Daily

daily@lists.cert.at

1 participants
3198 discussions

Tageszusammenfassung - 06.10.2023
by Daily end-of-shift report 06 Oct '23

06 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-10-2023 18:00 − Freitag 06-10-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Exploits released for Linux flaw giving root on major distros ∗∗∗ --------------------------------------------- Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Librarys dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploits-released-for-linux-… ∗∗∗ Jetzt patchen! Exploits für glibc-Lücke öffentlich verfügbar ∗∗∗ --------------------------------------------- Nachdem der Bug in der Linux-Bibliothek glibc am vergangenen Dienstag bekannt wurde, sind nun zuverlässig funktionierende Exploits aufgetaucht. --------------------------------------------- https://www.heise.de/-9326518 ∗∗∗ Finanzbetrug per Telefon: Ignorieren Sie Anrufer:innen, die Sie zu Investitionen überreden wollen ∗∗∗ --------------------------------------------- Finanzbetrug ist ein lukratives Geschäft. Der finanzielle Schaden für die Betroffenen ist oft enorm. Gleichzeitig ist der Finanzmarkt streng reguliert, um Betrug in diesem Bereich zu erschweren. Das ist mit ein Grund, wieso Betrüger:innen immer wieder neue Wege finden, um an ihre Opfer zu kommen. Aktuell berichten unsere Leser:innen vermehrt davon, dass sie von Kriminellen angerufen und direkt am Telefon zu Investments überredet werden. --------------------------------------------- https://www.watchlist-internet.at/news/finanzbetrug-per-telefon-ignorieren-… ∗∗∗ Leveraging a Hooking Framework to Expand Malware Detection Coverage on the Android Platform ∗∗∗ --------------------------------------------- In this article, we will discuss this issue of how malware authors use obfuscation to make analyzing their Android malware more challenging. We will review two such case studies to illustrate those obfuscation techniques in action. Finally, we’ll cover some overall techniques researchers can use to address these obstacles. --------------------------------------------- https://unit42.paloaltonetworks.com/hooking-framework-in-sandbox-to-analyze… ∗∗∗ Microsoft: Human-operated ransomware attacks tripled over past year ∗∗∗ --------------------------------------------- Human-operated ransomware attacks are up more than 200% since September 2022, according to researchers from Microsoft, who warned that it could represent a shift in the cybercrime underground. --------------------------------------------- https://therecord.media/human-operated-ransomware-attacks-report-microsoft ∗∗∗ New tool: le-hex-to-ip.py, (Thu, Oct 5th) ∗∗∗ --------------------------------------------- So, this week it is my privilege to be TA-ing for Taz Wake for the beta run of his new class FOR577: Linux Incident Response and Threat Hunting. We were looking in the linux /proc filesystem and were noticing in the /proc//net/{tcp/udp/icmp/...} that the IP addresses were listed in hex, but little-endian. I immediately remembered Didier's Handler's Diary from last week about the IPs in the event logs that were in decimal and little endian. --------------------------------------------- https://isc.sans.edu/diary/rss/30284 ∗∗∗ NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Root-Lücke bedroht Dell SmartFabric Storage Software ∗∗∗ --------------------------------------------- Dell hat mehrere gefährliche Sicherheitslücken in SmartFabric Storage Software geschlossen. --------------------------------------------- https://www.heise.de/-9326738 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grub2, libvpx, libx11, libxpm, and qemu), Fedora (firefox, matrix-synapse, tacacs, thunderbird, and xrdp), Oracle (glibc), Red Hat (bind, bind9.16, firefox, frr, ghostscript, glibc, ImageMagick, libeconf, python3.11, python3.9, and thunderbird), Scientific Linux (ImageMagick), SUSE (kernel, libX11, and tomcat), and Ubuntu (linux-hwe-5.15, linux-oracle-5.15). --------------------------------------------- https://lwn.net/Articles/946848/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2023
by Daily end-of-shift report 05 Oct '23

05 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-10-2023 18:00 − Donnerstag 05-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Curl 8.4.0 is to be released on October 11th ... ∗∗∗ --------------------------------------------- ... containing a fix for "the worst security problem found in curl in a long time". The associated CVE is expected to be published shortly after. Use the time to check where you have #curl & #libcurl in your environment. --------------------------------------------- https://twitter.com/pyotam2/status/1709305830573473987 ∗∗∗ Jetzt patchen! Confluence Data Center: Angreifer machen sich zu Admins ∗∗∗ --------------------------------------------- Atlassian hat eine kritische Sicherheitslücke in Confluence Data Center und Server geschlossen. --------------------------------------------- https://www.heise.de/-9325414 ∗∗∗ Lorenz ransomware crew bungles blackmail blueprint by leaking two years of contacts ∗∗∗ --------------------------------------------- A security researcher noticed Lorenz's dark web victim blog was leaking backend code, pulled the data from the site, and uploaded to it a public GitHub repository. The data includes names, email addresses, and the subject line entered into the ransomware group's limited online form to request information from Lorenz. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/05/lorenz_ranso… ∗∗∗ The discovery of Gatekeeper bypass CVE-2023-27943 ∗∗∗ --------------------------------------------- Looking for vulnerabilities is not my usual daily routine. I am a software developer for Endpoint Security software. I implement new features, improve existing functionality, fixing bugs. So, the discovery of this vulnerability was a surprise. And it made me scared that a macOS update broke our product. In the end, it turned out to be quite a severe vulnerability on macOS. --------------------------------------------- https://blog.f-secure.com/discovery-of-gatekeeper-bypass-cve-2023-27943/ ∗∗∗ H1 2023 – a brief overview of main incidents in industrial cybersecurity ∗∗∗ --------------------------------------------- In this overview, we discuss cybercriminal and hacktivist attacks on industrial organizations. --------------------------------------------- https://ics-cert.kaspersky.com/publications/h1-2023-a-brief-overview-of-mai… ∗∗∗ Looking at the Attack Surface of the Sony XAV-AX5500 Head Unit ∗∗∗ --------------------------------------------- In this post, we look at the attack surface of another target in a different category. The Sony XAV-AX5500 is a popular aftermarket head unit that interacts with different systems within a vehicle. It also offers attackers a potential foothold into an automobile. --------------------------------------------- https://www.thezdi.com/blog/2023/10/5/looking-at-the-attack-surface-of-the-… ∗∗∗ Exposing Infection Techniques Across Supply Chains and Codebases ∗∗∗ --------------------------------------------- This entry delves into threat actors intricate methods to implant malicious payloads within seemingly legitimate applications and codebases. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/j/infection-techniques-across-… ∗∗∗ Your printer is not your printer ! - Hacking Printers at Pwn2Own Part I ∗∗∗ --------------------------------------------- At 2021, we found Pre-auth RCE vulnerabilities(CVE-2022-24673 and CVE-2022-3942) in Canon and HP printers, and vulnerabilty(CVE-2021-44734) in Lexmark. We used these vulnerabilities to exploit Canon ImageCLASS MF644Cdw, HP Color LaserJet Pro MFP M283fdw and Lexmark MC3224i in Pwn2Own Austin 2021. Following we will describe the details of the Canon and HP vulnerabilities and exploitation. --------------------------------------------- https://devco.re/blog/2023/10/05/your-printer-is-not-your-printer-hacking-p… ∗∗∗ EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability ∗∗∗ --------------------------------------------- Threat actors are exploiting the open redirection vulnerability on Indeed.com to launch EvilProxy phishing attacks against high-ranking executives. --------------------------------------------- https://www.hackread.com/evilproxy-phishing-kit-microsoft-indeed-vulnerabil… ∗∗∗ CISA and NSA Release New Guidance on Identity and Access Management ∗∗∗ --------------------------------------------- Today, CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-and-nsa-release-new… ∗∗∗ Notruf-Tool Cisco Emergency Responder mit statischen Zugangsdaten ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für mehrere Produkte wichtige Sicherheitsupdates veröffentlicht. --------------------------------------------- https://www.heise.de/-9325669 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2023-10-04 ∗∗∗ --------------------------------------------- Cisco has published 3 Security Advisories (1 Critical, 1 High, 1 Medium Severity) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ (0Day) D-Link ∗∗∗ --------------------------------------------- ZDI-23-1501 - ZDI-23-1525: Multiple Routers, DIR-X3260, DAP-2622, DAP-1325 and D-View --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Wieder Exploit-Update für iOS und iPadOS – das wohl auch Hitzeproblem fixt ∗∗∗ --------------------------------------------- Apple hat in der Nacht zum Donnerstag erneut wichtige Fixes für sein iPhone- und iPad-Betriebssystem vorgelegt. Es geht um Sicherheit und Überhitzung. --------------------------------------------- https://www.heise.de/-9325367 ∗∗∗ Malware-Schutz: Schwachstellen in Watchguard EPDR und AD360 geschlossen ∗∗∗ --------------------------------------------- In den Malware-Schutzlösungen Watchguard EPDR und AD360 klaffen teils Sicherheitslücken mit hohem Risiko. Aktualisierungen stehen bereit. --------------------------------------------- https://www.heise.de/-9326078 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 25, 2023 to October 1, 2023) ∗∗∗ --------------------------------------------- Last week, there were 90 vulnerabilities disclosed in 68 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libx11, and libxpm), Fedora (ckeditor, drupal7, glibc, golang-github-cncf-xds, golang-github-envoyproxy-control-plane, golang-github-hashicorp-msgpack, golang-github-minio-highwayhash, golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, golang-github-protobuf, golang-google-protobuf, nats-server, and pgadmin4), Red Hat (firefox and thunderbird), SUSE (chromium, exim, ghostscript, kernel, poppler, python-gevent, and python-reportlab), and Ubuntu (binutils, exim4, jqueryui, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-kvm, linux-oem-6.1, nodejs, and python-django). --------------------------------------------- https://lwn.net/Articles/946698/ ∗∗∗ ZDI-23-1498: Ansys SpaceClaim X_B File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1498/ ∗∗∗ Open Redirect in SAP® BSP Test Application it00 (Bypass for CVE-2020-6215 Patch) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/open-redirect-in-bsp-tes… ∗∗∗ Qognify NiceVision ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02 ∗∗∗ Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-03 ∗∗∗ Hitachi Energy AFS65x, AFF66x, AFS67x, and AFR67x Series Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2023
by Daily end-of-shift report 04 Oct '23

04 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-10-2023 18:00 − Mittwoch 04-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitswarnung: Schwachstellen in Qualcomm-Treibern werden aktiv ausgenutzt ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Qualcomm-Treibern gefährden Smartphones und Tablets weltweit. Patches sind vorhanden - zumindest bei den Herstellern. --------------------------------------------- https://www.golem.de/news/sicherheitswarnung-schwachstellen-in-qualcomm-tre… ∗∗∗ Looney Tunables: Schwachstelle in C-Bibliothek gefährdet Linux-Systeme ∗∗∗ --------------------------------------------- Eine Pufferüberlauf-Schwachstelle im dynamischen Lader von glibc ermöglicht es Angreifern, auf Linux-Systemen Root-Rechte zu erlangen. --------------------------------------------- https://www.golem.de/news/looney-tunables-schwachstelle-in-c-bibliothek-gef… ∗∗∗ Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement ∗∗∗ --------------------------------------------- Microsoft security researchers recently identified an attack where attackers attempted to move laterally to a cloud environment through a SQL Server instance. The attackers initially exploited a SQL injection vulnerability in an application within the target’s environment to gain access and elevated permissions to a Microsoft SQL Server instance deployed in an Azure Virtual Machine (VM). --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/10/03/defending-new-vect… ∗∗∗ Optimizing WordPress: Security Beyond Default Configurations ∗∗∗ --------------------------------------------- Default configurations in software are not always the most secure. For example, you might buy a network-attached home security camera from your friendly neighborhood electronics store. While these are handy to keep an eye on your property from the comfort of your phone, they also typically come shipped with a default username and password. And since they are connected to the web, they can be accessed from anywhere. Attackers know this, [...] --------------------------------------------- https://blog.sucuri.net/2023/10/optimizing-wordpress-security-beyond-defaul… ∗∗∗ Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems. Israel-based runtime application security company Oligo, which made the discovery, has coined the vulnerabilities ShellTorch. "These vulnerabilities [...] can lead to a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users — including some of the world's largest companies — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover," [...] --------------------------------------------- https://thehackernews.com/2023/10/warning-pytorch-models-vulnerable-to.html ∗∗∗ Patchday: Attacken auf Android 11, 12 und 13 beobachtet ∗∗∗ --------------------------------------------- Unter anderem Google hat wichtige Sicherheitsupdates für Android-Geräte veröffentlicht. Zwei Lücken haben Angreifer bereits im Visier. --------------------------------------------- https://www.heise.de/-9324125.html ∗∗∗ Linux tries to dump Windows notoriously insecure RNDIS protocol ∗∗∗ --------------------------------------------- Here we go again. Linux developers are trying, once more, to rid Linux of Microsofts Remote Network Driver Interface Specification. Heres why its complicated. --------------------------------------------- https://www.zdnet.com/home-and-office/networking/linux-tries-to-dump-window… ∗∗∗ Five Misconfigurations Threatening Your AWS Environment Today ∗∗∗ --------------------------------------------- In the ever-expanding realm of AWS, with over 200 services at your disposal, securing your cloud account configurations and mastering complex environments can feel like an overwhelming challenge. To help you prioritize and root them out, we’ve put together a guide for AWS configurations that are most commonly overlooked. Here are five of the top misconfigurations that could be lurking in your AWS environment right now. --------------------------------------------- https://blog.aquasec.com/five-misconfigurations-threatening-your-aws-enviro… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server ∗∗∗ --------------------------------------------- Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. --------------------------------------------- https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalati… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc, postgresql-11, and thunderbird), Fedora (openmpi, pmix, prrte, and slurm), Gentoo (glibc and libvpx), Oracle (kernel), Red Hat (kernel), Slackware (libX11 and libXpm), SUSE (firefox, kernel, libeconf, libqb, libraw, libvpx, libX11, libXpm, mdadm, openssl-1_1, poppler, postfix, python311, rubygem-puma, runc, and vim), and Ubuntu (freerdp2, glibc, grub2-signed, grub2-unsigned, libx11, libxpm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, and mozjs102). --------------------------------------------- https://lwn.net/Articles/946496/ ∗∗∗ New Supermicro BMC Vulnerabilities Could Expose Many Servers to Remote Attacks ∗∗∗ --------------------------------------------- Supermicro has released BMC IPMI firmware updates to address multiple vulnerabilities impacting select motherboard models. --------------------------------------------- https://www.securityweek.com/new-supermicro-bmc-vulnerabilities-could-expos… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2023
by Daily end-of-shift report 03 Oct '23

03 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 02-10-2023 18:00 − Dienstag 03-10-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ AVM: Fritzbox-Schwachstelle wohl ohne Fernzugriff ausnutzbar ∗∗∗ --------------------------------------------- Seit Anfang September verteilt AVM Sicherheitsupdates für die Fritzbox. Inzwischen gibt es weitere Informationen zur gepatchten Schwachstelle. --------------------------------------------- https://www.golem.de/news/avm-fritzbox-schwachstelle-wohl-ohne-fernzugriff-… ∗∗∗ Exclusive: Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more) ∗∗∗ --------------------------------------------- Researchers have identified the exfiltration infrastructure of a LockBit affiliate while investigating a LockBit extortion incident that occurred in Q3 2023. --------------------------------------------- https://securityaffairs.com/151862/breaking-news/exfiltration-infrastructur… ∗∗∗ BunnyLoader, a new Malware-as-a-Service advertised in cybercrime forums ∗∗∗ --------------------------------------------- Zscaler ThreatLabz researchers discovered a new malware-as-a-service (MaaS) that is called BunnyLoader, which has been advertised for sale in multiple cybercrime forums since September 4, 2023. --------------------------------------------- https://securityaffairs.com/151869/malware/bunnyloader-maas.html ∗∗∗ Security researchers believe mass exploitation attempts against WS_FTP have begun ∗∗∗ --------------------------------------------- Security researchers have spotted what they believe to be a "possible mass exploitation" of vulnerabilities in Progress Softwares WS_FTP Server. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/02/ws_ftp_updat… ∗∗∗ Cloudflare Protection Bypass Vulnerability on Threat Actors’ Radar ∗∗∗ --------------------------------------------- Researchers have identified two mechanisms that hinge on the assumption that traffic originating from Cloudflare towards the origin server is inherently trustworthy, while traffic from other origins should be blocked. --------------------------------------------- https://socradar.io/cloudflare-protection-bypass-vulnerability-on-threat-ac… ∗∗∗ Drei Fragen und Antworten: Der beste Schutz für das Active Directory ∗∗∗ --------------------------------------------- Bis zu 90 Prozent aller Angriffe bedienen sich Microsofts Active Directory – es ist der Hebel, um die eigene Sicherheit zu verbessern. Wir zeigen, wie das geht. --------------------------------------------- https://www.heise.de/news/Drei-Fragen-und-Antworten-Der-beste-Schutz-fuer-d… ∗∗∗ Exim-Lücke: Erste Patches laufen ein ∗∗∗ --------------------------------------------- Nach verschiedenen Kommunikationspannen hat das Exim-Team kritische Sicherheitslücken im beliebten Mailserver behoben. Debian verteilt bereits Updates. --------------------------------------------- https://www.heise.de/news/Exim-Luecke-Erste-Patches-laufen-ein-9323709.html… ∗∗∗ Angriffe auf ältere Android-Geräte: Lücke in Mali-GPU nur teilweise geschlossen ∗∗∗ --------------------------------------------- Aufgrund mehrerer Schwachstellen im Treiber der Grafikeinheit Mali sind unter anderem Smartphone-Modelle von Samsung und Xiaomi verwundbar. --------------------------------------------- https://www.heise.de/news/Angriffe-auf-aeltere-Android-Geraete-Luecke-in-Ma… ∗∗∗ Booking.com: Achtung bei „fehlgeschlagener Zahlung“ oder „Verifikation Ihrer Zahlungsinfos“ ∗∗∗ --------------------------------------------- Fälle, in denen Unterkünfte über booking.com gebucht wurden und Buchende anschließend zur Verifikation ihrer Zahlungen oder zu einer neuerlichen Zahlung aufgefordert werden, häufen sich aktuell. Vorsicht ist geboten, denn die Aufforderungen stammen von Kriminellen, die sich Zugang zu den Buchungsdaten verschaffen konnten und es nun auf das Geld der Hotelgäste abgesehen haben! --------------------------------------------- https://www.watchlist-internet.at/news/bookingcom-achtung-bei-fehlgeschlage… ∗∗∗ Fortinet Labs Uncovers Series of Malicious NPM Packages Stealing Data ∗∗∗ --------------------------------------------- FortiGuard Labs has uncovered a series of malicious packages concealed within NPM (Node Package Manager), the primary software repository for JavaScript developers. The researchers utilized a dedicated system designed to detect nefarious open-source packages across multiple ecosystems, including PyPI and NPM. --------------------------------------------- https://www.hackread.com/fortinet-labs-malicious-npm-packages-steal-data/ ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Edge, Teams get fixes for zero-days in open-source libraries ∗∗∗ --------------------------------------------- Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-teams-get-fi… ∗∗∗ Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers ∗∗∗ --------------------------------------------- Qualcomm is warning of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qualcomm-says-hackers-exploi… ∗∗∗ Jetzt patchen! Ransomware schlüpft durch kritische TeamCity-Lücke ∗∗∗ --------------------------------------------- Angreifer nutzen eine Sicherheitslücke des Software-Distributionssystems TeamCity aus, das weltweit über 30.000 Firmen wie Citibank, HP und Nike einsetzen. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Ransomware-schluepft-durch-kritisch… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4), Fedora (firecracker, rust-aes-gcm, rust-axum, rust-tokio-tungstenite, rust-tungstenite, and rust-warp), Gentoo (nvidia-drivers), Mageia (chromium-browser-stable, glibc, and libwebp), Red Hat (kernel), SUSE (ghostscript and python3), and Ubuntu (firefox, libtommath, libvpx, and thunderbird). --------------------------------------------- https://lwn.net/Articles/946313/ ∗∗∗ Mattermost security updates Desktop app v5.5.1 and Mobile app v2.8.1 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses the vulnerability CVE-2023-4863 of the third-party library libwebp which was affecting the Desktop app and the Mobile iOS app. We highly recommend that you apply the update. The security update is available for Mattermost dot releases Desktop app v5.5.1 and Mobile app v2.8.1. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-desktop-app-v5-5-1-… ∗∗∗ K000137090 : Node.js vulnerabilities CVE-2018-12121, CVE-2018-12122, and CVE-2018-12123 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137090?utm_source=f5support&utm_medi… ∗∗∗ K000137093 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137093?utm_source=f5support&utm_medi… ∗∗∗ The IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit are vulnerable to a server-side request forgery due to Apache Batik (CVE-2022-44730, CVE-2022-44729) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7043490 ∗∗∗ Vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7043727 ∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to Google Protocol Buffer protobuf-cpp (CVE-2022-1941) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7045071 ∗∗∗ Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035373 ∗∗∗ Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035370 ∗∗∗ Multiple vulnerabilities in the IBM Java Runtime affects IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035371 ∗∗∗ A vulnerability in libcURL affect IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035382 ∗∗∗ IBM Spectrum Symphony openssl 1.1.1 End of Life ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7045753 ∗∗∗ IBM\u00ae Db2\u00ae is vulnerable to information disclosure due to improper privilege management when certain federation features are used. (CVE-2023-29256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010573 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2023
by Daily end-of-shift report 02 Oct '23

02 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-09-2023 18:00 − Montag 02-10-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Meet LostTrust ransomware — A likely rebrand of the MetaEncryptor gang ∗∗∗ --------------------------------------------- The LostTrust ransomware operation is believed to be a rebrand of MetaEncryptor, utilizing almost identical data leak sites and encryptors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-losttrust-ransomware-a-… ∗∗∗ New Marvin attack revives 25-year-old decryption flaw in RSA ∗∗∗ --------------------------------------------- A flaw related to the PKCS #1 v1.5 padding in SSL servers discovered in 1998 and believed to have been resolved still impacts several widely-used projects today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-marvin-attack-revives-25… ∗∗∗ The Silent Threat of APIs: What the New Data Reveals About Unknown Risk ∗∗∗ --------------------------------------------- The rapid growth of APIs creates a widening attack surface and increasing unknown cybersecurity risks. --------------------------------------------- https://www.darkreading.com/attacks-breaches/silent-threat-of-apis-what-new… ∗∗∗ Jetzt patchen: Exploit für kritische Sharepoint-Schwachstelle aufgetaucht ∗∗∗ --------------------------------------------- Er ist Teil einer sehr effektiven Exploit-Kette zur Schadcodeausführung auf Sharepoint-Servern, die ein Forscher kürzlich offenlegte. --------------------------------------------- https://www.golem.de/news/jetzt-patchen-exploit-fuer-kritische-sharepoint-s… ∗∗∗ Cybercriminals Using New ASMCrypt Malware Loader to Fly Under the Radar ∗∗∗ --------------------------------------------- Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger. "The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week. --------------------------------------------- https://thehackernews.com/2023/09/cybercriminals-using-new-asmcrypt.html ∗∗∗ BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground ∗∗∗ --------------------------------------------- Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader thats being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," [...] --------------------------------------------- https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html ∗∗∗ Security researchers believe mass exploitation attempts against WS_FTP have begun ∗∗∗ --------------------------------------------- Early signs emerge after Progress Software said there were no active attempts last week Security researchers have spotted what they believe to be a "possible mass exploitation" of vulnerabilities in Progress Softwares WS_FTP Server. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/02/ws_ftp_updat… ∗∗∗ Temporary suspension of automatic snap registration following security incident ∗∗∗ --------------------------------------------- On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps. As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed. Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately. --------------------------------------------- https://forum.snapcraft.io/t/temporary-suspension-of-automatic-snap-registr… ∗∗∗ The Hitchhikers Guide to Malicious Third-Party Dependencies ∗∗∗ --------------------------------------------- The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., NPM, PyPI) serve as public databases that users can query to retrieve packages for various functionalities, [...] In this work, we show how attackers can [...] achieve arbitrary code execution on victim machines, thereby realizing open-source software supply chain chain attacks. --------------------------------------------- https://arxiv.org/abs/2307.09087 ∗∗∗ Fritzbox-Sicherheitsleck analysiert: Risiko sogar bei deaktiviertem Fernzugriff ∗∗∗ --------------------------------------------- AVM schließt bei vielen Fritzboxen eine Sicherheitslücke. Unserer Analyse zufolge lässt sie sich aus der Ferne ausnutzen – sogar mit abgeschaltetem Fernzugriff. --------------------------------------------- https://www.heise.de/-9323225.html ∗∗∗ BSI-Umfrage: Kritische Infrastrukturen haben Nachholbedarf bei IT-Sicherheit ∗∗∗ --------------------------------------------- Vor allem bei der Umsetzung organisatorischer Sicherheitsmaßnahmen hapert es noch bei Betreibern kritischer Infrastrukturen. Gründe: Personal- und Geldmangel. --------------------------------------------- https://www.heise.de/-9323606.html ∗∗∗ Don’t Let Zombie Zoom Links Drag You Down ∗∗∗ --------------------------------------------- Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks. --------------------------------------------- https://krebsonsecurity.com/2023/10/dont-let-zombie-zoom-links-drag-you-dow… ∗∗∗ Silverfort Open Sources Lateral Movement Detection Tool ∗∗∗ --------------------------------------------- Silverfort has released the source code for its lateral movement detection tool LATMA, to help identify and analyze intrusions. --------------------------------------------- https://www.securityweek.com/silverfort-open-sources-lateral-movement-detec… ∗∗∗ Die Österreichische Post AG verkauft keine Zufallspakete für 2 Euro! ∗∗∗ --------------------------------------------- Betrügerische Werbeschaltungen auf Facebook spielen vor, dass die Post AG nicht zustellbare Pakete für nur 2 Euro verkauft. Angeblich haben Sie so die Möglichkeit, mit tollen Gegenständen wie Tablets, Kaffeemaschinen oder Büchern überrascht zu werden. Achtung: Es handelt sich um reinen Betrug. Werbung und Profile stammen nicht von der Post und die Pakete existieren nicht. Sie landen hier in einer Abo-Falle oder geben Ihr Zahlungsmittel unbeabsichtigt für Zahlungen durch Kriminelle frei. --------------------------------------------- https://www.watchlist-internet.at/news/die-oesterreichische-post-ag-verkauf… ∗∗∗ Keine Warnung zu den aktuellen Exim Schwachstellen (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119) ∗∗∗ --------------------------------------------- Am Mittwoch 27. September wurden durch die Zero Day Initiative sechs Schwachstellen (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119) im Mail Transfer Agent (MTA) Exim veröffentlicht.[1][2][3][4][5][6] Nach interner Analyse und im Austausch mit Experten sind wir zu ähnlichen Schlüssen, wie nun auf der offiziellen Mailingliste des Projekts veröffentlicht[7], gekommen. --------------------------------------------- https://cert.at/de/aktuelles/2023/10/keine-warnung-zu-den-aktuellen-exim-sc… ∗∗∗ E-Mail-Angriff via Dropbox ∗∗∗ --------------------------------------------- BEC 3.0-Angriffe häufen sich und sind noch schwieriger zu erkennen, weil Hacker Links über legitime Dienste versenden. --------------------------------------------- https://www.zdnet.de/88412118/e-mail-angriff-via-dropbox/ ∗∗∗ Kritische Sicherheitsupdates: Chrome, Edge, Firefox, Thunderbird,Tor ∗∗∗ --------------------------------------------- Ende September 2023 gab es Sicherheitsupdates für diverse Software, die kritische Schwachstellen (0-Days) schließen sollen. Bei den Chromium-Browsern wurde eine Sicherheitslücke im V8 Encoder geschlossen (betrifft Google Chrome und beim Edge). Die Mozilla Entwickler haben ebenfalls Notfall-Updates für den Firefox und den Thunderbird herausgebracht. Und Tor wurde diesbezüglich ebenfalls aktualisiert. Ich fasse mal die Updates in diesem Sammelbeitrag zusammen. --------------------------------------------- https://www.borncity.com/blog/2023/10/02/kritische-sicherheitsupdates-chrom… ∗∗∗ Bitsight identifies nearly 100,000 exposed industrial control systems ∗∗∗ --------------------------------------------- Bitsight has identified nearly 100,000 exposed industrial control systems (ICS) potentially allowing an attacker to access and control physical infrastructure. --------------------------------------------- https://www.bitsight.com/blog/bitsight-identifies-nearly-100000-exposed-ind… ===================== = Vulnerabilities = ===================== ∗∗∗ JetBrains TeamCity Unauthenticated Remote Code Execution ∗∗∗ --------------------------------------------- Topic: JetBrains TeamCity Unauthenticated Remote Code Execution Risk: High Text:## # This module requires Metasploit [...] --------------------------------------------- https://cxsecurity.com/issue/WLB-2023100003 ∗∗∗ OpenRefines Zip Slip Vulnerability Could Let Attackers Execute Malicious Code ∗∗∗ --------------------------------------------- A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below. --------------------------------------------- https://thehackernews.com/2023/10/openrefines-zip-slip-vulnerability.html ∗∗∗ Security updates available in PDF-XChange Editor/Tools 10.1.1.381 ∗∗∗ --------------------------------------------- Released version 10.1.1.381, which addresses potential security and stability issues. --------------------------------------------- https://www.tracker-software.com/support/security-bulletins.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, cups, firefox-esr, firmware-nonfree, gerbv, jetty9, libvpx, mosquitto, open-vm-tools, python-git, python-reportlab, and trafficserver), Fedora (firefox, giflib, libvpx, libwebp, webkitgtk, and xen), Gentoo (Chromium, Google Chrome, Microsoft Edge, ClamAV, GNU Binutils, and wpa_supplicant, hostapd), Mageia (flac, giflib, indent, iperf, java, libvpx, libxml2, quictls, wireshark, and xrdp), Oracle (kernel), Slackware (libvpx and mozilla), and SUSE (bind, python, python-bugzilla, roundcubemail, seamonkey, and xen). --------------------------------------------- https://lwn.net/Articles/946186/ ∗∗∗ Suprema BioStar 2 ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to perform a SQL injection to execute arbitrary commands. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-01 ∗∗∗ Multiple Vulnerabilities in Electrolink FM/DAB/TV Transmitter ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ K000137058 : Linux kernel vulnerability CVE-2022-4269 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137058 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2023
by Daily end-of-shift report 29 Sep '23

29 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-09-2023 18:00 − Freitag 29-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Version 1.0: Ungepatchte Schwachstellen im Mail Transfer Agent Exim ∗∗∗ --------------------------------------------- Der Open Source Mail Transfer Agent (MTA) Exim weist mehrere schwerwiegende ungepatchte Schwachstellen auf. Besonders kritisch ist eine Buffer Overflow Schwachstelle in der SMTP-Implementierung, CVE-2023-42115, die einer entfernten, unauthorisierten angreifenden Person gegebenenfalls das Ausführen von Code mit Rechten des Service Accounts, mit dem Exim betrieben wird, ermöglicht. Sie erreicht daher eine CVSS-Bewertung von 9.8 ("kritisch"). --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-2… ∗∗∗ Betrifft unzählige Anwendungen: Zero-Day-Schwachstelle in VP8-Videokodierung ∗∗∗ --------------------------------------------- Google hat mal wieder eine Zero-Day-Schwachstelle in Chrome gepatcht. Neben gängigen Webbrowsern sind aber auch viele andere Apps betroffen. --------------------------------------------- https://www.golem.de/news/betrifft-unzaehlige-anwendungen-zero-day-schwachs… ∗∗∗ Dringend patchen: Schwachstelle mit maximalem Schweregrad in WS_FTP ∗∗∗ --------------------------------------------- Der Entwickler der Datentransfersoftware Moveit hat erneut kritische Schwachstellen behoben - dieses Mal in der Serveranwendung WS_FTP. --------------------------------------------- https://www.golem.de/news/dringend-patchen-schwachstelle-mit-maximalem-schw… ∗∗∗ Important release of LibreOffice 7.6.2 Community and LibreOffice 7.5.7 Community with key security fix ∗∗∗ --------------------------------------------- The Document Foundation is releasing LibreOffice 7.6.2 Community and LibreOffice 7.5.7 Community ahead of schedule to address a security issue known as CVE 2023-4863, which originates in a widely used code library known as libwebp, created by Google more than a decade ago to render the then-new WebP graphics format. --------------------------------------------- https://blog.documentfoundation.org/blog/2023/09/26/lo-762-and-lo-757/ ∗∗∗ Jetzt patchen! Angreifer haben Netzwerkgeräte von Cisco im Visier ∗∗∗ --------------------------------------------- Cisco hat unter anderem eine kritische Lücke in Catalyst SD-WAN geschlossen. Außerdem gibt es Sicherheitsupdates für weitere Produkte. --------------------------------------------- https://www.heise.de/-9320947.html ∗∗∗ Balkonkraftwerke: Hoymiles schließt Sicherheitslücken ∗∗∗ --------------------------------------------- Der Wechselrichterhersteller hat die Lücken in der API geschlossen – das haben wir verifiziert. Im Gespräch gelobte Hoymiles Besserung. --------------------------------------------- https://www.heise.de/-9321291.html ∗∗∗ Malicious ad served inside Bings AI chatbot ∗∗∗ --------------------------------------------- Users looking for software downloads may be tricked into visiting malicious websites via their interaction with Bing Chat. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/09/malicious-ad-… ∗∗∗ Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks ∗∗∗ --------------------------------------------- Hackers have set their sights on CVE-2023-34468, an RCE vulnerability in Apache NiFi that impacts thousands of organizations. --------------------------------------------- https://www.securityweek.com/hackers-set-sights-on-apache-nifi-flaw-that-ex… ∗∗∗ Oktober ist Cyber Security Month: Tipps und Veranstaltungen ∗∗∗ --------------------------------------------- Im Oktober dreht sich alles um Cyber-Sicherheit. Machen auch Sie mit und nutzen Sie das vielfältige Angebot. Wir zeigen Ihnen, wie Sie Ihre Kenntnisse zu Phishing, Randsomeware und Co. verbessern. --------------------------------------------- https://www.watchlist-internet.at/news/oktober-ist-cyber-security-month-tip… ∗∗∗ Betrügerisches EP-Gewinnspiel wird massenhaft per SMS verschickt ∗∗∗ --------------------------------------------- „Gratulation an die EP Electronic Gewinner”. Dieser Text steht in einer SMS, die derzeit massenhaft von Kriminellen verschickt wird. Besonders perfid: In der SMS werden auch die Namen der angeblichen Gewinner:innen genannt. Selbst wenn Ihr Name in der SMS auftaucht, sollten Sie nicht auf den mitgeschickten Link klicken! Betrüger:innen versuchen Sie in die Abo-Falle zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-ep-gewinnspiel-wird-… ∗∗∗ CL0P Seeds ^_- Gotta Catch Em All! ∗∗∗ --------------------------------------------- CL0P is distributing ransomware data via torrents. We investigate this new method, including seeds we’ve tracked — disguising victims with Pokemon. Catch them all! --------------------------------------------- https://unit42.paloaltonetworks.com/cl0p-group-distributes-ransomware-data-… ∗∗∗ Phishing via Dropbox ∗∗∗ --------------------------------------------- A burgeoning attack involving Dropbox is making the rounds. In the first two weeks of September, we saw 5,440 of these attacks. Hackers are using Dropbox to create fake login pages that eventually lead to a credential harvesting page. It’s yet another example of how hackers are utilizing legitimate services in what we call BEC 3.0 attacks. Business Email Compromise 3.0 attacks refer to the usage of legitimate sites—like Dropbox—to send and host phishing material. --------------------------------------------- https://blog.checkpoint.com/harmony-email/phishing-via-dropbox/ ∗∗∗ Analysis of Time-to-Exploit Trends: 2021-2022 ∗∗∗ --------------------------------------------- Mandiant Intelligence analyzed 246 vulnerabilities that were exploited between 2021 and 2022. Sixty-two percent (153) of the vulnerabilities were first exploited as zero-day vulnerabilities. The number of exploited vulnerabilities each year continues to increase, while the overall times-to-exploit (TTEs) we are seeing are decreasing. Exploitation of a vulnerability is most likely to occur before the end of the first month following the release of a patch. --------------------------------------------- https://www.mandiant.com/resources/blog/time-to-exploit-trends-2021-2022 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jetty9, and vim), Gentoo (Fish, GMP, libarchive, libsndfile, Pacemaker, and sudo), Oracle (nodejs:16 and nodejs:18), Red Hat (virt:av and virt-devel:av), Slackware (mozilla), SUSE (chromium, firefox, Golang Prometheus, iperf, libqb, and xen), and Ubuntu (linux-raspi). --------------------------------------------- https://lwn.net/Articles/945965/ ∗∗∗ Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, Firefox Focus for Android 118.1.0, and Thunderbird 115.3.1. ∗∗∗ --------------------------------------------- CVE-2023-5217: Heap buffer overflow in libvpx Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/ ∗∗∗ Vulnerabilities in node.js affect Cloud Pak Sytem [CVE-2023-28154, CVE-2022-46175, CVE-2022-3517] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038776 ∗∗∗ IBM Instana Observability is vulnerable to arbitrary code execution ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7041863 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from go-toolset and amicontained ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039373 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2023-29409 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7032246 ∗∗∗ Vulnerabilities in XStream library affects IBM Engineering Test Management (ETM) (CVE-2022-40151) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042166 ∗∗∗ Vulnerabilities in xercesImpl library affects IBM Engineering Test Management (ETM) (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042167 ∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering product is affected as Java deserialization filters (JEP 290) ignored during IBM ORB deserialization (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042172 ∗∗∗ Vulnerabilities in batik-all library affects IBM Engineering Test Management (ETM) (CVE-2022-44730, CVE-2022-44729) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042170 ∗∗∗ Multiple vulnerabilities in IBM Storage Defender \u2013 Data Protect ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040913 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2023
by Daily end-of-shift report 28 Sep '23

28 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-09-2023 18:00 − Donnerstag 28-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researchers Release Details of New RCE Exploit Chain for SharePoint ∗∗∗ --------------------------------------------- One of the already-patched flaws enables elevation of privilege, while the other enables remote code execution. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/reseachers-release-deta… ∗∗∗ Unzählige Anwendungen betroffen: Chaos bei WebP-Lücke ∗∗∗ --------------------------------------------- Anfangs ordnete Google die Lücke aber nur dem hauseigenen Webbrowser Chrome zu. Mittlerweile hat Google sich aber korrigiert und für die alte Sicherheitslücke (CVE-2023-4863 "hoch") den neuen Eintrag CVE-2023-5129 mit einer kritischen Einstufung (CVSS Score 10 von 10) eingereicht. Dieser wurde aber bereits nach sechs Stunden durch Google als ungültig erklärt. Als Grund ist angegeben, dass der neue Eintrag sich mit dem alten Eintrag doppelt. --------------------------------------------- https://www.heise.de/-9319783 ∗∗∗ SMS Security & Privacy Gaps Make It Clear Users Need a Messaging Upgrade ∗∗∗ --------------------------------------------- Like any forty-year-old technology, SMS is antiquated compared to its modern counterparts. That’s especially concerning when it comes to security. --------------------------------------------- http://security.googleblog.com/2023/09/sms-security-privacy-gaps-make-it-cl… ∗∗∗ Mit Cloudflare Cloudflare umgehen ∗∗∗ --------------------------------------------- Von Cloudflare-Kunden konfigurierte Schutzmechanismen (z. B. Firewall, DDoS-Schutz) für Webseiten können aufgrund von Lücken in den mandantenübergreifenden Schutzmaßnahmen umgangen werden, wodurch Kunden potenziell Angriffen ausgesetzt sind, welche von Cloudflare verhindert werden sollten. --------------------------------------------- https://certitude.consulting/blog/de/cloudflare-verwenden-um-cloudflare-zu-… ∗∗∗ TrendMicro veröffentlicht kritischen Patch für Apex One SP1 Build 12512 ∗∗∗ --------------------------------------------- Der kritische Patch beseitigt gleich mehrere Bugs, wovon einer verhindert, dass der Apex One-Server Virenerkennungsprotokolldaten von verwalteten Sicherheitsagenten empfangen kann. --------------------------------------------- https://www.borncity.com/blog/2023/09/28/trendmicro-verffentlicht-kritische… ∗∗∗ SSH keys stolen by stream of malicious PyPI and npm packages ∗∗∗ --------------------------------------------- A stream of malicious npm and PyPi packages have been found stealing a wide range of sensitive data from software developers on the platforms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ssh-keys-stolen-by-stream-of… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2023-09-27 ∗∗∗ --------------------------------------------- Cisco has published 15 security advisories: (1x Critical, 7x High, 6x Medium, 1x Informational) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Hoymiles: Bedrohliche Lücken in der S-Miles-Cloud ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat sich Hoymiles Cloudservice genauer angesehen und Lücken gefunden, über die Wechselrichter sogar zerstört werden können. --------------------------------------------- https://www.heise.de/-9319500 ∗∗∗ Mozilla: Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, and Firefox Focus for Android 118.1.0. ∗∗∗ --------------------------------------------- CVE-2023-5217: Heap buffer overflow in libvpx. Impact: critical --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/ ∗∗∗ Google Chrome 117.0.5938.132 ∗∗∗ --------------------------------------------- Google hat zum 27. September 2023 Updates des Google Chrome Browsers 117 im Stable Channel für Mac, Linux und Windows freigegeben. Es ist ein Sicherheitsupdate, das ausgerollt werden und mehrere Schwachstellen (Einstufung teilweise als "hoch") beseitigen sollen. --------------------------------------------- https://www.borncity.com/blog/2023/09/28/google-chrome-117-0-5938-132/ ∗∗∗ GStreamer Security Advisories 2023-09-20 ∗∗∗ --------------------------------------------- GStreamer has published 3 security advisories at 2023-09-20. --------------------------------------------- https://gstreamer.freedesktop.org/security/ ∗∗∗ Hancom Office 2020 HWord footerr use-after-free vulnerability ∗∗∗ --------------------------------------------- A use-after-free vulnerability exists in the footerr functionality of Hancom Office 2020 HWord 11.0.0.7520. A specially crafted .doc file can lead to a use-after-free. An attacker can trick a user into opening a malformed file to trigger this vulnerability. --------------------------------------------- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1759 ∗∗∗ Accusoft ImageGear dcm_pixel_data_decode out-of-bounds write vulnerability ∗∗∗ --------------------------------------------- An out-of-bounds write vulnerability exists in the dcm_pixel_data_decode functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability. --------------------------------------------- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1802 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ncurses), Fedora (emacs, firecracker, firefox, libkrun, python-oauthlib, and virtiofsd), Mageia (glibc and vim), Oracle (18), SUSE (bind, binutils, busybox, cni, cni-plugins, container-suseconnect, containerd, curl, exempi, ffmpeg, firefox, go1.19-openssl, go1.20-openssl, gpg2, grafana, gsl, gstreamer-plugins-bad, gstreamer-plugins-base, libpng15, libwebp, mutt, nghttp2, open-vm-tools, pmix, python-brotlipy, python3, python310, qemu, quagga, rubygem-actionview-5_1, salt, supportutils, xen, and xrdp), and Ubuntu (libwebp, minidlna, puma, and python2.7, python3.5). --------------------------------------------- https://lwn.net/Articles/945829/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0009 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2023-39928, CVE-2023-35074, CVE-2023-39434, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0009.html ∗∗∗ (0Day) Control Web Panel ∗∗∗ --------------------------------------------- ZDI-23-1476 - ZDI-23-1479 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ (0Day) Exim ∗∗∗ --------------------------------------------- ZDI-23-1468 - ZDI-23-1473 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ ZDI-23-1475: (0Day) Avast Premium Security Sandbox Protection Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1475/ ∗∗∗ ZDI-23-1474: (0Day) Avast Premium Security Sandbox Protection Incorrect Authorization Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1474/ ∗∗∗ Drupal: Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-047 ∗∗∗ Drupal: Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-046 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Rockwell Automation PanelView 800 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-271-01 ∗∗∗ DEXMA DexGate ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-271-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2023
by Daily end-of-shift report 27 Sep '23

27 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-09-2023 18:00 − Mittwoch 27-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Unzählige Anwendungen betroffen: WebP-Schwachstelle erreicht maximalen Schweregrad ∗∗∗ --------------------------------------------- Die Schwachstelle in der WebP-Bibliothek wurde zuvor fälschlicherweise als Chrome-Bug markiert. Sie betrifft aber weitaus mehr Anwendungen. --------------------------------------------- https://www.golem.de/news/unzaehlige-anwendungen-betroffen-webp-schwachstel… ∗∗∗ Apple Releases MacOS Sonoma Including Numerous Security Patches, (Tue, Sep 26th) ∗∗∗ --------------------------------------------- As expected, Apple today released macOS Sonoma (14.0). This update, in addition to new features, provides patches for about 60 different vulnerabilities. --------------------------------------------- https://isc.sans.edu/diary/rss/30252 ∗∗∗ ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families ∗∗∗ --------------------------------------------- Cybersecurity experts have shed light on a new cybercrime group known as ShadowSyndicate (formerly Infra Storm) that may have leveraged as many as seven different ransomware families over the past year. "ShadowSyndicate is a threat actor that works with various ransomware groups and affiliates of ransomware programs," Group-IB and Bridewell said in a joint technical report. --------------------------------------------- https://thehackernews.com/2023/09/shadowsyndicate-new-cybercrime-group.html ∗∗∗ Reports about Cyber Actors Hiding in Router Firmware ∗∗∗ --------------------------------------------- On September 27, 2023, a joint cybersecurity advisory (CSA) was released detailing activities of the cyber actors known as BlackTech. The CSA describes how BlackTech is able to modify router firmware without detection. [...] Cisco has reviewed the report. Cisco would like to highlight the following key facts: The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials. [...] --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Hacking htmx applications ∗∗∗ --------------------------------------------- With the normal flow of frontend frameworks moving from hipster to mainstream in the coming few months, during a test, you bump into this strange application that receives HTML with `hx-` attributes in responses. Congrats, you are testing your first htmx application, let me give you the building blocks to play with for testing this type of application. --------------------------------------------- https://medium.com/@matuzg/hacking-htmx-applications-f8d29665faf ∗∗∗ A Deep Dive into Brute Ratel C4 payloads – Part 2 ∗∗∗ --------------------------------------------- Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework. There aren’t a lot of Brute Ratel samples available in the wild. This second part of the analysis presents the remaining commands executed by the agent. --------------------------------------------- https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/ ∗∗∗ Fake Bitwarden installation packages delivered RAT to Windows users ∗∗∗ --------------------------------------------- Windows users looking to install the Bitwarden password manager may have inadvertently installed a remote access trojan (RAT). The ZenRAT malware A malicious website spoofing Bitwarden’s legitimate one (located at bitwariden[.]com) has been offering fake installation packages containing the ZenRAT malware. --------------------------------------------- https://www.helpnetsecurity.com/2023/09/27/windows-bitwarden-rat/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (libtiff), Red Hat (libtiff, nodejs:16, and nodejs:18), Slackware (mozilla), SUSE (bind, cacti, cacti-spine, ImageMagick, kernel, libwebp, netatalk, open-vm-tools, postfix, quagga, wire, and wireshark), and Ubuntu (cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-bluefield, and linux-bluefield, linux-raspi, linux-raspi-5.4). --------------------------------------------- https://lwn.net/Articles/945700/ ∗∗∗ New GPU Side-Channel Attack Allows Malicious Websites to Steal Data ∗∗∗ --------------------------------------------- GPUs from AMD, Apple, Arm, Intel, Nvidia and Qualcomm are vulnerable to a new type of side-channel attack named GPU.zip. --------------------------------------------- https://www.securityweek.com/new-gpu-side-channel-attack-allows-malicious-w… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0020 ∗∗∗ --------------------------------------------- VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2023-34043) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0020.html ∗∗∗ K000136909 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000136909 ∗∗∗ K000136907 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43124 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000136907 ∗∗∗ semver-6.3.0.tgz is vulnerable to CVE-2022-25883 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039430 ∗∗∗ Okio GzipSource is vulnerable to CVE-2023-3635 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039433 ∗∗∗ Certifi is vulnerable to CVE-2023-37920 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039436 ∗∗∗ VMware Tanzu Spring for Apache Kafka is vulnerable to CVE-2023-34040 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039438 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039519 ∗∗∗ Vulnerability found in Eclipse Jetty may affect IBM Enterprise Records ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040603 ∗∗∗ Vulnerability of jython-standalone-2.7.0.jar have affected APM WebSphere Application Server Agent and APM Tomcat Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040614 ∗∗∗ IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040672 ∗∗∗ IBM Cognos Analytics is affected but not classified as vulnerable to vulnerabilities in IBM Websphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040744 ∗∗∗ The Bouncy Castle Crypto Package For Java (bc-java) component is vulnerable to CVE-2023-33201 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028107 ∗∗∗ Control Access issues in PCOMM ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031707 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2023
by Daily end-of-shift report 26 Sep '23

26 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Montag 25-09-2023 18:00 − Dienstag 26-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ A new spin on the ZeroFont phishing technique, (Tue, Sep 26th) ∗∗∗ --------------------------------------------- Last week, I came across an interesting phishing e-mail, in which a text written in a font with zero-pixel size was used in quite a novel way. --------------------------------------------- https://isc.sans.edu/diary/rss/30248 ∗∗∗ Analysis of CVE-2023-38831 Zero-Day vulnerability in WinRAR ∗∗∗ --------------------------------------------- A remote code execution when the user attempts to view a benign file within a ZIP archive. The issue occurs because a) ZIP archive may include a benign file such as an ordinary .JPG file and also a folder that has the same name as the benign file, and the contents of the folder which may include executable content are processed during an attempt to access only the benign file. --------------------------------------------- https://blog.securelayer7.net/analysis-of-cve-2023-38831-zero-day-vulnerabi… ∗∗∗ Xenomorph Malware Strikes Again: Over 30+ US Banks Now Targeted ∗∗∗ --------------------------------------------- >From what was observed in previous cases, we were able to clearly identify a distribution campaign, using phishing webpages to trick victims into installing malicious APKs, which feature a larger list of targets compared to its previous versions. --------------------------------------------- https://www.threatfabric.com/blogs/xenomorph ∗∗∗ PGP-verschlüsselte E-Mails mit macOS 14: GPGTools warnt vor schnellem Upgrade ∗∗∗ --------------------------------------------- macOS 14 sägt Mail-Plug-ins ab, bewährte Tools wie GPG funktionieren deshalb nicht mehr. GPGTools stellt aber eine neue Extension für Apple Mail in Aussicht. --------------------------------------------- https://www.heise.de/-9318030 ∗∗∗ Vorsicht, wenn PCM Marketing anruft ∗∗∗ --------------------------------------------- Unternehmen werden im Moment häufig von der Marketing-Agentur „PCM Marketing“ angerufen und an eine Kündigung eines Abos erinnert. Bei Nichtkündigung kommt es angeblich zu hohen Kosten. Nach dem Telefonat erhalten Sie ein E-Mail mit einer ausgefüllten Vorlage, die Sie unterschreiben und zurückschicken sollen. Achtung: Unterschreiben Sie nicht, Sie werden in ein teures Abo gelockt! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-pcm-marketing-anruft/ ∗∗∗ Fortifying your wireless network: A comprehensive guide to defend against wireless attacks ∗∗∗ --------------------------------------------- In this in-depth blog, we will delve into the technical intricacies of safeguarding your network against wireless threats. Armed with this knowledge, you can confidently defend your wireless infrastructure against potential attackers. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/fortifying-your-wir… ===================== = Vulnerabilities = ===================== ∗∗∗ Xen Security Advisory CVE-2023-20588 / XSA-439 ∗∗∗ --------------------------------------------- Version 1 accidentally linked to the wrong AMD bulletin. This has been corrected in v2. All other information in v1 is believed to be correct. | Impact: An attacker might be able to infer data from a different execution context on the same CPU core. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-439.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exempi, glib2.0, lldpd, and netatalk), Fedora (curl, libppd, and linux-firmware), Oracle (kernel), and SUSE (Cadence, frr, modsecurity, python-CairoSVG, python-GitPython, and tcpreplay). --------------------------------------------- https://lwn.net/Articles/945559/ ∗∗∗ Firefox 118 und 115.3 ESR freigegeben ∗∗∗ --------------------------------------------- Zum 26. September 2023 haben die Mozilla-Entwickler den neuen Firefox 118 sowie das Wartungsupdate des Firefox 115.3 ESR veröffentlicht. Mit den Updates wurden einige Schwachstellen geschlossen. --------------------------------------------- https://www.borncity.com/blog/2023/09/26/firefox-118-115-3-freigegeben/ ∗∗∗ Suprema BioStar 2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-01 ∗∗∗ Advantech EKI-1524-CE series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-04 ∗∗∗ Hitachi Energy Asset Suite 9 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-02 ∗∗∗ Baker Hughes Bently Nevada 3500 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-05 ∗∗∗ Mitsubishi Electric FA Engineering Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03 ∗∗∗ IBM Storage Protect Server is susceptible to numerous vulnerabilities due to Golang Go (CVE-2023-29402, CVE-2023-29403, CVE-2023-29404, CVE-2023-29405, CVE-2023-29406, CVE-2023-29400, CVE-2023-24540, CVE-2023-24539, X-Force 250518) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038772 ∗∗∗ Vulnerability with kernel , OpenJDK jna-platform affect IBM Cloud Object Storage Systems (Sept2023) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038968 ∗∗∗ Vulnerability with bcprov-jdk affect IBM Cloud Object Storage Systems (Sept2023) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038966 ∗∗∗ Vulnerability with Python affect IBM Cloud Object Storage Systems (Sept2023v2) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038969 ∗∗∗ IBM InfoSphere Information Server is vulnerable to OS command injection (CVE-2022-35717) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038982 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to privilege escalation attack due to Apache Cassandra ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039222 ∗∗∗ Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039262 ∗∗∗ Multiple security vulnerabilities affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039367 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2023
by Daily end-of-shift report 25 Sep '23

25 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-09-2023 18:00 − Montag 25-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Akira Ransomware Mutates to Target Linux Systems ∗∗∗ --------------------------------------------- The newly emerged ransomware actively targets both Windows and Linux systems with a double-extortion approach. --------------------------------------------- https://www.darkreading.com/attacks-breaches/akira-ransomware-mutates-to-ta… ∗∗∗ Predator-Spyware: Staatstrojaner wurde über iOS-Schwachstellen eingeschleust ∗∗∗ --------------------------------------------- Intellexa hat die jüngst von Apple gepatchten Schwachstellen in iOS ausgenutzt, um eine Zero-Day-Exploit-Kette für iPhones zu entwickeln. --------------------------------------------- https://www.golem.de/news/predator-spyware-staatstrojaner-wurde-ueber-ios-s… ∗∗∗ Blocking Visual Studio Code embedded reverse shell before its too late ∗∗∗ --------------------------------------------- Since July 2023, Microsoft is offering the perfect reverse shell, embedded inside Visual Studio Code, a widely used development tool. With just a few clicks, any user with a github account can share their visual studio desktop on the web. VS code tunnel is almost considered a lolbin (Living Of the Land Binary). --------------------------------------------- https://ipfyx.fr/post/visual-studio-code-tunnel/ ∗∗∗ iRacing Exploit allows attackers to take control of users computer ∗∗∗ --------------------------------------------- If you have updated iRacing since 2023 Season 2 Patch 5, you’re safe. But if you have the game installed and haven’t updated it, it’s important to either update or uninstall it as soon as possible. Keep in mind this exploit is possible even if you haven’t got an active iRacing subscription, so if you were thinking about updating it later, it’s worth uninstalling it in the meanwhile. --------------------------------------------- https://blog.ss23.geek.nz/2023/09/21/iracing-electron-rce-exploit.html ∗∗∗ Außergewöhnliche Malware nimmt westeuropäische Telkos ins Visier ∗∗∗ --------------------------------------------- Lua Dream ist ein mittels Lua modular aufgebauter Schädling, der es auf Telekommunikationsunternehmen abgesehen hat – und wahrscheinlich aus Asien stammt. --------------------------------------------- https://www.heise.de/-9315204.html ∗∗∗ In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover ∗∗∗ --------------------------------------------- A critical vulnerability in the TeamCity CI/CD server could allow unauthenticated attackers to execute code and take over vulnerable servers. --------------------------------------------- https://www.securityweek.com/in-the-wild-exploitation-expected-for-critical… ∗∗∗ Webinar: Manipulation durch Dark Patterns – wie kann ich mich schützen? ∗∗∗ --------------------------------------------- Dark Patterns werden im Internet eingesetzt, um uns zu Handlungen zu verleiten, die nicht in unserem Interesse liegen – und so z. B. mehr Geld auszugeben oder mehr Daten zu teilen, als wir eigentlich möchten. Dieses Webinar erklärt, wie uns Dark Patterns manipulieren und wie Sie sich davor schützen können. Nehmen Sie kostenlos teil: Dienstag 03. Oktober 2023, 18:30 - 20:00 Uhr via zoom --------------------------------------------- https://www.watchlist-internet.at/news/webinar-manipulation-durch-dark-patt… ∗∗∗ Gefälschtes Gewinnspiel für ÖBB-Geschenkkarten & iPhone 15 Pro ∗∗∗ --------------------------------------------- Uns werden aktuell betrügerische Gewinnspiele für das neue iPhone sowie ÖBB-Geschenkkarten zum Gratis-Zugfahren gemeldet. Die Gewinnspiele werden über Soziale Netzwerke, Messenger und per E-Mail verbreitet. Den Gewinn bekommen Sie angeblich, wenn Sie € 1,95 zahlen. Wer bezahlt verliert aber Geld! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-gewinnspiel-fuer-oebb-g… ∗∗∗ SCCM Hierarchy Takeover ∗∗∗ --------------------------------------------- tl;dr: There is no security boundary between sites in the same hierarchy. When an administrative user is granted a security role in SCCM, such as Full Administrator or Infrastructure Administrator, in any primary site, the underlying database changes propagate upward to the central administration site (CAS) and then to other primary sites in the hierarchy. This means that if an attacker gains control of any primary site, they gain control of the entire SCCM hierarchy. --------------------------------------------- https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087 ∗∗∗ iOS 17 update secretly changed your privacy settings; here’s how to set them back ∗∗∗ --------------------------------------------- Many iPhone users who upgraded their iPhones to the recently-released iOS 17 will be alarmed to hear that they may have actually downgraded their security and privacy. --------------------------------------------- https://www.bitdefender.com/blog/hotforsecurity/ios-17-update-secretly-chan… ∗∗∗ From ScreenConnect to Hive Ransomware in 61 hours ∗∗∗ --------------------------------------------- In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, [...] --------------------------------------------- https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-… ∗∗∗ CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR) ∗∗∗ --------------------------------------------- AhnLab Security Emergency Response Center (ASEC) has identified the process through which threat actors install CoinMiners, which utilize a compromised system’s resources for cryptocurrency mining. This post will cover how the AhnLab EDR product detects the installation process of CoinMiners that use system resources for cryptocurrency mining. --------------------------------------------- https://asec.ahnlab.com/en/57222/ ∗∗∗ Kaspersky Reveals Alarming IoT Threats and Dark Web DDoS Boom ∗∗∗ --------------------------------------------- Kaspersky Unveils Alarming IoT Vulnerabilities and Dark Webs Thriving DDoS Economy. --------------------------------------------- https://www.hackread.com/iot-vulnerabilities-dark-web-ddos-economy/ ===================== = Vulnerabilities = ===================== ∗∗∗ Elasticsearch 8.9.0, 7.17.13 Security Update ∗∗∗ --------------------------------------------- An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. --------------------------------------------- https://discuss.elastic.co/t/elasticsearch-8-9-0-7-17-13-security-update/34… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, elfutils, flac, ghostscript, libapache-mod-jk, lldpd, and roundcube), Fedora (linux-firmware, roundcubemail, and thunderbird), Mageia (curl, file, firefox/thunderbird, ghostpcl, libtommath, and nodejs), Oracle (kernel, open-vm-tools, qemu, and virt:ol and virt-devel:rhel), SUSE (bind, busybox, djvulibre, exempi, ImageMagick, libqb, libssh2_org, opera, postfix, python, python36, renderdoc, webkit2gtk3, and xrdp), and Ubuntu (accountsservice and open-vm-tools). --------------------------------------------- https://lwn.net/Articles/945503/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-41991 Apple Multiple Products Improper Certificate Validation Vulnerability CVE-2023-41992 Apple Multiple Products Kernel Privilege Escalation Vulnerability CVE-2023-41993 Apple Multiple Products WebKit Code Execution Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/09/25/cisa-adds-three-known-ex… ∗∗∗ RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php ∗∗∗ Wago: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-042/ ∗∗∗ Stored Cross-Site Scripting in der mb Support broker management Solution openVIVA c2 ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/stored-cross-site-scr… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily