Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 10.01.2024
by Daily end-of-shift report 10 Jan '24

10 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-01-2024 18:00 − Mittwoch 10-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Absenderdaten entschlüsselt: China hat wohl Apples Airdrop-Protokoll "geknackt" ∗∗∗ --------------------------------------------- Forensikern aus Peking ist es angeblich gelungen, Telefonnummern und E-Mail-Adressen von Airdrop-Absendern zu entschlüsseln. --------------------------------------------- https://www.golem.de/news/absenderdaten-entschluesselt-china-hat-wohl-apple… ∗∗∗ Jenkins Brute Force Scans, (Tue, Jan 9th) ∗∗∗ --------------------------------------------- Our honeypots saw a number of scans for "/j_acegi_security_check" the last two days. This URL has not been hit much lately, but was hit pretty hard last March. The URL is associated with Jenkins, and can be used to brute force passwords. --------------------------------------------- https://isc.sans.edu/diary/rss/30546 ∗∗∗ Vorgaben der CISA: Mehr Sicherheit für die Microsoft-Cloud ∗∗∗ --------------------------------------------- Die Security-Vorgaben der CISA für die Microsoft-Cloud sind fertig. Wir zeigen, was hinter den Empfehlungen steckt und wo sie sich von MS und CIS unterscheiden. --------------------------------------------- https://www.heise.de/-9591800.html ∗∗∗ Patchday Microsoft: Kerberos-Authentifizierung unter Windows verwundbar ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Azure, Office, Windows und Co. erschienen. Attacken können bevorstehen. Ein Bitlocker-Patch macht Probleme. --------------------------------------------- https://www.heise.de/-9592648.html ∗∗∗ Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin ∗∗∗ --------------------------------------------- On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view [...] --------------------------------------------- https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabi… ∗∗∗ Siemens, Schneider Electric Release First ICS Patch Tuesday Advisories of 2024 ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric publish a total of 7 new security advisories addressing 22 vulnerabilities. --------------------------------------------- https://www.securityweek.com/siemens-schneider-electric-release-first-ics-p… ∗∗∗ Achtung: Vermehrt PayLife Phishing-Mails im Umlauf ∗∗∗ --------------------------------------------- Schützen Sie Ihre Kreditkartendaten und nehmen Sie sich vor Phishing-Mails im Namen von PayLife in Acht. Kriminelle behaupten in den E-Mails, dass Sie aufgrund der Verpflichtung zur Zwei-Faktor-Authentifizierung Schritte setzen und einem Link folgen müssen. Sie landen auf einer kaum als Fälschung erkennbaren Kopie der PayLife-Seite. Geben Sie dort keine Daten ein! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vermehrt-paylife-phishing-ma… ∗∗∗ ‘Yet another Mirai-based botnet’ is spreading an illicit cryptominer ∗∗∗ --------------------------------------------- A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday. Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year, and it has various quirks that complicate analysis of the malware and point to highly-skilled threat actors. --------------------------------------------- https://therecord.media/mirai-based-botnet-spreading-akamai ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-expl… ∗∗∗ Apache Applications Targeted by Stealthy Attacker ∗∗∗ --------------------------------------------- Researchers at Aqua Nautilus have uncovered a new attack targeting Apache Hadoop and Flink applications. This attack is particularly intriguing due to the attackers use of packers and rootkits to conceal the malware. The simplicity with which these techniques are employed presents a significant challenge to traditional security defenses. --------------------------------------------- https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-steal… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-01-10 ∗∗∗ --------------------------------------------- Security Impact Rating: 1x Critical, 6x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Lenovo Security Advisories 2024-01-09 ∗∗∗ --------------------------------------------- - AMI MegaRAC Vulnerabilities - Lenovo XClarity Administrator (LXCA) Vulnerability - Lenovo Vantage Vulnerabilities - Lenovo Tablet Vulnerabilities - TianoCore EDK II BIOS Vulnerabilities --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ Patchday Adobe: Mehrere Schwachstellen in Substance 3D Stager geschlossen ∗∗∗ --------------------------------------------- Adobes Anwendung zum Erstellen von 3D-Szenen Substance 3D Stager ist angreifbar. Eine fehlerbereinigte Version steht zum Download bereit. --------------------------------------------- https://www.heise.de/-9592712.html ∗∗∗ Update für Google Chrome: Hochriskantes Sicherheitsleck abgedichtet ∗∗∗ --------------------------------------------- Google hat turnusgemäß den Webbrowser Chrome aktualisiert. Dabei haben die Entwickler eine als hohes Risiko eingestufte Sicherheitslücke gestopft. --------------------------------------------- https://www.heise.de/-9592658.html ∗∗∗ Update gegen Rechteausweitung in FortiOS und FortiProxy ∗∗∗ --------------------------------------------- Fortinet warnt vor einem Fehler in der Rechteverwaltung von FortiOS und FortiProxy in HA Clustern. Bösartige Akteure können ihre Rechte ausweiten. --------------------------------------------- https://www.heise.de/-9592816.html ∗∗∗ Webkonferenzen: Zoom-Sicherheitslücken ermöglichen Rechteausweitung ∗∗∗ --------------------------------------------- Zoom verteilt aktualisierte Videokonferenz-Software. Sie schließt eine Sicherheitslücke, durch die Angreifer ihre Rechte ausweiten können. --------------------------------------------- https://www.heise.de/-9593000.html ∗∗∗ 2022-01 Security Bulletin: Junos OS Evolved: Telnet service may be enabled when it is expected to be disabled. (CVE-2022-22164) ∗∗∗ --------------------------------------------- Modification History 2022-01-12: Initial Publication 2024-01-10: updated the JSA with information on an additional PR which fixed some releases which were not completely fixed originally --------------------------------------------- https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libssh), Gentoo (FAAD2 and RedCloth), Red Hat (kpatch-patch and nss), SUSE (hawk2, LibreOffice, opera, and tar), and Ubuntu (glibc, golang-1.13, golang-1.16, linux-azure, linux-gkeop, monit, and postgresql-9.5). --------------------------------------------- https://lwn.net/Articles/957340/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ SVD-2024-0104: Splunk User Behavior Analytics (UBA) Third-Party Package Updates ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0104 ∗∗∗ SVD-2024-0103: Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0103 ∗∗∗ SVD-2024-0102: Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0102 ∗∗∗ SVD-2024-0101: Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0101 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.01.2024
by Daily end-of-shift report 09 Jan '24

09 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Montag 08-01-2024 18:00 − Dienstag 09-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware ∗∗∗ --------------------------------------------- A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023. --------------------------------------------- https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html ∗∗∗ Skrupel nur vorgeschoben? Ransomware-Banden attackieren Kliniken ∗∗∗ --------------------------------------------- Zwar zürnt der Lockbit-Betreiber öffentlich mit einem Handlanger, ist sich dennoch für Krankenhaus-Erpressung nicht zu schade. Andere bedrohen gar Patienten. --------------------------------------------- https://www.heise.de/news/Skrupel-nur-vorgeschoben-Ransomware-Banden-attack… ∗∗∗ Vorsicht vor Phishing-Mails im Namen der KingBill GmbH ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail im Namen der „KingBill GmbH“ werden Sie gebeten, Ihre offenen Zahlungen an KingBill zu sperren. Angeblich werden ausstehende Rechnungen nun auf eine Nebenkontoverbindung verrechnet. Sie werden aufgefordert, umgehend auf das E-Mail zu antworten. Bei diesem E-Mail handelt es sich aber um Betrug, um Ihnen Geld zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-phishing-mails-im-namen… ∗∗∗ Roles allowing to abuse Entra ID federation for persistence and privilege escalation ∗∗∗ --------------------------------------------- Microsoft Entra ID (formerly known as Azure AD) allows delegation of authentication to another identity provider through the legitimate federation feature. However, attackers with elevated privileges can abuse this feature, leading to persistence and privilege escalation. --------------------------------------------- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federa… ∗∗∗ New decryptor for Babuk Tortilla ransomware variant released ∗∗∗ --------------------------------------------- Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor. --------------------------------------------- https://blog.talosintelligence.com/decryptor-babuk-tortilla/ ===================== = Vulnerabilities = ===================== ∗∗∗ SAP-Patchday: Teils kritische Lücken in Geschäftssoftware ∗∗∗ --------------------------------------------- Der Januar-Patchday von SAP behandelt teils kritische Sicherheitslücken. Zu insgesamt zehn Schwachstellen gibt es Sicherheitsnotizen. --------------------------------------------- https://www.heise.de/news/SAP-Patchday-Teils-kritische-Luecken-in-Geschaeft… ∗∗∗ Synology warnt vor Sicherheitslücke im DSM-Betriebssystem ∗∗∗ --------------------------------------------- Synology gibt eine Warnung vor einer Sicherheitslücke im DSM-Betriebssystem für NAS-Systeme heraus. Updates stehen länger bereit. --------------------------------------------- https://www.heise.de/news/Synology-warnt-vor-Sicherheitsluecke-im-DSM-Betri… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (squid), Fedora (podman), Mageia (dropbear), SUSE (eclipse-jgit, jsch, gcc13, helm3, opusfile, qt6-base, thunderbird, and wireshark), and Ubuntu (clamav, libclamunrar, and qemu). --------------------------------------------- https://lwn.net/Articles/957236/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ SSA-794653 V1.0: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-794653.html ∗∗∗ SSA-786191 V1.0: Local Privilege Escalation Vulnerability in Spectrum Power 7 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-786191.html ∗∗∗ SSA-777015 V1.0: Multiple Vulnerabilities in SIMATIC CN 4100 before V2.7 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-777015.html ∗∗∗ SSA-702935 V1.0: Redfish Server Vulnerability in maxView Storage Manager ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-702935.html ∗∗∗ SSA-589891 V1.0: Multiple PAR File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-589891.html ∗∗∗ SSA-583634 V1.0: Command Injection Vulnerability in the CPCI85 Firmware of SICAM A8000 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-583634.html ∗∗∗ Open Port 8899 in BCC Thermostat Product ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-473852.html ∗∗∗ CVE-2023-48795 Impact of Terrapin SSH Attack (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-48795 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.01.2024
by Daily end-of-shift report 08 Jan '24

08 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-01-2024 18:00 − Montag 08-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Post-Quanten-Kryptografie: Verschlüsselungsverfahren Kyber birgt Schwachstellen ∗∗∗ --------------------------------------------- Durch die Messung der für bestimmte Divisionsoperationen benötigten Rechenzeit lassen sich wohl geheime Kyber-Schlüssel rekonstruieren. --------------------------------------------- https://www.golem.de/news/post-quanten-kryptografie-verschluesselungsverfah… ∗∗∗ Suspicious Prometei Botnet Activity, (Sun, Jan 7th) ∗∗∗ --------------------------------------------- On the 31 Dec 2023, after trying multiple username/password combination, actor using IP 194.30.53.68 successfully loging to the honeypot and uploaded eight files where 2 of them are protected with a 7zip password (updates1.7z & updates2.7z). Some of these files have been identified to be related to the Prometei trojan by Virustotal. --------------------------------------------- https://isc.sans.edu/diary/rss/30538 ∗∗∗ Bypass Cognito Account Enumeration Controls ∗∗∗ --------------------------------------------- Amazon Cognito is a popular “sign-in as a service” offering from AWS. It allows developers to push the responsibility of developing authentication, sign up, and secure credential storage to AWS so they can instead focus on building their app. [..] This bypass was originally reported via a GitHub issue in July 2020 and Cognito is still vulnerable as of early 2024. --------------------------------------------- https://hackingthe.cloud/aws/enumeration/bypass_cognito_user_enumeration_co… ∗∗∗ Jetzt patchen! Attacken auf Messaging-Plattform Apache RocketMQ ∗∗∗ --------------------------------------------- Sicherheitsforscher beobachten zurzeit Angriffsversuche auf die Messaging- und Streaming-Plattform Apache RocketMQ. Sicherheitsupdates sind bereits seit Mai 2023 verfügbar. --------------------------------------------- https://www.heise.de/-9590555 ∗∗∗ Sicherheitsupdates: Schadcode- und DoS-Attacken auf Qnap NAS möglich ∗∗∗ --------------------------------------------- Angreifer können Netzwerkspeicher von Qnap ins Visier nehmen. Sicherheitspatches schaffen Abhilfe. --------------------------------------------- https://www.heise.de/-9589870 ∗∗∗ Die OAuth-Hintertür: Google wiegelt ab ∗∗∗ --------------------------------------------- Der Suchmaschinenriese Google sieht keine Sicherheitslücke in der durch Kriminelle ausgenutzten Schnittstelle, sie funktioniere wie vorgesehen. --------------------------------------------- https://www.heise.de/-9589840 ∗∗∗ NIST: No Silver Bullet Against Adversarial Machine Learning Attacks ∗∗∗ --------------------------------------------- NIST has published a report on adversarial machine learning attacks and mitigations, and cautioned that there is no silver bullet for these types of threats. --------------------------------------------- https://www.securityweek.com/nist-no-silver-bullet-against-adversarial-mach… ∗∗∗ Werbung für verlorene Pakete der Post für € 1,95 ist Betrug ∗∗∗ --------------------------------------------- Auf Facebook und im Facebook Messenger kursiert eine Werbung, die verloren gegangene Pakete der Post um € 1,95 verspricht. Die Werbung vermittelt den Eindruck, dass Angebot käme von der Post selbst. In den Paketen befinden sich angeblich hochpreisige Elektronikprodukte wie Laptops, Spielkonsolen oder Smartwatches. Dabei handelt es sich aber um eine betrügerische Werbung, die nichts mit der Österreichischen Post zu tun hat! --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-verlorene-pakete-der-po… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices ∗∗∗ --------------------------------------------- Pentagrid identified several vulnerabilities in Lantronixs EDS-MD product during a penetration test. The EDS-MD is an IoT gateway for medical devices and equipment. The vulnerabilities include an authenticated command injection, cross-site request forgery, missing authentication for the AES-encrypted communication, cross-site scripting vulnerabilities, outdated software components, and more. --------------------------------------------- https://www.pentagrid.ch/en/blog/multiple-vulnerabilties-in-lantronix-eds-m… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4), Fedora (chromium, perl-Spreadsheet-ParseExcel, python-aiohttp, python-pysqueezebox, and tinyxml), Gentoo (Apache Batik, Eclipse Mosquitto, firefox, R, Synapse, and util-linux), Mageia (libssh2 and putty), Red Hat (squid), SUSE (libxkbcommon), and Ubuntu (gnutls28). --------------------------------------------- https://lwn.net/Articles/957146/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Qt: Security advisory: Potential Integer Overflow in Qts HTTP2 implementation ∗∗∗ --------------------------------------------- https://www.qt.io/blog/security-advisory-potential-integer-overflow-in-qts-… ∗∗∗ BOSCH-SA-711465: Multiple vulnerabilities in Nexo cordless nutrunner ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-711465.html ∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/08/cisa-adds-six-known-expl… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2024
by Daily end-of-shift report 05 Jan '24

05 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-01-2024 18:00 − Freitag 05-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kritische Schadcode-Lücke gefährdet Ivanti Endpoint Manager ∗∗∗ --------------------------------------------- Unter bestimmten Voraussetzungen können Angreifer Schadcode auf Ivanti-EPM-Servern ausführen. --------------------------------------------- https://www.heise.de/-9587991.html ∗∗∗ Ransomware: Nach der Erpressung folgt umgehend die nächste Erpressung ∗∗∗ --------------------------------------------- Online-Kriminelle werden immer dreister und schlachten Opfer von Erpressungstrojanern gleich mehrfach aus. --------------------------------------------- https://www.heise.de/-9588424.html ∗∗∗ Fitness-App „Mad Muscles“: Kostenfalle statt Unterstützung bei Neujahrsvorsätzen ∗∗∗ --------------------------------------------- Der unseriöse Anbieter „Mad Muscles“ schaltet derzeit massiv Werbung auf Facebook und Instagram. Die Botschaft? „Building muscle isnt as hard as it sounds!“ („Muskelaufbau ist nicht so schwer, wie es klingt!“) - gerade zum Jahreswechsel sind solche Botschaften beliebt, sollen die Angebote doch dabei helfen, Neujahrsvorsätze einzuhalten. Was die Werbung verschweigt: Die Betreiber:innen von madmuscles.com und der dazugehörigen „Mad Muscle App“ machen Informationen zum Unternehmen genauso wenig transparent wie die Gesamtkosten. Hinzu kommt: Kündigungen werden laut Erfahrungsberichten erschwert. --------------------------------------------- https://www.watchlist-internet.at/news/fitness-app-mad-muscles-kostenfalle-… ∗∗∗ The source code of Zeppelin Ransomware sold on a hacking forum ∗∗∗ --------------------------------------------- Researchers from cybersecurity firm KELA reported that a threat actor announced on a cybercrime forum the sale of the source code and a cracked version of the Zeppelin ransomware builder for $500. --------------------------------------------- https://securityaffairs.com/156974/cyber-crime/zeppelin-ransomware-source-c… ∗∗∗ New Bandook RAT Variant Resurfaces, Targeting Windows Machines ∗∗∗ --------------------------------------------- A new variant of remote access trojan called Bandook has been observed being propagated via phishing attacks with an aim to infiltrate Windows machines, underscoring the continuous evolution of the malware. Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.“ --------------------------------------------- https://thehackernews.com/2024/01/new-bandook-rat-variant-resurfaces.html ∗∗∗ SpectralBlur: New macOS Backdoor Threat from North Korean Hackers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. “SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [...] --------------------------------------------- https://thehackernews.com/2024/01/spectralblur-new-macos-backdoor-threat.ht… ∗∗∗ Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer ∗∗∗ --------------------------------------------- Using extractors written in Python, we detail our system for extracting internal malware configurations from memory dumps. GuLoader and RedLine Stealer are our examples. --------------------------------------------- https://unit42.paloaltonetworks.com/malware-configuration-extraction-techni… ===================== = Vulnerabilities = ===================== ∗∗∗ Inductive Automation Trust Center Updates ∗∗∗ --------------------------------------------- Inductive Automation offers a special thanks to the following security researchers from Trend Micro Zero Day Initiative, Star Labs, Incite Team, and Claroty Research Team82 for their hard work in finding and responsibly disclosing security vulnerabilities described in this tech advisory. All reported issues have been resolved as of Ignition 8.1.35. Inductive Automation recommends upgrading Ignition to the current version to address known vulnerabilities. --------------------------------------------- https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-69… ∗∗∗ QNAP Security Advisories ∗∗∗ --------------------------------------------- - Vulnerability in QcalAgent - Multiple Vulnerabilities in QTS and QuTS hero - Multiple Vulnerabilities in QuMagie - Multiple Vulnerabilities in Video Station - Vulnerability in Netatalk --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, chromium, exim4, netatalk, and tomcat9), Fedora (chromium), Gentoo (BlueZ, c-ares, CUPS filters, RDoc, and WebKitGTK+), Oracle (firefox, squid:4, thunderbird, and tigervnc), SUSE (python-aiohttp and python-paramiko), and Ubuntu (linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/957005/ ∗∗∗ Security Update for Ivanti EPM ∗∗∗ --------------------------------------------- [...] We are reporting this vulnerability as CVE-2023-39366. We have no indication that customers have been impacted by this vulnerability. This vulnerability impacts all supported versions of the product, and the issue has been resolved in Ivanti EPM 2022 Service Update 5. If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-epm ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2024
by Daily end-of-shift report 04 Jan '24

04 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-01-2024 18:00 − Donnerstag 04-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Mandiant’s account on X hacked to push cryptocurrency scam ∗∗∗ --------------------------------------------- The Twitter account of American cybersecurity firm and Google subsidiary Mandiant was hijacked earlier today to impersonate the Phantom crypto wallet and share a cryptocurrency scam. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mandiants-account-on-x-hacke… ∗∗∗ UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT ∗∗∗ --------------------------------------------- The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software. [..] "Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems," the researchers said. --------------------------------------------- https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html ∗∗∗ Three Ways To Supercharge Your Software Supply Chain Security ∗∗∗ --------------------------------------------- If you make software and ever hope to sell it to one or more federal agencies, you have to pay attention to this. Even if you never plan to sell to a government, understanding your Software Supply Chain and learning how to secure it will pay dividends in a stronger security footing and the benefits it provides. --------------------------------------------- https://thehackernews.com/2024/01/three-ways-to-supercharge-your-software.h… ∗∗∗ Internetstörungen in Spanien: Orange-Konto bei RIPE geknackt ∗∗∗ --------------------------------------------- Im spanischen Internet kam es zu Störungen. Das Konto des Anbieters Orange bei RIPE wurde geknackt, die Angreifer haben Routen umgelenkt. [..] Durch ein schwaches Passwort ("ripeadmin") und den Verzicht auf Zwei-Faktor-Authentifizierung hatte der Angreifer leichtes Spiel. [..] Eine Antwort auf eine Anfrage beim RIPE NCC zu weiteren betroffenen oder gefährdeten Accounts und zu einer möglichen Verpflichtung, RIPE Accounts künftig zwingend mit Zwei-Faktor-Authentifizierung zu schützen, steht noch aus. Orange Spanien ist mit einem blauen Auge davongekommen; offenbar ging es dem Angreifer nur darum, den Provider bloßzustellen. --------------------------------------------- https://www.heise.de/-9587184 ∗∗∗ Terrapin-Attacke: Millionen SSH-Server angreifbar, Risiko trotzdem überschaubar ∗∗∗ --------------------------------------------- Zwar ist mehr als die Hälfte aller im Internet erreichbaren SSH-Server betroffen, Admins können jedoch aufatmen: Ein erfolgreicher Angriff ist schwierig. --------------------------------------------- https://www.heise.de/-9587473 ∗∗∗ Beyond Protocols: How Team Camaraderie Fortifies Security ∗∗∗ --------------------------------------------- The most efficient and effective teams have healthy and constructive cultures that encourage team members to go above and beyond the call of duty. --------------------------------------------- https://www.securityweek.com/beyond-protocols-how-team-camaraderie-fortifie… ∗∗∗ „Sofortiges Handeln erforderlich“: Massenhaft Phishing-Mails im Namen von A1 im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche Konsument:innen wenden sich aktuell mit gefälschten E-Mails im Namen von A1 an die Watchlist Internet. Im E-Mail wird behauptet, dass „ungewöhnliche Verbindungen“ festgestellt wurden und daher „Ihre sofortige Aufmerksamkeit“ notwendig ist, „um die Sicherheit Ihres Kontos zu gewährleisten“. Gleichzeitig wird mit der Sperre des Kontos gedroht. Wir können entwarnen: Es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/sofortiges-handeln-erforderlich-mass… ∗∗∗ CVE-2022-1471: SnakeYAML Deserialization Deep Dive ∗∗∗ --------------------------------------------- Get an overview of SnakeYAML deserialization vulnerabilities (CVE-2022-1471) - how it works, why it works, and what it affects. --------------------------------------------- https://www.greynoise.io/blog/cve-2022-1471-snakeyaml-deserialization-deep-… ===================== = Vulnerabilities = ===================== ∗∗∗ Update für Google Chrome schließt sechs Sicherheitslücken ∗∗∗ --------------------------------------------- Google hat aktualisierte Chrome-Versionen herausgegeben. Sie schließen sechs Sicherheitslücken, davon mehrere mit hohem Risiko. --------------------------------------------- https://www.heise.de/-9586697 ∗∗∗ Patchday Android: Angreifer können sich höhere Rechte erschleichen ∗∗∗ --------------------------------------------- Android-Geräte sind für Attacken anfällig. Google, Samsung & Co. stellen Sicherheitsupdates bereit. --------------------------------------------- https://www.heise.de/-9586713 ∗∗∗ Netzwerkanalysetool Wireshark gegen mögliche Attacken abgesichert ∗∗∗ --------------------------------------------- Die Wireshark-Entwickler haben in aktuellen Versionen mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/-9587170 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), Red Hat (squid:4), SUSE (exim, libcryptopp, and proftpd), and Ubuntu (openssh and sqlite3). --------------------------------------------- https://lwn.net/Articles/956855/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-02 ∗∗∗ Rockwell Automation FactoryTalk Activation ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2024
by Daily end-of-shift report 03 Jan '24

03 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-01-2024 18:00 − Mittwoch 03-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Leaksmas: Auch Cyberkriminelle haben sich zu Weihnachten beschenkt ∗∗∗ --------------------------------------------- Rund um Weihnachten wurden im Darknet mehr als 50 Millionen neue Datensätze aus verschiedenen Quellen veröffentlicht. Der Zeitpunkt war kein Zufall. Cyberkriminelle haben die Weihnachtszeit offenbar genutzt, um sich gegenseitig mit umfangreichen und von verschiedenen Unternehmen und Behörden erbeuteten Datensätzen zu beschenken. --------------------------------------------- https://www.golem.de/news/leaksmas-auch-cyberkriminelle-haben-sich-zu-weihn… ∗∗∗ Google-Konten in Gefahr: Exploit erlaubt böswilligen Zugriff trotz Passwort-Reset ∗∗∗ --------------------------------------------- Durch eine Schwachstelle in einem OAuth-Endpunkt können sich Cyberkriminelle dauerhaft Zugriff auf das Google-Konto einer Zielperson verschaffen. [..] Eine offizielle Stellungnahme zum Missbrauch des Multilogin-Endpunkts gibt es seitens Google wohl noch nicht. Dass dem Unternehmen das Problem bekannt ist, ist angesichts der Abhilfemaßnahmen aber anzunehmen. --------------------------------------------- https://www.golem.de/news/google-konten-in-gefahr-exploit-erlaubt-boeswilli… ∗∗∗ Interesting large and small malspam attachments from 2023, (Wed, Jan 3rd) ∗∗∗ --------------------------------------------- At the end of a year, or at the beginning of a new one, I like to go over all malicious attachments that were caught in my e-mail trap over the last 12 months, since this can provide a good overview of long-term malspam trends and may sometimes lead to other interesting discoveries. --------------------------------------------- https://isc.sans.edu/diary/rss/30524 ∗∗∗ Don’t trust links with known domains: BMW affected by redirect vulnerability ∗∗∗ --------------------------------------------- Cybernews researchers have discovered two BMW subdomains that were vulnerable to SAP redirect vulnerability. They were used to access the internal workplace systems for BMW dealers and could have been useful to attackers for spear-phishing campaigns or malware distribution. [..] Cybernews researchers immediately disclosed the vulnerability to BMW, and it was promptly fixed. --------------------------------------------- https://securityaffairs.com/156843/reports/bmw-affected-by-redirect-vulnera… ∗∗∗ How to Stop a DDoS Attack in 5 Steps ∗∗∗ --------------------------------------------- In this post, we’ll cover some essential fundamentals on how to stop a DDoS attack and prevent them from happening in the future. --------------------------------------------- https://blog.sucuri.net/2024/01/how-to-stop-a-ddos-attack.html ∗∗∗ Nehmen Sie keine unerwarteten Nachnahme-Sendungen an! ∗∗∗ --------------------------------------------- Aktuell erreichen uns gehäuft Meldungen zu unerwarteten Paketzustellungen, welche bei der Annahme per Nachnahme zu bezahlen sind. Nach einer Übernahme stellt sich häufig heraus, dass der Inhalt wertlos ist, beziehungsweise die Ware nie bestellt wurde. Achtung: Nehmen Sie Nachnahmesendungen nur an, wenn Sie ein entsprechendes Paket erwarten und den Absender kennen. Eine Rückerstattung über die Post ist im Problemfall nämlich nicht mehr möglich! --------------------------------------------- https://www.watchlist-internet.at/news/nehmen-sie-keine-unerwarteten-nachna… ∗∗∗ Decoding ethical hacking: A comprehensive exploration of white hat practices ∗∗∗ --------------------------------------------- In summation, ethical hacking emerges as a linchpin in fortifying cybersecurity defenses. Adopting a proactive approach, ethical hackers play a pivotal role in identifying vulnerabilities, assessing risks, and ensuring that organizations exhibit resilience in the face of evolving cyber threats. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/decoding-ethical-ha… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (slurm), Oracle (kernel and postgresql:15), Red Hat (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), SUSE (polkit, postfix, putty, w3m, and webkit2gtk3), and Ubuntu (nodejs). --------------------------------------------- https://lwn.net/Articles/956694/ ∗∗∗ WordPress MyCalendar Plugin — Unauthenticated SQL Injection(CVE-2023–6360) ∗∗∗ --------------------------------------------- WordPress Core is the most popular web Content Management System (CMS). This free and open-source CMS written in PHP allows developers to develop web applications quickly by allowing customization through plugins and themes. In this article, we will analyze an unauthenticated sql injection vulnerability found in the MyCalendar plugin. --------------------------------------------- https://medium.com/tenable-techblog/wordpress-mycalendar-plugin-unauthentic… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.01.2024
by Daily end-of-shift report 02 Jan '24

02 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-12-2023 18:00 − Dienstag 02-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK ∗∗∗ --------------------------------------------- The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information. --------------------------------------------- https://thehackernews.com/2023/12/cert-ua-uncovers-new-malware-wave.html ∗∗∗ Neue Lücke in altem E-Mail-Protokoll: SMTP smuggling ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine Schwäche im Simple Mail Transfer Protocol (SMTP) entdeckt. Sie hebt das Fälschen des Absenders auf ein neues Niveau. --------------------------------------------- https://www.heise.de/-9584467 ∗∗∗ Ransomware: Fehler in Black-Basta-Programmierung ermöglicht Entschlüsselungstool ∗∗∗ --------------------------------------------- Unter bestimmten Bedingungen kann das kostenlose Entschlüsselungstool Black Basta Buster Opfern des Erpressungstrojaners Black Basta helfen. --------------------------------------------- https://www.heise.de/-9584846 ∗∗∗ New DLL Search Order Hijacking Technique Targets WinSxS Folder ∗∗∗ --------------------------------------------- Attackers can abuse a new DLL search order hijacking technique to execute code in applications within the WinSxS folder. --------------------------------------------- https://www.securityweek.com/new-dll-search-order-hijacking-technique-targe… ∗∗∗ Domain (in)security: the state of DMARC ∗∗∗ --------------------------------------------- This blog discusses the state of DMARC, the role that DMARC plays in email authentication, and why it should be a key component of your email security solution. --------------------------------------------- https://www.bitsight.com/blog/domain-insecurity-state-dmarc ===================== = Vulnerabilities = ===================== ∗∗∗ Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise ∗∗∗ --------------------------------------------- In this post I describe the 18 vulnerabilities that I discovered in PandoraFMS Enterprise v7.0NG.767 available at https://pandorafms.com. PandoraFMS is an enterprise scale network monitoring and management application which provides systems administrators with a central ‘hub’ to monitor and manipulate the state of computers (agents) deployed across the network. --------------------------------------------- https://research.nccgroup.com/2024/01/02/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, asterisk, cjson, firefox-esr, kernel, libde265, libreoffice, libspreadsheet-parseexcel-perl, php-guzzlehttp-psr7, thunderbird, tinyxml, and xerces-c), Fedora (podman-tui, proftpd, python-asyncssh, squid, and xerces-c), Mageia (libssh and proftpd), and SUSE (deepin-compressor, gnutls, gstreamer, libreoffice, opera, proftpd, and python-pip). --------------------------------------------- https://lwn.net/Articles/956521/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Gentoo (Joblib), Red Hat (firefox and thunderbird), SUSE (gstreamer-plugins-bad, libssh2_org, and webkit2gtk3), and Ubuntu (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/956568/ ∗∗∗ Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7103673 ∗∗∗ Multiple vulnerabilities affect IBM Storage Scale Hadoop Connector ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104389 ∗∗∗ IBM Maximo Application Suite uses axios-0.25.0.tgz which is vulnerable to CVE-2023-45857 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104391 ∗∗∗ IBM Maximo Application Suite uses WebSphere Liberty which is vulnerable to CVE-2023-46158, CVE-2023-44483 and CVE-2023-44487 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104390 ∗∗∗ Vulnerabilities in Apache Ant affect IBM Operations Analytics - Log Analysis (CVE-2020-11023, CVE-2020-23064, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104401 ∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7037900 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.12.2023
by Daily end-of-shift report 29 Dec '23

29 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-12-2023 18:00 − Freitag 29-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts ∗∗∗ --------------------------------------------- Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named "MultiLogin" to restore expired authentication cookies and log into users accounts, even if an accounts password was reset. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-abuses-google-oauth-… ∗∗∗ Steam game mod breached to push password-stealing malware ∗∗∗ --------------------------------------------- Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/steam-game-mod-breached-to-p… ∗∗∗ Security: Wie man mit Ransomware-Hackern verhandelt ∗∗∗ --------------------------------------------- Wer Opfer einer Ransomware-Attacke wird, kommt an Verhandlungen mit den Kriminellen manchmal nicht vorbei. Dabei gibt es einige Regeln zu beachten. Ein Bericht von Friedhelm Greis --------------------------------------------- https://www.golem.de/news/security-wie-man-mit-ransomware-hackern-verhandel… ∗∗∗ New Version of Meduza Stealer Released in Dark Web ∗∗∗ --------------------------------------------- On Christmas Eve, Resecurity’s HUNTER unit spotted the author of perspective password stealer Meduza has released a new version (2.2). One of the key significant improvements are support of more software clients [...] --------------------------------------------- https://securityaffairs.com/156598/malware/meduza-stealer-released-dark-web… ∗∗∗ Clash of Clans gamers at risk while using third-party app ∗∗∗ --------------------------------------------- An exposed database and secrets on a third-party app puts Clash of Clans players at risk of attacks from threat actors. The Cybernews research team has discovered that the Clash Base Designer Easy Copy app exposed its Firebase database and user-sensitive information. With 100,000 downloads on the Google Play store, [...] --------------------------------------------- https://securityaffairs.com/156617/security/clash-of-clans-gamers-at-risk.h… ∗∗∗ The Worst Hacks of 2023 ∗∗∗ --------------------------------------------- It was a year of devastating cyberattacks around the globe, from ransomware attacks on casinos to state-sponsored breaches of critical infrastructure. --------------------------------------------- https://www.wired.com/story/worst-hacks-2023/ ∗∗∗ From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence ∗∗∗ --------------------------------------------- >From October-December, the activities of DarkGate, Pikabot, IcedID and more were seen and shared with the broader community via social media [...] --------------------------------------------- https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/ ∗∗∗ Windows: CVE-2021-43890 ausnutzbar: App-Installer-Protokoll deaktiviert; Storm-1152 ausgeschaltet ∗∗∗ --------------------------------------------- Ich packe zum Jahresende noch einige "Gruselgeschichten" rund um das Thema "Sicherheit in Microsoft-Produkten" zusammen. So hat Microsoft den MSXI-App-Installer-Protokoll deaktiviert, weil dieses von Malware-Gruppen missbraucht wurde. Dann gab es die Schwachstelle CVE-2021-43890, die längst gefixt zu sein schien, jetzt [...] --------------------------------------------- https://www.borncity.com/blog/2023/12/29/microsoft-sicherheitssplitter-cve-… ∗∗∗ Velociraptor 0.7.1 Release: Sigma Support, ETW Multiplexing, Local Encrypted Storage and New VQL Capabilities Highlight the Last Release of 2023 ∗∗∗ --------------------------------------------- Rapid7 is excited to announce that version 0.7.1 of Velociraptor is live and available for download. There are several new features and capabilities that add to the power and efficiency of this open-source digital forensic and incident response (DFIR) platform. --------------------------------------------- https://www.rapid7.com/blog/post/2023/12/29/velociraptor-0-7-1-release-sigm… ===================== = Vulnerabilities = ===================== ∗∗∗ Apache OpenOffice 4.1.15 Release Notes ∗∗∗ --------------------------------------------- CVE-2012-5639: Loading internal / external resources without warning, CVE-2022-43680: "Use after free" fixed in libexpat, CVE-2023-1183: Arbitrary file write in Apache OpenOffice Base, CVE-2023-47804: Macro URL arbitrary script execution --------------------------------------------- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.15+Release+Not… ∗∗∗ CVE-2019-3773 Spring Web Services Vulnerability in NetApp Products ∗∗∗ --------------------------------------------- Multiple NetApp products incorporate Spring Web Services. Spring Web Services 2.4.3, 3.0.4, and older unsupported versions are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). [...] CVE-2019-3773 9.8 (CRITICAL) --------------------------------------------- https://security.netapp.com/advisory/ntap-20231227-0011/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.12.2023
by Daily end-of-shift report 28 Dec '23

28 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-12-2023 18:00 − Donnerstag 28-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Lockbit ransomware disrupts emergency care at German hospitals ∗∗∗ --------------------------------------------- German hospital network Katholische Hospitalvereinigung Ostwestfalen (KHO) has confirmed that recent service disruptions were caused by a Lockbit ransomware attack where the threat actors gained access to IT systems and encrypted devices on the network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupts-… ∗∗∗ Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary], (Wed, Dec 27th) ∗∗∗ --------------------------------------------- In this post, I dig into my instance of the DShield honeypot to see what attack vectors malicious actors are trying to exploit. What I found were several attempts to upload the Mirai family of malware. --------------------------------------------- https://isc.sans.edu/diary/rss/30514 ∗∗∗ Operation Triangulation: "Raffiniertester Exploit aller Zeiten" auf iPhones ∗∗∗ --------------------------------------------- Im Sommer wurde bekannt, dass iPhones der russischen Sicherheitsfirma Kaspersky per hoch entwickeltem Exploit übernommen wurden. Auf dem 37C3 gab es Details. --------------------------------------------- https://www.heise.de/-9583427 ∗∗∗ Neuer iPhone-Diebstahlschutz: "Wichtige Orte" als Sicherheitsloch ∗∗∗ --------------------------------------------- Apple will bald die Account-Ausplünderung nach iPhone-Diebstählen erschweren. Ein Sicherheitsfeature bietet allerdings eine Umgehungsmöglichkeit. --------------------------------------------- https://www.heise.de/-9582753 ∗∗∗ Jahresrückblick: Diese Themen beschäftigten uns 2023! ∗∗∗ --------------------------------------------- 2023 geht für die Watchlist Internet erfolgreich zu Ende: Mit rund 3,2 Millionen Besucher:innen konnten wir auch heuer wieder zahlreiche Menschen vor Internetbetrug warnen. Monatlich erreichten uns dabei rund 1.000 Meldungen, die wir 2023 in rund 200 Warnartikel und durch die Veröffentlichung von über 12.000 Domains auf unseren Warnlisten verarbeitet haben. Danke an unsere Leser:innen, die diesen Erfolg ermöglichen. --------------------------------------------- https://www.watchlist-internet.at/news/jahresrueckblick-diese-themen-bescha… ∗∗∗ How to report Gmail messages as spam to improve your life and make you a hero ∗∗∗ --------------------------------------------- The act of marking and reporting an email as spam in Gmail has an important side effect that makes it totally worth a few seconds of your day. --------------------------------------------- https://www.zdnet.com/article/how-to-report-gmail-messages-as-spam-to-impro… ∗∗∗ Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed ∗∗∗ --------------------------------------------- While the Kimsuky group typically uses spear phishing attacks for initial access, most of their recent attacks involve the use of shortcut-type malware in LNK file format. Although LNK malware comprise a large part of recent attacks, cases using JavaScripts or malicious documents are continuing to be detected. --------------------------------------------- https://asec.ahnlab.com/en/60054/ ∗∗∗ Cyber Toufan goes Oprah mode, with free Linux system wipes of over 100 organisations ∗∗∗ --------------------------------------------- For the past 6 or so weeks, I’ve been tracking Cyber Toufan on Telegram. They appeared in November, and they’ve been very busy and very naughty boys. They actually set up their infrastructure around October, and started owning things apparently undetected. They’re not a lame DDoS pretend hacktivist group like NoName016 — instead, they claim to be Palestinian state cyber warriors. --------------------------------------------- https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-syste… ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper: 2023-12 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF03. Severity Assessment (CVSS) Score 9.8 --------------------------------------------- https://supportportal.juniper.net/s/article/2023-12-Security-Bulletin-JSA-S… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy, libssh, and nodejs), Fedora (filezilla and minizip-ng), Gentoo (Git, libssh, and OpenSSH), and SUSE (gstreamer, postfix, webkit2gtk3, and zabbix). --------------------------------------------- https://lwn.net/Articles/956257/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2023
by Daily end-of-shift report 27 Dec '23

27 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-12-2023 18:00 − Mittwoch 27-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Operation Triangulation: The last (hardware) mystery ∗∗∗ --------------------------------------------- Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs. --------------------------------------------- https://securelist.com/operation-triangulation-the-last-hardware-mystery/11… ∗∗∗ Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices ∗∗∗ --------------------------------------------- McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#. Dubbed Android/Xamalicious it tries to gain accessibility privileges with social engineering and then it communicates with the command-and-control server to evaluate whether or not to download a second-stage payload that’s dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps among other actions financially motivated without user consent. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-andro… ∗∗∗ Gefährliche VPN-Extension für Chrome ist millionenfach installiert ∗∗∗ --------------------------------------------- Rund 1,5 Millionen Rechner sind mit Malware infiziert, die sich in den Browsern als VPN-Erweiterung einnistet. [..] Auf den Computern landet die Software über unrechtmäßig kopierte Spiele wie Grand Theft Auto, Assassins Creed und The Sims 4, die von Torrent-Seiten heruntergeladen wurden. --------------------------------------------- https://futurezone.at/digital-life/vpn-extension-chrome-gefaehrlich-million… ∗∗∗ Python Keylogger Using Mailtrap.io, (Sat, Dec 23rd) ∗∗∗ --------------------------------------------- I found another Python keylogger... This is pretty common because Python has plenty of modules to implement this technique in a few lines of code [..} But, in this case, the attacker used another popular online service: mailtrap.io. --------------------------------------------- https://isc.sans.edu/diary/rss/30512 ∗∗∗ New Guide: Broken Access Control ∗∗∗ --------------------------------------------- We are excited to announce the release of our new guide What is Broken Access Control. This handy resource helps you grasp the ins-and-outs of BACs, their potential risks and operation, enabling you to effectively secure your website against unauthorized access and breaches. --------------------------------------------- https://blog.sucuri.net/2023/12/new-guide-broken-access-control.html ∗∗∗ Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft ∗∗∗ --------------------------------------------- Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information. The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri. --------------------------------------------- https://thehackernews.com/2023/12/rogue-wordpress-plugin-exposes-e.html ∗∗∗ Tesla: Forscher der TU Berlin verschaffen sich Zugriff auf Autopilot-Hardware ∗∗∗ --------------------------------------------- Mit Hilfe eines kurzen Spannungsabfalls konnten sich drei Doktoranden der TU Berlin Zugriff auf die Platine verschaffen, auf der Teslas Autopilot arbeitet. --------------------------------------------- https://www.heise.de/-9583095 ∗∗∗ Dual Privilege Escalation Chain: Exploiting Monitoring and Service Mesh Configurations and Privileges in GKE to Gain Unauthorized Access in Kubernetes ∗∗∗ --------------------------------------------- This article examines two specific issues in Google Kubernetes Engine (GKE). While each issue might not result in significant damage on its own, when combined they create an opportunity for an attacker who already has access to a Kubernetes cluster to escalate their privileges. This article serves as a crucial resource for Kubernetes users and administrators, offering insights on safeguarding their clusters from potential attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/google-kubernetes-engine-privilege-esca… ∗∗∗ Analysis of Attacks That Install Scanners on Linux SSH Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) analyzes attack campaigns against poorly managed Linux SSH servers and shares the results on the ASEC Blog. --------------------------------------------- https://asec.ahnlab.com/en/59972/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack ∗∗∗ --------------------------------------------- A new zero-day security flaw has been discovered in the Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month. --------------------------------------------- https://thehackernews.com/2023/12/critical-zero-day-in-apache-ofbiz-erp.html ∗∗∗ Kritische Sicherheitslücke in Perl-Bibliothek: Schwachstelle bereits ausgenutzt ∗∗∗ --------------------------------------------- In einer Perl-Bibliothek zum Parsen von Excel-Dateien haben Sicherheitsforscher eine kritische Schwachstelle entdeckt, die Angreifer bereits ausgenutzt haben. [..] Die MITRE hat der Schwachstelle den Eintrag CVE-2023-7101 vergeben. Der Proof of Concept ist von März 2023. Ein Sicherheitspatch ist derzeit noch nicht verfügbar. --------------------------------------------- https://www.heise.de/-9583179 ∗∗∗ Barracuda ESG-Schwachstelle CVE-2023-7102 (Dez. 2023) ∗∗∗ --------------------------------------------- Barracuda hat bei einer laufenden Untersuchung festgestellt, dass ein Bedrohungsakteur die Schwachstelle Schwachstelle CVE-2023-7102 in der Barracuda Email Security Gateway Appliance (ESG) ausnutzt. Die Verwendung einer Bibliothek eines Drittanbieters führte zu dieser Schwachstelle, die die Barracuda ESG Appliance von 5.1.3.001 bis 9.2.1.001 betraf. Barracuda hat zum 21. Dezember 2023 ein Sicherheitsupdate für alle aktiven ESGs bereitgestellt, um die ACE-Schwachstelle zu beheben. --------------------------------------------- https://www.borncity.com/blog/2023/12/27/barracuda-esg-schwachstelle-cve-20… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, openssh, osslsigncode, and putty), Fedora (chromium, filezilla, libfilezilla, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, opensc, thunderbird, unrealircd, and xorg-x11-server-Xwayland), Gentoo (Ceph, FFmpeg, Flatpak, Gitea, and SABnzbd), Mageia (chromium-browser-stable), Slackware (kernel and postfix), and SUSE (cppcheck, distribution, gstreamer-plugins-bad, jbigkit, and ppp). --------------------------------------------- https://lwn.net/Articles/956156/ ∗∗∗ Autodesk: Multiple Vulnerabilities in Autodesk InfoWorks software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0024 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily