Daily

daily@lists.cert.at

1 participants
3200 discussions

Tageszusammenfassung - 24.10.2023
by Daily end-of-shift report 24 Oct '23

24 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 23-10-2023 18:00 − Dienstag 24-10-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Log in With... Feature Allows Full Online Account Takeover for Millions ∗∗∗ --------------------------------------------- Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems. --------------------------------------------- https://www.darkreading.com/remote-workforce/oauth-log-in-full-account-take… ∗∗∗ Hostile Takeover: Malicious Ads via Facebook ∗∗∗ --------------------------------------------- Criminals hijack business accounts on Facebook and run their own advertising campaigns in someone elses name and at the expense of those affected. --------------------------------------------- https://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads ∗∗∗ Stealer for PIX payment system, new Lumar stealer and Rhysida ransomware ∗∗∗ --------------------------------------------- In this report, we share our latest crimeware findings: GoPIX targeting PIX payment system; Lumar stealing files and passwords; Rhysida ransomware supporting old Windows. --------------------------------------------- https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/ ∗∗∗ Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar ∗∗∗ --------------------------------------------- The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts. --------------------------------------------- https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html ∗∗∗ Citrix Bleed: Leaking Session Tokens with CVE-2023-4966 ∗∗∗ --------------------------------------------- We were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued our interest. --------------------------------------------- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-to… ∗∗∗ Best Practices for Writing Quality Vulnerability Reports ∗∗∗ --------------------------------------------- How to write great vulnerability reports? If you’re a security consultant, penetration tester or a bug bounty hunter, these tips are for you! --------------------------------------------- https://itnext.io/best-practices-for-writing-quality-vulnerability-reports-… ∗∗∗ Kriminelle verbreiten falsche Ryanair-Telefonnummern ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie im Internet nach einer Telefonnummer von Ryanair suchen. Kriminelle stellen Webseiten mit falschen Nummern ins Netz. Wenn Sie bei der falschen Ryanair-Servicehotline anrufen, stehlen Kriminelle Ihnen sensible Daten und Geld. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-verbreiten-falsche-ryanai… ∗∗∗ LOLBin mit WorkFolders.exe unter Windows ∗∗∗ --------------------------------------------- Die legitime Windows-Anwendung WorkFolders.exe lässt sich verwenden, um andere .exe-Programme im Windows-Ordner System32 oder im aktuellen Ordner zu starten. Dies ermöglicht Malware sogenannte LOLBin-Angriffe, bei der legitime Betriebssystemdateien zur Ausführung von Schadprogrammen missbraucht werden. --------------------------------------------- https://www.borncity.com/blog/2023/10/24/lolbin-mit-workfolders-exe-unter-w… ∗∗∗ The Great CVSS Bake Off: Testing How CVSS v4 Performs Versus v3 ∗∗∗ --------------------------------------------- The highly anticipated Common Vulnerability Scoring System (CVSS) version 4 is planned to be released on October 31st by the Forum of Incident Response and Security Teams (FIRST). --------------------------------------------- https://orca.security/resources/blog/cvss-version-4-versus-version-3/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMware warns admins of public exploit for vRealize RCE flaw ∗∗∗ --------------------------------------------- VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs). --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-publi… ∗∗∗ Viele Systeme längst kompromittiert: Cisco stellt Patches für IOS XE bereit ∗∗∗ --------------------------------------------- Durch Schwachstellen in der Betriebssoftware IOS XE sind weltweit Zehntausende von Cisco-Geräten infiltriert worden. Jetzt gibt es erste Patches. --------------------------------------------- https://www.golem.de/news/viele-systeme-laengst-kompromittiert-cisco-stellt… ∗∗∗ CVE-2023-33466 - Exploiting Healthcare Servers with Polyglot Files ∗∗∗ --------------------------------------------- Orthanc is an open source software to manage, exchange and visualize medical imaging data. In versions < 1.12.0, it is affected by an arbitrary file overwrite vulnerability (CVE-2023-33466) that might allow an authenticated attacker to obtain RCE on the system. --------------------------------------------- https://www.shielder.com/blog/2023/10/cve-2023-33466-exploiting-healthcare-… ∗∗∗ Proxy: Squid-Entwickler dichten teils kritische Lecks in Version 6.4 ab ∗∗∗ --------------------------------------------- Mit Squid 6.4 haben die Entwickler eine um vier Sicherheitslücken bereinigte Version des Proxy-Servers vorgelegt. Es klaffen jedoch weitere Lücken darin. --------------------------------------------- https://www.heise.de/news/Proxy-Squid-6-4-schliesst-teils-kritische-Sicherh… ∗∗∗ Lücke in LiteSpeed-Cache-Plug-in gefährdet 4 Millionen WordPress-Websites ∗∗∗ --------------------------------------------- Angreifer können WordPress-Websites mit Schadcode-Skripten verseuchen. Ein Sicherheitsupdate repariert das LiteSpeed-Cache-Plug-in. --------------------------------------------- https://www.heise.de/news/Luecke-in-LiteSpeed-Cache-Plug-in-gefaehrdet-4-Mi… ∗∗∗ Sicherheitsupdates: Firefox-Browser anfällig für Clickjacking-Attacken ∗∗∗ --------------------------------------------- Mozilla hat in aktuellen Versionen von Firefox und Firefox ESR mehrere Sicherheitsprobleme gelöst. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Firefox-Browser-anfaellig-fuer… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ceph and dbus), Fedora (cachelib, fb303, fbthrift, fizz, folly, matrix-synapse, mcrouter, mvfst, nats-server, nodejs18, proxygen, wangle, watchman, and wdt), Mageia (libcue), Oracle (18, grafana, kernel, nodejs, nodejs:16, nodejs:18, php, php:8.0, and tomcat), Red Hat (python27:2.7, python3, python39:3.9, python39-devel:3.9, toolbox, varnish, and varnish:6), SUSE (fwupdate, gcc13, icu73_2, netty, netty-tcnative, and xen), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/948688/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Vulnerability in SICK Flexi Soft Gateway ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-164691.html ∗∗∗ Rockwell Automation Stratix 5800 and Stratix 5200 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-297-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2023
by Daily end-of-shift report 23 Oct '23

23 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-10-2023 18:00 − Montag 23-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sessioncookies: Hacker erbeuten Zugangscodes bei Identitätsdienst Okta ∗∗∗ --------------------------------------------- Der Identitätsdienst Okta ist ein weiteres Mal das Einfallstor für Hacker gewesen. Dieses Mal betraf es Daten des Kundensupports. --------------------------------------------- https://www.golem.de/news/sessioncookies-hacker-erbeuten-zugangscodes-bei-i… ∗∗∗ Erst nach 3 Jahren gefixt: Zeiterfassungssystem ermöglichte OAuth-Token-Diebstahl ∗∗∗ --------------------------------------------- Harvest ermöglichte es Angreifern, OAuth-Token von Nutzern zu stehlen, die die Zeiterfassungssoftware mit Outlook verbinden wollten. --------------------------------------------- https://www.golem.de/news/erst-nach-3-jahren-gefixt-zeiterfassungssystem-er… ∗∗∗ Die MOVEit-Sicherheitslücke – eine Zwischenbilanz ∗∗∗ --------------------------------------------- Selbst wer die Software nicht verwendet, kann ein Opfer sein. Schätzungen gehen bisher von rund 68 Millionen Personen aus, deren Daten abgeflossen sind. --------------------------------------------- https://www.heise.de/-9318038.html ∗∗∗ Internationalen Ermittlungsbehörden gelingt Schlag gegen Ragnar Locker ∗∗∗ --------------------------------------------- Internationalen Ermittlern ist es gelungen, die Infrastruktur der bekannten Ransomware-Gruppierung Ragnar Locker zu zerschlagen. --------------------------------------------- https://www.heise.de/-9340480.html ∗∗∗ Cisco IOS XE und die verschwundenen Hintertüren ∗∗∗ --------------------------------------------- Die Anzahl der offensichtlich kompromittierten Geräte ist auch in Deutschland schlagartig gefallen, was wohl kaum an den gerade erschienenen Patches liegt. --------------------------------------------- https://www.heise.de/-9341205.html ∗∗∗ New TetrisPhantom hackers steal data from secure USB drives on govt systems ∗∗∗ --------------------------------------------- A new sophisticated threat tracked as TetrisPhantom has been using compromised secure USB drives to target government systems in the Asia-Pacific region. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-tetrisphantom-hackers-st… ∗∗∗ The outstanding stealth of Operation Triangulation ∗∗∗ --------------------------------------------- In this report Kaspersky shares insights into the validation components used in Operation Triangulation, TriangleDB implant post-compromise activity, as well as details of some additional modules. --------------------------------------------- https://securelist.com/triangulation-validators-modules/110847/ ∗∗∗ base64dump.py Handles More Encodings Than Just BASE64, (Sun, Oct 22nd) ∗∗∗ --------------------------------------------- My tool base64dump.py takes any input and searches for encoded data. By default, it searches for base64 encoding, but I implemented several encodings (like vaious hexadecimal formats) --------------------------------------------- https://isc.sans.edu/diary/rss/30332 ∗∗∗ How an AppleTV may take down your (#IPv6) network, (Mon, Oct 23rd) ∗∗∗ --------------------------------------------- I recently ran into an odd issue with IPv6 connectivity in my home network. During a lengthy outage, I decided to redo some of my network configurations. As part of this change, I also reorganized my IPv6 setup, relying more on DHCPv6 and less on router advertisements to configure IPv6 addresses. Overall, this worked well. My Macs had no issues connecting to IPv6. However, the Linux host I use to alert me of network connectivity issues could not "ping" the test host via IPv6. --------------------------------------------- https://isc.sans.edu/diary/rss/30336 ∗∗∗ Tampered OpenCart Authentication Aids Credit Card Skimming Attack ∗∗∗ --------------------------------------------- Using out of date software is the leading cause of website compromise, so keeping your environment patched and up to date is one of the most important responsibilities of a website administrator. It’s not uncommon to employ the use of custom code on websites, and spend small fortunes on software developers to tailor their website just the way they want it. However, the usage of customised code can sometimes inadvertently lock a website administrator into using an out of date CMS installation long after its expiry date, particularly if they no longer have access to their old developer (or sufficient funds to hire a new one). --------------------------------------------- https://blog.sucuri.net/2023/10/tampered-opencart-authentication-aids-credi… ∗∗∗ Abusing gdb Features for Data Ingress & Egress ∗∗∗ --------------------------------------------- As of November 2019, elfutils supports debuginfod, a client/server protocol that enables debuggers (gdb) to fetch debugging symbols via HTTP/HTTPs from a user-specified remote server. This blog post will demonstrate how this feature of gdb can be abused to create data communication paths for data exfiltration and tool ingress. --------------------------------------------- https://www.archcloudlabs.com/projects/debuginfod/ ∗∗∗ Vorsicht vor Jobangeboten auf WhatsApp oder Telegram ∗∗∗ --------------------------------------------- Sie suchen gerade einen Job? Praktisch, wenn Sie gar nicht suchen müssen und Sie direkt auf WhatsApp oder Telegram einen Job angeboten bekommen. Dahinter stecken aber Kriminelle, die Ihnen z. B. einen „Datenoptimierungsjob mit möglichen Provisionen“ anbieten. Auf Plattformen wie privko.live oder depopnr.com verlieren Sie dann Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-auf-whatsa… ∗∗∗ Important security update ∗∗∗ --------------------------------------------- Autodesk recently determined that an unauthorized third-party obtained access to portions of internal systems. Our findings show that sensitive data about our customers and their projects or products have not been compromised. We immediately took steps to contain the incident. Forensic analysis conducted by an independent, third party indicates that no customer operations or Autodesk products were disrupted due to this incident. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0020 ∗∗∗ Kritische Sicherheitslücke in Cisco IOS XE - aktiv ausgenützt ∗∗∗ --------------------------------------------- Update: 23. Oktober 2023 Cisco hat für einige der von der Schwachstelle betroffenen Geräte Aktualisierungen veröffentlicht, und weitere Updates angekündigt. Das Unternehmen aktualisiert die Liste an verfügbaren Patches auf einer dedizierten Seite laufend. Wenn das Management-WebInterface eines Cisco XE Gerätes vor dem Einspielen des Updates offen im Netz erreichbar war, ist davon auszugehen, dass ein Angreifer dies ausgenutzt hat und zumindest neue Admin-Accounts angelegt hat. Damit ist die Installation von weiteren Hintertüren möglich, die - aus heutiger Sicht - nur mit einem Factory Reset / Neuinstallation von IOS XE umfassend entfernt werden können --------------------------------------------- https://cert.at/de/warnungen/2023/10/kritische-sicherheitslucke-in-cisco-io… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗ --------------------------------------------- Version 1.4: Updated the summary to indicate the first fixes are available. Added specific fixed release information. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (krb5, redis, roundcube, ruby-rack, ruby-rmagick, zabbix, and zookeeper), Fedora (ansible-core, chromium, libvpx, mingw-xerces-c, python-asgiref, python-django, and vim), Mageia (cadence, kernel, kernel-linus, libxml2, nodejs, and shadow-utils), Oracle (nghttp2), Slackware (LibRaw), and SUSE (chromium, java-11-openjdk, nodejs18, python-Django, python-urllib3, and suse-module-tools). --------------------------------------------- https://lwn.net/Articles/948522/ ∗∗∗ Vulnerability in QUSBCam2 ∗∗∗ --------------------------------------------- An OS command injection vulnerability has been reported to affect QUSBCam2. If exploited, the vulnerability could allow users to execute arbitrary commands via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-43 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2023
by Daily end-of-shift report 20 Oct '23

20 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-10-2023 18:00 − Freitag 20-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malvertising: Angreifer nutzen Punycode für gefälschte Webseiten ∗∗∗ --------------------------------------------- Cyberkriminelle werben über Google Ads etwa mit gefälschten KeePass-URLs mit Punycode-Zeichen. Die beworbene Seite liefert Malware aus. --------------------------------------------- https://www.heise.de/-9339448.html ∗∗∗ SolarWinds behebt Codeschmuggel in Access Rights Manager ∗∗∗ --------------------------------------------- Die Software zur Verwaltung von Zugriffsberechtigungen hat unter anderem Fehler, die eine Rechteausweitung ermöglichten. Admins sollten zügig handeln. --------------------------------------------- https://www.heise.de/-9339437.html ∗∗∗ VMware dichtet hochriskante Lecks in Aria, Fusion und Workstation ab ∗∗∗ --------------------------------------------- VMware hat Updates für VMNware Aria Operations for Logs, VMware Fusion sowie VMware Workstation veröffentlicht. Sie schließen teils hochriskante Lücken. --------------------------------------------- https://www.heise.de/-9339932.html ∗∗∗ IT-Sicherheitsbehörden geben Tipps für sichere Software und Phishing-Prävention ∗∗∗ --------------------------------------------- Die US-Sicherheitsbehörde CISA veröffentlicht mit internationalen Partnern je eine Handreichung zu sicherem Software-Entwurf und zur Phishing-Prävention. --------------------------------------------- https://www.heise.de/-9339899.html ∗∗∗ Cybersicherheit ermöglichen – BSI veröffentlicht Checklisten für Kommunen ∗∗∗ --------------------------------------------- Das BSI bietet Kommunen nun einen unkomplizierten und ressourcenschonenden Einstieg in den etablierten IT-Grundschutz des BSI. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Fake Corsair job offers on LinkedIn push DarkGate malware ∗∗∗ --------------------------------------------- A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware like DarkGate and RedLine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-corsair-job-offers-on-l… ∗∗∗ ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges ∗∗∗ --------------------------------------------- A new information stealer named ExelaStealer has become the latest entrant to an already crowded landscape filled with various off-the-shelf malware designed to capture sensitive data from compromised Windows systems. "ExelaStealer is a largely open-source infostealer with paid customizations available from the threat actor," Fortinet FortiGuard Labs researcher James Slaughter said [...] --------------------------------------------- https://thehackernews.com/2023/10/exelastealer-new-low-cost-cybercrime.html ∗∗∗ Ghost In The Wire, Sonic In The Wall - Adventures With SonicWall ∗∗∗ --------------------------------------------- Here at watchTowr, we just love attacking high-privilege devices [...]. A good example of these is the device class of ‘next generation’ firewalls, which usually include VPN termination functionality (meaning they’re Internet-accessible by network design). These devices patrol the border between the untrusted Internet and an organisation’s softer internal network, and so are a great place for attackers to elevate their status from ‘outsiders’ to ‘trusted users’. --------------------------------------------- https://labs.watchtowr.com/ghost-in-the-wire-sonic-in-the-wall/ ∗∗∗ VMware Aria Operations for Logs CVE-2023-34051 Technical Deep Dive and IOCs ∗∗∗ --------------------------------------------- Earlier this year we reported the technical details for VMSA-2023-0001 affecting VMware Aria Operations for Logs (formerly VMware vRealize Log Insight). [...] During the course of that investigation, we noticed the fix provided by VMware was not sufficient to stop a motivated attacker. We reported this new issue to VMware and it was fixed in VMSA-2023-0021. This post will discuss the technical details of CVE-2023-34051, an authentication bypass that allows remote code execution as root. --------------------------------------------- https://www.horizon3.ai/vmware-aria-operations-for-logs-cve-2023-34051-tech… ∗∗∗ Concerns grow as LockBit knockoffs increasingly target popular vulnerabilities ∗∗∗ --------------------------------------------- Hackers are using a leaked toolkit used to create do-it-yourself versions of the popular LockBit ransomware, making it easy for even amateur cybercriminals to target common vulnerabilities. The LockBit ransomware gang, which has attacked thousands of organizations across the world, had the toolkit leaked in September 2022 by a disgruntled affiliate. --------------------------------------------- https://therecord.media/lockbit-knockoffs-proliferate-leaked-toolkit ∗∗∗ Attacks on 5G Infrastructure From User Devices: ASN.1 Vulnerabilities in 5G Cores ∗∗∗ --------------------------------------------- In the second part of this series, we will examine how attackers can trigger vulnerabilities by sending control messages masquerading as user traffic to cross over from user plane to control plane. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/j/asn1-vulnerabilities-in-5g-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IOS XE Software Web UI Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Version 1.2: Added access list mitigation. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Command Injection Vulnerability ∗∗∗ --------------------------------------------- Version 1.1: Added information about active exploitation attempts. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ RT 5.0.5 Release Notes ∗∗∗ --------------------------------------------- RT 5.0.5 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, there are several important security updates provided in this release. See below for details. --------------------------------------------- https://docs.bestpractical.com/release-notes/rt/5.0.5 ∗∗∗ RT 4.4.7 Release Notes ∗∗∗ --------------------------------------------- RT 4.4.7 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, there are several important security updates provided in this release. See below for details. --------------------------------------------- https://docs.bestpractical.com/release-notes/rt/4.4.7 ∗∗∗ VMSA-2023-0022 ∗∗∗ --------------------------------------------- VMware Fusion and Workstation updates address privilege escalation and information disclosure vulnerabilities (CVE-2023-34044, CVE-2023-34045, CVE-2023-34046) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0022.html ∗∗∗ VMSA-2023-0021 ∗∗∗ --------------------------------------------- VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0021.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-5.10 and webkit2gtk), Fedora (matrix-synapse and trafficserver), Mageia (chromium-browser-stable, ghostscript, libxpm, and ruby-RedCloth), Oracle (.NET 7.0, curl, dotnet7.0, galera, mariadb, go-toolset, golang, java-1.8.0-openjdk, and python-reportlab), Red Hat (php, php:8.0, tomcat, and varnish), Slackware (httpd), SUSE (bluetuith, grub2, kernel, rxvt-unicode, and suse-module-tools), and Ubuntu (dotnet6, dotnet7, dotnet8, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15,linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-intel-iotg, linux-oem-6.1, linux-raspi, and mutt). --------------------------------------------- https://lwn.net/Articles/948368/ ∗∗∗ Kritische Sicherheitslücke in Citrix NetScaler ADC und NetScaler Gateway - aktiv ausgenutzt - Updates verfügbar ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle in Citrix/Netscaler ADC und Citrix Gateway erlaubt es unauthentifizierten Angreifer:innen, bestehende, authentifizierte Sessions zu übernehmen. Diese Schwachstelle wird zumindest seit Ende August 2023 bei Angriffen gegen Ziele in verschiedenen Sektoren aktiv ausgenutzt. --------------------------------------------- https://cert.at/de/warnungen/2023/10/kritische-sicherheitslucke-in-citrix-n… ∗∗∗ Multiple vulnerabilities in ctrlX WR21 HMI ∗∗∗ --------------------------------------------- BOSCH-SA-175607: The operating system of the ctrlX WR21 HMI has several vulnerabilities when the Kiosk mode is used in conjunction with Google Chrome. In worst case, an attacker with physical access to the device might gain full root access without prior authentication by combining the exploitation of those vulnerabilities. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-175607.html ∗∗∗ CVE-2023-38041 New client side release to address a privilege escalation on Windows user machines ∗∗∗ --------------------------------------------- A vulnerability exists on all versions of the Ivanti Secure Access Client Below 22.6R1 that would allow an unprivileged local user to gain unauthorized elevated privileges on the affected system. --------------------------------------------- https://forums.ivanti.com/s/article/CVE-2023-38041-New-client-side-release-… ∗∗∗ Decision Optimization in IBM Cloud Pak for Data is affected by a vulnerability in Node.js semver package (CVE-2022-25883) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056400 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime affect IBM ILOG CPLEX Optimization Studio (CVE-2023-21968, CVE-2023-21937, CVE-2023-21938) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056397 ∗∗∗ Improper input validation may lead to a Denial of Service attack in web services with IBM CICS TX Standard and IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056433 ∗∗∗ IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to electron ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056425 ∗∗∗ Improper input validation may lead to a Denial of Service attack in web services with IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056429 ∗∗∗ IBM Integration Bus is vulnerable to a denial of service due to Eclipse Mosquitto ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056456 ∗∗∗ IBM App Connect Enterprise Toolkit and IBM Integration Bus Toolkit are vulnerable to a denial of service due to Okio GzipSource (CVE-2023-3635). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056518 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2023
by Daily end-of-shift report 19 Oct '23

19 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-10-2023 18:00 − Donnerstag 19-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Money-making scripts attack organizations ∗∗∗ --------------------------------------------- Cybercriminals attack government, law enforcement, non-profit organizations, agricultural and commercial companies by slipping a cryptominer, keylogger, and backdoor into their systems. --------------------------------------------- https://securelist.com/miner-keylogger-backdoor-attack-b2b/110761/ ∗∗∗ HasMySecretLeaked findet auf GitHub veröffentlichte Secrets ∗∗∗ --------------------------------------------- Wer prüfen möchte, ob seine Secrets auf GitHub geleakt sind, kann das kostenfreie Toolset von GitGuardian nutzen. Es soll dabei private Daten schützen. --------------------------------------------- https://www.heise.de/news/Security-Toolset-HasMySecretLeaked-sucht-auf-GitH… ∗∗∗ Public Report – Caliptra Security Assessment ∗∗∗ --------------------------------------------- During August and September of 2023, Microsoft engaged NCC Group to conduct a security assessment of Caliptra v0.9. Caliptra is an open-source silicon IP block for datacenter-focused server-class ASICs. --------------------------------------------- https://research.nccgroup.com/2023/10/18/public-report-caliptra-security-as… ∗∗∗ Number of Cisco Devices Hacked via Unpatched Vulnerability Increases to 40,000 ∗∗∗ --------------------------------------------- The number of Cisco devices hacked via the CVE-2023-20198 zero-day has reached 40,000, including many in the US. --------------------------------------------- https://www.securityweek.com/number-of-cisco-devices-hacked-via-unpatched-v… ∗∗∗ Ein PayPal-Tonband ruft an? Drücken Sie nicht die 1! ∗∗∗ --------------------------------------------- Eine unbekannte Nummer erscheint am Smartphone-Bildschirm. Sie heben ab und eine Roboterstimme meldet sich im Namen PayPals. Angeblich soll Geld von Ihrem PayPal-Konto behoben werden. Um das zu verhindern, sollen Sie die Taste „1“ drücken. Tun Sie dies nicht – Kriminelle versuchen, Ihnen dadurch Geld und Daten zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/ein-paypal-tonband-ruft-an-druecken-… ∗∗∗ Es cyberwart wieder. Oder so. ∗∗∗ --------------------------------------------- Wie schon zu Beginn des Krieges in der Ukraine vor inzwischen eineinhalb Jahren kam es auch kurz nach den Ereignissen, die am 07.10.2023 Israel erschüttert haben, relativ schnell zu Berichten über die mögliche Rolle von Cyberangriffen in diesem Konflikt. --------------------------------------------- https://cert.at/de/blog/2023/10/es-cyberwart-wieder-oder-so ∗∗∗ Hackers Exploit QR Codes with QRLJacking for Malware Distribution ∗∗∗ --------------------------------------------- Researchers report a surge in QR code-related cyberattacks exploiting phishing and malware distribution, especially QRLJacking and Quishing attacks. --------------------------------------------- https://www.hackread.com/hackers-exploit-qr-codes-qrljacking-malware/ ∗∗∗ CISA, NSA, FBI, MS-ISAC Publish Guide on Preventing Phishing Intrusions ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) today published “Phishing Guidance, Stopping the Attack Cycle at Phase One” to help organizations reduce likelihood and impact of successful phishing attacks. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-nsa-fbi-ms-isac-publish-guide-pr… ∗∗∗ Exploited SSH Servers Offered in the Dark web as Proxy Pools ∗∗∗ --------------------------------------------- Aqua Nautilus researchers have shed brighter light on a long-standing threat to SSH in the context of the cloud. More specifically, the threat actor harnessed our SSH server to be a slave proxy and pass traffic through it. --------------------------------------------- https://blog.aquasec.com/threat-alert-exploited-ssh-servers-offered-in-the-… ===================== = Vulnerabilities = ===================== ∗∗∗ Casio discloses data breach impacting customers in 149 countries ∗∗∗ --------------------------------------------- Japanese electronics manufacturer Casio disclosed a data breach impacting customers from 149 countries after hackers gained to the servers of its ClassPad education platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/casio-discloses-data-breach-… ∗∗∗ Sophos Firewall: PDF-Passwortschutz der SPX-Funktion umgehbar ∗∗∗ --------------------------------------------- Sophos verteilt aktualisierte Firmware für die Firewalls. Im Secure PDF eXchange können Angreifer den Schutz umgehen und unbefugt PDF-Dateien entschlüsseln. --------------------------------------------- https://www.heise.de/news/Sophos-Firewall-PDF-Passwortschutz-der-SPX-Funkti… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-babel), Fedora (moodle), Gentoo (mailutils), Oracle (go-toolset:ol8 and java-11-openjdk), Red Hat (ghostscript, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, nghttp2, nodejs:16, nodejs:18, and rhc-worker-script), SUSE (cni, cni-plugins, container-suseconnect, containerd, cups, exim, grub2, helm, libeconf, nodejs18, python3, runc, slurm, supportutils, and tomcat), and Ubuntu (glib2.0, openssl, and vips). --------------------------------------------- https://lwn.net/Articles/948246/ ∗∗∗ ZDI-23-1568: NI Measurement & Automation Explorer Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1568/ ∗∗∗ ZDI-23-1567: SolarWinds Access Rights Manager OpenClientUpdateFile Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1567/ ∗∗∗ ZDI-23-1566: SolarWinds Access Rights Manager GetParameterFormTemplateWithSelectionState Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1566/ ∗∗∗ ZDI-23-1565: SolarWinds Access Rights Manager OpenFile Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1565/ ∗∗∗ ZDI-23-1564: SolarWinds Access Rights Manager createGlobalServerChannelInternal Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1564/ ∗∗∗ ZDI-23-1563: SolarWinds Access Rights Manager ExecuteAction Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1563/ ∗∗∗ ZDI-23-1562: SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1562/ ∗∗∗ ZDI-23-1561: SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1561/ ∗∗∗ ZDI-23-1560: SolarWinds Access Rights Manager IFormTemplate Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1560/ ∗∗∗ Cisco Catalyst SD-WAN Manager Local File Inclusion Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE-2023-24052) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2023/10/19/technical-advisory-multiple-vulner… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2023
by Daily end-of-shift report 18 Oct '23

18 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-10-2023 18:00 − Mittwoch 18-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious Notepad++ Google ads evade detection for months ∗∗∗ --------------------------------------------- A new Google Search malvertizing campaign targets users looking to download the popular Notepad++ text editor, employing advanced techniques to evade detection and analysis. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-notepad-plus-plus-… ∗∗∗ Over 40,000 admin portal accounts use admin as a password ∗∗∗ --------------------------------------------- Security researchers found that IT administrators are using tens of thousands of weak passwords to protect access to portals, leaving the door open to cyberattacks on enterprise networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-40-000-admin-portal-acc… ∗∗∗ Recently patched Citrix NetScaler bug exploited as zero-day since August ∗∗∗ --------------------------------------------- A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced. --------------------------------------------- https://www.bleepingcomputer.com/news/security/recently-patched-citrix-nets… ∗∗∗ Hiding in Hex, (Wed, Oct 18th) ∗∗∗ --------------------------------------------- There are a variety of attacks seen from DShield honeypots [1]. Most of the time these commands are human readable. but every now and again they are obfuscated using base64 or hex encoding. A quick look for commands containing the "/x" delimiter give a lot of results encoded in hexadecimal. --------------------------------------------- https://isc.sans.edu/diary/rss/30322 ∗∗∗ Qubitstrike Targets Jupyter Notebooks with Crypto Mining and Rootkit Campaign ∗∗∗ --------------------------------------------- Dubbed Qubitstrike by Cado, the intrusion set utilizes Telegram API to exfiltrate cloud service provider credentials following a successful compromise. "The payloads for the Qubitstrike campaign are all hosted on codeberg.org – an alternative Git hosting platform, providing much of the same functionality as GitHub," security researchers Matt Muir and Nate Bill said in a Wednesday write-up. --------------------------------------------- https://thehackernews.com/2023/10/qubitstrike-targets-jupyter-notebooks.html ∗∗∗ BlackCat Climbs the Summit With a New Tactic ∗∗∗ --------------------------------------------- BlackCat ransomware gang has released a utility called Munchkin, allowing attackers to propagate their payload to remote machines. We analyze this new tool. --------------------------------------------- https://unit42.paloaltonetworks.com/blackcat-ransomware-releases-new-utilit… ∗∗∗ Updated MATA attacks industrial companies in Eastern Europe ∗∗∗ --------------------------------------------- Kaspersky experts discovered several detections of malware from the MATA cluster, previously attributed to the Lazarus group, compromising defense contractor companies in Eastern Europe. --------------------------------------------- https://ics-cert.kaspersky.com/publications/updated-mata-attacks-industrial… ∗∗∗ Where Has the MS Office Document Malware Gone? ∗∗∗ --------------------------------------------- Infostealers, which steal user account credentials saved in web browsers or email clients, constitute the majority of attacks targeting general or corporate users. Related information was shared through the ASEC Blog in December of last year. [1] While the distribution method for the named malware differs slightly depending on their main features, Infostealer-type malware typically uses malicious sites disguised as pages for downloading legitimate programs as their distribution route. --------------------------------------------- https://asec.ahnlab.com/en/57883/ ∗∗∗ CISA Updates Toolkit to Promote Public Safety Communications and Cyber Resiliency ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) collaborates with public safety, national security, and emergency preparedness communities to enhance seamless and secure communications to keep America safe, secure, and resilient. Any interruption in communications can have a cascading effect, impacting a public safety agency’s ability to deliver critical lifesaving services to the community. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-updates-toolkit-promote-public-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Oracle veröffentlicht 387 Sicherheits-Patches ∗∗∗ --------------------------------------------- Der vierteljährliche Patchday von Oracle hat stattgefunden. Er bringt im Oktober 387 Updates für mehr als 120 Produkte. --------------------------------------------- https://www.heise.de/-9337238 ∗∗∗ AMD-Grafiktreiber: Codeschmuggel durch Sicherheitslücke möglich ∗∗∗ --------------------------------------------- AMD warnt vor einer Sicherheitslücke in den eigenen Grafiktreibern. Angreifer könnten Code einschleusen und mit erhöhten Rechten ausführen. --------------------------------------------- https://www.heise.de/-9337480 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (slurm-wlm), Fedora (icecat and python-configobj), Oracle (dotnet6.0, kernel-container, nginx, nginx:1.20, nginx:1.22, and python3.9), Red Hat (bind9.16, curl, dotnet6.0, kernel-rt, kpatch-patch, nghttp2, nodejs, python-reportlab, and virt:rhel), Slackware (util), SUSE (buildah, conmon, erlang, glibc, kernel, nghttp2, opensc, python-urllib3, samba, slurm, and suse-module-tools), and Ubuntu (frr, linux-azure, and pmix). --------------------------------------------- https://lwn.net/Articles/948097/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2023
by Daily end-of-shift report 17 Oct '23

17 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 16-10-2023 18:00 − Dienstag 17-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Discord still a hotbed of malware activity — Now APTs join the fun ∗∗∗ --------------------------------------------- Discord continues to be a breeding ground for malicious activity by hackers and now APT groups, with it commonly used to distribute malware, exfiltrate data, and targeted by threat actors to steal authentication tokens. --------------------------------------------- https://www.bleepingcomputer.com/news/security/discord-still-a-hotbed-of-ma… ∗∗∗ A hack in hand is worth two in the bush ∗∗∗ --------------------------------------------- We analyzed the data published by Cyber Av3ngers and found it to be sourced from older leaks by another hacktivist group called Moses Staff. --------------------------------------------- https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/ ∗∗∗ Android Mobile Root Detection – Snake Oil or Silver Bullet? ∗∗∗ --------------------------------------------- Android is one of the most widely used mobile operating systems in the world. However, with its widespread use, it is also susceptible to security threats. --------------------------------------------- https://sec-consult.com/blog/detail/android-mobile-root-detection-snake-oil… ∗∗∗ NSA Publishes ICS/OT Intrusion Detection Signatures and Analytics ∗∗∗ --------------------------------------------- NSA has released Elitewolf, a repository of intrusion detection signatures and analytics for OT environments. --------------------------------------------- https://www.securityweek.com/nsa-publishes-ics-ot-intrusion-detection-signa… ∗∗∗ Betrügerische Spendenorganisationen sammeln Geld für Israel ∗∗∗ --------------------------------------------- Kriminelle wissen, dass die Spendenbereitschaft in Krisensituationen besonders hoch ist. Nur wenige Tage nach dem Anschlag in Israel tauchen im Netz betrügerische Spenden-Websiten für Israel auf. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-spendenorganisationen… ∗∗∗ Snapshot fuzzing direct composition with WTF ∗∗∗ --------------------------------------------- Although there is public research on Direct Composition, only a few discuss fuzzing this feature, and none, to our knowledge, that covers snapshot fuzzing. --------------------------------------------- https://blog.talosintelligence.com/snapshot-fuzzing-direct-composition-with… ∗∗∗ Principles for ransomware-resistant cloud backups ∗∗∗ --------------------------------------------- Helping to make cloud backups resistant to the effects of destructive ransomware. --------------------------------------------- https://www.ncsc.gov.uk/guidance/principles-for-ransomware-resistant-cloud-… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software ∗∗∗ --------------------------------------------- Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems. --------------------------------------------- https://thehackernews.com/2023/10/critical-vulnerabilities-uncovered-in.html ∗∗∗ Cisco: Schwere Sicherheitslücke in IOS XE ermöglicht Netzwerk-Übernahme ∗∗∗ --------------------------------------------- Geräte mit IOS XE und Web-UI können von Angreifern ohne Weiteres aus der Ferne übernommen werden. Cisco hat keine Patches, aber Empfehlungen für Betroffene. --------------------------------------------- https://www.heise.de/news/Cisco-Schwere-Sicherheitsluecke-in-IOS-XE-erlaubt… ∗∗∗ SonicOS: Angreifer können Sonicwalls abstürzen lassen ∗∗∗ --------------------------------------------- Sonicwall hat Updates für SonicOS veröffentlicht, die Sicherheitslücken schließen. Die Lecks erlauben Angreifern, verwundbare Geräte lahmzulegen. --------------------------------------------- https://www.heise.de/news/SonicOS-Angreifer-koennen-Sonicwalls-abstuerzen-l… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (axis, nghttp2, node-babel7, and tomcat9), Fedora (curl and ghostscript), Oracle (bind, kernel-container, mariadb:10.5, and python3.11), Red Hat (.NET 7.0, go-toolset, golang, and go-toolset:rhel8), SUSE (kernel, libcue, libxml2, python-Django, and python-gevent), and Ubuntu (curl, ghostscript, iperf3, libcue, python2.7, quagga, and samba). --------------------------------------------- https://lwn.net/Articles/948010/ ∗∗∗ K000137211 : cURL vulnerabilities CVE-2023-38546 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137211 ∗∗∗ Festo: Vulnerable Siemens TIA-Portal in multiple Festo Didactic products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-047/ ∗∗∗ WAGO: Multiple products vulnerable to local file inclusion ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-046/ ∗∗∗ Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-290-01 ∗∗∗ Rockwell Automation FactoryTalk Linx ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-290-02 ∗∗∗ Vulnerability CVE-2023-35116 affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052938 ∗∗∗ IBM Personal Communications could allow a remote user to obtain sensitive information including user passwords, allowing unauthorized access. (CVE-2016-0321) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/276845 ∗∗∗ IBM Db2 is vulnerable to denial of service via a specially crafted query on certain databases. (CVE-2023-30987) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7047560 ∗∗∗ Vulnerability in pycrypto-2.6.1.tar.gz affects IBM Integrated Analytics System [CVE-2013-7459, CVE-2018-6594] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053417 ∗∗∗ Multiple vulnerabilities in OpenSSL affect IBM Observability with Instana (Agent container image) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053623 ∗∗∗ Remote code execution/denial of service attack is possible in IBM Observability with Instana (Self-hosted on Docker) due to use of Apache Kafka ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053643 ∗∗∗ Due to use of Apache Commons FileUpload and Tomcat, IBM UrbanCode Release is vulnerable to a denial of service. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053627 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2023
by Daily end-of-shift report 16 Oct '23

16 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-10-2023 18:00 − Montag 16-10-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DarkGate malware spreads through compromised Skype accounts ∗∗∗ --------------------------------------------- Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-thr… ∗∗∗ Scanning evasion issue in Cisco Secure Email Gateway ∗∗∗ --------------------------------------------- Cisco Secure Email Gateway provided by Cisco Systems may fail to detect specially crafted files. --------------------------------------------- https://jvn.jp/en/jp/JVN58574030/ ∗∗∗ Security review for Microsoft Edge version 118 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 118! We have reviewed the new settings in Microsoft Edge version 118 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 117 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls ∗∗∗ --------------------------------------------- The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features.Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure. --------------------------------------------- https://thehackernews.com/2023/10/spynote-beware-of-this-android-trojan.html ∗∗∗ Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign ∗∗∗ --------------------------------------------- Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems."The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 [..] --------------------------------------------- https://thehackernews.com/2023/10/pro-russian-hackers-exploiting-recent.html ∗∗∗ Signal says there is no evidence rumored zero-day bug is real ∗∗∗ --------------------------------------------- As this is an ongoing investigation, and the mitigation is to simply disable the Link Previews feature, users may want to turn this setting off for the time being until its fully confirmed not to be real. --------------------------------------------- https://www.bleepingcomputer.com/news/security/signal-says-there-is-no-evid… ∗∗∗ “EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts ∗∗∗ --------------------------------------------- Over the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake “browser updates”. While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they’ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down. --------------------------------------------- https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-… ∗∗∗ Blocking Dedicated Attacking Hosts Is Not Enough: In-Depth Analysis of a Worldwide Linux XorDDoS Campaign ∗∗∗ --------------------------------------------- We provide a comprehensive analysis of the XorDDoS Trojans attacking behaviors. Subsequently, we unveil the intricate network infrastructure orchestrating the campaigns botnet. Lastly, we introduce the advanced signatures derived from the key attacking hotspots, including hostnames, URLs and IP addresses. These signatures effectively identified over 1,000 XorDDoS C2 traffic sessions in August 2023 alone. --------------------------------------------- https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-deliv… ∗∗∗ WS_FTP: Ransomware-Attacken auf ungepatchte Server ∗∗∗ --------------------------------------------- In WS_FTP hat Hersteller Progress kürzlich teils kritische Sicherheitslücken geschlossen. Inzwischen sieht Sophos Ransomware-Angriffe darauf. --------------------------------------------- https://www.heise.de/news/WS-FTP-Ransomware-Attacken-auf-ungepatchte-Server… ∗∗∗ Milesight Industrial Router Vulnerability Possibly Exploited in Attacks ∗∗∗ --------------------------------------------- A vulnerability affecting Milesight industrial routers, tracked as CVE-2023-4326, may have been exploited in attacks. --------------------------------------------- https://www.securityweek.com/milesight-industrial-router-vulnerability-poss… ∗∗∗ Sie verkaufen auf Willhaben? Diese Betrugsmasche sollten Sie kennen! ∗∗∗ --------------------------------------------- Auf Willhaben und anderen Verkaufsplattformen begegnen Ihnen sicherlich auch mal Betrüger:innen. Besonders vorsichtig sollten Sie sein, wenn Sie zum ersten Mal verkaufen und Sie den Ablauf eines Verkaufs noch nicht so gut kennen. Wir zeigen Ihnen eine gängige Betrugsmasche und wie Sie sich davor schützen! --------------------------------------------- https://www.watchlist-internet.at/news/sie-verkaufen-auf-willhaben-diese-be… ∗∗∗ curl-Schwachstelle durch Microsoft ungepatcht ∗∗∗ --------------------------------------------- In der Bibliothek und im Tool curl gibt es in älteren Versionen eine Schwachstelle, die vom Projekt am 11. Oktober 2023 mit der Version 8.4.0 geschlossen wurde. Microsoft liefert curl mit Windows aus, und es stellte sich die Frage, ob curl zum Patchday, 10. Oktober 2023, ebenfalls aktualisiert wurde. Mein Stand ist, dass in Windows auch nach den Oktober 2023-Updates die veraltete curl-Version enthalten ist. --------------------------------------------- https://www.borncity.com/blog/2023/10/14/curl-schwachstelle-durch-microsoft… ∗∗∗ Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability ∗∗∗ --------------------------------------------- Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. --------------------------------------------- https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-soft… ∗∗∗ Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a ===================== = Vulnerabilities = ===================== ∗∗∗ Exim bugs ∗∗∗ --------------------------------------------- Fixed in 4.96.2/4.97: - CVE-2023-42117: Improper Neutralization of Special Elements - CVE-2023-42119: dnsdb Out-Of-Bounds Read libspf2 Integer Underflow: - CVE-2023-42118: Mitigation: Do not use the `spf` condition in your ACL --------------------------------------------- https://exim.org/static/doc/security/CVE-2023-zdi.txt ∗∗∗ Wordpress: Übernahme durch Lücke in Royal Elementor Addons and Template ∗∗∗ --------------------------------------------- Im Wordpress-Plug-in Royal Elementor Addons and Template missbrauchen Cyberkriminelle eine kritische Lücke. Sie nutzen sie zur Übernahme von Instanzen. --------------------------------------------- https://www.heise.de/news/Wordpress-Uebernahme-durch-Luecke-in-Royal-Elemen… ∗∗∗ Samba: Neue Versionen beheben mehrere Sicherheitslücken ∗∗∗ --------------------------------------------- Durch verschiedene Programmierfehler konnten Angreifer auf geheime Informationen bis hin zum Kerberos-TGT-Passwort zugreifen. Aktualisierungen stehen bereit. --------------------------------------------- https://www.heise.de/news/Samba-Neue-Versionen-beheben-mehrere-Sicherheitsl… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (batik, poppler, and tomcat9), Fedora (chromium, composer, curl, emacs, ghostscript, libwebp, libXpm, netatalk, nghttp2, python-asgiref, python-django, and webkitgtk), Mageia (curl and libX11), Oracle (bind, busybox, firefox, and kernel), Red Hat (curl, dotnet6.0, dotnet7.0, and nginx), SUSE (chromium, cni, cni-plugins, grub2, netatalk, opensc, opera, and wireshark), and Ubuntu (iperf3). --------------------------------------------- https://lwn.net/Articles/947891/ ∗∗∗ Vulnerabilities in Video Station ∗∗∗ --------------------------------------------- Three vulnerabilities have been reported to affect Video Station: - CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities - CVE-2023-34977: Cross-site scripting (XSS) vulnerability If exploited, these vulnerabilities could allow authenticated users to inject malicious code via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-52 ∗∗∗ Vulnerabilities in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- Two vulnerabilities have been reported to affect several QNAP operating system versions: - CVE-2023-32970: If exploited, the null pointer dereference vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network. - CVE-2023-32973: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-41 ∗∗∗ Vulnerability in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read and expose sensitive data via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-42 ∗∗∗ Vulnerability in Container Station ∗∗∗ --------------------------------------------- An OS command injection vulnerability has been reported to affect Container Station. If exploited, the vulnerability could allow authenticated administrators to execute arbitrary commands via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-44 ∗∗∗ web2py vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN80476432/ ∗∗∗ cURL and libcurl Vulnerability Affecting Cisco Products: October 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ FortiSandbox - XSS on delete endpoint ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-311 ∗∗∗ FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-215 ∗∗∗ FortiSandbox - Arbitrary file delete ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-280 ∗∗∗ Red Lion Europe: Vulnerability allows access to non-critical information in mbCONNECT24 and mymbCONNECT24 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-041/ ∗∗∗ Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-043/ ∗∗∗ 2023-10 Security Bulletin: Junos OS and Junos OS Evolved: High CPU load due to specific NETCONF command (CVE-2023-44184) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos… ∗∗∗ IBM Security Verify Access Appliance has multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009735 ∗∗∗ Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953617 ∗∗∗ Security Vulnerabilities fixed in IBM Security Verify Access (CVE-2022-40303) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009741 ∗∗∗ IBM Security Verify Access OpenID Connect Provider container has fixed multiple vulnerabilities (CVE-2022-43868, CVE-2022-43739, CVE-2022-43740) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028513 ∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012613 ∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014261 ∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014259 ∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052776 ∗∗∗ Multiple Vulnerabilities of Apache HttpClient have affected IBM Jazz Reporting Service ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052811 ∗∗∗ Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Jazz Reporting Services. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052810 ∗∗∗ IBM Jazz Reporting Service is vulnerable to a denial of service (CVE-2023-35116) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052809 ∗∗∗ Vulnerability with snappy-java affect IBM Cloud Object Storage Systems (Oc2023v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052829 ∗∗∗ Require strict cookies for image proxy requests ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ OAuth2 client_secret stored in plain text in the database ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h… ∗∗∗ Inviting excessive long email addresses to a calendar event makes the server unresponsive ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r… ∗∗∗ Password of talk conversations can be bruteforced ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7… ∗∗∗ Rate limiter not working reliable when Memcached is installed ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x… ∗∗∗ Security updates 1.5.5 and 1.4.15 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15 ∗∗∗ Security update 1.6.4 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2023/10/16/security-update-1.6.4-released -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.10.2023
by Daily end-of-shift report 13 Oct '23

13 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-10-2023 18:00 − Freitag 13-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomware attacks now target unpatched WS_FTP servers ∗∗∗ --------------------------------------------- Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-attacks-now-targe… ∗∗∗ FBI shares AvosLocker ransomware technical details, defense tips ∗∗∗ --------------------------------------------- The U.S. government has updated the list of tools AvosLocker ransomware affiliates use in attacks to include open-source utilities along with custom PowerShell, and batch scripts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-shares-avoslocker-ransom… ∗∗∗ An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit ∗∗∗ --------------------------------------------- In April this year Google's Threat Analysis Group, in collaboration with Amnesty International, discovered an in-the-wild iPhone zero-day exploit chain being used in targeted attacks delivered via malicious link. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/10/an-analysis-of-an-in-the-wil… ∗∗∗ DarkGate Malware Spreading via Messaging Services Posing as PDF Files ∗∗∗ --------------------------------------------- A piece of malware known as DarkGate has been observed being spread via instant messaging platforms such as Skype and Microsoft Teams. In these attacks, the messaging apps are used to deliver a Visual Basic for Applications (VBA) loader script that masquerades as a PDF document, which, when opened, triggers the download and execution of an AutoIt script designed to launch the malware. --------------------------------------------- https://thehackernews.com/2023/10/darkgate-malware-spreading-via.html ∗∗∗ GNOME what Im sayin? - GNOME libcue 0-click vulnerability ∗∗∗ --------------------------------------------- Am 10. Oktober wurde CVE-2023-43641 veröffentlicht, eine 0-click out-of-bounds array access Schwachstelle in libcue. GNOME verwendet diese Library zum Parsen von cuesheets beim Indizieren von Dateien für die Suchfunktion. Wie schlimm ist es? --------------------------------------------- https://cert.at/de/blog/2023/10/gnome-what-im-sayin-gnome-libcue-0-click-vu… ∗∗∗ WordPress 6.3.2 Security Release – What You Need to Know ∗∗∗ --------------------------------------------- WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordpress-6-3-2-security-release-wha… ∗∗∗ Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malwares ∗∗∗ --------------------------------------------- Because the Lazarus threat group has been active since a long time ago, there are many attack cases and various malware strains are used in each case. In particular, there is also a wide variety of backdoors used for controlling the infected system after initial access. AhnLab Security Emergency response Center (ASEC) is continuously tracking and analyzing attacks by the Lazarus group, and in this post, we will analyze Volgmer and Scout, the two major malware strains used in their attacks. --------------------------------------------- https://asec.ahnlab.com/en/57685/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple fixes iOS Kernel zero-day vulnerability on older iPhones ∗∗∗ --------------------------------------------- Apple has published security updates for older iPhones and iPads to backport patches released one week ago, addressing two zero-day vulnerabilities exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apple-fixes-ios-kernel-zero-… ∗∗∗ Caching-Proxy: 35 Schwachstellen in Squid schon mehr als 2 Jahre ungepatcht ∗∗∗ --------------------------------------------- Anfang 2021 hatte ein Sicherheitsforscher 55 Schwachstellen an das Entwicklerteam von Squid gemeldet. Ein Großteil ist noch offen. --------------------------------------------- https://www.golem.de/news/caching-proxy-35-schwachstellen-in-squid-schon-me… ∗∗∗ Schwere Sicherheitslücken in Monitoring-Software Zabbix behoben ∗∗∗ --------------------------------------------- In verschiedenen Komponenten der Monitoringsoftware Zabbix klafften kritische Sicherheitslücken, die Angreifern die Ausführung eigenen Codes ermöglichen. --------------------------------------------- https://www.heise.de/news/Schwere-Sicherheitsluecken-in-Monitoring-Software… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, tomcat9, and webkit2gtk), Fedora (cacti, cacti-spine, grafana-pcp, libcue, mbedtls, samba, and vim), Oracle (kernel, libvpx, and thunderbird), Red Hat (bind and galera, mariadb), SUSE (exiv2, go1.20, go1.21, and kernel), and Ubuntu (ffmpeg). --------------------------------------------- https://lwn.net/Articles/947710/ ∗∗∗ cURL and libcurl Vulnerability Affecting Cisco Products: October 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Nextcloud Security Advisory: Improper restriction of excessive authentication attempts on WebDAV endpoint ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2… ∗∗∗ K000137229 : BIND vulnerability CVE-2022-38178 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137229 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2023
by Daily end-of-shift report 12 Oct '23

12 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-10-2023 18:00 − Donnerstag 12-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Well, this SOCKS - curl SOCKS 5 Heap Buffer Overflow (CVE-2023-38545) ∗∗∗ --------------------------------------------- Nachdem letzte Woche ein Advisory zu "der schlimmsten Schwachstelle in curl seit Langem" angekündigt wurde, konnten verängstigte, verschlafene und chronisch unterkoffeinierte Admins und Security-Spezialisten nach der gestrigen Veröffentlichung den Schaden begutachten. Die gute Nachricht: Die Apokalypse ist an uns vorüber gegangen. Die schlechte Nachricht: Mit dem CVSS(v2) Score lässt sich die Schwere einer Schwachstelle nicht immer ausreichend abbilden. --------------------------------------------- https://cert.at/de/blog/2023/10/well-this-socks-curl-socks-5-heap-buffer-ov… ∗∗∗ ToddyCat: Keep calm and check logs ∗∗∗ --------------------------------------------- In this article, we’ll describe ToddyCat new toolset, the malware used to steal and exfiltrate data, and the techniques used by this group to move laterally and conduct espionage operations. --------------------------------------------- https://securelist.com/toddycat-keep-calm-and-check-logs/110696/ ∗∗∗ Malicious NuGet Package Targeting .NET Developers with SeroXen RAT ∗∗∗ --------------------------------------------- A malicious package hosted on the NuGet package manager for the .NET Framework has been found to deliver a remote access trojan called SeroXen RAT. The package, named Pathoschild.Stardew.Mod.Build.Config and published by a user named Disti, is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig, software supply chain security firm Phylum said in a report today. While the real package has received nearly 79,000 downloads to date, the malicious variant is said to have artificially inflated its download count after being published on October 6, 2023, to surpass 100,000 downloads. --------------------------------------------- https://thehackernews.com/2023/10/malicious-nuget-package-targeting-net.html ∗∗∗ New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects ∗∗∗ --------------------------------------------- In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects. --------------------------------------------- https://www.virusbulletin.com/blog/2023/10/new-paper-nexus-android-banking-… ∗∗∗ Backdoor Malware Found on WordPress Website Disguised as Legitimate Plugin ∗∗∗ --------------------------------------------- A backdoor deployed on a compromised WordPress website poses as a legitimate plugin to hide its presence. --------------------------------------------- https://www.securityweek.com/backdoor-malware-found-on-wordpress-website-di… ∗∗∗ Using Velociraptor for large-scale endpoint visibility and rapid threat hunting ∗∗∗ --------------------------------------------- In this post we give on overview of some of the capabilities of Velociraptor, and also how we have leveraged them to conduct some real-time threat hunting shedding light on how it can equip security teams to proactively safeguard digital environments. --------------------------------------------- https://www.pentestpartners.com/security-blog/using-velociraptor-for-large-… ∗∗∗ Angebliche Branchenbücher und Firmenverzeichnisse locken in teure Abo-Falle! ∗∗∗ --------------------------------------------- Aktuell werden uns zahlreiche unseriöse Branchen-, Adressen- und Firmenverzeichnisse gemeldet, die versuchen Unternehmen das Geld aus der Tasche zu ziehen. Per E-Mail, Telefon oder Fax werden Unternehmen dazu überredet, sich in ein nutzloses und oft gar nicht existierendes Branchenbuch einzutragen. Wer auf das Angebot eingeht, schließt ein überteuertes Abo ab, das nur schwer zu kündigen ist. Betroffen von dieser Abzocke sind vor allem kleine und mittlere Unternehmen. --------------------------------------------- https://www.watchlist-internet.at/news/angebliche-branchenbuecher-und-firme… ∗∗∗ XOR Known-Plaintext Attacks ∗∗∗ --------------------------------------------- In this blog post, we show in detail how a known-plaintext attack on XOR encoding works, and automate it with custom tools to decrypt and extract the configuration of a Cobalt Strike beacon. If you are not interested in the theory, just in the tools, go straight to the conclusion. --------------------------------------------- https://blog.nviso.eu/2023/10/12/xor-known-plaintext-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ An analysis of PoS/ cashIT! cash registers ∗∗∗ --------------------------------------------- This report summarizes our findings about vulnerabilities in cashIT!, a cash register system implementing the Austrian cash registers security regulation (RKSV). Besides lack of encryption, outdated software components and low-entropy passwords, these weaknesses include a bypass of origin checks (CVE-2023-3654), unauthenticated remote database exfiltration (CVE-2023-3655), and unauthenticated remote code with administrative privileges on the cash register host machines (CVE-2023-3656). Based on our analysis result, these vulnerabilities affect over 200 cash register installations in Austrian restaurants that are accessible over the Internet. --------------------------------------------- https://epub.jku.at/obvulioa/content/titleinfo/9142358 ∗∗∗ Sicherheitsupdates: Backdoor-Lücke bedroht Netzwerkgeräte von Juniper ∗∗∗ --------------------------------------------- Schwachstellen im Netzwerkbetriebssystem Junos OS bedrohen Routing-, Switching- und Sicherheitsgeräte von Juniper. --------------------------------------------- https://www.heise.de/-9332169 ∗∗∗ 10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows ∗∗∗ --------------------------------------------- Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device [..] All these vulnerabilities also have a severity score of 9.8. Talos is disclosing these vulnerabilities despite no official patch from Yifan, all in adherence to Cisco’s third-party vendor vulnerability disclosure policy. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-webkit-and-yifan-r… ∗∗∗ 40 Schwachstellen in IBM-Sicherheitslösung QRadar SIEM geschlossen ∗∗∗ --------------------------------------------- Mehrere Komponenten in IBM QRadar SIEM weisen Sicherheitslücken auf und gefährden das Security-Information-and-Event-Management-System. --------------------------------------------- https://www.heise.de/-9332542 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 2, 2023 to October 8, 2023) ∗∗∗ --------------------------------------------- Last week, there were 92 vulnerabilities disclosed in 88 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libcue, org-mode, python3.7, and samba), Fedora (libcue, oneVPL, oneVPL-intel-gpu, and xen), Mageia (glibc), Oracle (glibc, kernel, libssh2, libvpx, nodejs, and python-reportlab), Slackware (libcaca), SUSE (gsl, ImageMagick, kernel, opensc, python-urllib3, qemu, rage-encryption, samba, and xen), and Ubuntu (curl and samba). --------------------------------------------- https://lwn.net/Articles/947570/ ∗∗∗ Weintek cMT3000 HMI Web CGI ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12 ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-15 ∗∗∗ Santesoft Sante FFT Imaging ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-02 ∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-01 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-13 ∗∗∗ Hikvision Access Control and Intercom Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-14 ∗∗∗ PILZ : WIBU Vulnerabilities in multiple Products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-033/ ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-16 ∗∗∗ Hikvision Access Control and Intercom Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-14 ∗∗∗ CVE-2023-3281 Cortex XSOAR: Cleartext Exposure of Client Certificate Key in Kafka v3 Integration (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-3281 ∗∗∗ IBM Aspera Faspex has addressed an IP address restriction bypass vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7048851 ∗∗∗ Vulnerability of okio-1.13.0.jar is affecting APM WebSphere Application Server Agent, APM Tomcat Agent, APM SAP NetWeaver Java Stack Agent, APM WebLogic Agent and APM Data Collector for J2SE ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7051173 ∗∗∗ IBM App Connect Enterprise is vulnerable to a potential information disclosure ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7051204 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2023
by Daily end-of-shift report 11 Oct '23

11 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-10-2023 18:00 − Mittwoch 11-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft to kill off VBScript in Windows to block malware delivery ∗∗∗ --------------------------------------------- Microsoft is planning to phase out VBScript in future Windows releases after 30 years of use, making it an on-demand feature until it is removed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-to-kill-off-vbscri… ∗∗∗ Microsoft warns of incorrect BitLocker encryption errors ∗∗∗ --------------------------------------------- Microsoft warned customers this week of incorrect BitLocker drive encryption errors being shown in some managed Windows environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-incorrec… ∗∗∗ LinkedIn Smart Links attacks return to target Microsoft accounts ∗∗∗ --------------------------------------------- Hackers are once again abusing LinkedIn Smart Links in phishing attacks to bypass protection measures and evade detection in attempts to steal Microsoft account credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linkedin-smart-links-attacks… ∗∗∗ Support-Ende für Windows Server 2012 R2: Warum Sie das nicht ignorieren dürfen ∗∗∗ --------------------------------------------- Ab sofort steht der Windows Server 2012 R2 komplett ohne Support dar. Doch aufgrund seiner Beliebtheit kommt er noch immer zum Einsatz – das muss sich ändern. --------------------------------------------- https://www.heise.de/news/Support-Ende-fuer-Windows-Server-2012-R2-Warum-Si… ∗∗∗ Wireshark Tutorial: Identifying Hosts and Users ∗∗∗ --------------------------------------------- When a host is infected or otherwise compromised, security professionals need to quickly review packet captures of suspicious network traffic to identify affected hosts and users. --------------------------------------------- https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-u… ∗∗∗ Distribution of Magniber Ransomware Stops (Since August 25th) ∗∗∗ --------------------------------------------- Through a continuous monitoring process, AhnLab Security Emergency response Center (ASEC) is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which abuses typos in domain addresses. --------------------------------------------- https://asec.ahnlab.com/en/57592/ ∗∗∗ The Risks of Exposing DICOM Data to the Internet ∗∗∗ --------------------------------------------- DICOM has revolutionized the medical imaging industry. However, it also presents potential vulnerabilities when exposed to the open internet. --------------------------------------------- https://www.rapid7.com/blog/post/2023/10/11/the-risks-of-exposing-dicom-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-38545: curl SOCKS5 oversized hostname vulnerability. How bad is it?, (Wed, Oct 11th) ∗∗∗ --------------------------------------------- Today, we got the promised fix for CVE-2023-38545. So here is a quick overview of how severe it is. --------------------------------------------- https://isc.sans.edu/diary/rss/30304 ∗∗∗ Patchday Microsoft: Attacken auf Skype for Business und WordPad ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für etwa Azure, Office und Windows veröffentlicht. --------------------------------------------- https://www.heise.de/news/Patchday-Microsoft-Attacken-auf-Skype-for-Busines… ∗∗∗ Patchday Adobe: Schadcode-Attacken auf Magento-Shops und Photoshop möglich ∗∗∗ --------------------------------------------- Die Entwickler von Adobe haben in Bridge, Commerce, Magento Open Source und Photoshop mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-Schadcode-Attacken-auf-Magento-Sho… ∗∗∗ Webbrowser: Google-Chrome-Update schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Google hat das wöchentliche Chrome-Update herausgegeben. Es schließt 20 Sicherheitslücken, von denen mindestens eine als kritisch gilt. --------------------------------------------- https://www.heise.de/news/Webbrowser-Google-Chrome-Update-schliesst-kritisc… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, mediawiki, tomcat10, and tomcat9), Fedora (libcaca, oneVPL, oneVPL-intel-gpu, and tracker-miners), Gentoo (curl), Mageia (cups and firefox, thunderbird), Red Hat (curl, kernel, kernel-rt, kpatch-patch, libqb, libssh2, linux-firmware, python-reportlab, tar, and the virt:rhel module), Slackware (curl, libcue, libnotify, nghttp2, and samba), SUSE (conmon, curl, glibc, kernel, php-composer2, python-reportlab, samba, and shadow), [...] --------------------------------------------- https://lwn.net/Articles/947409/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Sicherheitsupdates Fortinet: Angreifer können Passwörter im Klartext einsehen ∗∗∗ --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Fortinet-Angreifer-koennen-Pas… ∗∗∗ K000137202 : Intel BIOS vulnerability CVE-2022-38083 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137202 ∗∗∗ Lenovo System Update Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500581-LENOVO-SYSTEM-UPDATE-VU… ∗∗∗ Lenovo View Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500580-LENOVO-VIEW-DENIAL-OF-S… ∗∗∗ Multi-vendor BIOS Security Vulnerabilities (October 2023) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500582-MULTI-VENDOR-BIOS-SECUR… ∗∗∗ Lenovo Preload Directory Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500579-LENOVO-PRELOAD-DIRECTOR… ∗∗∗ [R1] Security Center Version 6.2.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-32 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily