=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-01-2024 18:00 − Monday 15-01-2024 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ 2FA was apparently inactive: review of the attack on the SEC's X account demanded ∗∗∗
---------------------------------------------
The SEC had apparently failed to enable two-factor authentication on its X account. Some US senators consider this "inexcusable".
---------------------------------------------
https://www.golem.de/news/2fa-war-wohl-inaktiv-aufarbeitung-des-angriffs-au…
∗∗∗ Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow [...]
---------------------------------------------
https://thehackernews.com/2024/01/opera-myflaw-bug-could-let-hackers-run.ht…
∗∗∗ Cybersecurity Alert - Self-Service Password Reset ∗∗∗
---------------------------------------------
Effective controls are essential to authenticate users who access your information systems. As configured by some organizations, applications or features that allow users to reset passwords themselves, do not securely authenticate users. If your organization uses, or is considering using, these features (commonly referred to as self-service password reset or SSPR), please review the information below.
---------------------------------------------
https://www.dfs.ny.gov/industry_guidance/industry_letters/il20240112_cyber_…
∗∗∗ Nvidia updates close critical security vulnerabilities in AI systems ∗∗∗
---------------------------------------------
Nvidia has released updated firmware for the DGX A100 and H100 AI systems. It closes critical security holes.
---------------------------------------------
https://www.heise.de/-9597460.html
∗∗∗ Beware of fake FinanzOnline e-mails ∗∗∗
---------------------------------------------
"Bitte überprüfen Sie Ihre Angaben zur zusätzlichen Verpflichtung" ("Please check your details regarding the additional obligation") is the subject of a fraudulent e-mail purportedly from FinanzOnline. The mail claims that there is a document in your mailbox, which you can open via a link. If you click the link, you land on a fake FinanzOnline login page.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-finanzonli…
∗∗∗ Microsoft SharePoint Server: patch RCE vulnerability CVE-2024-21318, and old CVE-2023-29357 is under attack ∗∗∗
---------------------------------------------
Another addendum on the January 2024 Patchday for Microsoft SharePoint Server. In the Patchday articles I mentioned the SharePoint Server RCE vulnerability CVE-2024-21318. It was closed with the security updates of 9 January 2023. There is a second elevation-of-privilege vulnerability, CVE-2023-29357, already closed in June 2023, for which an exploit is known. US CISA has published a warning because attacks on the RCE vulnerability have since been observed.
---------------------------------------------
https://www.borncity.com/blog/2024/01/13/microsoft-sharepoint-server-rce-sc…
∗∗∗ Bitdefender finds vulnerabilities in Bosch BCC100 thermostats ∗∗∗
---------------------------------------------
A small addendum from this week: security vendor Bitdefender informed me that security researchers in its labs have found vulnerabilities in Bosch BCC100 thermostats. Hackers can use these vulnerabilities to take control of such smart thermostats and gain access to smart-home networks.
---------------------------------------------
https://www.borncity.com/blog/2024/01/14/bitdefender-findet-schwachstellen-…
∗∗∗ Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating ∗∗∗
---------------------------------------------
In a recent engagement I had to deal with some custom encrypted strings inside an Android ARM64 app. I had a lot of fun reversing the app and in the process I learned a few cool new techniques which are discussed in this writeup. This is mostly a beginner guide which explains step-by-step how you [...]
---------------------------------------------
https://blog.nviso.eu/2024/01/15/deobfuscating-android-arm64-strings-with-g…
=====================
= Vulnerabilities =
=====================
∗∗∗ OpenSSL Security Advisory - Excessive time spent checking invalid RSA public keys (CVE-2023-6237) ∗∗∗
---------------------------------------------
Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service.
---------------------------------------------
https://www.openssl.org/news/secadv/20240115.txt
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind, cups, curl, firefox, ipa, iperf3, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, linux-firmware, open-vm-tools, openssh, postgresql, python, python3, squid, thunderbird, tigervnc, and xorg-x11-server), Fedora (chromium, python-flask-security-too, and tkimg), Gentoo (libgit2, Opera, QPDF, and zlib), Mageia (chromium-browser-stable, gnutls, openssh, packages, and vlc), Oracle (.NET 6.0, fence-agents, frr, ipa, kernel, nss, pixman, and tomcat), and SUSE (gstreamer-plugins-bad).
---------------------------------------------
https://lwn.net/Articles/958315/
∗∗∗ Mattermost security updates 9.2.4 / 9.1.5 / 8.1.8 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.2.4, 9.1.5, and 8.1.8 (Extended Support Release) for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-2-4-9-1-5-8-1-8-e…
∗∗∗ CVE-2024-0057 .NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability ∗∗∗
---------------------------------------------
Revised the Security Updates table as follows: Added PowerShell 7.2, PowerShell 7.3, and PowerShell 7.4 because these versions of PowerShell 7 are affected by this vulnerability. See https://github.com/PowerShell/Announcements/issues/72 for more information. Corrected Download and Article links for .NET Framework 3.5 and 4.8.1 installed on Windows 10 version 22H2.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057
∗∗∗ ZDI-24-073: Paessler PRTG Network Monitor Cross-Site Scripting Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-073/
∗∗∗ ZDI-24-072: Synology RT6600ax Qualcomm LDB Service Improper Input Validation Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-072/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000138219 : libssh2 vulnerability CVE-2020-22218 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138219
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-01-2024 18:00 − Friday 12-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security risk: how easily mobile phone users can be secretly tracked ∗∗∗
---------------------------------------------
A Dutch radio station got hold of 80 gigabytes of location data from the Berlin-based platform Datarade and was thus able to shadow officers, among others.
---------------------------------------------
https://www.heise.de/-9596230.html
∗∗∗ Microsoft provides a remedy for installing updates in the WinRE partition ∗∗∗
---------------------------------------------
On the January Patchday, update installation on Windows 10 often fails with error 0x80070643. A Microsoft script is meant to help.
---------------------------------------------
https://www.heise.de/-9595312.html
∗∗∗ Patch now! Critical security vulnerability in GitLab enables account takeover ∗∗∗
---------------------------------------------
The bug is already being actively exploited by criminals; administrators should act quickly and update or isolate their GitLab instances.
---------------------------------------------
https://www.heise.de/-9595848.html
∗∗∗ Data leak at Halara: personal data of 941,910 customers apparently online ∗∗∗
---------------------------------------------
The data of numerous Halara customers has surfaced in a hacker forum. It is said to have been exfiltrated via a vulnerability in the website's API.
---------------------------------------------
https://www.golem.de/news/bekleidungshersteller-halara-kundendaten-in-hacke…
∗∗∗ New Balada Injector campaign infects 6,700 WordPress sites ∗∗∗
---------------------------------------------
A new Balada Injector campaign launched in mid-December has infected over 6,700 WordPress websites using a vulnerable version of the Popup Builder plugin.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-balada-injector-campaign…
∗∗∗ Over 150k WordPress sites at takeover risk via vulnerable plugin ∗∗∗
---------------------------------------------
Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site's authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at…
∗∗∗ One File, Two Payloads, (Fri, Jan 12th) ∗∗∗
---------------------------------------------
It has been a while since I discussed obfuscation techniques in malicious scripts. I found a VB script that pretends to be a PDF file. As usual, it was delivered through a phishing email with a zip archive. The filename is "rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs" (SHA256:6e6ecd38cc3c58c40daa4020b856550b1cbaf1dbc0fad517f7ca26d6e11a3d75[1])
---------------------------------------------
https://isc.sans.edu/diary/rss/30558
∗∗∗ Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. "This attack is particularly intriguing due to the attackers' use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier [...]
---------------------------------------------
https://thehackernews.com/2024/01/cryptominers-targeting-misconfigured.html
∗∗∗ Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families ∗∗∗
---------------------------------------------
As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said [...]
---------------------------------------------
https://thehackernews.com/2024/01/nation-state-actors-weaponize-ivanti.html
∗∗∗ Akira ransomware attackers are wiping NAS and tape backups ∗∗∗
---------------------------------------------
“The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year,” the Finnish National Cybersecurity Center (NCSC-FI) has shared on Wednesday. NCSC-FI has received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during Christmas vacations.
---------------------------------------------
https://www.helpnetsecurity.com/2024/01/12/finland-akira-ransomware/
∗∗∗ Joomla! vulnerability is being actively exploited ∗∗∗
---------------------------------------------
A vulnerability in the popular Joomla! CMS has been added to CISA's Known Exploited Vulnerabilities catalog.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2024/01/joomla-vulnerability-is-bein…
∗∗∗ An Introduction to AWS Security ∗∗∗
---------------------------------------------
Cloud providers are becoming a core part of IT infrastructure. Amazon Web Services (AWS), the world's biggest cloud provider, is used by millions of organizations worldwide and is commonly used to run sensitive and mission-critical workloads. This makes it critical for IT and security professionals to understand the basics of AWS security and take measures to protect their data and workloads.
---------------------------------------------
https://www.tripwire.com/state-of-security/introduction-aws-security
∗∗∗ Financial Fraud APK Campaign ∗∗∗
---------------------------------------------
Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-apks-steal-pii-from-chinese-u…
∗∗∗ CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign ∗∗∗
---------------------------------------------
This blog delves into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malware's payload.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for…
=====================
= Vulnerabilities =
=====================
∗∗∗ Buffer overflow and other security vulnerabilities in IBM Business Automation Workflow ∗∗∗
---------------------------------------------
Attackers can inject code, bring components to a halt, and siphon off secret information. IBM informs customers about countermeasures.
---------------------------------------------
https://www.heise.de/-9596204.html
∗∗∗ Splunk, cacti, checkmk: security vulnerabilities in monitoring software ∗∗∗
---------------------------------------------
There are security problems in three popular monitoring products. Admins should take care of updates.
---------------------------------------------
https://www.heise.de/-9595021.html
∗∗∗ Bluetooth vulnerability: Apple secures keyboards with new firmware ∗∗∗
---------------------------------------------
Due to a bug it was possible to record Bluetooth traffic. However, the attacker needed physical access to the keyboard.
---------------------------------------------
https://www.heise.de/-9595522.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c).
---------------------------------------------
https://lwn.net/Articles/958124/
∗∗∗ Security Bulletin for Trend Micro Apex Central ∗∗∗
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000296153?language=en_US
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-01-2024 18:00 − Thursday 11-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Atomic Stealer rings in the new year with updated version ∗∗∗
---------------------------------------------
Mac users should be aware of an active distribution campaign via malicious ads delivering Atomic Stealer. The latest iteration of the malware is stealthy thanks to added encryption and obfuscation of its code.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-steale…
∗∗∗ SECGlitcher (Part 1) - Reproducible Voltage Glitching on STM32 Microcontrollers ∗∗∗
---------------------------------------------
Voltage glitching is a technique used in hardware security testing to try to bypass or modify the normal operation of a device by injecting a glitch.
---------------------------------------------
https://sec-consult.com/blog/detail/secglitcher-part-1-reproducible-voltage…
∗∗∗ Beware of imitators: dangers from fake messaging apps and app mods ∗∗∗
---------------------------------------------
Clones and mods of WhatsApp, Telegram and Signal remain a popular means of spreading malware. Don't let yourself be fooled.
---------------------------------------------
https://www.welivesecurity.com/de/mobile-sicherheit/achtung-nachahmer-gefah…
∗∗∗ Beware of celebrity clones on social media: how criminals deceive loyal fans ∗∗∗
---------------------------------------------
Christina Stürmer, Hubert von Goisern or Christopher Seiler: these are just 3 of numerous Austrian celebrities present on Facebook and Instagram - though not with only a single profile. Criminals create fake profiles on which they pose as these stars in order to take money out of loyal fans' pockets.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-promi-klonen-auf-social…
∗∗∗ Medusa Ransomware Turning Your Files into Stone ∗∗∗
---------------------------------------------
Medusa ransomware gang has not only escalated activities but launched a leak site. We also analyze new TTPS encountered in an incident response case.
---------------------------------------------
https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ No patch available: Ivanti Connect Secure and Policy Secure are vulnerable ∗∗∗
---------------------------------------------
Ivanti Connect Secure and Policy Secure contain actively exploited security vulnerabilities. There are no patches so far - only a workaround.
---------------------------------------------
https://www.golem.de/news/kein-patch-verfuegbar-ivanti-connect-secure-und-p…
∗∗∗ Zoho ManageEngine: code injection possible in ADSelfService Plus ∗∗∗
---------------------------------------------
A critical security vulnerability exists in Zoho ManageEngine ADSelfService Plus. Attackers can use it to inject malicious code.
---------------------------------------------
https://www.heise.de/news/Zoho-ManageEngine-Codeschmuggel-in-ADSelfService-…
∗∗∗ Security patch: API flaw in Cisco Unity Connection turns attackers into root ∗∗∗
---------------------------------------------
Various Cisco network products are vulnerable. One vulnerability is rated critical.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatch-API-Fehler-in-Cisco-Unity-Connec…
∗∗∗ BIOS security updates from Dell and Lenovo ∗∗∗
---------------------------------------------
Dell provides updated BIOS versions for some devices. AMI closes several security vulnerabilities, and Lenovo passes these on.
---------------------------------------------
https://www.heise.de/news/BIOS-Sicherheitsupdates-von-Dell-und-Lenovo-95940…
∗∗∗ Security patch: IBM Security Verify vulnerable to root attacks ∗∗∗
---------------------------------------------
The developers have closed several security vulnerabilities in IBM's access management solution Security Verify.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatch-IBM-Security-Verify-fuer-Root-At…
∗∗∗ Juniper Networks fixes numerous vulnerabilities ∗∗∗
---------------------------------------------
Juniper Networks has published 27 security advisories. They affect Junos OS, Junos OS Evolved and various hardware.
---------------------------------------------
https://www.heise.de/news/Juniper-Networks-bessert-zahlreiche-Schwachstelle…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (chromium, python-paramiko, tigervnc, and xorg-x11-server), Oracle (ipa, libxml2, python-urllib3, python3, and squid), Red Hat (.NET 6.0, .NET 7.0, .NET 8.0, container-tools:4.0, fence-agents, frr, gnutls, idm:DL1, ipa, kernel, kernel-rt, libarchive, libxml2, nss, openssl, pixman, python-urllib3, python3, tigervnc, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (gstreamer-plugins-bad), and Ubuntu (firefox, Go, linux-aws, [...]
---------------------------------------------
https://lwn.net/Articles/958029/
∗∗∗ Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN ∗∗∗
---------------------------------------------
Volexity analyzed one of the collected memory samples and uncovered the exploit chain used by the attacker. Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE).
---------------------------------------------
https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-da…
∗∗∗ Cisco TelePresence Management Suite Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Apache ActiveMQ OpenWire Protocol Class Type Manipulation Arbitrary Code Execution Vulnerability affects Atos Unify OpenScape UC and Atos Unify Common Management Platform ∗∗∗
---------------------------------------------
https://networks.unify.com/security/advisories/OBSO-2401-02.pdf
∗∗∗ ZDI Security Advisories ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Rapid Software LLC Rapid SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-04
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-01-2024 18:00 − Wednesday 10-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Sender data decrypted: China has apparently "cracked" Apple's AirDrop protocol ∗∗∗
---------------------------------------------
Forensic experts from Beijing have allegedly succeeded in decrypting phone numbers and e-mail addresses of AirDrop senders.
---------------------------------------------
https://www.golem.de/news/absenderdaten-entschluesselt-china-hat-wohl-apple…
∗∗∗ Jenkins Brute Force Scans, (Tue, Jan 9th) ∗∗∗
---------------------------------------------
Our honeypots saw a number of scans for "/j_acegi_security_check" the last two days. This URL has not been hit much lately, but was hit pretty hard last March. The URL is associated with Jenkins, and can be used to brute force passwords.
---------------------------------------------
https://isc.sans.edu/diary/rss/30546
∗∗∗ CISA requirements: more security for the Microsoft cloud ∗∗∗
---------------------------------------------
CISA's security requirements for the Microsoft cloud are finished. We show what is behind the recommendations and where they differ from those of MS and CIS.
---------------------------------------------
https://www.heise.de/-9591800.html
∗∗∗ Microsoft Patchday: Kerberos authentication under Windows vulnerable ∗∗∗
---------------------------------------------
Important security updates for Azure, Office, Windows and more have been released. Attacks may be imminent. A BitLocker patch is causing problems.
---------------------------------------------
https://www.heise.de/-9592648.html
∗∗∗ Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin ∗∗∗
---------------------------------------------
On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view [...]
---------------------------------------------
https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabi…
∗∗∗ Siemens, Schneider Electric Release First ICS Patch Tuesday Advisories of 2024 ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric publish a total of 7 new security advisories addressing 22 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/siemens-schneider-electric-release-first-ics-p…
∗∗∗ Attention: increased PayLife phishing e-mails in circulation ∗∗∗
---------------------------------------------
Protect your credit card data and beware of phishing e-mails in the name of PayLife. In the e-mails, criminals claim that you must take steps and follow a link because of the obligation to use two-factor authentication. You land on a copy of the PayLife site that is barely recognizable as a fake. Do not enter any data there!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vermehrt-paylife-phishing-ma…
∗∗∗ ‘Yet another Mirai-based botnet’ is spreading an illicit cryptominer ∗∗∗
---------------------------------------------
A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday. Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year, and it has various quirks that complicate analysis of the malware and point to highly-skilled threat actors.
---------------------------------------------
https://therecord.media/mirai-based-botnet-spreading-akamai
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-expl…
∗∗∗ Apache Applications Targeted by Stealthy Attacker ∗∗∗
---------------------------------------------
Researchers at Aqua Nautilus have uncovered a new attack targeting Apache Hadoop and Flink applications. This attack is particularly intriguing due to the attackers' use of packers and rootkits to conceal the malware. The simplicity with which these techniques are employed presents a significant challenge to traditional security defenses.
---------------------------------------------
https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-steal…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2024-01-10 ∗∗∗
---------------------------------------------
Security Impact Rating: 1x Critical, 6x Medium
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Lenovo Security Advisories 2024-01-09 ∗∗∗
---------------------------------------------
- AMI MegaRAC Vulnerabilities
- Lenovo XClarity Administrator (LXCA) Vulnerability
- Lenovo Vantage Vulnerabilities
- Lenovo Tablet Vulnerabilities
- TianoCore EDK II BIOS Vulnerabilities
---------------------------------------------
https://support.lenovo.com/at/en/product_security/home
∗∗∗ Adobe Patchday: several vulnerabilities in Substance 3D Stager closed ∗∗∗
---------------------------------------------
Adobe's application for creating 3D scenes, Substance 3D Stager, is vulnerable. A bug-fixed version is available for download.
---------------------------------------------
https://www.heise.de/-9592712.html
∗∗∗ Update for Google Chrome: high-risk security hole sealed ∗∗∗
---------------------------------------------
Google has updated the Chrome web browser on schedule. In doing so, the developers have closed a security vulnerability rated as high risk.
---------------------------------------------
https://www.heise.de/-9592658.html
∗∗∗ Update against privilege escalation in FortiOS and FortiProxy ∗∗∗
---------------------------------------------
Fortinet warns of a flaw in the privilege management of FortiOS and FortiProxy in HA clusters. Malicious actors can escalate their privileges.
---------------------------------------------
https://www.heise.de/-9592816.html
∗∗∗ Web conferencing: Zoom security vulnerabilities allow privilege escalation ∗∗∗
---------------------------------------------
Zoom is distributing updated video conferencing software. It closes a security vulnerability through which attackers can escalate their privileges.
---------------------------------------------
https://www.heise.de/-9593000.html
∗∗∗ 2022-01 Security Bulletin: Junos OS Evolved: Telnet service may be enabled when it is expected to be disabled. (CVE-2022-22164) ∗∗∗
---------------------------------------------
Modification History
2022-01-12: Initial Publication
2024-01-10: updated the JSA with information on an additional PR which fixed some releases which were not completely fixed originally
---------------------------------------------
https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (libssh), Gentoo (FAAD2 and RedCloth), Red Hat (kpatch-patch and nss), SUSE (hawk2, LibreOffice, opera, and tar), and Ubuntu (glibc, golang-1.13, golang-1.16, linux-azure, linux-gkeop, monit, and postgresql-9.5).
---------------------------------------------
https://lwn.net/Articles/957340/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ SVD-2024-0104: Splunk User Behavior Analytics (UBA) Third-Party Package Updates ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0104
∗∗∗ SVD-2024-0103: Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0103
∗∗∗ SVD-2024-0102: Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0102
∗∗∗ SVD-2024-0101: Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0101
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-01-2024 18:00 − Tuesday 09-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware ∗∗∗
---------------------------------------------
A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.
---------------------------------------------
https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html
∗∗∗ Scruples just a pretext? Ransomware gangs attack hospitals ∗∗∗
---------------------------------------------
Although the LockBit operator publicly rails against one of its affiliates, it is nonetheless not above extorting hospitals. Others even threaten patients.
---------------------------------------------
https://www.heise.de/news/Skrupel-nur-vorgeschoben-Ransomware-Banden-attack…
∗∗∗ Beware of phishing emails in the name of KingBill GmbH ∗∗∗
---------------------------------------------
In a fake email in the name of "KingBill GmbH" you are asked to block your open payments to KingBill. Supposedly, outstanding invoices are now being settled via a secondary bank account. You are urged to reply to the email immediately. This email is, however, a scam intended to steal your money.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-phishing-mails-im-namen…
∗∗∗ Roles allowing to abuse Entra ID federation for persistence and privilege escalation ∗∗∗
---------------------------------------------
Microsoft Entra ID (formerly known as Azure AD) allows delegation of authentication to another identity provider through the legitimate federation feature. However, attackers with elevated privileges can abuse this feature, leading to persistence and privilege escalation.
---------------------------------------------
https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federa…
∗∗∗ New decryptor for Babuk Tortilla ransomware variant released ∗∗∗
---------------------------------------------
Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.
---------------------------------------------
https://blog.talosintelligence.com/decryptor-babuk-tortilla/
=====================
= Vulnerabilities =
=====================
∗∗∗ SAP Patch Day: Some critical vulnerabilities in business software ∗∗∗
---------------------------------------------
SAP's January Patch Day addresses security vulnerabilities, some of them critical. Security notes are available for a total of ten vulnerabilities.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-Teils-kritische-Luecken-in-Geschaeft…
∗∗∗ Synology warns of security vulnerability in the DSM operating system ∗∗∗
---------------------------------------------
Synology has issued a warning about a security vulnerability in the DSM operating system for NAS systems. Updates have been available for some time.
---------------------------------------------
https://www.heise.de/news/Synology-warnt-vor-Sicherheitsluecke-im-DSM-Betri…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (squid), Fedora (podman), Mageia (dropbear), SUSE (eclipse-jgit, jsch, gcc13, helm3, opusfile, qt6-base, thunderbird, and wireshark), and Ubuntu (clamav, libclamunrar, and qemu).
---------------------------------------------
https://lwn.net/Articles/957236/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ SSA-794653 V1.0: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-794653.html
∗∗∗ SSA-786191 V1.0: Local Privilege Escalation Vulnerability in Spectrum Power 7 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-786191.html
∗∗∗ SSA-777015 V1.0: Multiple Vulnerabilities in SIMATIC CN 4100 before V2.7 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-777015.html
∗∗∗ SSA-702935 V1.0: Redfish Server Vulnerability in maxView Storage Manager ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-702935.html
∗∗∗ SSA-589891 V1.0: Multiple PAR File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-589891.html
∗∗∗ SSA-583634 V1.0: Command Injection Vulnerability in the CPCI85 Firmware of SICAM A8000 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-583634.html
∗∗∗ Open Port 8899 in BCC Thermostat Product ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-473852.html
∗∗∗ CVE-2023-48795 Impact of Terrapin SSH Attack (Severity: NONE) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-48795
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-01-2024 18:00 − Monday 08-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Post-quantum cryptography: Kyber encryption scheme harbors weaknesses ∗∗∗
---------------------------------------------
By measuring the computation time required for certain division operations, secret Kyber keys can apparently be reconstructed.
---------------------------------------------
https://www.golem.de/news/post-quanten-kryptografie-verschluesselungsverfah…
∗∗∗ Suspicious Prometei Botnet Activity, (Sun, Jan 7th) ∗∗∗
---------------------------------------------
On 31 Dec 2023, after trying multiple username/password combinations, an actor using IP 194.30.53.68 successfully logged in to the honeypot and uploaded eight files, two of which are protected with a 7zip password (updates1.7z & updates2.7z). Some of these files have been identified by VirusTotal as related to the Prometei trojan.
---------------------------------------------
https://isc.sans.edu/diary/rss/30538
∗∗∗ Bypass Cognito Account Enumeration Controls ∗∗∗
---------------------------------------------
Amazon Cognito is a popular “sign-in as a service” offering from AWS. It allows developers to push the responsibility of developing authentication, sign up, and secure credential storage to AWS so they can instead focus on building their app. [..] This bypass was originally reported via a GitHub issue in July 2020 and Cognito is still vulnerable as of early 2024.
---------------------------------------------
https://hackingthe.cloud/aws/enumeration/bypass_cognito_user_enumeration_co…
∗∗∗ Patch now! Attacks on messaging platform Apache RocketMQ ∗∗∗
---------------------------------------------
Security researchers are currently observing attack attempts against the messaging and streaming platform Apache RocketMQ. Security updates have been available since May 2023.
---------------------------------------------
https://www.heise.de/-9590555
∗∗∗ Security updates: Malicious code and DoS attacks on Qnap NAS possible ∗∗∗
---------------------------------------------
Attackers can target Qnap network storage devices. Security patches provide a remedy.
---------------------------------------------
https://www.heise.de/-9589870
∗∗∗ The OAuth backdoor: Google plays it down ∗∗∗
---------------------------------------------
Search engine giant Google sees no security vulnerability in the interface exploited by criminals; according to the company, it works as intended.
---------------------------------------------
https://www.heise.de/-9589840
∗∗∗ NIST: No Silver Bullet Against Adversarial Machine Learning Attacks ∗∗∗
---------------------------------------------
NIST has published a report on adversarial machine learning attacks and mitigations, and cautioned that there is no silver bullet for these types of threats.
---------------------------------------------
https://www.securityweek.com/nist-no-silver-bullet-against-adversarial-mach…
∗∗∗ Advertising for lost Post parcels for € 1.95 is a scam ∗∗∗
---------------------------------------------
An advertisement circulating on Facebook and in Facebook Messenger promises lost Post parcels for € 1.95. The ad gives the impression that the offer comes from the Post itself. The parcels allegedly contain high-priced electronics such as laptops, game consoles or smartwatches. This is, however, a fraudulent advertisement that has nothing to do with the Austrian Post!
---------------------------------------------
https://www.watchlist-internet.at/news/werbung-fuer-verlorene-pakete-der-po…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices ∗∗∗
---------------------------------------------
Pentagrid identified several vulnerabilities in Lantronix's EDS-MD product during a penetration test. The EDS-MD is an IoT gateway for medical devices and equipment. The vulnerabilities include an authenticated command injection, cross-site request forgery, missing authentication for the AES-encrypted communication, cross-site scripting vulnerabilities, outdated software components, and more.
---------------------------------------------
https://www.pentagrid.ch/en/blog/multiple-vulnerabilties-in-lantronix-eds-m…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (exim4), Fedora (chromium, perl-Spreadsheet-ParseExcel, python-aiohttp, python-pysqueezebox, and tinyxml), Gentoo (Apache Batik, Eclipse Mosquitto, firefox, R, Synapse, and util-linux), Mageia (libssh2 and putty), Red Hat (squid), SUSE (libxkbcommon), and Ubuntu (gnutls28).
---------------------------------------------
https://lwn.net/Articles/957146/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Qt: Security advisory: Potential Integer Overflow in Qt's HTTP2 implementation ∗∗∗
---------------------------------------------
https://www.qt.io/blog/security-advisory-potential-integer-overflow-in-qts-…
∗∗∗ BOSCH-SA-711465: Multiple vulnerabilities in Nexo cordless nutrunner ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-711465.html
∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/08/cisa-adds-six-known-expl…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-01-2024 18:00 − Friday 05-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Critical code execution vulnerability threatens Ivanti Endpoint Manager ∗∗∗
---------------------------------------------
Under certain conditions, attackers can execute malicious code on Ivanti EPM servers.
---------------------------------------------
https://www.heise.de/-9587991.html
∗∗∗ Ransomware: One extortion is immediately followed by the next ∗∗∗
---------------------------------------------
Online criminals are becoming ever bolder and exploit ransomware victims several times over.
---------------------------------------------
https://www.heise.de/-9588424.html
∗∗∗ Fitness app "Mad Muscles": Cost trap instead of support for New Year's resolutions ∗∗∗
---------------------------------------------
The dubious provider "Mad Muscles" is currently advertising massively on Facebook and Instagram. The message? "Building muscle isn't as hard as it sounds!" Such messages are especially popular around the turn of the year, as the offers are supposed to help people keep their New Year's resolutions. What the advertising doesn't mention: the operators of madmuscles.com and the associated "Mad Muscle App" are no more transparent about company information than about the total costs. On top of that, according to user reports, cancellations are made difficult.
---------------------------------------------
https://www.watchlist-internet.at/news/fitness-app-mad-muscles-kostenfalle-…
∗∗∗ The source code of Zeppelin Ransomware sold on a hacking forum ∗∗∗
---------------------------------------------
Researchers from cybersecurity firm KELA reported that a threat actor announced on a cybercrime forum the sale of the source code and a cracked version of the Zeppelin ransomware builder for $500.
---------------------------------------------
https://securityaffairs.com/156974/cyber-crime/zeppelin-ransomware-source-c…
∗∗∗ New Bandook RAT Variant Resurfaces, Targeting Windows Machines ∗∗∗
---------------------------------------------
A new variant of remote access trojan called Bandook has been observed being propagated via phishing attacks with an aim to infiltrate Windows machines, underscoring the continuous evolution of the malware. Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.
---------------------------------------------
https://thehackernews.com/2024/01/new-bandook-rat-variant-resurfaces.html
∗∗∗ SpectralBlur: New macOS Backdoor Threat from North Korean Hackers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. “SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [...]
---------------------------------------------
https://thehackernews.com/2024/01/spectralblur-new-macos-backdoor-threat.ht…
∗∗∗ Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer ∗∗∗
---------------------------------------------
Using extractors written in Python, we detail our system for extracting internal malware configurations from memory dumps. GuLoader and RedLine Stealer are our examples.
---------------------------------------------
https://unit42.paloaltonetworks.com/malware-configuration-extraction-techni…
=====================
= Vulnerabilities =
=====================
∗∗∗ Inductive Automation Trust Center Updates ∗∗∗
---------------------------------------------
Inductive Automation offers a special thanks to the following security researchers from Trend Micro Zero Day Initiative, Star Labs, Incite Team, and Claroty Research Team82 for their hard work in finding and responsibly disclosing security vulnerabilities described in this tech advisory. All reported issues have been resolved as of Ignition 8.1.35. Inductive Automation recommends upgrading Ignition to the current version to address known vulnerabilities.
---------------------------------------------
https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-69…
∗∗∗ QNAP Security Advisories ∗∗∗
---------------------------------------------
- Vulnerability in QcalAgent
- Multiple Vulnerabilities in QTS and QuTS hero
- Multiple Vulnerabilities in QuMagie
- Multiple Vulnerabilities in Video Station
- Vulnerability in Netatalk
---------------------------------------------
https://www.qnap.com/en-us/security-advisories
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk, chromium, exim4, netatalk, and tomcat9), Fedora (chromium), Gentoo (BlueZ, c-ares, CUPS filters, RDoc, and WebKitGTK+), Oracle (firefox, squid:4, thunderbird, and tigervnc), SUSE (python-aiohttp and python-paramiko), and Ubuntu (linux-intel-iotg).
---------------------------------------------
https://lwn.net/Articles/957005/
∗∗∗ Security Update for Ivanti EPM ∗∗∗
---------------------------------------------
[...] We are reporting this vulnerability as CVE-2023-39366. We have no indication that customers have been impacted by this vulnerability.
This vulnerability impacts all supported versions of the product, and the issue has been resolved in Ivanti EPM 2022 Service Update 5.
If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication.
---------------------------------------------
https://www.ivanti.com/blog/security-update-for-ivanti-epm
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-01-2024 18:00 − Thursday 04-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Mandiant’s account on X hacked to push cryptocurrency scam ∗∗∗
---------------------------------------------
The Twitter account of American cybersecurity firm and Google subsidiary Mandiant was hijacked earlier today to impersonate the Phantom crypto wallet and share a cryptocurrency scam.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mandiants-account-on-x-hacke…
∗∗∗ UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT ∗∗∗
---------------------------------------------
The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software. [..] "Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems," the researchers said.
---------------------------------------------
https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html
∗∗∗ Three Ways To Supercharge Your Software Supply Chain Security ∗∗∗
---------------------------------------------
If you make software and ever hope to sell it to one or more federal agencies, you have to pay attention to this. Even if you never plan to sell to a government, understanding your Software Supply Chain and learning how to secure it will pay dividends in a stronger security footing and the benefits it provides.
---------------------------------------------
https://thehackernews.com/2024/01/three-ways-to-supercharge-your-software.h…
∗∗∗ Internet disruptions in Spain: Orange's RIPE account cracked ∗∗∗
---------------------------------------------
There were disruptions in the Spanish internet. The account of the provider Orange at RIPE was cracked, and the attackers redirected routes. [..] A weak password ("ripeadmin") and the absence of two-factor authentication made it easy for the attacker. [..] A response to an inquiry to the RIPE NCC about further affected or at-risk accounts, and about a possible requirement that RIPE accounts be mandatorily protected with two-factor authentication in the future, is still pending. Orange Spain got off lightly; apparently the attacker only wanted to embarrass the provider.
---------------------------------------------
https://www.heise.de/-9587184
∗∗∗ Terrapin attack: Millions of SSH servers vulnerable, risk nonetheless manageable ∗∗∗
---------------------------------------------
Although more than half of all SSH servers reachable on the internet are affected, admins can breathe a sigh of relief: a successful attack is difficult.
---------------------------------------------
https://www.heise.de/-9587473
∗∗∗ Beyond Protocols: How Team Camaraderie Fortifies Security ∗∗∗
---------------------------------------------
The most efficient and effective teams have healthy and constructive cultures that encourage team members to go above and beyond the call of duty.
---------------------------------------------
https://www.securityweek.com/beyond-protocols-how-team-camaraderie-fortifie…
∗∗∗ "Immediate action required": Mass phishing emails in the name of A1 in circulation ∗∗∗
---------------------------------------------
Numerous consumers are currently contacting Watchlist Internet about fake emails in the name of A1. The email claims that "unusual connections" have been detected and that "your immediate attention" is therefore required "to ensure the security of your account". At the same time, it threatens to block the account. We can give the all-clear: it is a scam.
---------------------------------------------
https://www.watchlist-internet.at/news/sofortiges-handeln-erforderlich-mass…
∗∗∗ CVE-2022-1471: SnakeYAML Deserialization Deep Dive ∗∗∗
---------------------------------------------
Get an overview of SnakeYAML deserialization vulnerabilities (CVE-2022-1471) - how it works, why it works, and what it affects.
---------------------------------------------
https://www.greynoise.io/blog/cve-2022-1471-snakeyaml-deserialization-deep-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Update for Google Chrome closes six security vulnerabilities ∗∗∗
---------------------------------------------
Google has released updated Chrome versions. They close six security vulnerabilities, several of them rated high risk.
---------------------------------------------
https://www.heise.de/-9586697
∗∗∗ Android Patch Day: Attackers can obtain higher privileges ∗∗∗
---------------------------------------------
Android devices are vulnerable to attacks. Google, Samsung and others are providing security updates.
---------------------------------------------
https://www.heise.de/-9586713
∗∗∗ Network analysis tool Wireshark secured against possible attacks ∗∗∗
---------------------------------------------
The Wireshark developers have closed several security vulnerabilities in the current versions.
---------------------------------------------
https://www.heise.de/-9587170
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), Red Hat (squid:4), SUSE (exim, libcryptopp, and proftpd), and Ubuntu (openssh and sqlite3).
---------------------------------------------
https://lwn.net/Articles/956855/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-02
∗∗∗ Rockwell Automation FactoryTalk Activation ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-01-2024 18:00 − Wednesday 03-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Leaksmas: Cybercriminals also gave each other presents for Christmas ∗∗∗
---------------------------------------------
Around Christmas, more than 50 million new data records from various sources were published on the darknet. The timing was no coincidence. Cybercriminals apparently used the Christmas season to gift one another extensive data sets stolen from various companies and government agencies.
---------------------------------------------
https://www.golem.de/news/leaksmas-auch-cyberkriminelle-haben-sich-zu-weihn…
∗∗∗ Google accounts at risk: Exploit allows malicious access despite password reset ∗∗∗
---------------------------------------------
Through a weakness in an OAuth endpoint, cybercriminals can gain persistent access to a target's Google account. [..] Google has apparently not yet issued an official statement on the abuse of the Multilogin endpoint. Given the mitigation measures, however, it can be assumed that the company is aware of the problem.
---------------------------------------------
https://www.golem.de/news/google-konten-in-gefahr-exploit-erlaubt-boeswilli…
∗∗∗ Interesting large and small malspam attachments from 2023, (Wed, Jan 3rd) ∗∗∗
---------------------------------------------
At the end of a year, or at the beginning of a new one, I like to go over all malicious attachments that were caught in my e-mail trap over the last 12 months, since this can provide a good overview of long-term malspam trends and may sometimes lead to other interesting discoveries.
---------------------------------------------
https://isc.sans.edu/diary/rss/30524
∗∗∗ Don’t trust links with known domains: BMW affected by redirect vulnerability ∗∗∗
---------------------------------------------
Cybernews researchers have discovered two BMW subdomains that were vulnerable to SAP redirect vulnerability. They were used to access the internal workplace systems for BMW dealers and could have been useful to attackers for spear-phishing campaigns or malware distribution. [..] Cybernews researchers immediately disclosed the vulnerability to BMW, and it was promptly fixed.
---------------------------------------------
https://securityaffairs.com/156843/reports/bmw-affected-by-redirect-vulnera…
∗∗∗ How to Stop a DDoS Attack in 5 Steps ∗∗∗
---------------------------------------------
In this post, we’ll cover some essential fundamentals on how to stop a DDoS attack and prevent them from happening in the future.
---------------------------------------------
https://blog.sucuri.net/2024/01/how-to-stop-a-ddos-attack.html
∗∗∗ Do not accept unexpected cash-on-delivery shipments! ∗∗∗
---------------------------------------------
We are currently receiving an increasing number of reports about unexpected parcel deliveries that must be paid for cash on delivery upon acceptance. After acceptance, it frequently turns out that the contents are worthless or that the goods were never ordered. Caution: only accept cash-on-delivery shipments if you are expecting such a parcel and know the sender. In case of problems, a refund via the Post is no longer possible!
---------------------------------------------
https://www.watchlist-internet.at/news/nehmen-sie-keine-unerwarteten-nachna…
∗∗∗ Decoding ethical hacking: A comprehensive exploration of white hat practices ∗∗∗
---------------------------------------------
In summation, ethical hacking emerges as a linchpin in fortifying cybersecurity defenses. Adopting a proactive approach, ethical hackers play a pivotal role in identifying vulnerabilities, assessing risks, and ensuring that organizations exhibit resilience in the face of evolving cyber threats.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/decoding-ethical-ha…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel), Fedora (slurm), Oracle (kernel and postgresql:15), Red Hat (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), SUSE (polkit, postfix, putty, w3m, and webkit2gtk3), and Ubuntu (nodejs).
---------------------------------------------
https://lwn.net/Articles/956694/
∗∗∗ WordPress MyCalendar Plugin - Unauthenticated SQL Injection (CVE-2023-6360) ∗∗∗
---------------------------------------------
WordPress Core is the most popular web Content Management System (CMS). This free and open-source CMS written in PHP allows developers to develop web applications quickly by allowing customization through plugins and themes. In this article, we will analyze an unauthenticated SQL injection vulnerability found in the MyCalendar plugin.
---------------------------------------------
https://medium.com/tenable-techblog/wordpress-mycalendar-plugin-unauthentic…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 29-12-2023 18:00 − Tuesday 02-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK ∗∗∗
---------------------------------------------
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.
---------------------------------------------
https://thehackernews.com/2023/12/cert-ua-uncovers-new-malware-wave.html
∗∗∗ New vulnerability in an old email protocol: SMTP smuggling ∗∗∗
---------------------------------------------
Security researchers have discovered a weakness in the Simple Mail Transfer Protocol (SMTP). It takes sender spoofing to a new level.
---------------------------------------------
https://www.heise.de/-9584467
∗∗∗ Ransomware: Flaw in Black Basta's code enables decryption tool ∗∗∗
---------------------------------------------
Under certain conditions, the free decryption tool Black Basta Buster can help victims of the Black Basta ransomware.
---------------------------------------------
https://www.heise.de/-9584846
∗∗∗ New DLL Search Order Hijacking Technique Targets WinSxS Folder ∗∗∗
---------------------------------------------
Attackers can abuse a new DLL search order hijacking technique to execute code in applications within the WinSxS folder.
---------------------------------------------
https://www.securityweek.com/new-dll-search-order-hijacking-technique-targe…
∗∗∗ Domain (in)security: the state of DMARC ∗∗∗
---------------------------------------------
This blog discusses the state of DMARC, the role that DMARC plays in email authentication, and why it should be a key component of your email security solution.
---------------------------------------------
https://www.bitsight.com/blog/domain-insecurity-state-dmarc
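As an added example (this editor's code, not from the Bitsight post): a minimal DMARC evaluator in Python showing the role DMARC plays on top of SPF and DKIM. DMARC (RFC 7489) does not authenticate a message itself; it asks whether an SPF pass or a DKIM pass is aligned with the domain in the RFC5322.From header and, if neither is, applies the policy the domain owner published (p=none, quarantine or reject). The record, domains and function names are constructed; the organisational-domain shortcut (last two labels) stands in for a Public Suffix List lookup and is an assumption, and pct= sampling is not modelled.

```python
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC1 record (needs v=DMARC1 and p=)")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels.
    Assumption for this example: real evaluators consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' requires an exact match,
    'r' (the default) only the same organisational domain."""
    if mode.lower() == "s":
        return identifier.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_disposition(
    record: str,
    from_domain: str,
    spf_result: str,
    spf_domain: str,
    dkim_result: str,
    dkim_domain: str,
) -> str:
    """Return 'pass' if any aligned authentication passed, otherwise the
    published policy: 'none', 'quarantine' or 'reject'.
    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated on;
    dkim_domain is the d= tag of the signature that verified."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"].lower()


# Constructed record: strict DKIM alignment, relaxed SPF alignment, reject policy.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Legitimate mail: SPF passes on a subdomain bounce address; relaxed SPF alignment accepts it.
    print(dmarc_disposition(RECORD, "example.com", "pass", "bounce.example.com", "none", ""))
    # Spoof: SPF passes for the attacker's own domain, which does not align; no DKIM.
    print(dmarc_disposition(RECORD, "example.com", "pass", "attacker.example", "none", ""))
    # DKIM signed with a subdomain key: strict DKIM alignment does not accept it.
    print(dmarc_disposition(RECORD, "example.com", "fail", "attacker.example", "pass", "mail.example.com"))
```

The second scenario is the one DMARC exists for: an SPF pass on its own proves nothing about the From: header, and only the alignment check turns it into a reject.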
=====================
= Vulnerabilities =
=====================
∗∗∗ Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise ∗∗∗
---------------------------------------------
In this post I describe the 18 vulnerabilities that I discovered in PandoraFMS Enterprise v7.0NG.767 available at https://pandorafms.com. PandoraFMS is an enterprise scale network monitoring and management application which provides systems administrators with a central ‘hub’ to monitor and manipulate the state of computers (agents) deployed across the network.
---------------------------------------------
https://research.nccgroup.com/2024/01/02/technical-advisory-multiple-vulner…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible, asterisk, cjson, firefox-esr, kernel, libde265, libreoffice, libspreadsheet-parseexcel-perl, php-guzzlehttp-psr7, thunderbird, tinyxml, and xerces-c), Fedora (podman-tui, proftpd, python-asyncssh, squid, and xerces-c), Mageia (libssh and proftpd), and SUSE (deepin-compressor, gnutls, gstreamer, libreoffice, opera, proftpd, and python-pip).
---------------------------------------------
https://lwn.net/Articles/956521/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Gentoo (Joblib), Red Hat (firefox and thunderbird), SUSE (gstreamer-plugins-bad, libssh2_org, and webkit2gtk3), and Ubuntu (firefox and thunderbird).
---------------------------------------------
https://lwn.net/Articles/956568/
∗∗∗ Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7103673
∗∗∗ Multiple vulnerabilities affect IBM Storage Scale Hadoop Connector ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7104389
∗∗∗ IBM Maximo Application Suite uses axios-0.25.0.tgz which is vulnerable to CVE-2023-45857 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7104391
∗∗∗ IBM Maximo Application Suite uses WebSphere Liberty which is vulnerable to CVE-2023-46158, CVE-2023-44483 and CVE-2023-44487 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7104390
∗∗∗ Vulnerabilities in Apache Ant affect IBM Operations Analytics - Log Analysis (CVE-2020-11023, CVE-2020-23064, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7104401
∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7037900
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily