=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 06-09-2023 18:00 − Donnerstag 07-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Next-Generation Context Aware Password Cracking ∗∗∗
---------------------------------------------
TLDR; Using ChatGPT, an attacker can generate a list of password guesses based on the context of the target such as a company’s description or social media accounts.
---------------------------------------------
https://medium.com/@doctoreww/next-generation-context-aware-password-cracki…
∗∗∗ Cisco warnt vor teils kritischen Lücken und liefert Updates für mehrere Produkte ∗∗∗
---------------------------------------------
In mehreren Cisco-Produkten lauern Sicherheitslücken, die Updates schließen sollen. Eine gilt sogar als kritisch.
---------------------------------------------
https://heise.de/-9297182
∗∗∗ FreeWorld ransomware attacks MSSQL—get your databases off the Internet ∗∗∗
---------------------------------------------
When we think of ransomware and brute force password guessing attacks, we normally think of RDP, but recent research from Securonix reminds us that anything secured with a password and exposed to the internet is of interest to cybercriminals.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/09/freeworld-ransomware-attacks…
∗∗∗ Ozempic, Wegovy & Co: Vorsicht vor Fake-Shops mit „Schlankheitsmitteln“ ∗∗∗
---------------------------------------------
Diabetes-Medikamente wie Ozempic, Saxenda oder Metformin sind seit einiger Zeit von Lieferengpässen betroffen. Der Grund: Elon Musk, Kim Kardashian und andere Prominente nutzen diese und ähnliche Medikamente zum Abnehmen, der Hype dieser „Abnehmspritzen“ ließ nicht lange auf sich warten. Ein Trend, den sich auch Kriminelle zunutze machen. Sie bieten die eigentlich verschreibungspflichtigen Medikamente in Fake-Shops als Schlankheitsmittel an.
---------------------------------------------
https://www.watchlist-internet.at/news/ozempic-wegovy-co-vorsicht-vor-fake-…
∗∗∗ A classification of CTI Data feeds ∗∗∗
---------------------------------------------
We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria’s hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed. This blog post describes my view on this topic.
---------------------------------------------
https://cert.at/en/blog/2023/9/cti-data-feeds
∗∗∗ Cybercriminals target graphic designers with GPU miners ∗∗∗
---------------------------------------------
Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware including PhoenixMiner and lolMiner on infected machines.
---------------------------------------------
https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-…
∗∗∗ CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells ∗∗∗
---------------------------------------------
This Cybersecurity Advisory has been updated with new tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) received from an additional victim and trusted third parties.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/09/06/cisa-releases-update-thr…
∗∗∗ MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 ∗∗∗
---------------------------------------------
CISA received 4 files for analysis from an incident response engagement conducted at an Aeronautical Sector organization [..] CISA has provided indicators of compromise (IOCs) and YARA rules for detection within this Malware Analysis Report (MAR).
---------------------------------------------
https://www.cisa.gov/news-events/analysis-reports/ar23-250a
=====================
= Vulnerabilities =
=====================
∗∗∗ Aruba-Controller und -Gateways mit hochriskanten Sicherheitslücken ∗∗∗
---------------------------------------------
Für Aruba-Controller und -Gateways der Serien 9000 und 9200 gibt es Updates, die hochriskante Sicherheitslücken schließen.
---------------------------------------------
https://heise.de/-9297925
∗∗∗ Cisco Security Advisories 2023-09-06 - 2023-09-06 ∗∗∗
---------------------------------------------
Cisco has released 6 security advisories: (1x Critical, 1x High, 4x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Sicherheitsupdates: Unbefugte Zugriffe auf TP-Link-Router möglich ∗∗∗
---------------------------------------------
Angreifer können verschiedene Router von TP-Link attackieren und im schlimmsten Fall eigene Befehle auf Geräten ausführen.
---------------------------------------------
https://heise.de/-9297306
∗∗∗ 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution ∗∗∗
---------------------------------------------
Update - September 5th 2023: A new variant of the SRX upload vulnerability has been published by external researchers (CVE-2023-36851). All fixes listed under Solution below break the RCE chain
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-B…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023) ∗∗∗
---------------------------------------------
Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2023/09/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (erofs-utils, htmltest, indent, libeconf, netconsd, php-phpmailer6, tinyexr, and vim), Red Hat (firefox), and Ubuntu (linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-intel-iotg-5.15, linux-raspi, linux-oem-6.1, linux-raspi, linux-raspi-5.4, shiro, and sox).
---------------------------------------------
https://lwn.net/Articles/943856/
∗∗∗ CVE-2023-4528: Java Deserialization Vulnerability in JSCAPE MFT (Fixed) ∗∗∗
---------------------------------------------
CVE-2023-4528 affects all versions of JSCAPE MFT Server prior to version 2023.1.9 on all platforms (Windows, Linux, and MacOS). See the JSCAPE advisory for more information [..] CVE-2023-4528 has been addressed in JSCAPE version 2023.1.9 which is now available for customer deployment.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/09/07/cve-2023-4528-java-deserializat…
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-23-250-01 Dover Fueling Solutions MAGLINK LX Console (CVSS v3 9.1),
ICSA-23-250-02 Phoenix Contact TC ROUTER and TC CLOUD CLIENT (CVSS v3 9.6),
ICSA-23-250-03 Socomec MOD3GP-SY-120K (CVSS v3 10.0),
ICSA-23-157-01 Delta Electronics CNCSoft-B DOPSoft (Update) (CVSS v3 7.8)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/09/07/cisa-releases-four-indus…
∗∗∗ Drupal: WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-044
∗∗∗ Drupal: highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-043
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 05-09-2023 18:00 − Mittwoch 06-09-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patchday: Schadcode-Attacken auf Android 11, 12, 13 möglich ∗∗∗
---------------------------------------------
Google und weitere Hersteller von Android-Geräten haben wichtige Sicherheitsupdates veröffentlicht.
---------------------------------------------
https://heise.de/-9296497
∗∗∗ Microsoft überarbeitet Downfall-Empfehlungen; MSI liefert BIOS-Update für UNSUPPORTED_PROCESSOR-Problem ∗∗∗
---------------------------------------------
Im August war die sogenannte Downfall-Schwachstelle in Prozessoren bekannt geworden, die ein Abfließen von Informationen ermöglicht. Nun hat Microsoft seinen Support-Beitrag mit Hinweisen zur Downfall-Schwachstelle unter Windows aktualisiert und Informationen zum Deaktivieren der Schutzmaßnahmen entfernt. Weiterhin gab es nach Installation [..]
---------------------------------------------
https://www.borncity.com/blog/2023/09/06/microsoft-berarbeitet-downfall-emp…
∗∗∗ Pandoras box is now open: the well-known Mirai trojan arrives in a new disguise to Android-based TV sets and TV boxes ∗∗∗
---------------------------------------------
Doctor Web has identified a family of Android.Pandora trojans that compromise Android devices, either during firmware updates or when applications for viewing pirated video content are installed. This backdoor inherited its advanced DDoS-attack capabilities from its ancestor, the well-known Linux.Mirai trojan.
---------------------------------------------
https://news.drweb.com/show/?i=14743
∗∗∗ Security Relevant DNS Records, (Wed, Sep 6th) ∗∗∗
---------------------------------------------
DNS has a big security impact. DNS is in part responsible for your traffic reaching the correct host on the internet. But there is more to DNS then name resolution. I am going to mention a few security relevant record types here, in no particular order: [..]
---------------------------------------------
https://isc.sans.edu/diary/rss/30194
∗∗∗ Bogus URL Shorteners Go Mobile-Only in AdSense Fraud Campaign ∗∗∗
---------------------------------------------
Since September 2022, our team has been tracking a bogus URL shortener redirect campaign that started with just a single domain: ois[.]is. By the beginning of 2023, this malware campaign had expanded to over a hundred domain names to redirect traffic to low quality Q&A sites and monetize traffic via Google AdSense. In fact, since the beginning of this year alone, Sucuri’s remote website scanner has detected various strains of this malware on over 24,000 websites.
---------------------------------------------
https://blog.sucuri.net/2023/09/bogus-url-shorteners-go-mobile-only-in-adse…
∗∗∗ Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant ∗∗∗
---------------------------------------------
The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week.
---------------------------------------------
https://thehackernews.com/2023/09/alert-phishing-campaigns-deliver-new.html
∗∗∗ Lord Of The Ring0 - Part 5 ∗∗∗
---------------------------------------------
In this blog post, I’ll explain two common hooking methods (IRP Hooking and SSDT Hooking) and two different injection techniques from the kernel to the user mode for both shellcode and DLL (APC and CreateThread) with code snippets and examples from Nidhogg.
---------------------------------------------
https://idov31.github.io/2023/07/19/lord-of-the-ring0-p5.html
∗∗∗ A review of SolarWinds attack on Orion platform using persistent threat agents and techniques for gaining unauthorized access ∗∗∗
---------------------------------------------
This paper of work examines the SolarWinds attack, designed on Orion Platform security incident. It analyses the persistent threats agents and potential technical attack techniques to gain unauthorized access. [..] It concludes with necessary remediation actions on cyber hygiene countermeasures, common vulnerabilities and exposure analysis and solutions.
---------------------------------------------
https://arxiv.org/abs/2308.10294
∗∗∗ What is ISO 27002:2022 Control 8.9? A Quick Look at the Essentials ∗∗∗
---------------------------------------------
Configuration management is now presented as a new control in the new, revised edition of ISO 27002:2022 (Control 8.9). It is a crucial component of an organizations security management. This blog will guide you through the essentials of Control 8.9.
---------------------------------------------
https://www.tripwire.com/state-of-security/what-iso-270022022-control-89-qu…
∗∗∗ Peeking under the bonnet of the Litter Robot 3 ∗∗∗
---------------------------------------------
I began to wonder what interesting things I may find when doing a small tear down of the Litter Robot’s components including the PCB, firmware, and mobile application. [..] So, please follow me on my journey to understanding the extraction and analysis of an ESP32 IOT device, reverse engineering a Flutter mobile application, and capturing and analysing the network traffic between the device, the mobile app and the internet.
---------------------------------------------
https://www.elttam.com/blog/re-of-lr3/
∗∗∗ Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach ∗∗∗
---------------------------------------------
[..] Palant said while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials [..] Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections [..] According to MetaMask’s Monahan, users who stored any important passwords with LastPass [..] should change those credentials immediately
---------------------------------------------
https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-s…
∗∗∗ Android 14 blocks all modification of system certificates, even as root ∗∗∗
---------------------------------------------
If youre an Android developer, tester, reverse engineer, or anybody else interested in directly controlling who your device trusts, this is going to create some new challenges. Before we get into the finer details, first I want to talk a little about the context around Android CA management and how we got here [..]
---------------------------------------------
https://httptoolkit.com/blog/android-14-breaks-system-certificate-installat…
∗∗∗ You patched yet? Years-old Microsoft security holes still hot targets for cyber-crooks ∗∗∗
---------------------------------------------
And so we can believe it when Qualys yesterday said 15 of the 20 most-exploited software vulnerabilities it has observed are in Microsofts code. [..] The No. 1 flaw on the list was patched in November 2017, a code execution hole in Microsoft Offices Equation Editor wed have hoped had been mostly mitigated by now.
---------------------------------------------
https://www.theregister.com/2023/09/05/qualys_top_20_vulnerabilities/
∗∗∗ Code Vulnerabilities Leak Emails in Proton Mail ∗∗∗
---------------------------------------------
In this blog post, we first present the technical details of the vulnerabilities we found in Proton Mail. We show how an innocent-looking piece of code led to a Cross-Site Scripting issue that made it possible for attackers to steal unencrypted emails and impersonate victims. As part of a 3-post series, we will cover other severe vulnerabilities we found in Skiff and Tutanota Desktop in the coming weeks.
---------------------------------------------
https://www.sonarsource.com/blog/code-vulnerabilities-leak-emails-in-proton…
∗∗∗ 4,500 of the Top 1 Million Websites Leaked Source Code, Secrets ∗∗∗
---------------------------------------------
We scanned the Alexa Top 1 Million Websites for leaked secrets. We found thousands of exposed source code repositories and hundreds of live API keys. These are our top 5 takeaways
---------------------------------------------
https://trufflesecurity.com/blog/4500-of-the-top-1-million-websites-leaked-…
∗∗∗ Apache Superset Part II: RCE, Credential Harvesting and More ∗∗∗
---------------------------------------------
In this post, we disclose all the issues we’ve reported to Superset, including two new high severity vulnerabilities, CVE-2023-39265 and CVE-2023-37941, that are fixed in the just released 2.1.1 version of Superset. We strongly recommend that all Superset users upgrade to this version.
---------------------------------------------
https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-a…
∗∗∗ New phishing tool hijacked thousands of Microsoft business email accounts ∗∗∗
---------------------------------------------
Researchers have uncovered a hidden “phishing empire” targeting businesses in Europe, Australia and the U.S. with a sophisticated new tool. A hacking group called W3LL, which has been active since at least 2017, has created an English-language underground marketplace to sell a phishing kit that can bypass multi-factor authentication, according to a report [..]
---------------------------------------------
https://therecord.media/w3ll-phishing-toolkit-bec-microsoft-365-accounts
∗∗∗ Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft) ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has confirmed that malware [1], which was previously distributed in CHM format, is now being distributed in LNK format. This malware executes additional scripts located at a specific URL through the mshta process. It then receives commands from the threat actor’s server to carry out additional malicious behaviors.
---------------------------------------------
https://asec.ahnlab.com/en/56756/
∗∗∗ SapphireStealer: Open-source information stealer enables credential and data theft ∗∗∗
---------------------------------------------
SapphireStealer appears to be delivered as part of a multi-stage infection process, with threat actors leveraging open-source malware downloaders like FUD-Loader to deliver SapphireStealer to potential victims.
---------------------------------------------
https://blog.talosintelligence.com/sapphirestealer-goes-open-source/
∗∗∗ Threat Actor Continues to Plague the Open-Source Ecosystem with Sophisticated Info-Stealing Malware ∗∗∗
---------------------------------------------
In May, we sounded the alarm about PYTA31, an advanced persistent threat actor distributing the “WhiteSnake” malware. Since then, we’ve been rigorously monitoring this group, which has been active from April through mid-August, distributing malicious PyPI packages laced with “WhiteSnake Malware.”
---------------------------------------------
https://checkmarx.com/blog/threat-actor-continues-to-plague-the-open-source…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdates: Angreifer können Kontrolle über Asus-Router erlangen ∗∗∗
---------------------------------------------
Mehrere Sicherheitslücken gefährden verschiedene Router-Modelle von Asus. Patches sichern Geräte ab.
---------------------------------------------
https://heise.de/-9296210
∗∗∗ Webbrowser: Hochriskante Schwachstellen in Google Chrome geschlossen ∗∗∗
---------------------------------------------
Google stopft mit aktualisiertern Chrome-Versionen vier als hochriskant eingestufte Sicherheitslücken.
---------------------------------------------
https://heise.de/-9295977
∗∗∗ Researchers Discover Critical Vulnerability in PHPFusion CMS ∗∗∗
---------------------------------------------
No patch is available yet for the bug, which can enable remote code execution under the correct circumstances.
---------------------------------------------
https://www.darkreading.com/application-security/researchers-discover-criti…
∗∗∗ Forthcoming OpenSSL Release ∗∗∗
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1w. This release will be made available on Monday 11th September 2023 between 1300-1700 UTC. This is a security-fix release. The highest severity issue fixed in this release is Low
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2023-September/000271.ht…
∗∗∗ 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution ∗∗∗
---------------------------------------------
2023-09-05: Important update for SRX customers
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-B…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (aom and php7.3), Fedora (freeimage and mingw-freeimage), Scientific Linux (thunderbird), SUSE (amazon-ssm-agent, chromium, container-suseconnect, docker, glib2, php7, python-Django1, and rubygem-rails-html-sanitizer), and Ubuntu (kernel, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-ibm, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-gcp, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia).
---------------------------------------------
https://lwn.net/Articles/943679/
∗∗∗ VU#304455: Authentication Bypass in Tenda N300 Wireless N VDSL2 Modem Router ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/304455
∗∗∗ Stored Cross-Site Scripting Vulnerability Patched in Newsletter WordPress Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/09/stored-cross-site-scripting-vulnerab…
∗∗∗ AtlasVPN to Patch IP Leak Vulnerability After Public Disclosure ∗∗∗
---------------------------------------------
https://www.securityweek.com/atlasvpn-to-patch-ip-leak-vulnerability-after-…
∗∗∗ Dozens of Unpatched Flaws Expose Security Cameras Made by Defunct Company Zavio ∗∗∗
---------------------------------------------
https://www.securityweek.com/dozens-of-unpatched-flaws-expose-security-came…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 04-09-2023 18:00 − Dienstag 05-09-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers exploit MinIO storage system to breach corporate networks ∗∗∗
---------------------------------------------
Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-minio-storag…
∗∗∗ DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates ∗∗∗
---------------------------------------------
A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate."The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security said in a report published last week.
---------------------------------------------
https://thehackernews.com/2023/08/darkgate-malware-activity-spikes-as.html
∗∗∗ New Python Variant of Chaes Malware Targets Banking and Logistics Industries ∗∗∗
---------------------------------------------
Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes."It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol," Morphisec said in a new detailed technical write-up [..]
---------------------------------------------
https://thehackernews.com/2023/09/new-python-variant-of-chaes-malware.html
∗∗∗ New BLISTER Malware Update Fuelling Stealthy Network Infiltration ∗∗∗
---------------------------------------------
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic.“New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,” Elastic Security Labs researchers [..]
---------------------------------------------
https://thehackernews.com/2023/09/new-blister-malware-update-fuelling.html
∗∗∗ Nascent Malware Campaign Targets npm, PyPI, and RubyGems Developers ∗∗∗
---------------------------------------------
Python Malware: On the morning of September 3, 2023, our automated platform notified us of the first package in this campaign: kwxiaodian [..] This follows a common pattern we see across many early campaigns and one we witnessed a few weeks back [..] Obfuscated Javascript Packages: At roughly the same time, we received notifications about malicious package publications on npm. Rubygems Package: The Rubygems package follows similar patterns to both the PyPI and npm packages.
---------------------------------------------
https://blog.phylum.io/malware-campaign-targets-npm-pypi-and-rubygems-devel…
∗∗∗ Common usernames submitted to honeypots ∗∗∗
---------------------------------------------
Based on reader feedback, I decided to take a look at usernames submitted to honeypots. The usernames that are seen on a daily basis look very familiar. [..] I exported the username data from my honeypot, which is a little over 16 months of data
---------------------------------------------
https://isc.sans.edu/diary/rss/30188
∗∗∗ Uncovering Web Cache Deception: A Missed Vulnerability in the Most Unexpected Places ∗∗∗
---------------------------------------------
During the assessment of the target application, it was observed that the server had implemented restrictions to prevent Web Cache Deception attacks on API/Web endpoints that had session tokens or data in the response. Unfortunately, the same precautions were not implemented on the /404 page or any /nonexistingurl. We discovered that the response for any endpoint that doesnt exist contained PII information without any cache controls in place.
---------------------------------------------
https://blog.agilehunt.com/blogs/security/web-cache-deception-attack-on-404…
∗∗∗ Whats in a name? [..] The .kids TLD is not alright ∗∗∗
---------------------------------------------
Cisco Talos successfully registered the domain name: your-dns-needs-immediate-attention.kids. Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s “System Center Configuration Manager.” [..] we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.
---------------------------------------------
https://blog.talosintelligence.com/whats-in-a-name/
∗∗∗ Inconsistencies in the Common Vulnerability Scoring System (CVSS) ∗∗∗
---------------------------------------------
The goal of CVSS is to provide comparable scores across different evaluators. However, previous works indicate that CVSS might not reach this goal: If a vulnerability is evaluated by several analysts, their scores often differ. This raises the following questions: Are CVSS evaluations consistent? Which factors influence CVSS assessments? We systematically investigate these questions in an online survey with 196 CVSS users.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/09/inconsistencies-in-the-commo…
∗∗∗ CVE-2023-4634 - Tricky Unauthenticated RCE on Wordpress Media Library Assistant Plugin using a good old Imagick ∗∗∗
---------------------------------------------
As discussed in many of our articles, you already know that WordPress and related plugins are taking up a large space in the global attack surface [..] The vulnerability described below is a perfect example
---------------------------------------------
https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
∗∗∗ When URL parsers disagree (CVE-2023-38633) ∗∗∗
---------------------------------------------
Discovery and walkthrough of CVE-2023-38633 in librsvg, when two URL parser implementations (Rust and Glib) disagree on file scheme parsing leading to path traversal.
---------------------------------------------
https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-3…
∗∗∗ Vorsicht vor betrügerischen PayPal-Anrufen ∗∗∗
---------------------------------------------
Ihr Telefon klingelt. Sie heben ab und eine Tonbandstimme meldet sich: „Hallo, hier ist PayPal. Sie haben soeben 738 Euro überwiesen. Um den Zahlvorgang abzubrechen, drücken Sie die 1.“ Drücken Sie keinesfalls die 1, hierbei handelt es sich um eine Betrugsmasche. Legen Sie auf!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-paypal-…
=====================
= Vulnerabilities =
=====================
∗∗∗ ASUS routers vulnerable to critical remote code execution flaws ∗∗∗
---------------------------------------------
Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/asus-routers-vulnerable-to-c…
∗∗∗ Multiple vulnerabilities in F-RevoCRM ∗∗∗
---------------------------------------------
* An attacker who can access the product may execute an arbitrary OS command on the server where the product is running - CVE-2023-41149
* An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-41150
---------------------------------------------
https://jvn.jp/en/jp/JVN78113802/
∗∗∗ Festo: MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions (CVE-2023-3634) ∗∗∗
---------------------------------------------
Festo developed the products according to the respective state of the art. As a result, the protocols used no longer fully meet todays security requirements. The products are designed and developed for use in sealed-off (industrial) networks. If the network is not adequately sealed off, unauthorized access to the product can cause damage or malfunctions, particularly Denial of Service (DoS) or loss of integrity. Remediation: Update of user documentation in next product version.
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-020/
∗∗∗ 9 Vulnerabilities Patched in SEL Power System Management Products ∗∗∗
---------------------------------------------
Researchers at industrial cybersecurity firm Nozomi Networks have analyzed the company’s SEL-5030 acSELerator QuickSet and SEL-5037 Grid Configurator, software products designed to allow engineers and technicians to configure and manage devices for power system protection, control, metering and monitoring, and to create and deploy settings for SEL power system devices. Nozomi researchers discovered a total of nine vulnerabilities, including four that have been assigned a ‘high severity’ rating
---------------------------------------------
https://www.securityweek.com/9-vulnerabilities-patched-in-sel-power-system-…
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-248-01 Fujitsu Limited Real-time Video Transmission Gear IP series: CVE-2023-38433
* ICSMA-23-248-01 Softneta MedDream PACS Premium: CVE-2023-40150, CVE-2023-39227
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/09/05/cisa-releases-two-indust…
∗∗∗ AVM: Fritzbox-Firmware 7.57 und 7.31 stopfen Sicherheitsleck ∗∗∗
---------------------------------------------
AVM hat für zahlreiche Fritzboxen die Firmware 7.57 und 7.31 veröffentlicht. Es handelt sich um ein Stabilitäts- und Sicherheitsupdate.
---------------------------------------------
https://heise.de/-9294758
∗∗∗ Xen XSA-437: arm32: The cache may not be properly cleaned/invalidated ∗∗∗
---------------------------------------------
A malicious guest may be able to read sensitive data from memory that previously belonged to another guest.
CVE ID: CVE-2023-34321
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-437.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (file and thunderbird), Fedora (exercism, libtommath, moby-engine, and python-pyramid), Oracle (cups and kernel), Red Hat (firefox, kernel, kernel-rt, kpatch-patch, and thunderbird), SUSE (amazon-ecs-init, buildah, busybox, djvulibre, exempi, firefox, gsl, keylime, kubernetes1.18, php7, and sccache), and Ubuntu (docker-registry and linux-azure-5.4).
---------------------------------------------
https://lwn.net/Articles/943584/
∗∗∗ IBM UrbanCode Build is vulnerable to CVE-2023-24998 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030594
∗∗∗ IBM UrbanCode Build is vulnerable to CVE-2023-28708 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030596
∗∗∗ Vulnerabilities found in batik-all-1.7.jar, batik-dom-1.7.jar which is shipped with IBM Intelligent Operations Center(CVE-2018-8013, CVE-2017-5662, CVE-2015-0250) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030598
∗∗∗ Due to use of FasterXML Jackson-databind, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial of service. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030601
∗∗∗ Due to use of Kafka, IBM Cloud Pak for Multicloud Management Monitoring could allow a remote attacker to obtain sensitive information. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030604
∗∗∗ Due to use of Spark from Hadoop, IBM Cloud Pak for Multicloud Management Monitoring could allow a remote attacker to traverse directories on the system. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030603
∗∗∗ Due to use of Apache Cassandra , IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to an authenticated attacker to gaining elevated privileges. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030602
∗∗∗ Due to use of IBM WebSphere Application Server Liberty, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030610
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect WebSphere Service Registry and Repository due to July 2023 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030605
∗∗∗ Due to use of NodeJS, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030612
∗∗∗ A security vulnerability has been identified in IBM SDK, Java Technology Edition shipped with IBM Tivoli Business Service Manager (CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030613
∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030614
∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030615
∗∗∗ Vulnerability found in commons-io-1.3.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2021-29425) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030617
∗∗∗ Vulnerabilities found in poi-ooxml-3.9.jar which is shipped with IBM Intelligent Operations Center(CVE-2017-5644, CVE-2019-12415, CVE-2014-3574, CVE-2014-3529) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030627
∗∗∗ Vulnerability found in pdfbox-1.8.1.jar which is shipped with IBM Intelligent Operations Center(220742, CVE-2018-11797, CVE-2016-2175) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030626
∗∗∗ Vulnerabilities found in poi-3.9.jar, poi-scratchpad-3.9.jar which is shipped with IBM Intelligent Operations Center(CVE-2017-12626, CVE-2014-9527) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030629
∗∗∗ Vulnerabilities found in jackson-mapper-asl-1.9.13.jar which is shipped with IBM Intelligent Operations Center(CVE-2019-10202, CVE-2019-10172) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030623
∗∗∗ Multiple Vulnerabilities found in Turf.js which is shipped with IBM Intelligent Operations Center(CVE-2020-15168, CVE-2022-0235) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030624
∗∗∗ Vulnerability found in fontbox-1.8.1.jarr which is shipped with IBM Intelligent Operations Center(CVE-2018-8036) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030622
∗∗∗ Vulnerabilities found in cxf-rt-transports-http-3.0.3.jar which is shipped with IBM Intelligent Operations Center(CVE-2016-6812, CVE-2018-8039, CVE-2020-13954) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030618
∗∗∗ Vulnerability found in fop-1.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2017-5661) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030621
∗∗∗ Multiple Vulnerabilities found in Turf.js which is shipped with IBM Intelligent Operations Center(CVE-2021-44906, CVE-2020-7598) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030625
∗∗∗ Vulnerability found in dom4j-1.6.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2018-1000632) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030619
∗∗∗ Vulnerability found in commons-codec-1.5.jar which is shipped with IBM Intelligent Operations Center(177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030616
∗∗∗ IBM MQ is affected by a denial of service vulnerability in OpenSSL (CVE-2023-2650) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027922
∗∗∗ Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030632
∗∗∗ A Vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030634
∗∗∗ Vulnerability found in dom4j-1.6.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2020-10683) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030636
∗∗∗ Vulnerability found in xmlgraphics-commons-1.5.jar which is shipped with IBM Intelligent Operations Center(CVE-2020-11988) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030630
∗∗∗ Multiple Vulnerabilities found in IBM DB2 which is shipped with IBM Intelligent Operations Center(CVE-2022-43929, CVE-2022-43927, CVE-2014-3577, CVE-2022-43930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030638
∗∗∗ Vulnerabilities found in batik-bridge-1.7.jar which is shipped with IBM Intelligent Operations Center(CVE-2022-40146, CVE-2022-38648, CVE-2022-38398) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030631
∗∗∗ Vulnerability found in cxf-core-3.5.4.jar which is shipped with IBM Intelligent Operations Center(CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030633
∗∗∗ Vulnerability found in cxf-rt-transports-http-3.5.3.jar which is shipped with IBM Intelligent Operations Center(CVE-2022-46363) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030635
∗∗∗ Vulnerability found in commons-net-1.4.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2021-37533) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030637
∗∗∗ A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030641
∗∗∗ Vulnerabilities found in jackson-mapper-asl which is shipped with IBM Intelligent Operations Center(CVE-2019-10172, CVE-2019-10202) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030639
∗∗∗ Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2023-21830, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030640
∗∗∗ A vulnerability found in IBM WebSphere Application Server Liberty which is shipped with IBM Intelligent Operations Center(CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030642
∗∗∗ A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030643
∗∗∗ A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030644
∗∗∗ Multiple Angular vulnerabilities affects IBM Tivoli Business Service Manager (CVE-2023-26116, CVE-2023-26117, CVE-2023-26118, CVE-2022-25869, CVE-2022-25844) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030667
∗∗∗ IBM SDK, Java Technology Edition, Security Update August 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030664
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager (CVE-2023-22045, CVE-2023-22049) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030666
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 01-09-2023 18:00 − Montag 04-09-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Chrome extensions can steal plaintext passwords from websites ∗∗∗
---------------------------------------------
A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a websites source code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chrome-extensions-can-steal-…
∗∗∗ New ‘YouPorn’ sextortion scam threatens to leak your sex tape ∗∗∗
---------------------------------------------
A new sextortion scam is making the rounds that pretends to be an email from the adult site YouPorn, warning that a sexually explicit video of you was uploaded to the site and suggesting you pay to have it taken down.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-youporn-sextortion-scam-…
∗∗∗ Yes, theres an npm package called @(-.-)/env and some others like it ∗∗∗
---------------------------------------------
Strangely named npm packages like -, @!-!/-, @(-.-)/env, and --hepl continue to exist on the internets largest software registry. While not all of these may necessarily pose an obvious security risk, some were named before npm enforced naming guidelines and could potentially break tooling.
---------------------------------------------
https://www.bleepingcomputer.com/news/technology/yes-theres-an-npm-package-…
∗∗∗ PoC Exploit Released for Critical VMware Arias SSH Auth Bypass Vulnerability ∗∗∗
---------------------------------------------
Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight). The flaw, tracked as CVE-2023-34039, is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation.
---------------------------------------------
https://thehackernews.com/2023/09/poc-exploit-released-for-critical.html
∗∗∗ Webinar: Betrugsfallen im Internet erkennen ∗∗∗
---------------------------------------------
Wie schütze ich mich vor Internetkriminalität? Wie kann ich einen Fake Shop von einem seriösen Online-Shop unterscheiden? Wo lauern die dreistesten Abo-Fallen? Wie verschaffen sich Kriminelle Zugang zu meinen Daten? Das Webinar informiert über gängige Betrugsfallen im Internet und hilft, diese zu erkennen. Nehmen Sie kostenlos teil: Dienstag 12. September 2023, 18:30 - 20:00 Uhr via zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-betrugsfallen-im-internet-er…
∗∗∗ Neue Phishing-Mails im Namen der ÖGK und des Finanzamtes unterwegs ∗∗∗
---------------------------------------------
Aktuell sind zwei neue Phishing-Mails im Umlauf. In der einen geben sich Kriminelle als Österreichische Gesundheitskasse (ÖGK) aus und behaupten, dass Sie eine Erstattung erhalten. Im anderen Mail wird Ihnen im Namen von FinanzOnline eine Erhöhung der Rente versprochen. Beide Mails fordern Sie auf, auf einen Link zu klicken. Ignorieren Sie diese Mails. Kriminelle stehlen damit Ihre Bankdaten.
---------------------------------------------
https://www.watchlist-internet.at/news/neue-phishing-mails-im-namen-der-oeg…
∗∗∗ Decryptor für Key Group Ransomware verfügbar ∗∗∗
---------------------------------------------
Sicherheitsforscher von ElectricIQ haben in den Routinen der Key Group Ransomware eine Schwachstelle entdeckt, die es ermöglichte, Entschlüsselungs-Tools zur Wiederherstellung verschlüsselter Dateien zu entwickeln.
---------------------------------------------
https://www.borncity.com/blog/2023/09/03/decryptor-fr-key-group-ransomware-…
∗∗∗ Firmware-Updates: Surface Laptop 4 und Surface Duo ∗∗∗
---------------------------------------------
Microsoft hat zum 31. August 2023 ein Firmware-Update für seinen Surface Laptop 4 veröffentlicht, welches Sicherheitsprobleme und ein Lade-Problem beheben soll. Zudem gibt es wohl das (vermutlich) letzte Firmware-Update für das Smartphone Surface Duo.
---------------------------------------------
https://www.borncity.com/blog/2023/09/03/firmware-updates-surface-laptop-4-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Tinycontrol LAN Controller v3 (LK3) Remote Admin Password Change ∗∗∗
---------------------------------------------
The application suffers from an insecure access control allowing an unauthenticated attacker to change accounts passwords and bypass authentication gaining panel control access.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php
∗∗∗ Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC ∗∗∗
---------------------------------------------
An unauthenticated attacker can retrieve the controllers configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird), Fedora (firefox, kernel, kubernetes, and mediawiki), Mageia (openldap), SUSE (terraform), and Ubuntu (atftp, busybox, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/943492/
∗∗∗ Mattermost security updates 8.1.1 (ESR) / 8.0.2 / 7.8.10 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 8.1.1 (Extended Support Release), 8.0.2, and 7.8.10 (Extended Support Release), for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-8-1-1-esr-8-0-2-7-8…
∗∗∗ Sicherheitslücken (CVE-2023-40481, CVE-2023-31102) in 7-ZIP; Fix in Version 23.00 (August 2023) ∗∗∗
---------------------------------------------
Kurzer Nachtrag vom Ende August 2023. Im Programm 7-Zip, welches zum Packen und Entpacken von ZIP-Archivdateien eingesetzt wird, haben Sicherheitsforscher gleich zwei Schwachstellen gefunden. Die Schwachstellen CVE-2023-40481 und CVE-2023-31102 werden vom Sicherheitsaspekt als hoch riskant eingestuft [..] Beide Schwachstellen wurden am 21. November 2022 an die 7-ZIP-Entwickler gemeldet und laut der Zero-Day-Initiative vom 23. August 2023 mit einem Update der Software auf die Version 23.00 (damals noch Beta) geschlossen.
---------------------------------------------
https://www.borncity.com/blog/2023/09/03/sicherheitslcken-cve-2023-40481-cv…
∗∗∗ IBM MQ Explorer is affected by vulnerabilities in Eclipse Jetty (CVE-2023-26048, CVE-2023-26049) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027923
∗∗∗ IBM MQ is affected by a denial of service vulnerability in OpenSSL (CVE-2023-2650) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027922
∗∗∗ Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030429
∗∗∗ IBM Security Verify Information Queue has multiple information exposure vulnerabilities (CVE-2023-33833, CVE-2023-33834, CVE-2023-33835) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029584
∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to remote code execution due to IBM Java (CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030442
∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to IBM Java (CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030443
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server traditional is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030450
∗∗∗ The IBM Engineering Lifecycle Engineering product using WebSphere Application Server Liberty is vulnerable to denial of service (CVE-2023-38737) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030449
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM\u00ae SDK, Java\u2122 Technology Edition is affected by multiple vulnerabilities (CVE-2023-22045, CVE-2023-22049) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030448
∗∗∗ IBM Event Endpoint Management is vulnerable to a denial of service in Netty (CVE-2023-34462) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030456
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow CVE-2023-38737) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030458
∗∗∗ A vulnerability found in IBM WebSphere Application Server Liberty which is shipped with IBM\u00ae Intelligent Operations Center(CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030460
∗∗∗ IBM Cloud Pak for Network Automation 2.6 addresses multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030469
∗∗∗ Multiple CVEs may affect Operating System packages shipped with IBM CICS TX Advanced 10.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030462
∗∗∗ Multiple CVEs may affect Operating System packages shipped with IBM CICS TX Advanced 10.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030461
∗∗∗ IBM Cloud Pak for Network Automation 2.6.1 fixes multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030470
∗∗∗ Multiple vulnerabilities may affect IBM SDK, Java\u2122 Technology Edition for Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030463
∗∗∗ CVE-2022-40609 may affect Java Technology Edition used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030466
∗∗∗ CVE-2023-34149 may affect Apache Struts used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030464
∗∗∗ CVE-2023-34396 may affect Apache Struts used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030465
∗∗∗ IBM Java SDK update forJava deserialization filters (JEP 290) ignored during IBM ORB deserialization ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030522
∗∗∗ The Transformation Advisor Tool in IBM App Connect Enterprise is vulnerable to a denial of service due to Apache Johnzon (CVE-2023-33008) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030531
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 31-08-2023 18:00 − Freitag 01-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Monitoring aus der Cloud: Kundensysteme dank schwacher Standardpasswörter gehackt ∗∗∗
---------------------------------------------
Hacker haben offenbar aufgrund schwacher Standardpasswörter eine Ransomware auf lokalen Systemen von Logicmonitor-Kunden verbreitet.
---------------------------------------------
https://www.golem.de/news/monitoring-aus-der-cloud-kundensysteme-dank-schwa…
∗∗∗ WordPress Vulnerability & Patch Roundup August 2023 ∗∗∗
---------------------------------------------
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2023/08/wordpress-vulnerability-patch-roundup-augus…
∗∗∗ Potential Weaponizing of Honeypot Logs ∗∗∗
---------------------------------------------
Escape sequences have long been used to create ASCII art on screens and allow for customization of a user’s terminal. Because most terminals support some kind of escape sequences, it could be possible to manipulate the analyst’s terminal, and hypothetically allow for remote code execution on the analysist’s system.
---------------------------------------------
https://isc.sans.edu/diary/rss/30178
∗∗∗ MONDEO: Multistage Botnet Detection ∗∗∗
---------------------------------------------
MONDEO is a multistage mechanism with a flexible design to detect DNS-based botnet malware. MONDEO is lightweight and can be deployed without requiring the deployment of software, agents, or configuration in mobile devices, allowing easy integration in core networks. MONDEO comprises four detection stages: Blacklisting/Whitelisting, Query rate analysis, DGA analysis, and Machine learning evaluation. [..] The implementation is available at github.
---------------------------------------------
https://arxiv.org/abs/2308.16570
∗∗∗ Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd ∗∗∗
---------------------------------------------
Using the vulnerability described in this advisory an attacker may take control of an encrypted Linux computer during the early boot process, manually unlock TPM-based disk encryption and either modify or read sensitive information stored on the computer’s disk. This blog post runs through how this vulnerability was identified and exploited - no tiny soldering required.
---------------------------------------------
https://pulsesecurity.co.nz/advisories/tpm-luks-bypass
∗∗∗ BitLocker, TPM and Pluton | What Are They and How Do They Work ∗∗∗
---------------------------------------------
The optimal kind of security measure is imperceptible to the user during deployment and usage. Whenever there is a potential delay or difficulty due to a security feature, there is a high probability that users will attempt to circumvent security. This situation is particularly prevalent for data protection, and that is a scenario that organizations need to prevent.
---------------------------------------------
https://github.com/HotCakeX/Harden-Windows-Security/wiki/BitLocker,-TPM-and…
∗∗∗ NetNTLMv1 Downgrade to compromise ∗∗∗
---------------------------------------------
In this blogpost I’m going to blow your mind with some easy to understand NetNTLMv1 downgrade and relaying stuff. I will keep this blogpost simple, so that everyone can follow these steps, but I will link further resources for those who want to get the bigger picture at the end of this post.
---------------------------------------------
https://www.r-tec.net/r-tec-blog-netntlmv1-downgrade-to-compromise.html
∗∗∗ Free Decryptor Available for ‘Key Group’ Ransomware ∗∗∗
---------------------------------------------
EclecticIQ has released a free decryption tool to help victims of the Key Group ransomware recover their data without paying a ransom.
---------------------------------------------
https://www.securityweek.com/free-decryptor-available-for-key-group-ransomw…
∗∗∗ How companies can get a grip on ‘business email compromise’ ∗∗∗
---------------------------------------------
The delivery methods vary but the most exploited vector is email as a vehicle for a credential harvesting phishing campaign. Phishing, in general, has grown in scale and sophistication in recent years, with the most damaging form of phishing from a financial perspective being “business email compromise” (BEC). According to Check Point Research, credential harvesting makes up about 15% of all email-based attacks but is the most financially damaging category.
---------------------------------------------
https://blog.checkpoint.com/security/how-companies-can-get-a-grip-on-busine…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in i-PRO VI Web Client ∗∗∗
---------------------------------------------
VI Web Client provided by i-PRO Co., Ltd. contains multiple vulnerabilities. Update the software to the latest version according to the information provided by the developer. These vulnerabilities have been addressed in VI Web Client 7.9.6.
---------------------------------------------
https://jvn.jp/en/jp/JVN60140221/
∗∗∗ Tinycontrol LAN Controller v3 (LK3) Remote Denial Of Service ∗∗∗
---------------------------------------------
The controller suffers from an unauthenticated remote denial of service vulnerability. An attacker can issue direct requests to the stm.cgi page to reboot and also reset factory settings on the device.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php
∗∗∗ Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software ∗∗∗
---------------------------------------------
Autodesk AutoCAD and certain AutoCAD-based products have been affected by Out-of-Bounds Write, Heap-based Buffer Overflow, Untrusted Pointer Dereference, and Memory Corruption vulnerabilities. CVE IDs: CVE-2023-29073, CVE-2023-29074, CVE-2023-29075, CVE-2023-29076, CVE-2023-41139, CVE-2023-41140
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018
∗∗∗ Acronis: Updates dichten Sicherheitslecks in mehreren Produkten ab ∗∗∗
---------------------------------------------
Acronis hat Sicherheitsmeldungen zu insgesamt zwölf Schwachstellen in mehreren Produkten herausgegeben. Updates stehen länger bereit.
---------------------------------------------
https://heise.de/-9291446
∗∗∗ Kritische Lücke in VPN von Securepoint ∗∗∗
---------------------------------------------
Updates sollen eine kritische Sicherheitslücke in der VPN-Software von Securepoint schließen, durch die Angreifer ihre Rechte ausweiten können.
---------------------------------------------
https://heise.de/-9291723
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, and gst-plugins-ugly1.0), Fedora (firefox, libeconf, libwebsockets, mosquitto, and rust-rustls-webpki), SUSE (amazon-ssm-agent, open-vm-tools, and terraform-provider-helm), and Ubuntu (linux-azure, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp-5.15, linux-gcp-5.4, linux-oracle-5.4, linux-gkeop, linux-gkeop-5.15, linux-intel-iotg, linux-kvm, linux-oracle, and python-git).
---------------------------------------------
https://lwn.net/Articles/943302/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 30-08-2023 18:00 − Donnerstag 31-08-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature ∗∗∗
---------------------------------------------
A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud."The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques [..]
---------------------------------------------
https://thehackernews.com/2023/08/mmrat-android-trojan-executes-remote.html
∗∗∗ North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository ∗∗∗
---------------------------------------------
Three additional malicious Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors.The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro.
---------------------------------------------
https://thehackernews.com/2023/08/north-korean-hackers-deploy-new.html
∗∗∗ CISA and FBI Publish Joint Advisory on QakBot Infrastructure ∗∗∗
---------------------------------------------
CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/30/cisa-and-fbi-publish-joi…
∗∗∗ Converting Tokens to Session Cookies for Outlook Web Application ∗∗∗
---------------------------------------------
More and more organizations are adopting cloud-based solutions and federating with various identity providers. As these deployments increase in complexity, ensuring that Conditional Access Policies (CAPs) always act as expected can become a challenge. Today, we will share a technique weve been using to gain access to Outlook Web Application (OWA) in a browser by utilizing Bearer and Refresh tokens for the outlook.office365.com or outlook.office.com endpoints.
---------------------------------------------
https://labs.lares.com/owa-cap-bypass/
∗∗∗ Contain Yourself: Staying Undetected Using the Windows Container Isolation Framework ∗∗∗
---------------------------------------------
Starting with Windows Server 2016, Microsoft released its own version of this solution, Windows Containers, which offers process and Hyper-V isolation modes. The presentation covered the basics of Windows containers, broke down its file system isolation framework, reverse-engineered its main mini-filter driver, and detailed how it can be utilized and manipulated by a bad actor to bypass EDR products in multiple domains.
---------------------------------------------
https://www.deepinstinct.com/blog/contain-yourself-staying-undetected-using…
∗∗∗ NosyMonkey: API hooking and code injection made easy ∗∗∗
---------------------------------------------
As a researcher I often run into situations in which I need to make a compiled binary do things that it wouldn’t normally do or change the way it works in some way. [..] Enter, NosyMonkey: a library to inject code and place hooks that does almost everything for you. No need to write complicated ASM shellcode, or even think about allocating code, hot patching and other dirty business.
---------------------------------------------
https://www.anvilsecure.com/blog/nosymonkey.html
∗∗∗ Bypassing Defender’s LSASS dump detection and PPL protection In Go ∗∗∗
---------------------------------------------
This blog reviews the technique that can be used to bypass Protected Process Light protection for any Windows process using theProcess Explorer driver and explores methods to bypass Windows Defender’s signature-based mechanisms for process dump detection. The tool introduced in this blog (PPLBlade), is written entirely in GO and can be used as a POC for the techniques overviewed below.
---------------------------------------------
https://tastypepperoni.medium.com/bypassing-defenders-lsass-dump-detection-…
∗∗∗ Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows ∗∗∗
---------------------------------------------
In today’s post, we look at action pinning, one of the profound mitigations against supply chain attacks in the GitHub Actions ecosystem. It turns out, though, that action pinning comes with a downside — a pitfall we call "unpinnable actions" that allows attackers to execute code in GitHub Actions workflows.
---------------------------------------------
https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-githu…
∗∗∗ Trojanized Signal, Telegram apps found on Google Play, Samsung Galaxy Store ∗∗∗
---------------------------------------------
ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications [..]
---------------------------------------------
https://www.helpnetsecurity.com/2023/08/31/fake-signal-telegram-apps/
∗∗∗ Infamous Chisel Malware Analysis Report ∗∗∗
---------------------------------------------
Infamous Chisel is a collection of components targeting Android devices.This malware is associated with Sandworm activity.It performs periodic scanning of files and network information for exfiltration.System and application configuration files are exfiltrated from an infected device.
---------------------------------------------
https://www.cisa.gov/news-events/analysis-reports/ar23-243a
∗∗∗ A Deep Dive into Brute Ratel C4 payloads ∗∗∗
---------------------------------------------
Summary Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework.
---------------------------------------------
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress migration add-on flaw could lead to data breaches ∗∗∗
---------------------------------------------
All-in-One WP Migration, a popular data migration plugin for WordPress sites that has 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-migration-add-on-f…
∗∗∗ Wordpress: Cloud-Extensions für Migrationstool ermöglichen Datenklau ∗∗∗
---------------------------------------------
Die Box-, Google-Drive-, Onedrive- und Dropbox-Erweiterungen für ein weitverbreitetes Wordpress-Migrations-Plug-in sind anfällig für Datenklau.
---------------------------------------------
https://www.golem.de/news/wordpress-cloud-extensions-fuer-migrationstool-er…
∗∗∗ Drupal: Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041 ∗∗∗
---------------------------------------------
This module makes PatternLab's custom Twig functions available to Drupal theming.
The module's included examples don't sufficiently filter data.
This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-041
∗∗∗ Drupal: Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042 ∗∗∗
---------------------------------------------
This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesnt sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-042
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-243-01 ARDEREG Sistemas SCADA, CVE-2023-4485
* ICSA-23-243-02 GE Digital CIMPLICITY, CVE-2023-4487
* ICSA-23-243-03 PTC Kepware KepServerEX, CVE-2023-29444, CVE-2023-29445, CVE-2023-29446, CVE-2023-29447
* ICSA-23-243-04 Digi RealPort Protocol, CVE-2023-4299
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/31/cisa-releases-four-indus…
∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf Aruba-Switches möglich ∗∗∗
---------------------------------------------
Verschiedene Switch-Modelle von Aruba sind verwundbar. Abgesicherte Ausgaben von ArubaOS schaffen Abhilfe.
---------------------------------------------
https://heise.de/-9290375
∗∗∗ Big Data: Splunk dichtet hochriskante Lücken ab ∗∗∗
---------------------------------------------
Die Big-Data-Experten von Splunk haben aktualisierte Software bereitgestellt, die teils hochriskante Schwachstellen in der Analysesoftware ausbessert.
---------------------------------------------
https://heise.de/-9290325
∗∗∗ VMware Tools: Schwachstelle ermöglicht Angreifern unbefugte Aktionen in Gästen ∗∗∗
---------------------------------------------
VMware warnt vor einer Sicherheitslücke in VMware Tools. Sie ermöglicht eine Man-in-the-Middle-Attacke auf Gastsysteme.
---------------------------------------------
https://heise.de/-9290783
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023) ∗∗∗
---------------------------------------------
Last week, there were 43 vulnerabilities disclosed in 38 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 23 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, json-c, opendmarc, and otrs2), Red Hat (java-1.8.0-ibm and kpatch-patch), Scientific Linux (kernel), Slackware (mozilla), SUSE (haproxy, php7, vim, and xen), and Ubuntu (elfutils, frr, and linux-gcp, linux-starfive).
---------------------------------------------
https://lwn.net/Articles/943192/
∗∗∗ Mozilla Releases Security Updates for Firefox and Firefox ESR ∗∗∗
---------------------------------------------
Mozilla has released security updates to address vulnerabilities for Firefox 117, Firefox ESR 115.2, and Firefox ESR 102.15. A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/30/mozilla-releases-securit…
∗∗∗ Weitere Windows-Rechteausweitung über Razer Synapse (SYSS-2023-002) ∗∗∗
---------------------------------------------
In Razer Synapse kann über eine Time-of-check Time-of-use Race Condition die Überprüfung fremder Bibliotheken durch den Dienst überlistet werden.
---------------------------------------------
https://www.syss.de/pentest-blog/weitere-windows-rechteausweitung-ueber-raz…
∗∗∗ Cisco Unified Communications Products Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Multiple vulnerabilities in IBM Storage Defender Data Protect ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029861
∗∗∗ Security Vulnerability in the IBM Java Runtime Environment (JRE) affect the 3592 Enterprise Tape Controller ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/691223
∗∗∗ Vulnerability in SSLv3 affects IBM System Storage Tape Controller 3592 Model C07 (CVE-2014-3566) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690117
∗∗∗ IBM Java Runtime (JRE) security vulnerabilities CVE-2022-21426 in FileNet Content Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983442
∗∗∗ Security vulnerability in IBM Java Object Request Broker (ORB) in FileNet Content Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027874
∗∗∗ IBM Java Runtime (JRE) security vulnerabilities CVE-2023-21830, CVE-2023-21843 in FileNet Content Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983440
∗∗∗ Multiple Security vulnerabilities in IBM Java in FileNet Content Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001699
∗∗∗ IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029864
∗∗∗ TADDM affected by vulnerability due to IBM Java and its runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029984
∗∗∗ Due to use of Mozilla Firefox, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029986
∗∗∗ Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are used in IBM Security Guardium Key Lifecycle Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7006475
∗∗∗ A vulnerability in Microsoft ASP.NET affects IBM Robotic Process Automation and may result in a denial of service (CVE-2022-29117) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029527
∗∗∗ A vulnerability in Microsoft Azure SDK for .NET affects IBM Robotic Process Automation and could allow a remote authenticated attacker to obtain sensitive information (CVE-2022-26907). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029524
∗∗∗ Multiple security vulnerabilities affect IBM Robotic Process Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7026754
∗∗∗ A vulnerability in MicrosoftAspNetCore.Identity affects IBM Robotic Process Automation and may result in allowing an attacker to bypass secrity restrictions (CVE-2023-33170). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029540
∗∗∗ Multiple security vulnerabilities in Java affect IBM Robotic Process Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7026758
∗∗∗ IBM Security Guardium is affected by an Hazardous Input Validation vulnerability (CVE-2022-43903) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030110
∗∗∗ IBM MQ is affected by OpenSSL vulnerability (CVE-2023-2650) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030100
∗∗∗ IBM MQ is affected by a sensitive information disclosure vulnerability (CVE-2023-28514) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030101
∗∗∗ IBM MQ is affected by a denial of service vulnerability (CVE-2023-28513) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030102
∗∗∗ IBM MQ is vulnerable to a denial of service attack (CVE-2023-26285) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030103
∗∗∗ IBM Edge Application Manager 4.5.2 addresses the security vulnerabilities listed in the CVEs below. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030159
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 29-08-2023 18:00 − Mittwoch 30-08-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Border Gateway Protocol: Der Klebstoff des Internets hat eine Schwachstelle ∗∗∗
---------------------------------------------
Durch eine neu entdeckte Schwachstelle im Border Gateway Protocol können Angreifer potenziell Teile des Internets abschotten.
---------------------------------------------
https://www.golem.de/news/border-gateway-protocol-der-klebstoff-des-interne…
∗∗∗ Kritische Sicherheitslücke in VMware Aria Operations for Networks ∗∗∗
---------------------------------------------
VMware schließt Sicherheitslücken in Aria Operations for Networks. Eine gilt als kritisch und erlaubt den Zugriff ohne Anmeldung.
---------------------------------------------
https://heise.de/-9288934
∗∗∗ Botnet: Internationale Strafverfolger deinstallieren 700.000 Qakbot-Drohnen ∗∗∗
---------------------------------------------
Zusammen mit internationalen Strafverfolgern hat das FBI das Qakbot-Botnetz vorerst außer Gefecht gesetzt. Von 700.000 Systemen entfernten sie die Malware.
---------------------------------------------
https://heise.de/-9289070
∗∗∗ Cisco warnt vor Ransomware-Angriffen auf VPNs ohne Mehrfaktorauthentifizierung ∗∗∗
---------------------------------------------
Cisco warnt vor Angriffen mit der Akira-Ransomware, die auf VPNs des Herstellers zielt. Bei nicht genutzter Mehrfaktorauthentifizierung gelingen Einbrüche.
---------------------------------------------
https://heise.de/-9289242
∗∗∗ Vorsicht vor Jobs auf zalandoovip.vip und remote-rpo-at.com! ∗∗∗
---------------------------------------------
Auf remote-rpo-at.com wird Ihnen ein lukratives Job-Angebot präsentiert. „Seien Sie Ihr Eigener Chef Und Verdienen Sie Bis zu €1260 Pro Woche!“, heißt es da auf der Startseite. Sie sollen im weiteren Verlauf auf der betrügerischen Website zalandoovip.vip für Zalando Produktbewertungen abgeben und so angeblich Verkäufe steigern. Sobald Sie Ihr verdientes Geld auszahlen lassen wollen, folgt die böse Überraschung: [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-jobs-auf-zalandoovipvip…
∗∗∗ Tausende Organisationen verwundbar auf Subdomain Hijacking ∗∗∗
---------------------------------------------
Subdomain-Hijacking stellt ein besorgniserregendes Szenario dar, bei dem Angreifer die Kontrolle über Websites übernehmen, die auf Subdomains seriöser Organisationen gehostet werden. Dies ermöglicht Angreifern zum Beispiel die Verbreitung von Schadsoftware und Desinformationen oder die Durchführung Phishing-Angriffen.
---------------------------------------------
https://certitude.consulting/blog/de/subdomain-hijacking-2/
∗∗∗ Trojanized Signal and Telegram apps on Google Play delivered spyware ∗∗∗
---------------------------------------------
Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trojanized-signal-and-telegr…
∗∗∗ Getting into AWS cloud security research as a n00bcake ∗∗∗
---------------------------------------------
Today, AWS security research can feel impenetrable, like understanding the latest meme that’s already gone through three ironic revivals. But if I’m being honest, I might suggest AWS security research is far more accessible than the other insane research in our industry. That’s why I attempt it. I’m just too dumb to write shellcode or disassemble a binary. So don’t be scared, let’s do it together!
---------------------------------------------
https://dagrz.com/writing/aws-security/getting-into-aws-security-research/
∗∗∗ CISA Releases IOCs Associated with Malicious Barracuda Activity ∗∗∗
---------------------------------------------
CISA has released additional indicators of compromise (IOCs) associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/29/cisa-releases-iocs-assoc…
∗∗∗ Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) ∗∗∗
---------------------------------------------
On June 15, 2023, Mandiant released a blog post detailing an 8-month-long global espionage campaign conducted by a Chinese-nexus threat group tracked as UNC4841. In this follow-up blog post, we will detail additional tactics, techniques, and procedures (TTPs) employed by UNC4841 that have since been uncovered through Mandiant’s incident response engagements, as well as through collaborative efforts with Barracuda Networks and our International Government partners. Over the course of this
---------------------------------------------
https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-rem…
∗∗∗ Pay our ransom instead of a GDPR fine, cybercrime gang tells its targets ∗∗∗
---------------------------------------------
Researchers are tracking a new cybercrime group that uses a never-seen-before extortion tactic. The gang, which operates through a blog called Ransomed, tells victims that if they don’t pay to protect stolen files, they will face fines under data protection laws like the EU’s GDPR, according to a new report by cybersecurity firm Flashpoint.
---------------------------------------------
https://therecord.media/ransomed-cybercrime-group-extortion-gdpr
=====================
= Vulnerabilities =
=====================
∗∗∗ Netgear: Security Advisory for Post-authentication Command Injection on the Prosafe® Network Management System, PSV-2023-0037 ∗∗∗
---------------------------------------------
NETGEAR is aware of a post-authentication command injection security vulnerability on NMS300 and strongly recommends that you download the latest version of NMS300 as soon as possible.
---------------------------------------------
https://kb.netgear.com/000065705/Security-Advisory-for-Post-authentication-…
∗∗∗ Netgear: Security Advisory for Authentication Bypass on the RBR760, PSV-2023-0052 ∗∗∗
---------------------------------------------
NETGEAR is aware of an authentication bypass security vulnerability on the RBR760. This vulnerability requires an attacker to have your WiFi password or an Ethernet connection to a device on your network to be exploited.
---------------------------------------------
https://kb.netgear.com/000065734/Security-Advisory-for-Authentication-Bypas…
∗∗∗ Webbrowser: Google-Chrome-Update stopft hochriskante Sicherheitslücke ∗∗∗
---------------------------------------------
Google bessert im Webbrowser Chrome eine als hochriskant eingestufte Schwachstelle aus.
---------------------------------------------
https://heise.de/-9288903
∗∗∗ Entwickler von Notepad++ ignoriert offensichtlich Sicherheitslücken ∗∗∗
---------------------------------------------
Mehrere Sicherheitslücken gefährden den Texteditor Notepad++. Trotz Informationen zu den Lücken und möglichen Fixes steht ein Sicherheitsupdate noch aus.
---------------------------------------------
https://heise.de/-9289124
∗∗∗ VMSA-2023-0018 ∗∗∗
---------------------------------------------
Synopsis: VMware Aria Operations for Networks updates address multiple vulnerabilities.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0018.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (qpdf, ring, and tryton-server), Fedora (mingw-qt5-qtbase and moby-engine), Red Hat (cups, kernel, kernel-rt, kpatch-patch, librsvg2, and virt:rhel and virt-devel:rhel), and Ubuntu (amd64-microcode, firefox, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-hwe-6.2, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-bluefield, linux-ibm, linux-oem-6.1, and openjdk-lts, openjdk-17).
---------------------------------------------
https://lwn.net/Articles/943087/
∗∗∗ Remote Code Execution in RTS VLink Virtual Matrix ∗∗∗
---------------------------------------------
BOSCH-SA-893251-BT: A security vulnerability has been uncovered in the admin interface of the RTS VLink Virtual Matrix Software. The vulnerability will allow a Remote Code Execution (RCE) attack.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-893251-bt.html
∗∗∗ 2023-08-29 Out-of-Cycle Security Bulletin: Junos OS and Junos OS Evolved: A crafted BGP UPDATE message allows a remote attacker to de-peer (reset) BGP sessions (CVE-2023-4481) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-08-29-Out-of-Cycle-Securit…
∗∗∗ [R1] Nessus Version 10.6.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-29
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 28-08-2023 18:00 − Dienstag 29-08-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Malware loader lowdown: The big 3 responsible for 80% of attacks so far this year ∗∗∗
---------------------------------------------
Three malware loaders — QBot, SocGholish, and Raspberry Robin — are responsible for 80 percent of observed attacks on computers and networks so far this year.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/08/28/top_malware_…
∗∗∗ Leaking File Contents with a Blind File Oracle in Flarum ∗∗∗
---------------------------------------------
Flarum is a free, open source PHP-based forum software used for everything from gaming hobbyist sites to cryptocurrency discussion. [..] Through our research we were able to leak the contents of arbitrary local files in Flarum through a blind oracle, and conduct blind SSRF attacks with only a basic user account.
---------------------------------------------
https://blog.assetnote.io/2023/08/28/leaking-file-contents-with-a-blind-fil…
∗∗∗ Compromised OpenCart Payment Module Steals Credit Card Information ∗∗∗
---------------------------------------------
It seems that the attackers had manually modified one of the key files responsible for the processing of payment information on their OpenCart website; this is very similar to another credit card skimmer that we recently wrote about.
---------------------------------------------
https://blog.sucuri.net/2023/08/opencart-payment-module-steals-credit-card-…
∗∗∗ Jetzt patchen! Exploitcode legt Attacken auf Juniper-Firewalls nahe ∗∗∗
---------------------------------------------
Sicherheitsforscher haben Schwachstellen in Juniper Firewalls und Switches dokumentiert. Das können Angreifer nun missbrauchen.
---------------------------------------------
https://heise.de/-9287740
∗∗∗ Zoho ManageEngine: Schwachstelle erlaubt Umgehen von Mehrfaktorauthentifizierung ∗∗∗
---------------------------------------------
Zahlreiche ManageEninge-Produkte von Zoho sind von Schwachstellen betroffen, die die Umgehung der Mehrfaktorauthentifizierung (MFA) ermöglichen. Während aktualisierte Softwarepakete offenbar seit Ende Juni bereitstehen, wurde erst jetzt die CVE-Meldung dazu bekannt.
---------------------------------------------
https://heise.de/-9287917
∗∗∗ MalDoc in PDF: Japanisches CERT warnt vor in PDFs versteckten Malware-Dokumenten ∗∗∗
---------------------------------------------
Cyberkriminelle finden immer neue Wege, Malware vor der Erkennung zu verstecken. Das japanische CERT hat jetzt bösartige Word-Dokumente in PDFs gefunden.
---------------------------------------------
https://heise.de/-9288262
∗∗∗ Gefälschte Beschwerdemails an Hotels führen zu Schadsoftware ∗∗∗
---------------------------------------------
Derzeit kursieren gefälschte E-Mails mit angeblichen Gästebeschwerden. Bisher sind uns zwei Versionen bekannt. In einem E-Mail beklagt sich ein vermeintlicher Gast über die Sauberkeit der Zimmer, in einer anderen Version, wirft man dem Personal vor, Wertgegenstände aus dem Zimmer gestohlen zu haben. Als Beweis finden Sie im E-Mail einen Link zu Fotos. Wir vermuten Schadsoftware, klicken Sie nicht auf den Link!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-beschwerdemails-an-hotel…
∗∗∗ Ungefixter Skype-Bug ermöglicht Angreifern die IP-Adresse der Opfer abzufragen (August 2023) ∗∗∗
---------------------------------------------
Ein Sicherheitsforscher ist auf eine Möglichkeit gestoßen, die IP-Adresse eines Skype-Benutzers zu ermitteln, ohne dass die Zielperson überhaupt auf einen Link klicken muss.
---------------------------------------------
https://www.borncity.com/blog/2023/08/29/ungefixter-skype-bug-ermglicht-ang…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Vulnerabilities found in Techview LA-5570 Wireless Gateway Home Automation Controller ∗∗∗
---------------------------------------------
The Security Team at [exploitsecurity.io] uncovered multiple vulnerabilities in the Techview LA-5570 Wireless Home Automation Controller [Firmware Version 1.0.19_T53]. These vulnerabilities can be used to to gain full control of the affected device. CVE IDs: CVE-2023-34723, CVE-2023-34724, CVE-2023-34725
---------------------------------------------
https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-…
∗∗∗ Webbrowser: Firefox 117, ESR 115.2 und ESR 102.15 dichten Sicherheitslecks ab ∗∗∗
---------------------------------------------
Die Mozilla-Entwickler haben die Firefox-Versionen 117, ESR 115.2 und ESR 102.15 herausgegeben, die mehrere teils hochriskante Sicherheitslücken schließen.
---------------------------------------------
https://heise.de/-9288483
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (flask-security and opendmarc), Fedora (qemu), Oracle (rust and rust-toolset:ol8), Red Hat (cups and libxml2), Scientific Linux (cups), SUSE (ca-certificates-mozilla, chromium, clamav, freetype2, haproxy, nodejs12, procps, and vim), and Ubuntu (faad2, json-c, libqb, linux, linux-aws, linux-lts-xenial, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, and linux-gke, linux-ibm-5.4).
---------------------------------------------
https://lwn.net/Articles/943006/
∗∗∗ Unauthenticated OS Command Injection im Patton SN200 VoIP-Gateway (SYSS-2023-019) ∗∗∗
---------------------------------------------
Durch verschiedene Schwachstellen können unangemeldete Angreifende Sytembefehle auf dem Patton SN200 VoIP-Gateway ausführen.
---------------------------------------------
https://www.syss.de/pentest-blog/unauthenticated-os-command-injection-im-pa…
∗∗∗ Festo Didactic: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-040/
∗∗∗ Reflected Cross-Site Scripting (XSS) Schwachstelle in Codebeamer (ALM Solution) von PTC ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/reflected-cross-site-…
∗∗∗ IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in scikit-learn ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029479
∗∗∗ A CVE-2023-21967 vulnerability in IBM Java Runtime affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029615
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM SDK, Java Technology Edition Quarterly CPU - Apr 2023 - Includes Oracle April 2023 CPU is vulnerable to (CVE-2023-2597) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029634
∗∗∗ IBM Event Streams is vulnerable to denial of service attacks due to snappy-java (CVE-2023-34453, CVE-2023-34455, CVE-2023-34454) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029640
∗∗∗ IBM Event Streams is vulnerable to a denial of service attack due to Golang Go (CVE-2023-29409) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029639
∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to code injection and privilege escalation due to multiple vulnerabilities in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029646
∗∗∗ Operations Dashboard is vulnerable to remote code execution, privilege escalation, and denial of service due to multiple Go vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029648
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029656
∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029662
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 25-08-2023 18:00 − Montag 28-08-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Update korrigiert Verschlüsselung von Qnap-Betriebssystemen ∗∗∗
---------------------------------------------
Qnap hat aktualisierte Versionen der QTS- und QuTS hero-Betriebssysteme veröffentlicht. Sie korrigieren unter anderem zu schwache Verschlüsselung.
---------------------------------------------
https://heise.de/-9286394
∗∗∗ Stalker-Malware: Whiffy Recon schnüffelt Standort alle 60 Sekunden aus ∗∗∗
---------------------------------------------
Eine Malware namens Whiffy Recon überprüft alle 60 Sekunden den Standort des infizierten Geräts. Es bleibt unklar, wozu.
---------------------------------------------
https://heise.de/-9286754
∗∗∗ Auch Antivirensoftware: Winrar-Schwachstelle betrifft womöglich weitere Programme ∗∗∗
---------------------------------------------
Nachtrag vom 28. August 2023, 17:28 Uhr: Herr Marx wies die Redaktion im Nachhinein darauf hin, dass eine mögliche Ausnutzung von CVE-2023-40477 für die einzelnen Anwendungen individuell beurteilt werden muss. Nicht jedes Programm, das die gefährdete DLL verwendet, macht automatisch Gebrauch von dem problematischen Code.
---------------------------------------------
https://www.golem.de/news/auch-antivirensoftware-winrar-schwachstelle-betri…
∗∗∗ Duolingo: Leck mit 2,6 Millionen Nutzerdatensätze, Prüfung auf Have I been Pwned möglich ∗∗∗
---------------------------------------------
Bei der Sprachlern-App Duolingo bzw. bei deren Anbieter ermöglichten Schwachstellen Benutzerdaten abzuziehen. Jetzt hat Troy Hunt einen Datensatz mit den Informationen zu 2,6 Millionen Duolingo Nutzern in seine Plattform Have I been Pwned integriert.
---------------------------------------------
https://www.borncity.com/blog/2023/08/24/duolingo-leck-mit-26-millionen-nut…
∗∗∗ Antworten von Microsoft zum Hack der Microsoft Azure-Cloud durch Storm-0588 – Teil 1 ∗∗∗
---------------------------------------------
Ich hatte nach dem Hack der Microsoft Azure Cloud-Infrastruktur durch die mutmaßlich chinesische Gruppe Storm-0588 bei Microsoft Irland konkret nachgefragt, ob persönliche Daten eines meiner Microsoft Konten betroffen seien. Und ich hatte an den Bundesdatenschutzbeauftragten (BfDI), Ulrich Kelber, [...]
---------------------------------------------
https://www.borncity.com/blog/2023/08/26/antworten-von-microsoft-zum-hack-d…
∗∗∗ Antworten des Bundesdatenschutzbeauftragten, Ulrich Kelber, zum Hack der Microsoft Azure-Cloud durch Storm-0588 – Teil 2 ∗∗∗
---------------------------------------------
In Teil 1 dieser Artikelreihe hatte die die Antworten Microsofts auf meine konkreten Fragen zum Hack der Microsoft Azure Cloud-Infrastruktur durch die mutmaßlich chinesische Gruppe Storm-0588 wiedergegeben. Ich hatte aber auch einige Fragen an die Presseabteilung des Bundesdatenschutzbeauftragten (BfDI) [...]
---------------------------------------------
https://www.borncity.com/blog/2023/08/26/antworten-des-bundesdatenschutzbea…
∗∗∗ PoC for no-auth RCE on Juniper firewalls released ∗∗∗
---------------------------------------------
Researchers have released additional details about the recently patched four vulnerabilities affecting Juniper Networks’ SRX firewalls and EX switches that could allow remote code execution (RCE), as well as a proof-of-concept (PoC) exploit.
---------------------------------------------
https://www.helpnetsecurity.com/2023/08/28/poc-rce-juniper-firewalls/
∗∗∗ Beware the Azure Guest User: How to Detect When a Guest User Account Is Being Exploited ∗∗∗
---------------------------------------------
In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. Often, little effort is invested in keeping guest users safe. However, this could prove to be a costly mistake. It’s actually very important to monitor the third-party applications and identities that have access to your environment, [...]
---------------------------------------------
https://orca.security/resources/blog/detect-guest-user-account-exploited/
∗∗∗ Reply URL Flaw Allowed Unauthorized MS Power Platform API Access ∗∗∗
---------------------------------------------
Cybersecurity experts from Secureworks have revealed a critical vulnerability within Microsoft’s Power Platform, now known as Entra ID. The vulnerability, discovered early this year, involved an abandoned reply URL within the Azure Active Directory (AD) environment, granting unauthorized access to elevated permissions and control within an organization.
---------------------------------------------
https://www.hackread.com/reply-url-flaw-ms-power-platform-api-access/
∗∗∗ KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities ∗∗∗
---------------------------------------------
An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. "The binary now includes support for Telnet scanning and support for more CPU architectures," Akamai security researcher Larry W. Cashdollar said in an analysis published this month.
---------------------------------------------
https://thehackernews.com/2023/08/kmsdbot-malware-gets-upgrade-now.html
=====================
= Vulnerabilities =
=====================
∗∗∗ D-Link DAP-2622: Various Security Vulnerabilities Reported ∗∗∗
---------------------------------------------
Affected Models: DAP-2622
Hardware Revision: All A Series Hardware Revisions
Region: Non-US/CA
Affected FW: v1.00 & Below
Fixed FW: v1.10B03R022 Beta-Hotfix
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ Busybox cpio directory traversal vulnerability (CVE-2023-39810) ∗∗∗
---------------------------------------------
When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this.
---------------------------------------------
https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerabi…
∗∗∗ Sicherheitsupdates: Drupal-Plug-ins mit Schadcode-Lücken ∗∗∗
---------------------------------------------
Wenn bestimmte Plug-ins zum Einsatz kommen, sind mit dem CMS Drupal erstellte Websites attackierbar.
---------------------------------------------
https://heise.de/-9286388
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, clamav, librsvg, rar, and unrar-nonfree), Fedora (caddy, chromium, and xen), and SUSE (ca-certificates-mozilla, gawk, ghostscript, java-1_8_0-ibm, java-1_8_0-openjdk, php7, qemu, and xen).
---------------------------------------------
https://lwn.net/Articles/942922/
∗∗∗ Sicherheitsschwachstellen im tef-Händlerportal (SYSS-2023-020/-021) ∗∗∗
---------------------------------------------
Im tef-Händlerportal kann über eine Persistent Cross-Site Scripting-Schwachstelle beliebiger Code im Kontext des Benutzers ausgeführt werden.
---------------------------------------------
https://www.syss.de/pentest-blog/sicherheitsschwachstellen-im-tef-haendlerp…
∗∗∗ VU#757109: Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/757109
∗∗∗ Vulnerabilities in IBM Java Runtime affect z/Transaction Processing Facility ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028975
∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to arbitrary code execution due to an unsafe deserialization flaw (CVE-2022-40609). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029160
∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from systemd, libcap, openssl-libs, libxml2, go-toolset, and prometheus-operator ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029356
∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029359
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029364
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-32342] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029362
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029361
∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - July 2023 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029360
∗∗∗ GNU C library (glibc) vulnerability affects (CVE-2015-7547) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650093
∗∗∗ ISC DHCP vulnerability affects TS4500 Tape Library (CVE-2018-5732) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650877
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 24-08-2023 18:00 − Freitag 25-08-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Auch Antivirensoftware: Winrar-Schwachstelle betrifft Hunderte weitere Programme ∗∗∗
---------------------------------------------
Nicht nur alte Winrar-Versionen sind für eine jüngst gepatchte Sicherheitslücke anfällig, sondern auch zahlreiche weitere Anwendungen.
---------------------------------------------
https://www.golem.de/news/auch-antivirensoftware-winrar-schwachstelle-betri…
∗∗∗ FBI-Warnung: Barracuda ESG-Appliances noch immer bedroht, umgehend entfernen ∗∗∗
---------------------------------------------
Das FBI warnt vor den Barracuda-ESG-Schwachstellen, die Ende Mai bekannt wurden. Es geht davon aus, dass alle Geräte kompromittiert seien.
---------------------------------------------
https://heise.de/-9284695
∗∗∗ „Mammutjagd“ auf Online-Marktplätze ∗∗∗
---------------------------------------------
Mit dem Toolset "Telekopye" können auch technisch wenig versierte Hacker auf Online-Marktplätzen Jagd auf ahnungslose Käufer – im Gauner-Slang "Mammut" - machen.
---------------------------------------------
https://www.zdnet.de/88411400/mammutjagd-auf-online-marktplaetze/
∗∗∗ Jupiter X Core WordPress plugin could let hackers hijack sites ∗∗∗
---------------------------------------------
Two vulnerabilities affecting some version of Jupiter X Core, a premium plugin for setting up WordPress and WooCommerce websites, allow hijacking accounts and uploading files without authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/jupiter-x-core-wordpress-plu…
∗∗∗ Python Malware Using Postgresql for C2 Communications, (Fri, Aug 25th) ∗∗∗
---------------------------------------------
For modern malware, having access to its C2 (Command and control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common because HTTP is allowed on most networks...
---------------------------------------------
https://isc.sans.edu/diary/rss/30158
∗∗∗ Playing Dominos with Moodles Security (1/2) ∗∗∗
---------------------------------------------
This is the first blog in a two-part series where we will present our findings on a Moodle security audit we conducted. We were drawn to researching the security aspect of the framework due to its popularity, with the goal of contributing to a safer internet. In this first article, we demonstrate how an unauthenticated attacker can leverage a vulnerability with a supposedly low impact to gain full control over the Moodle instance.
---------------------------------------------
https://www.sonarsource.com/blog/playing-dominos-with-moodles-security-1/
∗∗∗ A broken marriage. Abusing mixed vendor Kerberos stacks ∗∗∗
---------------------------------------------
*nix based servers and services can be joined to Active Directory networks in the same way as their Windows counterparts. This is usually facilitated through the MIT or Heimdal Kerberos stacks. Kerberos is designed as an authentication-based protocol therefore authorisation decisions are implemented independently to the Kerberos protocol itself. Due to this, different vendor stacks behave differently on how authorisation decisions are made.
---------------------------------------------
https://www.pentestpartners.com/security-blog/a-broken-marriage-abusing-mix…
∗∗∗ A Beginner’s Guide to Adversary Emulation with Caldera ∗∗∗
---------------------------------------------
The target audience for this blog post is individuals who have a basic understanding of cybersecurity concepts and terminology and looking to expand their knowledge on adversary emulation. This post delves into the details of adversary emulation with the Caldera framework exploring the benefits it offers.
---------------------------------------------
https://blog.nviso.eu/2023/08/25/a-beginners-guide-to-adversary-emulation-w…
∗∗∗ Analysis of MS-SQL Server Proxyjacking Cases ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered cases of proxyjacking targeting poorly managed MS-SQL servers. Publicly accessible MS-SQL servers with simple passwords are one of the main attack vectors used when targeting Windows systems. Typically, threat actors target poorly managed MS-SQL servers and attempt to gain access through brute force or dictionary attacks. If successful, they install malware on the infected system.
---------------------------------------------
https://asec.ahnlab.com/en/56350/
∗∗∗ Stories from the SOC - Unveiling the stealthy tactics of Aukill malware ∗∗∗
---------------------------------------------
On April 21st, 2023, AT&T Managed Extended Detection and Response (Managed XDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the clients print server to disable the servers installed endpoint detection and response (EDR) solution by brute-forcing an administrator account and downgrading a driver to a vulnerable version.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so…
=====================
= Vulnerabilities =
=====================
∗∗∗ Maxon Cinema 4D SKP File Parsing vulnerabilities ∗∗∗
---------------------------------------------
CVSS Score: 7.8
CVE-2023-40482, CVE-2023-40483, CVE-2023-40486, CVE-2023-40485, CVE-2023-40484, CVE-2023-40488, CVE-2023-4049[0], CVE-2023-40491, CVE-2023-40487, CVE-2023-40489
Mitigation: Given the nature of the [vulnerabilities], the only salient mitigation strategy is to restrict interaction with the application.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ (0Day) LG Simple Editor vulnerabilities ∗∗∗
---------------------------------------------
CVSS Scores: 6.5-9.8
CVE-2023-40502, CVE-2023-40513, CVE-2023-40514, CVE-2023-40515, CVE-2023-40492, CVE-2023-40493, CVE-2023-40494, CVE-2023-40495, CVE-2023-40496, CVE-2023-40497, CVE-2023-40498, CVE-2023-40499, CVE-2023-40500, CVE-2023-40503, CVE-2023-40503, CVE-2023-40504, CVE-2023-40505, CVE-2023-40506, CVE-2023-40507, CVE-2023-40508, CVE-2023-40509, CVE-2023-40510, CVE-2023-40511, CVE-2023-40512, CVE-2023-40501, CVE-2023-40516
[...] they do not have plans to fix the [vulnerabilities]
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ (0Day) LG SuperSign Media Editor vulnerabilities ∗∗∗
---------------------------------------------
CVSS Scores: 5.3-7.5
CVE-2023-40517, CVE-2023-41181
The vendor states that they do not have plans to fix the [vulnerabilities] now or in the future. [...] Given the nature of the [vulnerabilities], the only salient mitigation strategy is to restrict interaction with the application.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ QNap: [Vulnerabilities] in QTS and QuTS hero ∗∗∗
---------------------------------------------
CVE-2023-34971, CVE-2023-34973, CVE-2023-34972
Affected products: QTS 5.1.0, 5.0.1, 4.5.4; QuTS hero h5.1.0, h4.5.4
We have already fixed the [vulnerabilities] in the following operating system versions: * QTS 5.1.0.2444 build 20230629 and later * QTS 5.0.1.2425 build 20230609 and later * QTS 4.5.4.2467 build 20230718 and later * QuTS hero h5.1.0.2424 build 20230609 and later * QuTS hero h4.5.4.2476 build 20230728 and later
---------------------------------------------
https://www.qnap.com/en-us/security-advisories?ref=security_advisory_details
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tryton-server), Fedora (youtube-dl), SUSE (clamav and krb5), and Ubuntu (cjose and fastdds).
---------------------------------------------
https://lwn.net/Articles/942766/
∗∗∗ ZDI-23-1224: LG LED Assistant updateFile Directory Traversal Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-1224/
∗∗∗ ZDI-23-1223: LG LED Assistant thumbnail Directory Traversal Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-1223/
∗∗∗ ZDI-23-1222: LG LED Assistant setThumbnailRc Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-1222/
∗∗∗ ZDI-23-1221: LG LED Assistant upload Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-1221/
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028506
∗∗∗ ISC BIND on IBM i is vulnerable to denial of service due to a memory usage flaw (CVE-2023-2828) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7017974
∗∗∗ Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21541, CVE-2022-21540) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028934
∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2023-26115] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028936
∗∗∗ IBM Spectrum Copy Data Management uses weaker than expected cryptographic algorithms ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028841
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily