Daily

daily@lists.cert.at

1 participants
3137 discussions

Tageszusammenfassung - 16.02.2024
by Daily end-of-shift report 16 Feb '24

16 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-02-2024 18:00 − Freitag 16-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RansomHouse gang automates VMware ESXi attacks with new MrAgent tool ∗∗∗ --------------------------------------------- The RansomHouse ransomware operation has created a new tool named MrAgent that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomhouse-gang-automates-v… ∗∗∗ Berliner Kritis-Lieferant: PSI Software nimmt Systeme nach Cyberangriff offline ∗∗∗ --------------------------------------------- Der Softwarekonzern beliefert unter anderem Betreiber von Energienetzen und Verkehrsinfrastrukturen sowie Kunden aus den Bereichen Industrie und Logistik. --------------------------------------------- https://www.golem.de/news/berliner-kritis-lieferant-psi-software-nimmt-syst… ∗∗∗ Phishing und Spoofing: BSI gibt Hinweise zur E-Mail-Authentifizierung ∗∗∗ --------------------------------------------- Gewappnet mit Standards wie SPF, DKIM und DMARC könnten Anbieter selbst neue Angriffe wie SMTP-Smuggling erschweren, heißt es in einer Technischen Richtlinie. --------------------------------------------- https://www.heise.de/-9631309 ∗∗∗ F5 behebt 20 Sicherheitslücken in Big-IP-Loadbalancer, WAF und nginx ∗∗∗ --------------------------------------------- Unter anderem konnten Angreifer eigenen Code in den Loadbalancer einschmuggeln, nginx hingegen verschluckte sich an HTTP3/QUIC-Anfragen. --------------------------------------------- https://www.heise.de/-9629983 ∗∗∗ Falsche DHL-Boten fordern am Telefon SMS-Code für vermeintliche Paketzustellung ∗∗∗ --------------------------------------------- Kriminelle ergaunern SMS-Codes für Paket-Zustellungen. Dabei geben sich die Täter gegenüber potenziellen Opfern als angebliche DHL-Mitarbeiter aus. --------------------------------------------- https://www.heise.de/-9630541 ∗∗∗ Alpha Ransomware Emerges From NetWalker Ashes ∗∗∗ --------------------------------------------- Alpha, a new ransomware that first appeared in February 2023 and stepped up its operations in recent weeks, has strong similarities to the long-defunct NetWalker ransomware, which disappeared in January 2021 following an international law enforcement operation. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/alpha-ne… ===================== = Vulnerabilities = ===================== ∗∗∗ CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that its being likely exploited in Akira ransomware attacks. --------------------------------------------- https://thehackernews.com/2024/02/cisa-warning-akira-ransomware.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (bind), Red Hat (.NET 8.0 and kpatch-patch), SUSE (golang-github-prometheus-alertmanager, java-1_8_0-openj9, kernel, libaom, openssl-3, postgresql15, salt, SUSE Manager Client Tools, SUSE Manager Server 4.3, and webkit2gtk3), and Ubuntu (shadow). --------------------------------------------- https://lwn.net/Articles/962506/ ∗∗∗ Eight Vulnerabilities Disclosed in the AI Development Supply Chain ∗∗∗ --------------------------------------------- Details of eight vulnerabilities found in the open source supply chain used to develop in-house AI and ML models have been disclosed. All have CVE numbers, one has critical severity, and seven have high severity. [..] They are: CVE-2023-6975: arbitrary file write in MLFLow, CVSS 9.8, CVE-2023-6753: arbitrary file write on Windows in MLFlow, CVSS 9.6, CVE-2023-6730: RCE in Hugging Face Transformers via RagRetriever.from_pretrained(), CVSS 9.0, CVE-2023-6940: server side template injection bypass in MLFlow, CVSS 9.0, CVE-2023-6976: arbitrary file upload patch bypass in MLFlow, CVSS 8.8, CVE-2023-31036: RCE via arbitrary file overwrite in Triton Inference Server, CVSS 7.5, CVE-2023-6909: local file inclusion in MLFlow, CVSS 7.5, CVE-2024-0964: LFI in Gradio, CVSS 7.5 --------------------------------------------- https://www.securityweek.com/eight-vulnerabilities-disclosed-in-the-ai-deve… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.02.2024
by Daily end-of-shift report 15 Feb '24

15 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-02-2024 18:00 − Donnerstag 15-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Warnung vor kritischer Outlook RCE-Schwachstelle CVE-2024-21413 ∗∗∗ --------------------------------------------- In Microsoft Outlook wurde eine als kritisch eingestufte CVE-2024-21413 bekannt, die mit den Februar 2024 Sicherheitsupdates geschlossen wird. Die Remote Code Execution-Schwachstelle lässt sich geradezu trivial ausnutzen. [..] Die von Checkpoint Security aufgedeckte Schwachstelle ermöglicht einem Angreifer die geschützte Office-Ansicht zu umgehen und das Dokument im Bearbeitungsmodus statt im geschützten Modus zu öffnen. [..] Dazu muss der Angreifer einen bösartigen Link erstellen, der das Protected View-Protokoll umgeht. Das führt dann zum Abfluss lokaler NTLM-Anmeldeinformationen und zur Remotecodeausführung (RCE). --------------------------------------------- https://www.borncity.com/blog/2024/02/15/warnung-vor-kritischer-outlook-rce… ∗∗∗ Nachlese zu CU 14 für Exchange 2019 und Schwachstelle CVE-2024-21410 (Feb. 2024) ∗∗∗ --------------------------------------------- Zum 13. Februar 2024 wurde ja eine kritische Schwachstelle CVE-2024-21410 in Microsoft Exchange Server öffentlich. [..] Was ist mit Exchange Server 2016 und was muss ich tun, um vor CVE-2024-21410 geschützt zu sein. Hier eine Nachlese mit einem groben Abriss. --------------------------------------------- https://www.borncity.com/blog/2024/02/15/nachlese-zu-cu-14-fr-exchange-2019… ∗∗∗ New ‘Gold Pickaxe’ Android, iOS malware steals your face for fraud ∗∗∗ --------------------------------------------- A new iOS and Android trojan named GoldPickaxe employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-gold-pickaxe-android-ios… ∗∗∗ QR Phishing. Fact or Fiction? ∗∗∗ --------------------------------------------- To understand the attack you need understand the challenge that the attacker faces. Currently, most initial access attempts are carried out with social engineering, commonly phishing. Why is that? Well, it looks like people have finally got good at patching. According to the 2022 Verizon data breach incident report only 5% of data breaches investigated by them were caused by software vulnerabilities. --------------------------------------------- https://www.pentestpartners.com/security-blog/qr-phishing-fact-or-fiction/ ∗∗∗ Vorsicht vor dieser Fake Erste Bank SMS ∗∗∗ --------------------------------------------- Kriminelle versenden SMS im Namen der Erste Bank bzw. George. Darin behaupten sie, dass eine Überweisung über einen hohen Geldbetrag freigegeben oder ein Darlehen aufgenommen wurde und bitten um Kontaktaufnahmen. Kontaktieren Sie nicht die angegebene Nummer, Sie werden dazu verleitet Schadsoftware zu installieren! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dieser-fake-erste-bank-… ∗∗∗ The Complete Guide to Advanced Persistent Threats ∗∗∗ --------------------------------------------- Understanding the mechanics and implications of APTs is essential to safeguard organizations and individuals. In this comprehensive guide, we explore the world of APTs, explaining their nature, mechanisms, and the best strategies to counteract them. --------------------------------------------- https://www.emsisoft.com/en/blog/44815/the-complete-guide-to-advanced-persi… ∗∗∗ TinyTurla Next Generation - Turla APT spies on Polish NGOs ∗∗∗ --------------------------------------------- Talos, in cooperation with CERT.NGO, investigated another compromise by the Turla threat actor, with a new backdoor quite similar to TinyTurla, that we are calling TinyTurla-NG (TTNG). [..] Talos identified the existence of three different TinyTurla-NG samples, but only obtained access to two of them. This campaign’s earliest compromise date was Dec. 18, 2023, and was still active as recently as Jan. 27, 2024. However, we assess that the campaign may have started as early as November 2023 based on malware compilation dates. --------------------------------------------- https://blog.talosintelligence.com/tinyturla-next-generation/ ===================== = Vulnerabilities = ===================== ∗∗∗ AlphaESS Wechselrichter: WLAN-Zugang mit unveränderlichem Passwort ∗∗∗ --------------------------------------------- Wechselrichter und Speichersysteme von AlphaESS kommen mit optionalem WLAN-Modul. Das spannt einen Zugangspunkt mit Standard-Passwort auf. --------------------------------------------- https://www.heise.de/-9628912 ∗∗∗ Node.js: Sicherheitsupdates beheben Codeschmuggel und Serverabstürze ∗∗∗ --------------------------------------------- Neben Problemen im Kern des Projekts aktualisiert das Node-Projekt auch einige externe Bibliotheken. --------------------------------------------- https://www.heise.de/-9629299 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (edk2, postgresql-13, and postgresql-15), Fedora (engrampa, vim, and xen), Mageia (mbedtls and quictls), Oracle (nss, openssh, and tcpdump), Red Hat (.NET 8.0), SUSE (hugin, kernel, pdns-recursor, python3, tomcat, and tomcat10), and Ubuntu (clamav, edk2, linux-gcp-6.2, linux-intel-iotg-5.15, linux-oem-6.1, and ujson). --------------------------------------------- https://lwn.net/Articles/962284/ ∗∗∗ Drupal: CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-009 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpr… ∗∗∗ Autodesk: ZDI reported security vulnerabilities in the Autodesk AutoCAD Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 ∗∗∗ Palo Alto: CVE-2024-0011 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0011 ∗∗∗ Palo Alto: CVE-2024-0008 PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0008 ∗∗∗ Palo Alto: CVE-2024-0010 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Portal (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0010 ∗∗∗ Palo Alto: CVE-2024-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0007 ∗∗∗ Palo Alto: CVE-2024-0009 PAN-OS: Improper IP Address Verification in GlobalProtect Gateway (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0009 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2024
by Daily end-of-shift report 14 Feb '24

14 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-02-2024 18:00 − Mittwoch 14-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ubuntu command-not-found tool can be abused to spread malware ∗∗∗ --------------------------------------------- A logic flaw between Ubuntus command-not-found package suggestion system and the snap package repository could enable attackers to promote malicious Linux packages to unsuspecting users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ubuntu-command-not-found-too… ∗∗∗ Security review for Microsoft Edge version 121 ∗∗∗ --------------------------------------------- Microsoft Edge version 121 introduced 11 new computer settings and 11 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Fake-Angebote für Samsungs Galaxy S24, S24+ und S24 Ultra mit Nachnahmezahlung! ∗∗∗ --------------------------------------------- Vor wenigen Wochen hat Samsung das Galaxy S24, das Galaxy S24+ sowie das Galaxy S24 Ultra vorgestellt. Die Preise für die neuen Geräte bewegen sich zum Marktstart zwischen 780 und 1800 Euro für die unterschiedlichen Modelle. Um vieles billiger versprechen Kriminelle das Gerät. Für 269 Euro per Nachnahme gibt es das teuerste Gerät auf shop.mgmmgme.shop. So viel ist sicher: Das versprochene Gerät wird hier nie geliefert und Zahlungen per Nachnahme sind verloren. --------------------------------------------- https://www.watchlist-internet.at/news/fake-angebote-fuer-samsungs-galaxy-s… ∗∗∗ The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture ∗∗∗ --------------------------------------------- Recently, Check Point Research released a white paper titled “The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors”, detailing various attack vectors on Outlook to help the industry understand the security risks the popular Outlook app may bring into organizations. As mentioned in the paper, we discovered an interesting security issue in Outlook when the app handles specific hyperlinks. In this blog post, we will share our research on the issue with the security community and help defend against it. We will also highlight the broader impact of this bug in other software. --------------------------------------------- https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-mi… ∗∗∗ TicTacToe Dropper ∗∗∗ --------------------------------------------- We analyzed multiple samples of this dropper. The executable malware file was usually delivered through an .iso file. From cases directly observed in the wild, these iso files were delivered to the victim via phishing as an attachment (T1566.001). This technique of packing malware inside an iso file is typically employed to avoid detection by antivirus software and as a mark-of-the-web (MOTW) bypass technique (T1553.005). --------------------------------------------- https://feeds.fortinet.com/~/869921006/0/fortinet/blogs~TicTacToe-Dropper ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Adobe schließt Schadcode-Lücken in Acrobat & Co. ∗∗∗ --------------------------------------------- Für mehrere Adobe-Produkte sind wichtige Sicherheitsupdates erschienen. Damit haben die Entwickler unter anderem kritische Schwachstellen geschlossen. --------------------------------------------- https://www.heise.de-9627753 ∗∗∗ Webkonferenz-Tool Zoom: Rechteausweitung durch kritische Schwachstelle ∗∗∗ --------------------------------------------- Zoom warnt vor mehreren Schwachstellen in den Produkten des Unternehmens. Eine gilt als kritisches Sicherheitsrisiko. --------------------------------------------- https://www.heise.de/-9627817 ∗∗∗ Microsoft Security Update Summary (13. Februar 2024) ∗∗∗ --------------------------------------------- Am 13. Februar 2024 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 73 Schwachstellen (CVEs), zwei sind 0-day Sicherheitslücken, die bereits ausgenutzt werden. --------------------------------------------- https://www.borncity.com/blog/2024/02/13/microsoft-security-update-summary-… ∗∗∗ Released: 2024 H1 Cumulative Update for Exchange Server ∗∗∗ --------------------------------------------- Today we are announcing the availability of the 2024 H1 Cumulative Update (CU) for Exchange Server 2019 (aka CU14). CU14 includes fixes for customer reported issues, a security change, and all previously released Security Updates (SUs). --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2024-h1-… ∗∗∗ Chipmaker Patch Tuesday: AMD and Intel Patch Over 100 Vulnerabilities ∗∗∗ --------------------------------------------- AMD and Intel patch dozens of vulnerabilities on February 2024 Patch Tuesday, including multiple high-severity bugs.The post Chipmaker Patch Tuesday: AMD and Intel Patch Over 100 Vulnerabilities appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/chipmaker-patch-tuesday-amd-and-intel-patch-ov… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and unbound), Fedora (clamav, firecracker, libkrun, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, and virtiofsd), Red Hat (.NET 6.0, dotnet6.0, and dotnet7.0), Slackware (bind and dnsmasq), and Ubuntu (dotnet6, dotnet7, dotnet8, linux-lowlatency, linux-raspi, linux-nvidia-6.2, and ujson). --------------------------------------------- https://lwn.net/Articles/962077/ ∗∗∗ F5: K000138353 : Quarterly Security Notification (February 2024) ∗∗∗ --------------------------------------------- On February 14, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000138353 ∗∗∗ F5: K98606833 : BIG-IP and BIG-IQ scp vulnerability CVE-2024-21782 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K98606833 ∗∗∗ F5: K91054692 : BIG-IP Appliance mode iAppsLX vulnerability CVE-2024-23976 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K91054692 ∗∗∗ F5: K000137521 : BIG-IP AFM vulnerability CVE-2024-21763 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137521 ∗∗∗ F5: K000137334 : F5 Application Visibility and Reporting module and BIG-IP Advanced WAF/ASM vulnerability CVE-2024-23805 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137334 ∗∗∗ 2024-02-14: Cyber Security Advisory - B&R APROL SSH service vulnerable to Terrapin attack ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P004_SSH_Service_Vulnerable_To_… ∗∗∗ tenable: [R1] Security Center Version 6.3.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-02 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Lenovo Security Advisories ∗∗∗ --------------------------------------------- https://support.lenovo.com/at/en/product_security/home -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.02.2024
by Daily end-of-shift report 13 Feb '24

13 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 12-02-2024 18:00 − Dienstag 13-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ The (D)Evolution of Pikabot ∗∗∗ --------------------------------------------- Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage in the second half of 2023 following the FBI-led takedown of Qakbot. This was likely the result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023, with its version number being 1.1.19 at that time. In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes in its code base and structure. --------------------------------------------- https://www.zscaler.com/blogs/security-research/d-evolution-pikabot ∗∗∗ GMX, Web.de, Online-Dienste: Angriffe auf Zugangsdaten nehmen zu ∗∗∗ --------------------------------------------- Etwas alarmistisch melden einige Medien, dass es vermehrt Angriffe auf Zugangskonten von GMX oder Web.de gebe, die unter anderem sehr populäre Webmail-Dienste bereitstellen. Es werden dort bei zahlreichen Konten sehr hohe Zahlen für fehlerhafte Log-in-Versuche angezeigt. Es handelt sich offenbar um die alltäglichen Angriffe auf Zugangsdaten von Cyberkriminellen, die versuchen, mit gestohlenen Accountinformationen auf Online-Dienste zuzugreifen. --------------------------------------------- https://www.heise.de/-9626994 ∗∗∗ Vorsicht vor gefälschten WKÖ-E-Mails ∗∗∗ --------------------------------------------- Kriminelle geben sich als Wirtschaftskammer Österreich aus und bitten Unternehmen in einem E-Mail, Kontaktdaten zu aktualisieren. Klicken Sie keinesfalls auf den Link, Sie werden auf eine gefälschte WKÖ-Seite geführt. Dort stehlen Kriminelle Firmen- und Bankdaten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-wkoe-e-mai… ∗∗∗ Directory.ReadWrite.All Is Not As Powerful As You Might Think ∗∗∗ --------------------------------------------- Directory.ReadWrite.All is an MS Graph permission that is frequently cited as granting high amounts of privilege, even being equated to the Global Admin Entra ID role [..] Misleading or incorrect documentation create most of the misconceptions regarding this permission. --------------------------------------------- https://posts.specterops.io/directory-readwrite-all-is-not-as-powerful-as-y… ∗∗∗ Ongoing Microsoft Azure account hijacking campaign targets executives ∗∗∗ --------------------------------------------- A phishing campaign detected in late November 2023 has compromised hundreds of user accounts in dozens of Microsoft Azure environments, including those of senior executives. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ongoing-microsoft-azure-acco… ∗∗∗ Fileless Revenge RAT Malware ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as ‘smtp-validator’ and ‘Email To Sms’. At the time of execution, the malware creates and runs both a legitimate tool and a malicious file, making it difficult for users to realize that a malicious activity has occurred. --------------------------------------------- https://asec.ahnlab.com/en/61584/ ===================== = Vulnerabilities = ===================== ∗∗∗ Request Tracker Write-up (CVE-2023-41259, CVE-2023-41260) ∗∗∗ --------------------------------------------- Without authentication we were able to extract file-attachments that were uploaded to RT, including e-mails received from and to users regarding tickets and issues. We also found it was possible to obtain information about tickets and users. --------------------------------------------- https://www.linkedin.com/pulse/request-tracker-write-up-tom-wolters-ygsae ∗∗∗ PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor ∗∗∗ --------------------------------------------- An attacker can publish a zone that contains crafted DNSSEC related records. While validating results from queries to that zone using the RFC mandated algorithms, the Recursor’s resource usage can become so high that processing of other queries is impacted, resulting in a denial of service. Note that any resolver following the RFCs can be impacted, this is not a problem of this particular implementation. --------------------------------------------- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-202… ∗∗∗ DNS-Server: Bind und Unbound stolpern über Sicherheitslücke "KeyTrap" ∗∗∗ --------------------------------------------- Mit einer präparierten DNS-Anfrage können Angreifer eine hohe Prozessorlast verursachen und den Dienst für legitime Nutzer so blockieren. Patches stehen bereit. --------------------------------------------- https://www.heise.de/-9627276 ∗∗∗ Sicherheitslücken: Angreifer können Dell Unity kompromittieren ∗∗∗ --------------------------------------------- Die Fehler stecken in Dell Unity Operating Enviroment (OE). Die Entwickler geben an, die Ausgabe 5.4.0.0.5.094 repariert zu haben. Von den Sicherheitsproblemen sind unter anderem Dell EMC Unity, Dell EMC Unity XT 380F und Dell EMC Unity Hybrid betroffen. Alle verwundbaren Produkte sind in der Warnmeldung aufgelistet. --------------------------------------------- https://www.heise.de/-9626407 ∗∗∗ Qnap: Sicherheitslücken in Firmware erlauben Einschleusen von Befehlen ∗∗∗ --------------------------------------------- In der Sicherheitswarnung schreibt Qnap, dass es sich um zwei Schwachstellen handelt. Die Beschreibung für beide lautet: Eine Befehlsschmuggel-Schwachstelle wurde in mehreren Qnap-Betriebssystemversionen gemeldet. Sofern sie missbraucht werden, erlauben sie Nutzern, Befehle über das Netzwerk auszuführen (CVE-2023-47218, CVE-2023-50358, CVSS 5.8, Risiko "mittel"). --------------------------------------------- https://www.heise.de/-9626319 ∗∗∗ SAP patcht: 13 Sicherheitslücken abgedichtet ∗∗∗ --------------------------------------------- SAP verteilt Software-Updates, die Schwachstellen aus 13 Sicherheitsmitteilungen ausbessern. Eine Lücke ist kritisch. --------------------------------------------- https://www.heise.de/-9626592 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (clamav and virtiofsd), Oracle (gimp), Red Hat (gnutls and nss), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t and squid), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/961937/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ TYPO3 Security Advisories ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories ∗∗∗ Autodesk: Multiple Vulnerabilities in Autodesk InfraWorks software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0001 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series Safety CPU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-044-01 ∗∗∗ HIMA: Multiple products affected by DoS and Port-Based-VLAN Crossing ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-013/ ∗∗∗ Schneider Electric Security Advisories ∗∗∗ --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ SSA-943925 V1.0: Multiple Vulnerabilities in SINEC NMS before V2.0 SP1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-943925.html ∗∗∗ SSA-871717 V1.0: Multiple Vulnerabilities in Polarion ALM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-871717.html ∗∗∗ SSA-806742 V1.0: Multiple Vulnerabilities in SCALANCE XCM-/XRM-300 before V2.4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-806742.html ∗∗∗ SSA-797296 V1.0: XT File Parsing Vulnerability in Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-797296.html ∗∗∗ SSA-753746 V1.0: Denial of Service Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-753746.html ∗∗∗ SSA-716164 V1.0: Multiple Vulnerabilities in Scalance W1750D ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-716164.html ∗∗∗ SSA-665034 V1.0: Vulnerability in Nozomi Guardian/CMC before 23.3.0 on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-665034.html ∗∗∗ SSA-647068 V1.0: Ripple20 in SIMATIC RTLS Gateways ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-647068.html ∗∗∗ SSA-602936 V1.0: Multiple Vulnerabilities in SCALANCE SC-600 Family before V3.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-602936.html ∗∗∗ SSA-580228 V1.0: Use of Hard-Coded Credentials Vulnerability in Location Intelligence before V4.3 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-580228.html ∗∗∗ SSA-543502 V1.0: Local Privilege Escalation Vulnerability in Unicam FX ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-543502.html ∗∗∗ SSA-516818 V1.0: TCP Sequence Number Validation Vulnerability in the TCP/IP Stack of CP343-1 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-516818.html ∗∗∗ SSA-108696 V1.0: Multiple Vulnerabilities in SIDIS Prime before V4.0.400 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-108696.html ∗∗∗ SSA-017796 V1.0: Multiple File Parsing Vulnerabilities in Tecnomatix Plant Simulation ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-017796.html ∗∗∗ SSA-000072 V1.0: Multiple File Parsing Vulnerabilities in Simcenter Femap ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-000072.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.02.2024
by Daily end-of-shift report 12 Feb '24

12 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-02-2024 18:00 − Montag 12-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Free Rhysida ransomware decryptor for Windows exploits RNG flaw ∗∗∗ --------------------------------------------- South Korean researchers have publicly disclosed an encryption flaw in the Rhysida ransomware encryptor, allowing the creation of a Windows decryptor to recover files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-rhysida-ransomware-decr… ∗∗∗ Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor ∗∗∗ --------------------------------------------- Hackers are exploiting a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy the new DSLog backdoor on vulnerable devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-ivanti-ssrf-… ∗∗∗ Exploit against Unnamed "Bytevalue" router vulnerability included in Mirai Bot, (Mon, Feb 12th) ∗∗∗ --------------------------------------------- Today, I noticed the following URL showing up in our "First Seen" list: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/30642 ∗∗∗ Microsoft Defender: Der Erkennung mit Komma entgehen ∗∗∗ --------------------------------------------- Ein IT-Forscher hat entdeckt, dass sich die Erkennung des Microsoft Defenders mit einem Komma austricksen lässt. --------------------------------------------- https://www.heise.de/-9625770.html ∗∗∗ SiCat: Open-source exploit finder ∗∗∗ --------------------------------------------- SiCat is an open-source tool for exploit research designed to source and compile information about exploits from open channels and internal databases. Its primary aim is to assist in cybersecurity, enabling users to search the internet for potential vulnerabilities and corresponding exploits. --------------------------------------------- https://www.helpnetsecurity.com/2024/02/12/sicat-open-source-exploit-finder/ ∗∗∗ Warzone RAT Shut Down by Law Enforcement, Two Arrested ∗∗∗ --------------------------------------------- Warzone RAT dismantled in international law enforcement operation that also involved arrests of suspects in Malta and Nigeria. --------------------------------------------- https://www.securityweek.com/warzone-rat-shut-down-by-law-enforcement-two-a… ∗∗∗ Diving Into Gluptebas UEFI Bootkit ∗∗∗ --------------------------------------------- A 2023 Glupteba campaign includes an unreported feature - a UEFI bootkit. We analyze its complex architecture and how this botnet has evolved. --------------------------------------------- https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/ ∗∗∗ Bitdefender warnt vor neuer Backdoor für macOS ∗∗∗ --------------------------------------------- Sie bleibt vermutlich mindestens drei Monate unentdeckt. RustDoor erlaubt die gezielte Suche nach Daten und deren Übertragung an einen externen Server. --------------------------------------------- https://www.zdnet.de/88414203/bitdefender-warnt-vor-neuer-backdoor-fuer-mac… ∗∗∗ Angreifer spoofen Temu ∗∗∗ --------------------------------------------- Die Popularität des E-Commerce-Shops lockt Betrüger, die sich auf gefälschte Werbegeschenkcodes spezialisieren. --------------------------------------------- https://www.zdnet.de/88414209/angreifer-spoofen-temu/ ===================== = Vulnerabilities = ===================== ∗∗∗ ExpressVPN: Fehler führt zu ungeschützter Übertragung von DNS-Anfragen ∗∗∗ --------------------------------------------- Durch den Fehler können Drittanbieter potenziell nachverfolgen, welche Webseiten ExpressVPN-Nutzer besucht haben - trotz aktiver VPN-Verbindung. --------------------------------------------- https://www.golem.de/news/expressvpn-fehler-fuehrt-zu-ungeschuetzter-uebert… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2024-21762 Fortinet FortiOS Out-of-Bound Write Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/09/cisa-adds-one-known-expl… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2023-43770 Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/12/cisa-adds-one-known-expl… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgit2), Fedora (chromium, firecracker, libkrun, openssh, python-nikola, runc, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, virtiofsd, webkitgtk, and wireshark), Mageia (filezilla and xpdf), Oracle (gimp), Red Hat (libmaxminddb, linux-firmware, squid:4, and tcpdump), Slackware (xpdf), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont and suse-build-key), and Ubuntu (python-glance-store and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/961842/ ∗∗∗ Mehrere Cross-Site Scripting Schwachstellen in Statamic CMS ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-cross-site-sc… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2024
by Daily end-of-shift report 09 Feb '24

09 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-02-2024 18:00 − Freitag 09-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SonicOS SSL-VPN: Angreifer können Authentifzierung umgehen ∗∗∗ --------------------------------------------- Sonicwall warnt vor einer Sicherheitslücke im SonicOS SSL-VPN, durch die Angreifer die Authentifizierung umgehen können. --------------------------------------------- https://www.heise.de/-9623611.html ∗∗∗ Sicherheitsupdates: Authentifizierung von Ivanti Connect Secure & Co. defekt ∗∗∗ --------------------------------------------- Angreifer können ohne Anmeldung auf Ivanti Connect Secure, Policy Secure und ZTA Gateway zugreifen. --------------------------------------------- https://www.heise.de/-9623653.html ∗∗∗ Elastic Stack: Pufferüberlauf ermöglicht Codeschmuggel in Kibana-Komponente ∗∗∗ --------------------------------------------- Der in Kibana integrierte Chromium-Browser verursachte das Problem nur auf bestimmten Plattformen. Updates und eine Übergangslösung stehen bereit. --------------------------------------------- https://www.heise.de/-9624274.html ∗∗∗ Android XLoader malware can now auto-execute after installation ∗∗∗ --------------------------------------------- A new version of the XLoader Android malware was discovered that automatically executes on devices it infects, requiring no user interaction to launch. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-xloader-malware-can-… ∗∗∗ New RustDoor macOS malware impersonates Visual Studio update ∗∗∗ --------------------------------------------- A new Rust-based macOS malware spreading as a Visual Studio update to provide backdoor access to compromised systems uses infrastructure linked to the infamous ALPHV/BlackCat ransomware gang. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-rustdoor-macos-malware-i… ∗∗∗ Form Tools Remote Code Execution: We Need To Talk About PHP ∗∗∗ --------------------------------------------- To whet your appetite for what we’re going to demonstrate, below is a deep dive into a Local File Inclusion vulnerability which can lead to Remote Code Execution in installations of ‘Form Tools’, an open-source PHP-based application for creating, storing and sharing forms on the Internet, of over 15 year vintage. A short search across open data platforms reveals over 1,000 installations with "we just discovered Shodan"-tier fingerprints. --------------------------------------------- https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/ ∗∗∗ Juniper Support Portal Exposed Customer Device Info ∗∗∗ --------------------------------------------- Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including the exact devices each customer bought, as well as each devices warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal. --------------------------------------------- https://krebsonsecurity.com/2024/02/juniper-support-portal-exposed-customer… ∗∗∗ Zahlreiche betrügerische E-Mails im Namen der Österreichischen Gesundheitskasse im Umlauf! ∗∗∗ --------------------------------------------- Derzeit werden der Watchlist Internet zahlreiche E-Mails gemeldet, die Kriminelle im Namen der Österreichischen Gesundheitskasse versenden. Angeblich erhalten die Empfänger:innen eine Rückerstattung durch die Krankenasse. Dazu sollen sie einen Link anklicken und Kreditkartendaten eingeben. Machen Sie das auf keinen Fall, da es sich um eine Phishing-Falle handelt. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-betruegerische-e-mails-im… ∗∗∗ CISA Partners With OpenSSF Securing Software Repositories Working Group to Release Principles for Package Repository Security ∗∗∗ --------------------------------------------- Today, CISA partnered with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group to publish the Principles for Package Repository Security framework. Recognizing the critical role package repositories play in securing open source software ecosystems, this framework lays out voluntary security maturity levels for package repositories. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/08/cisa-partners-openssf-se… ∗∗∗ Raspberry Robin: Evolving Cyber Threat with Advanced Exploits and Stealth Tactics ∗∗∗ --------------------------------------------- Raspberry Robin leverages new 1-day Local Privilege Escalation (LPE) exploits developed ahead of public knowledge, hinting at either an in-house development capability or access to a sophisticated exploit market. --------------------------------------------- https://blog.checkpoint.com/security/raspberry-robin-evolving-cyber-threat-… ∗∗∗ January 2024’s Most Wanted Malware: Major VexTrio Broker Operation Uncovered and Lockbit3 Tops the Ransomware Threats ∗∗∗ --------------------------------------------- Researchers uncovered a large cyber threat distributor known as VexTrio, which serves as a major traffic broker for cybercriminals to distribute malicious content. Meanwhile, LockBit3 topped the list of active ransomware groups and Education was the most impacted industry worldwide --------------------------------------------- https://blog.checkpoint.com/research/january-2024s-most-wanted-malware-majo… ∗∗∗ Niederlande: Militärnetzwerk über FortiGate gehackt; Volt Typhoon-Botnetz seit 5 Jahren in US-Systemen ∗∗∗ --------------------------------------------- Gerade ist eine Spionageaktion der chinesischen Regierung in einem Computernetzwerk des niederländischen Militärs aufgeflogen. Das Militärnetzwerk wurde über eine Schwachstelle in FortiGate gehackt. Das ist auch für andere Fortinet-Kunden relevant. Und mittlerweile wurde bekannt, dass das mutmaßlich von staatsnahen chinesischen [...] --------------------------------------------- https://www.borncity.com/blog/2024/02/08/niederlande-militrnetzwerk-ber-for… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (atril, chromium, gnutls, python-aiohttp, and webkitgtk), Gentoo (libxml2), Mageia (gnutls, gpac, kernel, kernel-linus, microcode, pam, and postfix), Red Hat (container-tools:2.0, container-tools:3.0, container-tools:4.0, container-tools:rhel8, gimp, libmaxminddb, python-pillow, runc, and unbound), SUSE (cosign, netpbm, python, python-Pillow, python3, and python36), and Ubuntu (libde265, linux-gcp, linux-gcp-5.4, and linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/961584/ ∗∗∗ Kritische Sicherheitslücken in Fortinet FortiOS, Updates verfügbar ∗∗∗ --------------------------------------------- Fortinet hat zwei kritische Security Advisories veröffentlicht. Beide Security Advisories behandeln Sicherheitslücken, die es unauthentifizierten Angreifer:innen erlauben, Code auf betroffenen Geräten auszuführen. Fortinet gibt bezüglich einer dieser Sicherheitslücken an, dass diese potentiell bereits aktiv für Angriffe ausgenutzt wird. --------------------------------------------- https://cert.at/de/warnungen/2024/2/kritische-sicherheitslucken-in-fortinet… ∗∗∗ Wichtige ESET Produkt-Updates verfügbar (8. Feb. 2024) ∗∗∗ --------------------------------------------- Kurzer, weiterer Informationssplitter für Administratoren, die ESET Endpoint Antivirus/Security unter Windows einsetzen. Der Hersteller hat ein wichtiges Produkt-Update für seine Windows-Produktlinie herausgegeben, welches sofort installiert werden sollte. Das Update behebt eine Schwachstelle, [...] --------------------------------------------- https://www.borncity.com/blog/2024/02/08/wichtige-eset-produkt-updates-verf… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ FortiClientEMS - Improper privilege management for site super administrator ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-357 ∗∗∗ FortiManager - Informative error messages ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-268 ∗∗∗ FortiNAC - XSS in Show Audit Log ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-063 ∗∗∗ FortiOS - Format String Bug in fgfmd ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-029 ∗∗∗ FortiOS - Fortilink lack of certificate validation ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-301 ∗∗∗ FortiOS - Out-of-bound Write in sslvpnd ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-015 ∗∗∗ FortiOS & FortiProxy - CVE-2023-44487 - Rapid Reset HTTP/2 vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-397 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2024
by Daily end-of-shift report 08 Feb '24

08 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-02-2024 18:00 − Donnerstag 08-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fortinet: APTs Exploiting FortiOS Vulnerabilities in Critical Infrastructure Attacks ∗∗∗ --------------------------------------------- One of the exploited vulnerabilities is CVE-2022-42475, which Fortinet patched in December 2022, when it warned that it had been aware of in-the-wild exploitation. [..] The second vulnerability described in Fortinet’s new warning is CVE-2023-27997, which came to light in June 2023, when the cybersecurity firm informed customers that it had been exploited as a zero-day in limited attacks. Fortinet noted on Wednesday that some customers have yet to patch the two FortiOS vulnerabilities and the company has seen several attacks and attack clusters, including ones aimed at the government, service provider, manufacturing, consultancy, and critical infrastructure sectors. --------------------------------------------- https://www.securityweek.com/fortinet-apts-exploiting-fortios-vulnerabiliti… ∗∗∗ State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure ∗∗∗ --------------------------------------------- CISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus). --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a ∗∗∗ Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure ∗∗∗ --------------------------------------------- Fortinet is warning of two new unpatched patch bypasses for a critical remote code execution vulnerability in FortiSIEM, Fortinets SIEM solution. [..] Earlier today, BleepingComputer published an article that the CVEs were released by mistake after being told by Fortinet that they were duplicates of the original CVE-2023-34992. [..] After contacting Fortinet once again, we were told their previous statement was “misstated” and that the two new CVEs are variants of the original flaw. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortis… ∗∗∗ Coyote: A multi-stage banking Trojan abusing the Squirrel installer ∗∗∗ --------------------------------------------- We will delve into the workings of the infection chain and explore the capabilities of the new Trojan that specifically targets users of more than 60 banking institutions, mainly from Brazil. --------------------------------------------- https://securelist.com/coyote-multi-stage-banking-trojan/111846/ ∗∗∗ Facebook ads push new Ov3r_Stealer password-stealing malware ∗∗∗ --------------------------------------------- A new password-stealing malware named Ov3r_Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/facebook-ads-push-new-ov3r-s… ∗∗∗ The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world ∗∗∗ --------------------------------------------- No, three million smart toothbrushes didnt launch a DDoS attack against a Swiss company. --------------------------------------------- https://grahamcluley.com/the-toothbrush-ddos-attack-how-misinformation-spre… ∗∗∗ Fake LastPass password manager spotted on Apple’s App Store ∗∗∗ --------------------------------------------- LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-lastpass-password-manag… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiGate / FortiOS 7.4.3 FortiOS Release Notes ∗∗∗ --------------------------------------------- 2024-02-07 Initial release --------------------------------------------- https://docs.fortinet.com/document/fortigate/7.4.3/fortios-release-notes/55… ∗∗∗ SonicOS SSL-VPN Improper Authentication ∗∗∗ --------------------------------------------- An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication.This issue affects only firmware version SonicOS 7.1.1-7040. CVE: CVE-2024-22394 Last updated: Feb. 6, 2024, 4:44 p.m. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0003 ∗∗∗ SSD Advisory – TOTOLINK LR1200GB Auth Bypass ∗∗∗ --------------------------------------------- A vulnerability in TOTOLINK LR1200GB allows remote unauthenticated attackers to become authenticated due to a stack overflow vulnerability in the web interface. [..] Multiple emails to the vendor went unanswered, we are releasing this information without being able to get from the vendor a patch or response. --------------------------------------------- https://ssd-disclosure.com/ssd-advisory-totolink-lr1200gb-auth-bypass/ ∗∗∗ Sicherheitslücken: Codeschmuggel und Leistungsverweigerung bei ClamAV ∗∗∗ --------------------------------------------- Der Parser für das OLE2-Dateiformat enthält einen Pufferüberlauf und mit speziell präparierten Dateinamen lassen sich offenbar eigene Befehlszeilen ausführen. --------------------------------------------- https://www.heise.de/-9622674 ∗∗∗ Samsung Magician: Update stopft Sicherheitsleck im SSD-Tool ∗∗∗ --------------------------------------------- Samsung bietet mit Magician eine Software zum Verwalten von SSDs, Speichersticks und -Karten des Herstellers. Ein Update schließt eine Lücke darin. --------------------------------------------- https://www.heise.de/-9622729 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Red Hat (gimp, kernel, kernel-rt, and runc), Slackware (expat), SUSE (libavif), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive). --------------------------------------------- https://lwn.net/Articles/961330/ ∗∗∗ Drupal: Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-008 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpr… ∗∗∗ Qolsys IQ Panel 4, IQ4 HUB ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2024
by Daily end-of-shift report 07 Feb '24

07 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-02-2024 18:00 − Mittwoch 07-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fortinet snafu: Critical FortiSIEM CVEs are duplicates, issued in error ∗∗∗ --------------------------------------------- It turns out that critical Fortinet FortiSIEM vulnerabilities tracked as CVE-2024-23108 and CVE-2024-23109 are not new and have been published this year in error. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-snafu-critical-fort… ∗∗∗ Schlüssel ausgelesen: Bastler umgeht Bitlocker-Schutz mit Raspberry Pi Pico ∗∗∗ --------------------------------------------- Möglich war ihm dies durch das Abfangen der Kommunikation des auf dem Mainboard des Notebooks verlöteten TPM-Chips mit der CPU. [..] Auf die Möglichkeit solcher Angriffe auf Systeme mit externen TPM-Chips wiesen Sicherheitsforscher schon im Sommer 2021 hin. Grund dafür sei die unverschlüsselte Übertragung des Verschlüsselungsschlüssels, so dass sich der Schlüssel einfach über die Kontakte des TPMs abfangen lasse, hieß es schon damals. --------------------------------------------- https://www.golem.de/news/schluessel-ausgelesen-bastler-umgeht-bitlocker-sc… ∗∗∗ Unleashing the Power of Scapy for Network Fuzzing ∗∗∗ --------------------------------------------- Cybersecurity is a critical aspect of any network or software system, and fuzzing is arguably one of the most potent techniques used to identify such security vulnerabilities. Fuzzing involves injecting unexpected or invalid data into the system, which can trigger unforeseen behaviours, potentially leading to security breaches or crashes. Scapy is one of the many tools that can be used for fuzzing, and it stands out as a versatile and efficient option. --------------------------------------------- https://www.darkrelay.com/post/unleashing-the-power-of-scapy-for-network-fu… ∗∗∗ Anydesk-Einbruch: Französisches BSI-Pendant vermutet Dezember als Einbruchsdatum ∗∗∗ --------------------------------------------- Der IT-Sicherheitsvorfall bei Anydesk datiert womöglich auf den Dezember 2023, wie den Hinweisen der französischen IT-Sicherheitsbehörde zu entnehmen ist. --------------------------------------------- https://www.heise.de/news/Anydesk-Einbruch-datiert-vermutlich-auf-Dezember-… ∗∗∗ E-Mail von DNS EU ist betrügerisch ∗∗∗ --------------------------------------------- Derzeit erhalten viele Website-Betreiber:innen E-Mails von einer vermeintlichen Firma namens DNS EU. Im E-Mail behauptet das Unternehmen, dass es einen „Registrierungsantrag“ für eine Domain erhalten hat, die Ihrer eigenen Domain sehr ähnlich ist. Ihnen wird angeboten, diese Domain für € 297,50 zu kaufen. Ignorieren Sie dieses E-Mail, das Angebot ist Fake. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-von-dns-eu-ist-betruegerisch/ ∗∗∗ Vermehrte Ransomware-Angriffe mit Lockbit 3.0 ∗∗∗ --------------------------------------------- In den letzten Tagen sind österreichische Unternehmen und Organisationen vermehrt von Angriffen mit der Ransomware Lockbit 3.0 betroffen. Dabei handelt es sich um Ransomware-as-a-Service, was es einer Vielzahl von Kriminellen ermöglicht, unabhängig voneinander zu agieren und eine grössere Anzahl von Zielen zu attackieren. Bedrohungsakteure, die im Rahmen ihrer Angriffe Lockbit 3.0 einsetzen erlangen vor allem über den Missbrauch von RDP-Verbindungen (beispielsweise unter Einsatz anderweitig gestohlener Zugangsdaten) und die Ausnutzung von Schwachstellen in aus dem Internet erreichbaren Applikationen Zugang zu den Netzwerken ihrer Opfer. Wir empfehlen nachdrücklich, die eigenen Sicherheitsmaßnahmen zu überprüfen [..] --------------------------------------------- https://cert.at/de/aktuelles/2024/2/vermehrte-ransomware-angriffe-mit-lockb… ∗∗∗ Cyber Security Glossary: The Ultimate List ∗∗∗ --------------------------------------------- If you have anything to do with cyber security, you know it employs its own unique and ever-evolving language. Jargon and acronyms are the enemies of clear writing—and are beloved by cyber security experts. So Morphisec has created a comprehensive cyber security glossary that explains commonly used cybersecurity terms, phrases, and technologies. We designed this list to demystify the terms that security professionals use when describing security tools, threats, processes, and techniques. We will periodically update it, and hope you find it useful. --------------------------------------------- https://blog.morphisec.com/cyber-security-glossary ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in JetBrains TeamCity On-Premises ∗∗∗ --------------------------------------------- Das Softwareunternehmen JetBrains hat Informationen über eine kritische Sicherheitslücke in JetBrains TeamCity On-Premises veröffentlicht. Eine Ausnutzung der Schwachstelle, CVE-2024-23917, erlaubt unauthentifizierten Angreifer:innen mit HTTP(s)-Zugriff auf eine verwundbare Instanz von TeamCity das Umgehen von Authentifizierungskontrollen und somit die vollständige Übernahme der betroffenen Installation. --------------------------------------------- https://cert.at/de/aktuelles/2024/2/kritische-sicherheitslucke-in-jetbrains… ∗∗∗ Shim: Kritische Schwachstelle gefährdet Secure Boot unter Linux ∗∗∗ --------------------------------------------- In einer von den meisten gängigen Linux-Distributionen verwendeten EFI-Anwendung namens Shim wurde eine kritische Schwachstelle entdeckt, die es Angreifern ermöglicht, Schadcode auszuführen und die vollständige Kontrolle über ein Zielsystem zu übernehmen. Ausgenutzt werden könne der Fehler durch eine speziell gestaltete HTTP-Anfrage, die zu einem kontrollierten Out-of-bounds-Schreibvorgang führe, heißt es in der Beschreibung zu CVE-2023-40547. --------------------------------------------- https://www.golem.de/news/shim-kritische-schwachstelle-gefaehrdet-secure-bo… ∗∗∗ Zeroshell vulnerable to OS command injection ∗∗∗ --------------------------------------------- Zeroshell Linux distribution contains an OS command injection vulnerability. This vulnerability was reported on August 2020. The Zeroshell project reached EOL on April 2021. The communication with the developer was established on November 2023, and this JVN publication was agreed upon. --------------------------------------------- https://jvn.jp/en/jp/JVN44033918/ ∗∗∗ Cisco: (High) ClamAV OLE2 File Format Parsing Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. CVE-2024-20290 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco: (Critical) Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks, which could allow the attacker to perform arbitrary actions on an affected device. CVE-2024-20255, CVE-2024-20254, CVE-2024-20252 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ SolarWinds Platform 2024.1 Release Notes ∗∗∗ --------------------------------------------- SQL Injection Remote Code Execution Vulnerability was found using an update statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited and has not been reported outside of the initial report by the researcher. 8.0 High, CVE-2023-50395, CVE-2023-35188 --------------------------------------------- https://documentation.solarwinds.com/en/success_center/orionplatform/conten… ∗∗∗ VMware Aria: Sicherheitslücken erlauben etwa Rechteausweitung ∗∗∗ --------------------------------------------- Insgesamt fünf Sicherheitslücken dichtet VMware in Aria Operations for Networks – ehemals mit dem Namen vRealize im Umlauf – mit aktualisierter Software ab. Der Schweregrad reicht nach Einschätzung der Entwickler des Unternehmens bis zur Risikostufe "hoch". Bösartige Akteure können durch die Schwachstellen unbefugt ihre Rechte an verwundbaren Systemen erhöhen. --------------------------------------------- https://www.heise.de/-9621415 ∗∗∗ Rechtausweitung durch Lücken in Veeam Recovery Orchestrator möglich ∗∗∗ --------------------------------------------- Veeam flickt die Recovery Orchestrator-Software. Sicherheitslücken darin erlauben bösartigen Akteuren die Ausweitung von Rechten. --------------------------------------------- https://www.heise.de/-9621609 ∗∗∗ Sicherheitsupdates: Dell schließt ältere Lücken in Backuplösungen wie Avamar ∗∗∗ --------------------------------------------- Schwachstellen in Komponenten von Drittanbietern gefährden die Sicherheit von Dell-Backup-Software. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://www.heise.de/9621283 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (gimp) and Ubuntu (firefox, linux-oracle, linux-oracle-5.15, and python-django). --------------------------------------------- https://lwn.net/Articles/961173/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Google Chrome 121.0.6167.160/161 / 120.0.6099.283 mit Sicherheitsfixes ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2024/02/07/google-chrome-121-0-6167-160-161-1… ∗∗∗ [R1] Nessus Version 10.7.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.02.2024
by Daily end-of-shift report 06 Feb '24

06 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 05-02-2024 18:00 − Dienstag 06-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities ∗∗∗ --------------------------------------------- We have analyzed all critical vulnerabilities from the CISA KEV catalog starting from January 2023 through January 2024, categorized the vulnerability root causes, and attempted to analyze if the current efforts in the information security industry match with the current threat vectors being abused. --------------------------------------------- https://www.horizon3.ai/analysis-of-2023s-known-exploited-vulnerabilities/ ∗∗∗ Unseriöse Dirndl-Shops drohen mit Anzeige? Ignorieren Sie die Nachrichten! ∗∗∗ --------------------------------------------- Zahlreiche Betroffene wenden sich aktuell an die Watchlist Internet, weil unseriöse Bekleidungs- und Dirndl-Shops Monate nach den Bestellungen versuchen, Kund:innen einzuschüchtern und zu einer Zahlung zu drängen. Da völlig falsche Produkte geliefert wurden, besteht aber kein Grund zur Zahlung und somit auch kein Grund zur Sorge! --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-dirndl-shops-drohen-mit-a… ∗∗∗ How are user credentials stolen and used by threat actors? ∗∗∗ --------------------------------------------- You’ve probably heard the phrase, “Attackers don’t hack anyone these days. They log on.” In this blog, we describe the various tools and techniques bad actors are using to steal credentials so they can log on with valid account details, and outline our recommendations for defense. --------------------------------------------- https://blog.talosintelligence.com/how-are-user-credentials-stolen-and-used… ∗∗∗ Navigating the Rising Tide of CI/CD Vulnerabilities: The Jenkins and TeamCity Case Studies ∗∗∗ --------------------------------------------- In the evolving landscape of cybersecurity, a new threat has emerged, targeting the core of software development processes. Recently, an alarming incident has brought to light a significant vulnerability in Jenkins CI/CD servers. Approximately 45,000 Jenkins servers have been left exposed to remote code execution (RCE) attacks, leveraging multiple exploit public POCs. This breach is not just a standalone event but a symptom of a growing trend of attacks on Continuous Integration/Continuous Deployment (CI/CD) software supply chains. --------------------------------------------- https://checkmarx.com/blog/navigating-the-rising-tide-of-ci-cd-vulnerabilit… ∗∗∗ Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services ∗∗∗ --------------------------------------------- Three new security vulnerabilities have been discovered in Azure HDInsights Apache Hadoop, Kafka, and Spark services that could be exploited to achieve privilege escalation and a regular expression denial-of-service (ReDoS) condition. [..] Following responsible disclosure, Microsoft has rolled out fixes as part of updates released on October 26, 2023. --------------------------------------------- https://thehackernews.com/2024/02/high-severity-flaws-found-in-azure.html ∗∗∗ Exploring the (Not So) Secret Code of Black Hunt Ransomware ∗∗∗ --------------------------------------------- In this analysis we examined the BlackHunt sample shared on X (formerly Twitter). During our analysis we found notable similarities between BlackHunt ransomware and LockBit, which suggested that it uses leaked code of Lockbit. In addition, it uses some techniques similar to REvil ransomware. --------------------------------------------- https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-cod… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday Android: Kritische Schadcode-Lücke auf Systemebene geschlossen ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken gefährden Android-Geräte. Für bestimmte Smartphones und Tablets sind Updates erschienen. --------------------------------------------- https://www.heise.de/-9619910 ∗∗∗ Sicherheitsupdate: Mehrere Lücken gefährden Server-Monitoring-Tool Nagios XI ∗∗∗ --------------------------------------------- Unter bestimmten Bedingungen können Angreifer Schadcode auf Server mit Nagios XI laden. Ein Sicherheitsupdate schließt diese und weitere Schwachstellen. --------------------------------------------- https://www.heise.de/-9620155 ∗∗∗ Kritische Schwachstellen in Multifunktions- und Laserdruckern von Canon ∗∗∗ --------------------------------------------- Canon warnt vor kritischen Sicherheitslücken in einigen SOHO-Multifunktions- und Laserdruckern. Gegenmaßnahmen sollen helfen. --------------------------------------------- https://www.heise.de/-9620345 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, gstreamer1-plugins-bad-free, and tigervnc), Debian (ruby-sanitize), Fedora (kernel, kernel-headers, qt5-qtwebengine, and runc), Oracle (gnutls, kernel, libssh, rpm, runc, and tigervnc), Red Hat (runc), and SUSE (bouncycastle, jsch, python, and runc). --------------------------------------------- https://lwn.net/Articles/961083/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2024-23222, CVE-2024-23206, CVE-2024-23213, CVE-2023-40414, CVE-2023-42833, CVE-2014-1745 --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0001.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- Google Chromium V8 Type Confusion Vulnerability CVE-2023-4762 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/06/cisa-adds-one-known-expl… ∗∗∗ MISP 2.4.184 released with performance improvements, security and bugs fixes. ∗∗∗ --------------------------------------------- A series of security fixes were done in this release, the vulnerabilities are accessible to authenticated users, especially those with specific privileges like Org admin. We urge users to update to this version especially if you have different organisations having access to your instances. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.184 ∗∗∗ ZDI-24-086: TP-Link Omada ER605 Access Control Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-086/ ∗∗∗ ZDI-24-085: (Pwn2Own) TP-Link Omada ER605 DHCPv6 Client Options Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-085/ ∗∗∗ ZDI-24-087: (Pwn2Own) Western Digital MyCloud PR4100 RESTSDK Server-Side Request Forgery Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-087/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Pilz: Multiple products affected by uC/HTTP vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-002/ ∗∗∗ HID Global Encoders ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-01 ∗∗∗ HID Global Reader Configuration Cards ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.02.2024
by Daily end-of-shift report 05 Feb '24

05 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-02-2024 18:00 − Montag 05-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Newest Ivanti SSRF zero-day now under mass exploitation ∗∗∗ --------------------------------------------- An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/newest-ivanti-ssrf-zero-day-… ∗∗∗ Cyberangriff: Fernwartungssoftware-Anbieter Anydesk gehackt ∗∗∗ --------------------------------------------- Anydesk ist Opfer eines Cyberangriffs geworden. Die Folgen sind noch nicht klar, aber möglicherweise gravierend. --------------------------------------------- https://www.golem.de/news/cyberangriff-fernwartungssoftware-anbieter-anydes… ∗∗∗ Darknet: Anydesk-Zugangsdaten in Hackerforen aufgetaucht ∗∗∗ --------------------------------------------- Quelle der Daten ist nach aktuellen Erkenntnissen wohl nicht der jüngste Sicherheitsvorfall bei Anydesk. Ein Passwortwechsel wird dennoch empfohlen. --------------------------------------------- https://www.golem.de/news/darknet-anydesk-zugangsdaten-in-hackerforen-aufge… ∗∗∗ How to hack the Airbus NAVBLUE Flysmart+ Manager ∗∗∗ --------------------------------------------- Airbus Navblue Flysmart+ Manager allowed attackers to tamper with the engine performance calculations and intercept data. Flysmart+ is a suite of apps for pilot EFBs, helping deliver efficient and safe departure and arrival of flights. Researchers from Pen Test Partners discovered a vulnerability in Navblue Flysmart+ Manager that can be exploited [...] --------------------------------------------- https://securityaffairs.com/158661/hacking/airbus-flysmart-flaw.html ∗∗∗ Encrypted Attacks: Impact on Public Sector ∗∗∗ --------------------------------------------- Following FBI and CISA warnings to public sector defenders in November regarding increased targeting by infamous ransomware groups, the imperative to understand and defend against evolving - and increasingly covert - cyber threats has intensified. According to Zscaler ThreatLabz analysis of the 2023 threat landscape, 86% of threats hide within encrypted traffic. What does this mean for the public sector? --------------------------------------------- https://www.zscaler.com/blogs/security-research/encrypted-attacks-impact-pu… ∗∗∗ Hacking a Smart Home Device ∗∗∗ --------------------------------------------- How I reverse engineered an ESP32-based smart home device to gain remote control access and integrate it with Home Assistant. --------------------------------------------- https://jmswrnr.com/blog/hacking-a-smart-home-device ∗∗∗ Videokonferenz voller KI-Klone: Angestellter schickt Betrügern 24 Millionen Euro ∗∗∗ --------------------------------------------- Bislang werden im Rahmen der "Chef-Masche" Angestellte zumeist von einer Person überzeugt, Geld herauszugeben. Ein Fall in Hongkong hat nun eine neue Qualität. --------------------------------------------- https://www.heise.de/-9618064.html ∗∗∗ Hartkodiertes Passwort: Wärmepumpen von Alpha Innotec und Novelan angreifbar ∗∗∗ --------------------------------------------- Ein IT-Forscher hat in der Firmware von Alpha Innotec- und Novelan-Wärmepumpen das hartkodierte Root-Passwort gefunden. Updates bieten Abhilfe. --------------------------------------------- https://www.heise.de/-9618846.html ∗∗∗ Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin ∗∗∗ --------------------------------------------- TL;dr NCC Group has observed what we believe to be the attempted exploitation of CVE-2021-42278 and CVE-2021-42287 as a means of privilege escalation, following the successful compromise of an Ivanti Secure Connect VPN using the following zero-day vulnerabilities reported by Volexity1 on 10/01/2024: [...] --------------------------------------------- https://research.nccgroup.com/2024/02/05/ivanti-zero-day-threat-actors-obse… ∗∗∗ Achtung: E-Card mit 500 Euro Guthaben für Apothekenkäufe ist Fake ∗∗∗ --------------------------------------------- Auf Facebook wird eine „E-Card-Gutscheinkarte“ beworben. Wenn Sie eine kurze Umfrage ausfüllen und 2 Euro überweisen, erhalten Sie angeblich 500 Euro für Apothekeneinkäufe. Achtung, dabei handelt es sich um Betrug. Ein solches Angebot gibt es nicht! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-e-card-mit-500-euro-guthaben… ∗∗∗ Sicherheitsvorfall bei der AnyDesk Software GmbH ∗∗∗ --------------------------------------------- Der deutsche Softwarehersteller AnyDesk Software GmbH, Entwickler der Fernwartungssoftware AnyDesk, hat am Abend des 02.02.2024 im Rahmen einer Pressemeldung über einen erfolgreichen Angriff gegen seine Infrastruktur informiert. Laut dem Unternehmen wurde direkt nach Entdeckung des Vorfalles ein externer Sicherheitsdienstleister zur Behandlung des Vorfalls hinzugezogen und die zuständigen Behörden informiert. Weiters gibt das Unternehmen an, dass keinerlei private Schlüssel, [...] --------------------------------------------- https://cert.at/de/aktuelles/2024/2/sicherheitsvorfall-bei-der-anydesk-soft… ===================== = Vulnerabilities = ===================== ∗∗∗ Docker, Kubernetes und co.: Hacker können aus Containern auf Hostsysteme zugreifen ∗∗∗ --------------------------------------------- Die Schwachstellen dafür beziehen sich auf Buildkit und das CLI-Tool runc. Eine davon erreicht mit einem CVSS von 10 den maximal möglichen Schweregrad. --------------------------------------------- https://www.golem.de/news/docker-kubernetes-und-co-hacker-koennen-aus-conta… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (rear, runc, sudo, and zbar), Fedora (chromium, grub2, libebml, mingw-python-pygments, and python-aiohttp), Gentoo (FreeType, GNAT Ada Suite, Microsoft Edge, NBD Tools, OpenSSL, QtGui, SDDM, Wireshark, and Xen), Mageia (dracut, glibc, nss and firefox, openssl, packages, perl, and thunderbird), Slackware (libxml2), SUSE (java-11-openjdk, java-17-openjdk, perl, python-uamqp, slurm, and xerces-c), and Ubuntu (libssh and openssl). --------------------------------------------- https://lwn.net/Articles/960952/ ∗∗∗ 2024-02-05: Cyber Security Advisory - B&R Automation Runtime FTP uses unsecure encryption mechanisms ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA23P004_FTP_uses_unsecure_encrypti… ∗∗∗ Canon: CPE2024-001 – Regarding vulnerabilities for Small Office Multifunction Printers and Laser Printers – 05 February 2024 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ QNAP: Neue Firmware-Versionen beheben Befehlsschmuggel-Lücke ∗∗∗ --------------------------------------------- https://www.heise.de/-9617332.html ∗∗∗ IT-Sicherheitsüberwachung Juniper JSA für mehrere Attacken anfällig ∗∗∗ --------------------------------------------- https://www.heise.de/-9617677.html ∗∗∗ HCL schließt Sicherheitslücken in Bigfix, Devops Deploy und Launch ∗∗∗ --------------------------------------------- https://www.heise.de/-9618224.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily