Daily

daily@lists.cert.at

1 participants
3200 discussions

Tageszusammenfassung - 10.10.2023
by Daily end-of-shift report 10 Oct '23

10 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 09-10-2023 18:00 − Dienstag 10-10-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patch Now: Massive RCE Campaign Wrangles Routers Into Botnet ∗∗∗ --------------------------------------------- Thousands of devices, including D-Link and Zyxel gear, remain vulnerable to takeover despite the availability of patches for the several bugs being exploited by IZ1H9 campaign. --------------------------------------------- https://www.darkreading.com/cloud/patch-now-massive-rce-campaign-d-link-zyx… ∗∗∗ Over 17,000 WordPress sites hacked in Balada Injector attacks last month ∗∗∗ --------------------------------------------- Multiple Balada Injector campaigns have compromised and infected over 17,000 WordPress sites using known flaws in premium theme plugins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-17-000-wordpress-sites-… ∗∗∗ The Art of Concealment: A New Magecart Campaign That’s Abusing 404 Pages ∗∗∗ --------------------------------------------- A new, sophisticated, and covert Magecart web skimming campaign has been targeting Magento and WooCommerce websites. --------------------------------------------- https://www.akamai.com/blog/security-research/magecart-new-technique-404-pa… ∗∗∗ Inzwischen vorhanden: Details zu gefixten Lücken in iOS 17 und Co. ∗∗∗ --------------------------------------------- Als iOS 17, iPadOS 17, watchOS 10 und tvOS 17 erschienen, machte Apple keine Angaben zu enthaltenen Sicherheitspatches. Mittlerweile lassen sie sich einsehen. --------------------------------------------- https://www.heise.de/-9319162 ∗∗∗ ‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History ∗∗∗ --------------------------------------------- Cloudflare, Google and AWS revealed on Tuesday that a new zero-day vulnerability named ‘HTTP/2 Rapid Reset’ has been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history. --------------------------------------------- https://www.securityweek.com/rapid-reset-zero-day-exploited-to-launch-large… ∗∗∗ Take a note of SpyNote! ∗∗∗ --------------------------------------------- Among noteworthy spyware, one that has been in the limelight recently is SpyNote. This spyware app spreads via smishing (i.e. malicious SMS messages) by urging the victims to install the app from provided links. Naturally, the hosting and downloading happen outside of the official Play Store app, to prevent the security evaluation done by Google Play Store from thwarting the spread of this spyware. --------------------------------------------- https://blog.f-secure.com/take-a-note-of-spynote/ ∗∗∗ Android-Geräte ab Werk mit Malware infiziert ∗∗∗ --------------------------------------------- Settop-Boxen mit bestimmten Chipsätzen von Allwinner und Rockchip enthalten den Trojaner Badbox. Der zeigt unterwünschte Werbung an und verbreitet schädliche Apps. --------------------------------------------- https://www.zdnet.de/88412275/android-geraete-ab-werk-mit-malware-infiziert/ ∗∗∗ Infostealer with Abnormal Certificate Being Distributed ∗∗∗ --------------------------------------------- Recently, there has been a high distribution rate of malware using abnormal certificates. Malware often disguise themselves with normal certificates. However, in this case, the malware entered the certificate information randomly, with the Subject Name and Issuer Name fields having unusually long strings. As a result, the certificate information is not visible in Windows operating systems, and a specific tool or infrastructure is required to inspect the structure of these certificates. --------------------------------------------- https://asec.ahnlab.com/en/57553/ ∗∗∗ CISA, Government, and Industry Partners Publish Fact Sheet for Organizations Using Open Source Software ∗∗∗ --------------------------------------------- This guidance is intended to assist both senior leadership and operations personnel at OT/ICS vendors and critical infrastructure entities with better management of risk from OSS use in OT/ICS products, to include software supply chain, and increase resilience using available resources. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-government-and-industry-partners… ===================== = Vulnerabilities = ===================== ∗∗∗ Per SSID: Schwachstelle in D-Link-Repeater erlaubt Codeausführung ∗∗∗ --------------------------------------------- Beim Netzwerk-Scan des D-Link DAP-X1860 kann es zu einer unerwünschten Codeausführung kommen. Über spezielle SSIDs sind Angriffe möglich. --------------------------------------------- https://www.golem.de/news/per-ssid-schwachstelle-in-d-link-repeater-erlaubt… ∗∗∗ Siemens Security Advisories 2023-10-10 ∗∗∗ --------------------------------------------- SSA-843070: SCALANCE W1750D, SSA-829656: Xpedition Layout Browser, SSA-784849: SIMATIC CP Devices, SSA-770890: SICAM A8000 Devices, SSA-647455: RUGGEDCOM APE1808 devices, SSA-594373: SINEMA Server V14, SSA-524778: Tecnomatix Plant Simulation, SSA-386812: Simcenter Amesim before V2021.1, SSA-295483: Mendix, SSA-160243: SINEC NMS before V2.0, SSA-134651: SICAM A8000 Devices, SSA-035466: SICAM PAS/PQS --------------------------------------------- https://www.siemens.com/global/en/products/services/cert.html#SecurityPubli… ∗∗∗ Backup: Acronis schließt Sicherheitslücken im Agent für Linux, Mac und Windows ∗∗∗ --------------------------------------------- Acronis hat eine Aktualisierung des Agent für Linux, Mac und Windows veröffentlicht. Sie dichtet unter anderem ein Leck mit hohem Risiko ab. --------------------------------------------- https://www.heise.de/-9329516 ∗∗∗ Sicherheitsupdates: Schadcode- und Root-Lücken bedrohen IBM-Software ∗∗∗ --------------------------------------------- IBM hat unter anderem im Datenbankmanagementsystem Db2 schwerwiegende Schwachstellen geschlossen. --------------------------------------------- https://www.heise.de/-9329404 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown). --------------------------------------------- https://lwn.net/Articles/947233/ ∗∗∗ One-Click GNOME Exploit Could Pose Serious Threat to Linux Systems ∗∗∗ --------------------------------------------- A one-click exploit targeting the Libcue component of the GNOME desktop environment could pose a serious threat to Linux systems. --------------------------------------------- https://www.securityweek.com/one-click-gnome-exploit-could-pose-serious-thr… ∗∗∗ SAP Releases 7 New Notes on October 2023 Patch Day ∗∗∗ --------------------------------------------- SAP has released seven new notes as part of its October 2023 Security Patch Day, all rated ‘medium severity’. --------------------------------------------- https://www.securityweek.com/sap-releases-7-new-notes-on-october-2023-patch… ∗∗∗ Unverschlüsselte Bluetoothverbindung bei Smartwatch Amazfit Bip U (SYSS-2023-022) ∗∗∗ --------------------------------------------- Die Smartwatch Amazfit Bip U kommuniziert unverschlüsselt mit dem verbundenen Smartphone. Alle Nachrichten können daher von Angreifenden abgehört werden. --------------------------------------------- https://www.syss.de/pentest-blog/unverschluesselte-bluetoothverbindung-bei-… ∗∗∗ Ivanti Endpoint Manager new vulnerabilities ∗∗∗ --------------------------------------------- There are two vulnerabilities we have recently discovered that impact Ivanti Endpoint Manager (EPM) versions 2022 and below. They both have CVSS scores in the ‘Moderate’ range. We are reporting them as CVE-2023-35083 and CVE-2023-35084. --------------------------------------------- https://www.ivanti.com/blog/ivanti-endpoint-manager-new-vulnerabilities ∗∗∗ F5 BIG-IP Security Advisories 2023-10-10 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/new-updated-articles#sort=%40f5_updated_publishe… ∗∗∗ Xen Security Advisories ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/ ∗∗∗ Citrix NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-ga… ∗∗∗ Citrix Hypervisor Multiple Security Updates ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX575089/citrix-hypervisor-multiple-sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2023
by Daily end-of-shift report 09 Oct '23

09 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-10-2023 18:00 − Montag 09-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ HelloKitty ransomware source code leaked on hacking forum ∗∗∗ --------------------------------------------- A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-source… ∗∗∗ High-Severity Flaws in ConnectedIOs 3G/4G Routers Raise Concerns for IoT Security ∗∗∗ --------------------------------------------- Multiple high-severity security vulnerabilities have been disclosed in ConnectedIOs ER2000 edge routers and the cloud-based management platform that could be exploited by malicious actors to execute malicious code and access sensitive data. --------------------------------------------- https://thehackernews.com/2023/10/high-severity-flaws-in-connectedios.html ∗∗∗ Turn OFF This WatchGuard Feature - GuardLapse ∗∗∗ --------------------------------------------- Picture this: a feature from a security appliance that willingly dispatches its password hashes to any device on the network. That is precisely what WatchGuards SSO does under certain circumstances. --------------------------------------------- https://projectblack.io/blog/turn-off-this-watchguard-feature-guardlapse/ ∗∗∗ Amazon Prime email scammer snatches defeat from the jaws of victory ∗∗∗ --------------------------------------------- A very convincing Amazon Prime scam landed in our mail server today and...went straight to spam. Heres why. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/10/amazon-prime ∗∗∗ Credential Harvesting Campaign Targets Unpatched NetScaler Instances ∗∗∗ --------------------------------------------- Threat actors are targeting Citrix NetScaler instances unpatched against CVE-2023-3519 to steal user credentials. --------------------------------------------- https://www.securityweek.com/credential-harvesting-campaign-targets-unpatch… ∗∗∗ The reality of Apple watch pen testing ∗∗∗ --------------------------------------------- We were approached to do an Apple Watch application test. It seems this isn’t a standard service offered by most companies (including us, although we’ve done plenty of work [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/the-reality-of-apple-watch-pe… ∗∗∗ Immer wieder Abo-Fallen bei IQ-Tests wie auf iq-fast.com/de! ∗∗∗ --------------------------------------------- Wer einen IQ-Test durchführen möchte, findet im Internet unzählige Angebote dafür. Auch iq-fast.com/de lockt mit einem entsprechenden Test auf die eigene Website. Abgesehen von der minderwertigen Qualität des dort angebotenen Tests, der lediglich aus 20 Fragen besteht, führt eine Eingabe der Kreditkartendaten nicht zum Erhalt sinnvoller Ergebnisse, sondern in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/immer-wieder-abo-fallen-bei-iq-tests… ∗∗∗ Fake friends and followers on social media – and how to spot them ∗∗∗ --------------------------------------------- One of the biggest threats to watch out for on social media is fraud perpetrated by people who aren’t who they claim to be. Here’s how to recognize them. --------------------------------------------- https://www.welivesecurity.com/en/social-media/fake-friends-followers-socia… ∗∗∗ Android TV Boxes Infected with Backdoors, Compromising Home Networks ∗∗∗ --------------------------------------------- The Android TV box you recently purchased may be riddled with harmful backdoors. --------------------------------------------- https://www.hackread.com/android-tv-boxes-backdoors-home-networks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freerdp2, gnome-boxes, grub2, inetutils, lemonldap-ng, prometheus-alertmanager, python-urllib3, thunderbird, and vinagre), Fedora (freeimage, fwupd, libspf2, mingw-freeimage, thunderbird, and vim), Gentoo (c-ares, dav1d, Heimdal, man-db, and Oracle VirtualBox), Oracle (bind, bind9.16, firefox, ghostscript, glibc, ImageMagick, and thunderbird), Slackware (netatalk), SUSE (ImageMagick, nghttp2, poppler, python, python-gevent, and yq), and Ubuntu (bind9 and vim). --------------------------------------------- https://lwn.net/Articles/947117/ ∗∗∗ Vulnerabilities in Music Station ∗∗∗ --------------------------------------------- Two path traversal vulnerabilities have been reported to affect Music Station. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-28 ∗∗∗ Vulnerabilities in ClamAV ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been reported in ClamAV. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-26 ∗∗∗ Vulnerability in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating systems. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-37 ∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗ --------------------------------------------- An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client for Windows. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-36 ∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗ --------------------------------------------- A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client for Windows. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-39 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2023
by Daily end-of-shift report 06 Oct '23

06 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-10-2023 18:00 − Freitag 06-10-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Exploits released for Linux flaw giving root on major distros ∗∗∗ --------------------------------------------- Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Librarys dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploits-released-for-linux-… ∗∗∗ Jetzt patchen! Exploits für glibc-Lücke öffentlich verfügbar ∗∗∗ --------------------------------------------- Nachdem der Bug in der Linux-Bibliothek glibc am vergangenen Dienstag bekannt wurde, sind nun zuverlässig funktionierende Exploits aufgetaucht. --------------------------------------------- https://www.heise.de/-9326518 ∗∗∗ Finanzbetrug per Telefon: Ignorieren Sie Anrufer:innen, die Sie zu Investitionen überreden wollen ∗∗∗ --------------------------------------------- Finanzbetrug ist ein lukratives Geschäft. Der finanzielle Schaden für die Betroffenen ist oft enorm. Gleichzeitig ist der Finanzmarkt streng reguliert, um Betrug in diesem Bereich zu erschweren. Das ist mit ein Grund, wieso Betrüger:innen immer wieder neue Wege finden, um an ihre Opfer zu kommen. Aktuell berichten unsere Leser:innen vermehrt davon, dass sie von Kriminellen angerufen und direkt am Telefon zu Investments überredet werden. --------------------------------------------- https://www.watchlist-internet.at/news/finanzbetrug-per-telefon-ignorieren-… ∗∗∗ Leveraging a Hooking Framework to Expand Malware Detection Coverage on the Android Platform ∗∗∗ --------------------------------------------- In this article, we will discuss this issue of how malware authors use obfuscation to make analyzing their Android malware more challenging. We will review two such case studies to illustrate those obfuscation techniques in action. Finally, we’ll cover some overall techniques researchers can use to address these obstacles. --------------------------------------------- https://unit42.paloaltonetworks.com/hooking-framework-in-sandbox-to-analyze… ∗∗∗ Microsoft: Human-operated ransomware attacks tripled over past year ∗∗∗ --------------------------------------------- Human-operated ransomware attacks are up more than 200% since September 2022, according to researchers from Microsoft, who warned that it could represent a shift in the cybercrime underground. --------------------------------------------- https://therecord.media/human-operated-ransomware-attacks-report-microsoft ∗∗∗ New tool: le-hex-to-ip.py, (Thu, Oct 5th) ∗∗∗ --------------------------------------------- So, this week it is my privilege to be TA-ing for Taz Wake for the beta run of his new class FOR577: Linux Incident Response and Threat Hunting. We were looking in the linux /proc filesystem and were noticing in the /proc//net/{tcp/udp/icmp/...} that the IP addresses were listed in hex, but little-endian. I immediately remembered Didier's Handler's Diary from last week about the IPs in the event logs that were in decimal and little endian. --------------------------------------------- https://isc.sans.edu/diary/rss/30284 ∗∗∗ NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Root-Lücke bedroht Dell SmartFabric Storage Software ∗∗∗ --------------------------------------------- Dell hat mehrere gefährliche Sicherheitslücken in SmartFabric Storage Software geschlossen. --------------------------------------------- https://www.heise.de/-9326738 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grub2, libvpx, libx11, libxpm, and qemu), Fedora (firefox, matrix-synapse, tacacs, thunderbird, and xrdp), Oracle (glibc), Red Hat (bind, bind9.16, firefox, frr, ghostscript, glibc, ImageMagick, libeconf, python3.11, python3.9, and thunderbird), Scientific Linux (ImageMagick), SUSE (kernel, libX11, and tomcat), and Ubuntu (linux-hwe-5.15, linux-oracle-5.15). --------------------------------------------- https://lwn.net/Articles/946848/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2023
by Daily end-of-shift report 05 Oct '23

05 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-10-2023 18:00 − Donnerstag 05-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Curl 8.4.0 is to be released on October 11th ... ∗∗∗ --------------------------------------------- ... containing a fix for "the worst security problem found in curl in a long time". The associated CVE is expected to be published shortly after. Use the time to check where you have #curl & #libcurl in your environment. --------------------------------------------- https://twitter.com/pyotam2/status/1709305830573473987 ∗∗∗ Jetzt patchen! Confluence Data Center: Angreifer machen sich zu Admins ∗∗∗ --------------------------------------------- Atlassian hat eine kritische Sicherheitslücke in Confluence Data Center und Server geschlossen. --------------------------------------------- https://www.heise.de/-9325414 ∗∗∗ Lorenz ransomware crew bungles blackmail blueprint by leaking two years of contacts ∗∗∗ --------------------------------------------- A security researcher noticed Lorenz's dark web victim blog was leaking backend code, pulled the data from the site, and uploaded to it a public GitHub repository. The data includes names, email addresses, and the subject line entered into the ransomware group's limited online form to request information from Lorenz. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/05/lorenz_ranso… ∗∗∗ The discovery of Gatekeeper bypass CVE-2023-27943 ∗∗∗ --------------------------------------------- Looking for vulnerabilities is not my usual daily routine. I am a software developer for Endpoint Security software. I implement new features, improve existing functionality, fixing bugs. So, the discovery of this vulnerability was a surprise. And it made me scared that a macOS update broke our product. In the end, it turned out to be quite a severe vulnerability on macOS. --------------------------------------------- https://blog.f-secure.com/discovery-of-gatekeeper-bypass-cve-2023-27943/ ∗∗∗ H1 2023 – a brief overview of main incidents in industrial cybersecurity ∗∗∗ --------------------------------------------- In this overview, we discuss cybercriminal and hacktivist attacks on industrial organizations. --------------------------------------------- https://ics-cert.kaspersky.com/publications/h1-2023-a-brief-overview-of-mai… ∗∗∗ Looking at the Attack Surface of the Sony XAV-AX5500 Head Unit ∗∗∗ --------------------------------------------- In this post, we look at the attack surface of another target in a different category. The Sony XAV-AX5500 is a popular aftermarket head unit that interacts with different systems within a vehicle. It also offers attackers a potential foothold into an automobile. --------------------------------------------- https://www.thezdi.com/blog/2023/10/5/looking-at-the-attack-surface-of-the-… ∗∗∗ Exposing Infection Techniques Across Supply Chains and Codebases ∗∗∗ --------------------------------------------- This entry delves into threat actors intricate methods to implant malicious payloads within seemingly legitimate applications and codebases. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/j/infection-techniques-across-… ∗∗∗ Your printer is not your printer ! - Hacking Printers at Pwn2Own Part I ∗∗∗ --------------------------------------------- At 2021, we found Pre-auth RCE vulnerabilities(CVE-2022-24673 and CVE-2022-3942) in Canon and HP printers, and vulnerabilty(CVE-2021-44734) in Lexmark. We used these vulnerabilities to exploit Canon ImageCLASS MF644Cdw, HP Color LaserJet Pro MFP M283fdw and Lexmark MC3224i in Pwn2Own Austin 2021. Following we will describe the details of the Canon and HP vulnerabilities and exploitation. --------------------------------------------- https://devco.re/blog/2023/10/05/your-printer-is-not-your-printer-hacking-p… ∗∗∗ EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability ∗∗∗ --------------------------------------------- Threat actors are exploiting the open redirection vulnerability on Indeed.com to launch EvilProxy phishing attacks against high-ranking executives. --------------------------------------------- https://www.hackread.com/evilproxy-phishing-kit-microsoft-indeed-vulnerabil… ∗∗∗ CISA and NSA Release New Guidance on Identity and Access Management ∗∗∗ --------------------------------------------- Today, CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-and-nsa-release-new… ∗∗∗ Notruf-Tool Cisco Emergency Responder mit statischen Zugangsdaten ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für mehrere Produkte wichtige Sicherheitsupdates veröffentlicht. --------------------------------------------- https://www.heise.de/-9325669 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2023-10-04 ∗∗∗ --------------------------------------------- Cisco has published 3 Security Advisories (1 Critical, 1 High, 1 Medium Severity) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ (0Day) D-Link ∗∗∗ --------------------------------------------- ZDI-23-1501 - ZDI-23-1525: Multiple Routers, DIR-X3260, DAP-2622, DAP-1325 and D-View --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Wieder Exploit-Update für iOS und iPadOS – das wohl auch Hitzeproblem fixt ∗∗∗ --------------------------------------------- Apple hat in der Nacht zum Donnerstag erneut wichtige Fixes für sein iPhone- und iPad-Betriebssystem vorgelegt. Es geht um Sicherheit und Überhitzung. --------------------------------------------- https://www.heise.de/-9325367 ∗∗∗ Malware-Schutz: Schwachstellen in Watchguard EPDR und AD360 geschlossen ∗∗∗ --------------------------------------------- In den Malware-Schutzlösungen Watchguard EPDR und AD360 klaffen teils Sicherheitslücken mit hohem Risiko. Aktualisierungen stehen bereit. --------------------------------------------- https://www.heise.de/-9326078 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 25, 2023 to October 1, 2023) ∗∗∗ --------------------------------------------- Last week, there were 90 vulnerabilities disclosed in 68 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libx11, and libxpm), Fedora (ckeditor, drupal7, glibc, golang-github-cncf-xds, golang-github-envoyproxy-control-plane, golang-github-hashicorp-msgpack, golang-github-minio-highwayhash, golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, golang-github-protobuf, golang-google-protobuf, nats-server, and pgadmin4), Red Hat (firefox and thunderbird), SUSE (chromium, exim, ghostscript, kernel, poppler, python-gevent, and python-reportlab), and Ubuntu (binutils, exim4, jqueryui, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-kvm, linux-oem-6.1, nodejs, and python-django). --------------------------------------------- https://lwn.net/Articles/946698/ ∗∗∗ ZDI-23-1498: Ansys SpaceClaim X_B File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1498/ ∗∗∗ Open Redirect in SAP® BSP Test Application it00 (Bypass for CVE-2020-6215 Patch) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/open-redirect-in-bsp-tes… ∗∗∗ Qognify NiceVision ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02 ∗∗∗ Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-03 ∗∗∗ Hitachi Energy AFS65x, AFF66x, AFS67x, and AFR67x Series Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2023
by Daily end-of-shift report 04 Oct '23

04 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-10-2023 18:00 − Mittwoch 04-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitswarnung: Schwachstellen in Qualcomm-Treibern werden aktiv ausgenutzt ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Qualcomm-Treibern gefährden Smartphones und Tablets weltweit. Patches sind vorhanden - zumindest bei den Herstellern. --------------------------------------------- https://www.golem.de/news/sicherheitswarnung-schwachstellen-in-qualcomm-tre… ∗∗∗ Looney Tunables: Schwachstelle in C-Bibliothek gefährdet Linux-Systeme ∗∗∗ --------------------------------------------- Eine Pufferüberlauf-Schwachstelle im dynamischen Lader von glibc ermöglicht es Angreifern, auf Linux-Systemen Root-Rechte zu erlangen. --------------------------------------------- https://www.golem.de/news/looney-tunables-schwachstelle-in-c-bibliothek-gef… ∗∗∗ Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement ∗∗∗ --------------------------------------------- Microsoft security researchers recently identified an attack where attackers attempted to move laterally to a cloud environment through a SQL Server instance. The attackers initially exploited a SQL injection vulnerability in an application within the target’s environment to gain access and elevated permissions to a Microsoft SQL Server instance deployed in an Azure Virtual Machine (VM). --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/10/03/defending-new-vect… ∗∗∗ Optimizing WordPress: Security Beyond Default Configurations ∗∗∗ --------------------------------------------- Default configurations in software are not always the most secure. For example, you might buy a network-attached home security camera from your friendly neighborhood electronics store. While these are handy to keep an eye on your property from the comfort of your phone, they also typically come shipped with a default username and password. And since they are connected to the web, they can be accessed from anywhere. Attackers know this, [...] --------------------------------------------- https://blog.sucuri.net/2023/10/optimizing-wordpress-security-beyond-defaul… ∗∗∗ Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems. Israel-based runtime application security company Oligo, which made the discovery, has coined the vulnerabilities ShellTorch. "These vulnerabilities [...] can lead to a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users — including some of the world's largest companies — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover," [...] --------------------------------------------- https://thehackernews.com/2023/10/warning-pytorch-models-vulnerable-to.html ∗∗∗ Patchday: Attacken auf Android 11, 12 und 13 beobachtet ∗∗∗ --------------------------------------------- Unter anderem Google hat wichtige Sicherheitsupdates für Android-Geräte veröffentlicht. Zwei Lücken haben Angreifer bereits im Visier. --------------------------------------------- https://www.heise.de/-9324125.html ∗∗∗ Linux tries to dump Windows notoriously insecure RNDIS protocol ∗∗∗ --------------------------------------------- Here we go again. Linux developers are trying, once more, to rid Linux of Microsofts Remote Network Driver Interface Specification. Heres why its complicated. --------------------------------------------- https://www.zdnet.com/home-and-office/networking/linux-tries-to-dump-window… ∗∗∗ Five Misconfigurations Threatening Your AWS Environment Today ∗∗∗ --------------------------------------------- In the ever-expanding realm of AWS, with over 200 services at your disposal, securing your cloud account configurations and mastering complex environments can feel like an overwhelming challenge. To help you prioritize and root them out, we’ve put together a guide for AWS configurations that are most commonly overlooked. Here are five of the top misconfigurations that could be lurking in your AWS environment right now. --------------------------------------------- https://blog.aquasec.com/five-misconfigurations-threatening-your-aws-enviro… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server ∗∗∗ --------------------------------------------- Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. --------------------------------------------- https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalati… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc, postgresql-11, and thunderbird), Fedora (openmpi, pmix, prrte, and slurm), Gentoo (glibc and libvpx), Oracle (kernel), Red Hat (kernel), Slackware (libX11 and libXpm), SUSE (firefox, kernel, libeconf, libqb, libraw, libvpx, libX11, libXpm, mdadm, openssl-1_1, poppler, postfix, python311, rubygem-puma, runc, and vim), and Ubuntu (freerdp2, glibc, grub2-signed, grub2-unsigned, libx11, libxpm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, and mozjs102). --------------------------------------------- https://lwn.net/Articles/946496/ ∗∗∗ New Supermicro BMC Vulnerabilities Could Expose Many Servers to Remote Attacks ∗∗∗ --------------------------------------------- Supermicro has released BMC IPMI firmware updates to address multiple vulnerabilities impacting select motherboard models. --------------------------------------------- https://www.securityweek.com/new-supermicro-bmc-vulnerabilities-could-expos… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2023
by Daily end-of-shift report 03 Oct '23

03 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 02-10-2023 18:00 − Dienstag 03-10-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ AVM: Fritzbox-Schwachstelle wohl ohne Fernzugriff ausnutzbar ∗∗∗ --------------------------------------------- Seit Anfang September verteilt AVM Sicherheitsupdates für die Fritzbox. Inzwischen gibt es weitere Informationen zur gepatchten Schwachstelle. --------------------------------------------- https://www.golem.de/news/avm-fritzbox-schwachstelle-wohl-ohne-fernzugriff-… ∗∗∗ Exclusive: Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more) ∗∗∗ --------------------------------------------- Researchers have identified the exfiltration infrastructure of a LockBit affiliate while investigating a LockBit extortion incident that occurred in Q3 2023. --------------------------------------------- https://securityaffairs.com/151862/breaking-news/exfiltration-infrastructur… ∗∗∗ BunnyLoader, a new Malware-as-a-Service advertised in cybercrime forums ∗∗∗ --------------------------------------------- Zscaler ThreatLabz researchers discovered a new malware-as-a-service (MaaS) that is called BunnyLoader, which has been advertised for sale in multiple cybercrime forums since September 4, 2023. --------------------------------------------- https://securityaffairs.com/151869/malware/bunnyloader-maas.html ∗∗∗ Security researchers believe mass exploitation attempts against WS_FTP have begun ∗∗∗ --------------------------------------------- Security researchers have spotted what they believe to be a "possible mass exploitation" of vulnerabilities in Progress Softwares WS_FTP Server. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/02/ws_ftp_updat… ∗∗∗ Cloudflare Protection Bypass Vulnerability on Threat Actors’ Radar ∗∗∗ --------------------------------------------- Researchers have identified two mechanisms that hinge on the assumption that traffic originating from Cloudflare towards the origin server is inherently trustworthy, while traffic from other origins should be blocked. --------------------------------------------- https://socradar.io/cloudflare-protection-bypass-vulnerability-on-threat-ac… ∗∗∗ Drei Fragen und Antworten: Der beste Schutz für das Active Directory ∗∗∗ --------------------------------------------- Bis zu 90 Prozent aller Angriffe bedienen sich Microsofts Active Directory – es ist der Hebel, um die eigene Sicherheit zu verbessern. Wir zeigen, wie das geht. --------------------------------------------- https://www.heise.de/news/Drei-Fragen-und-Antworten-Der-beste-Schutz-fuer-d… ∗∗∗ Exim-Lücke: Erste Patches laufen ein ∗∗∗ --------------------------------------------- Nach verschiedenen Kommunikationspannen hat das Exim-Team kritische Sicherheitslücken im beliebten Mailserver behoben. Debian verteilt bereits Updates. --------------------------------------------- https://www.heise.de/news/Exim-Luecke-Erste-Patches-laufen-ein-9323709.html… ∗∗∗ Angriffe auf ältere Android-Geräte: Lücke in Mali-GPU nur teilweise geschlossen ∗∗∗ --------------------------------------------- Aufgrund mehrerer Schwachstellen im Treiber der Grafikeinheit Mali sind unter anderem Smartphone-Modelle von Samsung und Xiaomi verwundbar. --------------------------------------------- https://www.heise.de/news/Angriffe-auf-aeltere-Android-Geraete-Luecke-in-Ma… ∗∗∗ Booking.com: Achtung bei „fehlgeschlagener Zahlung“ oder „Verifikation Ihrer Zahlungsinfos“ ∗∗∗ --------------------------------------------- Fälle, in denen Unterkünfte über booking.com gebucht wurden und Buchende anschließend zur Verifikation ihrer Zahlungen oder zu einer neuerlichen Zahlung aufgefordert werden, häufen sich aktuell. Vorsicht ist geboten, denn die Aufforderungen stammen von Kriminellen, die sich Zugang zu den Buchungsdaten verschaffen konnten und es nun auf das Geld der Hotelgäste abgesehen haben! --------------------------------------------- https://www.watchlist-internet.at/news/bookingcom-achtung-bei-fehlgeschlage… ∗∗∗ Fortinet Labs Uncovers Series of Malicious NPM Packages Stealing Data ∗∗∗ --------------------------------------------- FortiGuard Labs has uncovered a series of malicious packages concealed within NPM (Node Package Manager), the primary software repository for JavaScript developers. The researchers utilized a dedicated system designed to detect nefarious open-source packages across multiple ecosystems, including PyPI and NPM. --------------------------------------------- https://www.hackread.com/fortinet-labs-malicious-npm-packages-steal-data/ ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Edge, Teams get fixes for zero-days in open-source libraries ∗∗∗ --------------------------------------------- Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-teams-get-fi… ∗∗∗ Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers ∗∗∗ --------------------------------------------- Qualcomm is warning of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qualcomm-says-hackers-exploi… ∗∗∗ Jetzt patchen! Ransomware schlüpft durch kritische TeamCity-Lücke ∗∗∗ --------------------------------------------- Angreifer nutzen eine Sicherheitslücke des Software-Distributionssystems TeamCity aus, das weltweit über 30.000 Firmen wie Citibank, HP und Nike einsetzen. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Ransomware-schluepft-durch-kritisch… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4), Fedora (firecracker, rust-aes-gcm, rust-axum, rust-tokio-tungstenite, rust-tungstenite, and rust-warp), Gentoo (nvidia-drivers), Mageia (chromium-browser-stable, glibc, and libwebp), Red Hat (kernel), SUSE (ghostscript and python3), and Ubuntu (firefox, libtommath, libvpx, and thunderbird). --------------------------------------------- https://lwn.net/Articles/946313/ ∗∗∗ Mattermost security updates Desktop app v5.5.1 and Mobile app v2.8.1 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses the vulnerability CVE-2023-4863 of the third-party library libwebp which was affecting the Desktop app and the Mobile iOS app. We highly recommend that you apply the update. The security update is available for Mattermost dot releases Desktop app v5.5.1 and Mobile app v2.8.1. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-desktop-app-v5-5-1-… ∗∗∗ K000137090 : Node.js vulnerabilities CVE-2018-12121, CVE-2018-12122, and CVE-2018-12123 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137090?utm_source=f5support&utm_medi… ∗∗∗ K000137093 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137093?utm_source=f5support&utm_medi… ∗∗∗ The IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit are vulnerable to a server-side request forgery due to Apache Batik (CVE-2022-44730, CVE-2022-44729) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7043490 ∗∗∗ Vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7043727 ∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to Google Protocol Buffer protobuf-cpp (CVE-2022-1941) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7045071 ∗∗∗ Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035373 ∗∗∗ Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035370 ∗∗∗ Multiple vulnerabilities in the IBM Java Runtime affects IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035371 ∗∗∗ A vulnerability in libcURL affect IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035382 ∗∗∗ IBM Spectrum Symphony openssl 1.1.1 End of Life ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7045753 ∗∗∗ IBM\u00ae Db2\u00ae is vulnerable to information disclosure due to improper privilege management when certain federation features are used. (CVE-2023-29256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010573 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2023
by Daily end-of-shift report 02 Oct '23

02 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-09-2023 18:00 − Montag 02-10-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Meet LostTrust ransomware — A likely rebrand of the MetaEncryptor gang ∗∗∗ --------------------------------------------- The LostTrust ransomware operation is believed to be a rebrand of MetaEncryptor, utilizing almost identical data leak sites and encryptors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-losttrust-ransomware-a-… ∗∗∗ New Marvin attack revives 25-year-old decryption flaw in RSA ∗∗∗ --------------------------------------------- A flaw related to the PKCS #1 v1.5 padding in SSL servers discovered in 1998 and believed to have been resolved still impacts several widely-used projects today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-marvin-attack-revives-25… ∗∗∗ The Silent Threat of APIs: What the New Data Reveals About Unknown Risk ∗∗∗ --------------------------------------------- The rapid growth of APIs creates a widening attack surface and increasing unknown cybersecurity risks. --------------------------------------------- https://www.darkreading.com/attacks-breaches/silent-threat-of-apis-what-new… ∗∗∗ Jetzt patchen: Exploit für kritische Sharepoint-Schwachstelle aufgetaucht ∗∗∗ --------------------------------------------- Er ist Teil einer sehr effektiven Exploit-Kette zur Schadcodeausführung auf Sharepoint-Servern, die ein Forscher kürzlich offenlegte. --------------------------------------------- https://www.golem.de/news/jetzt-patchen-exploit-fuer-kritische-sharepoint-s… ∗∗∗ Cybercriminals Using New ASMCrypt Malware Loader to Fly Under the Radar ∗∗∗ --------------------------------------------- Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger. "The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week. --------------------------------------------- https://thehackernews.com/2023/09/cybercriminals-using-new-asmcrypt.html ∗∗∗ BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground ∗∗∗ --------------------------------------------- Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader thats being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," [...] --------------------------------------------- https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html ∗∗∗ Security researchers believe mass exploitation attempts against WS_FTP have begun ∗∗∗ --------------------------------------------- Early signs emerge after Progress Software said there were no active attempts last week Security researchers have spotted what they believe to be a "possible mass exploitation" of vulnerabilities in Progress Softwares WS_FTP Server. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/02/ws_ftp_updat… ∗∗∗ Temporary suspension of automatic snap registration following security incident ∗∗∗ --------------------------------------------- On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps. As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed. Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately. --------------------------------------------- https://forum.snapcraft.io/t/temporary-suspension-of-automatic-snap-registr… ∗∗∗ The Hitchhikers Guide to Malicious Third-Party Dependencies ∗∗∗ --------------------------------------------- The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., NPM, PyPI) serve as public databases that users can query to retrieve packages for various functionalities, [...] In this work, we show how attackers can [...] achieve arbitrary code execution on victim machines, thereby realizing open-source software supply chain chain attacks. --------------------------------------------- https://arxiv.org/abs/2307.09087 ∗∗∗ Fritzbox-Sicherheitsleck analysiert: Risiko sogar bei deaktiviertem Fernzugriff ∗∗∗ --------------------------------------------- AVM schließt bei vielen Fritzboxen eine Sicherheitslücke. Unserer Analyse zufolge lässt sie sich aus der Ferne ausnutzen – sogar mit abgeschaltetem Fernzugriff. --------------------------------------------- https://www.heise.de/-9323225.html ∗∗∗ BSI-Umfrage: Kritische Infrastrukturen haben Nachholbedarf bei IT-Sicherheit ∗∗∗ --------------------------------------------- Vor allem bei der Umsetzung organisatorischer Sicherheitsmaßnahmen hapert es noch bei Betreibern kritischer Infrastrukturen. Gründe: Personal- und Geldmangel. --------------------------------------------- https://www.heise.de/-9323606.html ∗∗∗ Don’t Let Zombie Zoom Links Drag You Down ∗∗∗ --------------------------------------------- Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks. --------------------------------------------- https://krebsonsecurity.com/2023/10/dont-let-zombie-zoom-links-drag-you-dow… ∗∗∗ Silverfort Open Sources Lateral Movement Detection Tool ∗∗∗ --------------------------------------------- Silverfort has released the source code for its lateral movement detection tool LATMA, to help identify and analyze intrusions. --------------------------------------------- https://www.securityweek.com/silverfort-open-sources-lateral-movement-detec… ∗∗∗ Die Österreichische Post AG verkauft keine Zufallspakete für 2 Euro! ∗∗∗ --------------------------------------------- Betrügerische Werbeschaltungen auf Facebook spielen vor, dass die Post AG nicht zustellbare Pakete für nur 2 Euro verkauft. Angeblich haben Sie so die Möglichkeit, mit tollen Gegenständen wie Tablets, Kaffeemaschinen oder Büchern überrascht zu werden. Achtung: Es handelt sich um reinen Betrug. Werbung und Profile stammen nicht von der Post und die Pakete existieren nicht. Sie landen hier in einer Abo-Falle oder geben Ihr Zahlungsmittel unbeabsichtigt für Zahlungen durch Kriminelle frei. --------------------------------------------- https://www.watchlist-internet.at/news/die-oesterreichische-post-ag-verkauf… ∗∗∗ Keine Warnung zu den aktuellen Exim Schwachstellen (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119) ∗∗∗ --------------------------------------------- Am Mittwoch 27. September wurden durch die Zero Day Initiative sechs Schwachstellen (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119) im Mail Transfer Agent (MTA) Exim veröffentlicht.[1][2][3][4][5][6] Nach interner Analyse und im Austausch mit Experten sind wir zu ähnlichen Schlüssen, wie nun auf der offiziellen Mailingliste des Projekts veröffentlicht[7], gekommen. --------------------------------------------- https://cert.at/de/aktuelles/2023/10/keine-warnung-zu-den-aktuellen-exim-sc… ∗∗∗ E-Mail-Angriff via Dropbox ∗∗∗ --------------------------------------------- BEC 3.0-Angriffe häufen sich und sind noch schwieriger zu erkennen, weil Hacker Links über legitime Dienste versenden. --------------------------------------------- https://www.zdnet.de/88412118/e-mail-angriff-via-dropbox/ ∗∗∗ Kritische Sicherheitsupdates: Chrome, Edge, Firefox, Thunderbird,Tor ∗∗∗ --------------------------------------------- Ende September 2023 gab es Sicherheitsupdates für diverse Software, die kritische Schwachstellen (0-Days) schließen sollen. Bei den Chromium-Browsern wurde eine Sicherheitslücke im V8 Encoder geschlossen (betrifft Google Chrome und beim Edge). Die Mozilla Entwickler haben ebenfalls Notfall-Updates für den Firefox und den Thunderbird herausgebracht. Und Tor wurde diesbezüglich ebenfalls aktualisiert. Ich fasse mal die Updates in diesem Sammelbeitrag zusammen. --------------------------------------------- https://www.borncity.com/blog/2023/10/02/kritische-sicherheitsupdates-chrom… ∗∗∗ Bitsight identifies nearly 100,000 exposed industrial control systems ∗∗∗ --------------------------------------------- Bitsight has identified nearly 100,000 exposed industrial control systems (ICS) potentially allowing an attacker to access and control physical infrastructure. --------------------------------------------- https://www.bitsight.com/blog/bitsight-identifies-nearly-100000-exposed-ind… ===================== = Vulnerabilities = ===================== ∗∗∗ JetBrains TeamCity Unauthenticated Remote Code Execution ∗∗∗ --------------------------------------------- Topic: JetBrains TeamCity Unauthenticated Remote Code Execution Risk: High Text:## # This module requires Metasploit [...] --------------------------------------------- https://cxsecurity.com/issue/WLB-2023100003 ∗∗∗ OpenRefines Zip Slip Vulnerability Could Let Attackers Execute Malicious Code ∗∗∗ --------------------------------------------- A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below. --------------------------------------------- https://thehackernews.com/2023/10/openrefines-zip-slip-vulnerability.html ∗∗∗ Security updates available in PDF-XChange Editor/Tools 10.1.1.381 ∗∗∗ --------------------------------------------- Released version 10.1.1.381, which addresses potential security and stability issues. --------------------------------------------- https://www.tracker-software.com/support/security-bulletins.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, cups, firefox-esr, firmware-nonfree, gerbv, jetty9, libvpx, mosquitto, open-vm-tools, python-git, python-reportlab, and trafficserver), Fedora (firefox, giflib, libvpx, libwebp, webkitgtk, and xen), Gentoo (Chromium, Google Chrome, Microsoft Edge, ClamAV, GNU Binutils, and wpa_supplicant, hostapd), Mageia (flac, giflib, indent, iperf, java, libvpx, libxml2, quictls, wireshark, and xrdp), Oracle (kernel), Slackware (libvpx and mozilla), and SUSE (bind, python, python-bugzilla, roundcubemail, seamonkey, and xen). --------------------------------------------- https://lwn.net/Articles/946186/ ∗∗∗ Suprema BioStar 2 ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to perform a SQL injection to execute arbitrary commands. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-01 ∗∗∗ Multiple Vulnerabilities in Electrolink FM/DAB/TV Transmitter ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ K000137058 : Linux kernel vulnerability CVE-2022-4269 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137058 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2023
by Daily end-of-shift report 29 Sep '23

29 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-09-2023 18:00 − Freitag 29-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Version 1.0: Ungepatchte Schwachstellen im Mail Transfer Agent Exim ∗∗∗ --------------------------------------------- Der Open Source Mail Transfer Agent (MTA) Exim weist mehrere schwerwiegende ungepatchte Schwachstellen auf. Besonders kritisch ist eine Buffer Overflow Schwachstelle in der SMTP-Implementierung, CVE-2023-42115, die einer entfernten, unauthorisierten angreifenden Person gegebenenfalls das Ausführen von Code mit Rechten des Service Accounts, mit dem Exim betrieben wird, ermöglicht. Sie erreicht daher eine CVSS-Bewertung von 9.8 ("kritisch"). --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-2… ∗∗∗ Betrifft unzählige Anwendungen: Zero-Day-Schwachstelle in VP8-Videokodierung ∗∗∗ --------------------------------------------- Google hat mal wieder eine Zero-Day-Schwachstelle in Chrome gepatcht. Neben gängigen Webbrowsern sind aber auch viele andere Apps betroffen. --------------------------------------------- https://www.golem.de/news/betrifft-unzaehlige-anwendungen-zero-day-schwachs… ∗∗∗ Dringend patchen: Schwachstelle mit maximalem Schweregrad in WS_FTP ∗∗∗ --------------------------------------------- Der Entwickler der Datentransfersoftware Moveit hat erneut kritische Schwachstellen behoben - dieses Mal in der Serveranwendung WS_FTP. --------------------------------------------- https://www.golem.de/news/dringend-patchen-schwachstelle-mit-maximalem-schw… ∗∗∗ Important release of LibreOffice 7.6.2 Community and LibreOffice 7.5.7 Community with key security fix ∗∗∗ --------------------------------------------- The Document Foundation is releasing LibreOffice 7.6.2 Community and LibreOffice 7.5.7 Community ahead of schedule to address a security issue known as CVE 2023-4863, which originates in a widely used code library known as libwebp, created by Google more than a decade ago to render the then-new WebP graphics format. --------------------------------------------- https://blog.documentfoundation.org/blog/2023/09/26/lo-762-and-lo-757/ ∗∗∗ Jetzt patchen! Angreifer haben Netzwerkgeräte von Cisco im Visier ∗∗∗ --------------------------------------------- Cisco hat unter anderem eine kritische Lücke in Catalyst SD-WAN geschlossen. Außerdem gibt es Sicherheitsupdates für weitere Produkte. --------------------------------------------- https://www.heise.de/-9320947.html ∗∗∗ Balkonkraftwerke: Hoymiles schließt Sicherheitslücken ∗∗∗ --------------------------------------------- Der Wechselrichterhersteller hat die Lücken in der API geschlossen – das haben wir verifiziert. Im Gespräch gelobte Hoymiles Besserung. --------------------------------------------- https://www.heise.de/-9321291.html ∗∗∗ Malicious ad served inside Bings AI chatbot ∗∗∗ --------------------------------------------- Users looking for software downloads may be tricked into visiting malicious websites via their interaction with Bing Chat. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/09/malicious-ad-… ∗∗∗ Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks ∗∗∗ --------------------------------------------- Hackers have set their sights on CVE-2023-34468, an RCE vulnerability in Apache NiFi that impacts thousands of organizations. --------------------------------------------- https://www.securityweek.com/hackers-set-sights-on-apache-nifi-flaw-that-ex… ∗∗∗ Oktober ist Cyber Security Month: Tipps und Veranstaltungen ∗∗∗ --------------------------------------------- Im Oktober dreht sich alles um Cyber-Sicherheit. Machen auch Sie mit und nutzen Sie das vielfältige Angebot. Wir zeigen Ihnen, wie Sie Ihre Kenntnisse zu Phishing, Randsomeware und Co. verbessern. --------------------------------------------- https://www.watchlist-internet.at/news/oktober-ist-cyber-security-month-tip… ∗∗∗ Betrügerisches EP-Gewinnspiel wird massenhaft per SMS verschickt ∗∗∗ --------------------------------------------- „Gratulation an die EP Electronic Gewinner”. Dieser Text steht in einer SMS, die derzeit massenhaft von Kriminellen verschickt wird. Besonders perfid: In der SMS werden auch die Namen der angeblichen Gewinner:innen genannt. Selbst wenn Ihr Name in der SMS auftaucht, sollten Sie nicht auf den mitgeschickten Link klicken! Betrüger:innen versuchen Sie in die Abo-Falle zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-ep-gewinnspiel-wird-… ∗∗∗ CL0P Seeds ^_- Gotta Catch Em All! ∗∗∗ --------------------------------------------- CL0P is distributing ransomware data via torrents. We investigate this new method, including seeds we’ve tracked — disguising victims with Pokemon. Catch them all! --------------------------------------------- https://unit42.paloaltonetworks.com/cl0p-group-distributes-ransomware-data-… ∗∗∗ Phishing via Dropbox ∗∗∗ --------------------------------------------- A burgeoning attack involving Dropbox is making the rounds. In the first two weeks of September, we saw 5,440 of these attacks. Hackers are using Dropbox to create fake login pages that eventually lead to a credential harvesting page. It’s yet another example of how hackers are utilizing legitimate services in what we call BEC 3.0 attacks. Business Email Compromise 3.0 attacks refer to the usage of legitimate sites—like Dropbox—to send and host phishing material. --------------------------------------------- https://blog.checkpoint.com/harmony-email/phishing-via-dropbox/ ∗∗∗ Analysis of Time-to-Exploit Trends: 2021-2022 ∗∗∗ --------------------------------------------- Mandiant Intelligence analyzed 246 vulnerabilities that were exploited between 2021 and 2022. Sixty-two percent (153) of the vulnerabilities were first exploited as zero-day vulnerabilities. The number of exploited vulnerabilities each year continues to increase, while the overall times-to-exploit (TTEs) we are seeing are decreasing. Exploitation of a vulnerability is most likely to occur before the end of the first month following the release of a patch. --------------------------------------------- https://www.mandiant.com/resources/blog/time-to-exploit-trends-2021-2022 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jetty9, and vim), Gentoo (Fish, GMP, libarchive, libsndfile, Pacemaker, and sudo), Oracle (nodejs:16 and nodejs:18), Red Hat (virt:av and virt-devel:av), Slackware (mozilla), SUSE (chromium, firefox, Golang Prometheus, iperf, libqb, and xen), and Ubuntu (linux-raspi). --------------------------------------------- https://lwn.net/Articles/945965/ ∗∗∗ Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, Firefox Focus for Android 118.1.0, and Thunderbird 115.3.1. ∗∗∗ --------------------------------------------- CVE-2023-5217: Heap buffer overflow in libvpx Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/ ∗∗∗ Vulnerabilities in node.js affect Cloud Pak Sytem [CVE-2023-28154, CVE-2022-46175, CVE-2022-3517] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7038776 ∗∗∗ IBM Instana Observability is vulnerable to arbitrary code execution ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7041863 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from go-toolset and amicontained ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039373 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2023-29409 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7032246 ∗∗∗ Vulnerabilities in XStream library affects IBM Engineering Test Management (ETM) (CVE-2022-40151) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042166 ∗∗∗ Vulnerabilities in xercesImpl library affects IBM Engineering Test Management (ETM) (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042167 ∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering product is affected as Java deserialization filters (JEP 290) ignored during IBM ORB deserialization (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042172 ∗∗∗ Vulnerabilities in batik-all library affects IBM Engineering Test Management (ETM) (CVE-2022-44730, CVE-2022-44729) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7042170 ∗∗∗ Multiple vulnerabilities in IBM Storage Defender \u2013 Data Protect ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040913 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2023
by Daily end-of-shift report 28 Sep '23

28 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-09-2023 18:00 − Donnerstag 28-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researchers Release Details of New RCE Exploit Chain for SharePoint ∗∗∗ --------------------------------------------- One of the already-patched flaws enables elevation of privilege, while the other enables remote code execution. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/reseachers-release-deta… ∗∗∗ Unzählige Anwendungen betroffen: Chaos bei WebP-Lücke ∗∗∗ --------------------------------------------- Anfangs ordnete Google die Lücke aber nur dem hauseigenen Webbrowser Chrome zu. Mittlerweile hat Google sich aber korrigiert und für die alte Sicherheitslücke (CVE-2023-4863 "hoch") den neuen Eintrag CVE-2023-5129 mit einer kritischen Einstufung (CVSS Score 10 von 10) eingereicht. Dieser wurde aber bereits nach sechs Stunden durch Google als ungültig erklärt. Als Grund ist angegeben, dass der neue Eintrag sich mit dem alten Eintrag doppelt. --------------------------------------------- https://www.heise.de/-9319783 ∗∗∗ SMS Security & Privacy Gaps Make It Clear Users Need a Messaging Upgrade ∗∗∗ --------------------------------------------- Like any forty-year-old technology, SMS is antiquated compared to its modern counterparts. That’s especially concerning when it comes to security. --------------------------------------------- http://security.googleblog.com/2023/09/sms-security-privacy-gaps-make-it-cl… ∗∗∗ Mit Cloudflare Cloudflare umgehen ∗∗∗ --------------------------------------------- Von Cloudflare-Kunden konfigurierte Schutzmechanismen (z. B. Firewall, DDoS-Schutz) für Webseiten können aufgrund von Lücken in den mandantenübergreifenden Schutzmaßnahmen umgangen werden, wodurch Kunden potenziell Angriffen ausgesetzt sind, welche von Cloudflare verhindert werden sollten. --------------------------------------------- https://certitude.consulting/blog/de/cloudflare-verwenden-um-cloudflare-zu-… ∗∗∗ TrendMicro veröffentlicht kritischen Patch für Apex One SP1 Build 12512 ∗∗∗ --------------------------------------------- Der kritische Patch beseitigt gleich mehrere Bugs, wovon einer verhindert, dass der Apex One-Server Virenerkennungsprotokolldaten von verwalteten Sicherheitsagenten empfangen kann. --------------------------------------------- https://www.borncity.com/blog/2023/09/28/trendmicro-verffentlicht-kritische… ∗∗∗ SSH keys stolen by stream of malicious PyPI and npm packages ∗∗∗ --------------------------------------------- A stream of malicious npm and PyPi packages have been found stealing a wide range of sensitive data from software developers on the platforms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ssh-keys-stolen-by-stream-of… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2023-09-27 ∗∗∗ --------------------------------------------- Cisco has published 15 security advisories: (1x Critical, 7x High, 6x Medium, 1x Informational) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Hoymiles: Bedrohliche Lücken in der S-Miles-Cloud ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat sich Hoymiles Cloudservice genauer angesehen und Lücken gefunden, über die Wechselrichter sogar zerstört werden können. --------------------------------------------- https://www.heise.de/-9319500 ∗∗∗ Mozilla: Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, and Firefox Focus for Android 118.1.0. ∗∗∗ --------------------------------------------- CVE-2023-5217: Heap buffer overflow in libvpx. Impact: critical --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/ ∗∗∗ Google Chrome 117.0.5938.132 ∗∗∗ --------------------------------------------- Google hat zum 27. September 2023 Updates des Google Chrome Browsers 117 im Stable Channel für Mac, Linux und Windows freigegeben. Es ist ein Sicherheitsupdate, das ausgerollt werden und mehrere Schwachstellen (Einstufung teilweise als "hoch") beseitigen sollen. --------------------------------------------- https://www.borncity.com/blog/2023/09/28/google-chrome-117-0-5938-132/ ∗∗∗ GStreamer Security Advisories 2023-09-20 ∗∗∗ --------------------------------------------- GStreamer has published 3 security advisories at 2023-09-20. --------------------------------------------- https://gstreamer.freedesktop.org/security/ ∗∗∗ Hancom Office 2020 HWord footerr use-after-free vulnerability ∗∗∗ --------------------------------------------- A use-after-free vulnerability exists in the footerr functionality of Hancom Office 2020 HWord 11.0.0.7520. A specially crafted .doc file can lead to a use-after-free. An attacker can trick a user into opening a malformed file to trigger this vulnerability. --------------------------------------------- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1759 ∗∗∗ Accusoft ImageGear dcm_pixel_data_decode out-of-bounds write vulnerability ∗∗∗ --------------------------------------------- An out-of-bounds write vulnerability exists in the dcm_pixel_data_decode functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability. --------------------------------------------- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1802 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ncurses), Fedora (emacs, firecracker, firefox, libkrun, python-oauthlib, and virtiofsd), Mageia (glibc and vim), Oracle (18), SUSE (bind, binutils, busybox, cni, cni-plugins, container-suseconnect, containerd, curl, exempi, ffmpeg, firefox, go1.19-openssl, go1.20-openssl, gpg2, grafana, gsl, gstreamer-plugins-bad, gstreamer-plugins-base, libpng15, libwebp, mutt, nghttp2, open-vm-tools, pmix, python-brotlipy, python3, python310, qemu, quagga, rubygem-actionview-5_1, salt, supportutils, xen, and xrdp), and Ubuntu (libwebp, minidlna, puma, and python2.7, python3.5). --------------------------------------------- https://lwn.net/Articles/945829/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0009 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2023-39928, CVE-2023-35074, CVE-2023-39434, CVE-2023-40451, CVE-2023-41074, CVE-2023-41993. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0009.html ∗∗∗ (0Day) Control Web Panel ∗∗∗ --------------------------------------------- ZDI-23-1476 - ZDI-23-1479 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ (0Day) Exim ∗∗∗ --------------------------------------------- ZDI-23-1468 - ZDI-23-1473 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ ZDI-23-1475: (0Day) Avast Premium Security Sandbox Protection Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1475/ ∗∗∗ ZDI-23-1474: (0Day) Avast Premium Security Sandbox Protection Incorrect Authorization Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1474/ ∗∗∗ Drupal: Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-047 ∗∗∗ Drupal: Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-046 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Rockwell Automation PanelView 800 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-271-01 ∗∗∗ DEXMA DexGate ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-271-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2023
by Daily end-of-shift report 27 Sep '23

27 Sep '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-09-2023 18:00 − Mittwoch 27-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Unzählige Anwendungen betroffen: WebP-Schwachstelle erreicht maximalen Schweregrad ∗∗∗ --------------------------------------------- Die Schwachstelle in der WebP-Bibliothek wurde zuvor fälschlicherweise als Chrome-Bug markiert. Sie betrifft aber weitaus mehr Anwendungen. --------------------------------------------- https://www.golem.de/news/unzaehlige-anwendungen-betroffen-webp-schwachstel… ∗∗∗ Apple Releases MacOS Sonoma Including Numerous Security Patches, (Tue, Sep 26th) ∗∗∗ --------------------------------------------- As expected, Apple today released macOS Sonoma (14.0). This update, in addition to new features, provides patches for about 60 different vulnerabilities. --------------------------------------------- https://isc.sans.edu/diary/rss/30252 ∗∗∗ ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families ∗∗∗ --------------------------------------------- Cybersecurity experts have shed light on a new cybercrime group known as ShadowSyndicate (formerly Infra Storm) that may have leveraged as many as seven different ransomware families over the past year. "ShadowSyndicate is a threat actor that works with various ransomware groups and affiliates of ransomware programs," Group-IB and Bridewell said in a joint technical report. --------------------------------------------- https://thehackernews.com/2023/09/shadowsyndicate-new-cybercrime-group.html ∗∗∗ Reports about Cyber Actors Hiding in Router Firmware ∗∗∗ --------------------------------------------- On September 27, 2023, a joint cybersecurity advisory (CSA) was released detailing activities of the cyber actors known as BlackTech. The CSA describes how BlackTech is able to modify router firmware without detection. [...] Cisco has reviewed the report. Cisco would like to highlight the following key facts: The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials. [...] --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Hacking htmx applications ∗∗∗ --------------------------------------------- With the normal flow of frontend frameworks moving from hipster to mainstream in the coming few months, during a test, you bump into this strange application that receives HTML with `hx-` attributes in responses. Congrats, you are testing your first htmx application, let me give you the building blocks to play with for testing this type of application. --------------------------------------------- https://medium.com/@matuzg/hacking-htmx-applications-f8d29665faf ∗∗∗ A Deep Dive into Brute Ratel C4 payloads – Part 2 ∗∗∗ --------------------------------------------- Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework. There aren’t a lot of Brute Ratel samples available in the wild. This second part of the analysis presents the remaining commands executed by the agent. --------------------------------------------- https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/ ∗∗∗ Fake Bitwarden installation packages delivered RAT to Windows users ∗∗∗ --------------------------------------------- Windows users looking to install the Bitwarden password manager may have inadvertently installed a remote access trojan (RAT). The ZenRAT malware A malicious website spoofing Bitwarden’s legitimate one (located at bitwariden[.]com) has been offering fake installation packages containing the ZenRAT malware. --------------------------------------------- https://www.helpnetsecurity.com/2023/09/27/windows-bitwarden-rat/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (libtiff), Red Hat (libtiff, nodejs:16, and nodejs:18), Slackware (mozilla), SUSE (bind, cacti, cacti-spine, ImageMagick, kernel, libwebp, netatalk, open-vm-tools, postfix, quagga, wire, and wireshark), and Ubuntu (cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-bluefield, and linux-bluefield, linux-raspi, linux-raspi-5.4). --------------------------------------------- https://lwn.net/Articles/945700/ ∗∗∗ New GPU Side-Channel Attack Allows Malicious Websites to Steal Data ∗∗∗ --------------------------------------------- GPUs from AMD, Apple, Arm, Intel, Nvidia and Qualcomm are vulnerable to a new type of side-channel attack named GPU.zip. --------------------------------------------- https://www.securityweek.com/new-gpu-side-channel-attack-allows-malicious-w… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0020 ∗∗∗ --------------------------------------------- VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2023-34043) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0020.html ∗∗∗ K000136909 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000136909 ∗∗∗ K000136907 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43124 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000136907 ∗∗∗ semver-6.3.0.tgz is vulnerable to CVE-2022-25883 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039430 ∗∗∗ Okio GzipSource is vulnerable to CVE-2023-3635 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039433 ∗∗∗ Certifi is vulnerable to CVE-2023-37920 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039436 ∗∗∗ VMware Tanzu Spring for Apache Kafka is vulnerable to CVE-2023-34040 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039438 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7039519 ∗∗∗ Vulnerability found in Eclipse Jetty may affect IBM Enterprise Records ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040603 ∗∗∗ Vulnerability of jython-standalone-2.7.0.jar have affected APM WebSphere Application Server Agent and APM Tomcat Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040614 ∗∗∗ IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040672 ∗∗∗ IBM Cognos Analytics is affected but not classified as vulnerable to vulnerabilities in IBM Websphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7040744 ∗∗∗ The Bouncy Castle Crypto Package For Java (bc-java) component is vulnerable to CVE-2023-33201 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028107 ∗∗∗ Control Access issues in PCOMM ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7031707 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily