVE-2023-44487 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104390 ∗∗∗ Vulnerabilities in Apache Ant affect IBM Operations Analytics - Log Analysis (CVE-2020-11023, CVE-2020-23064, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104401 ∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7037900 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.12.2023
by Daily end-of-shift report 29 Dec '23

29 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-12-2023 18:00 − Freitag 29-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts ∗∗∗ --------------------------------------------- Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named "MultiLogin" to restore expired authentication cookies and log into users accounts, even if an accounts password was reset. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-abuses-google-oauth-… ∗∗∗ Steam game mod breached to push password-stealing malware ∗∗∗ --------------------------------------------- Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/steam-game-mod-breached-to-p… ∗∗∗ Security: Wie man mit Ransomware-Hackern verhandelt ∗∗∗ --------------------------------------------- Wer Opfer einer Ransomware-Attacke wird, kommt an Verhandlungen mit den Kriminellen manchmal nicht vorbei. Dabei gibt es einige Regeln zu beachten. Ein Bericht von Friedhelm Greis --------------------------------------------- https://www.golem.de/news/security-wie-man-mit-ransomware-hackern-verhandel… ∗∗∗ New Version of Meduza Stealer Released in Dark Web ∗∗∗ --------------------------------------------- On Christmas Eve, Resecurity’s HUNTER unit spotted the author of perspective password stealer Meduza has released a new version (2.2). One of the key significant improvements are support of more software clients [...] --------------------------------------------- https://securityaffairs.com/156598/malware/meduza-stealer-released-dark-web… ∗∗∗ Clash of Clans gamers at risk while using third-party app ∗∗∗ --------------------------------------------- An exposed database and secrets on a third-party app puts Clash of Clans players at risk of attacks from threat actors. The Cybernews research team has discovered that the Clash Base Designer Easy Copy app exposed its Firebase database and user-sensitive information. With 100,000 downloads on the Google Play store, [...] --------------------------------------------- https://securityaffairs.com/156617/security/clash-of-clans-gamers-at-risk.h… ∗∗∗ The Worst Hacks of 2023 ∗∗∗ --------------------------------------------- It was a year of devastating cyberattacks around the globe, from ransomware attacks on casinos to state-sponsored breaches of critical infrastructure. --------------------------------------------- https://www.wired.com/story/worst-hacks-2023/ ∗∗∗ From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence ∗∗∗ --------------------------------------------- >From October-December, the activities of DarkGate, Pikabot, IcedID and more were seen and shared with the broader community via social media [...] --------------------------------------------- https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/ ∗∗∗ Windows: CVE-2021-43890 ausnutzbar: App-Installer-Protokoll deaktiviert; Storm-1152 ausgeschaltet ∗∗∗ --------------------------------------------- Ich packe zum Jahresende noch einige "Gruselgeschichten" rund um das Thema "Sicherheit in Microsoft-Produkten" zusammen. So hat Microsoft den MSXI-App-Installer-Protokoll deaktiviert, weil dieses von Malware-Gruppen missbraucht wurde. Dann gab es die Schwachstelle CVE-2021-43890, die längst gefixt zu sein schien, jetzt [...] --------------------------------------------- https://www.borncity.com/blog/2023/12/29/microsoft-sicherheitssplitter-cve-… ∗∗∗ Velociraptor 0.7.1 Release: Sigma Support, ETW Multiplexing, Local Encrypted Storage and New VQL Capabilities Highlight the Last Release of 2023 ∗∗∗ --------------------------------------------- Rapid7 is excited to announce that version 0.7.1 of Velociraptor is live and available for download. There are several new features and capabilities that add to the power and efficiency of this open-source digital forensic and incident response (DFIR) platform. --------------------------------------------- https://www.rapid7.com/blog/post/2023/12/29/velociraptor-0-7-1-release-sigm… ===================== = Vulnerabilities = ===================== ∗∗∗ Apache OpenOffice 4.1.15 Release Notes ∗∗∗ --------------------------------------------- CVE-2012-5639: Loading internal / external resources without warning, CVE-2022-43680: "Use after free" fixed in libexpat, CVE-2023-1183: Arbitrary file write in Apache OpenOffice Base, CVE-2023-47804: Macro URL arbitrary script execution --------------------------------------------- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.15+Release+Not… ∗∗∗ CVE-2019-3773 Spring Web Services Vulnerability in NetApp Products ∗∗∗ --------------------------------------------- Multiple NetApp products incorporate Spring Web Services. Spring Web Services 2.4.3, 3.0.4, and older unsupported versions are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). [...] CVE-2019-3773 9.8 (CRITICAL) --------------------------------------------- https://security.netapp.com/advisory/ntap-20231227-0011/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.12.2023
by Daily end-of-shift report 28 Dec '23

28 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-12-2023 18:00 − Donnerstag 28-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Lockbit ransomware disrupts emergency care at German hospitals ∗∗∗ --------------------------------------------- German hospital network Katholische Hospitalvereinigung Ostwestfalen (KHO) has confirmed that recent service disruptions were caused by a Lockbit ransomware attack where the threat actors gained access to IT systems and encrypted devices on the network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupts-… ∗∗∗ Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary], (Wed, Dec 27th) ∗∗∗ --------------------------------------------- In this post, I dig into my instance of the DShield honeypot to see what attack vectors malicious actors are trying to exploit. What I found were several attempts to upload the Mirai family of malware. --------------------------------------------- https://isc.sans.edu/diary/rss/30514 ∗∗∗ Operation Triangulation: "Raffiniertester Exploit aller Zeiten" auf iPhones ∗∗∗ --------------------------------------------- Im Sommer wurde bekannt, dass iPhones der russischen Sicherheitsfirma Kaspersky per hoch entwickeltem Exploit übernommen wurden. Auf dem 37C3 gab es Details. --------------------------------------------- https://www.heise.de/-9583427 ∗∗∗ Neuer iPhone-Diebstahlschutz: "Wichtige Orte" als Sicherheitsloch ∗∗∗ --------------------------------------------- Apple will bald die Account-Ausplünderung nach iPhone-Diebstählen erschweren. Ein Sicherheitsfeature bietet allerdings eine Umgehungsmöglichkeit. --------------------------------------------- https://www.heise.de/-9582753 ∗∗∗ Jahresrückblick: Diese Themen beschäftigten uns 2023! ∗∗∗ --------------------------------------------- 2023 geht für die Watchlist Internet erfolgreich zu Ende: Mit rund 3,2 Millionen Besucher:innen konnten wir auch heuer wieder zahlreiche Menschen vor Internetbetrug warnen. Monatlich erreichten uns dabei rund 1.000 Meldungen, die wir 2023 in rund 200 Warnartikel und durch die Veröffentlichung von über 12.000 Domains auf unseren Warnlisten verarbeitet haben. Danke an unsere Leser:innen, die diesen Erfolg ermöglichen. --------------------------------------------- https://www.watchlist-internet.at/news/jahresrueckblick-diese-themen-bescha… ∗∗∗ How to report Gmail messages as spam to improve your life and make you a hero ∗∗∗ --------------------------------------------- The act of marking and reporting an email as spam in Gmail has an important side effect that makes it totally worth a few seconds of your day. --------------------------------------------- https://www.zdnet.com/article/how-to-report-gmail-messages-as-spam-to-impro… ∗∗∗ Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed ∗∗∗ --------------------------------------------- While the Kimsuky group typically uses spear phishing attacks for initial access, most of their recent attacks involve the use of shortcut-type malware in LNK file format. Although LNK malware comprise a large part of recent attacks, cases using JavaScripts or malicious documents are continuing to be detected. --------------------------------------------- https://asec.ahnlab.com/en/60054/ ∗∗∗ Cyber Toufan goes Oprah mode, with free Linux system wipes of over 100 organisations ∗∗∗ --------------------------------------------- For the past 6 or so weeks, I’ve been tracking Cyber Toufan on Telegram. They appeared in November, and they’ve been very busy and very naughty boys. They actually set up their infrastructure around October, and started owning things apparently undetected. They’re not a lame DDoS pretend hacktivist group like NoName016 — instead, they claim to be Palestinian state cyber warriors. --------------------------------------------- https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-syste… ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper: 2023-12 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF03. Severity Assessment (CVSS) Score 9.8 --------------------------------------------- https://supportportal.juniper.net/s/article/2023-12-Security-Bulletin-JSA-S… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy, libssh, and nodejs), Fedora (filezilla and minizip-ng), Gentoo (Git, libssh, and OpenSSH), and SUSE (gstreamer, postfix, webkit2gtk3, and zabbix). --------------------------------------------- https://lwn.net/Articles/956257/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2023
by Daily end-of-shift report 27 Dec '23

27 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-12-2023 18:00 − Mittwoch 27-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Operation Triangulation: The last (hardware) mystery ∗∗∗ --------------------------------------------- Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs. --------------------------------------------- https://securelist.com/operation-triangulation-the-last-hardware-mystery/11… ∗∗∗ Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices ∗∗∗ --------------------------------------------- McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#. Dubbed Android/Xamalicious it tries to gain accessibility privileges with social engineering and then it communicates with the command-and-control server to evaluate whether or not to download a second-stage payload that’s dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps among other actions financially motivated without user consent. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-andro… ∗∗∗ Gefährliche VPN-Extension für Chrome ist millionenfach installiert ∗∗∗ --------------------------------------------- Rund 1,5 Millionen Rechner sind mit Malware infiziert, die sich in den Browsern als VPN-Erweiterung einnistet. [..] Auf den Computern landet die Software über unrechtmäßig kopierte Spiele wie Grand Theft Auto, Assassins Creed und The Sims 4, die von Torrent-Seiten heruntergeladen wurden. --------------------------------------------- https://futurezone.at/digital-life/vpn-extension-chrome-gefaehrlich-million… ∗∗∗ Python Keylogger Using Mailtrap.io, (Sat, Dec 23rd) ∗∗∗ --------------------------------------------- I found another Python keylogger... This is pretty common because Python has plenty of modules to implement this technique in a few lines of code [..} But, in this case, the attacker used another popular online service: mailtrap.io. --------------------------------------------- https://isc.sans.edu/diary/rss/30512 ∗∗∗ New Guide: Broken Access Control ∗∗∗ --------------------------------------------- We are excited to announce the release of our new guide What is Broken Access Control. This handy resource helps you grasp the ins-and-outs of BACs, their potential risks and operation, enabling you to effectively secure your website against unauthorized access and breaches. --------------------------------------------- https://blog.sucuri.net/2023/12/new-guide-broken-access-control.html ∗∗∗ Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft ∗∗∗ --------------------------------------------- Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information. The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri. --------------------------------------------- https://thehackernews.com/2023/12/rogue-wordpress-plugin-exposes-e.html ∗∗∗ Tesla: Forscher der TU Berlin verschaffen sich Zugriff auf Autopilot-Hardware ∗∗∗ --------------------------------------------- Mit Hilfe eines kurzen Spannungsabfalls konnten sich drei Doktoranden der TU Berlin Zugriff auf die Platine verschaffen, auf der Teslas Autopilot arbeitet. --------------------------------------------- https://www.heise.de/-9583095 ∗∗∗ Dual Privilege Escalation Chain: Exploiting Monitoring and Service Mesh Configurations and Privileges in GKE to Gain Unauthorized Access in Kubernetes ∗∗∗ --------------------------------------------- This article examines two specific issues in Google Kubernetes Engine (GKE). While each issue might not result in significant damage on its own, when combined they create an opportunity for an attacker who already has access to a Kubernetes cluster to escalate their privileges. This article serves as a crucial resource for Kubernetes users and administrators, offering insights on safeguarding their clusters from potential attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/google-kubernetes-engine-privilege-esca… ∗∗∗ Analysis of Attacks That Install Scanners on Linux SSH Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) analyzes attack campaigns against poorly managed Linux SSH servers and shares the results on the ASEC Blog. --------------------------------------------- https://asec.ahnlab.com/en/59972/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack ∗∗∗ --------------------------------------------- A new zero-day security flaw has been discovered in the Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month. --------------------------------------------- https://thehackernews.com/2023/12/critical-zero-day-in-apache-ofbiz-erp.html ∗∗∗ Kritische Sicherheitslücke in Perl-Bibliothek: Schwachstelle bereits ausgenutzt ∗∗∗ --------------------------------------------- In einer Perl-Bibliothek zum Parsen von Excel-Dateien haben Sicherheitsforscher eine kritische Schwachstelle entdeckt, die Angreifer bereits ausgenutzt haben. [..] Die MITRE hat der Schwachstelle den Eintrag CVE-2023-7101 vergeben. Der Proof of Concept ist von März 2023. Ein Sicherheitspatch ist derzeit noch nicht verfügbar. --------------------------------------------- https://www.heise.de/-9583179 ∗∗∗ Barracuda ESG-Schwachstelle CVE-2023-7102 (Dez. 2023) ∗∗∗ --------------------------------------------- Barracuda hat bei einer laufenden Untersuchung festgestellt, dass ein Bedrohungsakteur die Schwachstelle Schwachstelle CVE-2023-7102 in der Barracuda Email Security Gateway Appliance (ESG) ausnutzt. Die Verwendung einer Bibliothek eines Drittanbieters führte zu dieser Schwachstelle, die die Barracuda ESG Appliance von 5.1.3.001 bis 9.2.1.001 betraf. Barracuda hat zum 21. Dezember 2023 ein Sicherheitsupdate für alle aktiven ESGs bereitgestellt, um die ACE-Schwachstelle zu beheben. --------------------------------------------- https://www.borncity.com/blog/2023/12/27/barracuda-esg-schwachstelle-cve-20… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, openssh, osslsigncode, and putty), Fedora (chromium, filezilla, libfilezilla, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, opensc, thunderbird, unrealircd, and xorg-x11-server-Xwayland), Gentoo (Ceph, FFmpeg, Flatpak, Gitea, and SABnzbd), Mageia (chromium-browser-stable), Slackware (kernel and postfix), and SUSE (cppcheck, distribution, gstreamer-plugins-bad, jbigkit, and ppp). --------------------------------------------- https://lwn.net/Articles/956156/ ∗∗∗ Autodesk: Multiple Vulnerabilities in Autodesk InfoWorks software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0024 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.12.2023
by Daily end-of-shift report 22 Dec '23

22 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-12-2023 18:00 − Freitag 22-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft: Hackers target defense firms with new FalseFont malware ∗∗∗ --------------------------------------------- Microsoft says the APT33 Iranian cyber-espionage group is using recently discovered FalseFont backdoor malware to attack defense contractors worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-def… ∗∗∗ Europol warns 443 online shops infected with credit card stealers ∗∗∗ --------------------------------------------- Europol has notified over 400 websites that their online shops have been hacked with malicious scripts that steal debit and credit cards from customers making purchases. --------------------------------------------- https://www.bleepingcomputer.com/news/security/europol-warns-443-online-sho… ∗∗∗ Have your data and hide it too: An introduction to differential privacy ∗∗∗ --------------------------------------------- Providing software and web services that deliver value for users often requires measuring user behavior. In this blog we discuss emerging cryptographic and statistical techniques that enable collecting such measurements without violating user privacy --------------------------------------------- https://blog.cloudflare.com/have-your-data-and-hide-it-too-an-introduction-… ∗∗∗ Experts Detail Multi-Million Dollar Licensing Model of Predator Spyware ∗∗∗ --------------------------------------------- A new analysis of the sophisticated commercial spyware called Predator has revealed that its ability to persist between reboots is offered as an "add-on feature" and that it depends on the licensing options opted by a customer. --------------------------------------------- https://thehackernews.com/2023/12/multi-million-dollar-predator-spyware.html ∗∗∗ Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware ∗∗∗ --------------------------------------------- A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language. "Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers unfamiliarity can hamper their investigation," [...] --------------------------------------------- https://thehackernews.com/2023/12/decoy-microsoft-word-documents-used-to.ht… ∗∗∗ Cyber sleuths reveal how they infiltrate the biggest ransomware gangs ∗∗∗ --------------------------------------------- How do you break into the bad guys ranks? Master the lingo and research, research, research --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/12/22/how_to_infil… ∗∗∗ Malicious GPT Can Phish Credentials, Exfiltrate Them to External Server: Researcher ∗∗∗ --------------------------------------------- A researcher has shown how malicious actors can create custom GPTs that can phish for credentials and exfiltrate them to external servers. --------------------------------------------- https://www.securityweek.com/malicious-gpt-can-phish-credentials-exfiltrate… ∗∗∗ CISA Releases Microsoft 365 Secure Configuration Baselines and SCuBAGear Tool ∗∗∗ --------------------------------------------- CISA has published the finalized Microsoft 365 Secure Configuration Baselines, designed to bolster the security and resilience of organizations’ Microsoft 365 (M365) cloud services. This guidance release is accompanied by the updated SCuBAGear tool that assesses organizations’ M365 cloud services per CISA’s recommended baselines. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/21/cisa-releases-microsoft-… ∗∗∗ Python Packages Leverage GitHub to Deploy Fileless Malware ∗∗∗ --------------------------------------------- In early December, a number of malicious Python packages captured our attention, not just because of their malicious nature, but for the cleverness of their deployment strategy. --------------------------------------------- https://checkmarx.com/blog/python-packages-leverage-github-to-deploy-filele… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI Security Advisories ∗∗∗ --------------------------------------------- BlueZ, Kofax Power PDF --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez, chromium, gst-plugins-bad1.0, openssh, and thunderbird), Fedora (chromium, firefox, kernel, libssh, nss, opensc, and thunderbird), Gentoo (Arduino, Exiv2, LibRaw, libssh, NASM, and QtWebEngine), Mageia (gstreamer), and SUSE (gnutls, gstreamer-plugins-bad, libcryptopp, libqt5-qtbase, ppp, tinyxml, xorg-x11-server, and zbar). --------------------------------------------- https://lwn.net/Articles/956012/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.12.2023
by Daily end-of-shift report 21 Dec '23

21 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-12-2023 18:00 − Donnerstag 21-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New phishing attack steals your Instagram backup codes to bypass 2FA ∗∗∗ --------------------------------------------- A new phishing campaign pretending to be a copyright infringement email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-attack-steals-y… ∗∗∗ Fake F5 BIG-IP zero-day warning emails push data wipers ∗∗∗ --------------------------------------------- The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-f5-big-ip-zero-day-warn… ∗∗∗ Android malware Chameleon disables Fingerprint Unlock to steal PINs ∗∗∗ --------------------------------------------- The Chameleon Android banking trojan has re-emerged with a new version that uses a tricky technique to take over devices — disable fingerprint and face unlock to steal device PINs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-chameleon-di… ∗∗∗ Windows CLFS and five exploits used by ransomware operators ∗∗∗ --------------------------------------------- We had never seen so many CLFS driver exploits being used in active attacks before, and then suddenly there are so many of them captured in just one year. Is there something wrong with the CLFS driver? Are all these vulnerabilities similar? These questions encouraged me to take a closer look at the CLFS driver and its vulnerabilities. --------------------------------------------- https://securelist.com/windows-clfs-exploits-ransomware/111560/ ∗∗∗ Increase in Exploit Attempts for Atlassian Confluence Server (CVE-2023-22518), (Wed, Dec 20th) ∗∗∗ --------------------------------------------- Attacks for the vulnerability started early in November, shortly after the vulnerability was announced. At the time, the attacks were more targeted to specific hosts. Now we are seeing more widespread scans typical for attackers trying to "clean up" instances earlier attacks may have missed. --------------------------------------------- https://isc.sans.edu/diary/rss/30502 ∗∗∗ Weaponizing DHCP DNS Spoofing — A Hands-On Guide ∗∗∗ --------------------------------------------- In this second blog post, we aim to elaborate on some of the technical details that are required to exploit this attack surface. We will detail the methods used to collect all the necessary information to conduct the attacks, describe some attack limitations, and explore how we can spoof multiple DNS records by abusing an interesting DHCP server behavior. --------------------------------------------- https://www.akamai.com/blog/security-research/weaponizing-dhcp-dns-spoofing… ∗∗∗ Kritische Lücken in Mobile-Device-Management-Lösung Ivanti Avalanche geschlossen ∗∗∗ --------------------------------------------- Angreifer können Ivanti Avalanche mit Schadcode attackieren. Eine reparierte Version steht zum Download bereit. --------------------------------------------- https://www.heise.de/-9580221 ∗∗∗ BSI veröffentlicht Studie zu Implementierungsangriffen auf QKD-Systeme ∗∗∗ --------------------------------------------- Das BSI hat eine wissenschaftliche Studie über Implementierungsangriffe auf Quantum Key Distribution (QKD)-Systeme veröffentlicht. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Spoofing: Spätestens im Herbst 2024 soll mit dem Betrug Schluss sein ∗∗∗ --------------------------------------------- Alle österreichischen Telefonnummern erhalten ein "Mascherl", das sie als echt ausweist. Provider haben bis 1. September Zeit, die neue Verordnung umzusetzen. --------------------------------------------- https://www.derstandard.at/story/3000000200615/spoofing-spaetestens-im-herb… ∗∗∗ security.txt: A Simple File with Big Value ∗∗∗ --------------------------------------------- Our team at CISA often receives questions about why creation of a “security.txt” file was included as one of the priority Cybersecurity Performance Goals (CPGs). Why is it so important? Well, it’s such a simple concept, but it provides great value to all of those involved in vulnerability management and disclosure. --------------------------------------------- https://www.cisa.gov/news-events/news/securitytxt-simple-file-big-value ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI Security Advisories ∗∗∗ --------------------------------------------- Voltronic Power ViewPower, Hancom Office, Honeywell Saia PG5 Controls Suite --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Google Chrome: Update schließt bereits angegriffene Zero-Day-Lücke ∗∗∗ --------------------------------------------- Googles Entwickler haben ein Update für Chrome veröffentlicht, das eine bereits angegriffene Sicherheitslücke abdichtet. --------------------------------------------- https://www.heise.de/-9580061 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (December 11, 2023 to December 17, 2023) ∗∗∗ --------------------------------------------- Last week, there were 16 vulnerabilities disclosed in 16 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 7 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/12/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (kernel), Mageia (bluez), Oracle (fence-agents, gstreamer1-plugins-bad-free, opensc, openssl, postgresql:10, and postgresql:12), Red Hat (postgresql:15 and tigervnc), Slackware (proftpd), and SUSE (docker, rootlesskit, firefox, go1.20-openssl, go1.21-openssl, gstreamer-plugins-bad, libreoffice, libssh2_org, poppler, putty, rabbitmq-server, wireshark, xen, xorg-x11-server, and xwayland). --------------------------------------------- https://lwn.net/Articles/955914/ ∗∗∗ ESET Patches High-Severity Vulnerability in Secure Traffic Scanning Feature ∗∗∗ --------------------------------------------- ESET has patched CVE-2023-5594, a high-severity vulnerability that can cause a browser to trust websites that should not be trusted. --------------------------------------------- https://www.securityweek.com/eset-patches-high-severity-vulnerability-in-se… ∗∗∗ Drupal: Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-055 ∗∗∗ Foxit: Security Advisories for Foxit PDF Reader ∗∗∗ --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ NETGEAR: Security Advisory for Stored Cross Site Scripting on the NMS300, PSV-2023-0106 ∗∗∗ --------------------------------------------- https://kb.netgear.com/000065901/Security-Advisory-for-Stored-Cross-Site-Sc… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/21/cisa-adds-two-known-expl… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2023
by Daily end-of-shift report 20 Dec '23

20 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-12-2023 18:00 − Mittwoch 20-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Datenleckseite beschlagnahmt: Das FBI und die ALPHV-Hacker spielen Katz und Maus ∗∗∗ --------------------------------------------- Das FBI hat die Datenleckseite der Ransomwaregruppe ALPHV beschlagnahmt. Die Hacker haben jedoch auch noch Zugriff darauf. Sie drohen nun mit neuen Regeln. --------------------------------------------- https://www.golem.de/news/datenleckseite-beschlagnahmt-das-fbi-und-die-alph… ∗∗∗ Remote Encryption Attacks Surge: How One Vulnerable Device Can Spell Disaster ∗∗∗ --------------------------------------------- Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns."Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," [...] --------------------------------------------- https://thehackernews.com/2023/12/remote-encryption-attacks-surge-how-one.h… ∗∗∗ Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla ∗∗∗ --------------------------------------------- First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office. --------------------------------------------- https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2… ∗∗∗ New MetaStealer malvertising campaigns ∗∗∗ --------------------------------------------- In recent malvertising campaigns, threat actors dropped the MetaStealer information stealer, more or less coinciding with a new version release. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metasteal… ∗∗∗ BSI und ANSSI veröffentlichen Publikation zu Remote Identity Proofing ∗∗∗ --------------------------------------------- Das BSI hat zusammen mit der französischen Behörde für IT-Sicherheit, ANSSI, eine gemeinsame Publikation veröffentlicht. Die diesjährige Veröffentlichung beschäftigt sich mit den Gefahren und möglichen Angriffsvektoren, die in den verschiedenen Phasen der videobasierten Identifikation entstehen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript Can Steal Your Secrets ∗∗∗ --------------------------------------------- Malicious JavaScript is used to steal PPI via survey sites, web chat APIs and more. We detail how JavaScript malware is implemented and evades detection. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-d… ∗∗∗ Behind the scenes: JaskaGO’s coordinated strike on macOS and Windows ∗∗∗ --------------------------------------------- In recent developments, a sophisticated malware stealer strain crafted in the Go programming language has been discovered by AT&T Alien Labs, posing a severe threat to both Windows and macOS operating systems. As of the time of publishing of this article, traditional antivirus solutions have low or even non-existent detection rates, making it a stealthy and formidable adversary. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/behind-the-scenes-jaskago… ∗∗∗ Spike in Atlassian Exploitation Attempts: Patching is Crucial ∗∗∗ --------------------------------------------- In the blog we discuss the importance of securing your Atlassian products, provide valuable insights on various IP activities, and offer friendly advice on proactive measures to protect your organization. --------------------------------------------- https://www.greynoise.io/blog/spike-in-atlassian-exploitation-attempts-patc… ∗∗∗ Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors ∗∗∗ --------------------------------------------- Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign presented to users in sponsored search engine results and social media posts, consistent with activity reported in From DarkGate to DanaBot. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the DANABOT and DARKGATE backdoors. --------------------------------------------- https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-b… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-1810: QEMU NVMe Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to disclose sensitive information on affected installations of QEMU. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.0. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1810/ ∗∗∗ ZDI-23-1813: Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1813/ ∗∗∗ Sitefinity Security Advisory for Addressing Security Vulnerability CVE-2023-6784, December 2023 ∗∗∗ --------------------------------------------- The Progress Sitefinity team recently discovered a MEDIUM CVSS vulnerability in the Sitefinity application available under # CVE-2023-6784. A fix has been developed and tested – and is now available for download. Below you can find information about the discoveries and version-specific product updates for supported versions. --------------------------------------------- https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-A… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ansible and ansible-core), Gentoo (Minecraft Server and thunderbird), Mageia (fusiondirectory), Red Hat (gstreamer1-plugins-bad-free, opensc, and openssl), Slackware (libssh and mozilla), SUSE (avahi, firefox, ghostscript, gstreamer-plugins-bad, mariadb, openssh, openssl-1_1-livepatches, python-aiohttp, python-cryptography, xorg-x11-server, and xwayland), and Ubuntu (libssh and openssh). --------------------------------------------- https://lwn.net/Articles/955786/ ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in Safari, iOS, iPadOS, and macOS Sonoma. A cyber threat actor could exploit one of these vulnerabilities to obtain sensitive information. CISA encourages users and administrators to review Apple security releases and apply necessary updates. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/20/apple-releases-security-… ∗∗∗ New Ivanti Avalanche Vulnerabilities ∗∗∗ --------------------------------------------- As part of our ongoing strengthening of the security of our products we have discovered twenty new vulnerabilities in the Ivanti Avalanche on-premise product. We are reporting these vulnerabilities as the CVE numbers listed below. These vulnerabilities impact all supported versions of the products – Avalanche versions 6.3.1 and above. Older versions/releases are also at risk. This release corrects multiple memory corruption vulnerabilities, covered in these security advisories: [...] --------------------------------------------- https://www.ivanti.com/blog/new-ivanti-avalanche-vulnerabilities ∗∗∗ Multiple vulnerabilites in D-Link G416 routers ∗∗∗ --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ K000137965 : Apache Tomcat vulnerability CVE-2023-45648 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137965 ∗∗∗ K000137966 : Apache Tomcat vulnerability CVE-2023-42794 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137966 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities. [CVE-2022-42889, CVE-2023-35001, CVE-2023-32233] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7095693 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7087688 ∗∗∗ IBM Maximo Application Suite - IoT Component uses Pygments-2.14.0-py3-none-any.whl which is vulnerable to CVE-2022-40896 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7099774 ∗∗∗ IBM Maximo Application Suite uses urllib3-1.26.16-py2.py3-none-any.whl which is vulnerable to CVE-2023-43804 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7099772 ∗∗∗ IBM Sterling B2B Integrator EBICs client affected by multiple issues due to Jettison ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7099862 ∗∗∗ IBM Security Guardium is affected by a guava-18.0.jar vulnerability (CVE-2023-2976) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7099896 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7100525 ∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-39975, CVE-2023-34042) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7100884 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.12.2023
by Daily end-of-shift report 19 Dec '23

19 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Montag 18-12-2023 18:00 − Dienstag 19-12-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Akute Welle an DDoS Angriffen auf staatsnahe und kritische Infrastruktur in Österreich ∗∗∗ --------------------------------------------- Seit Kurzem sehen sich österreichische staatliche/staatsnahe Organisationen sowie Unternehmen der kritischen Infrastruktur vermehrt mit DDoS Angriffen konfrontiert. Die genauen Hintergründe der Attacken sind uns zurzeit nicht bekannt, Hinweise für eine hacktivistische Motivation liegen jedoch vor. In Anbetracht der aktuellen Geschehnisse empfehlen wir Unternehmen und Organisationen, die eigenen Prozesse und technischen Maßnahmen nochmals auf ihre Wirksamkeit zu überprüfen, um im Fall eines Angriffes bestmöglich gewappnet zu sein. Dies gilt insbesondere, da eine Intensivierung der Angriffe nicht ausgeschlossen werden kann. --------------------------------------------- https://cert.at/de/aktuelles/2023/12/akute-welle-an-ddos-angriffen-auf-staa… ∗∗∗ Neue Angriffstechnik: Terrapin schwächt verschlüsselte SSH-Verbindungen ∗∗∗ --------------------------------------------- Ein Angriff kann wohl zur Verwendung weniger sicherer Authentifizierungsalgorithmen führen. Betroffen sind viele gängige SSH-Implementierungen. --------------------------------------------- https://www.golem.de/news/neue-angriffstechnik-terrapin-schwaecht-verschlue… ∗∗∗ FBI disrupts Blackcat ransomware operation, creates decryption tool ∗∗∗ --------------------------------------------- The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operations servers to monitor their activities and obtain decryption keys. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransom… ∗∗∗ 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware ∗∗∗ --------------------------------------------- The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers. --------------------------------------------- https://thehackernews.com/2023/12/8220-gang-exploiting-oracle-weblogic.html ∗∗∗ Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts ∗∗∗ --------------------------------------------- Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages. --------------------------------------------- https://thehackernews.com/2023/12/hackers-abusing-github-to-evade.html ∗∗∗ Mute the Sound: Chaining Vulnerabilities to Achieve RCE on Outlook: Pt 1 ∗∗∗ --------------------------------------------- In this post, we have detailed the research process that led to the discovery of the two bypasses, including their root-cause analysis. As we’ve shown, Windows path parsing code is complex and often can lead to vulnerabilities. [..] Windows machines with the October 2023 software update installed are protected from these vulnerabilities. Additionally, Outlook clients that use Exchange servers patched with March 2023 software update are protected against the abused feature. --------------------------------------------- https://www.akamai.com/blog/security-research/2023/dec/chaining-vulnerabili… ∗∗∗ Botnet: Qakbot wieder aktiv mit neuer Phishing-Kampagne ∗∗∗ --------------------------------------------- Im August haben internationale Strafverfolger das Quakbot-Botnetz außer Gefecht gesetzt. Jetzt hat Microsoft eine neue Phishing-Kampagne entdeckt. --------------------------------------------- https://www.heise.de/-9577963 ∗∗∗ Retro Gaming Vulnerability Research: Warcraft 2 ∗∗∗ --------------------------------------------- This blog post is part one in a short series on learning some basic game hacking techniques. [..] I leave it as an exercise to the reader to extend wc2shell further to add the first checksum byte and attempt to fuzz other traffic. --------------------------------------------- https://research.nccgroup.com/2023/12/19/retro-gaming-vulnerability-researc… ∗∗∗ Achtung Fake: „Ihr iCloud-Speicher ist voll. Erhalten Sie 50 GB KOSTENLOS !“ ∗∗∗ --------------------------------------------- Ihr iCloud-Speicher ist voll? Sie erhalten aber angeblich 50 GB kostenlos? Vorsicht, bei diesem E-Mail handelt es sich um Phishing. Tippen Sie nicht auf das Feld „Erhalten Sie 50 GB“. Sie würden auf einer gefälschten iCloud-Webseite landen, die Ihre Login-Daten stiehlt. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-ihr-icloud-speicher-ist… ∗∗∗ Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks ∗∗∗ --------------------------------------------- This post will cover the recent additional attacks that installed Ladon, NetCat, AnyDesk, and z0Miner. --------------------------------------------- https://asec.ahnlab.com/en/59904/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (rdiff-backup and xorg-x11-server-Xwayland), Mageia (cjose and ghostscript), Oracle (avahi), Red Hat (postgresql:10), and SUSE (avahi, freerdp, libsass, and ncurses). --------------------------------------------- https://lwn.net/Articles/955678/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ mozilla: Security Vulnerabilities fixed in Firefox 121 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/ ∗∗∗ mozilla: Security Vulnerabilities fixed in Thunderbird 115.6 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/ ∗∗∗ mozilla: Security Vulnerabilities fixed in Firefox ESR 115.6 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/ ∗∗∗ EFACEC UC 500E ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-03 ∗∗∗ Subnet Solutions Inc. PowerSYSTEM Center ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-01 ∗∗∗ Open Design Alliance Drawing SDK ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-04 ∗∗∗ EFACEC BCU 500 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02 ∗∗∗ EuroTel ETL3100 Radio Transmitter ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-05 ∗∗∗ F5: K000137926 : Apache Tomcat vulnerability CVE-2023-46589 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137926 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.12.2023
by Daily end-of-shift report 18 Dec '23

18 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-12-2023 18:00 − Montag 18-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zwei Monate nach Meldung: SQL-Injection-Schwachstelle in 3CX noch immer ungepatcht ∗∗∗ --------------------------------------------- Statt einen Patch bereitzustellen, fordert 3CX seine Kunden nun dazu auf, aus Sicherheitsgründen ihre SQL-Datenbank-Integrationen zu deaktivieren. --------------------------------------------- https://www.golem.de/news/zwei-monate-nach-meldung-sql-injection-schwachste… ∗∗∗ SMTP Smuggling - Spoofing E-Mails Worldwide ∗∗∗ --------------------------------------------- Introducing a novel technique for e-mail spoofing --------------------------------------------- https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwi… ∗∗∗ SLP Denial of Service Amplification - Attacks are ongoing and rising ∗∗∗ --------------------------------------------- We build on our previous work and look into how threat actors are abusing SLP to launch reflection/amplification DDoS attacks, their evolution, and what targets are they focused on at the moment. --------------------------------------------- https://www.bitsight.com/blog/slp-denial-service-amplification-attacks-are-… ∗∗∗ WordPress hosting service Kinsta targeted by Google phishing ads ∗∗∗ --------------------------------------------- WordPress hosting provider Kinsta is warning customers that Google ads have been observed promoting phishing sites to steal hosting credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-hosting-service-ki… ∗∗∗ Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds ∗∗∗ --------------------------------------------- Microsoft is warning of an uptick in malicious activity from an emerging threat cluster its tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season. --------------------------------------------- https://thehackernews.com/2023/12/microsoft-warns-of-storm-0539-rising.html ∗∗∗ PikaBot distributed via malicious search ads ∗∗∗ --------------------------------------------- PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distr… ∗∗∗ QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry ∗∗∗ --------------------------------------------- A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry. --------------------------------------------- https://thehackernews.com/2023/12/qakbot-malware-resurfaces-with-new.html ∗∗∗ iOS 17.2: Flipper Zero kann keine iPhones mehr crashen ∗∗∗ --------------------------------------------- Apple verhindert mit iOS 17.2 offenbar, dass iPhones mit einem Flipper-Zero-Bluetooth-Exploit ge-DoSt werden können. --------------------------------------------- https://www.heise.de/-9576526 ∗∗∗ Ransomware-Gruppen buhlen zunehmend um Medien-Aufmerksamkeit ∗∗∗ --------------------------------------------- Um sich von der Konkurrenz abzusetzen und die eigenen Leistungen gewürdigt zu wissen, suchen Ransomware-Gruppen zunehmend den direkten Kontakt zu Journalisten. --------------------------------------------- https://www.heise.de/-9576774 ∗∗∗ E-Mail vom Entschädigungsamt ist Fake ∗∗∗ --------------------------------------------- Kriminelle geben sich als „Entschädigungsamt“ aus und behaupten in einem E-Mail, dass Betrugsopfer mit einer Gesamtsumme von 3.500.000 Euro entschädigt werden. Antworten Sie nicht und schicken Sie keinesfalls persönliche Daten und Ausweiskopien. Sie werden erneut betrogen! --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-vom-entschaedigungsamt-ist-fa… ∗∗∗ Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains ∗∗∗ --------------------------------------------- Using machine learning to target stockpiled malicious domains, the results of our detection pipeline tool highlight campaigns from phishing to scams. --------------------------------------------- https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains/ ∗∗∗ An Example of RocketMQ Exploit Scanner, (Sat, Dec 16th) ∗∗∗ --------------------------------------------- A few months ago, RocketMQ, a real-time message queue platform, suffered of a nasty vulnerability referred as cve:2023-33246. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It has still today a very low VirusTotal detection score: 2/60 --------------------------------------------- https://isc.sans.edu/diary/rss/30492 ∗∗∗ CISA Urges Manufacturers to Eliminate Default Passwords After Recent ICS Attacks ∗∗∗ --------------------------------------------- CISA is advising device makers to stop relying on customers to change default passwords following attacks targeting water sector ICS. --------------------------------------------- https://www.securityweek.com/cisa-urges-manufacturers-to-eliminate-default-… ∗∗∗ CISA Releases Key Risk and Vulnerability Findings for Healthcare and Public Health Sector ∗∗∗ --------------------------------------------- Report provides recommended actions and mitigation strategies for HPH sector, critical infrastructure and software manufacturers --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-releases-key-risk-and-vulnerabil… ∗∗∗ #StopRansomware: Play Ransomware ∗∗∗ --------------------------------------------- These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a ===================== = Vulnerabilities = ===================== ∗∗∗ Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server ∗∗∗ --------------------------------------------- Four new unauthenticated remotely exploitable security vulnerabilities discovered in the popular source code management platform Perforce Helix Core Server have been remediated after being responsibly disclosed by Microsoft. Perforce Server customers are strongly urged to update to version 2023.1/2513900. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/12/15/patching-perforce-… ∗∗∗ ZDI-23-1799: Ivanti Avalanche Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Ivanti Avalanche. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-41726. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1799/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freeimage, ghostscript, intel-microcode, spip, and xorg-server), Fedora (chromium, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, PyDrive2, seamonkey, and vim), Gentoo (Leptonica), Mageia (audiofile, gimp, golang, and poppler), Oracle (buildah, containernetworking-plugins, gstreamer1-plugins-bad-free, kernel, kernel-container, libxml2, pixman, podman, postgresql, postgresql:15, runc, skopeo, tracker-miners, and webkit2gtk3), and SUSE (fish). --------------------------------------------- https://lwn.net/Articles/955566/ ∗∗∗ OpenSSH Security December 18, 2023 ∗∗∗ --------------------------------------------- penSSH 9.6 was released on 2023-12-18. It is available from the mirrors listed at https://www.openssh.com/. This release contains a number of security fixes, some small features and bugfixes. --------------------------------------------- https://www.openssh.com/security.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Nextcloud Security Advisories ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.12.2023
by Daily end-of-shift report 15 Dec '23

15 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-12-2023 18:00 − Freitag 15-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ten new Android banking trojans targeted 985 bank apps in 2023 ∗∗∗ --------------------------------------------- This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ten-new-android-banking-troj… ∗∗∗ Fake-Werbeanzeige auf Facebook & Instagram: „Verlorenes Gepäck für nur 1,95 €!“ ∗∗∗ --------------------------------------------- Im Namen des „Vienna International Airport“ schalten Kriminelle aktuell betrügerische Anzeigen und behaupten, dass verloren gegangene Koffer für knapp 2 Euro verkauft werden. --------------------------------------------- https://www.watchlist-internet.at/news/fake-werbeanzeige-auf-facebook-insta… ∗∗∗ OilRig’s persistent attacks using cloud service-powered downloaders ∗∗∗ --------------------------------------------- ESET researchers document a series of new OilRig downloaders, all relying on legitimate cloud service providers for C&C communications. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-c… ∗∗∗ New Hacker Group GambleForce Hacks Targets with Open Source Tools ∗∗∗ --------------------------------------------- Yet another day, yet another threat actor posing a danger to the cybersecurity of companies globally. --------------------------------------------- https://www.hackread.com/gambleforce-hacks-targets-open-source-tools/ ∗∗∗ Mining The Undiscovered Country With GreyNoise EAP Sensors: F5 BIG-IP Edition ∗∗∗ --------------------------------------------- Discover the fascinating story of a GreyNoise researcher who found that attackers were using his demonstration code for a vulnerability instead of the real exploit. Explore the implications of this situation and learn about the importance of using accurate and up-to-date exploits in the cybersecurity community. --------------------------------------------- https://www.greynoise.io/blog/mining-the-undiscovered-country-with-greynois… ∗∗∗ Opening a new front against DNS-based threats ∗∗∗ --------------------------------------------- There are multiple ways in which threat actors can leverage DNS to carry out attacks. We will provide a an introduction to DNS threat landscape.The post Opening a new front against DNS-based threats appeared first on Avast Threat Labs. --------------------------------------------- https://decoded.avast.io/threatintel/opening-a-new-front-against-dns-based-… ===================== = Vulnerabilities = ===================== ∗∗∗ Ubiquiti: Nutzer konnten auf fremde Sicherheitskameras zugreifen ∗∗∗ --------------------------------------------- Teilweise erhielten Anwender sogar Benachrichtigungen auf ihre Smartphones, in denen Bilder der fremden Kameras enthalten waren. --------------------------------------------- https://www.golem.de/news/ubiquiti-nutzer-konnten-auf-fremde-sicherheitskam… ∗∗∗ New Security Vulnerabilities Uncovered in pfSense Firewall Software - Patch Now ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances. --------------------------------------------- https://thehackernews.com/2023/12/new-security-vulnerabilities-uncovered.ht… ∗∗∗ Squid-Proxy: Denial of Service durch Endlosschleife ∗∗∗ --------------------------------------------- Schickt ein Angreifer einen präparierten HTTP-Header an den Proxy-Server, kann er ihn durch eine unkontrollierte Rekursion zum Stillstand bringen. --------------------------------------------- https://www.heise.de/news/Squid-Proxy-Denial-of-Service-durch-Endlosschleif… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez and haproxy), Fedora (curl, dotnet6.0, dotnet7.0, tigervnc, and xorg-x11-server), Red Hat (avahi and gstreamer1-plugins-bad-free), Slackware (bluez), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, cosign, curl, gstreamer-plugins-bad, haproxy, ImageMagick, kernel, kernel-firmware, libreoffice, tiff, [...] --------------------------------------------- https://lwn.net/Articles/955336/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Unitronics Vision Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-15 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.12.2023
by Daily end-of-shift report 14 Dec '23

14 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-12-2023 18:00 − Donnerstag 14-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Urteil des EuGH: Datenleck-Betroffene könnten doch Schadensersatz bekommen ∗∗∗ --------------------------------------------- Der Europäische Gerichtshof (EuGH) hat in einem neuen Urteil die Rechte der Betroffenen von Datenlecks gestärkt. Schon der Umstand, "dass eine betroffene Person infolge eines Verstoßes gegen die DSGVO befürchtet, dass ihre personenbezogenen Daten durch Dritte missbräuchlich verwendet werden könnten, kann einen 'immateriellen Schaden' darstellen", heißt es in dem Urteil, das am 14. Dezember 2023 veröffentlicht wurde. --------------------------------------------- https://www.golem.de/news/urteil-des-eugh-datenleck-betroffene-koennten-doc… ∗∗∗ Reverse, Reveal, Recover: Windows Defender Quarantine Forensics ∗∗∗ --------------------------------------------- Windows Defender (the antivirus shipped with standard installations of Windows) places malicious files into quarantine upon detection. Reverse engineering mpengine.dll resulted in finding previously undocumented metadata in the Windows Defender quarantine folder that can be used for digital forensics and incident response. Existing scripts that extract quarantined files do not process this metadata, even though it could be useful for analysis. Fox-IT’s open-source digital forensics and incident response framework Dissect can now recover this metadata, in addition to recovering quarantined files from the Windows Defender quarantine folder. --------------------------------------------- https://blog.fox-it.com/2023/12/14/reverse-reveal-recover-windows-defender-… ∗∗∗ Mobile Sicherheit. Handlungsempfehlungen und präventive Maßnahmen für die sichere Nutzung von mobilen Endgeräten, 2023 ∗∗∗ --------------------------------------------- Wie so oft stehen aber auch in diesem Bereich Komfort und Sicherheit in einem permanenten Spannungsverhältnis. Ein Mehr an Sicherheit für Ihr Gerät und Ihre Daten kann auf der anderen Seite bedeuten, dass einige durchaus praktische Funktionen nur mehr eingeschränkt oder gar nicht mehr zur Verfügung stehen. Letztlich liegt es an Ihnen, den für Sie bestmöglichen Kompromiss zwischen Funktion, Komfort, Sicherheit und Privatsphäre zu finden. Die vorliegende Broschüre möchte Ihnen dabei helfen. --------------------------------------------- https://www.nis.gv.at/dam/jcr:8165f553-2769-4553-91c8-4b117c752f56/mobile_s… ∗∗∗ Ransomware: AlphV meldet sich zurück, Aufruhr in der Szene ∗∗∗ --------------------------------------------- In der Ransomware-Szene rumort es: Gruppen versuchen, einander Mitglieder abspenstig zu machen, ein Geldwäscher geht ins Netz und Betrüger betrügen einander. --------------------------------------------- https://www.heise.de/-9574446 ∗∗∗ Amazon-Händler:innen wollen über Telegram-Gruppen Bewertungen kaufen? Machen Sie nicht mit! ∗∗∗ --------------------------------------------- Auf Telegram gibt es Kanäle, die gratis Amazon-Produkte versprechen. Die Idee dahinter: Sie suchen sich ein Produkt aus, bestellen es über Ihren privaten Amazon-Account, schreiben eine 5-Sterne-Bewertung und bekommen als Dankeschön das Geld über PayPal zurückerstattet. Mit dieser Masche kaufen sich Marketplace-Händler:innen Bewertungen, um besser gerankt zu werden – eine nicht legale Praktik. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-haendlerinnen-wollen-ueber-te… ∗∗∗ Protecting the enterprise from dark web password leaks ∗∗∗ --------------------------------------------- The trade in compromised passwords in dark web markets is particularly damaging. Cybercriminals often exploit password leaks to access sensitive data, commit fraud or launch further attacks. Let’s explore the various ways passwords are leaked to the dark web and discuss strategies for using dark web data to protect your organization. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/protecting-the-ente… ∗∗∗ Rhadamanthys v0.5.0 – a deep dive into the stealer’s components ∗∗∗ --------------------------------------------- In this article we do a deep dive into the functionality and cooperation between the modules. The first part of the article describes the loading chain that is used to retrieve the package with the stealer components. In the second part, we take a closer look at those components, their structure, abilities, and implementation. --------------------------------------------- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-t… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-1773: (0Day) Intel Driver & Support Assistant Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Intel Driver & Support Assistant. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1773/ ∗∗∗ Paloalto released 7 Security Advisories ∗∗∗ --------------------------------------------- PAN-OS: CVE-2023-6790, CVE-2023-6791, CVE-2023-6794, CVE-2023-6792, CVE-2023-6795, CVE-2023-6793, CVE-2023-6789 --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ Zoom behebt Sicherheitslücken unter Windows, Android und iOS ∗∗∗ --------------------------------------------- Durch ungenügende Zugriffskontrolle, Verschlüsselungsprobleme und Pfadmanipulation konnten Angreifer sich zusätzliche Rechte verschaffen. --------------------------------------------- https://www.heise.de/-9574367 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and rabbitmq-server), Fedora (chromium, kernel, perl-CryptX, and python-jupyter-server), Mageia (curl), Oracle (curl and postgresql), Red Hat (gstreamer1-plugins-bad-free, linux-firmware, postgresql, postgresql:10, and postgresql:15), Slackware (xorg), SUSE (catatonit, containerd, runc, container-suseconnect, gimp, kernel, openvswitch, poppler, python-cryptography, python-Twisted, python3-cryptography, qemu, squid, tiff, webkit2gtk3, xorg-x11-server, and xwayland), and Ubuntu (xorg-server and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/955130/ ∗∗∗ Dell Urges Customers to Patch Vulnerabilities in PowerProtect Products ∗∗∗ --------------------------------------------- Dell is informing PowerProtect DD product customers about 8 vulnerabilities, including many rated ‘high severity’, and urging them to install patches. --------------------------------------------- https://www.securityweek.com/dell-urges-customers-to-patch-vulnerabilities-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/12/wordfence-intelligence-weekly-wordpr… ∗∗∗ Cambium ePMP 5GHz Force 300-25 Radio ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-01 ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.0.0, 6.1.0, 6.1.1, and 6.2.0: SC-202312.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-44 ∗∗∗ Johnson Controls Kantech Gen1 ioSmart ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2023
by Daily end-of-shift report 13 Dec '23

13 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-12-2023 18:00 − Mittwoch 13-12-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ FakeSG campaign, Akira ransomware and AMOS macOS stealer ∗∗∗ --------------------------------------------- In this report, we share our latest crimeware findings: FakeSG malware distribution campaign delivering NetSupport RAT, new Conti-like Akira ransomware and AMOS stealer for macOS. --------------------------------------------- https://securelist.com/crimeware-report-fakesg-akira-amos/111483/ ∗∗∗ Willhaben: Lassen Sie sich nicht auf WhatsApp und Co locken! ∗∗∗ --------------------------------------------- Wenn Sie auf willhaben über Kleinanzeigen Ware verkaufen oder kaufen wollen, dann sind Sie am besten vor Betrug geschützt, wenn Sie einige einfach Tipps beachten. Insbesondere sollten Sie sich aber nicht über den willhaben-Chat auf externe Kanäle leiten lassen. --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-lassen-sie-sich-nicht-auf-… ∗∗∗ A pernicious potpourri of Python packages in PyPI ∗∗∗ --------------------------------------------- The past year has seen over 10,000 downloads of malicious packages hosted on the official Python package repository --------------------------------------------- https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python… ∗∗∗ Web shell on a SonicWall SMA ∗∗∗ --------------------------------------------- Truesec Cybersecurity Incident Response Team (CSIRT) found a compromised SonicWall Secure Mobile Access (SonicWall SMA) device on which a threat actor (TA) had deployed a web shell, a hiding mechanism, and a way to ensure persistence across firmware upgrades. --------------------------------------------- https://www.truesec.com/hub/blog/web-shell-on-a-sonicwall-sma ∗∗∗ A Day In The Life Of A GreyNoise Researcher: The Path To Understanding The Remote Code Execution Vulnerability Apache (CVE-2023-50164) in Apache Struts2 ∗∗∗ --------------------------------------------- This weakness enables attackers to remotely drop and call a web shell through a public interface. --------------------------------------------- https://www.greynoise.io/blog/a-day-in-the-life-of-a-greynoise-researcher-t… ∗∗∗ Responding to CitrixBleed (CVE-2023-4966): Key Takeaways from Affected Companies ∗∗∗ --------------------------------------------- This critical security flaw has had a significant impact across various industries in the United States, including credit unions and healthcare services, marking it as one of the most critical vulnerabilities of 2023. Its relatively straightforward buffer overflow exploitability has raised major concerns. --------------------------------------------- https://blog.morphisec.com/responding-to-citrixbleed ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft: OAuth apps used to automate BEC and cryptomining attacks ∗∗∗ --------------------------------------------- Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-oauth-apps-used-to… ∗∗∗ Final Patch Tuesday of 2023 goes out with a bang ∗∗∗ --------------------------------------------- Microsoft fixed 36 flaws. Adobe addressed 212. Apple, Google, Cisco, VMware and Atlassian joined the party Its the last Patch Tuesday of 2023, which calls for celebration – just as soon as you update Windows, Adobe, Google, Cisco, FortiGuard, SAP, VMware, Atlassian and Apple products, of course. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/12/13/december_202… ∗∗∗ Patchday Microsoft: Outlook kann sich an Schadcode-E-Mail verschlucken ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für Azure, Defender & Co. veröffentlicht. Bislang soll es keine Attacken geben. --------------------------------------------- https://www.heise.de/news/Patchday-Microsoft-Outlook-kann-sich-an-Schadcode… ∗∗∗ Patchday: Adobe schließt 185 Sicherheitslücken in Experience Manager ∗∗∗ --------------------------------------------- Angreifer können Systeme mit Anwendungen von Adobe ins Visier nehmen. Nun hat der Softwarehersteller Schwachstellen geschlossen. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-Adobe-schliesst-185-Sicherheitslue… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-security-support and xorg-server), Fedora (java-17-openjdk, libcmis, and libreoffice), Mageia (fish), Red Hat (buildah, containernetworking-plugins, curl, fence-agents, kernel, kpatch-patch, libxml2, pixman, podman, runc, skopeo, and tracker-miners), SUSE (kernel, SUSE Manager 4.3.10 Release Notes, and SUSE Manager Client Tools), and Ubuntu (gnome-control-center, linux-gcp, linux-kvm, linux-gkeop, linux-gkeop-5.15, linux-hwe-6.2, [...] --------------------------------------------- https://lwn.net/Articles/954921/ ∗∗∗ Mal wieder Apache Struts: CVE-2023-50164 ∗∗∗ --------------------------------------------- Wir haben in der Vergangenheit ernsthaft schlechte Erfahrungen mit Schwachstellen in der Apache Struts Library gemacht. Etwa mit CVE-2017-5638 oder CVE-2017-9805. Insbesondere komplexe Webseiten/Portal, oft von größeren Firmen, wurden öfters in Java entwickelt und waren für eine Massenexploitation anfällig. Daher haben wir die Veröffentlichung einer neuen Schwachstelle in Struts CVE-2023-50164 mit dem CVSS Score von 9.8 initial als besorgniserregend eingestuft. --------------------------------------------- https://cert.at/de/aktuelles/2023/12/mal-wieder-apache-struts-cve-2023-50164 ∗∗∗ Apache Struts Vulnerability Affecting Cisco Products: December 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Atos Unify Security Advisories ∗∗∗ --------------------------------------------- https://unify.com/en/support/security-advisories ∗∗∗ Fortiguard Security Advisories ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Nagios XI ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2023/12/13/technical-advisory-multiple-vulner… ∗∗∗ VMSA-2023-0027 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0027.html ∗∗∗ Command injection vulnerability in Bosch IP Cameras ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-638184-bt.html ∗∗∗ Denial of Service vulnerability in Bosch BT software products ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-092656-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.12.2023
by Daily end-of-shift report 12 Dec '23

12 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Montag 11-12-2023 18:00 − Dienstag 12-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Counter-Strike 2 HTML injection bug exposes players’ IP addresses ∗∗∗ --------------------------------------------- Valve has reportedly fixed an HTML injection flaw in CS2 that was heavily abused today to inject images into games and obtain other players IP addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/counter-strike-2-html-inject… ∗∗∗ New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam ∗∗∗ --------------------------------------------- A phishing campaign has been observed delivering an information stealer malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin said. --------------------------------------------- https://thehackernews.com/2023/12/new-mranon-stealer-targeting-german-it.ht… ∗∗∗ Intercepting MFA. Phishing and Adversary in The Middle attacks ∗∗∗ --------------------------------------------- In this post I’ll show you at a high level how attackers carry out such an attack. The main focus here is to understand what artefacts we look for when investigating these types of attacks in a DFIR capacity. I’ll also cover the steps you can take to increase your security to try and stop your team falling foul of them. --------------------------------------------- https://www.pentestpartners.com/security-blog/intercepting-mfa-phishing-and… ∗∗∗ MySQL 5.7 reached EOL. Upgrade to MySQL 8.x today ∗∗∗ --------------------------------------------- In October 2023, MySQL 5.7 reached its end of life. As such, it will no longer be supported and won’t receive security patches or bug fixes anymore. --------------------------------------------- https://mattermost.com/blog/mysql-5-7-reached-eol-upgrade-to-mysql-8-x-toda… ∗∗∗ CISA Releases SCuBA Google Workspace Secure Configuration Baselines for Public Comment ∗∗∗ --------------------------------------------- Today, CISA released the draft Secure Cloud Business Applications (SCuBA) Google Workspace (GWS) Secure Configuration Baselines and the associated assessment tool ScubaGoggles for public comment. The draft baselines offer minimum viable security configurations for nine GWS services: Groups for Business, Google Calendar, Google Common Controls, Google Classroom, Google Meet, Gmail, Google Chat, Google Drive and Docs, and Google Sites. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/12/cisa-releases-scuba-goog… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: SAP behandelt mehr als 15 Schwachstellen ∗∗∗ --------------------------------------------- Am Dezember-Patchday hat SAP 15 neue Sicherheitsmitteilungen herausgegeben. Sie thematisieren teils kritische Lücken. --------------------------------------------- https://www.heise.de/-9571722 ∗∗∗ WordPress Elementor: Halbgarer Sicherheitspatch gefährdete Millionen Websites ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die WordPress-Plug-ins Backup Migration und Elementor. --------------------------------------------- https://www.heise.de/-9571957 ∗∗∗ Sicherheitslücken: Apple-Patches auch für ältere Betriebssysteme – außer iOS 15 ∗∗∗ --------------------------------------------- Parallel zu iOS 17.2 und macOS 14.2 beseitigt der Hersteller auch manche Schwachstellen in früheren Versionen. Für ältere iPhones gibt es kein Update. --------------------------------------------- https://www.heise.de/news/-9572049 ∗∗∗ Xen Security Advisory CVE-2023-46837 / XSA-447 ∗∗∗ --------------------------------------------- A malicious guest may be able to read sensitive data from memory that previously belonged to another guest. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-447.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice and webkit2gtk), Fedora (java-1.8.0-openjdk and seamonkey), Oracle (apr, edk2, kernel, and squid:4), Red Hat (postgresql:12, tracker-miners, and webkit2gtk3), SUSE (curl, go1.20, go1.21, hplip, openvswitch, opera, squid, and xerces-c), and Ubuntu (binutils, ghostscript, libreoffice, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-xilinx-zynqmp, postfixadmin, python3.11, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/954706/ ∗∗∗ Beckhoff Security Advisory 2023-001: Open redirect in TwinCAT/BSD package “authelia-bhf” ∗∗∗ --------------------------------------------- https://download.beckhoff.com/download/document/product-security/Advisories… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Phoenix Contact: MULTIPROG Engineering tool and ProConOS eCLR SDK prone to CWE-732 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-051/ ∗∗∗ Phoenix Contact: ProConOS prone to Download of Code Without Integrity Check ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-054/ ∗∗∗ Phoenix Contact: Automation Worx and classic line controllers prone to Incorrect Permission Assignment for Critical Resource ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-055/ ∗∗∗ Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-056/ ∗∗∗ Phoenix Contact: Classic line industrial controllers prone to inadequate integrity check of PLC ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-057/ ∗∗∗ Phoenix Contact: PLCnext Control prone to download of code without integrity check ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-058/ ∗∗∗ Schneider Electric Easy UPS Online Monitoring Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icaa-23-346-01 ∗∗∗ F5: K000137871 : Linux kernel vulnerability CVE-2023-35001 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137871 ∗∗∗ SSA-999588 V1.0: Multiple Vulnerabilities in User Management Component (UMC) before V2.11.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-999588.html ∗∗∗ SSA-892915 V1.0: Multiple Denial of Service Vulnerabilities in the Webserver of Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-892915.html ∗∗∗ SSA-887801 V1.0: Information Disclosure Vulnerability in SIMATIC STEP 7 (TIA Portal) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-887801.html ∗∗∗ SSA-844582 V1.0: Electromagnetic Fault Injection in LOGO! V8.3 BM Devices Results in Broken LOGO! V8.3 Product CA ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-844582.html ∗∗∗ SSA-693975 V1.0: Denial-of-Service Vulnerability in the Web Server of Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-693975.html ∗∗∗ SSA-592380 V1.0: Denial of Service Vulnerability in SIMATIC S7-1500 CPUs and related products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-592380.html ∗∗∗ SSA-480095 V1.0: Vulnerabilities in the Web Interface of SICAM Q100 Devices before V2.60 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-480095.html ∗∗∗ SSA-398330 V1.0: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-398330.html ∗∗∗ SSA-280603 V1.0: Denial of Service Vulnerability in SINUMERIK ONE and SINUMERIK MC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-280603.html ∗∗∗ SSA-180704 V1.0: Multiple Vulnerabilities in SCALANCE M-800/S615 Family before V8.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-180704.html ∗∗∗ SSA-118850 V1.0: Denial of Service Vulnerability in the OPC UA Implementation in SINUMERIK ONE and SINUMERIK MC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-118850.html ∗∗∗ SSA-077170 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-077170.html ∗∗∗ SSA-068047 V1.0: Multiple Vulnerabilities in SCALANCE M-800/S615 Family before V7.2.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-068047.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.12.2023
by Daily end-of-shift report 11 Dec '23

11 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-12-2023 18:00 − Montag 11-12-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ AutoSpill attack steals credentials from Android password managers ∗∗∗ --------------------------------------------- Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/autospill-attack-steals-cred… ∗∗∗ Over 30% of Log4J apps use a vulnerable version of the library ∗∗∗ --------------------------------------------- Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-30-percent-of-log4j-app… ∗∗∗ Sicherheitsupdate: WordPress unter bestimmten Bedingungen angreifbar ∗∗∗ --------------------------------------------- In der aktuellen WordPress-Version haben die Entwickler eine Sicherheitslücke geschlossen. --------------------------------------------- https://www.heise.de/-9567923 ∗∗∗ DoS-Schwachstellen: Angreifer können 714 Smartphone-Modelle vom 5G-Netz trennen ∗∗∗ --------------------------------------------- Forscher haben mehrere Schwachstellen in gängigen 5G-Modems offengelegt. Damit können Angreifer vielen Smartphone-Nutzern 5G-Verbindungen verwehren. --------------------------------------------- https://www.golem.de/news/dos-schwachstellen-angreifer-koennen-714-smartpho… ∗∗∗ 40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager ∗∗∗ --------------------------------------------- In today’s post, we’ll take a look at some recent Google Tag Manager containers used in ecommerce malware, examine some newer forms of obfuscation techniques used in the malicious code, and track the evolution of the ATMZOW skimmer linked to widespread Magento website infections since 2015. --------------------------------------------- https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-f… ∗∗∗ Bluetooth-Lücke erlaubt Einschleusen von Tastenanschlägen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in Bluetooth-Stacks erlaubt Angreifern, Tastenanschläge einzuschmuggeln. Unter Android, iOS, Linux und macOS. --------------------------------------------- https://www.heise.de/-9570583 ∗∗∗ Achtung Fake-Shop: fressnapfs.shop ∗∗∗ --------------------------------------------- Kriminelle schalten auf Facebook und Instagram Werbung für einen betrügerischen Fressnapf-Online-Shop. Der gefälschte Online-Shop sieht dem echten Shop zum Verwechseln ähnlich. Auch die Internetadresse „fressnapfs.shop“ scheint plausibel. Wenn Sie beim Fake-Shop bestellen, verlieren Sie Ihr Geld und erhalten keine Lieferung! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-fressnapfsshop/ ∗∗∗ To tap or not to tap: Are NFC payments safer? ∗∗∗ --------------------------------------------- Contactless payments are quickly becoming ubiquitous – but are they more secure than traditional payment methods? --------------------------------------------- https://www.welivesecurity.com/en/cybersecurity/to-tap-or-not-to-tap-are-nf… ∗∗∗ Kaspersky entdeckt „hochkomplexen“ Proxy-Trojaner für macOS ∗∗∗ --------------------------------------------- Die Malware wird über raubkopierte Software verbreitet. Varianten für Android und Windows sind offenbar auch im Umlauf. --------------------------------------------- https://www.zdnet.de/88413363/kaspersky-entdeckt-hochkomplexen-proxy-trojan… ∗∗∗ Risiko Active Directory-Fehlkonfigurationen; Forest Druid zur Analyse ∗∗∗ --------------------------------------------- Fehlkonfigurationen und Standardeinstellungen des Active Directory können die IT-Sicherheit von Unternehmen gefährden. Bastien Bossiroy von den NVISO Labs hat sich Gedanken um dieses Thema gemacht und bereits Ende Oktober 2023 einen Beitrag zu den häufigsten Fehlkonfigurationen/Standardkonfigurationen des Active Directory, die Unternehmen gefährden, veröffentlicht. Zudem ist mir kürzlich ein Hinweis auf "Forest Druid" untergekommen, ein kostenloses Attack-Path-Management-Tool von Semperis. --------------------------------------------- https://www.borncity.com/blog/2023/12/09/risiko-active-directory-die-hufigs… ∗∗∗ Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang ∗∗∗ --------------------------------------------- Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel. We’re naming this malware family “NineRAT.” NineRAT was initially built around May 2022 and was first used in this campaign as early as March 2023, almost a year later, against a South American agricultural organization. We then saw NineRAT being used again around September 2023 against a European manufacturing entity. --------------------------------------------- https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/ ∗∗∗ 2023 Review: Reflecting on Cybersecurity Trends ∗∗∗ --------------------------------------------- With the season of ubiquitous year-ahead predictions around the corner, Trend Micro’s Greg Young and William Malik decided to look back at 2023 and see which forecasted cybersecurity trends came to pass and which, um, didn’t. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/23/l/2023-review-reflecting-on-cybers… ∗∗∗ Analyzing AsyncRATs Code Injection into aspnet_compiler.exe Across Multiple Incident Response Cases ∗∗∗ --------------------------------------------- This blog entry delves into MxDRs unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/l/analyzing-asyncrat-code-inje… ===================== = Vulnerabilities = ===================== ∗∗∗ Resolved RCE in Sophos Firewall (CVE-2022-3236) ∗∗∗ --------------------------------------------- The vulnerability was originally fixed in September 2022. In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall. No action is required if organizations have upgraded their firewalls to a supported firmware version after September 2022. --------------------------------------------- https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce ∗∗∗ Sicherheitslücken: Angreifer können Schadcode auf Qnap NAS schieben ∗∗∗ --------------------------------------------- Netzwerkspeicher von Qnap sind verwundbar. In aktuellen Versionen haben die Entwickler Sicherheitsprobleme gelöst. --------------------------------------------- https://www.heise.de/-9570375 ∗∗∗ New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164) ∗∗∗ --------------------------------------------- The Apache Struts project has released updates for the popular open-source web application framework, with fixes for a critical vulnerability that could lead to remote code execution (CVE-2023-50164). --------------------------------------------- https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium), Mageia (firefox, thunderbird, and vim), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container), and Ubuntu (freerdp2, glibc, and tinyxml). --------------------------------------------- https://lwn.net/Articles/954092/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (bluez, chromium, and curl), Red Hat (apr), Slackware (libxml2), and Ubuntu (squid3 and tar). --------------------------------------------- https://lwn.net/Articles/954449/ ∗∗∗ Edge 120.0.2210.61 mit Sicherheitsfixes und neuer Telemetriefunktion ∗∗∗ --------------------------------------------- Microsoft hat zum 7. Dezember 2023 den Edge 120.0.2210.61 im Stable-Channel veröffentlicht. Diese Version schließt gleich drei Schwachstellen (und zudem Chromium-Sicherheitslücken). Der neue Edge kommt zudem mit neuen Richtlinien. --------------------------------------------- https://www.borncity.com/blog/2023/12/08/edge-120-0-2210-61-mit-sicherheits… ∗∗∗ GarageBand 10.4.9 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT214042 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Frauscher: FDS102 for FAdC/FAdCi remote code execution vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-049/ ∗∗∗ Local Privilege Escalation durch MSI installer in PDF24 Creator (geek Software GmbH) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.12.2023
by Daily end-of-shift report 07 Dec '23

07 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-12-2023 18:00 − Donnerstag 07-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CISA and International Partners Release Advisory on [..] Star Blizzard ∗∗∗ --------------------------------------------- The joint CSA aims to raise awareness of the specific tactics, techniques, and delivery methods [..] Known Star Blizzard techniques include: Impersonating known contacts' email accounts, Creating fake social media profiles, Using webmail addresses from providers such as Outlook, Gmail and others, and Creating malicious domains that resemble legitimate organizations. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-and-international-p… ∗∗∗ CISA, NSA, FBI and International Cybersecurity Authorities Publish Guide on The Case for Memory Safe Roadmaps ∗∗∗ --------------------------------------------- The guide strongly encourages executives of software manufacturers to prioritize using memory safe programing languages, write and publish memory safe roadmaps and implement changes to eliminate this class of vulnerability and protect their customers. Software developers and support staff should develop the roadmap, which should detail how the manufacturer will modify their software development life cycle (SDLC) to dramatically reduce and eventually eliminate memory unsafe code in their products. This guidance also provides a clear outline of elements that a memory safe roadmap should include. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-nsa-fbi-and-international-cybers… ===================== = Vulnerabilities = ===================== ∗∗∗ PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2 ∗∗∗ --------------------------------------------- WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site. We urge all WordPress users to update to 6.4.2 immediately, as this issue could allow full site takeover if another vulnerability is present. --------------------------------------------- https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remo… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tzdata), Fedora (gmailctl), Oracle (kernel), Red Hat (linux-firmware, postgresql:12, postgresql:13, and squid:4), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, frr, libtorrent-rasterbar, qbittorrent, openssl-3, openvswitch, openvswitch3, and suse-build-key), and Ubuntu (bluez, curl, linux, linux-aws, linux-azure, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-gcp, open-vm-tools, postgresql-12, postgresql-14, postgresql-15, and python-cryptography). --------------------------------------------- https://lwn.net/Articles/953977/ ∗∗∗ Kritische Sicherheitslücken in mehreren Produkten von Atlassian - Patches verfügbar ∗∗∗ --------------------------------------------- Mehrere Versionen von Produkten des Unternehmens Atlassian enthalten kritische Sicherheitslücken. Die Ausnutzung der Sicherheitslücken ermöglicht Angreifer:innen die vollständige Übernahme von verwundbaren Systemen, sowie den Zugriff auf alle darauf gespeicherten Daten. CVE-Nummer(n): CVE-2023-22522, CVE-2022-1471 CVSS Base Score: 9.0 bzw. 9.8 --------------------------------------------- https://cert.at/de/warnungen/2023/12/kritische-sicherheitslucken-in-mehrere… ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-23-341-01 Mitsubishi Electric FA Engineering Software Products, ICSA-23-341-02 Schweitzer Engineering Laboratories SEL-411L, ICSA-23-341-03 Johnson Controls Metasys and Facility Explorer, ICSA-23-341-05 ControlbyWeb Relay, ICSA-23-341-06 Sierra Wireless AirLink with ALEOS firmware --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-releases-five-indus… ∗∗∗ BIOS Image Parsing Function Vulnerabilities (LogoFAIL) ∗∗∗ --------------------------------------------- Vulnerabilities were reported in the image parsing libraries in AMI, Insyde and Phoenix BIOS which are used to parse personalized boot logos that are loaded from the EFI System Partition that could allow a local attacker with elevated privileges to trigger a denial of service or arbitrary code execution. [..] Update system firmware to the version (or newer) indicated for your model in the Product Impact section. --------------------------------------------- http://support.lenovo.com/product_security/PS500590-BIOS-IMAGE-PARSING-FUNC… ∗∗∗ Drupal: Group - Less critical - Access bypass - SA-CONTRIB-2023-054 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-054 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2023
by Daily end-of-shift report 06 Dec '23

06 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-12-2023 18:00 − Mittwoch 06-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Trügerische Sicherheit: Angreifer können Lockdown-Modus von iOS fälschen ∗∗∗ --------------------------------------------- Der Lockdown-Modus von iOS soll iPhone-Besitzer vor Cyberangriffen schützen. Forscher haben gezeigt, wie sich die Funktion fälschen lässt. --------------------------------------------- https://www.golem.de/news/truegerische-sicherheit-angreifer-koennen-lockdow… ∗∗∗ Whose packet is it anyway: a new RFC for attribution of internet probes, (Wed, Dec 6th) ∗∗∗ --------------------------------------------- So far, security analysts and administrators have had to rely mostly on WHOIS, RDAP, reverse DNS lookups and third-party data (e.g., data from ISC/DShield) in order to gain some idea of who might be behind a specific scan and whether it was malicious or not. However, authors of the aforementioned RFC came up with several ideas of how originators of “internet probes” might simplify their own identification. --------------------------------------------- https://isc.sans.edu/diary/rss/30456 ∗∗∗ Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks ∗∗∗ --------------------------------------------- Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. --------------------------------------------- https://thehackernews.com/2023/12/qualcomm-releases-details-on-chip.html ∗∗∗ Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts ∗∗∗ --------------------------------------------- Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks. The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth said in a Tuesday analysis. --------------------------------------------- https://thehackernews.com/2023/12/alert-threat-actors-can-leverage-aws.html ∗∗∗ Blind CSS Exfiltration: exfiltrate unknown web pages ∗∗∗ --------------------------------------------- Why would we want to do blind CSS exfiltration? Imagine youve got a blind HTML injection vulnerability but you cant get XSS because of the sites CSP or perhaps the site has a server-side or DOM-based filter such as DOMPurify. JavaScript is off the table but they allow styles because theyre just styles right? What possible damage can you do with just CSS? --------------------------------------------- https://portswigger.net/research/blind-css-exfiltration ∗∗∗ SLAM: Neue Spectre-Variante gefährdet zukünftige CPU-Generationen ∗∗∗ --------------------------------------------- Forscher tricksen das Speichermanagement kommender CPU-Generationen aus, um vermeintlich geschützte Daten aus dem RAM zu lesen. --------------------------------------------- https://www.heise.de/-9549625 ∗∗∗ Windows 10: Security-Updates nach Support-Ende ∗∗∗ --------------------------------------------- Wer Windows 10 länger als bis 2025 betreiben will, muss entweder in die Microsoft-365-Cloud oder für Patches zahlen. --------------------------------------------- https://www.heise.de/-9566262 ∗∗∗ Achtung Betrug: Rechnung vom "Registergericht" ∗∗∗ --------------------------------------------- Aktuell läuft wohl wieder eine Betrugskampagne, in der Brief mit falschen Rechnungen von einem angeblichen "Registergericht" an Firmen geschickt werden. --------------------------------------------- https://www.borncity.com/blog/2023/12/06/achtung-betrug-rechnung-vom-regist… ∗∗∗ CVE-2023-49105, WebDAV Api Authentication Bypass in ownCloud ∗∗∗ --------------------------------------------- While the 10/10 CVE-2023-49103 got all the attention last week, organizations should not quickly overlook CVE-2023-49105! CVE-2023-49105 is an authentication bypass issue affecting ownCloud from version 10.6.0 to version 10.13.0. It allows an attacker to access, modify, or delete any file without authentication if the username is known. Even if the user has no signing key configured, ownCloud accepts pre-signed URLs, enabling the attacker to generate URLs for arbitrary file operations. --------------------------------------------- https://www.greynoise.io/blog/cve-2023-49105-webdav-api-authentication-bypa… ===================== = Vulnerabilities = ===================== ∗∗∗ "Sierra:21" vulnerabilities impact critical infrastructure routers ∗∗∗ --------------------------------------------- A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks. [..] AirLink routers are highly regarded in the field of industrial and mission-critical applications due to high-performance 3G/4G/5G and WiFi and multi-network connectivity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sierra-21-vulnerabilities-im… ∗∗∗ Codeschmuggel in Atlassian-Produkten: Vier kritische Lücken aufgetaucht ∗∗∗ --------------------------------------------- Admins von Confluence, Jira und Bitbucket kommen aus dem Patchen nicht heraus: Erneut hat Atlassian dringende Updates für seine wichtigsten Produkte vorgelegt. --------------------------------------------- https://www.heise.de/-9565780 ∗∗∗ Kiosk Escape Privilege Escalation in One Identity Password Manager Secure Password Extension ∗∗∗ --------------------------------------------- The Password Manager Extension from One Identity can be used to perform two different kiosk escapes on the lock screen of a Windows client. These two escapes allow an attacker to execute commands with the highest permissions of a user with the SYSTEM role. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/kiosk-escape-privilege-e… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, clevis-pin-tpm2, firefox, keyring-ima-signer, libkrun, perl, perl-PAR-Packer, polymake, poppler, rust-bodhi-cli, rust-coreos-installer, rust-fedora-update-feedback, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sequoia-wot, rust-sevctl, rust-snphost, and rust-tealdeer), Mageia (samba), Red Hat (postgresql:12), SUSE (haproxy and kernel-firmware), and Ubuntu (haproxy, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-6.1, and redis). --------------------------------------------- https://lwn.net/Articles/953861/ ∗∗∗ Command Injection via CLI des DrayTek Vigor167 (SYSS-2023-023) ∗∗∗ --------------------------------------------- Die Kommandozeile (Command-Line Interface, CLI) des DrayTek Vigor167 mit der Modemfirmware 5.2.2 erlaubt es angemeldeten Angreifenden, beliebigen Code auf dem Modem auszuführen. Nutzende mit Zugang zur Weboberfläche, aber ohne jegliche Berechtigungen, haben ebenfalls Zugriff auf die CLI und können hierüber das Modem übernehmen. --------------------------------------------- https://www.syss.de/pentest-blog/command-injection-via-cli-des-draytek-vigo… ∗∗∗ Security Advisory - Identity Bypass Vulnerability in Some Huawei Smart Screen Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ibvishssp… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.12.2023
by Daily end-of-shift report 05 Dec '23

05 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Montag 04-12-2023 18:00 − Dienstag 05-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Unpatched Loytec Building Automation Flaws Disclosed 2 Years After Discovery ∗∗∗ --------------------------------------------- Industrial cybersecurity firm TXOne Networks has disclosed the details of 10 unpatched vulnerabilities discovered by its researchers in building automation products made by Austrian company Loytec more than two years ago. --------------------------------------------- https://www.securityweek.com/unpatched-loytec-building-automation-flaws-dis… ∗∗∗ BlueNoroff: new Trojan attacking macOS users ∗∗∗ --------------------------------------------- BlueNoroff has been attacking macOS users with a new loader that delivers unknown malware to the system. --------------------------------------------- https://securelist.com/bluenoroff-new-macos-malware/111290/ ∗∗∗ Zarya Hacktivists: More than just Sharepoint., (Mon, Dec 4th) ∗∗∗ --------------------------------------------- Zarya isn't exactly the type of threat you should be afraid of, but it is sad how these groups can still be effective due to organizations exposing unpatched or badly configured systems to the internet. Most of the attacks sent by Zarya will not succeed even if they hit a vulnerable system. For some added protection, you may consider blocking some of the Aeza network's traffic after ensuring that this network hosts no critical resources you need. Aeza uses ASN 210644. --------------------------------------------- https://isc.sans.edu/diary/rss/30450 ∗∗∗ Warning for iPhone Users: Experts Warn of Sneaky Fake Lockdown Mode Attack ∗∗∗ --------------------------------------------- A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when its actually not and carry out covert attacks. --------------------------------------------- https://thehackernews.com/2023/12/warning-for-iphone-users-experts-warn.html ∗∗∗ Sicherheitslücke in iOS 16 soll angeblich leichteres Auslesen ermöglichen ∗∗∗ --------------------------------------------- In Moskau streiten sich zwei Forensikfirmen wegen gestohlenem Programmcode. Dieser aber offenbart eine mögliche neue Sicherheitslücke im iPhone-Betriebssystem. --------------------------------------------- https://www.heise.de/-9548725 ∗∗∗ OSINT. What can you find from a domain or company name ∗∗∗ --------------------------------------------- To help OPSEC people I thought it might be useful to go over some of the key things that can be found using domain and company names. --------------------------------------------- https://www.pentestpartners.com/security-blog/osint-what-can-you-find-from-… ∗∗∗ Viele Beschwerden zu luckyluna.de ∗∗∗ --------------------------------------------- luckyluna.de bietet handgezeichnete Tierportraits. Sie laden ein Foto Ihres Tieres hoch, es wird gezeichnet und Sie erhalten das Bild entweder digital oder auf einer Leinwand – so zumindest das Versprechen. Verärgerte Kund:innen beschweren sich aber, dass die Bilder nicht handgezeichnet sind, sondern die „handgefertigten Portraits“ nur mit Hilfe eines Bildbearbeitungsprogramms erstellt werden. --------------------------------------------- https://www.watchlist-internet.at/news/viele-beschwerden-zu-luckylunade/ ∗∗∗ Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers ∗∗∗ --------------------------------------------- This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday Android: Android 11, 12, 13 und 14 für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- Angreifer können Android-Smartphones und -Tablets verschiedener Hersteller ins Visier nehmen. Für einige Geräte gibt es Sicherheitsupdates. --------------------------------------------- https://www.heise.de/-9548839 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (roundcube), Fedora (java-latest-openjdk), Mageia (libqb), SUSE (python-Django1), and Ubuntu (request-tracker4). --------------------------------------------- https://lwn.net/Articles/953783/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0011 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2023-42916, CVE-2023-42917. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0011.html ∗∗∗ Security updates for Ivanti Connect Secure and Ivanti Policy Secure ∗∗∗ --------------------------------------------- We are reporting the Ivanti Connect Secure issues as CVE-2023-39340, CVE-2023-41719 and CVE-2023-41720, and Ivanti Policy Secure issue as CVE-2023-39339. We encourage customers to download the latest releases of ICS and IPS to remediate the issues. --------------------------------------------- https://www.ivanti.com/blog/security-updates-for-ivanti-connect-secure-and-… ∗∗∗ SonicWall SSL-VPN SMA100 Version 10.x Is Affected By Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018 ∗∗∗ Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Packet Validation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Wago: Vulnerabilities in IEC61850 Server / Telecontrol ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-044/ ∗∗∗ Wago: Vulnerability in Smart Designer Web-Application ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-045/ ∗∗∗ CODESYS: Multiple products affected by WIBU Codemeter vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-035/ ∗∗∗ CODESYS: OS Command Injection Vulnerability in multiple CODESYS Control products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-066/ ∗∗∗ Pilz : WIBU Vulnerabilitiy in multiple Products (Update A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-033/ ∗∗∗ Pilz: Electron Vulnerabilities in PASvisu and PMI v8xx ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-059/ ∗∗∗ Pilz: Multiple products prone to libwebp vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-048/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-339-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.12.2023
by Daily end-of-shift report 04 Dec '23

04 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-12-2023 18:00 − Montag 04-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks ∗∗∗ --------------------------------------------- The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware. --------------------------------------------- https://thehackernews.com/2023/12/logofail-uefi-vulnerabilities-expose.html ∗∗∗ New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect thats capable of targeting routers and IoT devices. --------------------------------------------- https://thehackernews.com/2023/12/new-p2pinfect-botnet-mips-variant.html ∗∗∗ Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs ∗∗∗ --------------------------------------------- Today, CISA, (FBI), (NSA), (EPA), and (INCD) released a joint Cybersecurity Advisory (CSA) IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors in response to the active exploitation of Unitronics programmable logic controllers (PLCs) in multiple sectors. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/01/cisa-and-partners-releas… ∗∗∗ Phishing-Angriffe: Betrüger missbrauchen Hotelbuchungsplattform booking.com ∗∗∗ --------------------------------------------- Mit auf Datendiebstahl spezialisierte Malware griffen Cyberkriminelle zunächst Hotelmitarbeiter an und verschickten dann über Booking betrügerische Mails. --------------------------------------------- https://www.heise.de/-9547507 ∗∗∗ Update your iPhones! Apple fixes two zero-days in iOS ∗∗∗ --------------------------------------------- Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/12/update-your-iphones-apple-fi… ∗∗∗ PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The Phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE. --------------------------------------------- https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-sca… ∗∗∗ Vorsicht vor gefälschter Microsoft-Sicherheitswarnung ∗∗∗ --------------------------------------------- Beim Surfen im Internet poppt plötzlich eine Sicherheitswarnung auf: „Aus Sicherheitsgründen wurde das Gerät blockiert. Windows-Support Anrufen“. Zusätzlich wird eine Computerstimme abgespielt, die Ihnen erklärt, dass Ihre Kreditkarten- und Facebookdaten sowie persönliche Daten an Hacker weitergegeben werden. Für technische Unterstützung sollen Sie eine Nummer anrufen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschter-microsoft-… ∗∗∗ Zyxel warnt vor kritischen Sicherheitslücken in NAS-Geräten ∗∗∗ --------------------------------------------- Betreibt jemand ein Zyxel NAS in seiner Umgebung? Der taiwanesische Hersteller hat gerade vor mehreren Schwachstellen in der Firmware dieser Geräte gewarnt. Drei kritische Schwachstellen ermöglichen es einem nicht authentifizierten Angreifer Betriebssystembefehle auf anfälligen NAS-Geräten (Network-Attached Storage) auszuführen. --------------------------------------------- https://www.borncity.com/blog/2023/12/02/zyxel-warnt-vor-kritischen-sicherh… ===================== = Vulnerabilities = ===================== ∗∗∗ SQUID-2023:7 Denial of Service in HTTP Message Processing ∗∗∗ --------------------------------------------- Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing[..] This problem allows a remote attacker to perform Denial of Service when sending easily crafted HTTP Messages. --------------------------------------------- https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9 ∗∗∗ SQUID-2023:8 Denial of Service in Helper Process management ∗∗∗ --------------------------------------------- Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. [..] This problem allows a trusted client or remote server to perform a Denial of Service attack when the Squid proxy is under load. --------------------------------------------- https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27 ∗∗∗ SQUID-2023:9 Denial of Service in HTTP Collapsed Forwarding ∗∗∗ --------------------------------------------- Due to a Use-After-Free bug Squid is vulnerable to a Denial of Service attack against collapsed forwarding [..] This problem allows a remote client to perform Denial of Service attack on demand when Squid is configured with collapsed forwarding. --------------------------------------------- https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5 ∗∗∗ GitLab Security Release: 16.6.1, 16.5.3, 16.4.3 ∗∗∗ --------------------------------------------- These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. CVE IDs: CVE-2023-6033, CVE-2023-6396, CVE-2023-3949, CVE-2023-5226, CVE-2023-5995, CVE-2023-4912, CVE-2023-4317, CVE-2023-3964, CVE-2023-4658, CVE-2023-3443 --------------------------------------------- https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1… ∗∗∗ Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call ∗∗∗ --------------------------------------------- Sonos Era 100 is a smart speaker released in 2023. A vulnerability exists in the U-Boot component of the firmware which would allow for persistent arbitrary code execution with Linux kernel privileges. This vulnerability could be exploited either by an attacker with physical access to the device, or by obtaining write access to the flash memory through a separate runtime vulnerability. [..] Sonos state an update was released on 2023-11-15 which remediated the issue. --------------------------------------------- https://research.nccgroup.com/2023/12/04/technical-advisory-sonos-era-100-s… ∗∗∗ Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution ∗∗∗ --------------------------------------------- In this blog post, we detailed an Arbitrary File Upload vulnerability within the MW WP Form plugin affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 5.0.2 of the plugin. [..] CVE ID: CVE-2023-6316 / CVSS Score: 9.8 (Critical) --------------------------------------------- https://www.wordfence.com/blog/2023/12/update-asap-critical-unauthenticated… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amanda, ncurses, nghttp2, opendkim, rabbitmq-server, and roundcube), Fedora (golang-github-openprinting-ipp-usb, kernel, kernel-headers, kernel-tools, and samba), Mageia (audiofile, galera, libvpx, and virtualbox), Oracle (kernel and postgresql:13), SUSE (openssl-3, optipng, and python-Pillow), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/953702/ ∗∗∗ Ruckus Access Point vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN45891816/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.12.2023
by Daily end-of-shift report 01 Dec '23

01 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-11-2023 18:00 − Freitag 01-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ IT threat evolution Q3 2023 ∗∗∗ --------------------------------------------- Non-mobile statistics & Mobile statistics --------------------------------------------- https://securelist.com/it-threat-evolution-q3-2023/111171/ ∗∗∗ Skimming Credit Cards with WebSockets ∗∗∗ --------------------------------------------- In this post we’ll review what web sockets are, why they are beneficial to attackers to use in skimming attacks, and an analysis of several different web socket credit card skimmers that we’ve identified on compromised ecommerce websites. --------------------------------------------- https://blog.sucuri.net/2023/11/skimming-credit-cards-with-websockets.html ∗∗∗ Cyber Resilience Act: EU einigt sich auf Vorschriften für vernetzte Produkte ∗∗∗ --------------------------------------------- Anbieter müssen in der EU zukünftig für längere Zeit Sicherheitsupdates zur Verfügung stellen – in der Regel für fünf Jahre. --------------------------------------------- https://www.heise.de/-9545873 ∗∗∗ Opening Critical Infrastructure: The Current State of Open RAN Security ∗∗∗ --------------------------------------------- The Open Radio Access Network (ORAN) architecture provides standardized interfaces and protocols to previously closed systems. However, our research on ORAN demonstrates the potential threat posed by malicious xApps that are capable of compromising the entire Ran Intelligent Controller (RIC) subsystem. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/l/the-current-state-of-open-ra… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple security updates and Rapid Security Responses ∗∗∗ --------------------------------------------- WebKit: CVE-2023-42916, CVE-2023-42917 * Safari 17.1.2 * iOS 17.1.2 and iPadOS 17.1.2 * macOS Sonoma 14.1.2 --------------------------------------------- https://support.apple.com/en-us/HT201222 ∗∗∗ Multiple Vulnerabilities in Autodesk Desktop Licensing Service ∗∗∗ --------------------------------------------- Autodesk Desktop Licensing Service has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities could lead to code execution due to weak permissions. Autodesk Desktop Licensing Installer, libcurl: CVE-2023-38039, CVE-2023-28321, CVE-2023-38545 --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0023 ∗∗∗ VMware Cloud Director 10.5 GA Workaround for CVE-2023-34060 ∗∗∗ --------------------------------------------- VMware released VMware Cloud Director 10.5.1 on November 30th 2023. This version includes a fix for the authentication bypass vulnerability documented in VMSA-2023-0026. --------------------------------------------- https://kb.vmware.com/s/article/95534 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, gimp-dds, horizon, libde265, thunderbird, vlc, and zbar), Fedora (java-17-openjdk and xen), Mageia (optipng, roundcubemail, and xrdp), Red Hat (postgresql), Slackware (samba), SUSE (chromium, containerd, docker, runc, libqt4, opera, python-django-grappelli, sqlite3, and traceroute), and Ubuntu (linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, and linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2). --------------------------------------------- https://lwn.net/Articles/953512/ ∗∗∗ Mattermost security updates 9.2.3 / 9.1.4 / 9.0.5 / 8.1.7 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.2.3, 9.1.4, 9.0.5, and 8.1.7 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-2-3-9-1-4-9-0-5-8… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.11.2023
by Daily end-of-shift report 30 Nov '23

30 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-11-2023 18:00 − Donnerstag 30-11-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FjordPhantom Android malware uses virtualization to evade detection ∗∗∗ --------------------------------------------- A new Android malware named FjordPhantom has been discovered using virtualization to run malicious code in a container and evade detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fjordphantom-android-malware… ∗∗∗ TRAP; RESET; POISON; - Übernahme eines Landes nach Kaminsky Art ∗∗∗ --------------------------------------------- Ein technischer Einblick in die Manipulation der DNS-Namensauflösung eines ganzen Landes. --------------------------------------------- https://sec-consult.com/de/blog/detail/uebernahme-eines-landes-nach-kaminsk… ∗∗∗ CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks ∗∗∗ --------------------------------------------- A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments. --------------------------------------------- https://thehackernews.com/2023/11/cactus-ransomware-exploits-qlik-sense.html ∗∗∗ Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data ∗∗∗ --------------------------------------------- Zoom Rooms, the cloud-based video conferencing platform by Zoom, is making headlines due to a recently discovered vulnerability. This flaw poses a significant security risk as it enables attackers to seize control of a Zoom Room’s service account, gaining unauthorized access to the victim organization’s tenant. --------------------------------------------- https://www.hackread.com/zoom-vulnerability-hackers-hijack-meetings-data/ ∗∗∗ BLUFFS: Neue Angriffe gefährden Bluetooth-Datensicherheit auf Milliarden Geräten ∗∗∗ --------------------------------------------- Durch eine Lücke im Bluetooth-Protokoll können Angreifer einfach zu knackende Schlüssel erzwingen und so vergangene wie zukünftige Datenübertragung knacken. --------------------------------------------- https://www.heise.de/-9544862 ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053 ∗∗∗ --------------------------------------------- The Xsendfile module enables fast transfer for private files in Drupal. In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-053 ∗∗∗ Apache ActiveMQ: Mehrere Codeschmuggel-Lücken von Botnetbetreibern ausgenutzt ∗∗∗ --------------------------------------------- Derweil meldet das ActiveMQ-Projekt eine neue Sicherheitslücke, die ebenfalls zur Ausführung von Schadcode genutzt werden kann. Der Fehler verbirgt sich in der Deserialisierungsroutine der Jolokia-Komponente, setzt aber eine Authentisierung voraus. Während die ActiveMQ-Entwickler von einem mittleren Schweregrad ausgehen, vergeben der Warn- und Informationsdienst des BSI einen CVSS-Wert von 8.8 und stuft den Schweregrad somit als "hoch" ein. CVE ID: CVE-2022-41678 --------------------------------------------- https://www.heise.de/-9544281 ∗∗∗ MOVEit Transfer Service Pack (November 2023) ∗∗∗ --------------------------------------------- This article contains the details of the specific updates within the MOVEit Transfer November 2023 Service Pack. The Service Pack contains fixes for (2) newly disclosed CVEs described below. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. CVE IDs: CVE-2023-6217, CVE-2023-6218 --------------------------------------------- https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-Novem… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023) ∗∗∗ --------------------------------------------- Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. --------------------------------------------- https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, gnutls, gst-devtools, gstreamer1, gstreamer1-doc, libcap, mingw-poppler, python-gstreamer1, qbittorrent, webkitgtk, and xen), Mageia (docker, kernel-linus, and python-django), Oracle (dotnet6.0, dotnet7.0, dotnet8.0, firefox, samba, squid, and thunderbird), Red Hat (firefox, postgresql:13, squid, and thunderbird), SUSE (cilium, freerdp, java-1_8_0-ibm, and java-1_8_0-openj9), and Ubuntu (ec2-hibinit-agent, freerdp2, gimp, gst-plugins-bad1.0, openjdk-17, openjdk-21, openjdk-lts, openjdk-8, pypy3, pysha3, and u-boot-nezha). --------------------------------------------- https://lwn.net/Articles/953379/ ∗∗∗ [R1] Nessus Network Monitor 6.3.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Risk Factor: Critical, CVE ID: CVE-2023-5363, CVE-2021-23369, CVE-2021-23383, CVE-2018-9206 --------------------------------------------- https://www.tenable.com/security/tns-2023-43 ∗∗∗ Zyxel security advisory for authentication bypass and command injection vulnerabilities in NAS products ∗∗∗ --------------------------------------------- Zyxel has released patches addressing an authentication bypass vulnerability and command injection vulnerabilities in NAS products. Users are advised to install them for optimal protection. CVEs: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474 --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/30/cisa-adds-two-known-expl… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ PTC KEPServerEx ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03 ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-01 ∗∗∗ Mitsubishi Electric FA Engineering Software Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-04 ∗∗∗ Yokogawa STARDOM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2023
by Daily end-of-shift report 29 Nov '23

29 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-11-2023 18:00 − Mittwoch 29-11-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability ∗∗∗ --------------------------------------------- The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat thats capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) [...] --------------------------------------------- https://thehackernews.com/2023/11/gotitan-botnet-spotted-exploiting.html ∗∗∗ DJVU Ransomwares Latest Variant Xaro Disguised as Cracked Software ∗∗∗ --------------------------------------------- A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software. "While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers," [...] --------------------------------------------- https://thehackernews.com/2023/11/djvu-ransomwares-latest-variant-xaro.html ∗∗∗ Okta Breach Impacted All Customer Support Users—Not 1 Percent ∗∗∗ --------------------------------------------- Okta upped its original estimate of customer support users affected by a recent breach from 1 percent to 100 percent, citing a “discrepancy.” --------------------------------------------- https://www.wired.com/story/okta-breach-disclosure-all-customer-support-use… ∗∗∗ Scans zu kritischer Sicherheitslücke in ownCloud-Plugin ∗∗∗ --------------------------------------------- Die Schwachstelle im GraphAPI-Plugin kann zur unfreiwilligen Preisgabe der Admin-Zugangsdaten führen. ownCloud-Admins sollten schnell reagieren. --------------------------------------------- https://www.heise.de/-9542895.html ∗∗∗ Sicherheitslücke: Schadcode-Attacken auf Solarwinds Platform möglich ∗∗∗ --------------------------------------------- Die Solarwinds-Entwickler haben zwei Schwachstellen in ihrer Monitoringsoftware geschlossen. --------------------------------------------- https://www.heise.de/-9543391.html ∗∗∗ New BLUFFS Bluetooth Attack Methods Can Have Large-Scale Impact: Researcher ∗∗∗ --------------------------------------------- An academic researcher demonstrates BLUFFS, six novel attacks targeting Bluetooth sessions’ forward and future secrecy. --------------------------------------------- https://www.securityweek.com/new-bluffs-bluetooth-attacks-have-large-scale-… ∗∗∗ Deepfake-Videos mit Armin Assinger führen zu Investitionsbetrug! ∗∗∗ --------------------------------------------- Aktuell kursieren auf Facebook, Instagram, TikTok und YouTube Werbevideos mit betrügerischen Inhalten. Dabei wird insbesondere das Gesicht Armin Assingers für Deepfakes eingesetzt. Armin Assinger werden mithilfe von Künstlicher Intelligenz (KI) Worte in den Mund gelegt, sodass dadurch betrügerische Investitionsplattformen beworben werden. Vorsicht: Folgen Sie diesen Links nicht, denn hier sind sämtliche Investments verloren! --------------------------------------------- https://www.watchlist-internet.at/news/deepfake-videos-mit-armin-assinger-f… ∗∗∗ Spyware Employs Various Obfuscation Techniques to Bypass Static Analysis ∗∗∗ --------------------------------------------- A look at some deceptive tactics used by malware authors in an effort to evade analysis. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/spyware-… ∗∗∗ Exploitation of Unitronics PLCs used in Water and Wastewater Systems ∗∗∗ --------------------------------------------- CISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations [...] --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-… ∗∗∗ CISA Releases First Secure by Design Alert ∗∗∗ --------------------------------------------- Today, CISA published guidance on How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity as a part of a new Secure by Design (SbD) Alert series. This SbD Alert urges software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products using SbD principles: [...] --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/29/cisa-releases-first-secu… ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability ∗∗∗ --------------------------------------------- Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild. Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library. --------------------------------------------- https://thehackernews.com/2023/11/zero-day-alert-google-chrome-under.html ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-23-331-01 Delta Electronics InfraSuite Device Master * ICSA-23-331-02 Franklin Electric Fueling Systems Colibri * ICSA-23-331-03 Mitsubishi Electric GX Works2 * ICSMA-23-331-01 BD FACSChorus --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/28/cisa-releases-four-indus… ∗∗∗ SolarWinds Platform 2023.4.2 Release Notes ∗∗∗ --------------------------------------------- SolarWinds Platform 2023.4.2 is a service release providing bug and security fixes for release 2023.4. CVE-2023-40056: SQL Injection Remote Code Execution Vulnerability Severity: 8.0 (high) --------------------------------------------- https://documentation.solarwinds.com/en/success_center/orionplatform/conten… ∗∗∗ Arcserve Unified Data Protection Multiple Vulnerabilities ∗∗∗ --------------------------------------------- * CVE-2023-41998 - UDP Unauthenticated RCE * CVE-2023-41999 - UDP Management Authentication Bypass * CVE-2023-42000 - UDP Agent Unauthenticated Path Traversal File Upload Solution: Upgrade to Arcserve UDP version 9.2 or later. --------------------------------------------- https://www.tenable.com/security/research/tra-2023-37 ∗∗∗ Sicherheitslücke in Hikvision-Kameras und NVR ermöglicht unbefugten Zugriff ∗∗∗ --------------------------------------------- Verschiedene Modelle des chinesischen Herstellers gestatteten Angreifern den unbefugten Zugriff. Auch andere Marken sind betroffen, Patches stehen bereit. --------------------------------------------- https://www.heise.de/-9543336.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-bad1.0 and postgresql-multicorn), Fedora (golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, libcap, nats-server, openvpn, and python-geopandas), Mageia (kernel), Red Hat (c-ares, curl, fence-agents, firefox, kernel, kernel-rt, kpatch-patch, libxml2, pixman, postgresql, and tigervnc), SUSE (python-azure-storage-queue, python-Twisted, and python3-Twisted), and Ubuntu (afflib, ec2-hibinit-agent, linux-nvidia-6.2, linux-starfive-6.2, and poppler). --------------------------------------------- https://lwn.net/Articles/953226/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.11.2023
by Daily end-of-shift report 28 Nov '23

28 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 27-11-2023 18:00 − Dienstag 28-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a "severe design flaw" in Google Workspaces domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges. --------------------------------------------- https://thehackernews.com/2023/11/design-flaw-in-google-workspace-could.html ∗∗∗ LostTrust Ransomware ∗∗∗ --------------------------------------------- The LostTrust ransomware family has a fairly small victim pool and has compromised victims earlier this year. The encryptor has similar characteristcs to the MetaEncryptor ransomware family including code flow and strings which indicates that the encryptor is a variant from the original MetaEncryptor source. --------------------------------------------- https://www.shadowstackre.com/analysis/losttrust ∗∗∗ Slovenian power company hit by ransomware ∗∗∗ --------------------------------------------- Slovenian power generation company Holding Slovenske Elektrarne (HSE) has been hit by ransomware and has had some of its data encrypted. The attack HSE is a state-owned company that controls numerous hydroelectric, thermal and coal-fired power plants. The company has declined to share any details about the cyber intrusion, but has confirmed that operation of its power plants has not been affected. --------------------------------------------- https://www.helpnetsecurity.com/2023/11/28/slovenian-power-company-ransomwa… ∗∗∗ Exploitation of Critical ownCloud Vulnerability Begins ∗∗∗ --------------------------------------------- Threat actors have started exploiting a critical ownCloud vulnerability leading to sensitive information disclosure. --------------------------------------------- https://www.securityweek.com/exploitation-of-critical-owncloud-vulnerabilit… ∗∗∗ Webinar: Sicheres Online-Shopping ∗∗∗ --------------------------------------------- Darf ich Artikel immer zurücksenden und wie lange habe ich dafür Zeit? Was ist das Rücktrittsrecht und welche Zahlungsmethoden gelten als sicher? Dieses Webinar gibt rechtliche Tipps und Infos zum sicheren Online-Einkauf. Nehmen Sie kostenlos teil: Montag, 11. Dezember 2023, 18:30 - 20:00 Uhr via zoom --------------------------------------------- https://www.watchlist-internet.at/news/webinar-sicheres-online-shopping-2/ ∗∗∗ Betrügerische Plattform für Sportwetten: xxwin.bet ∗∗∗ --------------------------------------------- xxwin.bet ist eine betrügerische Online-Plattform für Sportwetten. Die Plattform wird meist in fragwürdigen Telegram-Kanälen empfohlen. Wenn Sie dort einzahlen, verlieren Sie Ihr Geld, denn die Plattform zahlt keine Gewinne aus. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-plattform-fuer-sportw… ===================== = Vulnerabilities = ===================== ∗∗∗ Missing Certificate Validation & User Enumeration in Anveo Mobile App and Server ∗∗∗ --------------------------------------------- The Anveo Mobile App (Windows version) does not validate server certificates and therefore enables man-in-the-middle attacks. The Anveo Server is also vulnerable against user enumeration because of different error messages for existing vs. non-existing users. The vendor was unresponsive and did not reply to our communication attempts and even deleted our comment to request a contact on LinkedIn, see the timeline section further below. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/missing-certificate-vali… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cryptojs, fastdds, mediawiki, and minizip), Fedora (chromium, kubernetes, and thunderbird), Mageia (lilypond, mariadb, and packages), Red Hat (firefox, linux-firmware, and thunderbird), SUSE (compat-openssl098, gstreamer-plugins-bad, squashfs, squid, thunderbird, vim, and xerces-c), and Ubuntu (libtommath, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, perl, and python3.8, python3.10, python3.11). --------------------------------------------- https://lwn.net/Articles/953099/ ∗∗∗ Critical Vulnerability Found in Ray AI Framework ∗∗∗ --------------------------------------------- Tracked as CVE-2023-48023, the bug exists because Ray does not properly enforce authentication on at least two of its components, namely the dashboard and client. A remote attacker can abuse this issue to submit or delete jobs without authentication. Furthermore, the attacker could retrieve sensitive information and execute arbitrary code, Bishop Fox says. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-found-in-ray-ai-framewo… ∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and APs ∗∗∗ --------------------------------------------- CVEs: CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, CVE-2023-5960 --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Joomla: [20231101] - Core - Exposure of environment variables ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/919-20231101-core-exposure… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ FESTO: Multiple products affected by WIBU Codemeter vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-036/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.11.2023
by Daily end-of-shift report 27 Nov '23

27 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-11-2023 18:00 − Montag 27-11-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Atomic Stealer malware strikes macOS via fake browser updates ∗∗∗ --------------------------------------------- The ClearFake fake browser update campaign has expanded to macOS, targeting Apple computers with Atomic Stealer (AMOS) malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strik… ∗∗∗ EvilSlackbot: A Slack Attack Framework ∗∗∗ --------------------------------------------- To authenticate to the Slack API, each bot is assigned an api token that begins with xoxb or xoxp. More often than not, these tokens are leaked somewhere. When these tokens are exfiltrated during a Red Team exercise, it can be a pain to properly utilize them. Now EvilSlackbot is here to automate and streamline that process. You can use EvilSlackbot to send spoofed Slack messages, phishing links, files, and search for secrets leaked in slack. [..] In addition to red teaming, EvilSlackbot has also been developed with Slack phishing simulations in mind. --------------------------------------------- https://github.com/Drew-Sec/EvilSlackbot ∗∗∗ Scans for ownCloud Vulnerability (CVE-2023-49103), (Mon, Nov 27th) ∗∗∗ --------------------------------------------- Last week, ownCloud released an advisory disclosing a new vulnerability, CVE-2023-49103 [1]. The vulnerability will allow attackers to gain access to admin passwords. To exploit the vulnerability, the attacker will use the "graphapi" app to access the output of "phpinfo". If the ownCloud install runs in a container, it will allow access to admin passwords, mail server credentials, and license keys. --------------------------------------------- https://isc.sans.edu/diary/rss/30432 ∗∗∗ WordPress Vulnerability & Patch Roundup November 2023 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/11/wordpress-vulnerability-patch-roundup-novem… ∗∗∗ Experts Uncover Passive Method to Extract Private RSA Keys from SSH Connections ∗∗∗ --------------------------------------------- A new study has demonstrated that its possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing when naturally occurring computational faults that occur while the connection is being established. [..] The researchers described the method as a lattice-based key recovery fault attack, which allowed them to retrieve the private keys corresponding to 189 unique RSA public keys that were subsequently traced to devices from four manufacturers: Cisco, Hillstone Networks, Mocana, and Zyxel. --------------------------------------------- https://thehackernews.com/2023/11/experts-uncover-passive-method-to.html ∗∗∗ Eine Milliarde unsichere Webseiten … Vergessen Sie die Duschmatte nicht! ∗∗∗ --------------------------------------------- In der Werbung aufgebauschte Risiken dienen eher dem Verkauf von Sicherheitsprodukten als der Sicherheit selbst. Im Gegenteil, für diese sind sie oft schädlich. --------------------------------------------- https://www.heise.de/meinung/Eine-Milliarde-unsichere-Webseiten-Vergessen-S… ∗∗∗ BSI und weitere Cybersicherheitsbehörden veröffentlichen KI-Richtlinien ∗∗∗ --------------------------------------------- Das BSI veröffentlicht Richtlinien für sichere KI-Systeme in Zusammenarbeit mit Partnerbehörden aus Großbritannien und den USA. --------------------------------------------- https://www.heise.de/news/BSI-und-weitere-Cybersicherheitsbehoerden-veroeff… ∗∗∗ Free Micropatches For Microsoft Access Forced Authentication Through Firewall (0day) ∗∗∗ --------------------------------------------- On November 9, 2023, Check Point Research published an article about an "information disclosure" / "forced authentication" vulnerability in Microsoft Access that allows an attacker to obtain the victim's NTLM hash by having them open a Microsoft Office document (docx, rtf, accdb, etc.) with an embedded Access database. --------------------------------------------- https://blog.0patch.com/2023/11/free-micropatches-for-microsoft-access.html ∗∗∗ Vorsicht vor Fake-Shops für Skins ∗∗∗ --------------------------------------------- Beim Online-Shop fngalaxy.de finden Sie Skins und Accounts für Fortnite. „Renegade Raider“, „OG Ghoul Trooper“ oder „Black Knight“ werden dort vergünstigt angeboten. Wir raten aber von einer Bestellung ab, da Sie nur mit einem Paysafecard- oder Amazon-Code bezahlen können und Ihre Bestellung nicht erhalten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-fuer-skins/ ∗∗∗ Warnung vor betrügerischen Mails im Namen von Finanz Online ∗∗∗ --------------------------------------------- Die täuschend echt wirkenden E-Mails verlinken auf eine gefälschte Website, auf der die Opfer wiederum ihre Bankdaten eingeben sollen --------------------------------------------- https://www.derstandard.at/story/3000000197015/warnung-betrugs-mails-finanz… ∗∗∗ LKA-Warnung vor gefälschten Temu-Benachrichtigungen ∗∗∗ --------------------------------------------- Das Landeskriminalamt Niedersachsen hat die Tage eine Warnung herausgegeben, die Kunden des chinesischen Billig-Versandhändlers Temu betrifft. Betrüger versuchen Empfänger mit der Vorspiegelung falscher Tatsachen in Form einer vorgeblichen Temu-Benachrichtigung zur Preisgabe persönlicher Informationen zu bringen. Hier ein kurzer Überblick [..] --------------------------------------------- https://www.borncity.com/blog/2023/11/26/lka-warnung-vor-geflschten-temu-be… ∗∗∗ Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604) ∗∗∗ --------------------------------------------- While monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) has discovered the attack case in which the group is assumed to be exploiting Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware. --------------------------------------------- https://asec.ahnlab.com/en/59318/ ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-34053, CVE-2023-34055: Spring Framework and Spring Boot vulnerabilities ∗∗∗ --------------------------------------------- The Spring Framework 6.0.14 release shipped on November 16th includes a fix for CVE-2023-34053. The Spring Boot 2.7.18 release shipped on November 23th includes fixes for CVE-2023-34055. Users are encouraged to update as soon as possible. --------------------------------------------- https://spring.io/blog/2023/11/27/cve-2023-34053-cve-2023-34055-spring-fram… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freeimage, gimp, gst-plugins-bad1.0, node-json5, opensc, python-requestbuilder, reportbug, strongswan, symfony, thunderbird, and tiff), Fedora (chromium, galera, golang, kubernetes, mariadb, python-asyncssh, thunderbird, vim, and webkitgtk), Gentoo (AIDE, Apptainer, GLib, GNU Libmicrohttpd, Go, GRUB, LibreOffice, MiniDLNA, multipath-tools, Open vSwitch, phpMyAdmin, QtWebEngine, and RenderDoc), Slackware (vim), SUSE (gstreamer-plugins-bad, java-1_8_0-ibm, openvswitch, poppler, slurm, slurm_22_05, slurm_23_02, sqlite3, vim, webkit2gtk3, and xrdp), and Ubuntu (openvswitch and thunderbird). --------------------------------------------- https://lwn.net/Articles/952923/ ∗∗∗ MISP 2.4.179 released with a host of improvements a security fix and some new tooling. ∗∗∗ --------------------------------------------- MISP 2.4.179 released with a host of improvements a security fix and some new tooling.First baby steps taken towards LLM integration. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.179 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.11.2023
by Daily end-of-shift report 24 Nov '23

24 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-11-2023 18:00 − Freitag 24-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Building your first metasploit exploit ∗∗∗ --------------------------------------------- This post outlines the process I followed to transform the authenticated Remote Code Execution (RCE) vulnerability in PRTG, identified as CVE-2023-32781, into a Metasploit exploit. The focus here is on the development of the exploit itself, rather than the steps for exploiting the RCE. For specific details on the vulnerability, please refer to the corresponding post titled PRTG Remote Code Execution. --------------------------------------------- https://baldur.dk/blog/writing-metasploit-exploit.html ∗∗∗ OpenSSL 3.2 implementiert TCP-Nachfolger QUIC ∗∗∗ --------------------------------------------- Das Transportprotokoll QUIC nimmt mit OpenSSL Fahrt auf: Die Open-Source-Kryptobibliothek implementiert es in der neuen Version 3.2 – zumindest teilweise. --------------------------------------------- https://www.heise.de/-9538866.html ∗∗∗ Synology schließt Pwn2Own-Lücke in Router-Manager-Firmware ∗∗∗ --------------------------------------------- Im Betriebssystem für Synology-Router haben IT-Forscher beim Pwn2Own-Wettbewerb Sicherheitslücken aufgedeckt. Ein Update schließt sie. --------------------------------------------- https://www.heise.de/-9538922.html ∗∗∗ Telekopye: Chamber of Neanderthals’ secrets ∗∗∗ --------------------------------------------- Insight into groups operating Telekopye bots that scam people in online marketplaces --------------------------------------------- https://www.welivesecurity.com/en/eset-research/telekopye-chamber-neanderth… ∗∗∗ Atomic Stealer: Mac-Malware täuscht Nutzer mit angeblichen Browser-Updates ∗∗∗ --------------------------------------------- Die Updates bieten die Cyberkriminellen über kompromittierte Websites an. Atomic Stealer hat es unter anderem auf Passwörter in Apple iCloud Keychain abgesehen. --------------------------------------------- https://www.zdnet.de/88413104/atomic-stealer-mac-malware-taeuscht-nutzer-mi… ∗∗∗ Trend Micro Apex One Service Pack 1 Critical Patch (build 12534) ∗∗∗ --------------------------------------------- Kurzer Hinweis für Nutzer von Trend Micro Apex One für Windows. Der Hersteller hat zum Service Pack 1 den Critical Patch (build 12534) veröffentlicht (danke an den Leser für den Hinweis). Dieser Patch enthält eine Reihe von Korrekturen und Erweiterungen [...] --------------------------------------------- https://www.borncity.com/blog/2023/11/23/trend-micro-apex-one-service-pack-… ∗∗∗ Intel Arc und Iris Xe Grafiktreiber 31.0.101.4972 fixt Office-Probleme (Nov. 2023) ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag von dieser Woche, den ich mal separat herausziehe. Intel hat ein Update seiner Intel Arc und Iris Xe Grafiktreiber auf die Version 31.0.101.4972 veröffentlich. Dieses Update soll eine Reihe von Problemen (z.B bei Starfield (DX12) beheben. --------------------------------------------- https://www.borncity.com/blog/2023/11/24/intel-arc-und-iris-xe-grafiktreibe… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: TunnelCrack Vulnerabilities in VPN Clients ∗∗∗ --------------------------------------------- CVE(s): CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, CVE-2023-36671 Product(s): Sophos Connect Client 2.0 Workaround: Yes --------------------------------------------- https://www.sophos.com/en-us/security-advisories/sophos-sa-20231124-tunnelc… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023) ∗∗∗ --------------------------------------------- Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 [...] --------------------------------------------- https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, gnutls28, intel-microcode, and tor), Fedora (chromium, microcode_ctl, openvpn, and vim), Gentoo (LinuxCIFS utils, SQLite, and Zeppelin), Oracle (c-ares, container-tools:4.0, dotnet7.0, kernel, kernel-container, nodejs:20, open-vm-tools, squid:4, and tigervnc), Red Hat (samba and squid), Slackware (mozilla), SUSE (fdo-client, firefox, libxml2, maven, maven-resolver, sbt, xmvn, poppler, python-Pillow, squid, strongswan, and xerces-c), and Ubuntu (apache2, firefox, glusterfs, nghttp2, poppler, python2.7, python3.5, python3.6, tiff, and zfs-linux). --------------------------------------------- https://lwn.net/Articles/952602/ ∗∗∗ ActiveMQ-5.18.2 RCE-shell-reverse-Metasploit ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023110026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.11.2023
by Daily end-of-shift report 23 Nov '23

23 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-11-2023 18:00 − Donnerstag 23-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Proof of Concept Exploit Publicly Available for Critical Windows SmartScreen Flaw ∗∗∗ --------------------------------------------- Threat actors were actively exploiting CVE-2023-36025 before Microsoft patched it in November. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/proof-of-concept-exploi… ∗∗∗ Consumer cyberthreats: predictions for 2024 ∗∗∗ --------------------------------------------- Kaspersky experts review last years predictions on consumer cyberthreats and try to anticipate the trends for 2024. --------------------------------------------- https://securelist.com/kaspersky-security-bulletin-consumer-threats-2024/11… ∗∗∗ Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks ∗∗∗ --------------------------------------------- An active malware campaign is leveraging two zero-day vulnerabilities with remote code execution (RCE) functionality to rope routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet. “The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful,” Akamai said in an advisory. --------------------------------------------- https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.ht… ∗∗∗ The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks ∗∗∗ --------------------------------------------- During the last few months, we conducted a study of some of the top ransomware families (12 in total) that either directly developed ransomware for Linux systems or were developed in languages with a strong cross-platform component, such as Golang or Rust, thereby allowing them to be compiled for both Windows and Linux indiscriminately. Our main objectives were to increase our understanding of the main motivations for developing ransomware targeting Linux instead of Windows systems, which historically have been the main target until now. --------------------------------------------- https://research.checkpoint.com/2023/the-platform-matters-a-comparative-stu… ∗∗∗ Your voice is my password ∗∗∗ --------------------------------------------- AI-driven voice cloning can make things far too easy for scammers – I know because I’ve tested it so that you don’t have to learn about the risks the hard way. --------------------------------------------- https://www.welivesecurity.com/en/cybersecurity/your-voice-is-my-password/ ∗∗∗ Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker ∗∗∗ --------------------------------------------- SysJoker, initially discovered by Intezer in 2021, is a multi-platform backdoor with multiple variants for Windows, Linux and Mac. The same malware was also analyzed in another report a few months after the original publication. Since then, SysJoker Windows variants have evolved enough to stay under the radar. --------------------------------------------- https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Uninstall Key Caching in Fortra Digital Guardian Agent Uninstaller (CVE-2023-6253) ∗∗∗ --------------------------------------------- The Digital Guardian Management Console is vulnerable to a Stored Cross-Site Scripting attack in the PDF Template functionality. The vendor replied that this is an intended feature. The Digital Guardian Agent Uninstaller File also caches the Uninstall Key which can be extracted by an attacker and be used to terminate and uninstall the agent. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/uninstall-key-caching-in… ∗∗∗ Sicherheitsschwachstellen in easySoft und easyE4 (SYSS-2023-007/-008/-009/-010) ∗∗∗ --------------------------------------------- In der Software „easySoft“ sowie dem Steuerrelais „easyE4“ der Eaton Industries GmbH wurden Schwachstellen gefunden. Diese ermöglichen sowohl das Extrahieren des Projektpassworts aus einer easySoft-Projektdatei als auch das Berechnen von Passwortkandidaten für easyE4-Programme, welche auf einer SD-Karte gespeichert sind. Darüber hinaus können auch Passwortkandidaten aus einem Netzwerkstream extrahiert werden, der z. B. während der Administration eines easyE4 aufgezeichnet wurde. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstellen-in-easysoft-und-… ∗∗∗ ownCloud Security Advisories 2023-11-21 ∗∗∗ --------------------------------------------- ownCloud released 3 security advisories: 2x critical, 1x high --------------------------------------------- https://owncloud.com/security/https://owncloud.com/security/ ∗∗∗ Atlassian rüstet Jira Data Center and Server & Co. gegen mögliche Attacken ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Softwarelösungen von Atlassian. Es kann Schadcode auf Systeme gelangen. --------------------------------------------- https://www.heise.de/-9537138 ∗∗∗ Sicherheitsupdates in Foxit PDF Reader 2023.3 und Foxit PDF Editor 2023.3 verfügbar ∗∗∗ --------------------------------------------- https://www.foxit.com/de/support/security-bulletins.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2023
by Daily end-of-shift report 22 Nov '23

22 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-11-2023 18:00 − Mittwoch 22-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ HrServ – Previously unknown web shell used in APT attack ∗∗∗ --------------------------------------------- In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021. --------------------------------------------- https://securelist.com/hrserv-apt-web-shell/111119/ ∗∗∗ ClearFake Campaign Expands to Deliver Atomic Stealer on Macs Systems ∗∗∗ --------------------------------------------- The macOS information stealer known as Atomic is now being delivered to target via a bogus web browser update chain tracked as ClearFake."This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes Jérôme Segura said in a Tuesday analysis. --------------------------------------------- https://thehackernews.com/2023/11/clearfake-campaign-expands-to-deliver.html ∗∗∗ Lumma malware can allegedly restore expired Google auth cookies ∗∗∗ --------------------------------------------- The Lumma information-stealer malware (aka LummaC2) is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. [..] This new feature allegedly introduced in recent Lumma releases is yet to be verified by security researchers or Google, so whether or not it works as advertised remains uncertain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lumma-malware-can-allegedly-… ∗∗∗ Windows Hello Fingerprint Authentication Bypassed on Popular Laptops ∗∗∗ --------------------------------------------- Researchers have tested the fingerprint sensors used for Windows Hello on three popular laptops and managed to bypass them. --------------------------------------------- https://www.securityweek.com/windows-hello-fingerprint-authentication-bypas… ∗∗∗ „Ich möchte meine Bankdaten ändern“: Dieses Mail an die Personalabteilung könnte Betrug sein ∗∗∗ --------------------------------------------- Kriminelle geben sich als Mitarbeiter:innen Ihres Unternehmens aus und bitten um Änderung Ihrer Bankdaten für die Gehaltsüberweisung. Wird das E-Mail nicht als Fake erkannt, wird das Gehalt der jeweiligen Mitarbeiter:innen auf das Bankkonto von Kriminellen überwiesen. Wir zeigen Ihnen, woher Kriminelle die Daten kennen und wie Sie sich schützen. --------------------------------------------- https://www.watchlist-internet.at/news/ich-moechte-meine-bankdaten-aendern-… ∗∗∗ The Ticking Supply Chain Attack Bomb of Exposed Kubernetes Secrets ∗∗∗ --------------------------------------------- Exposed Kubernetes secrets pose a critical threat of supply chain attack. Aqua Nautilus researchers found that the exposed Kubernetes secrets of hundreds of organizations and open-source projects allow access to sensitive environments in the Software Development Life Cycle (SDLC) and open a severe supply chain attack threat. Among the companies were SAP’s Artifacts management system with over 95 million, two top blockchain companies, and various other fortune-500 companies. --------------------------------------------- https://blog.aquasec.com/the-ticking-supply-chain-attack-bomb-of-exposed-ku… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in m-privacy TightGate-Pro ∗∗∗ --------------------------------------------- There are several vulnerabilities in the server which enables attackers to view the VNC sessions of other users, infect the VNC session with keyloggers and start internal phishing attacks. Additionally, a TightGate-Pro administrator can push malicious PDFs to the endpoint of the user. Furthermore, the update servers which are only reachable via an SSH-tunnel are severely outdated (2003). CVEs: CVE-2023-47250, CVE-2023-47251 --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Several Critical Vulnerabilities including Privilege Escalation, Authentication Bypass, and More Patched in UserPro WordPress Plugin ∗∗∗ --------------------------------------------- On May 1, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for multiple high and critical severity vulnerabilities we discovered in Kirotech’s UserPro plugin, which is actively installed on more than 20,000 WordPress websites [..] We made an initial attempt to contact Kirotech, the vendor of UserPro, on May 1, 2023, but we did not receive a response until May 10, 2023, after many additional attempts. After providing full disclosure details, the developer released the first patch on July 27, 2023, and the final patch on October 31, 2023. --------------------------------------------- https://www.wordfence.com/blog/2023/11/several-critical-vulnerabilities-inc… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gimp), Fedora (audiofile and firefox), Mageia (postgresql), Red Hat (binutils, c-ares, fence-agents, glibc, kernel, kernel-rt, kpatch-patch, libcap, libqb, linux-firmware, ncurses, pixman, python-setuptools, samba, and tigervnc), Slackware (kernel and mozilla), SUSE (apache2-mod_jk, avahi, container-suseconnect, java-1_8_0-openjdk, libxml2, openssl-1_0_0, openssl-1_1, openvswitch, python3-setuptools, strongswan, ucode-intel, and util-linux), and Ubuntu (frr, gnutls28, hibagent, linux, linux-aws, linux-aws-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-oem-6.1, mosquitto, rabbitmq-server, squid, and tracker-miners). --------------------------------------------- https://lwn.net/Articles/952312/ ∗∗∗ Mozilla Releases Security Updates for Firefox and Thunderbird ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/22/mozilla-releases-securit… ∗∗∗ Fix for BIRT Report Engine that is vulnerable due to nested jtidy.jar r938 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081112 ∗∗∗ Vulnerability in Apache HTTP Server affects IBM HTTP Server used by IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081354 ∗∗∗ IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081403 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.11.2023
by Daily end-of-shift report 21 Nov '23

21 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 20-11-2023 18:00 − Dienstag 21-11-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits ∗∗∗ --------------------------------------------- The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits."Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the hosts resources to mine cryptocurrencies like Bitcoin, [..] --------------------------------------------- https://thehackernews.com/2023/11/kinsing-hackers-exploit-apache-activemq.h… ∗∗∗ How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography ∗∗∗ --------------------------------------------- Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them. --------------------------------------------- https://thehackernews.com/2023/11/how-multi-stage-phishing-attacks.html ∗∗∗ Gefälschte Zeitungsartikel bewerben betrügerische Investment-Angebote ∗∗∗ --------------------------------------------- Kriminelle fälschen Webseiten von Medien wie oe24 und ORF und füllen diese mit Fake-News. In den gefälschten Artikeln wird eine Möglichkeit beworben, wie man schnell reich wird. Angeblich geben Christoph Grissemann, Miriam Weichselbraun oder Armin Assinger Investitionstipps und erklären, dass jeder Mensch mit nur 250 Euro in wenigen Monaten eine Million machen kann. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-zeitungsartikel-bewerben… ∗∗∗ CISA, FBI, MS-ISAC, and ASD’s ACSC Release Advisory on LockBit Affiliates Exploiting Citrix Bleed ∗∗∗ --------------------------------------------- Today, the (CISA), (FBI), (MS-ISAC), and Australian (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: LockBit Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (along with an accompanying analysis report MAR-10478915-1.v1 Citrix Bleed), in response to LockBit 3.0 ransomware affiliates and multiple threat actor groups exploiting CVE-2023-4966. Labeled Citrix Bleed, the vulnerability affects Citrix’s NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/21/cisa-fbi-ms-isac-and-asd… ===================== = Vulnerabilities = ===================== ∗∗∗ Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets ∗∗∗ --------------------------------------------- Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underlying operating system, and configure central config server settings. CVE Identifiers: CVE-2023-44353, CVE-2023-29300, CVE-2023-38203, CVE-2023-38204 --------------------------------------------- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusio… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (activemq, strongswan, and wordpress), Mageia (u-boot), SUSE (avahi, frr, libreoffice, nghttp2, openssl, openssl1, postgresql, postgresql15, postgresql16, python-Twisted, ucode-intel, and xen), and Ubuntu (avahi, hibagent, nodejs, strongswan, tang, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/952088/ ∗∗∗ Synology-SA-23:16 SRM (PWN2OWN 2023) ∗∗∗ --------------------------------------------- The vulnerabilities allow man-in-the-middle attackers to execute arbitrary code or access intranet resources via a susceptible version of Synology Router Manager (SRM).A vulnerability reported by PWN2OWN 2023 has been addressed. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_16 ∗∗∗ [nextcloud]: Server-Side Request Forgery (SSRF) in Mail app ∗∗∗ --------------------------------------------- An attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4… ∗∗∗ [nextcloud]: DNS pin middleware can be tricked into DNS rebinding allowing SSRF ∗∗∗ --------------------------------------------- The DNS pin middleware was vulnerable to DNS rebinding allowing an attacker to perform SSRF as a final result. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ [nextcloud]: user_ldap app logs user passwords in the log file on level debug ∗∗∗ --------------------------------------------- When the log level was set to debug the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users' passwords would be leaked. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3… ∗∗∗ [nextcloud]: Can enable/disable birthday calendar for any user ∗∗∗ --------------------------------------------- An attacker could enable and disable the birthday calendar for any user on the same server. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ [nextcloud]: Admins can change authentication details of user configured external storage ∗∗∗ --------------------------------------------- It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2… ∗∗∗ [nextcloud]: Self XSS when pasting HTML into Text app with Ctrl+Shift+V ∗∗∗ --------------------------------------------- When a user is tricked into copy pasting HTML code without markup (Ctrl+Shift+V) the markup will actually render. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p… ∗∗∗ [nextcloud]: HTML injection in search UI when selecting a circle with HTML in the display name ∗∗∗ --------------------------------------------- An attacker could insert links into circles name that would be opened when clicking the circle name in a search filter. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w… ∗∗∗ [nextcloud]: Users can make external storage mount points inaccessible for other users ∗∗∗ --------------------------------------------- A malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f… ∗∗∗ Zyxel security advisory for out-of-bounds write vulnerability in SecuExtender SSL VPN Client software ∗∗∗ --------------------------------------------- The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software could allow a local authenticated user to gain a privilege escalation by sending a crafted CREATE message. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ WAGO: Remote Code execution vulnerability in managed Switches ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-037/ ∗∗∗ PHOENIX CONTACT: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-062/ ∗∗∗ Multiple vulnerabilities on [Bosch Rexroth] ctrlX HMI / WR21 ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-175607.html ∗∗∗ IBM Sterling B2B Integrator is affected by vulnerability in JDOM (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080105 ∗∗∗ IBM Sterling B2B Integrator dashboard is vulnerable to cross-site request forgery (CVE-2022-35638) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080104 ∗∗∗ IBM Sterling B2B Integrator affected by FasterXML Jackson-data vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080107 ∗∗∗ IBM Sterling B2B Integrator affected by XStream security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080106 ∗∗∗ IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080117 ∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080118 ∗∗∗ Multiple security vulnerabilities have been identified in DB2 JDBC driver shipped with IBM Tivoli Business Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080122 ∗∗∗ There is an Apache vulnerability in Liberty used by the IBM Maximo Manage application in the IBM Maximo Application Suite (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080157 ∗∗∗ There is a vulnerability in jetty-http-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080156 ∗∗∗ There is a vulnerability in jetty-server-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080155 ∗∗∗ Multiple security vulnerabilities in Snake YAML affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080177 ∗∗∗ IBM Sterling B2B Integrator affected by remote code execution due to Snake Yaml (CVE-2022-1471) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080174 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-25682) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080172 ∗∗∗ IBM Sterling B2B Integrator is affected by sensitive information exposure due to Apache James MIME4J (CVE-2022-45787) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080175 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080176 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.11.2023
by Daily end-of-shift report 20 Nov '23

20 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-11-2023 18:00 − Montag 20-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit for CrushFTP RCE chain released, patch now ∗∗∗ --------------------------------------------- A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-cha… ∗∗∗ Lumma Stealer malware now uses trigonometry to evade detection ∗∗∗ --------------------------------------------- The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software - the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lumma-stealer-malware-now-us… ∗∗∗ Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits ∗∗∗ --------------------------------------------- The Kinsing malware operator is actively exploiting the CVE-2023-46604 critical vulnerability in the Apache ActiveMQ open-source message broker to compromise Linux systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kinsing-malware-exploits-apa… ∗∗∗ New "Agent Tesla" Variant: Unusual "ZPAQ" Archive Format Delivers Malware ∗∗∗ --------------------------------------------- A new variant of Agent Tesla uses the uncommon compression format ZPAQ to steal information from approximately 40 web browsers and various email clients. But what exactly is this file compression format? What advantage does it provide to threat actors? And why it is assumed that the version of Agent Tesla is “new”? --------------------------------------------- https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq ∗∗∗ DarkGate and PikaBot Malware Resurrect QakBots Tactics in New Phishing Attacks ∗∗∗ --------------------------------------------- Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan. “These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery,” Cofense said in a report [...] --------------------------------------------- https://thehackernews.com/2023/11/darkgate-and-pikabot-malware-resurrect.ht… ∗∗∗ NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors ∗∗∗ --------------------------------------------- Threat actors are targeting the education, government and business services sectors with a remote access trojan called NetSupport RAT. "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns," VMware Carbon Black researchers said in a report [...] --------------------------------------------- https://thehackernews.com/2023/11/netsupport-rat-infections-on-rise.html ∗∗∗ Visual Studio Code Security: Markdown Vulnerabilities in Third-Party Extensions ∗∗∗ --------------------------------------------- In this blog post, we present code vulnerabilities we found in GitLens (27 million installs) and GitHub Pull Requests and Issues (15 million installs). We will first give some background on VSCode internals, then explain the vulnerable portions of the code, and finally show how these issues can be prevented. --------------------------------------------- https://www.sonarsource.com/blog/vscode-security-markdown-vulnerabilities-i… ∗∗∗ Xen Project Releases Version 4.18 with New Security, Performance, and Architecture Enhancements for AI/ML Applications ∗∗∗ --------------------------------------------- The Xen Project, an open source hypervisor hosted at the Linux Foundation, today announced the release of Xen Project Hypervisor 4.18 with architecture enhancements for High Performance Computing (HPC) and Machine Learning (ML) applications, as well as higher security and performance features. --------------------------------------------- https://xenproject.org/2023/11/20/xen-project-releases-version-4-18-with-ne… ∗∗∗ How to perform basic digital forensics on a Windows computer ∗∗∗ --------------------------------------------- Digital forensics is a critical field in the investigation of cybercrimes, data breaches, and other digital incidents. As our reliance on computers continues to grow, the need for skilled digital forensics professionals is more crucial than ever. In this guide, we will explore the basics of performing digital [...] --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/how-to-perform-basi… ===================== = Vulnerabilities = ===================== ∗∗∗ Updates für Trellix ePolicy Orchestrator schließen Sicherheitslücken ∗∗∗ --------------------------------------------- Trellix, Nachfolger von McAfee und FireEye, hat den ePolicy Orchestrator aktualisiert. Das Update schließt etwa eine hochriskant eingestufte Schwachstelle. --------------------------------------------- https://www.heise.de/-9533816.html ∗∗∗ Synology schließt kritische Firmware-Lücke in Überwachungskameras ∗∗∗ --------------------------------------------- Angreifer können eigenen Code auf Überwachungskameras von Synology ausführen. --------------------------------------------- https://www.heise.de/-9534072.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freerdp2, lwip, netty, and wireshark), Fedora (dotnet6.0, dotnet7.0, golang, gst-devtools, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, gstreamer1-vaapi, podman-tui, prometheus-podman-exporter, python-gstreamer1, syncthing, and tigervnc), Mageia (chromium-browser-stable, haproxy, and tigervnc), Oracle (curl, ghostscript, microcode_ctl, nghttp2, open-vm-tools, samba, and squid), SUSE (gcc13, postgresql14, and yt-dlp), and Ubuntu (iniparser). --------------------------------------------- https://lwn.net/Articles/951999/ ∗∗∗ Schwachstelle CVE-2023-46302 in Apache Submarine ∗∗∗ --------------------------------------------- In Apache Submarine gibt es eine kritische Remote Code Execution-Schwachstelle CVE-2023-46302. Die Schwachstelle rührt von einer Sicherheitslücke in snakeyaml (CVE-2022-1471) her und gefährdet Apache Submarine-Benutzer, da Angreifer beliebigen Code auf verwundbaren Systemen ausführen können. --------------------------------------------- https://www.borncity.com/blog/2023/11/20/schwachstelle-cve-2023-46302-in-ap… ∗∗∗ Multiple vulnerabilities in LuxCal Web Calendar ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN15005948/ ∗∗∗ WAGO: Improper privilege management in web-based management ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-015/ ∗∗∗ [R1] Security Center Version 6.2.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-42 ∗∗∗ CVE-2022-41713 An issue was discovered in deep-object-diff version 1.1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079403 ∗∗∗ CVE-2022-24434 An issue was discovered in the npm package dicer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079460 ∗∗∗ Vulnerability in d3-color affects IBM UrbanCode Velocity . WS-2022-0322 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079484 ∗∗∗ IBM Storage Protect for Virtual Environments is vulnerable to arbitrary code execution, sensitive information disclosure, and denial of service due to CVEs in Apache Velocity, Apache Jena, and XStream (woodstox) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079947 ∗∗∗ QRadar Suite Software includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080058 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Go HTML injection vulnerabilitiy [CVE-2023-24539] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080057 ∗∗∗ IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to libcurl and cURL. (CVE-2023-38546, CVE-2023-38545) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7076344 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2023
by Daily end-of-shift report 17 Nov '23

17 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-11-2023 18:00 − Freitag 17-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ MySQL servers targeted by Ddostf DDoS-as-a-Service botnet ∗∗∗ --------------------------------------------- MySQL servers are being targeted by the Ddostf malware botnet to enslave them for a DDoS-as-a-Service platform whose firepower is rented to other cybercriminals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mysql-servers-targeted-by-dd… ∗∗∗ Beyond -n: Optimizing tcpdump performance, (Thu, Nov 16th) ∗∗∗ --------------------------------------------- If you ever had to acquire packets from a network, you probably used tcpdump. Other tools (Wireshark, dumpcap, snort...) can do the same thing, but none is as widely used as tcpdump. tcpdump is simple to use, fast, and universally available (and free!). --------------------------------------------- https://isc.sans.edu/diary/rss/30408 ∗∗∗ Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware ∗∗∗ --------------------------------------------- Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER. --------------------------------------------- https://thehackernews.com/2023/11/beware-malicious-google-ads-trick.html ∗∗∗ Understanding the Phobos affiliate structure and activity ∗∗∗ --------------------------------------------- Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common variants --------------------------------------------- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-struc… ∗∗∗ ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims ∗∗∗ --------------------------------------------- Researchers noted that ALPHV/BlackCat threat actors gain initial access to their target’s IT networks through three methods. These include exploiting stolen or compromised login credentials to gain unauthorized access, exploiting vulnerabilities in remote management/monitoring tools to access IT systems, and browser-based attacks in which users are tricked into visiting malicious websites that deliver malware or malicious links in emails or social media posts. --------------------------------------------- https://www.hackread.com/alphv-blackcat-ransomware-gang-google-ads/ ∗∗∗ CISA Releases The Mitigation Guide: Healthcare and Public Health (HPH) Sector ∗∗∗ --------------------------------------------- Today, CISA released the Mitigation Guide: Healthcare and Public Health (HPH) Sector as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/17/cisa-releases-mitigation… ===================== = Vulnerabilities = ===================== ∗∗∗ Bildbearbeitung: Angreifer können Gimp Schadcode unterjubeln ∗∗∗ --------------------------------------------- Die freie Open-Source-Bildbearbeitung Gimp ist in Version 2.10.36 erschienen. Sie schließt Sicherheitslücken, die Codeschmuggel erlauben. --------------------------------------------- https://www.heise.de/news/Bildbearbeitung-Angreifer-koennen-Gimp-Schadcode-… ∗∗∗ FortiNet flickt schwere Sicherheitslücken in FortiOS und anderen Produkten ∗∗∗ --------------------------------------------- Neben FortiOS und FortiClient sind auch FortiSIEM, FortiWLM und weitere von zum Teil kritischen Security-Fehlern betroffen. Admins sollten patchen. --------------------------------------------- https://www.heise.de/news/FortiNet-flickt-schwere-Sicherheitsluecken-in-For… ∗∗∗ Anonymisierendes Linux: Tails 5.19.1 behebt Tor-Lücke, Audit-Ergebnisse sind da ∗∗∗ --------------------------------------------- Ein offenbar aus der Ferne ausnutzbarer Bug in Tor führte zum neuerlichen Update. Die Ergebnisse der kürzlichen Sicherheitsprüfung hingegen sind positiv. --------------------------------------------- https://www.heise.de/news/Anonymisierendes-Linux-Tails-5-19-1-behebt-Tor-Lu… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (microcode_ctl, pack, and tigervnc), Slackware (gimp), SUSE (frr, gcc13, go1.20, go1.20-openssl, go1.21, go1.21-openssl, libnbd, libxml2, python-Pillow, python-urllib3, and xen), and Ubuntu (intel-microcode and openvpn). --------------------------------------------- https://lwn.net/Articles/951801/ ∗∗∗ Over a Dozen Exploitable Vulnerabilities Found in AI/ML Tools ∗∗∗ --------------------------------------------- Since August 2023, members of the Huntr bug bounty platform for artificial intelligence (AI) and machine learning (ML) have uncovered over a dozen vulnerabilities exposing AI/ML models to system takeover and sensitive information theft. Identified in tools with hundreds of thousands or millions of downloads per month, such as H2O-3, MLflow, and Ray, these issues potentially impact the entire AI/ML supply chain --------------------------------------------- https://www.securityweek.com/over-a-dozen-exploitable-vulnerabilities-found… ∗∗∗ [R1] Nessus Agent Version 10.4.4 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated attacker with privileges on the managing application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-41 ∗∗∗ [R1] Nessus Version 10.6.3 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-40 ∗∗∗ [R1] Nessus Version 10.5.7 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-39 ∗∗∗ Juniper Releases Security Advisory for Juniper Secure Analytics ∗∗∗ --------------------------------------------- Juniper released a security advisory to address multiple vulnerabilities affecting Juniper Secure Analytics. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the Juniper advisory JSA74298 and apply the necessary updates. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/17/juniper-releases-securit… ∗∗∗ ZDI-23-1716: Luxion KeyShot Viewer KSP File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1716/ ∗∗∗ SVD-2023-1107: November 2023 Splunk Universal Forwarder Third-Party Updates ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1107 ∗∗∗ SVD-2023-1106: November 2023 Third-Party Package Updates in Splunk Enterprise ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1106 ∗∗∗ SVD-2023-1105: November 2023 Third Party Package updates in Splunk Enterprise ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1105 ∗∗∗ SVD-2023-1104: Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1104 ∗∗∗ SVD-2023-1103: Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1103 ∗∗∗ SVD-2023-1102: Third Party Package Update in Splunk Add-on for Google Cloud Platform ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1102 ∗∗∗ SVD-2023-1101: Third Party Package Update in Splunk Add-on for Amazon Web Services ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1101 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077733 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Apache Ivy information disclosure vulnerabilitiy [CVE-2023-46751] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077734 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077736 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to snappy-java information disclosure vulnerabilitiy [CVE-2023-43642] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077735 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077739 ∗∗∗ IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070736 ∗∗∗ IBM Storage Fusion may be vulnerable to Unauthorized requests (SSRF), Improper path traversal, via k8s.io\/apimachinery, k8s.io\/apiserver (CVE-2022-3172, CVE-2022-3162) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077936 ∗∗∗ InfoSphere Information Server is vulnerable due to improper access control (CVE-2023-40363) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070742 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070740 ∗∗∗ IBM Storage Fusion may be vulnerable to Denial of Service via use of golang.org\/x\/net, x\/crypto, and x\/text (CVE-2022-30633, CVE-2022-27664, CVE-2022-28131, CVE-2022-41721, CVE-2021-43565, CVE-2022-27191, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077942 ∗∗∗ IBM Planning Analytics is affected by vulnerabilities in IBM Java, IBM Websphere Application Server Liberty and IBM GSKit ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070140 ∗∗∗ IBM Storage Fusion may be vulnerable to Denial of Service via use of openshift\/machine-api-operator, openshift\/machine-config-operator (CVE-2020-28851, CVE-2020-28852, CVE-2021-44716) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077938 ∗∗∗ IBM Storage Fusion may be vulnerable to Injection, Regular Expression Denial of Service (ReDoS), and Arbitrary Code Execution and via use of postcss, semver, babel-traverse (CVE-2023-45133, CVE-2022-25883, CVE-2023-44270) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077947 ∗∗∗ Java SE issues disclosed in the Oracle October 2023 Critical Patch Update plus CVE-2023-5676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078433 ∗∗∗ IBM Security SOAR is using a component with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7063706 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to libcurl vulnerabilities (CVE-2023-38546, CVE-2023-38545) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077530 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957156 ∗∗∗ Watson Machine Learning Accelerator on Cloud Pak for Data is affected by multiple vulnerabilities in Grafana ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078751 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078745 ∗∗∗ Red Lion Sixnet RTUs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.11.2023
by Daily end-of-shift report 16 Nov '23

16 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-11-2023 18:00 − Donnerstag 16-11-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups ∗∗∗ --------------------------------------------- A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens. --------------------------------------------- https://thehackernews.com/2023/11/zero-day-flaw-in-zimbra-email-software.ht… ∗∗∗ Deep Dive: Learning from Okta – the hidden risk of HAR files ∗∗∗ --------------------------------------------- HAR is short for HTTP Archive, and it’s a way of saving full details of the high-level network traffic in a web browsing session, usually for development, debugging, or testing purposes. --------------------------------------------- https://pducklin.com/2023/11/14/deep-dive-learning-from-okta-the-hidden-ris… ∗∗∗ Fake-Shops locken mit Black-Friday-Angeboten ∗∗∗ --------------------------------------------- Rund um den Blackfriday lässt sich das ein oder andere Schnäppchen ergattern. Wir raten aber dazu, Online-Shops vor einer Bestellung genau zu prüfen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-locken-mit-black-friday-a… ∗∗∗ Attacker – hidden in plain sight for nearly six months – targeting Python developers ∗∗∗ --------------------------------------------- For close to six months, a malicious actor has been stealthily uploading dozens of malicious Python packages, most of them mimicking the names of legitimate ones, to bait unsuspecting developers. --------------------------------------------- https://checkmarx.com/blog/attacker-hidden-in-plain-sight-for-nearly-six-mo… ∗∗∗ FBI and CISA Release Advisory on Scattered Spider Group ∗∗∗ --------------------------------------------- Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) on Scattered Spider—a cybercriminal group targeting commercial facilities sectors and subsectors. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/16/fbi-and-cisa-release-adv… ===================== = Vulnerabilities = ===================== ∗∗∗ New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar ∗∗∗ --------------------------------------------- Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory. --------------------------------------------- https://thehackernews.com/2023/11/new-poc-exploit-for-apache-activemq.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and openvpn), Oracle (kernel, microcode_ctl, plexus-archiver, and python), Red Hat (.NET 6.0, dotnet6.0, dotnet7.0, dotnet8.0, kernel, linux-firmware, and open-vm-tools), SUSE (apache2, chromium, jhead, postgresql12, postgresql13, and qemu), and Ubuntu (dotnet6, dotnet7, dotnet8, frr, python-pip, quagga, and tidy-html5). --------------------------------------------- https://lwn.net/Articles/951681/ ∗∗∗ Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-052 ∗∗∗ FortiOS & FortiProxy VM - Bypass of root file system integrity checks at boot time on VM ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-396 ∗∗∗ FortiOS & FortiProxy - DOS in headers management ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-151 ∗∗∗ Cisco Secure Client Software Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IP Phone Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Endpoint for Windows Scanning Evasion Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco AppDynamics PHP Agent Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ FortiSIEM - OS command injection in Report Server ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-23-135 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2023-11 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2023-11-Security-Bulletin-JSA-S… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0010 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0010.html ∗∗∗ Released: November 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november… ∗∗∗ Citrix Releases Security Updates for Citrix Hypervisor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/16/citrix-releases-security… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2023
by Daily end-of-shift report 15 Nov '23

15 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-11-2023 18:00 − Mittwoch 15-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IPStorm botnet with 23,000 proxies for malicious traffic dismantled ∗∗∗ --------------------------------------------- The U.S. Department of Justive announced today that Federal Bureau of Investigation took down the network and infrastructure of a botnet proxy service called IPStorm. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ipstorm-botnet-with-23-000-p… ∗∗∗ The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses ∗∗∗ --------------------------------------------- At Fox-IT (part of NCC Group) identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in responses of HTTP servers. --------------------------------------------- https://blog.fox-it.com/2023/11/15/the-spelling-police-searching-for-malici… ∗∗∗ #StopRansomware: Rhysida Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a ===================== = Vulnerabilities = ===================== ∗∗∗ WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks ∗∗∗ --------------------------------------------- The WordPress plugin WP Fastest Cache is vulnerable to an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the sites database. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wp-fastest-cache-plugin-bug-… ∗∗∗ Reptar: Intel-CPU-Schwachstelle ermöglicht Rechteausweitung und DoS ∗∗∗ --------------------------------------------- Entdeckt wurde die Schwachstelle von Google-Forschern. Sie basiert wohl auf der Art und Weise, wie Intel-CPUs redundante Präfixe verarbeiten. --------------------------------------------- https://www.golem.de/news/reptar-intel-cpu-schwachstelle-ermoeglicht-rechte… ∗∗∗ Kein Patch verfügbar: VMware warnt vor kritischer Schwachstelle in Cloud Director ∗∗∗ --------------------------------------------- Die Schwachstelle ermöglicht es Angreifern, die Authentifizierung anfälliger VMware-Systeme zu umgehen und Schadcode einzuschleusen. --------------------------------------------- https://www.golem.de/news/kein-patch-verfuegbar-vmware-warnt-vor-kritischer… ∗∗∗ Cloud-Schutzlösung: IBM Security Guardium vielfältig attackierbar ∗∗∗ --------------------------------------------- Die IBM-Entwickler haben viele Sicherheitslücken in verschiedenen Komponenten von Security Guardium geschlossen. --------------------------------------------- https://www.heise.de/news/Cloud-Schutzloesung-IBM-Security-Guardium-vielfae… ∗∗∗ CacheWarp: Loch in Hardware-Verschlüsselung von AMD-CPUs ∗∗∗ --------------------------------------------- Der jetzt vorgestellte CacheWarp-Angriff überwindet die RAM-Verschlüsselung, mit der AMD-Prozessoren Cloud-Instanzen voneinander abschotten wollen. --------------------------------------------- https://www.heise.de/news/CacheWarp-Loch-in-Hardware-Verschluesselung-von-A… ∗∗∗ Patchday Adobe: Schadcode-Lücken in Acrobat, Photoshop & Co. geschlossen ∗∗∗ --------------------------------------------- Adobe hat Sicherheitsupdates für 15 Anwendungen veröffentlicht. Im schlimmsten Fall können Angreifer eigenen Code auf Systemen ausführen. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-Schadcode-Luecken-in-Acrobat-Photo… ∗∗∗ Patchday: SAP schließt eine kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Der November-Patchday weicht vom gewohnten Umfang ab: Lediglich drei neue Sicherheitslücken behandelt SAP. --------------------------------------------- https://www.heise.de/news/Patchday-SAP-schliesst-eine-kritische-Sicherheits… ∗∗∗ Sicherheitsupdates: Access Points von Aruba sind verwundbar ∗∗∗ --------------------------------------------- Angreifer können Schadcode auf Acces Points von Aruba ausführen. Sicherheitspatches sind verfügbar. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Acces-Points-von-Aruba-sind-ve… ∗∗∗ Patchday: Intel patcht sich durch sein Produkportfolio ∗∗∗ --------------------------------------------- Angreifer können mehrere Komponenten von Intel attackieren. In vielen Fällen sind DoS-Attacken möglich. --------------------------------------------- https://www.heise.de/news/Patchday-Intel-patcht-sich-durch-sein-Produkportf… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libclamunrar and ruby-sanitize), Fedora (frr, roundcubemail, and webkitgtk), Mageia (freerdp and tomcat), Red Hat (avahi, bind, c-ares, cloud-init, container-tools:4.0, container-tools:rhel8, cups, dnsmasq, edk2, emacs, flatpak, fwupd, ghostscript, grafana, java-21-openjdk, kernel, kernel-rt, libfastjson, libmicrohttpd, libpq, librabbitmq, libreoffice, libreswan, libX11, linux-firmware, mod_auth_openidc:2.3, nodejs:20, opensc, perl-HTTP-Tiny, [...] --------------------------------------------- https://lwn.net/Articles/951480/ ∗∗∗ November-Patchday: Microsoft schließt 63 Sicherheitslücken ∗∗∗ --------------------------------------------- Fünf Anfälligkeiten sind als kritisch eingestuft. Davon betroffen sind alle unterstützten Versionen von Windows. --------------------------------------------- https://www.zdnet.de/88412929/november-patchday-microsoft-schliesst-63-sich… ∗∗∗ QNX-2023-001 Vulnerability in QNX Networking Stack Impacts BlackBerry QNX Software Development Platform ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ ZDI-23-1636: NETGEAR CAX30 SSO Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1636/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-23583 and CVE-2023-46835 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX583037/citrix-hypervisor-security-bul… ∗∗∗ NVIDIA GPU Display Driver Advisory - October 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500588-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ NetApp SnapCenter Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500587-NETAPP-SNAPCENTER-PRIVI… ∗∗∗ AMD Radeon Graphics Kernel Driver Privilege Management Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500586-AMD-RADEON-GRAPHICS-KER… ∗∗∗ AMD Graphics Driver Vulnerabilities- November, 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500583-AMD-GRAPHICS-DRIVER-VUL… ∗∗∗ Intel Graphics Driver Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500584-INTEL-GRAPHICS-DRIVER-A… ∗∗∗ Intel Rapid Storage Technology Software Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500585 ∗∗∗ Multi-vendor BIOS Security Vulnerabilities (November 2023) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500589-MULTI-VENDOR-BIOS-SECUR… ∗∗∗ Fortinet Releases Security Updates for FortiClient and FortiGate ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/14/fortinet-releases-securi… ∗∗∗ K000137584 : Linux kernel vulnerability CVE-2023-1829 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137584 ∗∗∗ K000137582 : BIND vulnerability CVE-2023-3341 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137582 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2023
by Daily end-of-shift report 14 Nov '23

14 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 13-11-2023 18:00 − Dienstag 14-11-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CISA warns of actively exploited Juniper pre-auth RCE exploit chain ∗∗∗ --------------------------------------------- CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-explo… ∗∗∗ ChatGPT, Bard und andere: KI-Systeme ermöglichen Ausleiten von Daten ∗∗∗ --------------------------------------------- Durch gezielte Abfragen lassen sich private und geschützte Daten aus KI-Systemen ausleiten. Die Angriffe zeigen ein prinzipielles Problem. --------------------------------------------- https://www.golem.de/news/chatgpt-bard-und-andere-ki-systeme-ermoeglichen-a… ∗∗∗ Noticing command and control channels by reviewing DNS protocols, (Mon, Nov 13th) ∗∗∗ --------------------------------------------- Malicious software pieces installed in computers call home. Some of them can be noticed because they perform DNS lookup and some of them initiates connection without DNS lookup. For this last option, this is abnormal and can be noticed by any Network Detection and Response (NDR) tool that reviews the network traffic by at least two weeks. Most companies do not have money to afford a NDR, so I'm going to show you today an interesting tip that have worked for me to notice APT calling home when they perform DNS lookup. --------------------------------------------- https://isc.sans.edu/diary/rss/30396 ∗∗∗ Bug hunters on your marks: TETRA radio encryption algorithms to enter public domain ∗∗∗ --------------------------------------------- The algorithms are used by TETRA – short for the Terrestrial Trunked Radio protocol – and they are operated by governments, law enforcement, military and emergency services organizations in Europe, the UK, and other countries. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/11/14/tetra_encryp… ∗∗∗ Novel backdoor persists even after critical Confluence vulnerability is patched ∗∗∗ --------------------------------------------- Got a Confluence server? Listen up. Malware said to have wide-ranging capabilities. A new backdoor was this week found implanted in the environments of organizations to exploit the recently disclosed critical vulnerability in Atlassian Confluence. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/11/14/novel_backdo… ∗∗∗ Nothing new, still broken, insecure by default since then: Pythons e-mail libraries and certificate verification ∗∗∗ --------------------------------------------- Today, basically every e-mail provider supports TLS for their services and programmatically accessing e-mail services with Python code using TLS-wrapped clients is common. Python offers three libraries shipped with a standard installation for handling e-mail transfer. These modules are smtplib, imaplib, and poplib. While Python programming is usually straightforward, using these Python libraries require passing a magic parameter in the right way to use secure communication. --------------------------------------------- https://www.pentagrid.ch/en/blog/python-mail-libraries-certificate-verifica… ∗∗∗ LockBit ransomware group assemble strike team to breach banks, law firms and governments. ∗∗∗ --------------------------------------------- [...] I thought it would be good to break down what is happening and how they’re doing it, since LockBit are breaching some of the world’s largest organisations - many of whom have incredibly large security budgets. Through data allowing the tracking of ransomware operators, it has been possible to track individual targets. Recently, it has become clear they have been targeting a vulnerability in Citrix Netscaler, called CitrixBleed. --------------------------------------------- https://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-b… ∗∗∗ CVE Half-Day Watcher ∗∗∗ --------------------------------------------- CVE Half-Day Watcher is a security tool designed to highlight the risk of early exposure of Common Vulnerabilities and Exposures (CVEs) in the public domain. It leverages the National Vulnerability Database (NVD) API to identify recently published CVEs with GitHub references before an official patch is released. By doing so, CVE Half-Day Watcher aims to underscore the window of opportunity for attackers to "harvest" this information and develop exploits. --------------------------------------------- https://github.com/Aqua-Nautilus/CVE-Half-Day-Watcher ∗∗∗ Vorsicht vor Jobangeboten per SMS oder WhatsApp ∗∗∗ --------------------------------------------- Unerwartet erhalten Sie eine Nachricht von einer Personalvermittlungsagentur: Ihnen wird ein Job angeboten. Die Bezahlung ist gut und die Arbeitszeiten sind flexibel. Es geht darum, Hotels und Touristenattraktionen zu bewerten. Bei Interesse sollten Sie dem Arbeitgeber eine WhatsApp-Nachricht schicken. Ignorieren Sie dieses Jobangebot, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-sms-od… ∗∗∗ Ddostf DDoS Bot Malware Attacking MySQL Servers ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered that the Ddostf DDoS bot is being installed on vulnerable MySQL servers. Ddostf is a DDoS bot capable of conducting Distributed Denial of Service (DDoS) attacks on specific targets and was first identified around 2016. --------------------------------------------- https://asec.ahnlab.com/en/58878/ ∗∗∗ A Closer Look at ChatGPTs Role in Automated Malware Creation ∗∗∗ --------------------------------------------- This blog entry explores the effectiveness of ChatGPTs safety measures, the potential for AI technologies to be misused by criminal actors, and the limitations of current AI models. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/k/a-closer-look-at-chatgpt-s-r… ∗∗∗ Malicious Abrax666 AI Chatbot Exposed as Potential Scam ∗∗∗ --------------------------------------------- As of now, based on the information regarding the sale of the Abrax666 AI Chatbot, cybersecurity researchers are of the opinion that the chatbot is most likely a scam. --------------------------------------------- https://www.hackread.com/abrax666-ai-chatbot-exposed-as-potential-scam/ ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- Siemens has released 14 new and 18 updated Security Advisories. --------------------------------------------- https://www.siemens.com/global/en/products/services/cert.html?d=2023-11#Sie… ∗∗∗ Xen Security Advisory CVE-2023-46835 / XSA-445 - x86/AMD: mismatch in IOMMU quarantine page table levels ∗∗∗ --------------------------------------------- A device in quarantine mode can access data from previous quarantine page table usages, possibly leaking data used by previous domains that also had the device assigned. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-445.html ∗∗∗ Xen Security Advisory CVE-2023-46836 / XSA-446 - x86: BTC/SRSO fixes not fully effective ∗∗∗ --------------------------------------------- An attacker in a PV guest might be able to infer the contents of memory belonging to other guests. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-446.html ∗∗∗ SAP Security Patch Day –November2023 ∗∗∗ --------------------------------------------- On 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. Further, there were 3 updates to previously released Security Notes. --------------------------------------------- https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (postgresql-11, postgresql-13, and postgresql-15), Fedora (chromium, optipng, and radare2), Scientific Linux (plexus-archiver and python), Slackware (tigervnc), SUSE (apache2, containerized-data-importer, kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, postgresql, postgresql15, postgresql16, postgresql12, postgresql13, python-Django1, squashfs, and xterm), and Ubuntu (firefox and memcached). --------------------------------------------- https://lwn.net/Articles/951311/ ∗∗∗ ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric ∗∗∗ --------------------------------------------- Siemens and Schneider Electric’s Patch Tuesday advisories for November 2023 address 90 vulnerabilities affecting their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-90-vulnerabilities-addressed… ∗∗∗ Mattermost security updates 9.1.3 / 9.0.4 / 8.1.6 (ESR) / 7.8.15 (ESR) released ∗∗∗ --------------------------------------------- The security update is available for Mattermost dot releases 9.1.3, 9.0.4, 8.1.6 (Extended Support Release), and 7.8.15 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-1-3-9-0-4-8-1-6-e… ∗∗∗ TYPO3-CORE-SA-2023-007: By-passing Cross-Site Scripting Protection in HTML Sanitizer ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-007 ∗∗∗ TYPO3-CORE-SA-2023-006: Weak Authentication in Session Handling ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-006 ∗∗∗ TYPO3-CORE-SA-2023-005: Information Disclosure in Install Tool ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-005 ∗∗∗ IBM Integration Bus is vulnerable to multiple CVEs due to Apache Tomcat. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7072626 ∗∗∗ IBM QRadar Network Packet Capture includes components with multiple known vulnerabilities (CVE-2023-2828, CVE-2023-24329, CVE-2022-4839) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7073360 ∗∗∗ IBM Security Guardium is affected by multiple OS level vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7073592 ∗∗∗ AVEVA Operations Control Logger ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-01 ∗∗∗ Rockwell Automation SIS Workstation and ISaGRAF Workbench ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.11.2023
by Daily end-of-shift report 13 Nov '23

13 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-11-2023 18:00 − Montag 13-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ In a first, cryptographic keys protecting SSH connections stolen in new attack ∗∗∗ --------------------------------------------- An error as small as a single flipped memory bit is all it takes to expose a private key. --------------------------------------------- https://arstechnica.com/?p=1983026 ∗∗∗ Hackers breach healthcare orgs via ScreenConnect remote access ∗∗∗ --------------------------------------------- Security researchers are warning that hackers are targeting multiple healthcare organizations in the U.S. by abusing the ScreenConnect remote access tool. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-healthcare-or… ∗∗∗ New Ransomware Group Emerges with Hives Source Code and Infrastructure ∗∗∗ --------------------------------------------- The threat actors behind a new ransomware group called Hunters International have acquired the source code and infrastructure from the now-dismantled Hive operation to kick-start its own efforts in the threat landscape. "It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters [...] --------------------------------------------- https://thehackernews.com/2023/11/new-ransomware-group-emerges-with-hives.h… ∗∗∗ Abusing Microsoft Access “Linked Table” Feature to Perform NTLM Forced Authentication Attacks ∗∗∗ --------------------------------------------- 1. Microsoft Access (part of the Office suite) has a “linking to remote SQL Server tables” feature. 2. This feature can be abused by attackers to automatically leak the Windows user’s NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80. 3. The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf ) can work as well 4. This technique allows the attacker to bypass existing Firewall rules designed to block NTLM information stealing initiated by external attacks. --------------------------------------------- https://research.checkpoint.com/2023/abusing-microsoft-access-linked-table-… ∗∗∗ Bericht: IT-Sicherheit in Gesundheitsämtern vernachlässigt ∗∗∗ --------------------------------------------- Fehlendes Know-How, knappes Budget und unsichere Software. Ein Bericht schildert gravierende Sicherheitslücken in Gesundheitsämtern. --------------------------------------------- https://www.heise.de/-9404608.html ∗∗∗ Don’t throw a hissy fit; defend against Medusa ∗∗∗ --------------------------------------------- Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. --------------------------------------------- https://research.nccgroup.com/2023/11/13/dont-throw-a-hissy-fit-defend-agai… ∗∗∗ Cyber Threat Intelligence: Den Gegnern auf der Spur ∗∗∗ --------------------------------------------- Durch das Sammeln, Analysieren und Kontextualisieren von Informationen über mögliche Cyber-Bedrohungen, einschließlich der fortschrittlichsten, bietet Threat Intelligence eine wichtige Methode zur Identifizierung, Bewertung und Minderung von Cyber-Risiken --------------------------------------------- https://www.welivesecurity.com/de/business-security/cyber-threat-intelligen… ∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/13/cisa-adds-six-known-expl… ∗∗∗ Ransomware tracker: The latest figures [November 2023] ∗∗∗ --------------------------------------------- Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current Ransomware attacks across several key sectors dipped significantly in October, breaking a streak that has gone on for much of 2023. Ransomware gangs posted 243 victims to their extortion sites in October — a sharp decrease from the 455 [...] --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures ∗∗∗ RCE-Exploit für Wyze Cam v3 veröffentlicht (Nov. 2023) ∗∗∗ --------------------------------------------- Kurzer Hinweis für Besitzer von Indoor-Kameras des Anbieters Wyze. Deren Modell Wyze Com v3 enthält wohl Schwachstellen, über die Dritte auf die Kameradaten zugreifen können. Inzwischen ist ein RCE-Exploit für die Wyze Cam v3 veröffentlicht worden. --------------------------------------------- https://www.borncity.com/blog/2023/11/11/rce-exploit-fr-wyze-cam-v3-verffen… ∗∗∗ Facebook Fake-Benachrichtigungen "Seiten wegen Verletzung der Gemeinschaftsstandard gesperrt" ∗∗∗ --------------------------------------------- Auf Facebook scheint eine kriminelle Masche über den Messenger zu laufen, bei denen die Empfänger angeblich von Facebook-Meta-Mitarbeitern informiert werden, dass die Seiten wegen Verletzungen der Gemeinschaftsstandards o.ä. gesperrt worden seien. Es kommt ein Link mit Aufforderung zum Entsperren. Das ist aber Fake und ein Phishing-Versuch, um die Zugangsdaten abzufischen. --------------------------------------------- https://www.borncity.com/blog/2023/11/12/facebook-fake-benachrichtigungen-s… ∗∗∗ OracleIV DDoS Botnet Malware Targets Docker Engine API Instances ∗∗∗ --------------------------------------------- OracleIV is not a supply chain attack, it highlights the ongoing threat of misconfigured Docker Engine API deployments. --------------------------------------------- https://www.hackread.com/oracleiv-ddos-botnet-malware-docker-engine-api-ins… ∗∗∗ ACSC and CISA Release Business Continuity in a Box ∗∗∗ --------------------------------------------- Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASDs ACSC) and CISA released Business Continuity in a Box. Business Continuity in a Box, developed by ACSC with contributions from CISA, assists organizations with swiftly and securely standing up critical business functions during or following a cyber incident. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/13/acsc-and-cisa-release-bu… ===================== = Vulnerabilities = ===================== ∗∗∗ Local Privliege Escalation in Check Point Endpoint Security Remediation Service ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. --------------------------------------------- https://support.checkpoint.com/results/sk/sk181597 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (audiofile and ffmpeg), Fedora (keylime, python-pillow, and tigervnc), Mageia (quictls and vorbis-tools), Oracle (grub2), Red Hat (galera, mariadb, plexus-archiver, python, squid, and squid34), and SUSE (clamav, kernel, mupdf, postgresql14, tomcat, tor, and vlc). --------------------------------------------- https://lwn.net/Articles/951237/ ∗∗∗ CVE-2023-5950 Rapid7 Velociraptor Reflected XSS ∗∗∗ --------------------------------------------- This advisory covers a specific issue identified in Velociraptor and disclosed by a security code review. Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/10/cve-2023-5950-rapid7-velocirapt… ∗∗∗ Ivanti EPMM CVE-2023-39335/39337 ∗∗∗ --------------------------------------------- As part of our ongoing strengthening of the security of our products we have discovered two new vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core. We are reporting these vulnerabilities as CVE-2023-39335 and CVE-2023-39337. --------------------------------------------- https://www.ivanti.com/blog/ivanti-epmm-cve-2023-39335-39337 ∗∗∗ Mutiple Vulnerabilties Affecting Watson Machine Learning Accelerator on Cloud Pak for Data version ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7071340 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2023
by Daily end-of-shift report 10 Nov '23

10 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-11-2023 18:00 − Freitag 10-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ducktail fashion week ∗∗∗ --------------------------------------------- The Ducktail malware, designed to hijack Facebook business and ads accounts, sends marketing professionals fake ads for jobs with major clothing manufacturers. --------------------------------------------- https://securelist.com/ducktail-fashion-week/111017/ ∗∗∗ Routers Targeted for Gafgyt Botnet [Guest Diary], (Thu, Nov 9th) ∗∗∗ --------------------------------------------- The threat actor attempts to add my honeypot into a botnet so the threat actor can carry out DDoS attacks. The vulnerabilities used for the attack were default credentials and CVE-2017-17215. To prevent these attacks, make sure systems are patched and using strong credentials. --------------------------------------------- https://isc.sans.edu/diary/rss/30390 ∗∗∗ Malware: Mehr als 600 Millionen Downloads 2023 in Google Play ∗∗∗ --------------------------------------------- Kaspersky hat in diesem Jahr bereits mehr als 600 Millionen Malware-Downloads aus dem Google-Play-Store gezählt. Der bleibt aber sicherste Paketquelle. --------------------------------------------- https://www.heise.de/news/Malware-Mehr-als-600-Millionen-Downloads-2023-in-… ∗∗∗ Demystifying Cobalt Strike’s “make_token” Command ∗∗∗ --------------------------------------------- Cobalt Strike provides the make_token command to achieve a similar result to runas /netonly. --------------------------------------------- https://research.nccgroup.com/2023/11/10/demystifying-cobalt-strikes-make_t… ∗∗∗ High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites ∗∗∗ --------------------------------------------- Clickbait articles are highlighted in this article. A jump in compromised sites exploiting CVE-2023-3169 stresses the danger of web-based threats. --------------------------------------------- https://unit42.paloaltonetworks.com/dangers-of-clickbait-sites/ ∗∗∗ Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518 ∗∗∗ --------------------------------------------- We encountered the Cerber ransomware exploiting the Atlassian Confluence vulnerability CVE-2023-22518 in its operations. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/k/cerber-ransomware-exploits-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (community-mysql, matrix-synapse, and xorg-x11-server-Xwayland), Mageia (squid and vim), Oracle (dnsmasq, python3, squid, squid:4, and xorg-x11-server), Red Hat (fence-agents, insights-client, kernel, kpatch-patch, mariadb:10.5, python3, squid, squid:4, tigervnc, and xorg-x11-server), Scientific Linux (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, python-reportlab, python3, squid, thunderbird, and xorg-x11-server), [...] --------------------------------------------- https://lwn.net/Articles/951066/ ∗∗∗ Multiple Vulnerabilities in QuMagie ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-50 ∗∗∗ Vulnerability in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-24 ∗∗∗ AIX is affected by a denial of service (CVE-2023-45167) and a security restrictions bypass (CVE-2023-40217) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7068084 ∗∗∗ Multiple vulnerabilities in Eclipse Jetty affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070298 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM SDK, Java Technology Edition Quarterly CPU - Apr 2023 - Includes Oracle April 2023 CPU plus CVE-2023-2597 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070548 ∗∗∗ Multiple security vulnerabilities have been identified in IBM DB2 which is shipped with IBM Intelligent Operations Center. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070539 ∗∗∗ IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070736 ∗∗∗ Ivanti Secure Access Client security notifications ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/ivanti-secure-access-client-security-notificati… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2023
by Daily end-of-shift report 09 Nov '23

09 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-11-2023 18:00 − Donnerstag 09-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Highly invasive backdoor snuck into open source packages targets developers ∗∗∗ --------------------------------------------- Packages downloaded thousands of times targeted people working on sensitive projects. --------------------------------------------- https://arstechnica.com/?p=1982281 ∗∗∗ Google ads push malicious CPU-Z app from fake Windows news site ∗∗∗ --------------------------------------------- A threat actor has been abusing Google Ads to distribute a trojanized version of the CPU-Z tool to deliver the Redline info-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-ads-push-malicious-cp… ∗∗∗ Visual Examples of Code Injection, (Thu, Nov 9th) ∗∗∗ --------------------------------------------- I spotted an interesting sample that perform this technique and I was able to collect “visible” information. The malware was delivered through a phishing email with a ZIP archive. --------------------------------------------- https://isc.sans.edu/diary/rss/30388 ∗∗∗ Google Play: Extra-Sicherheitsprüfungen sollen Apps vertrauenswürdiger machen ∗∗∗ --------------------------------------------- Ab sofort sind bestimmte Apps in Google Play mit einem neuen Banner gekennzeichnet, der mehr Sicherheit garantieren soll. Den Anfang machen einige VPN-Apps. --------------------------------------------- https://www.heise.de/-9357280 ∗∗∗ Spammers abuse Google Forms’ quiz to deliver scams ∗∗∗ --------------------------------------------- Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. --------------------------------------------- https://blog.talosintelligence.com/google-forms-quiz-spam/ ∗∗∗ GhostLocker - A “Work In Progress” RaaS ∗∗∗ --------------------------------------------- GhostSec, has introduced a novel Ransom-as-a-Service encryptor known as GhostLocker. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/08/ghostlocker-a-work-in-progress-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti and chromium), Fedora (CuraEngine, podman, and rubygem-rmagick), Mageia (gnome-shell, openssl, and zlib), SUSE (salt), and Ubuntu (xrdp). --------------------------------------------- https://lwn.net/Articles/950850/ ∗∗∗ CVE-2023-3282 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine (Severity: MEDIUM) ∗∗∗ --------------------------------------------- This issue is applicable only to Cortex XSOAR engines installed through the shell method that are running on a Linux operating system. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-3282 ∗∗∗ CVE-2023-47246: SysAid Zero-Day Vulnerability Exploited By Lace Tempest ∗∗∗ --------------------------------------------- A new zero-day vulnerability (CVE-2023-47246) in SysAid IT service management software is being exploited by the threat group responsible for the MOVEit Transfer attack in May 2023. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/09/etr-cve-2023-47246-sysaid-zero-… ∗∗∗ Drupal: GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-051 ∗∗∗ Drupal: GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-050 ∗∗∗ Weidmüller: WIBU Vulnerability in multiple Products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-032/ ∗∗∗ Johnson Controls Quantum HD Unity ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01 ∗∗∗ Hitachi Energy eSOMS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-02 ∗∗∗ IBM Security Guardium is affected by denial of service vulnerabilities (CVE-2023-3635, CVE-2023-28118) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7069238 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in Apache Struts (CVE-2023-34149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7069237 ∗∗∗ Vulnerabilities in Linux Kernel, Samba, Golang, Curl, and openssl can affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7069319 ∗∗∗ A vulnerability in Samba affects IBM Storage Scale SMB protocol access method (CVE-2022-2127) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070025 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2023
by Daily end-of-shift report 08 Nov '23

08 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-11-2023 18:00 − Mittwoch 08-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Example of Phishing Campaign Project File, (Wed, Nov 8th) ∗∗∗ --------------------------------------------- We all have a love and hate relation with emails. When newcomers on the Internet starts to get emails, they are so happy but their feeling changes quickly. Then, they hope to reduce the flood of emails received daily... Good luck! Of course, tools have been developed to organize marketing campaigns. From marketing to spam or phishing, there is only one step. Bad guys started to use the same programs for malicious purpose. --------------------------------------------- https://isc.sans.edu/diary/rss/30384 ∗∗∗ Researchers Uncover Undetectable Crypto Mining Technique on Azure Automation ∗∗∗ --------------------------------------------- Cybersecurity researchers have developed whats the first fully undetectable cloud-based cryptocurrency miner leveraging the Microsoft Azure Automation service without racking up any charges. Cybersecurity company SafeBreach said it discovered three different methods to run the miner, including one that can be executed on a victims environment without attracting any attention. --------------------------------------------- https://thehackernews.com/2023/11/researchers-uncover-undetectable-crypto.h… ∗∗∗ Hunderte Experten warnen vor staatlichen Root-Zertifikaten ∗∗∗ --------------------------------------------- Bald sollen EU-Bürger sich auf grenzüberschreitende elektronische Dienste und Vertrauensstellen verlassen müssen. Experten schlagen Alarm. --------------------------------------------- https://www.heise.de/-9355165.html ∗∗∗ Angebliches LinkedIn-Datenleck: Daten von Tätern konstruiert ∗∗∗ --------------------------------------------- Im digitalen Untergrund haben Kriminelle Daten aus einem angeblichen LinkedIn-Leck angeboten. Diese entpuppen sich als künstlich aufgebläht. --------------------------------------------- https://www.heise.de/-9355976.html ∗∗∗ Tool Release: Magisk Module – Conscrypt Trust User Certs ∗∗∗ --------------------------------------------- Android 14 introduced a new feature which allows to remotely install CA certificates. This change implies that instead of using the /system/etc/security/cacerts directory to check the trusted CA’s, this new feature uses the com.android.conscrypt APEX module, and reads the certificates from the directory /apex/com.android.conscrypt/cacerts. Inspired by this blog post by Tim Perry, I decided to create a [...] --------------------------------------------- https://research.nccgroup.com/2023/11/08/tool-release-magisk-module-conscry… ∗∗∗ Sumo Logic Urges Users to Change Credentials Due to Security Breach ∗∗∗ --------------------------------------------- Cloud monitoring and SIEM firm Sumo Logic is urging users to rotate credentials following the discovery of a security breach. --------------------------------------------- https://www.securityweek.com/sumo-logic-urges-users-to-change-credentials-d… ∗∗∗ Vorsicht vor stark verbilligten Amazon-Schnäppchen ∗∗∗ --------------------------------------------- Man glaubt es kaum: Tablets, Smartphones oder Notebooks, die auf Amazon um die Hälfte billiger angeboten werden. Solche Schnäppchen entpuppen sich aber als Lockangebote, um Ihnen Geld zu stehlen. Wir zeigen Ihnen, wie diese Betrugsmasche funktioniert! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-stark-verbilligten-amaz… ∗∗∗ Vorsicht vor vermeintlichen Rechnungen der „Click Office World“ ∗∗∗ --------------------------------------------- Fake-Rechnungen sind nichts Neues in der Welt des Unternehmensbetrugs, aktuell scheinen Betrüger:innen jedoch wieder massenhaft solche Rechnungen zu versenden. So erhalten viele Unternehmen derzeit per Post englischsprachige Rechnungen von „CLICK OFFICE WORLD“, in denen eine 14-tägige Zahlungsfrist und ein Betrag von 955 Euro gefordert werden. Zahlen Sie nichts, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-vermeintlichen-rechnung… ∗∗∗ Warning Against Phobos Ransomware Distributed via Vulnerable RDP ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the active distribution of the Phobos ransomware. Phobos is a variant known for sharing technical and operational similarities with the Dharma and CrySis ransomware. These ransomware strains typically target externally exposed Remote Desktop Protocol (RDP) services with vulnerable securities as attack vectors. --------------------------------------------- https://asec.ahnlab.com/en/58753/ ∗∗∗ Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware ∗∗∗ --------------------------------------------- Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. --------------------------------------------- https://www.hackread.com/lazarus-bluenoroff-apt-macos-objcshellz-malware/ ∗∗∗ A Balanced Approach: New Security Headers Grading Criteria ∗∗∗ --------------------------------------------- The Security Headers grading criteria is something that doesnt change often, but when it does, theres a good reason behind the change. In this blog, I will outline the new grading criteria and the reasons why weve made the change. --------------------------------------------- https://scotthelme.co.uk/a-balanced-approach-new-security-headers-grading-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Kritische System-Lücke bedroht Android 11, 12 und 13 ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für verschiedene Android-Versionen veröffentlicht. --------------------------------------------- https://www.heise.de/-9355953.html ∗∗∗ Malware-Schutz: Rechteausweitung in Trend Micros Apex One möglich ∗∗∗ --------------------------------------------- In Trend Micros Schutzsoftware Apex One können Angreifer Schwachstellen missbrauchen, um ihre Privilegien auszuweiten. Updates korrigieren das. --------------------------------------------- https://www.heise.de/-9356484.html ∗∗∗ Webbrowser: Lücke mit hohem Risiko in Google Chrome geschlossen ∗∗∗ --------------------------------------------- Google schließt mit dem Update von Chrome eine hochriskante Sicherheitslücke, die Webseiten offenbar das Unterschieben von Schadcode ermöglicht. --------------------------------------------- https://www.heise.de/-9355888.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-urllib3 and tang), Fedora (chromium, mlpack, open-vm-tools, and salt), Red Hat (avahi, binutils, buildah, c-ares, cloud-init, containernetworking-plugins, cups, curl, dnsmasq, edk2, flatpak, frr, gdb, ghostscript, glib2, gmp, grafana, haproxy, httpd, mod_http2, java-21-openjdk, kernel, krb5, libfastjson, liblouis, libmicrohttpd, libpq, libqb, librabbitmq, LibRaw, libreoffice, libreswan, libssh, libtiff, libvirt, libX11, linux-firmware, mod_auth_openidc, ncurses, nghttp2, opensc, pcs, perl-CPAN, perl-HTTP-Tiny, podman, procps-ng, protobuf-c, python-cryptography, python-pip, python-tornado, python-wheel, python3.11, python3.11-pip, python3.9, qemu-kvm, qt5 stack, runc, samba, samba, evolution-mapi, openchange, shadow-utils, skopeo, squid, sysstat, tang, tomcat, toolbox, tpm2-tss, webkit2gtk3, wireshark, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), Slackware (sudo), SUSE (squid), and Ubuntu (python-urllib3). --------------------------------------------- https://lwn.net/Articles/950694/ ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-29552 Service Location Protocol (SLP) Denial-of-Service Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/08/cisa-adds-one-known-expl… ∗∗∗ GE MiCOM S1 Agile ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to upload malicious files and achieve code execution. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-311-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2023
by Daily end-of-shift report 07 Nov '23

07 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 06-11-2023 18:00 − Dienstag 07-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft Authenticator now blocks suspicious MFA alerts by default ∗∗∗ --------------------------------------------- Microsoft has introduced a new protective feature in the Authenticator app to block notifications that appear suspicious based on specific checks performed during the account login stage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-authenticator-now-… ∗∗∗ MacBook Pro M3 läuft unter Umständen noch mit altem macOS – Update nicht möglich ∗∗∗ --------------------------------------------- Auf manchem neuen MacBook Pro M3 läuft eine Version von macOS 13, die gravierende Sicherheitslücken hat. Sie lässt sich offenbar nicht direkt updaten. --------------------------------------------- https://www.heise.de/-9355709 ∗∗∗ New GootLoader Malware Variant Evades Detection and Spreads Rapidly ∗∗∗ --------------------------------------------- A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. --------------------------------------------- https://thehackernews.com/2023/11/new-gootloader-malware-variant-evades.html ∗∗∗ Phishing With Dynamite ∗∗∗ --------------------------------------------- Token stealing is getting harder. Instead, stealing whole logged-in browser instances may be an easier and more generic approach. One attack, known as “browser-in-the-middle” (BitM), makes it possible to virtually place a user in front of our browser and request them to log in for us. One of my old work buddies referred to it as “phishing with dynamite” after using it on a few social engineering campaigns. --------------------------------------------- https://posts.specterops.io/phishing-with-dynamite-7d33d8fac038 ∗∗∗ D0nut encrypt me, I have a wife and no backups ∗∗∗ --------------------------------------------- Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. In case you missed it, last time we analysed an Incident Response engagement involving BlackCat Ransomware. In this instalment, we take a deeper dive into the D0nut extortion group. --------------------------------------------- https://research.nccgroup.com/2023/11/06/d0nut-encrypt-me-i-have-a-wife-and… ∗∗∗ Post-exploiting a compromised etcd – Full control over the cluster and its nodes ∗∗∗ --------------------------------------------- When considering the attack surface in Kubernetes, we consider certain unauthenticated components, such as the kube-apiserver and kubelet, as well as leaked tokens or credentials that grant access to certain cluster features, and non-hardened containers that may provide access to the underlying host. However, when discussing etcd, it is often perceived solely as an information storage element within the cluster from which secrets can be extracted. However, etcd is much more than that. --------------------------------------------- https://research.nccgroup.com/2023/11/07/post-exploiting-a-compromised-etcd… ∗∗∗ Generating IDA Type Information Libraries from Windows Type Libraries ∗∗∗ --------------------------------------------- In this quick-post, well explore how to convert Windows type libraries (TLB) into IDA type information libraries (TIL). --------------------------------------------- https://blog.nviso.eu/2023/11/07/generating-ida-type-information-libraries-… ∗∗∗ CISA Published When to Issue VEX Information ∗∗∗ --------------------------------------------- This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/06/cisa-published-when-issu… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Zwei kritische Lücken bedrohen Monitoringtool Veeam One ∗∗∗ --------------------------------------------- Die Entwickler haben in Veeam One unter anderem zwei kritische Schwachstellen geschlossen. Im schlimmsten Fall kann Schadcode auf Systeme gelangen. --------------------------------------------- https://www.heise.de/-9354987 ∗∗∗ WS_FTP Server Arbitrary File Upload CVE-2023-42659 - (CRITICAL) ∗∗∗ --------------------------------------------- In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application. --------------------------------------------- https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-Novembe… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (trapperkeeper-webserver-jetty9-clojure), Mageia (libsndfile, packages, thunderbird, and x11-server), Oracle (.NET 6.0), SUSE (kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container, redis, and squid), and Ubuntu (gsl). --------------------------------------------- https://lwn.net/Articles/950523/ ∗∗∗ 37 Vulnerabilities Patched in Android With November 2023 Security Updates ∗∗∗ --------------------------------------------- The Android security updates released this week resolve 37 vulnerabilities, including a critical information disclosure bug. --------------------------------------------- https://www.securityweek.com/37-vulnerabilities-patched-in-android-with-nov… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ GE MiCOM S1 Agile ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-311-23 ∗∗∗ Zyxel security advisory for improper privilege management vulnerability in GS1900 series switches ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.11.2023
by Daily end-of-shift report 06 Nov '23

06 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-11-2023 18:00 − Montag 06-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft Exchange: Vier 0-day-Schwachstellen ermöglichen RCE-Angriffe und Datenklau ∗∗∗ --------------------------------------------- Die Zero Day Initiative (ZDI) von Trend Micro hat gerade vier ungepatchte Schwachstellen (sogenannte 0-Days) in Microsoft Exchange öffentlich gemacht. Diese wurden im September 2023 an Microsoft gemeldet und ZDI stuft die mit CVSS-Scores von 7.1 bis 7.5 ein. Microsofts Sicherheitsexperten sehen die Schwachstellen als nicht so schwerwiegend an, dass diese ein sofortiges Handeln erfordern (zur Ausnutzung sei eine Authentifizierung erforderlich). Die Microsoft-Entwickler haben Fixes "für später" angekündigt. Daher ist die Zero Day Initiative an die Öffentlichkeit gegangen, da man trotzdem die Möglichkeit für RCE-Angriffe und Datenklau sieht. --------------------------------------------- https://www.borncity.com/blog/2023/11/04/microsoft-exchange-vier-0-day-schw… ∗∗∗ Sicherheitsupdates QNAP: Angreifer können eigene Befehle auf NAS ausführen ∗∗∗ --------------------------------------------- Wichtige Sicherheitspatches sichern Netzwerkspeicher von QNAP ab. Unbefugte können Daten einsehen. --------------------------------------------- https://www.heise.de/-9354109.html ∗∗∗ E-Mail von A1 mit einer Rechnung über € 289,60 ist Fake ∗∗∗ --------------------------------------------- Aktuell werden A1-Kund:innen mit einer gefälschten Rechnung über € 289,60 verunsichert. Im E-Mail – angeblich von A1 – steht, dass der Rechnungsbetrag „heute“ von Ihrem Bankkonto bzw. Ihrer Kreditkarte abgebucht wird. Im Anhang finden Sie die Infos zu Ihrer Rechnung. Wenn Sie auf den Anhang klicken, werden Sie auf eine gefälschte Login-Seite geführt. Kriminelle stehlen damit Ihre Zugangs- und Bankdaten! --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-von-a1-mit-einer-rechnung-ueb… ∗∗∗ Socks5Systemz proxy service infects 10,000 systems worldwide ∗∗∗ --------------------------------------------- A proxy botnet called Socks5Systemz has been infecting computers worldwide via the PrivateLoader and Amadey malware loaders, currently counting 10,000 infected devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/socks5systemz-proxy-service-… ∗∗∗ Cybercrime service bypasses Android security to install malware ∗∗∗ --------------------------------------------- A new dropper-as-a-service (DaaS) named SecuriDropper has emerged, using a method that bypasses Android 13s Restricted Settings to install malware on devices and grant them access to the Accessibility Services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercrime-service-bypasses-… ∗∗∗ TellYouThePass ransomware joins Apache ActiveMQ RCE attacks ∗∗∗ --------------------------------------------- Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution (RCE) vulnerability previously exploited as a zero-day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-jo… ∗∗∗ Gaming-related cyberthreats in 2023: Minecrafters targeted the most ∗∗∗ --------------------------------------------- Gaming-related threat landscape in 2023: desktop and mobile malware disguised as Minecraft, Roblox and other popular games, and the most widespread phishing schemes. --------------------------------------------- https://securelist.com/game-related-threat-report-2023/110960/ ∗∗∗ Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel ∗∗∗ --------------------------------------------- Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure. The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023. --------------------------------------------- https://thehackernews.com/2023/11/google-warns-of-hackers-absing-calendar.h… ∗∗∗ Persistence – Windows Telemetry ∗∗∗ --------------------------------------------- Microsoft has introduced the compatibility telemetry in order to collect usage and performance data about Windows systems [...] TrustedSec has identified that it is feasible to abuse the Windows telemetry mechanism for persistence during red team operations if elevated access has been achieved. --------------------------------------------- https://pentestlab.blog/2023/11/06/persistence-windows-telemetry/ ∗∗∗ What is Classiscam Scam-as-a-Service? ∗∗∗ --------------------------------------------- "The Classiscam scam-as-a-service operation has broadened its reach worldwide, targeting many more brands, countries, and industries, causing more significant financial damage than before,” touts Bleeping Computer. So just what is it? What is Classiscam? It’s a bird. It’s a plane. It’s - a pyramid? Classiscam is an enterprising criminal operation that uses a division of labor to organize low-level phishers into classified site scammers and takes a cut off the top. --------------------------------------------- https://www.tripwire.com/state-of-security/what-classiscam-scam-service ∗∗∗ Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518 ∗∗∗ --------------------------------------------- As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitatio… ∗∗∗ Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II ∗∗∗ --------------------------------------------- Based on our previous research, we also discovered Pre-auth RCE vulnerabilities((CVE-2023-0853、CVE-2023-0854) in other models of Canon printers. For the HP vulnerability, we had a collision with another team. In this section, we will detail the Canon and HP vulnerabilities we exploited during Pwn2own Toronto. --------------------------------------------- https://devco.re/blog/2023/11/06/your-printer-is-not-your-printer-hacking-p… ∗∗∗ Provocative Facebook Ads Leveraged to Deliver NodeStealer Malware ∗∗∗ --------------------------------------------- Beware of Provocative Facebook Ads, Warn Researchers! --------------------------------------------- https://www.hackread.com/provocative-facebook-ads-nodestealer-malware/ ∗∗∗ Scanning KBOM for Vulnerabilities with Trivy ∗∗∗ --------------------------------------------- Early this summer we announced the release of Kubernetes Bills of Material (KBOM) as part of Trivy, our all in one, popular open source security scanner. In the blog we discussed how KBOM is the manifest of all the important components that make up your Kubernetes cluster: Control plane components, Node Components, and Addons, including their versions and images. --------------------------------------------- https://blog.aquasec.com/scanning-kbom-for-vulnerabilities-with-trivy ∗∗∗ Security updates 1.6.5 and 1.5.6 released ∗∗∗ --------------------------------------------- We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They all contain a fix for recently reported security vulnerability. [...] We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions. --------------------------------------------- https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, open-vm-tools, openjdk-17, pmix, and trafficserver), Fedora (netconsd, podman, suricata, and usd), Oracle (.NET 6.0, .NET 7.0, binutils, ghostscript, java-1.8.0-openjdk, kernel, and squid), SUSE (apache-ivy, gstreamer-plugins-bad, kernel, nodejs12, opera, poppler, rubygem-activesupport-5.2, tiff, util-linux, and virtualbox), and Ubuntu (krb5). --------------------------------------------- https://lwn.net/Articles/950413/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.11.2023
by Daily end-of-shift report 03 Nov '23

03 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-11-2023 18:00 − Freitag 03-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New macOS KandyKorn malware targets cryptocurrency engineers ∗∗∗ --------------------------------------------- A new macOS malware dubbed KandyKorn has been spotted in a campaign attributed to the North Korean Lazarus hacking group, targeting blockchain engineers of a cryptocurrency exchange platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-macos-kandykorn-malware-… ∗∗∗ Atlassian warns of exploit for Confluence data wiping bug, get patching ∗∗∗ --------------------------------------------- Atlassian warned admins that a public exploit is now available for a critical Confluence security flaw that can be used in data destruction attacks targeting Internet-exposed and unpatched instances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atlassian-warns-of-exploit-f… ∗∗∗ Spyware Designed for Telegram Mods Also Targets WhatsApp Add-Ons ∗∗∗ --------------------------------------------- Researchers discovered spyware designed to steal from Android devices and from Telegram mods can also reach WhatsApp users. --------------------------------------------- https://www.darkreading.com/dr-global/spyware-designed-for-telegram-mods-al… ∗∗∗ Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments ∗∗∗ --------------------------------------------- The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a "new experimental campaign" designed to breach cloud environments. --------------------------------------------- https://thehackernews.com/2023/11/kinsing-actors-exploit-linux-flaw-to.html ∗∗∗ 48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems ∗∗∗ --------------------------------------------- A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems. "These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said. --------------------------------------------- https://thehackernews.com/2023/11/48-malicious-npm-packages-found.html ∗∗∗ Prioritising Vulnerabilities Remedial Actions at Scale with EPSS ∗∗∗ --------------------------------------------- In this article, I’m presenting the Exploit Prediction Scoring System and its practical use cases in tandem with Common Vulnerability Scoring System. --------------------------------------------- https://itnext.io/prioritising-vulnerabilities-remedial-actions-at-scale-wi… ∗∗∗ Einstufung von Sicherheitslücken: Der CVSS-4.0-Standard ist da ∗∗∗ --------------------------------------------- Von niedrig bis kritisch: Das Common Vulnerability Scoring System (CVSS) hat einen Versionssprung vollzogen. --------------------------------------------- https://www.heise.de/-9352555 ∗∗∗ Apples "Wo ist": Keylogger-Tastatur nutzt Ortungsnetz zum Passwortversand ∗∗∗ --------------------------------------------- Eigentlich soll es helfen, verlorene Dinge aufzuspüren. Unsere Keylogger-Tastatur nutzt Apples "Wo ist"-Ortungsnetz jedoch zum Ausschleusen von Daten. --------------------------------------------- https://www.heise.de/-9342791 ∗∗∗ Lücke in VMware ONE UEM ermöglicht Login-Klau ∗∗∗ --------------------------------------------- Durch eine unsichere Weiterleitung können Angreifer SAML-Tokens angemeldeter Nutzer klauen und deren Zugänge übernehmen. VMware stellt Updates bereit. --------------------------------------------- https://www.heise.de/-9352599 ∗∗∗ Should you allow your browser to remember your passwords? ∗∗∗ --------------------------------------------- It’s very convenient to store your passwords in your browser. But is it a good idea? --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/11/should-you-allow-your-browse… ∗∗∗ You’d be surprised to know what devices are still using Windows CE ∗∗∗ --------------------------------------------- Windows CE — an operating system that, despite being out for 27 years, never had an official explanation for why it was called “CE” — finally reached its official end-of-life period this week. This was Microsoft’s first operating system for embedded and pocket devices, making an appearance on personal pocket assistants, some of the first BlackBerry-likes, laptops and more during its lifetime. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-nov-2-2023/ ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP Security Advisories 2023-11-04 ∗∗∗ --------------------------------------------- QNAP released 4 new security advisories (2x Critical, 2x Medium). Music Station, QTS, QuTS hero, QuTScloud, Multimedia Console and Media Streaming add-on. --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (phppgadmin and vlc), Fedora (attract-mode, chromium, and netconsd), Red Hat (.NET 7.0, c-ares, curl, ghostscript, insights-client, python, squid, and squid:4), SUSE (kernel and roundcubemail), and Ubuntu (libsndfile). --------------------------------------------- https://lwn.net/Articles/950061/ ∗∗∗ Vulnerability in IBM SDK, Java Technology Edition may affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7066311 ∗∗∗ Multiple security vulnerabilities in Go may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7066400 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.11.2023
by Daily end-of-shift report 02 Nov '23

02 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-10-2023 18:00 − Donnerstag 02-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New CVSS 4.0 vulnerability severity rating standard released ∗∗∗ --------------------------------------------- The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cvss-40-vulnerability-se… ∗∗∗ Nur zwei wurden gepatcht: Schwachstellen in 34 Treibern gefährden Windows-Systeme ∗∗∗ --------------------------------------------- Sicherheitsforscher der VMware Threat Analysis Unit (Tau) haben Schwachstellen in insgesamt 34 verschiedenen Windows-Gerätetreibern identifiziert. Böswillige Akteure können Firmwares gezielt manipulieren und sich auf Zielsystemen höhere Rechte verschaffen. "Alle Treiber geben Nicht-Admin-Benutzern volle Kontrolle über die Geräte", erklären die Forscher in ihrem Bericht. --------------------------------------------- https://www.golem.de/news/nur-zwei-wurden-gepatcht-schwachstellen-in-34-tre… ∗∗∗ Windows 11, version 23H2 security baseline ∗∗∗ --------------------------------------------- This release includes several changes to further assist in the security of enterprise customers. Changes have been made to provide additional protections to the local admin account, Microsoft Defender Antivirus updates, and a new setting in response to an MSRC bulletin. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows… ∗∗∗ Moderne Telefonbetrüger: Wie Betrüger Geld mit nur einem Telefonanruf stehlen ∗∗∗ --------------------------------------------- In diesem Blogbeitrag wird eine Schwachstelle in einer Bankanwendung beschrieben, die es Angreifern ermöglicht, unbemerkt Geldtransaktionen von bis zu 5.000 € im Namen anderer Benutzer durchzuführen. Darüber hinaus werden weitere mögliche Angriffsszenarien beschrieben, mit denen persönliche Informationen abgegriffen werden können. --------------------------------------------- https://sec-consult.com/de/blog/detail/moderne-telefonbetrueger-wie-betrueg… ∗∗∗ Jetzt patchen! Attacken auf BIG-IP-Appliances beobachtet ∗∗∗ --------------------------------------------- F5 warnt vor Angriffen auf BIG-IP-Appliances. Sicherheitspatches stehen bereit. Eine Lücke gilt als kritisch. --------------------------------------------- https://www.heise.de/-9350108 ∗∗∗ Sicherheitslücken: Angreifer können Cisco-Firewalls manipulieren ∗∗∗ --------------------------------------------- Mehrere Schwachstellen gefährden unter anderem Cisco Firepower und Identity Services Engine. Patches sind verfügbar. --------------------------------------------- https://www.heise.de/-9351087 ∗∗∗ MITRE ATT&CK v14 released ∗∗∗ --------------------------------------------- MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. MITRE ATT&CK v14 ATT&CK’s goal is to catalog and categorize behaviors of cyber adversaries in real-world attacks. --------------------------------------------- https://www.helpnetsecurity.com/2023/11/02/mitre-attck-v14/ ∗∗∗ Unveiling the Dark Side: A Deep Dive into Active Ransomware Families ∗∗∗ --------------------------------------------- This series will focus on TTP’s deployed by four ransomware families recently observed during NCC Group’s incident response engagements. --------------------------------------------- https://research.nccgroup.com/2023/10/31/unveiling-the-dark-side-a-deep-div… ∗∗∗ Wer hat Mozi getötet? IoT-Zombie-Botnetz wurde endlich zu Grabe tragen ∗∗∗ --------------------------------------------- Wie ESET Research einen Kill-Switch gefunden hat, der dazu benutzt wurde, eines der am weitesten verbreiteten Botnets auszuschalten. --------------------------------------------- https://www.welivesecurity.com/de/eset-research/wer-hat-mozi-getotet-iot-zo… ∗∗∗ Kostenlose Webinar-Reihe „Schutz im Internet“ ∗∗∗ --------------------------------------------- In Kooperation mit der Arbeiterkammer Oberösterreich veranstaltet das ÖIAT (Österreichisches Institut für angewandte Telekommunikation) eine kostenlose Webinar-Reihe zu Themen wie Online-Shopping, Internet-Betrug und Identitätsdiebstahl! --------------------------------------------- https://www.watchlist-internet.at/news/kostenlose-webinar-reihe-schutz-im-i… ∗∗∗ Drupal 9 is end of life - PSA-2023-11-01 ∗∗∗ --------------------------------------------- Drupal 9 relies on several other software projects, including Symfony, CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life, and Twig 2's end of life all coming up soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9. --------------------------------------------- https://www.drupal.org/psa-2023-11-01 ∗∗∗ Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking) ∗∗∗ --------------------------------------------- Caution is advised as an Infostealer that prompts the execution of legitimate EXE files is actively being distributed. The threat actor is distributing a legitimate EXE file with a valid signature and a malicious DLL compressed in the same directory. The EXE file itself is legitimate, but when executed in the same directory as the malicious DLL, it automatically runs that malicious DLL. This technique is called DLL hijacking and is often used in the distribution of malware. --------------------------------------------- https://asec.ahnlab.com/en/58319/ ∗∗∗ Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox” ∗∗∗ --------------------------------------------- Where there is a potential for profit there are also people trying to scam others. “Roblox” users can be targeted by scammers (known as “beamers” by “Roblox” players) who attempt to steal valuable items or Robux from other players. This can sometimes be made easier for the scammers because of “Roblox's” young user base. Nearly half of the game’s 65 million users are under the age of 13 who may not be as adept at spotting scams. --------------------------------------------- https://blog.talosintelligence.com/roblox-scam-overview/ ∗∗∗ Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 ∗∗∗ --------------------------------------------- Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Powerful SSRF in Exchange OWA – Getting Response Through Attachments ∗∗∗ --------------------------------------------- As the attacker can abuse this SSRF to retrieve the content of the response, I thought it was a good finding. However, Microsoft did not agree [...] In short: this may get fixed or it may not. If they decide to fix it, the patch may appear in 1 year or in 3 years. In general, we know nothing. Accordingly, we informed Microsoft of our intention to publish this vulnerability as a 0-day advisory and a blog post. As we consider this issue potentially dangerous, we want organizations to be aware of the threat. For this reason, we are providing a PoC HTTP Request to be used for filtering and/or monitoring. --------------------------------------------- https://www.thezdi.com/blog/2023/11/1/unpatched-powerful-ssrf-in-exchange-o… ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco has released 24 new and 4 updated Security Advisories (2x Critical, 11x High, 15x Medium) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Critical PHPFox RCE Vulnerability Risked Social Networks ∗∗∗ --------------------------------------------- Heads up, phpFox users! A critical remote code execution vulnerability existed in the phpFox service that allowed community takeovers [...] The researcher urged all phpFox users to update to the latest phpFox release (version 4.8.14 or later) to receive the security fix. --------------------------------------------- https://latesthackingnews.com/2023/10/30/critical-phpfox-rce-vulnerability-… ∗∗∗ Webbrowser: Google Chrome bessert 15 Schwachstellen aus und kann HTTPS-Upgrades ∗∗∗ --------------------------------------------- Google hat den Webbrowser Chrome in Version 119 veröffentlicht. Sie schließt 15 Sicherheitslücken und etabliert den HTTPS-Upgrade-Mechanismus. --------------------------------------------- https://www.heise.de/-9349956 ∗∗∗ Sicherheitsupdates Nvidia: GeForce-Treiberlücken gefährden PCs ∗∗∗ --------------------------------------------- Nvidias Entwickler haben im Grafikkartentreiber und der VGPU-Software mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/-9351600 ∗∗∗ Solarwinds Platform 2023.4 schließt Codeschmuggel-Lücken ∗∗∗ --------------------------------------------- Solarwinds hat das Platform-Update auf Version 2023.4 veröffentlicht. Neben diversen Fehlerkorrekturen schließt es auch Sicherheitslücken. --------------------------------------------- https://www.heise.de/-9351584 ∗∗∗ VMSA-2023-0025 ∗∗∗ --------------------------------------------- An open redirect vulnerability in VMware Workspace ONE UEM console was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products. (CVE-2023-20886) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0025.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (h2o, open-vm-tools, pmix, and zookeeper), Gentoo (GitPython), Oracle (firefox, java-11-openjdk, java-17-openjdk, libguestfs-winsupport, nginx:1.22, and thunderbird), Red Hat (samba), SUSE (container-suseconnect, libsndfile, and slurm), and Ubuntu (krb5, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-laptop, linux-nvidia-6.2, linux-oem-6.1, linux-raspi, open-vm-tools, and xorg-server). --------------------------------------------- https://lwn.net/Articles/949612/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Gentoo (Netatalk), Oracle (firefox), Red Hat (.NET 6.0, .NET 6.0, .NET 7.0, binutils, and qemu-kvm), SUSE (gcc13, tomcat, and xorg-x11-server), and Ubuntu (axis, libvpx, linux-starfive, thunderbird, and xrdp). --------------------------------------------- https://lwn.net/Articles/949820/ ∗∗∗ [R1] Nessus Version 10.5.6 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-36 ∗∗∗ [R1] Nessus Agent Version 10.4.3 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-38 ∗∗∗ [R1] Nessus Version 10.6.2 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-37 ∗∗∗ Drupal: Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-049 ∗∗∗ Open Exchange: 2023-08-01: OXAS-ADV-2023-0004 ∗∗∗ --------------------------------------------- https://documentation.open-xchange.com/security/advisories/txt/oxas-adv-202… ∗∗∗ IBM Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Weintek EasyBuilder Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-05 ∗∗∗ Schneider Electric SpaceLogic C-Bus Toolkit ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-06 ∗∗∗ Franklin Fueling System TS-550 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-04 ∗∗∗ Red Lion Crimson ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-01 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02 ∗∗∗ Mitsubishi Electric MELSEC Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.10.2023
by Daily end-of-shift report 31 Oct '23

31 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 30-10-2023 18:00 − Dienstag 31-10-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CVE-2023-4966 in Citrix NetScaler ADC und NetScaler Gateway wurde bereits als 0-day ausgenutzt ∗∗∗ --------------------------------------------- Uns wurde inzwischen von drei Organisationen in Österreich berichtet, dass Angreifer aufgrund der Sicherheitslücke im Citrix Server in ihren Systemen aktiv geworden sind, bevor Patches von Citrix verfügbar waren. Es wurden Befehle zur Erkundung des Systems und erste Schritte in Richtung lateral Movement beobachtet. Wir gehen inzwischen von einer weitläufigen Ausnutzung dieses 0-days aus. --------------------------------------------- https://cert.at/de/aktuelles/2023/10/cve-2023-4966-0day ∗∗∗ Exploit für Cisco IOS XE veröffentlicht, Infektionszahlen weiter hoch ∗∗∗ --------------------------------------------- Sicherheitsforscher haben den Exploit für Cisco IOS XE untersucht und seinen simplen Trick aufgedeckt. Hunderte Geräte mit Hintertür sind noch online. --------------------------------------------- https://www.heise.de/-9349296 ∗∗∗ Multiple Layers of Anti-Sandboxing Techniques, (Tue, Oct 31st) ∗∗∗ --------------------------------------------- It has been a while that I did not find an interesting malicious Python script. All the scripts that I recently spotted were always the same: a classic intostealer using Discord as C2 channel. Today I found one that contains a lot of anti-sanboxing techniques. Let's review them. For malware, it's key to detect the environment where they are executed. When detonated inside a sandbox (automatically or, manually, by an Analyst), they will be able to change their behaviour (most likely, do nothing). --------------------------------------------- https://isc.sans.edu/diary/rss/30362 ∗∗∗ Malicious NuGet Packages Caught Distributing SeroXen RAT Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. --------------------------------------------- https://thehackernews.com/2023/10/malicious-nuget-packages-caught.html ∗∗∗ LDAP authentication in Active Directory environments ∗∗∗ --------------------------------------------- Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post introduces them through the lens of Python libraries. --------------------------------------------- https://offsec.almond.consulting/ldap-authentication-in-active-directory-en… ∗∗∗ Programmiersprache: End of Life für PHP 8.0 und Neues für PHP 8.3 ∗∗∗ --------------------------------------------- Die kommende Version 8.3 der Programmiersprache PHP hält einige Neuerungen bereit, und PHP 8.0 nähert sich dem Supportende. --------------------------------------------- https://www.heise.de/-9348772 ∗∗∗ Verkaufen auf etsy: Vorsicht vor betrügerischen Anfragen ∗∗∗ --------------------------------------------- Auf allen gängigen Verkaufsplattformen tummeln sich Kriminelle. Sie nehmen vor allem neue Nutzer:innen ins Visier, die die Abläufe noch nicht kennen. Wir zeigen Ihnen, wie Sie betrügerische Anfragen erkennen und sicher verkaufen! --------------------------------------------- https://www.watchlist-internet.at/news/verkaufen-auf-etsy-vorsicht-vor-betr… ∗∗∗ Lateral Movement: Abuse the Power of DCOM Excel Application ∗∗∗ --------------------------------------------- In this post, we will talk about an interesting lateral movement technique called ActivateMicrosoftApp() method within the distributed component object model (DCOM) Excel application. This technique is built upon Matt Nelson’s initial research on “Lateral Movement using Excel.Application and DCOM”. --------------------------------------------- https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-… ∗∗∗ Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla) ∗∗∗ --------------------------------------------- While tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers came across a new, upgraded variant of Kazuar. Not only is Kazuar another name for the enormous and dangerous cassowary bird, Kazuar is an advanced and stealthy .NET backdoor that Pensive Ursa usually uses as a second stage payload. --------------------------------------------- https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backd… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Confluence Data Center und Confluence Server ∗∗∗ --------------------------------------------- In allen Versionen von Confluence Data Center und Confluence Server existiert eine kritische Sicherheitslücke (CVE-2023-22518 CVSS: 9.1). Das Ausnutzen der Sicherheitslücke auf betroffenen Geräten ermöglicht nicht authentifizierten Angreifern den Zugriff auf interne Daten des Systems. Obwohl Atlassian bislang keine Informationen zur aktiven Ausnutzung der Lücke hat, wird das zeitnahe Einspielen der verfügbaren Patches empfohlen. --------------------------------------------- https://cert.at/de/warnungen/2023/10/confluence-cve-2023-22518 ∗∗∗ RCE exploit for Wyze Cam v3 publicly released, patch now ∗∗∗ --------------------------------------------- A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices [...] Wyze released firmware update version 4.36.11.7071, which addresses the identified issues, on October 22, 2023, so users are recommended to apply the security update as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rce-exploit-for-wyze-cam-v3-… ∗∗∗ Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets ∗∗∗ --------------------------------------------- Three unpatched high-severity bugs in the NGINX ingress controller can be abused by miscreants to steal credentials and other secrets from Kubernetes clusters. The vulnerabilities, tracked as CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886, were disclosed on October 27, and are listed as currently awaiting triage. It's unclear if any of the flaws have been exploited. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/30/unpatched_ng… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9, node-browserify-sign, request-tracker4, and request-tracker5), Fedora (golang-github-altree-bigfloat, golang-github-seancfoley-bintree, golang-github-seancfoley-ipaddress, kitty, slurm, and thunderbird), Gentoo (ConnMan, libxslt, and Salt), Mageia (chromium-browser-stable), Red Hat (firefox, libguestfs-winsupport, and thunderbird), SUSE (clamav, gcc13, gstreamer-plugins-bad, icu73_2, java-17-openjdk, nodejs10, poppler, python-Werkzeug, redis, thunderbird, webkit2gtk3, xorg-x11-server, and xwayland), and Ubuntu (kernel, linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, linux-iot, linux-raspi, linux-raspi-5.4, and mysql-8.0). --------------------------------------------- https://lwn.net/Articles/949391/ ∗∗∗ FujiFilm printer credentials encryption issue fixed ∗∗∗ --------------------------------------------- Many multi-function printers made by FujiFilm Business Innovation Corporation (Fujifilm) which includes Apeos, ApeosPro, PrimeLink and RevoriaPress brands as well as Xerox Corporation (Xerox) which includes VersaLink, PrimeLink, and WorkCentre brands, allow administrators to store credentials on them to allow users to upload scans and other files to FTP and SMB file servers. With the default configuration of these printers, it’s possible to retrieve these credentials in an encrypted format without authenticating to the printer. A vulnerability in the encryption process of these credentials means that you can decrypt them with responses from the web interface. This has been given the ID CVE-2023-46327. --------------------------------------------- https://www.pentestpartners.com/security-blog/fujifilm-printer-credentials-… ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.0.0, 6.1.0, 6.1.1, and 6.2.0: SC-202310.1 ∗∗∗ --------------------------------------------- TNS-2023-35 / Critical 9.8 / 8.8 (CVE-2023-38545), 3.7 / 3.4 (CVE-2023-38546) --------------------------------------------- https://www.tenable.com/security/tns-2023-35 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ INEA ME RTU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-02 ∗∗∗ Zavio IP Camera ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-03 ∗∗∗ Sonicwall: TunnelCrack Vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0015 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2023
by Daily end-of-shift report 30 Oct '23

30 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-10-2023 18:00 − Montag 30-10-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Flying under the Radar: The Privacy Impact of multicast DNS, (Mon, Oct 30th) ∗∗∗ --------------------------------------------- The recent patch to iOS/macOS for CVE-2023-42846 made me think it is probably time to write up a reminder about the privacy impact of UPNP and multicast DNS. This is not a new issue, but it appears to have been forgotten a bit [vuln]. In particular, Apple devices are well-known for their verbose multicast DNS messages. --------------------------------------------- https://isc.sans.edu/diary/rss/30358 ∗∗∗ Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware ∗∗∗ --------------------------------------------- A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE. --------------------------------------------- https://thehackernews.com/2023/10/hackers-using-msix-app-packages-to.html ∗∗∗ Turning a boring file move into a privilege escalation on Mac ∗∗∗ --------------------------------------------- Hopefully other people find this trick useful, beyond just Parallels. You can find the code for this exploit on my GitHub [...] 2023-07-06 - fix released in version 18.3.2. --------------------------------------------- https://pwn.win/2023/10/28/file-move-privesc-mac.html ∗∗∗ citrix-logchecker - Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation ∗∗∗ --------------------------------------------- CERT.at stellt via Github ein Skript zur Verfügung, welches genutzt werden kann, um Citrix-Logs nach potenziell übernommenen Sessions zu durchsuchen. Sollten auffällige Sessions gefunden werden, wird eine tiefergehende Analyse empfohlen. --------------------------------------------- https://github.com/certat/citrix-logchecker ∗∗∗ NATO und Behörden von kritischer Lücke in Lernplattform ILIAS betroffen ∗∗∗ --------------------------------------------- Gleich drei Sicherheitslücken in der Open-Source-Lernplattform ILIAS erlauben Codeschmuggel. Der Hersteller stellt eine aktualisierte Version bereit. --------------------------------------------- https://www.heise.de/-9344057.html ∗∗∗ Forscher: Sicherheitslücken beim Roaming bleiben auch bei 5G eine große Gefahr ∗∗∗ --------------------------------------------- Mobilfunker und Regulierer unternehmen laut einem Bericht des Citizen Lab zu wenig, um Sicherheitsschwächen der Roaming- und Abrechnungsprotokolle auszumerzen. --------------------------------------------- https://www.heise.de/-9347577.html ∗∗∗ F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747) ∗∗∗ --------------------------------------------- F5 Networks has released hotfixes for three vulnerabilities affecting its BIG-IP multi-purpose networking devices/modules, including a critical authentication bypass vulnerability (CVE-2023-46747) that could lead to unauthenticated remote code execution (RCE). About CVE-2023-46747 Discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security, CVE-2023-46747 is a request smuggling bug in the Apache JServ Protocol (AJP) used by the vulnerable devices. [...] Praetorian has updated their blog post to include all the technical details, since Project Discovery has created a Nuclei template with the full CVE-2023-46747 attack chain. --------------------------------------------- https://www.helpnetsecurity.com/2023/10/30/cve-2023-46747/ ∗∗∗ Attackers Can Use Modified Wikipedia Pages to Mount Redirection Attacks on Slack ∗∗∗ --------------------------------------------- Researchers document the Wiki-Slack attack, a new technique that uses modified Wikipedia pages to target end users on Slack. --------------------------------------------- https://www.securityweek.com/attackers-can-use-modified-wikipedia-pages-to-… ∗∗∗ Vorsicht vor Fake-Shops mit günstigen Lebensmitteln ∗∗∗ --------------------------------------------- Mittlerweile können Sie auch Lebensmittel online bestellen. Bedenken Sie aber: Auch hier gibt es betrügerische Angebote. Kriminelle bieten stark vergünstigte Lebensmittel in Fake-Shops wie leckerwurzede.com an. Wenn Sie dort bestellen, verlieren Sie Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-mit-guenstig… ∗∗∗ CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys ∗∗∗ --------------------------------------------- We analyze an attack path starting with GitHub IAM exposure and leading to creation of AWS Elastic Compute instances — which TAs used to perform cryptojacking. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-key… ∗∗∗ NetSupport Intrusion Results in Domain Compromise ∗∗∗ --------------------------------------------- NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report on a NetSupport RAT intrusion, but malicious use of this tool dates back to at least 2016. During this report, we will analyze a case from January 2023 where a NetSupport RAT was utilized to infiltrate a network. The RAT was then used for persistence and command & control, resulting in a full domain compromise. --------------------------------------------- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗ --------------------------------------------- Version 2.4: Updated summary to indicate additional fixed releases and updated fixed release table. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (distro-info, distro-info-data, gst-plugins-bad1.0, node-browserify-sign, nss, openjdk-11, and thunderbird), Fedora (chromium, curl, nghttp2, and xorg-x11-server-Xwayland), Gentoo (Dovecot, Rack, rxvt-unicode, and UnZip), Mageia (apache, bind, and vim), Red Hat (varnish:6), SUSE (nodejs12, opera, python-bugzilla, python-Django, and vorbis-tools), and Ubuntu (exim4, firefox, nodejs, and slurm-llnl, slurm-wlm). --------------------------------------------- https://lwn.net/Articles/949238/ ∗∗∗ Mattermost security updates 9.1.1 / 9.0.2 / 8.1.4 (ESR) / 7.8.13 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.1.1, 9.0.2, 8.1.4 (Extended Support Release), and 7.8.13 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-1-1-9-0-2-8-1-4-e… ∗∗∗ Inkdrop vulnerable to code injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN48057522/ ∗∗∗ 2023-10-30: Cyber Security Advisory - ABB COM600 CODESYS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001822&Language… ∗∗∗ Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7061278 ∗∗∗ IBM i is vulnerable to a local privilege escalation due to flaws in Management Central (CVE-2023-40685, CVE-2023-40686). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7060686 ∗∗∗ Due to use of Java 8.0.7.11 version, InfoSphere Data Replication is vulnerable to crypto attacks. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7061888 ∗∗∗ IBM Storage Ceph is vulnerable to a stack overflow attack in Golang (CVE-2022-24675) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7061939 ∗∗∗ Multiple vulnerabilities exist in the IBM SDK, Java Technology Edition affect IBM Tivoli Network Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062331 ∗∗∗ A vulnerability exists in the IBM SDK, Java Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-22045, CVE-2023-22049). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062330 ∗∗∗ IBM Automation Decision Services October 2023 - Multiple CVEs addressed ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062348 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to code injection and privilege escalation due to multiple vulnerabilities in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062415 ∗∗∗ Due to the use of OpenSSL IBM Tivoli Netcool System Service Monitors/Application Service Monitors is vulnerable to a denial of service and security bypass restrictions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062426 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0