Daily

daily@lists.cert.at

1 participants
3149 discussions

Tageszusammenfassung - 22.11.2023
by Daily end-of-shift report 22 Nov '23

22 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-11-2023 18:00 − Mittwoch 22-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ HrServ – Previously unknown web shell used in APT attack ∗∗∗ --------------------------------------------- In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021. --------------------------------------------- https://securelist.com/hrserv-apt-web-shell/111119/ ∗∗∗ ClearFake Campaign Expands to Deliver Atomic Stealer on Macs Systems ∗∗∗ --------------------------------------------- The macOS information stealer known as Atomic is now being delivered to target via a bogus web browser update chain tracked as ClearFake."This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes Jérôme Segura said in a Tuesday analysis. --------------------------------------------- https://thehackernews.com/2023/11/clearfake-campaign-expands-to-deliver.html ∗∗∗ Lumma malware can allegedly restore expired Google auth cookies ∗∗∗ --------------------------------------------- The Lumma information-stealer malware (aka LummaC2) is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. [..] This new feature allegedly introduced in recent Lumma releases is yet to be verified by security researchers or Google, so whether or not it works as advertised remains uncertain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lumma-malware-can-allegedly-… ∗∗∗ Windows Hello Fingerprint Authentication Bypassed on Popular Laptops ∗∗∗ --------------------------------------------- Researchers have tested the fingerprint sensors used for Windows Hello on three popular laptops and managed to bypass them. --------------------------------------------- https://www.securityweek.com/windows-hello-fingerprint-authentication-bypas… ∗∗∗ „Ich möchte meine Bankdaten ändern“: Dieses Mail an die Personalabteilung könnte Betrug sein ∗∗∗ --------------------------------------------- Kriminelle geben sich als Mitarbeiter:innen Ihres Unternehmens aus und bitten um Änderung Ihrer Bankdaten für die Gehaltsüberweisung. Wird das E-Mail nicht als Fake erkannt, wird das Gehalt der jeweiligen Mitarbeiter:innen auf das Bankkonto von Kriminellen überwiesen. Wir zeigen Ihnen, woher Kriminelle die Daten kennen und wie Sie sich schützen. --------------------------------------------- https://www.watchlist-internet.at/news/ich-moechte-meine-bankdaten-aendern-… ∗∗∗ The Ticking Supply Chain Attack Bomb of Exposed Kubernetes Secrets ∗∗∗ --------------------------------------------- Exposed Kubernetes secrets pose a critical threat of supply chain attack. Aqua Nautilus researchers found that the exposed Kubernetes secrets of hundreds of organizations and open-source projects allow access to sensitive environments in the Software Development Life Cycle (SDLC) and open a severe supply chain attack threat. Among the companies were SAP’s Artifacts management system with over 95 million, two top blockchain companies, and various other fortune-500 companies. --------------------------------------------- https://blog.aquasec.com/the-ticking-supply-chain-attack-bomb-of-exposed-ku… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in m-privacy TightGate-Pro ∗∗∗ --------------------------------------------- There are several vulnerabilities in the server which enables attackers to view the VNC sessions of other users, infect the VNC session with keyloggers and start internal phishing attacks. Additionally, a TightGate-Pro administrator can push malicious PDFs to the endpoint of the user. Furthermore, the update servers which are only reachable via an SSH-tunnel are severely outdated (2003). CVEs: CVE-2023-47250, CVE-2023-47251 --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Several Critical Vulnerabilities including Privilege Escalation, Authentication Bypass, and More Patched in UserPro WordPress Plugin ∗∗∗ --------------------------------------------- On May 1, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for multiple high and critical severity vulnerabilities we discovered in Kirotech’s UserPro plugin, which is actively installed on more than 20,000 WordPress websites [..] We made an initial attempt to contact Kirotech, the vendor of UserPro, on May 1, 2023, but we did not receive a response until May 10, 2023, after many additional attempts. After providing full disclosure details, the developer released the first patch on July 27, 2023, and the final patch on October 31, 2023. --------------------------------------------- https://www.wordfence.com/blog/2023/11/several-critical-vulnerabilities-inc… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gimp), Fedora (audiofile and firefox), Mageia (postgresql), Red Hat (binutils, c-ares, fence-agents, glibc, kernel, kernel-rt, kpatch-patch, libcap, libqb, linux-firmware, ncurses, pixman, python-setuptools, samba, and tigervnc), Slackware (kernel and mozilla), SUSE (apache2-mod_jk, avahi, container-suseconnect, java-1_8_0-openjdk, libxml2, openssl-1_0_0, openssl-1_1, openvswitch, python3-setuptools, strongswan, ucode-intel, and util-linux), and Ubuntu (frr, gnutls28, hibagent, linux, linux-aws, linux-aws-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-oem-6.1, mosquitto, rabbitmq-server, squid, and tracker-miners). --------------------------------------------- https://lwn.net/Articles/952312/ ∗∗∗ Mozilla Releases Security Updates for Firefox and Thunderbird ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/22/mozilla-releases-securit… ∗∗∗ Fix for BIRT Report Engine that is vulnerable due to nested jtidy.jar r938 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081112 ∗∗∗ Vulnerability in Apache HTTP Server affects IBM HTTP Server used by IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081354 ∗∗∗ IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081403 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.11.2023
by Daily end-of-shift report 21 Nov '23

21 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 20-11-2023 18:00 − Dienstag 21-11-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits ∗∗∗ --------------------------------------------- The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits."Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the hosts resources to mine cryptocurrencies like Bitcoin, [..] --------------------------------------------- https://thehackernews.com/2023/11/kinsing-hackers-exploit-apache-activemq.h… ∗∗∗ How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography ∗∗∗ --------------------------------------------- Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them. --------------------------------------------- https://thehackernews.com/2023/11/how-multi-stage-phishing-attacks.html ∗∗∗ Gefälschte Zeitungsartikel bewerben betrügerische Investment-Angebote ∗∗∗ --------------------------------------------- Kriminelle fälschen Webseiten von Medien wie oe24 und ORF und füllen diese mit Fake-News. In den gefälschten Artikeln wird eine Möglichkeit beworben, wie man schnell reich wird. Angeblich geben Christoph Grissemann, Miriam Weichselbraun oder Armin Assinger Investitionstipps und erklären, dass jeder Mensch mit nur 250 Euro in wenigen Monaten eine Million machen kann. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-zeitungsartikel-bewerben… ∗∗∗ CISA, FBI, MS-ISAC, and ASD’s ACSC Release Advisory on LockBit Affiliates Exploiting Citrix Bleed ∗∗∗ --------------------------------------------- Today, the (CISA), (FBI), (MS-ISAC), and Australian (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: LockBit Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (along with an accompanying analysis report MAR-10478915-1.v1 Citrix Bleed), in response to LockBit 3.0 ransomware affiliates and multiple threat actor groups exploiting CVE-2023-4966. Labeled Citrix Bleed, the vulnerability affects Citrix’s NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/21/cisa-fbi-ms-isac-and-asd… ===================== = Vulnerabilities = ===================== ∗∗∗ Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets ∗∗∗ --------------------------------------------- Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underlying operating system, and configure central config server settings. CVE Identifiers: CVE-2023-44353, CVE-2023-29300, CVE-2023-38203, CVE-2023-38204 --------------------------------------------- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusio… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (activemq, strongswan, and wordpress), Mageia (u-boot), SUSE (avahi, frr, libreoffice, nghttp2, openssl, openssl1, postgresql, postgresql15, postgresql16, python-Twisted, ucode-intel, and xen), and Ubuntu (avahi, hibagent, nodejs, strongswan, tang, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/952088/ ∗∗∗ Synology-SA-23:16 SRM (PWN2OWN 2023) ∗∗∗ --------------------------------------------- The vulnerabilities allow man-in-the-middle attackers to execute arbitrary code or access intranet resources via a susceptible version of Synology Router Manager (SRM).A vulnerability reported by PWN2OWN 2023 has been addressed. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_16 ∗∗∗ [nextcloud]: Server-Side Request Forgery (SSRF) in Mail app ∗∗∗ --------------------------------------------- An attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4… ∗∗∗ [nextcloud]: DNS pin middleware can be tricked into DNS rebinding allowing SSRF ∗∗∗ --------------------------------------------- The DNS pin middleware was vulnerable to DNS rebinding allowing an attacker to perform SSRF as a final result. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ [nextcloud]: user_ldap app logs user passwords in the log file on level debug ∗∗∗ --------------------------------------------- When the log level was set to debug the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users' passwords would be leaked. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3… ∗∗∗ [nextcloud]: Can enable/disable birthday calendar for any user ∗∗∗ --------------------------------------------- An attacker could enable and disable the birthday calendar for any user on the same server. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ [nextcloud]: Admins can change authentication details of user configured external storage ∗∗∗ --------------------------------------------- It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2… ∗∗∗ [nextcloud]: Self XSS when pasting HTML into Text app with Ctrl+Shift+V ∗∗∗ --------------------------------------------- When a user is tricked into copy pasting HTML code without markup (Ctrl+Shift+V) the markup will actually render. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p… ∗∗∗ [nextcloud]: HTML injection in search UI when selecting a circle with HTML in the display name ∗∗∗ --------------------------------------------- An attacker could insert links into circles name that would be opened when clicking the circle name in a search filter. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w… ∗∗∗ [nextcloud]: Users can make external storage mount points inaccessible for other users ∗∗∗ --------------------------------------------- A malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f… ∗∗∗ Zyxel security advisory for out-of-bounds write vulnerability in SecuExtender SSL VPN Client software ∗∗∗ --------------------------------------------- The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software could allow a local authenticated user to gain a privilege escalation by sending a crafted CREATE message. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ WAGO: Remote Code execution vulnerability in managed Switches ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-037/ ∗∗∗ PHOENIX CONTACT: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-062/ ∗∗∗ Multiple vulnerabilities on [Bosch Rexroth] ctrlX HMI / WR21 ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-175607.html ∗∗∗ IBM Sterling B2B Integrator is affected by vulnerability in JDOM (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080105 ∗∗∗ IBM Sterling B2B Integrator dashboard is vulnerable to cross-site request forgery (CVE-2022-35638) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080104 ∗∗∗ IBM Sterling B2B Integrator affected by FasterXML Jackson-data vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080107 ∗∗∗ IBM Sterling B2B Integrator affected by XStream security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080106 ∗∗∗ IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080117 ∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080118 ∗∗∗ Multiple security vulnerabilities have been identified in DB2 JDBC driver shipped with IBM Tivoli Business Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080122 ∗∗∗ There is an Apache vulnerability in Liberty used by the IBM Maximo Manage application in the IBM Maximo Application Suite (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080157 ∗∗∗ There is a vulnerability in jetty-http-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080156 ∗∗∗ There is a vulnerability in jetty-server-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080155 ∗∗∗ Multiple security vulnerabilities in Snake YAML affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080177 ∗∗∗ IBM Sterling B2B Integrator affected by remote code execution due to Snake Yaml (CVE-2022-1471) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080174 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-25682) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080172 ∗∗∗ IBM Sterling B2B Integrator is affected by sensitive information exposure due to Apache James MIME4J (CVE-2022-45787) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080175 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080176 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.11.2023
by Daily end-of-shift report 20 Nov '23

20 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-11-2023 18:00 − Montag 20-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit for CrushFTP RCE chain released, patch now ∗∗∗ --------------------------------------------- A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-cha… ∗∗∗ Lumma Stealer malware now uses trigonometry to evade detection ∗∗∗ --------------------------------------------- The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software - the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lumma-stealer-malware-now-us… ∗∗∗ Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits ∗∗∗ --------------------------------------------- The Kinsing malware operator is actively exploiting the CVE-2023-46604 critical vulnerability in the Apache ActiveMQ open-source message broker to compromise Linux systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kinsing-malware-exploits-apa… ∗∗∗ New "Agent Tesla" Variant: Unusual "ZPAQ" Archive Format Delivers Malware ∗∗∗ --------------------------------------------- A new variant of Agent Tesla uses the uncommon compression format ZPAQ to steal information from approximately 40 web browsers and various email clients. But what exactly is this file compression format? What advantage does it provide to threat actors? And why it is assumed that the version of Agent Tesla is “new”? --------------------------------------------- https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq ∗∗∗ DarkGate and PikaBot Malware Resurrect QakBots Tactics in New Phishing Attacks ∗∗∗ --------------------------------------------- Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan. “These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery,” Cofense said in a report [...] --------------------------------------------- https://thehackernews.com/2023/11/darkgate-and-pikabot-malware-resurrect.ht… ∗∗∗ NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors ∗∗∗ --------------------------------------------- Threat actors are targeting the education, government and business services sectors with a remote access trojan called NetSupport RAT. "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns," VMware Carbon Black researchers said in a report [...] --------------------------------------------- https://thehackernews.com/2023/11/netsupport-rat-infections-on-rise.html ∗∗∗ Visual Studio Code Security: Markdown Vulnerabilities in Third-Party Extensions ∗∗∗ --------------------------------------------- In this blog post, we present code vulnerabilities we found in GitLens (27 million installs) and GitHub Pull Requests and Issues (15 million installs). We will first give some background on VSCode internals, then explain the vulnerable portions of the code, and finally show how these issues can be prevented. --------------------------------------------- https://www.sonarsource.com/blog/vscode-security-markdown-vulnerabilities-i… ∗∗∗ Xen Project Releases Version 4.18 with New Security, Performance, and Architecture Enhancements for AI/ML Applications ∗∗∗ --------------------------------------------- The Xen Project, an open source hypervisor hosted at the Linux Foundation, today announced the release of Xen Project Hypervisor 4.18 with architecture enhancements for High Performance Computing (HPC) and Machine Learning (ML) applications, as well as higher security and performance features. --------------------------------------------- https://xenproject.org/2023/11/20/xen-project-releases-version-4-18-with-ne… ∗∗∗ How to perform basic digital forensics on a Windows computer ∗∗∗ --------------------------------------------- Digital forensics is a critical field in the investigation of cybercrimes, data breaches, and other digital incidents. As our reliance on computers continues to grow, the need for skilled digital forensics professionals is more crucial than ever. In this guide, we will explore the basics of performing digital [...] --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/how-to-perform-basi… ===================== = Vulnerabilities = ===================== ∗∗∗ Updates für Trellix ePolicy Orchestrator schließen Sicherheitslücken ∗∗∗ --------------------------------------------- Trellix, Nachfolger von McAfee und FireEye, hat den ePolicy Orchestrator aktualisiert. Das Update schließt etwa eine hochriskant eingestufte Schwachstelle. --------------------------------------------- https://www.heise.de/-9533816.html ∗∗∗ Synology schließt kritische Firmware-Lücke in Überwachungskameras ∗∗∗ --------------------------------------------- Angreifer können eigenen Code auf Überwachungskameras von Synology ausführen. --------------------------------------------- https://www.heise.de/-9534072.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freerdp2, lwip, netty, and wireshark), Fedora (dotnet6.0, dotnet7.0, golang, gst-devtools, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, gstreamer1-vaapi, podman-tui, prometheus-podman-exporter, python-gstreamer1, syncthing, and tigervnc), Mageia (chromium-browser-stable, haproxy, and tigervnc), Oracle (curl, ghostscript, microcode_ctl, nghttp2, open-vm-tools, samba, and squid), SUSE (gcc13, postgresql14, and yt-dlp), and Ubuntu (iniparser). --------------------------------------------- https://lwn.net/Articles/951999/ ∗∗∗ Schwachstelle CVE-2023-46302 in Apache Submarine ∗∗∗ --------------------------------------------- In Apache Submarine gibt es eine kritische Remote Code Execution-Schwachstelle CVE-2023-46302. Die Schwachstelle rührt von einer Sicherheitslücke in snakeyaml (CVE-2022-1471) her und gefährdet Apache Submarine-Benutzer, da Angreifer beliebigen Code auf verwundbaren Systemen ausführen können. --------------------------------------------- https://www.borncity.com/blog/2023/11/20/schwachstelle-cve-2023-46302-in-ap… ∗∗∗ Multiple vulnerabilities in LuxCal Web Calendar ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN15005948/ ∗∗∗ WAGO: Improper privilege management in web-based management ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-015/ ∗∗∗ [R1] Security Center Version 6.2.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-42 ∗∗∗ CVE-2022-41713 An issue was discovered in deep-object-diff version 1.1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079403 ∗∗∗ CVE-2022-24434 An issue was discovered in the npm package dicer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079460 ∗∗∗ Vulnerability in d3-color affects IBM UrbanCode Velocity . WS-2022-0322 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079484 ∗∗∗ IBM Storage Protect for Virtual Environments is vulnerable to arbitrary code execution, sensitive information disclosure, and denial of service due to CVEs in Apache Velocity, Apache Jena, and XStream (woodstox) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079947 ∗∗∗ QRadar Suite Software includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080058 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Go HTML injection vulnerabilitiy [CVE-2023-24539] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080057 ∗∗∗ IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to libcurl and cURL. (CVE-2023-38546, CVE-2023-38545) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7076344 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2023
by Daily end-of-shift report 17 Nov '23

17 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-11-2023 18:00 − Freitag 17-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ MySQL servers targeted by Ddostf DDoS-as-a-Service botnet ∗∗∗ --------------------------------------------- MySQL servers are being targeted by the Ddostf malware botnet to enslave them for a DDoS-as-a-Service platform whose firepower is rented to other cybercriminals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mysql-servers-targeted-by-dd… ∗∗∗ Beyond -n: Optimizing tcpdump performance, (Thu, Nov 16th) ∗∗∗ --------------------------------------------- If you ever had to acquire packets from a network, you probably used tcpdump. Other tools (Wireshark, dumpcap, snort...) can do the same thing, but none is as widely used as tcpdump. tcpdump is simple to use, fast, and universally available (and free!). --------------------------------------------- https://isc.sans.edu/diary/rss/30408 ∗∗∗ Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware ∗∗∗ --------------------------------------------- Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER. --------------------------------------------- https://thehackernews.com/2023/11/beware-malicious-google-ads-trick.html ∗∗∗ Understanding the Phobos affiliate structure and activity ∗∗∗ --------------------------------------------- Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common variants --------------------------------------------- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-struc… ∗∗∗ ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims ∗∗∗ --------------------------------------------- Researchers noted that ALPHV/BlackCat threat actors gain initial access to their target’s IT networks through three methods. These include exploiting stolen or compromised login credentials to gain unauthorized access, exploiting vulnerabilities in remote management/monitoring tools to access IT systems, and browser-based attacks in which users are tricked into visiting malicious websites that deliver malware or malicious links in emails or social media posts. --------------------------------------------- https://www.hackread.com/alphv-blackcat-ransomware-gang-google-ads/ ∗∗∗ CISA Releases The Mitigation Guide: Healthcare and Public Health (HPH) Sector ∗∗∗ --------------------------------------------- Today, CISA released the Mitigation Guide: Healthcare and Public Health (HPH) Sector as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/17/cisa-releases-mitigation… ===================== = Vulnerabilities = ===================== ∗∗∗ Bildbearbeitung: Angreifer können Gimp Schadcode unterjubeln ∗∗∗ --------------------------------------------- Die freie Open-Source-Bildbearbeitung Gimp ist in Version 2.10.36 erschienen. Sie schließt Sicherheitslücken, die Codeschmuggel erlauben. --------------------------------------------- https://www.heise.de/news/Bildbearbeitung-Angreifer-koennen-Gimp-Schadcode-… ∗∗∗ FortiNet flickt schwere Sicherheitslücken in FortiOS und anderen Produkten ∗∗∗ --------------------------------------------- Neben FortiOS und FortiClient sind auch FortiSIEM, FortiWLM und weitere von zum Teil kritischen Security-Fehlern betroffen. Admins sollten patchen. --------------------------------------------- https://www.heise.de/news/FortiNet-flickt-schwere-Sicherheitsluecken-in-For… ∗∗∗ Anonymisierendes Linux: Tails 5.19.1 behebt Tor-Lücke, Audit-Ergebnisse sind da ∗∗∗ --------------------------------------------- Ein offenbar aus der Ferne ausnutzbarer Bug in Tor führte zum neuerlichen Update. Die Ergebnisse der kürzlichen Sicherheitsprüfung hingegen sind positiv. --------------------------------------------- https://www.heise.de/news/Anonymisierendes-Linux-Tails-5-19-1-behebt-Tor-Lu… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (microcode_ctl, pack, and tigervnc), Slackware (gimp), SUSE (frr, gcc13, go1.20, go1.20-openssl, go1.21, go1.21-openssl, libnbd, libxml2, python-Pillow, python-urllib3, and xen), and Ubuntu (intel-microcode and openvpn). --------------------------------------------- https://lwn.net/Articles/951801/ ∗∗∗ Over a Dozen Exploitable Vulnerabilities Found in AI/ML Tools ∗∗∗ --------------------------------------------- Since August 2023, members of the Huntr bug bounty platform for artificial intelligence (AI) and machine learning (ML) have uncovered over a dozen vulnerabilities exposing AI/ML models to system takeover and sensitive information theft. Identified in tools with hundreds of thousands or millions of downloads per month, such as H2O-3, MLflow, and Ray, these issues potentially impact the entire AI/ML supply chain --------------------------------------------- https://www.securityweek.com/over-a-dozen-exploitable-vulnerabilities-found… ∗∗∗ [R1] Nessus Agent Version 10.4.4 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated attacker with privileges on the managing application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-41 ∗∗∗ [R1] Nessus Version 10.6.3 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-40 ∗∗∗ [R1] Nessus Version 10.5.7 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-39 ∗∗∗ Juniper Releases Security Advisory for Juniper Secure Analytics ∗∗∗ --------------------------------------------- Juniper released a security advisory to address multiple vulnerabilities affecting Juniper Secure Analytics. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the Juniper advisory JSA74298 and apply the necessary updates. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/17/juniper-releases-securit… ∗∗∗ ZDI-23-1716: Luxion KeyShot Viewer KSP File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1716/ ∗∗∗ SVD-2023-1107: November 2023 Splunk Universal Forwarder Third-Party Updates ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1107 ∗∗∗ SVD-2023-1106: November 2023 Third-Party Package Updates in Splunk Enterprise ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1106 ∗∗∗ SVD-2023-1105: November 2023 Third Party Package updates in Splunk Enterprise ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1105 ∗∗∗ SVD-2023-1104: Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1104 ∗∗∗ SVD-2023-1103: Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1103 ∗∗∗ SVD-2023-1102: Third Party Package Update in Splunk Add-on for Google Cloud Platform ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1102 ∗∗∗ SVD-2023-1101: Third Party Package Update in Splunk Add-on for Amazon Web Services ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1101 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077733 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Apache Ivy information disclosure vulnerabilitiy [CVE-2023-46751] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077734 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077736 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to snappy-java information disclosure vulnerabilitiy [CVE-2023-43642] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077735 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077739 ∗∗∗ IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070736 ∗∗∗ IBM Storage Fusion may be vulnerable to Unauthorized requests (SSRF), Improper path traversal, via k8s.io\/apimachinery, k8s.io\/apiserver (CVE-2022-3172, CVE-2022-3162) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077936 ∗∗∗ InfoSphere Information Server is vulnerable due to improper access control (CVE-2023-40363) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070742 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070740 ∗∗∗ IBM Storage Fusion may be vulnerable to Denial of Service via use of golang.org\/x\/net, x\/crypto, and x\/text (CVE-2022-30633, CVE-2022-27664, CVE-2022-28131, CVE-2022-41721, CVE-2021-43565, CVE-2022-27191, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077942 ∗∗∗ IBM Planning Analytics is affected by vulnerabilities in IBM Java, IBM Websphere Application Server Liberty and IBM GSKit ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070140 ∗∗∗ IBM Storage Fusion may be vulnerable to Denial of Service via use of openshift\/machine-api-operator, openshift\/machine-config-operator (CVE-2020-28851, CVE-2020-28852, CVE-2021-44716) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077938 ∗∗∗ IBM Storage Fusion may be vulnerable to Injection, Regular Expression Denial of Service (ReDoS), and Arbitrary Code Execution and via use of postcss, semver, babel-traverse (CVE-2023-45133, CVE-2022-25883, CVE-2023-44270) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077947 ∗∗∗ Java SE issues disclosed in the Oracle October 2023 Critical Patch Update plus CVE-2023-5676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078433 ∗∗∗ IBM Security SOAR is using a component with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7063706 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to libcurl vulnerabilities (CVE-2023-38546, CVE-2023-38545) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077530 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957156 ∗∗∗ Watson Machine Learning Accelerator on Cloud Pak for Data is affected by multiple vulnerabilities in Grafana ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078751 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078745 ∗∗∗ Red Lion Sixnet RTUs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.11.2023
by Daily end-of-shift report 16 Nov '23

16 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-11-2023 18:00 − Donnerstag 16-11-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups ∗∗∗ --------------------------------------------- A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens. --------------------------------------------- https://thehackernews.com/2023/11/zero-day-flaw-in-zimbra-email-software.ht… ∗∗∗ Deep Dive: Learning from Okta – the hidden risk of HAR files ∗∗∗ --------------------------------------------- HAR is short for HTTP Archive, and it’s a way of saving full details of the high-level network traffic in a web browsing session, usually for development, debugging, or testing purposes. --------------------------------------------- https://pducklin.com/2023/11/14/deep-dive-learning-from-okta-the-hidden-ris… ∗∗∗ Fake-Shops locken mit Black-Friday-Angeboten ∗∗∗ --------------------------------------------- Rund um den Blackfriday lässt sich das ein oder andere Schnäppchen ergattern. Wir raten aber dazu, Online-Shops vor einer Bestellung genau zu prüfen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-locken-mit-black-friday-a… ∗∗∗ Attacker – hidden in plain sight for nearly six months – targeting Python developers ∗∗∗ --------------------------------------------- For close to six months, a malicious actor has been stealthily uploading dozens of malicious Python packages, most of them mimicking the names of legitimate ones, to bait unsuspecting developers. --------------------------------------------- https://checkmarx.com/blog/attacker-hidden-in-plain-sight-for-nearly-six-mo… ∗∗∗ FBI and CISA Release Advisory on Scattered Spider Group ∗∗∗ --------------------------------------------- Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) on Scattered Spider—a cybercriminal group targeting commercial facilities sectors and subsectors. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/16/fbi-and-cisa-release-adv… ===================== = Vulnerabilities = ===================== ∗∗∗ New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar ∗∗∗ --------------------------------------------- Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory. --------------------------------------------- https://thehackernews.com/2023/11/new-poc-exploit-for-apache-activemq.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and openvpn), Oracle (kernel, microcode_ctl, plexus-archiver, and python), Red Hat (.NET 6.0, dotnet6.0, dotnet7.0, dotnet8.0, kernel, linux-firmware, and open-vm-tools), SUSE (apache2, chromium, jhead, postgresql12, postgresql13, and qemu), and Ubuntu (dotnet6, dotnet7, dotnet8, frr, python-pip, quagga, and tidy-html5). --------------------------------------------- https://lwn.net/Articles/951681/ ∗∗∗ Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-052 ∗∗∗ FortiOS & FortiProxy VM - Bypass of root file system integrity checks at boot time on VM ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-396 ∗∗∗ FortiOS & FortiProxy - DOS in headers management ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-151 ∗∗∗ Cisco Secure Client Software Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IP Phone Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Endpoint for Windows Scanning Evasion Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco AppDynamics PHP Agent Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ FortiSIEM - OS command injection in Report Server ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-23-135 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2023-11 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2023-11-Security-Bulletin-JSA-S… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0010 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0010.html ∗∗∗ Released: November 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november… ∗∗∗ Citrix Releases Security Updates for Citrix Hypervisor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/16/citrix-releases-security… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2023
by Daily end-of-shift report 15 Nov '23

15 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-11-2023 18:00 − Mittwoch 15-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IPStorm botnet with 23,000 proxies for malicious traffic dismantled ∗∗∗ --------------------------------------------- The U.S. Department of Justive announced today that Federal Bureau of Investigation took down the network and infrastructure of a botnet proxy service called IPStorm. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ipstorm-botnet-with-23-000-p… ∗∗∗ The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses ∗∗∗ --------------------------------------------- At Fox-IT (part of NCC Group) identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in responses of HTTP servers. --------------------------------------------- https://blog.fox-it.com/2023/11/15/the-spelling-police-searching-for-malici… ∗∗∗ #StopRansomware: Rhysida Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a ===================== = Vulnerabilities = ===================== ∗∗∗ WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks ∗∗∗ --------------------------------------------- The WordPress plugin WP Fastest Cache is vulnerable to an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the sites database. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wp-fastest-cache-plugin-bug-… ∗∗∗ Reptar: Intel-CPU-Schwachstelle ermöglicht Rechteausweitung und DoS ∗∗∗ --------------------------------------------- Entdeckt wurde die Schwachstelle von Google-Forschern. Sie basiert wohl auf der Art und Weise, wie Intel-CPUs redundante Präfixe verarbeiten. --------------------------------------------- https://www.golem.de/news/reptar-intel-cpu-schwachstelle-ermoeglicht-rechte… ∗∗∗ Kein Patch verfügbar: VMware warnt vor kritischer Schwachstelle in Cloud Director ∗∗∗ --------------------------------------------- Die Schwachstelle ermöglicht es Angreifern, die Authentifizierung anfälliger VMware-Systeme zu umgehen und Schadcode einzuschleusen. --------------------------------------------- https://www.golem.de/news/kein-patch-verfuegbar-vmware-warnt-vor-kritischer… ∗∗∗ Cloud-Schutzlösung: IBM Security Guardium vielfältig attackierbar ∗∗∗ --------------------------------------------- Die IBM-Entwickler haben viele Sicherheitslücken in verschiedenen Komponenten von Security Guardium geschlossen. --------------------------------------------- https://www.heise.de/news/Cloud-Schutzloesung-IBM-Security-Guardium-vielfae… ∗∗∗ CacheWarp: Loch in Hardware-Verschlüsselung von AMD-CPUs ∗∗∗ --------------------------------------------- Der jetzt vorgestellte CacheWarp-Angriff überwindet die RAM-Verschlüsselung, mit der AMD-Prozessoren Cloud-Instanzen voneinander abschotten wollen. --------------------------------------------- https://www.heise.de/news/CacheWarp-Loch-in-Hardware-Verschluesselung-von-A… ∗∗∗ Patchday Adobe: Schadcode-Lücken in Acrobat, Photoshop & Co. geschlossen ∗∗∗ --------------------------------------------- Adobe hat Sicherheitsupdates für 15 Anwendungen veröffentlicht. Im schlimmsten Fall können Angreifer eigenen Code auf Systemen ausführen. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-Schadcode-Luecken-in-Acrobat-Photo… ∗∗∗ Patchday: SAP schließt eine kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Der November-Patchday weicht vom gewohnten Umfang ab: Lediglich drei neue Sicherheitslücken behandelt SAP. --------------------------------------------- https://www.heise.de/news/Patchday-SAP-schliesst-eine-kritische-Sicherheits… ∗∗∗ Sicherheitsupdates: Access Points von Aruba sind verwundbar ∗∗∗ --------------------------------------------- Angreifer können Schadcode auf Acces Points von Aruba ausführen. Sicherheitspatches sind verfügbar. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Acces-Points-von-Aruba-sind-ve… ∗∗∗ Patchday: Intel patcht sich durch sein Produkportfolio ∗∗∗ --------------------------------------------- Angreifer können mehrere Komponenten von Intel attackieren. In vielen Fällen sind DoS-Attacken möglich. --------------------------------------------- https://www.heise.de/news/Patchday-Intel-patcht-sich-durch-sein-Produkportf… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libclamunrar and ruby-sanitize), Fedora (frr, roundcubemail, and webkitgtk), Mageia (freerdp and tomcat), Red Hat (avahi, bind, c-ares, cloud-init, container-tools:4.0, container-tools:rhel8, cups, dnsmasq, edk2, emacs, flatpak, fwupd, ghostscript, grafana, java-21-openjdk, kernel, kernel-rt, libfastjson, libmicrohttpd, libpq, librabbitmq, libreoffice, libreswan, libX11, linux-firmware, mod_auth_openidc:2.3, nodejs:20, opensc, perl-HTTP-Tiny, [...] --------------------------------------------- https://lwn.net/Articles/951480/ ∗∗∗ November-Patchday: Microsoft schließt 63 Sicherheitslücken ∗∗∗ --------------------------------------------- Fünf Anfälligkeiten sind als kritisch eingestuft. Davon betroffen sind alle unterstützten Versionen von Windows. --------------------------------------------- https://www.zdnet.de/88412929/november-patchday-microsoft-schliesst-63-sich… ∗∗∗ QNX-2023-001 Vulnerability in QNX Networking Stack Impacts BlackBerry QNX Software Development Platform ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ ZDI-23-1636: NETGEAR CAX30 SSO Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1636/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-23583 and CVE-2023-46835 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX583037/citrix-hypervisor-security-bul… ∗∗∗ NVIDIA GPU Display Driver Advisory - October 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500588-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ NetApp SnapCenter Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500587-NETAPP-SNAPCENTER-PRIVI… ∗∗∗ AMD Radeon Graphics Kernel Driver Privilege Management Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500586-AMD-RADEON-GRAPHICS-KER… ∗∗∗ AMD Graphics Driver Vulnerabilities- November, 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500583-AMD-GRAPHICS-DRIVER-VUL… ∗∗∗ Intel Graphics Driver Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500584-INTEL-GRAPHICS-DRIVER-A… ∗∗∗ Intel Rapid Storage Technology Software Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500585 ∗∗∗ Multi-vendor BIOS Security Vulnerabilities (November 2023) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500589-MULTI-VENDOR-BIOS-SECUR… ∗∗∗ Fortinet Releases Security Updates for FortiClient and FortiGate ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/14/fortinet-releases-securi… ∗∗∗ K000137584 : Linux kernel vulnerability CVE-2023-1829 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137584 ∗∗∗ K000137582 : BIND vulnerability CVE-2023-3341 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137582 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2023
by Daily end-of-shift report 14 Nov '23

14 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 13-11-2023 18:00 − Dienstag 14-11-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CISA warns of actively exploited Juniper pre-auth RCE exploit chain ∗∗∗ --------------------------------------------- CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-explo… ∗∗∗ ChatGPT, Bard und andere: KI-Systeme ermöglichen Ausleiten von Daten ∗∗∗ --------------------------------------------- Durch gezielte Abfragen lassen sich private und geschützte Daten aus KI-Systemen ausleiten. Die Angriffe zeigen ein prinzipielles Problem. --------------------------------------------- https://www.golem.de/news/chatgpt-bard-und-andere-ki-systeme-ermoeglichen-a… ∗∗∗ Noticing command and control channels by reviewing DNS protocols, (Mon, Nov 13th) ∗∗∗ --------------------------------------------- Malicious software pieces installed in computers call home. Some of them can be noticed because they perform DNS lookup and some of them initiates connection without DNS lookup. For this last option, this is abnormal and can be noticed by any Network Detection and Response (NDR) tool that reviews the network traffic by at least two weeks. Most companies do not have money to afford a NDR, so I'm going to show you today an interesting tip that have worked for me to notice APT calling home when they perform DNS lookup. --------------------------------------------- https://isc.sans.edu/diary/rss/30396 ∗∗∗ Bug hunters on your marks: TETRA radio encryption algorithms to enter public domain ∗∗∗ --------------------------------------------- The algorithms are used by TETRA – short for the Terrestrial Trunked Radio protocol – and they are operated by governments, law enforcement, military and emergency services organizations in Europe, the UK, and other countries. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/11/14/tetra_encryp… ∗∗∗ Novel backdoor persists even after critical Confluence vulnerability is patched ∗∗∗ --------------------------------------------- Got a Confluence server? Listen up. Malware said to have wide-ranging capabilities. A new backdoor was this week found implanted in the environments of organizations to exploit the recently disclosed critical vulnerability in Atlassian Confluence. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/11/14/novel_backdo… ∗∗∗ Nothing new, still broken, insecure by default since then: Pythons e-mail libraries and certificate verification ∗∗∗ --------------------------------------------- Today, basically every e-mail provider supports TLS for their services and programmatically accessing e-mail services with Python code using TLS-wrapped clients is common. Python offers three libraries shipped with a standard installation for handling e-mail transfer. These modules are smtplib, imaplib, and poplib. While Python programming is usually straightforward, using these Python libraries require passing a magic parameter in the right way to use secure communication. --------------------------------------------- https://www.pentagrid.ch/en/blog/python-mail-libraries-certificate-verifica… ∗∗∗ LockBit ransomware group assemble strike team to breach banks, law firms and governments. ∗∗∗ --------------------------------------------- [...] I thought it would be good to break down what is happening and how they’re doing it, since LockBit are breaching some of the world’s largest organisations - many of whom have incredibly large security budgets. Through data allowing the tracking of ransomware operators, it has been possible to track individual targets. Recently, it has become clear they have been targeting a vulnerability in Citrix Netscaler, called CitrixBleed. --------------------------------------------- https://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-b… ∗∗∗ CVE Half-Day Watcher ∗∗∗ --------------------------------------------- CVE Half-Day Watcher is a security tool designed to highlight the risk of early exposure of Common Vulnerabilities and Exposures (CVEs) in the public domain. It leverages the National Vulnerability Database (NVD) API to identify recently published CVEs with GitHub references before an official patch is released. By doing so, CVE Half-Day Watcher aims to underscore the window of opportunity for attackers to "harvest" this information and develop exploits. --------------------------------------------- https://github.com/Aqua-Nautilus/CVE-Half-Day-Watcher ∗∗∗ Vorsicht vor Jobangeboten per SMS oder WhatsApp ∗∗∗ --------------------------------------------- Unerwartet erhalten Sie eine Nachricht von einer Personalvermittlungsagentur: Ihnen wird ein Job angeboten. Die Bezahlung ist gut und die Arbeitszeiten sind flexibel. Es geht darum, Hotels und Touristenattraktionen zu bewerten. Bei Interesse sollten Sie dem Arbeitgeber eine WhatsApp-Nachricht schicken. Ignorieren Sie dieses Jobangebot, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-sms-od… ∗∗∗ Ddostf DDoS Bot Malware Attacking MySQL Servers ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered that the Ddostf DDoS bot is being installed on vulnerable MySQL servers. Ddostf is a DDoS bot capable of conducting Distributed Denial of Service (DDoS) attacks on specific targets and was first identified around 2016. --------------------------------------------- https://asec.ahnlab.com/en/58878/ ∗∗∗ A Closer Look at ChatGPTs Role in Automated Malware Creation ∗∗∗ --------------------------------------------- This blog entry explores the effectiveness of ChatGPTs safety measures, the potential for AI technologies to be misused by criminal actors, and the limitations of current AI models. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/k/a-closer-look-at-chatgpt-s-r… ∗∗∗ Malicious Abrax666 AI Chatbot Exposed as Potential Scam ∗∗∗ --------------------------------------------- As of now, based on the information regarding the sale of the Abrax666 AI Chatbot, cybersecurity researchers are of the opinion that the chatbot is most likely a scam. --------------------------------------------- https://www.hackread.com/abrax666-ai-chatbot-exposed-as-potential-scam/ ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- Siemens has released 14 new and 18 updated Security Advisories. --------------------------------------------- https://www.siemens.com/global/en/products/services/cert.html?d=2023-11#Sie… ∗∗∗ Xen Security Advisory CVE-2023-46835 / XSA-445 - x86/AMD: mismatch in IOMMU quarantine page table levels ∗∗∗ --------------------------------------------- A device in quarantine mode can access data from previous quarantine page table usages, possibly leaking data used by previous domains that also had the device assigned. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-445.html ∗∗∗ Xen Security Advisory CVE-2023-46836 / XSA-446 - x86: BTC/SRSO fixes not fully effective ∗∗∗ --------------------------------------------- An attacker in a PV guest might be able to infer the contents of memory belonging to other guests. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-446.html ∗∗∗ SAP Security Patch Day –November2023 ∗∗∗ --------------------------------------------- On 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. Further, there were 3 updates to previously released Security Notes. --------------------------------------------- https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (postgresql-11, postgresql-13, and postgresql-15), Fedora (chromium, optipng, and radare2), Scientific Linux (plexus-archiver and python), Slackware (tigervnc), SUSE (apache2, containerized-data-importer, kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, postgresql, postgresql15, postgresql16, postgresql12, postgresql13, python-Django1, squashfs, and xterm), and Ubuntu (firefox and memcached). --------------------------------------------- https://lwn.net/Articles/951311/ ∗∗∗ ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric ∗∗∗ --------------------------------------------- Siemens and Schneider Electric’s Patch Tuesday advisories for November 2023 address 90 vulnerabilities affecting their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-90-vulnerabilities-addressed… ∗∗∗ Mattermost security updates 9.1.3 / 9.0.4 / 8.1.6 (ESR) / 7.8.15 (ESR) released ∗∗∗ --------------------------------------------- The security update is available for Mattermost dot releases 9.1.3, 9.0.4, 8.1.6 (Extended Support Release), and 7.8.15 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-1-3-9-0-4-8-1-6-e… ∗∗∗ TYPO3-CORE-SA-2023-007: By-passing Cross-Site Scripting Protection in HTML Sanitizer ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-007 ∗∗∗ TYPO3-CORE-SA-2023-006: Weak Authentication in Session Handling ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-006 ∗∗∗ TYPO3-CORE-SA-2023-005: Information Disclosure in Install Tool ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-005 ∗∗∗ IBM Integration Bus is vulnerable to multiple CVEs due to Apache Tomcat. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7072626 ∗∗∗ IBM QRadar Network Packet Capture includes components with multiple known vulnerabilities (CVE-2023-2828, CVE-2023-24329, CVE-2022-4839) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7073360 ∗∗∗ IBM Security Guardium is affected by multiple OS level vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7073592 ∗∗∗ AVEVA Operations Control Logger ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-01 ∗∗∗ Rockwell Automation SIS Workstation and ISaGRAF Workbench ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.11.2023
by Daily end-of-shift report 13 Nov '23

13 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-11-2023 18:00 − Montag 13-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ In a first, cryptographic keys protecting SSH connections stolen in new attack ∗∗∗ --------------------------------------------- An error as small as a single flipped memory bit is all it takes to expose a private key. --------------------------------------------- https://arstechnica.com/?p=1983026 ∗∗∗ Hackers breach healthcare orgs via ScreenConnect remote access ∗∗∗ --------------------------------------------- Security researchers are warning that hackers are targeting multiple healthcare organizations in the U.S. by abusing the ScreenConnect remote access tool. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-healthcare-or… ∗∗∗ New Ransomware Group Emerges with Hives Source Code and Infrastructure ∗∗∗ --------------------------------------------- The threat actors behind a new ransomware group called Hunters International have acquired the source code and infrastructure from the now-dismantled Hive operation to kick-start its own efforts in the threat landscape. "It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters [...] --------------------------------------------- https://thehackernews.com/2023/11/new-ransomware-group-emerges-with-hives.h… ∗∗∗ Abusing Microsoft Access “Linked Table” Feature to Perform NTLM Forced Authentication Attacks ∗∗∗ --------------------------------------------- 1. Microsoft Access (part of the Office suite) has a “linking to remote SQL Server tables” feature. 2. This feature can be abused by attackers to automatically leak the Windows user’s NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80. 3. The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf ) can work as well 4. This technique allows the attacker to bypass existing Firewall rules designed to block NTLM information stealing initiated by external attacks. --------------------------------------------- https://research.checkpoint.com/2023/abusing-microsoft-access-linked-table-… ∗∗∗ Bericht: IT-Sicherheit in Gesundheitsämtern vernachlässigt ∗∗∗ --------------------------------------------- Fehlendes Know-How, knappes Budget und unsichere Software. Ein Bericht schildert gravierende Sicherheitslücken in Gesundheitsämtern. --------------------------------------------- https://www.heise.de/-9404608.html ∗∗∗ Don’t throw a hissy fit; defend against Medusa ∗∗∗ --------------------------------------------- Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. --------------------------------------------- https://research.nccgroup.com/2023/11/13/dont-throw-a-hissy-fit-defend-agai… ∗∗∗ Cyber Threat Intelligence: Den Gegnern auf der Spur ∗∗∗ --------------------------------------------- Durch das Sammeln, Analysieren und Kontextualisieren von Informationen über mögliche Cyber-Bedrohungen, einschließlich der fortschrittlichsten, bietet Threat Intelligence eine wichtige Methode zur Identifizierung, Bewertung und Minderung von Cyber-Risiken --------------------------------------------- https://www.welivesecurity.com/de/business-security/cyber-threat-intelligen… ∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/13/cisa-adds-six-known-expl… ∗∗∗ Ransomware tracker: The latest figures [November 2023] ∗∗∗ --------------------------------------------- Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current Ransomware attacks across several key sectors dipped significantly in October, breaking a streak that has gone on for much of 2023. Ransomware gangs posted 243 victims to their extortion sites in October — a sharp decrease from the 455 [...] --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures ∗∗∗ RCE-Exploit für Wyze Cam v3 veröffentlicht (Nov. 2023) ∗∗∗ --------------------------------------------- Kurzer Hinweis für Besitzer von Indoor-Kameras des Anbieters Wyze. Deren Modell Wyze Com v3 enthält wohl Schwachstellen, über die Dritte auf die Kameradaten zugreifen können. Inzwischen ist ein RCE-Exploit für die Wyze Cam v3 veröffentlicht worden. --------------------------------------------- https://www.borncity.com/blog/2023/11/11/rce-exploit-fr-wyze-cam-v3-verffen… ∗∗∗ Facebook Fake-Benachrichtigungen "Seiten wegen Verletzung der Gemeinschaftsstandard gesperrt" ∗∗∗ --------------------------------------------- Auf Facebook scheint eine kriminelle Masche über den Messenger zu laufen, bei denen die Empfänger angeblich von Facebook-Meta-Mitarbeitern informiert werden, dass die Seiten wegen Verletzungen der Gemeinschaftsstandards o.ä. gesperrt worden seien. Es kommt ein Link mit Aufforderung zum Entsperren. Das ist aber Fake und ein Phishing-Versuch, um die Zugangsdaten abzufischen. --------------------------------------------- https://www.borncity.com/blog/2023/11/12/facebook-fake-benachrichtigungen-s… ∗∗∗ OracleIV DDoS Botnet Malware Targets Docker Engine API Instances ∗∗∗ --------------------------------------------- OracleIV is not a supply chain attack, it highlights the ongoing threat of misconfigured Docker Engine API deployments. --------------------------------------------- https://www.hackread.com/oracleiv-ddos-botnet-malware-docker-engine-api-ins… ∗∗∗ ACSC and CISA Release Business Continuity in a Box ∗∗∗ --------------------------------------------- Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASDs ACSC) and CISA released Business Continuity in a Box. Business Continuity in a Box, developed by ACSC with contributions from CISA, assists organizations with swiftly and securely standing up critical business functions during or following a cyber incident. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/13/acsc-and-cisa-release-bu… ===================== = Vulnerabilities = ===================== ∗∗∗ Local Privliege Escalation in Check Point Endpoint Security Remediation Service ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. --------------------------------------------- https://support.checkpoint.com/results/sk/sk181597 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (audiofile and ffmpeg), Fedora (keylime, python-pillow, and tigervnc), Mageia (quictls and vorbis-tools), Oracle (grub2), Red Hat (galera, mariadb, plexus-archiver, python, squid, and squid34), and SUSE (clamav, kernel, mupdf, postgresql14, tomcat, tor, and vlc). --------------------------------------------- https://lwn.net/Articles/951237/ ∗∗∗ CVE-2023-5950 Rapid7 Velociraptor Reflected XSS ∗∗∗ --------------------------------------------- This advisory covers a specific issue identified in Velociraptor and disclosed by a security code review. Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/10/cve-2023-5950-rapid7-velocirapt… ∗∗∗ Ivanti EPMM CVE-2023-39335/39337 ∗∗∗ --------------------------------------------- As part of our ongoing strengthening of the security of our products we have discovered two new vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core. We are reporting these vulnerabilities as CVE-2023-39335 and CVE-2023-39337. --------------------------------------------- https://www.ivanti.com/blog/ivanti-epmm-cve-2023-39335-39337 ∗∗∗ Mutiple Vulnerabilties Affecting Watson Machine Learning Accelerator on Cloud Pak for Data version ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7071340 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2023
by Daily end-of-shift report 10 Nov '23

10 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-11-2023 18:00 − Freitag 10-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ducktail fashion week ∗∗∗ --------------------------------------------- The Ducktail malware, designed to hijack Facebook business and ads accounts, sends marketing professionals fake ads for jobs with major clothing manufacturers. --------------------------------------------- https://securelist.com/ducktail-fashion-week/111017/ ∗∗∗ Routers Targeted for Gafgyt Botnet [Guest Diary], (Thu, Nov 9th) ∗∗∗ --------------------------------------------- The threat actor attempts to add my honeypot into a botnet so the threat actor can carry out DDoS attacks. The vulnerabilities used for the attack were default credentials and CVE-2017-17215. To prevent these attacks, make sure systems are patched and using strong credentials. --------------------------------------------- https://isc.sans.edu/diary/rss/30390 ∗∗∗ Malware: Mehr als 600 Millionen Downloads 2023 in Google Play ∗∗∗ --------------------------------------------- Kaspersky hat in diesem Jahr bereits mehr als 600 Millionen Malware-Downloads aus dem Google-Play-Store gezählt. Der bleibt aber sicherste Paketquelle. --------------------------------------------- https://www.heise.de/news/Malware-Mehr-als-600-Millionen-Downloads-2023-in-… ∗∗∗ Demystifying Cobalt Strike’s “make_token” Command ∗∗∗ --------------------------------------------- Cobalt Strike provides the make_token command to achieve a similar result to runas /netonly. --------------------------------------------- https://research.nccgroup.com/2023/11/10/demystifying-cobalt-strikes-make_t… ∗∗∗ High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites ∗∗∗ --------------------------------------------- Clickbait articles are highlighted in this article. A jump in compromised sites exploiting CVE-2023-3169 stresses the danger of web-based threats. --------------------------------------------- https://unit42.paloaltonetworks.com/dangers-of-clickbait-sites/ ∗∗∗ Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518 ∗∗∗ --------------------------------------------- We encountered the Cerber ransomware exploiting the Atlassian Confluence vulnerability CVE-2023-22518 in its operations. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/k/cerber-ransomware-exploits-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (community-mysql, matrix-synapse, and xorg-x11-server-Xwayland), Mageia (squid and vim), Oracle (dnsmasq, python3, squid, squid:4, and xorg-x11-server), Red Hat (fence-agents, insights-client, kernel, kpatch-patch, mariadb:10.5, python3, squid, squid:4, tigervnc, and xorg-x11-server), Scientific Linux (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, python-reportlab, python3, squid, thunderbird, and xorg-x11-server), [...] --------------------------------------------- https://lwn.net/Articles/951066/ ∗∗∗ Multiple Vulnerabilities in QuMagie ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-50 ∗∗∗ Vulnerability in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-24 ∗∗∗ AIX is affected by a denial of service (CVE-2023-45167) and a security restrictions bypass (CVE-2023-40217) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7068084 ∗∗∗ Multiple vulnerabilities in Eclipse Jetty affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070298 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM SDK, Java Technology Edition Quarterly CPU - Apr 2023 - Includes Oracle April 2023 CPU plus CVE-2023-2597 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070548 ∗∗∗ Multiple security vulnerabilities have been identified in IBM DB2 which is shipped with IBM Intelligent Operations Center. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070539 ∗∗∗ IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070736 ∗∗∗ Ivanti Secure Access Client security notifications ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/ivanti-secure-access-client-security-notificati… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2023
by Daily end-of-shift report 09 Nov '23

09 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-11-2023 18:00 − Donnerstag 09-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Highly invasive backdoor snuck into open source packages targets developers ∗∗∗ --------------------------------------------- Packages downloaded thousands of times targeted people working on sensitive projects. --------------------------------------------- https://arstechnica.com/?p=1982281 ∗∗∗ Google ads push malicious CPU-Z app from fake Windows news site ∗∗∗ --------------------------------------------- A threat actor has been abusing Google Ads to distribute a trojanized version of the CPU-Z tool to deliver the Redline info-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-ads-push-malicious-cp… ∗∗∗ Visual Examples of Code Injection, (Thu, Nov 9th) ∗∗∗ --------------------------------------------- I spotted an interesting sample that perform this technique and I was able to collect “visible” information. The malware was delivered through a phishing email with a ZIP archive. --------------------------------------------- https://isc.sans.edu/diary/rss/30388 ∗∗∗ Google Play: Extra-Sicherheitsprüfungen sollen Apps vertrauenswürdiger machen ∗∗∗ --------------------------------------------- Ab sofort sind bestimmte Apps in Google Play mit einem neuen Banner gekennzeichnet, der mehr Sicherheit garantieren soll. Den Anfang machen einige VPN-Apps. --------------------------------------------- https://www.heise.de/-9357280 ∗∗∗ Spammers abuse Google Forms’ quiz to deliver scams ∗∗∗ --------------------------------------------- Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. --------------------------------------------- https://blog.talosintelligence.com/google-forms-quiz-spam/ ∗∗∗ GhostLocker - A “Work In Progress” RaaS ∗∗∗ --------------------------------------------- GhostSec, has introduced a novel Ransom-as-a-Service encryptor known as GhostLocker. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/08/ghostlocker-a-work-in-progress-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti and chromium), Fedora (CuraEngine, podman, and rubygem-rmagick), Mageia (gnome-shell, openssl, and zlib), SUSE (salt), and Ubuntu (xrdp). --------------------------------------------- https://lwn.net/Articles/950850/ ∗∗∗ CVE-2023-3282 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine (Severity: MEDIUM) ∗∗∗ --------------------------------------------- This issue is applicable only to Cortex XSOAR engines installed through the shell method that are running on a Linux operating system. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-3282 ∗∗∗ CVE-2023-47246: SysAid Zero-Day Vulnerability Exploited By Lace Tempest ∗∗∗ --------------------------------------------- A new zero-day vulnerability (CVE-2023-47246) in SysAid IT service management software is being exploited by the threat group responsible for the MOVEit Transfer attack in May 2023. --------------------------------------------- https://www.rapid7.com/blog/post/2023/11/09/etr-cve-2023-47246-sysaid-zero-… ∗∗∗ Drupal: GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-051 ∗∗∗ Drupal: GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-050 ∗∗∗ Weidmüller: WIBU Vulnerability in multiple Products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-032/ ∗∗∗ Johnson Controls Quantum HD Unity ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01 ∗∗∗ Hitachi Energy eSOMS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-02 ∗∗∗ IBM Security Guardium is affected by denial of service vulnerabilities (CVE-2023-3635, CVE-2023-28118) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7069238 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in Apache Struts (CVE-2023-34149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7069237 ∗∗∗ Vulnerabilities in Linux Kernel, Samba, Golang, Curl, and openssl can affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7069319 ∗∗∗ A vulnerability in Samba affects IBM Storage Scale SMB protocol access method (CVE-2022-2127) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070025 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily