=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-06-2023 18:00 − Friday 09-06-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Replace Barracuda Email Security Gateway Appliance (ESG) immediately! ∗∗∗
---------------------------------------------
One more short topic that was left lying because of the public holiday. The vendor Barracuda is urging administrators of its Email Security Gateway Appliance (ESG) to replace the devices immediately. The background is a vulnerability in the ESG models that was supposed to have been patched at the end of May 2025. The patch does not appear to be effective, however, and the vendor is calling for the appliances to be replaced.
---------------------------------------------
https://www.borncity.com/blog/2023/06/08/barracuda-email-security-gateway-a…
∗∗∗ CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances ∗∗∗
---------------------------------------------
Rapid7 incident response teams are investigating exploitation of physical Barracuda Networks Email Security Gateway (ESG) appliances.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-comprom…
∗∗∗ Royal ransomware gang adds BlackSuit encryptor to their arsenal ∗∗∗
---------------------------------------------
The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation's usual encryptor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/royal-ransomware-gang-adds-b…
∗∗∗ Detecting and mitigating a multi-stage AiTM phishing and BEC campaign ∗∗∗
---------------------------------------------
Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days. This attack originated from a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations for financial fraud, and did not use a reverse proxy like typical AiTM attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-miti…
∗∗∗ Undetected PowerShell Backdoor Disguised as a Profile File, (Fri, Jun 9th) ∗∗∗
---------------------------------------------
PowerShell remains an excellent way to compromise computers. Many PowerShell scripts found in the wild are usually obfuscated. Most of the time, this helps to have the script detected by fewer antivirus vendors. Yesterday, I found a script that scored 0/59 on VT! Let's have a look at it.
---------------------------------------------
https://isc.sans.edu/diary/rss/29930
∗∗∗ Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021 ∗∗∗
---------------------------------------------
On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). [...] Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021.
---------------------------------------------
https://www.kroll.com/en/insights/publications/cyber/clop-ransomware-moveit…
∗∗∗ MSSQL linked servers: abusing ADSI for password retrieval ∗∗∗
---------------------------------------------
When we talk about Microsoft SQL Server linked servers, we usually think of links to other SQL Server instances. However, this is only one of the multiple available options, so today we are going to delve into the Active Directory Service Interfaces (ADSI) provider, which allows querying the AD using the LDAP protocol.
---------------------------------------------
https://www.tarlogic.com/blog/linked-servers-adsi-passwords/
∗∗∗ Cisco security updates: attackers could change the passwords of arbitrary users ∗∗∗
---------------------------------------------
Among others, Cisco Expressway Series and Adaptive Security Appliance are vulnerable. Admins should update the software.
---------------------------------------------
https://heise.de/-9180829
∗∗∗ Minecraft modification packages infected with Fractureiser malware ∗∗∗
---------------------------------------------
Minecraft players beware: infected modifications have appeared on the legitimate portals Bukkit and CurseForge.
---------------------------------------------
https://heise.de/-9182068
∗∗∗ Malicious code attacks on VMware's network monitoring solution possible ∗∗∗
---------------------------------------------
There is an important security update for VMware Aria Operations for Networks. Admins should act promptly.
---------------------------------------------
https://heise.de/-9181036
∗∗∗ Android viruses: cunningly hidden from users ∗∗∗
---------------------------------------------
While testing a protection component, Bitdefender's virus analysts came across Android malware that hides itself cunningly on the smartphone.
---------------------------------------------
https://heise.de/-9182008
∗∗∗ Asylum Ambuscade: crimeware or cyberespionage? ∗∗∗
---------------------------------------------
A strange case of a threat actor on the border between crimeware and cyberespionage.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/06/08/asylum-ambuscade-crimewar…
∗∗∗ SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint ∗∗∗
---------------------------------------------
A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.
---------------------------------------------
https://www.securityweek.com/saas-ransomware-attack-hit-sharepoint-online-w…
∗∗∗ Shodan Verified Vulns 2023-06-01 ∗∗∗
---------------------------------------------
As of 2023-06-01, Shodan sees the following vulnerabilities in Austria: [...] This month, too, a decline is recorded for almost all entries. The only comparatively larger exception is the vulnerability CVE-2015-2080 (Jetleak).
---------------------------------------------
https://cert.at/de/aktuelles/2023/6/shodan-verified-vulns-2023-06-01
∗∗∗ Adventures in Disclosure: When Reporting Bugs Goes Wrong ∗∗∗
---------------------------------------------
The Zero Day Initiative (ZDI) is the world’s largest vendor-agnostic bug bounty program. That means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc. We don’t buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan. Why Disclose at All? This is a fine place to start.
---------------------------------------------
https://www.thezdi.com/blog/2023/6/7/adventures-in-disclosure-when-reportin…
∗∗∗ May 2023’s Most Wanted Malware: New Version of Guloader Delivers Encrypted Cloud-Based Payloads ∗∗∗
---------------------------------------------
Check Point Research reported on a new version of shellcode-based downloader GuLoader featuring fully encrypted payloads for cloud-based delivery. Our latest Global Threat Index for May 2023 saw researchers report on a new version of shellcode-based downloader GuLoader, which was the fourth most prevalent malware. With fully encrypted payloads and anti-analysis techniques, the latest form can be stored undetected in well-known public cloud services, including Google Drive.
---------------------------------------------
https://blog.checkpoint.com/security/may-2023s-most-wanted-malware-new-vers…
∗∗∗ Analyzing the FUD Malware Obfuscation Engine BatCloak ∗∗∗
---------------------------------------------
We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/analyzing-the-fud-malware-ob…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-818: (0Day) ZTE MF286R goahead Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ZTE MF286R routers. Authentication is required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-818/
∗∗∗ ZDI: Sante DICOM Viewer Pro Vulnerabilities ∗∗∗
---------------------------------------------
* ZDI-23-853: Sante DICOM Viewer Pro DCM File Parsing Use-After-Free Information Disclosure Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-853/
* ZDI-23-854: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-854/
* ZDI-23-855: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-855/
* ZDI-23-856: Sante DICOM Viewer Pro JP2 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-856/
---------------------------------------------
https://www.santesoft.com/win/sante-dicom-viewer-pro/download.html
∗∗∗ Antivirus: high-risk security vulnerabilities in Trend Micro's Apex One ∗∗∗
---------------------------------------------
In the protection software Trend Micro Apex One, attackers can abuse vulnerabilities to escalate their privileges on the system. Updates are available.
---------------------------------------------
https://heise.de/-9180965
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, and ruby2.5), Fedora (curl, dbus, pypy, pypy3.8, pypy3.9, python3.10, and python3.8), Red Hat (python and python-flask), Scientific Linux (emacs), SUSE (firefox, google-cloud-sap-agent, libwebp, opensc, openssl, openssl-3, openssl1, python-sqlparse, python310, and supportutils), and Ubuntu (libxml2, netatalk, and sysstat).
---------------------------------------------
https://lwn.net/Articles/934245/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jupyter-core, openssl, and ruby2.5), Fedora (firefox), Mageia (libreoffice, openssl, and python-flask), Red Hat (python and python3), Slackware (mozilla, php8, and python3), SUSE (java-1_8_0-ibm, libcares2, mariadb, and python36), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, linux-gke, linux-intel-iotg, linux-raspi, linux-xilinx-zynqmp, and mozjs102).
---------------------------------------------
https://lwn.net/Articles/934316/
∗∗∗ Delta Electronics CNCSoft-B DOPSoft ∗∗∗
---------------------------------------------
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-01
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on June 8, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-23-159-01 Atlas Copco Power Focus 6000
ICSA-23-159-02 Sensormatic Electronics Illustra Pro Gen 4
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/08/cisa-releases-two-indust…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 06-06-2023 18:00 − Wednesday 07-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch day: malicious code could land on Android devices via Bluetooth vulnerability ∗∗∗
---------------------------------------------
Google and other manufacturers have released important security updates for Android devices. Attackers are already exploiting a GPU vulnerability.
---------------------------------------------
https://heise.de/-9179937
∗∗∗ MOVEit: ransomware gang "Clop" extorts companies after security vulnerability ∗∗∗
---------------------------------------------
Ransomware gang extorts companies over a security vulnerability in the data transfer software MOVEit. Prominent companies are among the potential victims.
---------------------------------------------
https://heise.de/-9179875
∗∗∗ SpinOk: more infected Android apps with 30 million installations discovered ∗∗∗
---------------------------------------------
The Android malware SpinOk is making ever bigger waves, and security researchers have come across almost 200 more apps infected with it in Google Play.
---------------------------------------------
https://heise.de/-9180094
∗∗∗ Why cybersecurity awareness should matter to me as an SME too… ∗∗∗
---------------------------------------------
"Why would anyone attack us, of all companies?" When it comes to cybercrime, many small and medium-sized enterprises still believe they are not an interesting target for criminals. But the numbers show otherwise: cybercrime is increasing and becoming a growing threat to businesses, including small and medium-sized ones. We give an overview of the cybercrime situation in Austrian companies and SMEs and [...]
---------------------------------------------
https://www.watchlist-internet.at/news/wieso-mich-cybersecurity-awareness-a…
∗∗∗ Mailboxes broken open because of order fraud ∗∗∗
---------------------------------------------
A broken-open mailbox does not at first glance suggest a deeper fraud. One might assume that someone was merely after the mailbox's contents. In fact, it is often the last step of an order fraud in which criminals steal the yellow postal notification slip from the mailbox in order to open the associated parcel pickup box and steal a package previously ordered to their victim's address. Victims do not have to pay subsequent invoices and payment reminders!
---------------------------------------------
https://www.watchlist-internet.at/news/aufgebrochene-postkaesten-wegen-best…
∗∗∗ 2023 Vulnerabilities and Threat Trends ∗∗∗
---------------------------------------------
Understanding and monitoring vulnerability trends is crucial in maintaining robust cybersecurity practices. The evolving threat landscape demands constant vigilance and proactive measures from organizations and individuals alike.
---------------------------------------------
https://www.prio-n.com/2023-vulnerabilities-and-threat-trends/
∗∗∗ Tens of Thousands of Compromised Android Apps Found by Bitdefender Anomaly Detection Technology ∗∗∗
---------------------------------------------
Here are some of the types of apps mimicked by the malware: Game cracks, Games with unlocked features, Free VPN, Fake videos, Netflix, Fake tutorials, YouTube/TikTok without ads, Cracked utility programs: weather, pdf viewers, etc, Fake security programs
---------------------------------------------
https://www.bitdefender.com/blog/labs/tens-of-thousands-of-compromised-andr…
∗∗∗ High-risk vulnerabilities patched in ABB Aspect building management system ∗∗∗
---------------------------------------------
Prism Infosec has identified two high-risk vulnerabilities within the Aspect Control Engine building management system (BMS) developed by ABB. ABB’s Aspect BMS enables users to monitor a building’s performance and combines real-time integrated control, supervision, data logging, alarming, scheduling and network management functions with internet connectivity and web serving capabilities. Consequently, users can view system status, override setpoints and schedules, and more over [...]
---------------------------------------------
https://www.helpnetsecurity.com/2023/06/07/cve-2023-0635-cve-2023-0636/
=====================
= Vulnerabilities =
=====================
∗∗∗ B&R APROL Abuse SLP based traffic for amplification attack CVE ID: CVE-2023-29552 ∗∗∗
---------------------------------------------
An attacker who successfully exploited this vulnerability could use affected products to cause 3rd party components to become temporarily inaccessible.
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16834661…
∗∗∗ Security updates: Firefox and Firefox ESR armed against possible attacks ∗∗∗
---------------------------------------------
Due to a vulnerability in Firefox, attackers could lure victims even more effectively to unencrypted fake websites.
---------------------------------------------
https://heise.de/-9180185
∗∗∗ VMSA-2023-0012 ∗∗∗
---------------------------------------------
VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0012.html
∗∗∗ Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities ∗∗∗
---------------------------------------------
On April 3, 2023, our team uncovered two significant vulnerabilities – an Arbitrary User Password Reset to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities were found to affect Directorist versions 7.5.4 and earlier.
---------------------------------------------
https://www.wordfence.com/blog/2023/06/critical-security-update-directorist…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (c-ares), Fedora (curl and firefox), Oracle (cups-filters, kernel, and webkit2gtk3), Red Hat (emacs and kpatch-patch), Slackware (mozilla), SUSE (kernel and openssl-1_0_0), and Ubuntu (firefox and libreoffice).
---------------------------------------------
https://lwn.net/Articles/934132/
∗∗∗ Edge 114.0.1823.41 ∗∗∗
---------------------------------------------
Microsoft updated the Edge browser in the Stable Channel to version 114.0.1823.41 on 6 June 2023 (following the Chrome security update), with security and bug fixes. According to the release notes, the vulnerability CVE-2023-3079 from the Chromium project is closed.
---------------------------------------------
https://www.borncity.com/blog/2023/06/07/edge-114-0-1823-41/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Small Business 200, 300, and 500 Series Switches Web-Based Management Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Communications Manager IM & Presence Service Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Communications Manager Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Secure Workload Authenticated OpenAPI Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software for Firepower 2100 Series Appliances SSL/TLS Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-06-2023 18:00 − Tuesday 06-06-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ SSD Advisory - Roundcube markasjunk RCE ∗∗∗
---------------------------------------------
A vulnerability in Roundcube’s markasjunk plugin allows attackers that send a specially crafted identity email address to cause the plugin to execute arbitrary code.
---------------------------------------------
https://ssd-disclosure.com/ssd-advisory-roundcube-markasjunk-rce/
∗∗∗ Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat ∗∗∗
---------------------------------------------
The Cyclops group is particularly proud of having created ransomware capable of infecting all three major platforms: Windows, Linux, and macOS. In an unprecedented move, it has also shared a separate binary specifically geared to steal sensitive data, such as an infected computer name and a number of processes. The latter targets specific files in both Windows and Linux.
---------------------------------------------
https://www.uptycs.com/blog/cyclops-ransomware-stealer-combo
∗∗∗ Gmail spoofing vulnerability sparks Google ‘Priority 1’ probe ∗∗∗
---------------------------------------------
Google launched a “Priority 1” investigation into a Gmail security vulnerability after initially dismissing it as “intended behavior” that did not require a fix. The vulnerability relates to the Brand Indicators for Message Identification (BIMI) email authentication method, a feature Google introduced to Gmail in 2021 but only recently rolled out to all 1.8 billion users of its email services.
---------------------------------------------
https://www.scmagazine.com/news/email-security/gmail-spoofing-google-priori…
∗∗∗ Insecure firmware: Gigabyte delivers BIOS updates for motherboards ∗∗∗
---------------------------------------------
Gigabyte is securing insecure motherboard update functions with BIOS updates. These were discovered at the end of last week and affect around 270 models.
---------------------------------------------
https://heise.de/-9178747
∗∗∗ KeePass: vulnerability allowing the master password to be read out closed ∗∗∗
---------------------------------------------
A security vulnerability in the password manager KeePass allowed the master password to be reconstructed from memory dumps. An update now closes it.
---------------------------------------------
https://heise.de/-9179419
∗∗∗ Dozens of Malicious Extensions Found in Chrome Web Store ∗∗∗
---------------------------------------------
Security researchers recently identified more than 30 malicious extensions that had made their way into the Chrome web store, potentially infecting millions.
---------------------------------------------
https://www.securityweek.com/dozens-of-malicious-extensions-found-in-chrome…
∗∗∗ Webinar: paying safely on the internet ∗∗∗
---------------------------------------------
For online orders there is now a wide variety of payment options. What should I look for when choosing, and which payment methods should I rather not use? In this webinar we show you how to pay safely on the internet. Participate for free: Tuesday 13 June 2023, 18:30 - 20:00 via Zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-sicher-bezahlen-im-internet/
∗∗∗ Online banking: beware of fake login pages in search engine results ∗∗∗
---------------------------------------------
Criminals forge online banking login pages and advertise them in search engines. In a Bing or Google search for the desired login page, the fake pages are often displayed as the first result, as a Bank Austria customer reported to us. If you enter your data there, it goes straight to the criminals. We show you how to protect yourself.
---------------------------------------------
https://www.watchlist-internet.at/news/online-banking-vorsicht-vor-gefaelsc…
∗∗∗ Xollam, the Latest Face of TargetCompany ∗∗∗
---------------------------------------------
This blog talks about the latest TargetCompany ransomware variant, Xollam, and the new initial access technique it uses. We also investigate previous variants' behaviors and the ransomware family's extortion scheme.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-ta…
∗∗∗ Impulse Team’s Massive Years-Long Mostly-Undetected Cryptocurrency Scam ∗∗∗
---------------------------------------------
We have been able to uncover a massive cryptocurrency scam involving more than a thousand websites handled by different affiliates linked to a program called Impulse Project, run by a threat actor named Impulse Team.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/impulse-team-massive-cryptoc…
∗∗∗ Hackers Leak i2VPN Admin Credentials on Telegram ∗∗∗
---------------------------------------------
In a recent cybersecurity incident, hackers have claimed to have successfully breached the admin credentials of i2VPN, a popular freemium VPN proxy server app available for download on Google Play and the App Store.
---------------------------------------------
https://www.hackread.com/hackers-i2vpn-admin-credentials-telegram-leak/
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Chrome 114.0.5735.106/.110 security updates for 0-day ∗∗∗
---------------------------------------------
These are security updates that fix a critical (0-day) vulnerability.
---------------------------------------------
https://www.borncity.com/blog/2023/06/06/google-chrome-114-0-5735-106-110-s…
∗∗∗ Android security update fixes Mali GPU flaw exploited by spyware ∗∗∗
---------------------------------------------
Google has released the monthly security update for the Android platform, adding fixes for 56 vulnerabilities, five of them with a critical severity rating and one exploited since at least last December.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-security-update-fixe…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
Multi-Enterprise Relationship Management, CICS TX, TXSeries for Multiplatforms, Tivoli Netcool Configuration Manager, IBM Control Desk, IBM Maximo, System Networking Switch Center, Tivoli System Automation for Multiplatforms, IBM SDK, IBM Business Automation, IBM Cloud Pak, IBM Operations Analytics, IBM Security Guardium and IBM Semeru Runtimes.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2023-33009 Zyxel Multiple Firewalls Buffer Overflow Vulnerability
CVE-2023-33010 Zyxel Multiple Firewalls Buffer Overflow Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/05/cisa-adds-two-known-expl…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (linux-5.10), Red Hat (cups-filters, curl, kernel, kernel-rt, kpatch-patch, and webkit2gtk3), SUSE (apache-commons-fileupload, openstack-heat, openstack-swift, python-Werkzeug, and openstack-heat, python-Werkzeug), and Ubuntu (frr, go, libraw, libssh, nghttp2, python2.7, python3.10, python3.11, python3.5, python3.6, python3.8, and xfce4-settings).
---------------------------------------------
https://lwn.net/Articles/934010/
∗∗∗ Security Vulnerabilities fixed in Firefox 114 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-20/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.12 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-19/
∗∗∗ Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-02
∗∗∗ Zyxel security advisory for privilege escalation vulnerability in GS1900 series switches ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Zyxel security advisory for buffer overflow vulnerability in 4G LTE and 5G NR outdoor routers ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-06-2023 18:00 − Monday 05-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ KeePass v2.54 fixes bug that leaked cleartext master password ∗∗∗
---------------------------------------------
KeePass has released version 2.54, fixing the CVE-2023-3278 vulnerability that allows the extraction of the cleartext master password from the application's memory.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/keepass-v254-fixes-bug-that-…
∗∗∗ Satacom delivers browser extension that steals cryptocurrency ∗∗∗
---------------------------------------------
A recent campaign by Satacom downloader is delivering a cryptocurrency-stealing extension for Chromium-based browsers, such as Chrome, Brave and Opera.
---------------------------------------------
https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-ext…
∗∗∗ Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack ∗∗∗
---------------------------------------------
Cybersecurity researchers have unearthed a new ongoing Magecart-style web skimmer campaign that's designed to steal personally identifiable information (PII) and credit card data from e-commerce websites. A noteworthy aspect that sets it apart from other Magecart campaigns is that the hijacked sites further serve as "makeshift" command-and-control (C2) servers, using the cover to facilitate the distribution of malicious code without the knowledge of the victim sites.
---------------------------------------------
https://thehackernews.com/2023/06/magento-woocommerce-wordpress-and.html
∗∗∗ Storing Passwords - A Journey of Common Pitfalls ∗∗∗
---------------------------------------------
[..] we recently discovered a vulnerability in the web interface of STARFACE PBX allowing login using the password hash rather than the cleartext password (see advisory). We want to use this as an opportunity to discuss how we analyse such login mechanisms and talk about the misconceptions in security concepts that result in such pitfalls along the way.
---------------------------------------------
https://blog.redteam-pentesting.de/2023/storing-passwords/
∗∗∗ Big data company Splunk closes security vulnerabilities, some of them critical ∗∗∗
---------------------------------------------
Big data specialist Splunk is fixing numerous security vulnerabilities in the software of the same name, some of which are classified as a critical risk.
---------------------------------------------
https://heise.de/-9164194
∗∗∗ Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards ∗∗∗
---------------------------------------------
Gigabyte has announced BIOS updates that remove a recently identified backdoor feature in hundreds of its motherboards.
---------------------------------------------
https://www.securityweek.com/gigabyte-rolls-out-bios-updates-to-remove-back…
∗∗∗ Criminals abuse PayPal's donation function ∗∗∗
---------------------------------------------
We are currently observing fake shops processing PayPal payments via the "Geld spenden" (donate money) function. Cancel the payment immediately if the PayPal payment does not proceed as usual but is labelled as a donation! If you pay using the "Geld spenden" function, buyer protection does not apply and a refund is not possible. Look closely at how your PayPal payment is processed!
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-missbrauchen-spenden-funk…
∗∗∗ Vice Society now operating with its own ransomware ∗∗∗
---------------------------------------------
Ransomware group repeatedly carries out targeted attacks on educational institutions and hospitals.
---------------------------------------------
https://www.zdnet.de/88409649/vice-society-mit-eigener-ransomware-unterwegs/
∗∗∗ Pikabot trojan on the loose ∗∗∗
---------------------------------------------
New malware family uses anti-analysis techniques and offers backdoor functions for loading shellcode and executing second-stage binaries.
---------------------------------------------
https://www.zdnet.de/88409646/trojaner-pikabot-treibt-sein-unwesen/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, cpio, mariadb-10.3, nbconvert, sofia-sip, and wireshark), Fedora (ImageMagick, mingw-python-requests, openssl, python3.6, texlive-base, and webkitgtk), Red Hat (apr-util, git, gnutls, kernel, kernel-rt, and kpatch-patch), Slackware (cups and ntp), and Ubuntu (linux-azure-fde, linux-azure-fde-5.15 and perl).
---------------------------------------------
https://lwn.net/Articles/933904/
∗∗∗ IBM Aspera Connect and IBM Aspera Cargo have addressed multiple vulnerabilities (CVE-2023-22862, CVE-2023-27285) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001053
∗∗∗ Vulnerability in libexpat (CVE-2022-43680) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985561
∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998727
∗∗∗ Multiple vulnerabilities may affect IBM® Semeru Runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001271
∗∗∗ There is a vulnerability in Apache SOAP used by IBM Maximo Asset Management (CVE-2022-40705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959357
∗∗∗ There are several vulnerabilities in AntiSamy used by IBM Maximo Asset Management (CVE-2022-28367, CVE-2022-29577) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966080
∗∗∗ There is a vulnerability in Prism used by IBM Maximo Asset Management (CVE-2022-23647) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959695
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000021
∗∗∗ Multiple vulnerabilities in IBM® Java SDK and WebSphere Application Server Liberty profile affect IBM Business Automation Workflow containers ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001287
∗∗∗ A vulnerability has been identified in IBM HTTP Server shipped with IBM Business Automation Workflow (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001289
∗∗∗ Cross-site scripting vulnerability affects IBM Business Automation Workflow - CVE-2023-32339 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001291
∗∗∗ Vulnerability in spring-expressions may affect IBM Business Automation Workflow - CVE-2023-20863 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001295
∗∗∗ Multiple vulnerabilities in IBM Java XML affect IBM Tivoli System Automation for Multiplatforms deferred from Oracle Apr 2022 CPU (CVE-2022-21426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000999
∗∗∗ Multiple vulnerabilities in VMware Tanzu Spring Framework affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001309
∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Asset Management (CVE-2022-31160) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966428
∗∗∗ There are several vulnerabilities with TinyMCE used by IBM Maximo Asset Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966710
∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959353
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 01-06-2023 18:00 − Friday 02-06-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Attackers use Python compiled bytecode to evade detection ∗∗∗
---------------------------------------------
Attackers who are targeting open-source package repositories like PyPI (Python Package Index) have devised a new technique for hiding their malicious code from security scanners, manual reviews, and other forms of security analysis. In one incident, researchers have found malware code hidden inside a Python bytecode (PYC) file that can be directly executed as opposed to source code files that get interpreted by the Python runtime.
---------------------------------------------
https://www.csoonline.com/article/3698472/attackers-use-python-compiled-byt…
∗∗∗ Cybercriminals use legitimate websites to obfuscate malicious payloads ∗∗∗
---------------------------------------------
According to Egress, the evolving attack methodologies currently used by cybercriminals are designed to get through traditional perimeter security. “The evolution of phishing emails continues to pose a major threat to organizations, emphasizing the need to enhance defenses to prevent attacks,” said Jack Chapman, VP of Threat Intelligence, Egress.
---------------------------------------------
https://www.helpnetsecurity.com/2023/06/02/evolving-attack-methodologies/
∗∗∗ Authority scam: Alleged e-mails from the FCA are fake! ∗∗∗
---------------------------------------------
Criminals pose as employees of the British financial regulator FCA and claim by e-mail that an "online investment platform" has been shut down. Now, according to the e-mail, the task is to "identify the rightful owners of the assets frozen in the blockchain network".
---------------------------------------------
https://www.watchlist-internet.at/news/authority-scam-angebliche-e-mails-de…
∗∗∗ Zyxel’s guidance for the recent attacks on the ZyWALL devices ∗∗∗
---------------------------------------------
Zyxel recently became aware of a cyberattack targeting our ZyWALL devices. These vulnerabilities already have patches - we took immediate action as soon as we became aware of them, and have released patches, as well as security advisories for CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxels-guidance…
=====================
= Vulnerabilities =
=====================
∗∗∗ Delta Electronics CNCSoft-B DOPSoft DPA File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Published: 2023-06-01
Affected Vendor: Delta Electronics
ZDI ID: ZDI-23-781 to ZDI-23-817
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Security updates: Vulnerabilities make Symantec protection software attackable ∗∗∗
---------------------------------------------
Symantec's developers have closed several security vulnerabilities in Advanced Secure Gateway and Content Analysis.
---------------------------------------------
https://heise.de/-9162943
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups and netatalk), SUSE (cups, ImageMagick, installation-images, libvirt, openvswitch, and qemu), and Ubuntu (avahi, cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws-5.4, linux-bluefield, linux-intel-iotg, and linux-intel-iotg-5.15).
---------------------------------------------
https://lwn.net/Articles/933576/
∗∗∗ High-Severity Vulnerabilities Patched in Splunk Enterprise ∗∗∗
---------------------------------------------
Splunk has resolved multiple high-severity vulnerabilities in Splunk Enterprise, including bugs in third-party packages used by the product.
---------------------------------------------
https://www.securityweek.com/high-severity-vulnerabilities-patched-in-splun…
∗∗∗ Critical vulnerability in MOVEit Transfer - updates available ∗∗∗
---------------------------------------------
A critical vulnerability exists in MOVEit Transfer that allows privilege escalation and potentially unauthorized access. So far, the vulnerability has been exploited for data theft. The full potential of the vulnerability is, however, not yet known.
---------------------------------------------
https://cert.at/de/warnungen/2023/6/kritische-sicherheitslucke-in-moveit-tr…
∗∗∗ IBM Edge Application Manager has a vulnerability listed in CVE 2023-28154. IBM has addressed this vulnerability. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000057
∗∗∗ Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000903
∗∗∗ A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Configuration Manager (CVE-2022-3676). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000941
∗∗∗ A security vulnerability has been identified in embedded IBM WebSphere Application Server which is shipped with IBM Tivoli Netcool Configuration Manager (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000959
∗∗∗ A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Configuration Manager (CVE-2023-30441). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000969
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager - Includes Oracle January 2023 CPU (CVE-2023-21830, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000991
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms - Includes Oracle January 2023 CPU (CVE-2023-21830, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000989
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000993
∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/888295
∗∗∗ Multiple vulnerabilities in IBM Java XML affect IBM Tivoli System Automation Application Manager deferred from Oracle Apr 2022 CPU (CVE-2022-21426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000997
∗∗∗ Apache Commons FileUpload vulnerability affects embedded Case Forms in IBM Business Automation Workflow and IBM Case Manager - CVE-2023-24998 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001009
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 31-05-2023 18:00 − Thursday 01-06-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Terminator antivirus killer is a vulnerable Windows driver in disguise ∗∗∗
---------------------------------------------
A threat actor known as Spyboy is promoting a Windows defense evasion tool called "Terminator" [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/terminator-antivirus-killer-…
∗∗∗ Exploit released for RCE flaw in popular ReportLab PDF library ∗∗∗
---------------------------------------------
A researcher has published a working exploit for a remote code execution (RCE) flaw impacting ReportLab, a popular Python library used by numerous projects to generate PDF files from HTML input.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-rce-fla…
∗∗∗ Police warn of new scam involving NFC smartphone payments ∗∗∗
---------------------------------------------
Criminals have managed to load victims' bank cards onto their own phones. They then went on a shopping spree and emptied the accounts.
---------------------------------------------
https://futurezone.at/digital-life/betrug-phishing-mobile-payment-nfc-smart…
∗∗∗ Serious Security: That KeePass “master password crack”, and what we can learn from it ∗∗∗
---------------------------------------------
Here, in an admittedly discursive nutshell, is the fascinating story of CVE-2023-32784. (Short version: Don't panic.)
---------------------------------------------
https://nakedsecurity.sophos.com/2023/05/31/serious-security-that-keepass-m…
∗∗∗ XSS vulnerability in the ASP.NET application: examining CVE-2023-24322 in mojoPortal CMS ∗∗∗
---------------------------------------------
In this article, we will thoroughly examine the XSS vulnerability in a CMS written in C#. Let's recall the theory, figure out how the security defect looks from a user's perspective and in code, and also practice writing exploits.
---------------------------------------------
https://pvs-studio.com/en/blog/posts/csharp/1054/
∗∗∗ Attack on iPhones: Kaspersky goes public with sophisticated attack ∗∗∗
---------------------------------------------
Kaspersky says it has discovered traces of a complex attack in iPhone backups. Countermeasures are said to be possible only by drastic means.
---------------------------------------------
https://heise.de/-9159301
∗∗∗ STARFACE: Authentication with Password Hash Possible ∗∗∗
---------------------------------------------
RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allow authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database has generally become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when authentication using the password hash is allowed.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2022-004/
∗∗∗ Malware Spotlight: Camaro Dragon’s TinyNote Backdoor ∗∗∗
---------------------------------------------
In this report, we analyze another previously undisclosed backdoor associated with this cluster of activity which shares with it not only a common infrastructure but also the same high-level intelligence-gathering goal.
---------------------------------------------
https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinyn…
=====================
= Vulnerabilities =
=====================
∗∗∗ Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability ∗∗∗
---------------------------------------------
Rapid7 managed services teams are observing exploitation of a critical vulnerability in Progress Software’s MOVEit Transfer solution across multiple customer environments.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of…
∗∗∗ Unified Automation: New UaGateway V1.5.14 Service Release ∗∗∗
---------------------------------------------
This version contains security bug fixes including improvements in KeyUsage check.
---------------------------------------------
https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt
∗∗∗ (0Day) Fatek Automation FvDesigner FPJ File Parsing Out-Of-Bounds Write/Pointer Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Published: 2023-05-31
Affected Vendor: Fatek Automation
ZDI ID: ZDI-23-760 to ZDI-23-771
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ (0Day) VIPRE Antivirus Plus ∗∗∗
---------------------------------------------
Published: 2023-05-31
Affected Vendor: VIPRE
ZDI ID: ZDI-23-755 to ZDI-23-759
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM App Connect, IBM Business Automation Manager Open Editions, IBM Business Automation Workflow, IBM Control Desk, IBM Maximo, IBM Edge Application Manager, IBM MQ, IBM Spectrum Protect Plus, IBM Control Desk, IBM Data Risk Manager, Tivoli, Hardware Management Console, IBM Cloud Pak, IBM Power Systems, IBM Security Directory Server, WebSphere Application Server, Rational Developer for i, IBM Security Guardium
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libwebp, openssl, sssd, and texlive-bin), Fedora (bitcoin-core, editorconfig, edk2, mod_auth_openidc, pypy, pypy3.9, python3.10, and python3.8), Red Hat (kernel, openssl, pcs, pki-core:10.6, and qatzip), SUSE (chromium, ImageMagick, openssl-1_1, and tiff), and Ubuntu (cups, libvirt, and linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi).
---------------------------------------------
https://lwn.net/Articles/933465/
∗∗∗ AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-019 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-019
∗∗∗ AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-018
∗∗∗ Consent Popup - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-017 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-017
∗∗∗ Iubenda Integration - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-016 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-016
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01
∗∗∗ HID Global SAFE ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-02
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-05-2023 18:00 − Wednesday 31-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Zero-day vulnerability: Hole in Barracuda's ESG already abused for 7 months ∗∗∗
---------------------------------------------
Barracuda closed a zero-day vulnerability in its ESG appliances last week. Investigations show that it had already been abused since October.
---------------------------------------------
https://heise.de/-9083222
∗∗∗ Android spyware SpinOk reaches more than 421 million installations ∗∗∗
---------------------------------------------
Doctor Web has found an Android software module with spyware functions in apps on Google Play with more than 421 million downloads. Google has been informed.
---------------------------------------------
https://heise.de/-9069832
∗∗∗ Ransomware: Protection concept against attacks ∗∗∗
---------------------------------------------
Despite measures against cyberattacks and ransomware, many attacks succeed and the data ends up encrypted. A few points help to obtain usable backups.
---------------------------------------------
https://heise.de/-9069092
∗∗∗ RomCom malware spread via Google Ads for ChatGPT, GIMP, more ∗∗∗
---------------------------------------------
A new campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/romcom-malware-spread-via-go…
∗∗∗ Mirai Variant Opens Tenda, Zyxel Gear to RCE, DDoS ∗∗∗
---------------------------------------------
Researchers have observed several cyberattacks leveraging a botnet called IZ1H9, which exploits vulnerabilities in exposed devices and servers running on Linux.
---------------------------------------------
https://www.darkreading.com/endpoint/mirai-variant-tenda-zyxel-rce-ddos
∗∗∗ Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor ∗∗∗
---------------------------------------------
Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse, researchers say.
---------------------------------------------
https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/
∗∗∗ Netflix phishing messages currently particularly dangerous! ∗∗∗
---------------------------------------------
As of May 2023, Netflix has stopped account sharing, i.e. the sharing of Netflix accounts, as a result of which numerous users have lost their access or have to pay additional fees. At the same time, countless Netflix phishing e-mails are in circulation which, although unrelated to the new account-sharing policy, are more readily taken for genuine because of the changes. Caution: Do not disclose any data here!
---------------------------------------------
https://www.watchlist-internet.at/news/netflix-phishing-nachrichten-aktuell…
∗∗∗ Investigating BlackSuit Ransomware’s Similarities to Royal ∗∗∗
---------------------------------------------
In this blog entry, we analyze BlackSuit ransomware and how it compares to Royal Ransomware.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-rans…
=====================
= Vulnerabilities =
=====================
∗∗∗ New macOS vulnerability, Migraine, could bypass System Integrity Protection ∗∗∗
---------------------------------------------
A new vulnerability, which we refer to as “Migraine” for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2023-32369, was included in the security updates released by Apple on May 18, 2023.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerab…
∗∗∗ Barracuda Email Security Gateway Appliance (ESG) Vulnerability ∗∗∗
---------------------------------------------
Barracuda Networks' priorities throughout this incident have been transparency and to use this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks. Although our investigation is ongoing, the purpose of this document is to share preliminary findings, provide the known Indicators of Compromise (IOCs), and share YARA rules to aid our customers in their investigations, including with respect to their own environments.
---------------------------------------------
https://www.barracuda.com/company/legal/esg-vulnerability
∗∗∗ CVE-2023-34152: Shell Command Injection Bug Affecting ImageMagick ∗∗∗
---------------------------------------------
[...] recent findings have brought to light a trio of security vulnerabilities that could transform this useful tool into a potential weapon in the hands of malicious entities.
* CVE-2023-34151: Undefined behaviors of casting double to size_t in svg, mvg, and other coders
* CVE-2023-34152: RCE (shell command injection) vulnerability
* CVE-2023-34153: Shell command injection vulnerability
---------------------------------------------
https://securityonline.info/cve-2023-34152-shell-command-injection-bug-affe…
∗∗∗ Web browser: Google Chrome 114 closes 16 vulnerabilities and improves security ∗∗∗
---------------------------------------------
In addition to the usual closed security vulnerabilities, 16 in number, Google Chrome 114 also delivers some new or improved security features.
---------------------------------------------
https://heise.de/-9069705
∗∗∗ Forced update: WordPress websites can be manipulated via Jetpack vulnerability ∗∗∗
---------------------------------------------
The Jetpack developers have released 102 bug-fixed versions of their WordPress plug-in.
---------------------------------------------
https://heise.de/-9069974
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (connman and kamailio), Fedora (texlive-base), Mageia (cups-filters, postgresql, qtbase5, tcpreplay, tomcat, and vim), Slackware (openssl), SUSE (amazon-ssm-agent, cni, cni-plugins, compat-openssl098, installation-images, libaom, openssl, openssl-1_0_0, openssl-1_1, terraform, terraform-provider-helm, tiff, tomcat, and wireshark), and Ubuntu (batik, flask, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-oracle, linux-oracle-5.4, mozjs102, nanopb, openssl, openssl1.0, snapd, and texlive-bin).
---------------------------------------------
https://lwn.net/Articles/933360/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0004 ∗∗∗
---------------------------------------------
Date Reported: May 30, 2023
Advisory ID: WSA-2023-0004
CVE identifiers: CVE-2023-28204, CVE-2023-32373.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0004.html
∗∗∗ Possible damage of secure element in Bosch IP cameras ∗∗∗
---------------------------------------------
BOSCH-SA-435698-BT: Due to an error in the software interface to the secure element chip on the cameras, the chip can be **permanently damaged** leading to an unusable camera when enabling the Stream security option (signing of the video stream) on Bosch CPP13 and CPP14 cameras. The default setting for this option is "off".
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-435698-bt.html
∗∗∗ DataSpider Servista uses a hard-coded cryptographic key ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN38222042/
∗∗∗ [20230501] - Core - Open Redirects and XSS within the mfa selection ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/899-20230501-core-open-red…
∗∗∗ [20230502] - Core - Bruteforce prevention within the mfa screen ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/900-20230502-core-brutefor…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-05-2023 18:00 − Tuesday 30-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ QBot malware abuses Windows WordPad EXE to infect devices ∗∗∗
---------------------------------------------
The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-…
∗∗∗ Hot Pixels attack checks CPU temp, power changes to steal data ∗∗∗
---------------------------------------------
A team of researchers at Georgia Tech, the University of Michigan, and Ruhr University Bochum have developed a novel attack called "Hot Pixels," which can retrieve pixels from the content displayed in the target's browser and infer the navigation history.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hot-pixels-attack-checks-cpu…
∗∗∗ Android apps with spyware installed 421 million times from Google Play ∗∗∗
---------------------------------------------
A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-apps-with-spyware-in…
∗∗∗ Analyzing Office Documents Embedded Inside PPT (PowerPoint) Files, (Mon, May 29th) ∗∗∗
---------------------------------------------
I was asked how to analyze Office Documents that are embedded inside PPT files. PPT is the "standard" binary format for PowerPoint; it's an olefile. You can analyze it with oledump.py.
---------------------------------------------
https://isc.sans.edu/diary/rss/29894
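A first-pass triage of the same problem without oledump.py, as an added example that is not code from the diary or from the oledump project: embedded Office documents sit inside the PPT stream as OLE objects, in some cases zlib-compressed, so the carver scans the raw bytes for the OLE compound-file signature and also inflates every zlib stream it finds to look inside. The PPT container bytes below are constructed filler around two fake OLE headers, not a real presentation; a real file would be passed in as `data`.

```python
"""Carve OLE compound files embedded in a binary PowerPoint (.ppt) container.

Added example, not code from the diary or from oledump.py. Embedded
Office documents live inside the PPT stream as OLE objects, sometimes
zlib-compressed, so a first-pass triage scans for the OLE signature both
in the raw bytes and inside every zlib stream that inflates cleanly.
The container below is constructed; it is not a real presentation.
"""
import struct
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZLIB_MARKERS = (b"\x78\x01", b"\x78\x9c", b"\x78\xda")  # common CMF/FLG pairs


def build_fake_ole(tag, sector_shift=9):
    """Build a minimal OLE header plus one sector; only the fields the
    carver reads are filled in (constructed test data, not a valid document)."""
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<HH", header, 0x18, 0x003E, 0x0003)  # minor, major version
    struct.pack_into("<H", header, 0x1C, 0xFFFE)            # little-endian marker
    struct.pack_into("<H", header, 0x1E, sector_shift)      # 2**9 = 512-byte sectors
    struct.pack_into("<I", header, 0x2C, 1)                 # number of FAT sectors
    return bytes(header) + tag.ljust(1 << sector_shift, b"\x00")


def parse_ole_header(blob):
    """Decode the header fields a triage tool reports; None if not an OLE header."""
    if len(blob) < 512 or blob[:8] != OLE_MAGIC:
        return None
    return {
        "major_version": struct.unpack_from("<H", blob, 0x1A)[0],
        "sector_size": 1 << struct.unpack_from("<H", blob, 0x1E)[0],
        "fat_sectors": struct.unpack_from("<I", blob, 0x2C)[0],
    }


def find_raw(data):
    """Yield every offset at which the OLE signature appears."""
    pos = data.find(OLE_MAGIC)
    while pos != -1:
        yield pos
        pos = data.find(OLE_MAGIC, pos + 1)


def find_zlib(data):
    """Yield (offset, inflated bytes) for each zlib stream that ends cleanly.
    False markers (random bytes that look like a zlib header) are skipped."""
    for marker in ZLIB_MARKERS:
        pos = data.find(marker)
        while pos != -1:
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[pos:])
                if d.eof:
                    yield pos, out
            except zlib.error:
                pass
            pos = data.find(marker, pos + 1)


def carve(data):
    """Return embedded OLE objects, raw or zlib-compressed, sorted by offset."""
    found = []
    for off in find_raw(data):
        hdr = parse_ole_header(data[off:off + 512])
        if hdr:
            found.append({"offset": off, "compressed": False, "header": hdr})
    for off, inflated in find_zlib(data):
        for inner in find_raw(inflated):
            hdr = parse_ole_header(inflated[inner:inner + 512])
            if hdr:
                found.append({"offset": off, "compressed": True, "header": hdr})
    return sorted(found, key=lambda f: f["offset"])


# Constructed container: filler bytes, one raw embedded object, a false
# zlib marker, one zlib-compressed embedded object, trailing filler.
SAMPLE_CONTAINER = (
    b"\x0f\x00\xe8\x03" + b"\x00" * 28
    + build_fake_ole(b"embedded Word document (raw)")
    + b"\x78\x9c\x00\x00"
    + zlib.compress(build_fake_ole(b"embedded Excel sheet (compressed)"))
    + b"\xff" * 16
)

if __name__ == "__main__":
    for obj in carve(SAMPLE_CONTAINER):
        print(obj)
```

The false marker placed before the compressed object shows why `find_zlib` insists on a clean end of stream: two bytes that happen to look like a zlib header are common in binary data, and only a stream that inflates to completion is treated as a candidate. For anything beyond triage, hand the carved offsets to oledump.py, which walks the PPT record structure rather than pattern-matching.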
∗∗∗ Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT, (Tue, May 30th) ∗∗∗
---------------------------------------------
Also known as DBatLoader, ModiLoader is malware that retrieves and runs payloads like Formbook, Warzone RAT, Remcos RAT, or other types of malware. Today's diary reviews a ModiLoader infection for Remcos RAT on Monday 2023-05-29.
---------------------------------------------
https://isc.sans.edu/diary/rss/29896
∗∗∗ Beware of the new phishing technique “file archiver in the browser” that exploits zip domains ∗∗∗
---------------------------------------------
“file archiver in the browser” is a new phishing technique that can be exploited by phishers when victims visit a .ZIP domain.
---------------------------------------------
https://securityaffairs.com/146828/cyber-crime/file-archiver-in-the-browser…
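The technique only works because a .zip domain is reachable: text that looks like an attachment name ("report.zip") is also a valid host name that mail clients and browsers auto-link, and an explicit URL can push the real .zip host behind userinfo and an '@'. As an added example that is not from the article, the Python below flags both patterns in a message. The sample message and every host name in it are constructed.

```python
"""Spot text that a mail client or browser would turn into a link on a
.zip or .mov domain.

Added example, not from the article. Because .zip and .mov are now
public TLDs, a bare "report.zip" in a message is both a plausible
attachment name and a resolvable host, and an explicit URL can hide the
real host behind userinfo ("https://trusted.example@evil.zip") or behind
slash look-alike characters. The message below is constructed and all
host names in it are made up.
"""
import re
from urllib.parse import urlsplit

FILE_TLDS = (".zip", ".mov")
LOOKALIKE_SLASHES = {"\u2215": "DIVISION SLASH", "\u2044": "FRACTION SLASH"}
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# A host-shaped token ending in .zip/.mov, not glued to a path, e-mail
# address or longer word ("archive.zipper", "zipper.zip-tool" do not match).
BARE_TOKEN = re.compile(
    r"(?<![\w./@-])(" + LABEL + r"(?:\." + LABEL + r")*\.(?:zip|mov))(?!\w|\.\w|-)",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def analyse_url(url):
    """Return (host, reasons); reasons is [] if the host is not on a file TLD."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(FILE_TLDS):
        return host, []
    reasons = ["explicit link to a file-extension TLD"]
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    seen = sorted({LOOKALIKE_SLASHES[c] for c in url if c in LOOKALIKE_SLASHES})
    if seen:
        reasons.append("slash look-alike characters: " + ", ".join(seen))
    return host, reasons


def analyse(text):
    """Return findings for explicit URLs first, then for bare file-name tokens."""
    findings = []
    for url in URL.findall(text):
        host, reasons = analyse_url(url)
        if reasons:
            findings.append({"text": url, "host": host, "reasons": reasons})
    # Remove URLs before the bare-token pass so a .zip file in a URL path
    # on an ordinary domain is not counted as a host.
    for m in BARE_TOKEN.finditer(URL.sub(" ", text)):
        token = m.group(1).lower()
        findings.append({"text": m.group(1), "host": token,
                         "reasons": ["bare file name would auto-link to https://" + token]})
    return findings


# Constructed message; hosts are made up.
SAMPLE_MESSAGE = """\
Hi, the quarterly numbers are in Q2-results.zip and the recording is in townhall.mov.
Full archive: https://files.example.com@updates.zip/download
Mirror: https://github.com\u2215example\u2215repo\u2215archive\u2215main@release.zip/
Unrelated: https://www.example.com/notes.zip and the zipper.zip-tool page.
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_MESSAGE):
        print(f["host"], "|", "; ".join(f["reasons"]))
```

The third sample line is the worst case: everything before the '@' is userinfo, so the browser connects to the .zip host while the visible text reads like a path on a well-known site, and the U+2215 characters are what make that text pass for slashes. The last line shows the two deliberate non-matches, a .zip file in the path of an ordinary URL and a word that merely contains ".zip".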
∗∗∗ Severe Flaw in Google Cloud's Cloud SQL Service Exposed Confidential Data ∗∗∗
---------------------------------------------
A new security flaw has been disclosed in the Google Cloud Platform's (GCP) Cloud SQL service that could potentially be exploited to obtain access to confidential data.
---------------------------------------------
https://thehackernews.com/2023/05/severe-flaw-in-google-clouds-cloud-sql.ht…
∗∗∗ Beware of fake service phone numbers when googling! ∗∗∗
---------------------------------------------
Finding a service phone number turns out to be a complicated undertaking on some websites. It is therefore often easier to search for the contact details directly via the search engine rather than on the respective company website. But beware: criminals mix fake pages and numbers in among the genuine contact details, and use them to steal your money and data. A current example is fake numbers for the airline Ryanair!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-service-telefonnum…
=====================
= Vulnerabilities =
=====================
∗∗∗ OpenSSL 3.0 Series Release Notes [30 May 2023] ∗∗∗
---------------------------------------------
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. ([CVE-2023-2650])
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms ([CVE-2023-1255])
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
* Fixed handling of invalid certificate policies in leaf certificates ([CVE-2023-0465])
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
---------------------------------------------
https://www.openssl.org/news/openssl-3.0-notes.html
∗∗∗ OpenSSL 1.1.1 Series Release Notes [30th May 2023] ∗∗∗
---------------------------------------------
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. ([CVE-2023-2650])
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
* Fixed handling of invalid certificate policies in leaf certificates ([CVE-2023-0465])
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
---------------------------------------------
https://www.openssl.org/news/openssl-1.1.1-notes.html
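Both the 3.0 and the 1.1.1 notes above lead with CVE-2023-2650, so a look at what a "gigantic sub-identifier" is: DER encodes each OID arc in base 128 with a continuation bit, so a single arc may legitimately occupy hundreds of bytes, and `OBJ_obj2txt()` has to convert that number to decimal text. As an added example that is not OpenSSL code, the Python below encodes and decodes OIDs by hand, builds one with a 572-byte arc, and shows the defensive shape a consumer can add on its own side: cap the byte length of an arc before converting it. The cap value is an assumption for the example, not an OpenSSL constant.

```python
"""ASN.1 OBJECT IDENTIFIER encoding, and where CVE-2023-2650 bites.

Added example, not OpenSSL code. DER writes each OID arc (sub-identifier)
in base 128 with a continuation bit, so one arc may legitimately span
hundreds of bytes. Turning such an arc into dotted-decimal text, which is
what OBJ_obj2txt() does, means a big-number to decimal conversion whose
cost grows with the arc size; that is the slowness the release note
mitigates. The decoder below shows the defensive shape a consumer can
add on its own side: cap the byte length of an arc before converting it.
The cap value is an assumption for this example, not an OpenSSL constant.
"""


def encode_arc(value):
    """Base-128, big-endian, high bit set on every byte except the last."""
    out = bytearray([value & 0x7F])
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted):
    """Dotted-decimal string -> full DER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = encode_arc(arcs[0] * 40 + arcs[1])  # first two arcs share one sub-identifier
    body += b"".join(encode_arc(a) for a in arcs[2:])
    return b"\x06" + encode_length(len(body)) + body


def decode_length(buf, pos):
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_oid(der, max_arc_bytes=32):
    """DER TLV -> dotted-decimal. Refuses any arc longer than max_arc_bytes
    before converting it, so a hostile OID fails fast instead of slowly."""
    if not der or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, pos = decode_length(der, 1)
    body = der[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated OID")
    arcs, value, arc_bytes = [], 0, 0
    for b in body:
        arc_bytes += 1
        if arc_bytes > max_arc_bytes:
            raise ValueError("sub-identifier longer than %d bytes" % max_arc_bytes)
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value, arc_bytes = 0, 0
    if arc_bytes:
        raise ValueError("incomplete trailing sub-identifier")
    if not arcs:
        raise ValueError("empty OID")
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decodes_within_cap(der, max_arc_bytes=32):
    """True if the OID is well formed and every arc fits the cap."""
    try:
        decode_oid(der, max_arc_bytes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    rsa = encode_oid("1.2.840.113549")
    print(rsa.hex(), "->", decode_oid(rsa))
    huge = encode_oid("1.2." + str(2 ** 4000))   # one 572-byte arc, still valid DER
    print(len(huge), "bytes;", "accepted" if decodes_within_cap(huge) else "rejected by cap")
```

The 4000-bit arc is structurally valid DER, which is why a library cannot simply reject it as malformed and why the cost lands in the text conversion. The same class of problem is why Python 3.11 introduced a default limit on int-to-decimal-string conversion; any consumer that turns attacker-supplied OIDs into text should bound the arc size with a policy of its own rather than rely on the library to be fast.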
∗∗∗ Security vulnerability in Moxa MXsecurity Series endangers critical infrastructure ∗∗∗
---------------------------------------------
A critical security vulnerability in the network monitoring solution MXsecurity puts industrial plants at risk.
---------------------------------------------
https://heise.de/-9068382
∗∗∗ Attackers could crash the network analysis tool Wireshark ∗∗∗
---------------------------------------------
In the current Wireshark version the developers have fixed several security problems.
---------------------------------------------
https://heise.de/-9069031
∗∗∗ Collaboration suite Nextcloud: some high-risk vulnerabilities closed ∗∗∗
---------------------------------------------
The collaboration software Nextcloud has security vulnerabilities, some of them high risk. Updated software is available.
---------------------------------------------
https://heise.de/-9068654
∗∗∗ VMSA-2023-0011 ∗∗∗
---------------------------------------------
VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0011.html
∗∗∗ Many Vulnerabilities Found in PrinterLogic Enterprise Software ∗∗∗
---------------------------------------------
Vulnerabilities identified in PrinterLogic’s enterprise management printer solution could expose organizations to authentication bypass, SQL injection, cross-site scripting (XSS) and other types of attacks.
---------------------------------------------
https://www.securityweek.com/many-vulnerabilities-found-in-printerlogic-ent…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (docker-registry, gpac, libraw, libreoffice, rainloop, and sysstat), Fedora (bottles, c-ares, edk2, libssh, microcode_ctl, python-vkbasalt-cli, rust-buffered-reader, rust-nettle, rust-nettle-sys, rust-rpm-sequoia, rust-sequoia-keyring-linter, rust-sequoia-octopus-librnp, rust-sequoia-openpgp, rust-sequoia-policy-config, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-sqv, rust-sequoia-wot, and xen), SUSE (opera), and Ubuntu (Jhead, linuxptp, and sudo).
---------------------------------------------
https://lwn.net/Articles/933165/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libssh and sssd), Fedora (microcode_ctl and python3.6), Gentoo (cgal, firefox firefox-bin, openimageio, squashfs-tools, thunderbird thunderbird-bin, tiff, tomcat, webkit-gtk, and xorg-server xwayland), SUSE (c-ares and go1.18-openssl), and Ubuntu (Jhead, node-hawk, node-nth-check, and perl).
---------------------------------------------
https://lwn.net/Articles/933246/
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-150-01
∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NAS products ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Starlette vulnerable to directory traversal ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN95981715/
∗∗∗ Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353) ∗∗∗
---------------------------------------------
https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulner…
∗∗∗ Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-in-mitsubishi-plc-could-le…
∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998795
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998811
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998813
∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999091
∗∗∗ A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-30441). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999115
∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining [CVE-2023-20860] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999119
∗∗∗ Apache Commons Text vulnerability affects Netcool Operations Insight [CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999133
∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center(CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999213
∗∗∗ A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center (CVE-2023-29257, CVE-2023-29255, CVE-2023-27555, CVE-2023-26021, CVE-2023-25930, CVE-2023-26022, CV) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999215
∗∗∗ [All] Expat - CVE-2022-43680 (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999237
∗∗∗ Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to HTTP request splitting attacks (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999241
∗∗∗ IBM Copy Services Manager is vulnerable to crypto attack vulnerabilities due to IBM Java 8 vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999269
∗∗∗ IBM Db2 Mirror for i is vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981113
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 25-05-2023 18:00 − Freitag 26-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft 365 phishing attacks use encrypted RPMSG messages ∗∗∗
---------------------------------------------
Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-365-phishing-attac…
∗∗∗ Dark Frost Botnet targets the gaming sector with powerful DDoS ∗∗∗
---------------------------------------------
Researchers from Akamai discovered a new botnet called Dark Frost that was employed in distributed denial-of-service (DDoS) attacks. The botnet borrows code from several popular bot families, including Mirai, Gafgyt, and Qbot.
---------------------------------------------
https://securityaffairs.com/146683/malware/dark-frost-botnet.html
∗∗∗ New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids ∗∗∗
---------------------------------------------
A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed. Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, [...]
---------------------------------------------
https://thehackernews.com/2023/05/new-cosmicenergy-malware-exploits-ics.html
∗∗∗ Security vulnerabilities in health app: data theft would have been possible ∗∗∗
---------------------------------------------
Vulnerabilities in health apps have exposed the poor state of digitalisation in the health sector. A "secure basic infrastructure" is said to be lacking.
---------------------------------------------
https://heise.de/-9064935
∗∗∗ Cold as Ice: Unit 42 Wireshark Quiz for IcedID ∗∗∗
---------------------------------------------
IcedID is a known vector for ransomware. Analyze infection traffic from this banking trojan in our latest Wireshark tutorial.
---------------------------------------------
https://unit42.paloaltonetworks.com/wireshark-quiz-icedid/
∗∗∗ Exploiting the Sonos One Speaker Three Different Ways: A Pwn2Own Toronto Highlight ∗∗∗
---------------------------------------------
During Pwn2Own Toronto 2022, three different teams successfully exploited the Sonos One Speaker. In total, $105,000 was awarded to the three teams, with the team of Toan Pham and Tri Dang from Qrious Secure winning $60,000 since their entry was first on the schedule.
---------------------------------------------
https://www.thezdi.com/blog/2023/5/24/exploiting-the-sonos-one-speaker-thre…
∗∗∗ What is a web shell? ∗∗∗
---------------------------------------------
What are web shells? And why are attackers increasingly using them in their campaigns? We break it down in this blog.
---------------------------------------------
https://blog.talosintelligence.com/what-is-a-web-shell/
∗∗∗ New Info Stealer Bandit Stealer Targets Browsers, Wallets ∗∗∗
---------------------------------------------
This is an analysis of Bandit Stealer, a new Go-based information-stealing malware capable of evading detection as it targets multiple browsers and cryptocurrency wallets.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/new-info-stealer-bandit-stea…
=====================
= Vulnerabilities =
=====================
∗∗∗ LibreOffice vulnerabilities: risk of code smuggling with crafted documents ∗∗∗
---------------------------------------------
New LibreOffice versions close security vulnerabilities, some of them high risk. With manipulated spreadsheets attackers could inject malicious code.
---------------------------------------------
https://heise.de/-9066277
∗∗∗ Critical vulnerabilities in network management software D-Link D-View 8 closed ∗∗∗
---------------------------------------------
D-Link evidently needed almost five months to develop a security patch for D-View 8, and it is still in beta.
---------------------------------------------
https://heise.de/-9066361
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (sniproxy), Fedora (c-ares), Oracle (apr-util, curl, emacs, git, go-toolset and golang, go-toolset:ol8, gssntlmssp, libreswan, mysql:8.0, thunderbird, and webkit2gtk3), Red Hat (go-toolset-1.19 and go-toolset-1.19-golang and go-toolset:rhel8), Slackware (ntfs), SUSE (rmt-server), and Ubuntu (linux-raspi, linux-raspi-5.4 and python-django).
---------------------------------------------
https://lwn.net/Articles/933071/
∗∗∗ K000134793 : OpenJDK vulnerability CVE-2018-2952 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134793
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a heap-based buffer overflow in Perl (CVE-2020-10543) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998419
∗∗∗ IBM MQ is affected by a vulnerability in the IBM Runtime Environment, Java Technology Edition (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998353
∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998677
∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998685
∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998673
∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998679
∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998675
∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998681
∗∗∗ Vulnerability in IBM Java (CVE-2022-21426) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998705
∗∗∗ Vulnerability in OpenSSL (CVE-2022-4304, CVE-2022-4450, CVE-2023-0215 and CVE-2023-0286 ) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998707
∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998727
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998753
∗∗∗ AIX is vulnerable to security restrictions bypass due to curl (CVE-2022-32221) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998763
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 24-05-2023 18:00 − Donnerstag 25-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers target 1.5M WordPress sites with cookie consent plugin exploit ∗∗∗
---------------------------------------------
Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-15m-wordpress…
∗∗∗ A new OAuth vulnerability that may impact hundreds of online services ∗∗∗
---------------------------------------------
This post details issues identified in Expo, a popular framework used by many online services to implement OAuth (as well as other functionality). The vulnerability in the expo-auth-session library warranted a CVE assignment – CVE-2023-28131. Expo created a hotfix within the day that automatically provided mitigation, but Expo recommends that customers update their deployment to deprecate this service to fully remove the risk (see the Expo security advisory on the topic).
---------------------------------------------
https://salt.security/blog/a-new-oauth-vulnerability-that-may-impact-hundre…
∗∗∗ codeexplain.vim: A nvim plugin Powered by GPT4ALL for Real-time Code Explanation and Vulnerability Detection (no internet necessary) ∗∗∗
---------------------------------------------
codeexplain.nvim is a NeoVim plugin that uses the powerful GPT4ALL language model to provide on-the-fly, line-by-line explanations and potential security vulnerabilities for selected code directly in your NeoVim editor. It's like having your personal code assistant right inside your editor without leaking your codebase to any company.
---------------------------------------------
https://github.com/mthbernardes/codeexplain.nvim
∗∗∗ Google Authenticator: device encryption promised but not delivered ∗∗∗
---------------------------------------------
Google has given the Authenticator a backup function, but it does not encrypt the secrets. An update was supposed to change that. It does not.
---------------------------------------------
https://heise.de/-9065547
∗∗∗ Buhti: New Ransomware Operation Relies on Repurposed Payloads ∗∗∗
---------------------------------------------
Attackers use rebranded variants of leaked LockBit and Babuk ransomware payloads but use own custom exfiltration tool.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/buhti-ra…
∗∗∗ Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware ∗∗∗
---------------------------------------------
Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
---------------------------------------------
https://blog.talosintelligence.com/mercenary-intellexa-predator/
∗∗∗ Abusing Web Services Using Automated CAPTCHA-Breaking Services and Residential Proxies ∗∗∗
---------------------------------------------
This blog entry features three case studies that show how malicious actors evade the antispam, antibot, and antiabuse measures of online web services via residential proxies and CAPTCHA-breaking services.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/abusing-web-services-using-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Some critical security vulnerabilities in Mitel MiVoice Connect ∗∗∗
---------------------------------------------
Mitel's MiVoice Connect and Connect Mobility Router have security vulnerabilities, some of them critical. Updates to close them are available.
---------------------------------------------
https://heise.de/-9064992
∗∗∗ Critical security update (24 May 2023) for all Zyxel firewall products – attacks already under way ∗∗∗
---------------------------------------------
The Taiwanese manufacturer Zyxel has published a very critical security update for all of its security products. The security advisory states that the update addresses several buffer overflow vulnerabilities (CVE-2023-33009, CVE-2023-33010).
---------------------------------------------
https://www.borncity.com/blog/2023/05/25/kritisches-sicherheitsupdate-24-ma…
∗∗∗ Critical security vulnerability with top severity rating threatens GitLab ∗∗∗
---------------------------------------------
There is an important security update for the version control system GitLab. Developers should act now.
---------------------------------------------
https://heise.de/-9065150
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python2.7), Fedora (maradns), Red Hat (devtoolset-12-binutils, go-toolset and golang, httpd24-httpd, jenkins and jenkins-2-plugins, rh-ruby27-ruby, and sudo), Scientific Linux (git), Slackware (texlive), SUSE (cups-filters, poppler, texlive, distribution, golang-github-vpenso-prometheus_slurm_exporter, kubernetes1.18, kubernetes1.23, openvswitch, rmt-server, and ucode-intel), and Ubuntu (ca-certificates, calamares-settings-ubuntu, Jhead, libhtml-stripscripts-perl, and postgresql-10, postgresql-12, postgresql-14, postgresql-15).
---------------------------------------------
https://lwn.net/Articles/932994/
∗∗∗ Wacom Tablet Driver installer for macOS vulnerable to improper link resolution before file access ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN90278893/
∗∗∗ D-Link D-View 8 : v2.0.1.27 and below : TrendMicro (ZDI) Reported Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ Autodesk: Multiple Vulnerabilities in PSKernel component used by specific Autodesk products ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0009
∗∗∗ Autodesk: Privilege Escalation Vulnerability in the Autodesk Installer Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0010
∗∗∗ F5: K000134768 : Linux kernel vulnerability CVE-2022-4378 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134768
∗∗∗ F5: K000134770 : Linux kernel vulnerability CVE-2022-42703 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134770
∗∗∗ Moxa MXsecurity Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-145-01
∗∗∗ Nextcloud: Blind SSRF in the Mail app on avatar endpoint ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8…
∗∗∗ Nextcloud: Contacts - PHOTO svg only sanitized if mime type is all lower case ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h…
∗∗∗ Nextcloud: Error in calendar when booking an appointment reveals the full path of the website ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2…
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6987493
∗∗∗ IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998037
∗∗∗ IBM Planning Analytics Workspace has addressed a vulnerability in SnakeYaml (CVE-2022-1471) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998025
∗∗∗ Vulnerability from log4j-1.2.16.jar affect IBM Operations Analytics - Log Analysis (CVE-2023-26464) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998333
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer operands that run Designer flows are vulnerable to arbitrary code execution due to [CVE-2022-37614] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998341
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2023-2251] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998357
∗∗∗ A vulnerability in Etcd-io could affect IBM CICS TX Standard [CVE-2021-28235] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998361
∗∗∗ A vulnerability in Etcd-io could affect IBM CICS TX Advanced [CVE-2021-28235] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998367
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to arbitrary code execution due to [CVE-2023-30547] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998381
∗∗∗ Due to the use of Apache spring-web, IBM ECM Content Management Interoperability Services (CMIS) is affected by remote code execution (RCE) security vulnerability CVE-2016-1000027 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998405
∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998391