=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-12-2023 18:00 − Thursday 07-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ CISA and International Partners Release Advisory on [..] Star Blizzard ∗∗∗
---------------------------------------------
The joint CSA aims to raise awareness of the specific tactics, techniques, and delivery methods [..] Known Star Blizzard techniques include: Impersonating known contacts' email accounts, Creating fake social media profiles, Using webmail addresses from providers such as Outlook, Gmail and others, and Creating malicious domains that resemble legitimate organizations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-and-international-p…
∗∗∗ CISA, NSA, FBI and International Cybersecurity Authorities Publish Guide on The Case for Memory Safe Roadmaps ∗∗∗
---------------------------------------------
The guide strongly encourages executives of software manufacturers to prioritize using memory safe programming languages, write and publish memory safe roadmaps and implement changes to eliminate this class of vulnerability and protect their customers. Software developers and support staff should develop the roadmap, which should detail how the manufacturer will modify their software development life cycle (SDLC) to dramatically reduce and eventually eliminate memory unsafe code in their products. This guidance also provides a clear outline of elements that a memory safe roadmap should include.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-nsa-fbi-and-international-cybers…
=====================
= Vulnerabilities =
=====================
∗∗∗ PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2 ∗∗∗
---------------------------------------------
WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site. We urge all WordPress users to update to 6.4.2 immediately, as this issue could allow full site takeover if another vulnerability is present.
---------------------------------------------
https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remo…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tzdata), Fedora (gmailctl), Oracle (kernel), Red Hat (linux-firmware, postgresql:12, postgresql:13, and squid:4), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, frr, libtorrent-rasterbar, qbittorrent, openssl-3, openvswitch, openvswitch3, and suse-build-key), and Ubuntu (bluez, curl, linux, linux-aws, linux-azure, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-gcp, open-vm-tools, postgresql-12, postgresql-14, postgresql-15, and python-cryptography).
---------------------------------------------
https://lwn.net/Articles/953977/
∗∗∗ Critical security vulnerabilities in several Atlassian products - patches available ∗∗∗
---------------------------------------------
Several versions of products by the company Atlassian contain critical security vulnerabilities. Exploiting these vulnerabilities allows attackers to take over vulnerable systems completely and to access all data stored on them. CVE number(s): CVE-2023-22522, CVE-2022-1471. CVSS Base Score: 9.0 and 9.8 respectively.
---------------------------------------------
https://cert.at/de/warnungen/2023/12/kritische-sicherheitslucken-in-mehrere…
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-23-341-01 Mitsubishi Electric FA Engineering Software Products,
ICSA-23-341-02 Schweitzer Engineering Laboratories SEL-411L,
ICSA-23-341-03 Johnson Controls Metasys and Facility Explorer,
ICSA-23-341-05 ControlbyWeb Relay,
ICSA-23-341-06 Sierra Wireless AirLink with ALEOS firmware
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-releases-five-indus…
∗∗∗ BIOS Image Parsing Function Vulnerabilities (LogoFAIL) ∗∗∗
---------------------------------------------
Vulnerabilities were reported in the image parsing libraries in AMI, Insyde and Phoenix BIOS which are used to parse personalized boot logos that are loaded from the EFI System Partition that could allow a local attacker with elevated privileges to trigger a denial of service or arbitrary code execution. [..] Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
---------------------------------------------
http://support.lenovo.com/product_security/PS500590-BIOS-IMAGE-PARSING-FUNC…
∗∗∗ Drupal: Group - Less critical - Access bypass - SA-CONTRIB-2023-054 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-054
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-12-2023 18:00 − Wednesday 06-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Deceptive security: attackers can fake the iOS Lockdown Mode ∗∗∗
---------------------------------------------
iOS Lockdown Mode is meant to protect iPhone owners from cyberattacks. Researchers have shown how the feature can be faked.
---------------------------------------------
https://www.golem.de/news/truegerische-sicherheit-angreifer-koennen-lockdow…
∗∗∗ Whose packet is it anyway: a new RFC for attribution of internet probes, (Wed, Dec 6th) ∗∗∗
---------------------------------------------
So far, security analysts and administrators have had to rely mostly on WHOIS, RDAP, reverse DNS lookups and third-party data (e.g., data from ISC/DShield) in order to gain some idea of who might be behind a specific scan and whether it was malicious or not. However, authors of the aforementioned RFC came up with several ideas of how originators of “internet probes” might simplify their own identification.
---------------------------------------------
https://isc.sans.edu/diary/rss/30456
∗∗∗ Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks ∗∗∗
---------------------------------------------
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023.
---------------------------------------------
https://thehackernews.com/2023/12/qualcomm-releases-details-on-chip.html
∗∗∗ Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts ∗∗∗
---------------------------------------------
Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks. The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth said in a Tuesday analysis.
---------------------------------------------
https://thehackernews.com/2023/12/alert-threat-actors-can-leverage-aws.html
∗∗∗ Blind CSS Exfiltration: exfiltrate unknown web pages ∗∗∗
---------------------------------------------
Why would we want to do blind CSS exfiltration? Imagine you've got a blind HTML injection vulnerability but you can't get XSS because of the site's CSP, or perhaps the site has a server-side or DOM-based filter such as DOMPurify. JavaScript is off the table but they allow styles because they're just styles, right? What possible damage can you do with just CSS?
---------------------------------------------
https://portswigger.net/research/blind-css-exfiltration
∗∗∗ SLAM: New Spectre variant endangers future CPU generations ∗∗∗
---------------------------------------------
Researchers trick the memory management of upcoming CPU generations into letting them read supposedly protected data from RAM.
---------------------------------------------
https://www.heise.de/-9549625
∗∗∗ Windows 10: security updates after end of support ∗∗∗
---------------------------------------------
Anyone wanting to run Windows 10 beyond 2025 must either move to the Microsoft 365 cloud or pay for patches.
---------------------------------------------
https://www.heise.de/-9566262
∗∗∗ Warning of fraud: invoice from the "Registergericht" (registry court) ∗∗∗
---------------------------------------------
Apparently another fraud campaign is currently under way in which letters with fake invoices from a supposed "Registergericht" (registry court) are being sent to companies.
---------------------------------------------
https://www.borncity.com/blog/2023/12/06/achtung-betrug-rechnung-vom-regist…
∗∗∗ CVE-2023-49105, WebDAV Api Authentication Bypass in ownCloud ∗∗∗
---------------------------------------------
While the 10/10 CVE-2023-49103 got all the attention last week, organizations should not quickly overlook CVE-2023-49105! CVE-2023-49105 is an authentication bypass issue affecting ownCloud from version 10.6.0 to version 10.13.0. It allows an attacker to access, modify, or delete any file without authentication if the username is known. Even if the user has no signing key configured, ownCloud accepts pre-signed URLs, enabling the attacker to generate URLs for arbitrary file operations.
---------------------------------------------
https://www.greynoise.io/blog/cve-2023-49105-webdav-api-authentication-bypa…
=====================
= Vulnerabilities =
=====================
∗∗∗ "Sierra:21" vulnerabilities impact critical infrastructure routers ∗∗∗
---------------------------------------------
A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks. [..] AirLink routers are highly regarded in the field of industrial and mission-critical applications due to high-performance 3G/4G/5G and WiFi and multi-network connectivity.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sierra-21-vulnerabilities-im…
∗∗∗ Code injection in Atlassian products: four critical vulnerabilities surfaced ∗∗∗
---------------------------------------------
Admins of Confluence, Jira and Bitbucket get no break from patching: Atlassian has once again released urgent updates for its most important products.
---------------------------------------------
https://www.heise.de/-9565780
∗∗∗ Kiosk Escape Privilege Escalation in One Identity Password Manager Secure Password Extension ∗∗∗
---------------------------------------------
The Password Manager Extension from One Identity can be used to perform two different kiosk escapes on the lock screen of a Windows client. These two escapes allow an attacker to execute commands with the highest permissions of a user with the SYSTEM role.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/kiosk-escape-privilege-e…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, clevis-pin-tpm2, firefox, keyring-ima-signer, libkrun, perl, perl-PAR-Packer, polymake, poppler, rust-bodhi-cli, rust-coreos-installer, rust-fedora-update-feedback, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sequoia-wot, rust-sevctl, rust-snphost, and rust-tealdeer), Mageia (samba), Red Hat (postgresql:12), SUSE (haproxy and kernel-firmware), and Ubuntu (haproxy, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-6.1, and redis).
---------------------------------------------
https://lwn.net/Articles/953861/
∗∗∗ Command Injection via the CLI of the DrayTek Vigor167 (SYSS-2023-023) ∗∗∗
---------------------------------------------
The command-line interface (CLI) of the DrayTek Vigor167 with modem firmware 5.2.2 allows authenticated attackers to execute arbitrary code on the modem. Users with access to the web interface but without any permissions also have access to the CLI and can use it to take over the modem.
---------------------------------------------
https://www.syss.de/pentest-blog/command-injection-via-cli-des-draytek-vigo…
∗∗∗ Security Advisory - Identity Bypass Vulnerability in Some Huawei Smart Screen Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ibvishssp…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-12-2023 18:00 − Tuesday 05-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Unpatched Loytec Building Automation Flaws Disclosed 2 Years After Discovery ∗∗∗
---------------------------------------------
Industrial cybersecurity firm TXOne Networks has disclosed the details of 10 unpatched vulnerabilities discovered by its researchers in building automation products made by Austrian company Loytec more than two years ago.
---------------------------------------------
https://www.securityweek.com/unpatched-loytec-building-automation-flaws-dis…
∗∗∗ BlueNoroff: new Trojan attacking macOS users ∗∗∗
---------------------------------------------
BlueNoroff has been attacking macOS users with a new loader that delivers unknown malware to the system.
---------------------------------------------
https://securelist.com/bluenoroff-new-macos-malware/111290/
∗∗∗ Zarya Hacktivists: More than just Sharepoint, (Mon, Dec 4th) ∗∗∗
---------------------------------------------
Zarya isn't exactly the type of threat you should be afraid of, but it is sad how these groups can still be effective due to organizations exposing unpatched or badly configured systems to the internet. Most of the attacks sent by Zarya will not succeed even if they hit a vulnerable system. For some added protection, you may consider blocking some of the Aeza network's traffic after ensuring that this network hosts no critical resources you need. Aeza uses ASN 210644.
---------------------------------------------
https://isc.sans.edu/diary/rss/30450
∗∗∗ Warning for iPhone Users: Experts Warn of Sneaky Fake Lockdown Mode Attack ∗∗∗
---------------------------------------------
A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when it's actually not, and carry out covert attacks.
---------------------------------------------
https://thehackernews.com/2023/12/warning-for-iphone-users-experts-warn.html
∗∗∗ Security vulnerability in iOS 16 allegedly makes data extraction easier ∗∗∗
---------------------------------------------
In Moscow, two forensics companies are in a dispute over stolen program code. That code, however, reveals a possible new security vulnerability in the iPhone operating system.
---------------------------------------------
https://www.heise.de/-9548725
∗∗∗ OSINT. What can you find from a domain or company name ∗∗∗
---------------------------------------------
To help OPSEC people I thought it might be useful to go over some of the key things that can be found using domain and company names.
---------------------------------------------
https://www.pentestpartners.com/security-blog/osint-what-can-you-find-from-…
∗∗∗ Many complaints about luckyluna.de ∗∗∗
---------------------------------------------
luckyluna.de offers hand-drawn pet portraits. You upload a photo of your pet, it is drawn, and you receive the picture either digitally or on canvas; at least that is the promise. Angry customers complain, however, that the pictures are not hand-drawn but that the "handmade portraits" are only created with the help of an image editing program.
---------------------------------------------
https://www.watchlist-internet.at/news/viele-beschwerden-zu-luckylunade/
∗∗∗ Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers ∗∗∗
---------------------------------------------
This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
=====================
= Vulnerabilities =
=====================
∗∗∗ Android Patchday: Android 11, 12, 13 and 14 vulnerable to malicious code attacks ∗∗∗
---------------------------------------------
Attackers can target Android smartphones and tablets from various manufacturers. Security updates are available for some devices.
---------------------------------------------
https://www.heise.de/-9548839
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (roundcube), Fedora (java-latest-openjdk), Mageia (libqb), SUSE (python-Django1), and Ubuntu (request-tracker4).
---------------------------------------------
https://lwn.net/Articles/953783/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0011 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2023-42916, CVE-2023-42917.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0011.html
∗∗∗ Security updates for Ivanti Connect Secure and Ivanti Policy Secure ∗∗∗
---------------------------------------------
We are reporting the Ivanti Connect Secure issues as CVE-2023-39340, CVE-2023-41719 and CVE-2023-41720, and Ivanti Policy Secure issue as CVE-2023-39339. We encourage customers to download the latest releases of ICS and IPS to remediate the issues.
---------------------------------------------
https://www.ivanti.com/blog/security-updates-for-ivanti-connect-secure-and-…
∗∗∗ SonicWall SSL-VPN SMA100 Version 10.x Is Affected By Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018
∗∗∗ Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Packet Validation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Wago: Vulnerabilities in IEC61850 Server / Telecontrol ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-044/
∗∗∗ Wago: Vulnerability in Smart Designer Web-Application ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-045/
∗∗∗ CODESYS: Multiple products affected by WIBU Codemeter vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-035/
∗∗∗ CODESYS: OS Command Injection Vulnerability in multiple CODESYS Control products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-066/
∗∗∗ Pilz: WIBU Vulnerability in multiple Products (Update A) ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-033/
∗∗∗ Pilz: Electron Vulnerabilities in PASvisu and PMI v8xx ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-059/
∗∗∗ Pilz: Multiple products prone to libwebp vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-048/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-339-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 01-12-2023 18:00 − Monday 04-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks ∗∗∗
---------------------------------------------
The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.
---------------------------------------------
https://thehackernews.com/2023/12/logofail-uefi-vulnerabilities-expose.html
∗∗∗ New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices.
---------------------------------------------
https://thehackernews.com/2023/12/new-p2pinfect-botnet-mips-variant.html
∗∗∗ Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs ∗∗∗
---------------------------------------------
Today, CISA, FBI, NSA, EPA, and INCD released a joint Cybersecurity Advisory (CSA), IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, in response to the active exploitation of Unitronics programmable logic controllers (PLCs) in multiple sectors.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/01/cisa-and-partners-releas…
∗∗∗ Phishing attacks: fraudsters abuse hotel booking platform booking.com ∗∗∗
---------------------------------------------
Using malware specialised in data theft, cybercriminals first attacked hotel employees and then sent fraudulent emails via Booking.
---------------------------------------------
https://www.heise.de/-9547507
∗∗∗ Update your iPhones! Apple fixes two zero-days in iOS ∗∗∗
---------------------------------------------
Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/12/update-your-iphones-apple-fi…
∗∗∗ PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin ∗∗∗
---------------------------------------------
The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The Phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE.
---------------------------------------------
https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-sca…
∗∗∗ Beware of fake Microsoft security warning ∗∗∗
---------------------------------------------
While browsing the internet, a security warning suddenly pops up: "Aus Sicherheitsgründen wurde das Gerät blockiert. Windows-Support Anrufen" ("For security reasons the device has been blocked. Call Windows Support"). In addition, a computer voice is played telling you that your credit card and Facebook data as well as personal data are being passed on to hackers. For technical support you are supposed to call a phone number.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschter-microsoft-…
∗∗∗ Zyxel warns of critical security vulnerabilities in NAS devices ∗∗∗
---------------------------------------------
Is anyone running a Zyxel NAS in their environment? The Taiwanese manufacturer has just warned of several vulnerabilities in the firmware of these devices. Three critical vulnerabilities allow an unauthenticated attacker to execute operating system commands on vulnerable NAS (network-attached storage) devices.
---------------------------------------------
https://www.borncity.com/blog/2023/12/02/zyxel-warnt-vor-kritischen-sicherh…
=====================
= Vulnerabilities =
=====================
∗∗∗ SQUID-2023:7 Denial of Service in HTTP Message Processing ∗∗∗
---------------------------------------------
Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing[..] This problem allows a remote attacker to perform Denial of Service when sending easily crafted HTTP Messages.
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9
∗∗∗ SQUID-2023:8 Denial of Service in Helper Process management ∗∗∗
---------------------------------------------
Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. [..] This problem allows a trusted client or remote server to perform a Denial of Service attack when the Squid proxy is under load.
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27
∗∗∗ SQUID-2023:9 Denial of Service in HTTP Collapsed Forwarding ∗∗∗
---------------------------------------------
Due to a Use-After-Free bug Squid is vulnerable to a Denial of Service attack against collapsed forwarding [..] This problem allows a remote client to perform Denial of Service attack on demand when Squid is configured with collapsed forwarding.
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5
∗∗∗ GitLab Security Release: 16.6.1, 16.5.3, 16.4.3 ∗∗∗
---------------------------------------------
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. CVE IDs: CVE-2023-6033, CVE-2023-6396, CVE-2023-3949, CVE-2023-5226, CVE-2023-5995, CVE-2023-4912, CVE-2023-4317, CVE-2023-3964, CVE-2023-4658, CVE-2023-3443
---------------------------------------------
https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1…
∗∗∗ Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call ∗∗∗
---------------------------------------------
Sonos Era 100 is a smart speaker released in 2023. A vulnerability exists in the U-Boot component of the firmware which would allow for persistent arbitrary code execution with Linux kernel privileges. This vulnerability could be exploited either by an attacker with physical access to the device, or by obtaining write access to the flash memory through a separate runtime vulnerability. [..] Sonos state an update was released on 2023-11-15 which remediated the issue.
---------------------------------------------
https://research.nccgroup.com/2023/12/04/technical-advisory-sonos-era-100-s…
∗∗∗ Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution ∗∗∗
---------------------------------------------
In this blog post, we detailed an Arbitrary File Upload vulnerability within the MW WP Form plugin affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 5.0.2 of the plugin. [..] CVE ID: CVE-2023-6316 / CVSS Score: 9.8 (Critical)
---------------------------------------------
https://www.wordfence.com/blog/2023/12/update-asap-critical-unauthenticated…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amanda, ncurses, nghttp2, opendkim, rabbitmq-server, and roundcube), Fedora (golang-github-openprinting-ipp-usb, kernel, kernel-headers, kernel-tools, and samba), Mageia (audiofile, galera, libvpx, and virtualbox), Oracle (kernel and postgresql:13), SUSE (openssl-3, optipng, and python-Pillow), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/953702/
∗∗∗ Ruckus Access Point vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN45891816/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 30-11-2023 18:00 − Friday 01-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ IT threat evolution Q3 2023 ∗∗∗
---------------------------------------------
Non-mobile statistics & Mobile statistics
---------------------------------------------
https://securelist.com/it-threat-evolution-q3-2023/111171/
∗∗∗ Skimming Credit Cards with WebSockets ∗∗∗
---------------------------------------------
In this post we’ll review what web sockets are, why they are beneficial to attackers to use in skimming attacks, and an analysis of several different web socket credit card skimmers that we’ve identified on compromised ecommerce websites.
---------------------------------------------
https://blog.sucuri.net/2023/11/skimming-credit-cards-with-websockets.html
∗∗∗ Cyber Resilience Act: EU agrees on rules for connected products ∗∗∗
---------------------------------------------
In future, vendors in the EU will have to provide security updates for a longer period, as a rule for five years.
---------------------------------------------
https://www.heise.de/-9545873
∗∗∗ Opening Critical Infrastructure: The Current State of Open RAN Security ∗∗∗
---------------------------------------------
The Open Radio Access Network (ORAN) architecture provides standardized interfaces and protocols to previously closed systems. However, our research on ORAN demonstrates the potential threat posed by malicious xApps that are capable of compromising the entire RAN Intelligent Controller (RIC) subsystem.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/l/the-current-state-of-open-ra…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple security updates and Rapid Security Responses ∗∗∗
---------------------------------------------
WebKit: CVE-2023-42916, CVE-2023-42917. Fixed in Safari 17.1.2, iOS 17.1.2 and iPadOS 17.1.2, and macOS Sonoma 14.1.2.
---------------------------------------------
https://support.apple.com/en-us/HT201222
∗∗∗ Multiple Vulnerabilities in Autodesk Desktop Licensing Service ∗∗∗
---------------------------------------------
Autodesk Desktop Licensing Service has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities could lead to code execution due to weak permissions. Autodesk Desktop Licensing Installer, libcurl: CVE-2023-38039, CVE-2023-28321, CVE-2023-38545
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0023
∗∗∗ VMware Cloud Director 10.5 GA Workaround for CVE-2023-34060 ∗∗∗
---------------------------------------------
VMware released VMware Cloud Director 10.5.1 on November 30th 2023. This version includes a fix for the authentication bypass vulnerability documented in VMSA-2023-0026.
---------------------------------------------
https://kb.vmware.com/s/article/95534
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, gimp-dds, horizon, libde265, thunderbird, vlc, and zbar), Fedora (java-17-openjdk and xen), Mageia (optipng, roundcubemail, and xrdp), Red Hat (postgresql), Slackware (samba), SUSE (chromium, containerd, docker, runc, libqt4, opera, python-django-grappelli, sqlite3, and traceroute), and Ubuntu (linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, and linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2).
---------------------------------------------
https://lwn.net/Articles/953512/
∗∗∗ Mattermost security updates 9.2.3 / 9.1.4 / 9.0.5 / 8.1.7 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.2.3, 9.1.4, 9.0.5, and 8.1.7 (Extended Support Release), for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-2-3-9-1-4-9-0-5-8…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 29-11-2023 18:00 − Thursday 30-11-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ FjordPhantom Android malware uses virtualization to evade detection ∗∗∗
---------------------------------------------
A new Android malware named FjordPhantom has been discovered using virtualization to run malicious code in a container and evade detection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fjordphantom-android-malware…
∗∗∗ TRAP; RESET; POISON; - Taking over a country, Kaminsky style ∗∗∗
---------------------------------------------
A technical look at manipulating the DNS name resolution of an entire country.
---------------------------------------------
https://sec-consult.com/de/blog/detail/uebernahme-eines-landes-nach-kaminsk…
∗∗∗ CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks ∗∗∗
---------------------------------------------
A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments.
---------------------------------------------
https://thehackernews.com/2023/11/cactus-ransomware-exploits-qlik-sense.html
∗∗∗ Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data ∗∗∗
---------------------------------------------
Zoom Rooms, the cloud-based video conferencing platform by Zoom, is making headlines due to a recently discovered vulnerability. This flaw poses a significant security risk as it enables attackers to seize control of a Zoom Room’s service account, gaining unauthorized access to the victim organization’s tenant.
---------------------------------------------
https://www.hackread.com/zoom-vulnerability-hackers-hijack-meetings-data/
∗∗∗ BLUFFS: New attacks endanger Bluetooth data security on billions of devices ∗∗∗
---------------------------------------------
A flaw in the Bluetooth protocol lets attackers force easy-to-crack keys and thereby break past as well as future data transmissions.
---------------------------------------------
https://www.heise.de/-9544862
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal: Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053 ∗∗∗
---------------------------------------------
The Xsendfile module enables fast transfer for private files in Drupal. In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-053
∗∗∗ Apache ActiveMQ: Multiple code execution vulnerabilities exploited by botnet operators ∗∗∗
---------------------------------------------
Meanwhile, the ActiveMQ project reports a new security vulnerability that can likewise be used to execute malicious code. The flaw is located in the deserialization routine of the Jolokia component, but requires authentication. While the ActiveMQ developers assume a medium severity, the BSI's warning and information service assigns a CVSS value of 8.8 and thus rates the severity as "high". CVE ID: CVE-2022-41678
---------------------------------------------
https://www.heise.de/-9544281
∗∗∗ MOVEit Transfer Service Pack (November 2023) ∗∗∗
---------------------------------------------
This article contains the details of the specific updates within the MOVEit Transfer November 2023 Service Pack. The Service Pack contains fixes for (2) newly disclosed CVEs described below. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. CVE IDs: CVE-2023-6217, CVE-2023-6218
---------------------------------------------
https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-Novem…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023) ∗∗∗
---------------------------------------------
Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
---------------------------------------------
https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, gnutls, gst-devtools, gstreamer1, gstreamer1-doc, libcap, mingw-poppler, python-gstreamer1, qbittorrent, webkitgtk, and xen), Mageia (docker, kernel-linus, and python-django), Oracle (dotnet6.0, dotnet7.0, dotnet8.0, firefox, samba, squid, and thunderbird), Red Hat (firefox, postgresql:13, squid, and thunderbird), SUSE (cilium, freerdp, java-1_8_0-ibm, and java-1_8_0-openj9), and Ubuntu (ec2-hibinit-agent, freerdp2, gimp, gst-plugins-bad1.0, openjdk-17, openjdk-21, openjdk-lts, openjdk-8, pypy3, pysha3, and u-boot-nezha).
---------------------------------------------
https://lwn.net/Articles/953379/
∗∗∗ [R1] Nessus Network Monitor 6.3.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Risk Factor: Critical, CVE ID: CVE-2023-5363, CVE-2021-23369, CVE-2021-23383, CVE-2018-9206
---------------------------------------------
https://www.tenable.com/security/tns-2023-43
∗∗∗ Zyxel security advisory for authentication bypass and command injection vulnerabilities in NAS products ∗∗∗
---------------------------------------------
Zyxel has released patches addressing an authentication bypass vulnerability and command injection vulnerabilities in NAS products. Users are advised to install them for optimal protection. CVEs: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/11/30/cisa-adds-two-known-expl…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ PTC KEPServerEx ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03
∗∗∗ Delta Electronics DOPSoft ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-01
∗∗∗ Mitsubishi Electric FA Engineering Software Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-04
∗∗∗ Yokogawa STARDOM ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-02
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 28-11-2023 18:00 − Wednesday 29-11-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability ∗∗∗
---------------------------------------------
The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat that's capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) [...]
---------------------------------------------
https://thehackernews.com/2023/11/gotitan-botnet-spotted-exploiting.html
∗∗∗ DJVU Ransomware's Latest Variant Xaro Disguised as Cracked Software ∗∗∗
---------------------------------------------
A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software. "While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demands ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers," [...]
---------------------------------------------
https://thehackernews.com/2023/11/djvu-ransomwares-latest-variant-xaro.html
∗∗∗ Okta Breach Impacted All Customer Support Users—Not 1 Percent ∗∗∗
---------------------------------------------
Okta upped its original estimate of customer support users affected by a recent breach from 1 percent to 100 percent, citing a “discrepancy.”
---------------------------------------------
https://www.wired.com/story/okta-breach-disclosure-all-customer-support-use…
∗∗∗ Scans for critical security vulnerability in ownCloud plugin ∗∗∗
---------------------------------------------
The vulnerability in the GraphAPI plugin can lead to the unintended disclosure of admin credentials. ownCloud admins should react quickly.
---------------------------------------------
https://www.heise.de/-9542895.html
∗∗∗ Security vulnerability: malicious code attacks on Solarwinds Platform possible ∗∗∗
---------------------------------------------
The Solarwinds developers have closed two vulnerabilities in their monitoring software.
---------------------------------------------
https://www.heise.de/-9543391.html
∗∗∗ New BLUFFS Bluetooth Attack Methods Can Have Large-Scale Impact: Researcher ∗∗∗
---------------------------------------------
An academic researcher demonstrates BLUFFS, six novel attacks targeting Bluetooth sessions’ forward and future secrecy.
---------------------------------------------
https://www.securityweek.com/new-bluffs-bluetooth-attacks-have-large-scale-…
∗∗∗ Deepfake videos with Armin Assinger lead to investment fraud! ∗∗∗
---------------------------------------------
Advertising videos with fraudulent content are currently circulating on Facebook, Instagram, TikTok and YouTube. In particular, Armin Assinger's face is being used for deepfakes. With the help of artificial intelligence (AI), words are put into Armin Assinger's mouth so that fraudulent investment platforms are advertised. Caution: do not follow these links, as any investment made there is lost!
---------------------------------------------
https://www.watchlist-internet.at/news/deepfake-videos-mit-armin-assinger-f…
∗∗∗ Spyware Employs Various Obfuscation Techniques to Bypass Static Analysis ∗∗∗
---------------------------------------------
A look at some deceptive tactics used by malware authors in an effort to evade analysis.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/spyware-…
∗∗∗ Exploitation of Unitronics PLCs used in Water and Wastewater Systems ∗∗∗
---------------------------------------------
CISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations [...]
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-…
∗∗∗ CISA Releases First Secure by Design Alert ∗∗∗
---------------------------------------------
Today, CISA published guidance on How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity as a part of a new Secure by Design (SbD) Alert series. This SbD Alert urges software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products using SbD principles: [...]
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/11/29/cisa-releases-first-secu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability ∗∗∗
---------------------------------------------
Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild. Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library.
---------------------------------------------
https://thehackernews.com/2023/11/zero-day-alert-google-chrome-under.html
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-331-01 Delta Electronics InfraSuite Device Master
* ICSA-23-331-02 Franklin Electric Fueling Systems Colibri
* ICSA-23-331-03 Mitsubishi Electric GX Works2
* ICSMA-23-331-01 BD FACSChorus
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/11/28/cisa-releases-four-indus…
∗∗∗ SolarWinds Platform 2023.4.2 Release Notes ∗∗∗
---------------------------------------------
SolarWinds Platform 2023.4.2 is a service release providing bug and security fixes for release 2023.4.
CVE-2023-40056: SQL Injection Remote Code Execution Vulnerability. Severity: 8.0 (high)
---------------------------------------------
https://documentation.solarwinds.com/en/success_center/orionplatform/conten…
∗∗∗ Arcserve Unified Data Protection Multiple Vulnerabilities ∗∗∗
---------------------------------------------
* CVE-2023-41998 - UDP Unauthenticated RCE
* CVE-2023-41999 - UDP Management Authentication Bypass
* CVE-2023-42000 - UDP Agent Unauthenticated Path Traversal File Upload
Solution: Upgrade to Arcserve UDP version 9.2 or later.
---------------------------------------------
https://www.tenable.com/security/research/tra-2023-37
∗∗∗ Security vulnerability in Hikvision cameras and NVRs allows unauthorized access ∗∗∗
---------------------------------------------
Various models from the Chinese manufacturer allowed attackers unauthorized access. Other brands are also affected; patches are available.
---------------------------------------------
https://www.heise.de/-9543336.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-bad1.0 and postgresql-multicorn), Fedora (golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, libcap, nats-server, openvpn, and python-geopandas), Mageia (kernel), Red Hat (c-ares, curl, fence-agents, firefox, kernel, kernel-rt, kpatch-patch, libxml2, pixman, postgresql, and tigervnc), SUSE (python-azure-storage-queue, python-Twisted, and python3-Twisted), and Ubuntu (afflib, ec2-hibinit-agent, linux-nvidia-6.2, linux-starfive-6.2, and poppler).
---------------------------------------------
https://lwn.net/Articles/953226/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 27-11-2023 18:00 − Tuesday 28-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a "severe design flaw" in Google Workspace's domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges.
---------------------------------------------
https://thehackernews.com/2023/11/design-flaw-in-google-workspace-could.html
∗∗∗ LostTrust Ransomware ∗∗∗
---------------------------------------------
The LostTrust ransomware family has a fairly small victim pool and has compromised victims earlier this year. The encryptor has similar characteristics to the MetaEncryptor ransomware family, including code flow and strings, which indicates that the encryptor is a variant of the original MetaEncryptor source.
---------------------------------------------
https://www.shadowstackre.com/analysis/losttrust
∗∗∗ Slovenian power company hit by ransomware ∗∗∗
---------------------------------------------
Slovenian power generation company Holding Slovenske Elektrarne (HSE) has been hit by ransomware and has had some of its data encrypted. The attack [...] HSE is a state-owned company that controls numerous hydroelectric, thermal and coal-fired power plants. The company has declined to share any details about the cyber intrusion, but has confirmed that operation of its power plants has not been affected.
---------------------------------------------
https://www.helpnetsecurity.com/2023/11/28/slovenian-power-company-ransomwa…
∗∗∗ Exploitation of Critical ownCloud Vulnerability Begins ∗∗∗
---------------------------------------------
Threat actors have started exploiting a critical ownCloud vulnerability leading to sensitive information disclosure.
---------------------------------------------
https://www.securityweek.com/exploitation-of-critical-owncloud-vulnerabilit…
∗∗∗ Webinar: Secure online shopping ∗∗∗
---------------------------------------------
Can I always return items, and how long do I have to do so? What is the right of withdrawal, and which payment methods are considered secure? This webinar gives legal tips and information on safe online shopping. Take part free of charge: Monday, 11 December 2023, 18:30 - 20:00 via zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-sicheres-online-shopping-2/
∗∗∗ Fraudulent platform for sports betting: xxwin.bet ∗∗∗
---------------------------------------------
xxwin.bet is a fraudulent online platform for sports betting. The platform is mostly recommended in dubious Telegram channels. If you deposit money there, you lose it, because the platform does not pay out any winnings.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-plattform-fuer-sportw…
=====================
= Vulnerabilities =
=====================
∗∗∗ Missing Certificate Validation & User Enumeration in Anveo Mobile App and Server ∗∗∗
---------------------------------------------
The Anveo Mobile App (Windows version) does not validate server certificates and therefore enables man-in-the-middle attacks. The Anveo Server is also vulnerable to user enumeration because of different error messages for existing vs. non-existing users. The vendor was unresponsive, did not reply to our communication attempts and even deleted our comment requesting a contact on LinkedIn; see the timeline section further below.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/missing-certificate-vali…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cryptojs, fastdds, mediawiki, and minizip), Fedora (chromium, kubernetes, and thunderbird), Mageia (lilypond, mariadb, and packages), Red Hat (firefox, linux-firmware, and thunderbird), SUSE (compat-openssl098, gstreamer-plugins-bad, squashfs, squid, thunderbird, vim, and xerces-c), and Ubuntu (libtommath, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, perl, and python3.8, python3.10, python3.11).
---------------------------------------------
https://lwn.net/Articles/953099/
∗∗∗ Critical Vulnerability Found in Ray AI Framework ∗∗∗
---------------------------------------------
Tracked as CVE-2023-48023, the bug exists because Ray does not properly enforce authentication on at least two of its components, namely the dashboard and client. A remote attacker can abuse this issue to submit or delete jobs without authentication. Furthermore, the attacker could retrieve sensitive information and execute arbitrary code, Bishop Fox says.
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-found-in-ray-ai-framewo…
∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and APs ∗∗∗
---------------------------------------------
CVEs: CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, CVE-2023-5960
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Joomla: [20231101] - Core - Exposure of environment variables ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/919-20231101-core-exposure…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ FESTO: Multiple products affected by WIBU Codemeter vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-036/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 24-11-2023 18:00 − Monday 27-11-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Atomic Stealer malware strikes macOS via fake browser updates ∗∗∗
---------------------------------------------
The ClearFake fake browser update campaign has expanded to macOS, targeting Apple computers with Atomic Stealer (AMOS) malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strik…
∗∗∗ EvilSlackbot: A Slack Attack Framework ∗∗∗
---------------------------------------------
To authenticate to the Slack API, each bot is assigned an API token that begins with xoxb or xoxp. More often than not, these tokens are leaked somewhere. When these tokens are exfiltrated during a Red Team exercise, it can be a pain to properly utilize them. Now EvilSlackbot is here to automate and streamline that process. You can use EvilSlackbot to send spoofed Slack messages, phishing links, files, and search for secrets leaked in Slack. [..] In addition to red teaming, EvilSlackbot has also been developed with Slack phishing simulations in mind.
---------------------------------------------
https://github.com/Drew-Sec/EvilSlackbot
∗∗∗ Scans for ownCloud Vulnerability (CVE-2023-49103), (Mon, Nov 27th) ∗∗∗
---------------------------------------------
Last week, ownCloud released an advisory disclosing a new vulnerability, CVE-2023-49103 [1]. The vulnerability will allow attackers to gain access to admin passwords. To exploit the vulnerability, the attacker will use the "graphapi" app to access the output of "phpinfo". If the ownCloud install runs in a container, it will allow access to admin passwords, mail server credentials, and license keys.
---------------------------------------------
https://isc.sans.edu/diary/rss/30432
∗∗∗ WordPress Vulnerability & Patch Roundup November 2023 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2023/11/wordpress-vulnerability-patch-roundup-novem…
∗∗∗ Experts Uncover Passive Method to Extract Private RSA Keys from SSH Connections ∗∗∗
---------------------------------------------
A new study has demonstrated that it's possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing naturally occurring computational faults that occur while the connection is being established. [..] The researchers described the method as a lattice-based key recovery fault attack, which allowed them to retrieve the private keys corresponding to 189 unique RSA public keys that were subsequently traced to devices from four manufacturers: Cisco, Hillstone Networks, Mocana, and Zyxel.
---------------------------------------------
https://thehackernews.com/2023/11/experts-uncover-passive-method-to.html
∗∗∗ A billion insecure websites … Don't forget the shower mat! ∗∗∗
---------------------------------------------
Risks inflated in advertising serve the sale of security products more than security itself. On the contrary, they are often harmful to it.
---------------------------------------------
https://www.heise.de/meinung/Eine-Milliarde-unsichere-Webseiten-Vergessen-S…
∗∗∗ BSI and other cybersecurity authorities publish AI guidelines ∗∗∗
---------------------------------------------
The BSI publishes guidelines for secure AI systems in cooperation with partner authorities from the United Kingdom and the USA.
---------------------------------------------
https://www.heise.de/news/BSI-und-weitere-Cybersicherheitsbehoerden-veroeff…
∗∗∗ Free Micropatches For Microsoft Access Forced Authentication Through Firewall (0day) ∗∗∗
---------------------------------------------
On November 9, 2023, Check Point Research published an article about an "information disclosure" / "forced authentication" vulnerability in Microsoft Access that allows an attacker to obtain the victim's NTLM hash by having them open a Microsoft Office document (docx, rtf, accdb, etc.) with an embedded Access database.
---------------------------------------------
https://blog.0patch.com/2023/11/free-micropatches-for-microsoft-access.html
∗∗∗ Beware of fake shops for skins ∗∗∗
---------------------------------------------
The online shop fngalaxy.de offers skins and accounts for Fortnite. "Renegade Raider", "OG Ghoul Trooper" or "Black Knight" are offered there at a discount. However, we advise against ordering, as you can only pay with a Paysafecard or Amazon code and will not receive your order.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-fuer-skins/
∗∗∗ Warning about fraudulent emails in the name of Finanz Online ∗∗∗
---------------------------------------------
The deceptively genuine-looking emails link to a fake website on which the victims are then supposed to enter their bank details.
---------------------------------------------
https://www.derstandard.at/story/3000000197015/warnung-betrugs-mails-finanz…
∗∗∗ LKA warning about fake Temu notifications ∗∗∗
---------------------------------------------
The Lower Saxony State Criminal Police Office (Landeskriminalamt Niedersachsen) recently issued a warning concerning customers of the Chinese discount mail-order retailer Temu. Fraudsters try to get recipients to disclose personal information under false pretenses, in the form of a purported Temu notification. Here is a brief overview [..]
---------------------------------------------
https://www.borncity.com/blog/2023/11/26/lka-warnung-vor-geflschten-temu-be…
∗∗∗ Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604) ∗∗∗
---------------------------------------------
While monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) has discovered the attack case in which the group is assumed to be exploiting Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware.
---------------------------------------------
https://asec.ahnlab.com/en/59318/
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2023-34053, CVE-2023-34055: Spring Framework and Spring Boot vulnerabilities ∗∗∗
---------------------------------------------
The Spring Framework 6.0.14 release shipped on November 16th includes a fix for CVE-2023-34053. The Spring Boot 2.7.18 release shipped on November 23rd includes fixes for CVE-2023-34055. Users are encouraged to update as soon as possible.
---------------------------------------------
https://spring.io/blog/2023/11/27/cve-2023-34053-cve-2023-34055-spring-fram…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (freeimage, gimp, gst-plugins-bad1.0, node-json5, opensc, python-requestbuilder, reportbug, strongswan, symfony, thunderbird, and tiff), Fedora (chromium, galera, golang, kubernetes, mariadb, python-asyncssh, thunderbird, vim, and webkitgtk), Gentoo (AIDE, Apptainer, GLib, GNU Libmicrohttpd, Go, GRUB, LibreOffice, MiniDLNA, multipath-tools, Open vSwitch, phpMyAdmin, QtWebEngine, and RenderDoc), Slackware (vim), SUSE (gstreamer-plugins-bad, java-1_8_0-ibm, openvswitch, poppler, slurm, slurm_22_05, slurm_23_02, sqlite3, vim, webkit2gtk3, and xrdp), and Ubuntu (openvswitch and thunderbird).
---------------------------------------------
https://lwn.net/Articles/952923/
∗∗∗ MISP 2.4.179 released with a host of improvements, a security fix and some new tooling. ∗∗∗
---------------------------------------------
MISP 2.4.179 released with a host of improvements, a security fix and some new tooling. First baby steps taken towards LLM integration.
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.179
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 23-11-2023 18:00 − Friday 24-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Building your first metasploit exploit ∗∗∗
---------------------------------------------
This post outlines the process I followed to transform the authenticated Remote Code Execution (RCE) vulnerability in PRTG, identified as CVE-2023-32781, into a Metasploit exploit. The focus here is on the development of the exploit itself, rather than the steps for exploiting the RCE. For specific details on the vulnerability, please refer to the corresponding post titled PRTG Remote Code Execution.
---------------------------------------------
https://baldur.dk/blog/writing-metasploit-exploit.html
∗∗∗ OpenSSL 3.2 implements TCP successor QUIC ∗∗∗
---------------------------------------------
The QUIC transport protocol is gaining momentum with OpenSSL: the open-source cryptographic library implements it in the new version 3.2, at least partially.
---------------------------------------------
https://www.heise.de/-9538866.html
∗∗∗ Synology closes Pwn2Own vulnerability in Router Manager firmware ∗∗∗
---------------------------------------------
At the Pwn2Own competition, IT researchers uncovered security vulnerabilities in the operating system for Synology routers. An update closes them.
---------------------------------------------
https://www.heise.de/-9538922.html
∗∗∗ Telekopye: Chamber of Neanderthals’ secrets ∗∗∗
---------------------------------------------
Insight into groups operating Telekopye bots that scam people in online marketplaces
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/telekopye-chamber-neanderth…
∗∗∗ Atomic Stealer: Mac malware deceives users with purported browser updates ∗∗∗
---------------------------------------------
The cybercriminals offer the updates via compromised websites. Among other things, Atomic Stealer targets passwords stored in Apple iCloud Keychain.
---------------------------------------------
https://www.zdnet.de/88413104/atomic-stealer-mac-malware-taeuscht-nutzer-mi…
∗∗∗ Trend Micro Apex One Service Pack 1 Critical Patch (build 12534) ∗∗∗
---------------------------------------------
A short note for users of Trend Micro Apex One for Windows. The vendor has released the Critical Patch (build 12534) for Service Pack 1 (thanks to the reader for the tip). This patch contains a number of fixes and enhancements [...]
---------------------------------------------
https://www.borncity.com/blog/2023/11/23/trend-micro-apex-one-service-pack-…
∗∗∗ Intel Arc and Iris Xe graphics driver 31.0.101.4972 fixes Office problems (Nov. 2023) ∗∗∗
---------------------------------------------
Another small addendum from this week, which I am pulling out separately. Intel has released an update of its Intel Arc and Iris Xe graphics drivers to version 31.0.101.4972. This update is supposed to fix a number of problems (e.g. with Starfield (DX12)).
---------------------------------------------
https://www.borncity.com/blog/2023/11/24/intel-arc-und-iris-xe-grafiktreibe…
=====================
= Vulnerabilities =
=====================
∗∗∗ Advisory: TunnelCrack Vulnerabilities in VPN Clients ∗∗∗
---------------------------------------------
CVE(s): CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, CVE-2023-36671
Product(s): Sophos Connect Client 2.0
Workaround: Yes
---------------------------------------------
https://www.sophos.com/en-us/security-advisories/sophos-sa-20231124-tunnelc…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023) ∗∗∗
---------------------------------------------
Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 [...]
---------------------------------------------
https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, gnutls28, intel-microcode, and tor), Fedora (chromium, microcode_ctl, openvpn, and vim), Gentoo (LinuxCIFS utils, SQLite, and Zeppelin), Oracle (c-ares, container-tools:4.0, dotnet7.0, kernel, kernel-container, nodejs:20, open-vm-tools, squid:4, and tigervnc), Red Hat (samba and squid), Slackware (mozilla), SUSE (fdo-client, firefox, libxml2, maven, maven-resolver, sbt, xmvn, poppler, python-Pillow, squid, strongswan, and xerces-c), and Ubuntu (apache2, firefox, glusterfs, nghttp2, poppler, python2.7, python3.5, python3.6, tiff, and zfs-linux).
---------------------------------------------
https://lwn.net/Articles/952602/
∗∗∗ ActiveMQ-5.18.2 RCE-shell-reverse-Metasploit ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023110026