Daily

daily@lists.cert.at

1 participants
3084 discussions

Tageszusammenfassung - 10.03.2023
by Daily end-of-shift report 10 Mar '23

10 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-03-2023 18:00 − Freitag 10-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Security: Github führt verpflichtende 2FA ein ∗∗∗ --------------------------------------------- Wer von Github ausgewählt wurde, muss die Zwei-Faktor-Authentifizierung (2FA) innerhalb von 45 Tagen einrichten. --------------------------------------------- https://www.golem.de/news/security-github-fuehrt-verpflichtende-2fa-ein-230… ∗∗∗ Schwachstellen in Bitwarden Password-Manager-Browserweiterung können Passwörter verraten ∗∗∗ --------------------------------------------- Nutzer des Passwort-Managers Bitwarden laufen in das Risiko, dass die Auto-Fill-Funktion beim Besuch von Webseiten Anmeldeinformationen leckt. Bösartige Webseiten könnten über ein in vertrauenswürdigen Seiten eingebettetes IFRAME Anmeldeinformation stehlen und an einen Angreifer senden. --------------------------------------------- https://www.borncity.com/blog/2023/03/10/schwachstellen-in-bitwarden-passwo… ∗∗∗ New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic ∗∗∗ --------------------------------------------- The infamous cryptocurrency miner group called 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. According to Fortinet FortiGuard Labs, the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt. --------------------------------------------- https://thehackernews.com/2023/03/new-scrubcrypt-crypter-used-in.html ∗∗∗ EJS - Server Side Prototype Pollution gadgets to RCE ∗∗∗ --------------------------------------------- Last month (February 2023), I took a look into NodeJS HTML templating libraries. During my research, I found an interesting Server Side Prototype Pollution (SSPP) gadget in the EJS library which can be leveraged to RCE. After finding this issue, I spent a week searching for an SSPP in express core or dependencies, but I didnt find any issue. Thats why, after reporting this issue to the repository maintainer, Im making an article to explain technical details. --------------------------------------------- https://mizu.re/post/ejs-server-side-prototype-pollution-gadgets-to-rce ∗∗∗ How to Avoid LDAP Injection Attacks ∗∗∗ --------------------------------------------- The key vulnerability that puts an application at risk of LDAP injection is improperly processed user input. Applications that don’t sanitize or validate user input are open to LDAP injection attacks because of the structure of LDAP statements and queries. --------------------------------------------- https://www.trendmicro.com/en_us/devops/23/c/avoid-ldap-injection-attacks.h… ∗∗∗ The Silent Spy Among Us: Modern Attacks Against Smart Intercoms ∗∗∗ --------------------------------------------- What started out as a journey to learn more about a new smart intercom inside the Claroty offices turned into an expansive Team82 research project that uncovered 13 vulnerabilities in the popular Akuvox E11. The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold. --------------------------------------------- https://claroty.com/team82/research/the-silent-spy-among-us-modern-attacks-… ∗∗∗ Multi-Technology Script Leading to Browser Hijacking ∗∗∗ --------------------------------------------- [..] in the real world, malware samples use multiple technologies to perform malicious actions. I spotted a VBScript file (I don’t know where it’s coming from, probably a phishing campaign). The script has been flagged by only one(!) AV product on VT --------------------------------------------- https://isc.sans.edu/diary/rss/29620 ∗∗∗ The oldest privesc: injecting careless administrators terminals using TTY pushback ∗∗∗ --------------------------------------------- This trick is possibly the oldest security bug that still exists today, it’s been traced as far back as 1985. It’s been discovered and rediscovered and re-rediscovered by sysadmins, developpers and pentesters every few years for close to 4 decades now. It’s been subject to multiple developper battles, countless posts, but still remains largely forgotten. This is just another attempt at shedding light on it, for both attackers and defenders. --------------------------------------------- https://www.errno.fr/TTYPushback.html ∗∗∗ When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About ∗∗∗ --------------------------------------------- Multi-factor Authentication (MFA) has long ago become a standard security practice. [..] While compatible with RDP connection and local desktop logins, they offer no protection to remote command line access tools like PsExec, Remote PowerShell and their likes. [..] In this article well explore this blind spot, understand its root cause and implications, and view the different options security teams can overcome it to maintain their environments protected. --------------------------------------------- https://thehackernews.com/2023/03/when-partial-protection-is-zero.html ∗∗∗ Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation) ∗∗∗ --------------------------------------------- The ssh-keygen command can be used to load a shared library with the -D flag. This can be useful for privilege escalation (described in this blog post), or to translate to arbitrary code execution from argument injection, file overwrites, etc. --------------------------------------------- https://seanpesce.blogspot.com/2023/03/leveraging-ssh-keygen-for-arbitrary.… ∗∗∗ Unauthorized access to Codespace secrets in GitHub ∗∗∗ --------------------------------------------- We identified a security issue in GitHub’s Repository Security Advisory feature (https://docs.github.com/en/code-security/security-advisories/repository-sec…) that allowed us to retrieve plaintext Codespace secrets of any organization including GitHub. --------------------------------------------- https://ophionsecurity.com/blog/access-organization-secrets-in-github ∗∗∗ Pirated copies of Final Cut Pro infect Macs with cryptojacking malware ∗∗∗ --------------------------------------------- Torrents on The Pirate Bay which claim to contain Final Cut Pro are instead being used to distribute malware, designed to infect your Mac with cryptojacking malware. --------------------------------------------- https://grahamcluley.com/pirated-copies-of-final-cut-pro-infect-macs-with-c… ∗∗∗ GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers ∗∗∗ --------------------------------------------- New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility. --------------------------------------------- https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ ∗∗∗ Netcat Attack Cases Targeting MS-SQL Servers (LOLBins) ∗∗∗ --------------------------------------------- ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol. Due to its various features and ability to be used on both Linux and Windows, it is utilized by network managers and threat actors alike. --------------------------------------------- https://asec.ahnlab.com/en/49249/ ∗∗∗ Everything You Didn’t Know About Cross-Account and Cross-Cloud Provider Attacks ∗∗∗ --------------------------------------------- Wait, did you say ‘Cross-Cloud Provider Attacks’? Yes, this is actually a growing type of attack path: As organizations increasingly adopt multiple cloud platforms, their lack of security visibility across the clouds makes them a sitting target for these types of attacks. --------------------------------------------- https://orca.security/resources/blog/cross-account-cross-provider-attack-pa… ∗∗∗ Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices ∗∗∗ --------------------------------------------- Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades. --------------------------------------------- https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and wireless-regdb), Fedora (caddy, python-cryptography, and redis), Oracle (gnutls), SUSE (hdf5, opera, python-Django, redis, tomcat, and xen), and Ubuntu (apache2 and snakeyaml). --------------------------------------------- https://lwn.net/Articles/925840/ ∗∗∗ IBM Security Bulletins 2023-03-10 ∗∗∗ --------------------------------------------- * Apache Commons Beanutils (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2019-10086, CVE-2014-0114) * Apache Commons FileUpload (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2023-24998) * Apache Commons IO (Publicly disclosed vulnerability) Affects IBM eDiscovery Manager (CVE-2021-29425) * IBM MQ is affected by a vulnerability in Apache Commons Net (CVE-2021-37533) * IBM QRadar WinCollect agent has multiple vulnerabilities * IBM QRadar Wincollect agent is vulnerable to server side request forgery (SSRF) (CVE-2022-43879) * IBM SDK, Java Technology Edition, Security Update February 2023 * multiple vulnerabilities in Java SE may affect CICS TX Advanced * multiple vulnerabilities in Java SE may affect CICS TX Standard * multiple vulnerabilities in Java SE may affect TXSeries for Multiplatforms * server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Advanced * server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Standard * server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect TXSeries for Multiplatforms * vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Advanced * vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Standard * vulnerability in Apache James MIME4J (CVE-2022-45787) may affect TXSeries for Multiplatforms * Watson CP4D Data Stores is vulnerable to jackson-databind due to FasterXML jackson-databind before 2.14.0-rc1 ( CVE-2022-42003 ) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ [R1] Nessus Agent Version 10.3.2 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-12 ∗∗∗ [R1] Nessus Agent Version 8.3.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-13 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.03.2023
by Daily end-of-shift report 09 Mar '23

09 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-03-2023 18:00 − Donnerstag 09-03-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft Word RCE-Lücke könnte auch Microsoft Outlook betreffen ∗∗∗ --------------------------------------------- Laut einem Bericht bei borncity könnte die mit dem Februar-Patchday gefixte Remote Code Execution - Lücke in Microsoft Word auch Microsoft Outlook (zumindest 2013) betreffen - auch wenn die Februar-Patches eingespielt wurden. Noch sind nicht alle Details dazu klar, wir raten Outlook-Nutzer:innen momentan aber trotzdem dringend dazu die Empfehlungen von Microsoft dazu umzusetzen, und Outlook so zu konfigurieren, dass Mails als reiner Text dargestellt werden. --------------------------------------------- https://cert.at/de/aktuelles/2023/3/microsoft-word-rce-lucke-konnte-auch-mi… ∗∗∗ IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks ∗∗∗ --------------------------------------------- A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. --------------------------------------------- https://thehackernews.com/2023/03/icefire-linux-ransomware.html ∗∗∗ Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware ∗∗∗ --------------------------------------------- Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a new analysis, said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems. --------------------------------------------- https://thehackernews.com/2023/03/hackers-exploiting-remote-desktop.html ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009 ∗∗∗ --------------------------------------------- This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it. If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.7 --------------------------------------------- https://www.drupal.org/sa-contrib-2023-009 ∗∗∗ Oracle Database Vault Protected Table With Realm Data Extraction Vulnerability ∗∗∗ --------------------------------------------- This security issue is fixed from 21c on-wards [ I think back-port patch was released in October 2022 CPU cycle]. Still Exists in 19c (so far from version 19.18 and below). DB Vault is a security feature in Oracle that attempts to restrict “SYS” account power , in addition DB Vault will ensure seperation of duties in place such as account management and authorization can’t be performed by the DBA through SYS account anymore. --------------------------------------------- https://databasesecurityninja.wordpress.com/2023/03/07/oracle-database-vaul… ∗∗∗ Ivanti Avalanche: Security Alert - CVE-2022-44574 – Authentication Bypass for Remote Control RCServlet ∗∗∗ --------------------------------------------- This vulnerability enables an attacker to overwrite credentials which gives access to a Web Panel. This vulnerability affects all Avalanche Premise versions 6.3.x and below. This vulnerability has a CVE score of 6.5. --------------------------------------------- https://forums.ivanti.com/s/article/Avalanche-ZDI-CAN-19513-Security-Adviso… ∗∗∗ Foxit PDF Editor: Lücken erlauben einschleusen von Schadcode ∗∗∗ --------------------------------------------- Sicherheitslücken in Foxit PDF Editor ermöglichen Angreifern, mit manipulierten PDF-Dateien Schadcode einzuschmuggeln und auszuführen. Ein Update steht bereit. --------------------------------------------- https://heise.de/-7540068 ∗∗∗ Home Assistant: Sicherheitslücke entdeckt und geschlossen ∗∗∗ --------------------------------------------- Wer den Home Assistant mit Supervisor benutzt, sollte sein System jetzt aktualisieren. Ansonsten könnten Eindringlinge sich daran zu schaffen machen. --------------------------------------------- https://heise.de/-7540500 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel, pesign, samba, and zlib), Oracle (kernel), Slackware (httpd), SUSE (emacs, libxslt, nodejs12, nodejs14, nodejs16, openssl, poppler, python-py, python-wheel, xen, and xorg-x11-server), and Ubuntu (linux-gcp-5.4, linux-gkeop, opusfile, and samba). --------------------------------------------- https://lwn.net/Articles/925723/ ∗∗∗ Cloud Pak for Security uses packages that are vulnerable to multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6551876 ∗∗∗ IBM Liberty for Java for IBM Cloud is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962195 ∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959969 ∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962201 ∗∗∗ A vulnerability exists in IBM Robotic Process Automation where Queue Provider credentials are not obfuscated during editing (CVE-2023-25680) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962207 ∗∗∗ IBM Robotic Process Automation for Cloud Pak may be vulnerable to a denial of service due to ISC BIND (CVE-2022-38177, CVE-2022-38178). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962223 ∗∗∗ Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6536732 ∗∗∗ Multiple Vulnerabilities in IBM HTTP Server affect WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962383 ∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962407 ∗∗∗ June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962411 ∗∗∗ z\/Transaction Processing Facility is affected by vulnerabilities in the Apache Kafka (kafka-clients) and cryptography packages ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962437 ∗∗∗ IBM Liberty for Java for IBM Cloud is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962195 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to incorrect default permissions (CVE-2022-46774) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962455 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2023
by Daily end-of-shift report 08 Mar '23

08 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-03-2023 18:00 − Mittwoch 08-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ What is a Website Defacement? ∗∗∗ --------------------------------------------- Defacement is easily one the most obvious signs of a hacked website. In these attacks, bad actors gain unauthorized access to an environment and leave their mark through digital vandalism, altering its visual appearance or content in the process. --------------------------------------------- https://blog.sucuri.net/2023/03/what-is-website-defacement.html ∗∗∗ Persistence – Event Log Online Help ∗∗∗ --------------------------------------------- Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is used mainly for troubleshooting windows errors by administrators could be also used as a form a persistence during red team operations. --------------------------------------------- https://pentestlab.blog/2023/03/07/persistence-event-log-online-help/ ∗∗∗ „Lidl Frauentagsgeschenk“: Fake-Gewinnspiel zum Frauentag ∗∗∗ --------------------------------------------- Derzeit verbreiten WhatsApp-, Messenger- oder Viber-Nutzer:innen unwissentlich einen Link mit einem betrügerischen Gewinnspiel unter ihren Kontakten. Angeblich verlost die Supermarktkette „Lidl“ anlässlich des Frauentags am 8.März „viele Geldgeschenke“, wie es in der Nachricht heißt. Klicken Sie nicht auf den Link. Kriminelle versuchen Schadsoftware auf Ihrem Gerät zu installieren! --------------------------------------------- https://www.watchlist-internet.at/news/lidl-frauentagsgeschenk-fake-gewinns… ∗∗∗ GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP ∗∗∗ --------------------------------------------- ASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the specific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP due to the various pieces of evidence gathered from the infection logs. --------------------------------------------- https://asec.ahnlab.com/en/48940/ ===================== = Vulnerabilities = ===================== ∗∗∗ Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002) ∗∗∗ --------------------------------------------- Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to login as any Site Member or System User. --------------------------------------------- https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html ∗∗∗ ABB Substation management unit COM600 IEC-104 protocol stack vulnerability ∗∗∗ --------------------------------------------- Hitachi Energy disclosed a vulnerability (CVE-2022-29492) that affects certain HE products. This vulnerability also affects the IEC 68070-5-104 (IEC-104) protocol stack of ABB Substation Management Unit COM600. Subsequently, a successful exploit could allow attackers to cause a denial-of-service attack against the COM600 product. --------------------------------------------- https://web.apsis.one/wve/68c20aba-1b85-416f-bf3f-ce8b1779c260 ∗∗∗ CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE ∗∗∗ --------------------------------------------- Aqua Nautilus researchers have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victims Jenkins server, potentially leading to a complete compromise of the Jenkins server. --------------------------------------------- https://blog.aquasec.com/jenkins-server-vulnerabilities ∗∗∗ Problematische Sicherheitslücke in Apples GarageBand ∗∗∗ --------------------------------------------- Die kostenlose Musikproduktionssoftware von Apple lässt sich offenbar angreifen. Nutzer unter macOS sollten schnell aktualisieren. --------------------------------------------- https://heise.de/-7538801 ∗∗∗ Patchday: Fortinet dichtet 15 Schwachstellen ab, davon eine kritische ∗∗∗ --------------------------------------------- Der Patchday bei Fortinet bringt IT-Verantwortlichen Updates zum Schließen von 15 Sicherheitslücken. Eine davon ist kritisch und erlaubt Einschleusen von Code. --------------------------------------------- https://heise.de/-7538910 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apr), Fedora (c-ares), Oracle (curl, kernel, pesign, samba, and zlib), Red Hat (curl, gnutls, kernel, kernel-rt, and pesign), Scientific Linux (kernel, pesign, samba, and zlib), SUSE (libX11, python-rsa, python3, python36, qemu, rubygem-rack, xorg-x11-server, and xwayland), and Ubuntu (libtpms, linux-ibm, linux-raspi, linux-raspi, python3.7, python3.8, and sofia-sip). --------------------------------------------- https://lwn.net/Articles/925606/ IBM Security Bulletins 2023-03-08 --------------------------------------------- IBM Robotic Process Automation, IBM WebSphere, IBM MQ, Financial Transaction Manager, IBM VM Recovery Manager, IBM Aspera faspio Gateway, IBM Security Verify Bridge, IBM Spectrum Scale, IBM Security Guardium. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Veeam fixt kritische Schwachstelle CVE-2023-27532 in Backup & Replication V11a/V12 ∗∗∗ --------------------------------------------- Kleiner Hinweis für Nutzer der Backup-Software des Herstellers Veeam. Dieser hat zum 7. März 2023 eine kritische Schwachstelle (CVE-2023-27532) in seinem Produkt Backup & Replication in den Versionen V11a/V12 per Update behoben. --------------------------------------------- https://www.borncity.com/blog/2023/03/08/veeam-fixt-kritische-schwachstelle… ∗∗∗ Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN82424996/ ∗∗∗ Cisco IOS XR Software for ASR 9000 Series Routers Bidirectional Forwarding Detection Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Nessus Version 10.4.3 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-11 ∗∗∗ [R1] Nessus Version 8.15.9 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-10 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2023
by Daily end-of-shift report 07 Mar '23

07 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Montag 06-03-2023 18:00 − Dienstag 07-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Proof-of-Concept released for critical Microsoft Word RCE bug ∗∗∗ --------------------------------------------- A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. --------------------------------------------- https://www.bleepingcomputer.com/news/security/proof-of-concept-released-fo… ∗∗∗ Old Windows ‘Mock Folders’ UAC bypass used to drop malware ∗∗∗ --------------------------------------------- A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac… ∗∗∗ Sheins Android App Caught Transmitting Clipboard Data to Remote Servers ∗∗∗ --------------------------------------------- An older version of Sheins Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server.The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022. --------------------------------------------- https://thehackernews.com/2023/03/sheins-android-app-caught-transmitting.ht… ∗∗∗ SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors."The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report [..] --------------------------------------------- https://thehackernews.com/2023/03/sys01stealer-new-threat-using-facebook.ht… ∗∗∗ Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing ∗∗∗ --------------------------------------------- Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V). --------------------------------------------- https://www.securityweek.com/exploitation-of-critical-vulnerability-in-end-… ∗∗∗ Werbung für neue Fake-Investment-Plattform "TradeGPT" auf Facebook, Instagram & Co. ∗∗∗ --------------------------------------------- Kriminelle bewerben auf Instagram, Facebook und Co. betrügerische Investitionsplattformen wie trade-gpt.ai oder financialpronews.com. In den Fake-Beiträgen wird eine neue Trading-Plattform, entwickelt von Elon Musk und OpenAI, vorgestellt. Die Plattform mit dem Namen "TradeGPT" erleichtert angeblich „einfachen Menschen“ den Einstieg in den Aktien- und Rohstoffhandel. Die Plattform hat nichts mit Elon Musk oder OpenAI zu tun und ist betrügerisch! --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-neue-fake-investment-pl… ∗∗∗ Betrugsmasche gegen Verrechnung ∗∗∗ --------------------------------------------- Certitude nimmt eine Häufung von Online-Betrug gegen die Verrechnungsabteilungen von österreichischen Unternehmen wahr. Angreifer erwirken die Änderungen der Kontodaten von Lieferanten bei deren Kunden durch Social Engineering per E-Mail. Häufig betragen die Schadenssummen mehrere hunderttausend Euro und führen zu Rechtsstreitigkeiten zwischen den betroffenen Unternehmen. --------------------------------------------- https://certitude.consulting/blog/de/betrugsmasche-gegen-verrechnung/ ∗∗∗ Using Memory Analysis to Detect EDR-Nullifying Malware ∗∗∗ --------------------------------------------- One tool Trend Micro described, dubbed “AVBurner”, used a technique to patch process-creation callbacks in kernel memory to nullify security software running on a victim system. [..] Volexity conducted research and testing to determine ways this technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis. --------------------------------------------- https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-ed… ===================== = Vulnerabilities = ===================== ∗∗∗ Benutzt hier jemand SHA-3? Die Referenzimplementation ... ∗∗∗ --------------------------------------------- Benutzt hier jemand SHA-3? Die Referenzimplementation hat einen Integer Overflow. --------------------------------------------- http://blog.fefe.de/?ts=9af9c7a3 ∗∗∗ Multiple vulnerabilities in PostgreSQL extension module pg_ivm ∗∗∗ --------------------------------------------- * Exposure of sensitive information to an unauthorized actor - CVE-2023-22847 * Uncontrolled search path element - CVE-2023-23554 --------------------------------------------- https://jvn.jp/en/jp/JVN19872280/ ∗∗∗ ZDI-23-212: Open Design Alliance (ODA) Drawing SDK DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open Design Alliance (ODA) Drawing SDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-212/ ∗∗∗ ZDI-23-214: NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-214/ ∗∗∗ Patchday: Kritische System-Lücken bedrohen Android 11, 12 und 13 ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für Android-Geräte veröffentlicht. Im schlimmsten Fall könnten Angreifer Schadcode ausführen. --------------------------------------------- https://heise.de/-7537197 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kopanocore), Fedora (golang-github-projectdiscovery-chaos-client, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, and usd), Oracle (libjpeg-turbo and pesign), Red Hat (kernel, kernel-rt, kpatch-patch, osp-director-downloader-container, pesign, rh-mysql80-mysql, samba, and zlib), SUSE (mariadb), and Ubuntu (fribidi, gmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-4.15, linux-kvm, linux-raspi2, linux-snapdragon, linux-raspi, nss, python3.6, rsync, systemd, and tiff). --------------------------------------------- https://lwn.net/Articles/925469/ ∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-053/ ∗∗∗ WordPress BuddyForms Plugin — Unauthenticated Insecure Deserialization (CVE-2023–26326) ∗∗∗ --------------------------------------------- https://medium.com/tenable-techblog/wordpress-buddyforms-plugin-unauthentic… ∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959969 ∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952319 ∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959369 ∗∗∗ IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960473 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Groovy ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960481 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Camel ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960485 ∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960493 ∗∗∗ IBM Observability with Instana (OnPrem) affected by OpenSSL vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960495 ∗∗∗ IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960511 ∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6828569 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2023
by Daily end-of-shift report 06 Mar '23

06 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-03-2023 18:00 − Montag 06-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fake-Shops fälschen Zahlung mit Klarna ∗∗∗ --------------------------------------------- Die Fake-Shops scheubner.net und profibikes.de wirken sehr professionell. Vor allem die Möglichkeit mit Klarna zu bezahlen, wiegt viele in Sicherheit. Die Shops fälschen aber den Klarna-Zahlungsprozess. Geben Sie Ihre Zugangsdaten auf der nachgebauten Klarna-Zahlungsseite ein, landen diese bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-faelschen-zahlung-mit-kla… ∗∗∗ DCOM-Härtung (CVE-2021-26414) zum 14. März 2023-Patchday für Windows 10/11 und Server ∗∗∗ --------------------------------------------- Kleine Erinnerung für Administratoren von Windows in Unternehmensumgebungen. In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle (Windows DCOM Server Security Feature Bypass, CVE-2021-26414), die eine Umgehung der Sicherheitsfunktionen ermöglichte. Microsoft hat das 2021 dokumentiert, und dann auch gepatcht, wobei das Schließen dieser Schwachstelle in mehreren Stufen erfolgt. Kürzlich wurde ich erinnert, dass Microsoft am 14. März 2023 einen letzten Patch freigeben wird, der die Möglichkeit zum Abschalten dieser DCOM-Härtung entfernt. --------------------------------------------- https://www.borncity.com/blog/2023/03/05/dcom-hrtung-cve-2021-26414-zum-14-… ∗∗∗ Magbo Spam Injection Encoded with hex2bin ∗∗∗ --------------------------------------------- We recently had a new client come to us with a rather peculiar issue on their WordPress website: They were receiving unwanted popup advertisements but only when the website was accessed through links posted on FaceBook. Initially we thought that this must be a rogue ad coming through an otherwise legitimate advertising network but it turned out to be a very well crafted and hidden spam injection. --------------------------------------------- https://blog.sucuri.net/2023/03/magbo-spam-injection-encoded-with-hex2bin.h… ∗∗∗ New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims ∗∗∗ --------------------------------------------- A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packet [...] --------------------------------------------- https://thehackernews.com/2023/03/new-hiatusrat-malware-targets-business.ht… ∗∗∗ How to prevent Microsoft OneNote files from infecting Windows with malware ∗∗∗ --------------------------------------------- The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the .one file extension at your secure mail gateways or mail servers. However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-one… ∗∗∗ Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears ∗∗∗ --------------------------------------------- In this blog post, we tell a tale of how we discovered a novel attack against ECDSA and how we applied it to datasets we found in the wild, including the Bitcoin and Ethereum networks. [...] We cover our journey, findings, and the rabbit holes we explored. We also provide an academic paper with the details of the attack and open-source code implementing it, so people building software and products using ECDSA can ensure they do not have this vulnerability in their systems. --------------------------------------------- https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-nove… ===================== = Vulnerabilities = ===================== ∗∗∗ strongSwan Vulnerability (CVE-2023-26463) ∗∗∗ --------------------------------------------- A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected. [...] The just released strongSwan 5.9.10 fixes this vulnerability. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets. --------------------------------------------- https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-20… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, libde265, libreswan, spip, syslog-ng, and xfig), Fedora (edk2, libtpms, python-django3, stb, sudo, vim, and xen), Red Hat (libjpeg-turbo and pesign), SUSE (kernel, python36, samba, and trivy), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-oracle, linux-aws-hwe, linux-oracle, and linux-bluefield). --------------------------------------------- https://lwn.net/Articles/925323/ ∗∗∗ Multiple Vulnerabilities in Arris DG3450 Cable Gateway ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959963 ∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959969 ∗∗∗ IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959973 ∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952319 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-26281) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960159 ∗∗∗ Vulnerability in the Golang language affects IBM Event Streams (CVE-2022-3064) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960175 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands may be vulnerable to cross-site scripting due to IBM X-Force ID 239963 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960189 ∗∗∗ Insufficient authorization check in IBM supplied MQ Advanced for Integration container image (CVE-2023-26284) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960201 ∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960211 ∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability ( CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960215 ∗∗∗ IBM Security Guardium is affected by an out-of-bounds access issue vulnerability (CVE-2022-2319, CVE-2022-2320) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960213 ∗∗∗ Vulnerabilities in OpenSSL affect Bluemix Workflow (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-204, CVE-2015-205, CVE-2015-206) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/258535 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect Bluemix Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/258547 ∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix October 2015 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/273103 ∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix April 2016 (CVE-2016-3426) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/278361 ∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix January 2016 (CVE-2015-7575, CVE-2016-0466, CVE-2016-0475) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/541019 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.03.2023
by Daily end-of-shift report 03 Mar '23

03 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-03-2023 18:00 − Freitag 03-03-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FBI and CISA warn of increasing Royal ransomware attack risks ∗∗∗ --------------------------------------------- CISA and the FBI have issued a joint advisory highlighting the increasing threat behind ongoing Royal ransomware attacks targeting many U.S. critical infrastructure sectors, including healthcare, communications, and education. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-increas… ∗∗∗ Persistence Techniques That Persist ∗∗∗ --------------------------------------------- In this blog post, we will focus on how malware can achieve persistence by abusing the Windows Registry. Specifically, we will focus on lesser-known techniques, many of which have been around since the days of Windows XP and are just as effective today on Windows 10 and 11. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/persistence-techniq… ∗∗∗ NIST Cybersecurity Framework 2.0: Aktualisierte Leitlinien gegen Cybercrime ∗∗∗ --------------------------------------------- Weil sich die IT-Angriffslandschaft stetig ändert, hat das US-amerikanische Institute of Standards and Technology sein Cybersecurity-Framework aktualisiert. --------------------------------------------- https://heise.de/-7534206 ∗∗∗ FAQ: Welche Cyberangriffe es gibt und wie sich Risiken vermeiden lassen ∗∗∗ --------------------------------------------- Cyberangriffe können jeden betreffen, doch mit ein paar einfachen Maßnahmen können Sie Ihr persönliches Risiko zumindest minimieren. --------------------------------------------- https://heise.de/-7523370 ∗∗∗ Thousands of Websites Hijacked Using Compromised FTP Credentials ∗∗∗ --------------------------------------------- Cybersecurity startup Wiz warns of a widespread redirection campaign in which thousands of websites have been compromised using legitimate FTP credentials. --------------------------------------------- https://www.securityweek.com/thousands-of-websites-hijacked-using-compromis… ∗∗∗ Of Degens and Defrauders: Using Open-Source Investigative Tools to Investigate Decentralized Finance Frauds and Money Laundering. (arXiv:2303.00810v1 [cs.CR]) ∗∗∗ --------------------------------------------- This study demonstrates how open-source investigative tools can extract transaction-based evidence that could be used in a court of law to prosecute DeFi frauds. Additionally, we investigate how these funds are subsequently laundered. --------------------------------------------- http://arxiv.org/abs/2303.00810 ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2023-03-03 ∗∗∗ --------------------------------------------- IBM Cloud Pak, IBM Financial Transaction Manager, Operations Dashboard, IBM App Connect Enterprise Certified Container, IBM Sterling Connect:Express, IBM HTTP Server, IBM Spectrum Control, IBM Aspera Faspex, IBM SAN, IBM Storwize, IBM Spectrum Virtualize, IBM FlashSystem, IBM Maximo, IBM WebSphere Remote Server, IBM Business Automation Workflow, Rational Functional Tester. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Schadcode-Attacken auf HPE Serviceguard unter Linux möglich ∗∗∗ --------------------------------------------- Die Entwickler haben in Serviceguard for Linux von HPE drei Sicherheitslücken geschlossen. Abgesicherte Version stehen zum Download bereit. --------------------------------------------- https://heise.de/-7534361 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-5.10 and node-css-what), SUSE (gnutls, google-guest-agent, google-osconfig-agent, nodejs10, nodejs14, nodejs16, opera, pkgconf, python-cryptography, python-cryptography-vectors, rubygem-activesupport-4_2, thunderbird, and tpm2-0-tss), and Ubuntu (git, kernel, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-lowlatency, linux-oracle, linux-azure-fde, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, php7.0, python-pip, ruby-rack, spip, and sudo). --------------------------------------------- https://lwn.net/Articles/925060/ ∗∗∗ Lücken in Intel-CPUs: Microsoft veröffentlicht außerplanmäßiges Sicherheitsupdate ∗∗∗ --------------------------------------------- Es soll insgesamt vier Lücken stopfen. Die Schwachstellen sind allerdings schon seit Juni 2022 bekannt. Betroffen sind Windows 10, Windows 11 und Windows Server. --------------------------------------------- https://www.zdnet.de/88407530/luecken-in-intel-cpus-microsoft-veroeffentlic… ∗∗∗ [R1] Nessus Version 10.5.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-09 ∗∗∗ BOSCH-SA-931197: Vulnerability in routers FL MGUARD and TC MGUARD ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-931197.html ∗∗∗ SonicOS SSLVPN Improper Restriction of Excessive MFA Attempts Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0005 ∗∗∗ SonicOS Unauthenticated Stack-Based Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.03.2023
by Daily end-of-shift report 02 Mar '23

02 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-03-2023 18:00 − Donnerstag 02-03-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ YARA: Detect The Unexpected ..., (Thu, Mar 2nd) ∗∗∗ --------------------------------------------- He has strings to detected any embedded file, and strings to detect embedded PNG files, JPEG files, ... So, in YARA, how can you use this to detect OneNote files that contain embedded files, but are not images? The trick is to count and compare string occurrences. --------------------------------------------- https://isc.sans.edu/diary/rss/29598 ∗∗∗ SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics ∗∗∗ --------------------------------------------- The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system. --------------------------------------------- https://thehackernews.com/2023/03/sysupdate-malware-strikes-again-with.html ∗∗∗ This Hacker Tool Can Pinpoint a DJI Drone Operators Exact Location ∗∗∗ --------------------------------------------- Every DJI quadcopter broadcasts its operators position via radio—unencrypted. Now, a group of researchers has learned to decode those coordinates. --------------------------------------------- https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/ ∗∗∗ Helping Cyber Defenders “Decide” to Use MITRE ATT&CK ∗∗∗ --------------------------------------------- Since the Cybersecurity and Infrastructure Security Agency (CISA) announced its first edition of Best Practices for MITRE ATT&CK Mapping nearly two years ago, the ATT&CK framework has evolved, expanded, and improved its ability to support more than just optimized cyber threat intelligence to the cybersecurity community. To match these advances, CISA recently published a second edition of our mapping guide and today announces a new accompaniment to the guide, CISA’s Decider tool. --------------------------------------------- https://www.cisa.gov/news-events/news/helping-cyber-defenders-decide-use-mi… ∗∗∗ Application SecurityCase StudiesCloud Native SecurityVulnerabilities Gitpod remote code execution 0-day vulnerability via WebSockets ∗∗∗ --------------------------------------------- This article walks us through a current Snyk Security Labs research project focusing on cloud based development environments (CDEs) — which resulted in a full workspace takeover on the Gitpod platform and extended to the user’s SCM account. The issues here have been responsibly disclosed to Gitpod and were resolved within a single working day --------------------------------------------- https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/ ∗∗∗ CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organizations cyber posture. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a ∗∗∗ Tainted Love: A Systematic Review of Online Romance Fraud. (arXiv:2303.00070v1 [cs.HC]) ∗∗∗ --------------------------------------------- Romance fraud involves cybercriminals engineering a romantic relationship ononline dating platforms. It is a cruel form of cybercrime whereby victims areleft heartbroken, often facing financial ruin. We characterise the literarylandscape on romance fraud, advancing the understanding of researchers andpractitioners by systematically reviewing and synthesising contemporaryqualitative and quantitative evidence. --------------------------------------------- http://arxiv.org/abs/2303.00070 ∗∗∗ Dishing Out DoS: How to Disable and Secure the Starlink User Terminal. (arXiv:2303.00582v1 [cs.CR]) ∗∗∗ --------------------------------------------- Satellite user terminals are a promising target for adversaries seeking totarget satellite communication networks. Despite this, many protectionscommonly found in terrestrial routers are not present in some user terminals.As a case study we audit the attack surface presented by the Starlinkrouters admin interface, using fuzzing to uncover a denial of service attackon the Starlink user terminal. --------------------------------------------- http://arxiv.org/abs/2303.00582 ===================== = Vulnerabilities = ===================== ∗∗∗ Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008 ∗∗∗ --------------------------------------------- Project: Group control for forums Security risk: Critical Description: This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2023-008 ∗∗∗ Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007 ∗∗∗ --------------------------------------------- Project: Thunder Security risk: Moderately critical Description: Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface.The module doesnt sufficiently check access when serving user data via graphql leading to an access bypass vulnerability --------------------------------------------- https://www.drupal.org/sa-contrib-2023-007 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (git), Debian (spip), Fedora (epiphany), Mageia (binwalk, chromium-browser-stable, crmsh, emacs, libraw, libtiff, nodejs, pkgconf, tar, and vim), Oracle (kernel and systemd), SUSE (emacs, kernel, nrpe, and rubygem-activerecord-4_2), and Ubuntu (c-ares, git, postgresql-12, postgresql-14, and sox). --------------------------------------------- https://lwn.net/Articles/924922/ ∗∗∗ Kritische Sicherheitslücken in ArubaOS - Updates teilweise verfügbar ∗∗∗ --------------------------------------------- Da Angreifende auf betroffenen Geräten beliebigen Code ausführen können, sind alle auf diesen Geräten befindlichen und darüber erreichbaren Daten gefährdet. Da es sich um Netzwerkkomponenten handelt, sind auch Szenarien denkbar wo darüber fliessende Daten gelesen, beeinträchtigt und/oder verändert werden können. --------------------------------------------- https://cert.at/de/warnungen/2023/3/kritische-sicherheitslucken-in-arubaos-… ∗∗∗ Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-006 ∗∗∗ ABB: Improper authentication vulnerability in S+ Operations (CVE ID: CVE-2023-0228) ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=7PAA0… ∗∗∗ IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6590487 ∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959353 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959355 ∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959369 ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957836 ∗∗∗ There is a vulnerability in Apache SOAP used by IBM Maximo Asset Management (CVE-2022-40705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959357 ∗∗∗ There is a security vulnerability in Apache SOAP used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-40705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959359 ∗∗∗ Persistent cross-site scripting vulnerability affect IBM Business Automation Workflow - CVE-2023-22860 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958691 ∗∗∗ Vulnerability in bind affects IBM Integrated Analytics System [CVE-2022-2795] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959567 ∗∗∗ IBM Cloud Pak for Network Automation v2.4.4 fixes multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959583 ∗∗∗ There is a vulnerability in Eclipse Jetty used by IBM Maximo Asset Management (CVE-2022-2047) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959601 ∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU and IBM Java - OpenJ9 CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959625 ∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848317 ∗∗∗ IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956299 ∗∗∗ Operations Dashboard is vulnerable to denial of service and response splitting due to vulnerabilities in Netty (CVE-2022-41881 and CVE-2022-41915) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959639 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2023
by Daily end-of-shift report 01 Mar '23

01 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-02-2023 18:00 − Mittwoch 01-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ TPM-2.0-Spezifikationen: Angreifer könnten Schadcode auf TPM schmuggeln ∗∗∗ --------------------------------------------- In die Spezifikation der TPM-2.0-Referenzbibliothek haben sich Fehler eingeschlichen. Angreifer könnten verwundbaren Implementierungen eigenen Code unterjubeln. --------------------------------------------- https://heise.de/-7531171 ∗∗∗ Finish him! Kostenloses Entschlüsselungstool besiegt MortalKombat-Ransomware ∗∗∗ --------------------------------------------- Kaum hat der Erpressungstrojaner MortalKombat das Licht der Welt erblickt, holen Sicherheitsforscher zum finalen Schlag aus. --------------------------------------------- https://heise.de/-7531337 ∗∗∗ Gefälschter PayLife-Login in Anzeigen bei Google-Suche! ∗∗∗ --------------------------------------------- PayLife-User:innen aufgepasst: Kriminelle schalten aktuell Werbung auf Google, welche auf eine gefälschte PayLife-Website führt. Ein kleiner Tippfehler reicht aus, um die betrügerische Werbung als erstes Ergebnis angezeigt zu bekommen. Wer die eigenen Login-Daten auf der Phishing-Seite eingibt, ermöglicht es den Kriminellen, Zahlungen zu tätigen. Das Geld ist verloren! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschter-paylife-login-in-anzeig… ∗∗∗ The dangers from across browser-windows ∗∗∗ --------------------------------------------- Beim Durchsuchen des Webs versucht Ihr Browser, Sie bestmöglich zu schützen, aber manchmal scheitert er daran, wenn er nicht ordnungsgemäß von der Website angewiesen wird, die Sie besuchen. Einer der wichtigsten Sicherheitsmechanismen des Browsers ist die Same-Origin Policy [1][2][3] (SOP), die einschränkt, wie Skripte und Dokumente aus einer Ursprungsquelle mit Ressourcen und Dokumenten aus einer [...] --------------------------------------------- https://certitude.consulting/blog/de/the-dangers-from-across-browser-window… ∗∗∗ BlackLotus UEFI-Bootkit überwindet Secure Boot in Windows 11 ∗∗∗ --------------------------------------------- Sicherheitsforscher von ESET haben eine BlackLotus getaufte Malware in freier Wildbahn entdeckt, die sich des UEFI bemächtigt. BlackLotus dürfte die erste UEFI-Bootkit-Malware in freier Wildbahn sein, die Secure Boot unter Windows 11 (und wohl auch Windows 10) aushebeln kann. --------------------------------------------- https://www.borncity.com/blog/2023/03/01/blacklotus-uefi-bootkit-berwindet-… ∗∗∗ CISA: ZK Java Framework RCE Flaw Under Active Exploit ∗∗∗ --------------------------------------------- The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately. --------------------------------------------- https://www.darkreading.com/risk/cisa-zk-java-framework-rce-flaw-under-acti… ∗∗∗ SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft ∗∗∗ --------------------------------------------- The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials. --------------------------------------------- https://sysdig.com/blog/cloud-breach-terraform-data-theft/ ∗∗∗ DNS abuse: Advice for incident responders ∗∗∗ --------------------------------------------- What DNS abuse techniques are employed by cyber adversaries and which organizations can help incident responders and security teams detect, mitigate and prevent them? The DNS Abuse Techniques Matrix published by FIRST provides answers. --------------------------------------------- https://www.helpnetsecurity.com/2023/03/01/dns-abuse-advice-for-incident-re… ∗∗∗ Google Cloud Platform allows data exfiltration without a (forensic) trace ∗∗∗ --------------------------------------------- Attackers can exfiltrate company data stored in Google Cloud Platform (GCP) storage buckets without leaving obvious forensic traces of the malicious activity in GCP’s storage access logs, Mitiga researchers have discovered. [...] In short, the main problem is that GCP’s basic storage logs – which are, by the way, not enabled by default – use the same description/event (objects.get) for [...] --------------------------------------------- https://www.helpnetsecurity.com/2023/03/01/gcp-data-exfiltration/ ∗∗∗ Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads ∗∗∗ --------------------------------------------- The Cisco AnyConnect client has received a fair amount of scrutiny from the security community over the years, with a particular focus on leveraging the vpnagent.exe service for privilege escalation. A while ago, we started to look at whether AnyConnect could be used to deliver payloads during red team engagements [...] --------------------------------------------- https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-… ∗∗∗ The Level of Human Engagement Behind Automated Attacks ∗∗∗ --------------------------------------------- Even automated attacks are driven by humans, but the level of engagement we observed may surprise you! When the human or an organization behind an automated attack shows higher levels of innovation and sophistication in their attack tactics, the danger increases dramatically as they are no longer simply employing an opportunistic “spray and pray” strategy, but rather more highly evolved strategies that are closer to a so-called targeted attack. --------------------------------------------- https://www.gosecure.net/blog/2023/02/28/the-level-of-human-engagement-behi… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (multipath-tools and syslog-ng), Fedora (gnutls and guile-gnutls), Oracle (git, httpd, lua, openssl, php, python-setuptools, python3.9, sudo, tar, and vim), Red Hat (kpatch-patch), Scientific Linux (git), SUSE (compat-openssl098, glibc, openssl, postgresql13, python-Django, webkit2gtk3, and xterm), and Ubuntu (awstats, expat, firefox, gnutls28, lighttpd, php7.2, php7.4, php8.1, python-pip, and tar). --------------------------------------------- https://lwn.net/Articles/924794/ ∗∗∗ Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products ∗∗∗ --------------------------------------------- Several ThingWorx and Kepware products are affected by two vulnerabilities that can be exploited for DoS attacks and unauthenticated remote code execution. The post Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-patched-in-thingworx-… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Webex App for Web Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Intelligence Center Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ TPM 2.0 Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500551-TPM-20-VULNERABILITIES ∗∗∗ Nuvoton TPM Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500550-NUVOTON-TPM-DENIAL-OF-… ∗∗∗ Malicious IKEv2 packet by authenticated peer can cause libreswan to restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 5.23.1: SC-202303.1-5 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-08 ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 6.0.0: SC-202303.1-6 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-07 ∗∗∗ IBM Planning Analytics and IBM Planning Analytics Workspace are affected by a security vulnerability in IBM WebSphere Application Server Liberty (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856457 ∗∗∗ DataPower Operator vulnerable to Denial of Service (CVE-2022-41724) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958490 ∗∗∗ Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services are impacted by multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958504 ∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-22389, CVE-2022-25313, CVE-2022-25236, CVE-2022-25314, CVE-2022-25315, CVE-2022-25235 and CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959019 ∗∗∗ Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959033 ∗∗∗ IBM Sterling Connect:Express for UNIX is affected by multiple vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958701 ∗∗∗ IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957688 ∗∗∗ IBM MQ is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages. (CVE-2022-43902) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957686 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2023
by Daily end-of-shift report 28 Feb '23

28 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 27-02-2023 18:00 − Dienstag 28-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical flaws in WordPress Houzez theme exploited to hijack websites ∗∗∗ --------------------------------------------- Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-… ∗∗∗ New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware ∗∗∗ --------------------------------------------- Threat actors are promoting a new Exfiltrator-22 post-exploitation framework designed to spread ransomware in corporate networks while evading detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-expl… ∗∗∗ Passwortmanager: Lastpass teilt weitere Details zum Dezember-Hack mit ∗∗∗ --------------------------------------------- Über einen Keylogger auf einem Privatrechner konnten Angreifer Adminzugriff auf diverse Lastpass-Kundendaten und dessen Quellcode erhalten. --------------------------------------------- https://www.golem.de/news/passwortmanager-lastpass-teilt-weitere-details-zu… ∗∗∗ Side-Channel Attack against CRYSTALS-Kyber ∗∗∗ --------------------------------------------- CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack. --------------------------------------------- https://www.schneier.com/blog/archives/2023/02/side-channel-attack-against-… ∗∗∗ CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests. --------------------------------------------- https://thehackernews.com/2023/02/cisa-issues-warning-on-active.html ∗∗∗ A Complete Kubernetes Config Review Methodology ∗∗∗ --------------------------------------------- The are many resources out there that tap into the subject of Kubernetes Pentesting or Configuration Review, however, they usually detail specific topics and misconfigurations and don’t offer a broad perspective on how to do a complete Security Review. That is why in this article I want to cover a more complete overview on all the possible aspects that should be reviewed when dealing with a Kubernetes Security Assessment. --------------------------------------------- https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-meth… ∗∗∗ Vulnerabilities Being Exploited Faster Than Ever: Analysis ∗∗∗ --------------------------------------------- The time from vulnerability disclosure to exploitation is decreasing, according to a new intelligence report from Rapid7. --------------------------------------------- https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ev… ∗∗∗ Konzertkarten auf Facebook kaufen: Vorsicht vor Betrug ∗∗∗ --------------------------------------------- Facebook ist eine beliebte Anlaufstelle, um Karten für ausverkaufte Konzerte zu ergattern. Bedenken Sie aber, dass hinter vielen Angeboten Fake-Profile stecken. Überprüfen Sie das Profil der Verkäufer:innen sehr genau und bezahlen Sie niemals mit der PayPal-Funktion „Geld an Freunde & Familie senden“. Wir zeigen Ihnen, wie Sie betrügerische Angebote auf Facebook erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/konzertkarten-auf-facebook-kaufen-vo… ∗∗∗ Gefälschtes E-Mail von FinanzOnline über Sicherheitsaktualisierung im Umlauf ∗∗∗ --------------------------------------------- Nehmen Sie E-Mails vom Finanzamt bzw. von FinanzOnline sehr genau unter die Lupe. Im Moment sind unzählige betrügerische Schreiben im Umlauf. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-e-mail-von-finanzonline… ∗∗∗ Sicherheitsanbieter Cyren geht in Liquidation – NoSpamProxy betroffen ∗∗∗ --------------------------------------------- Kurze Information für Nutzer, die Sicherheitsfunktionen des Anbieters Cyren einsetzen (z. B. NoSpamProxy). Der Anbieter Cyren steckt in wirtschaftlichen Schwierigkeiten und wird wohl liquidiert – die betreffenden Dienste werden eingestellt. --------------------------------------------- https://www.borncity.com/blog/2023/02/28/sicherheitsanbieter-cyren-geht-in-… ∗∗∗ Bitdefender Releases Free MortalKombat Ransomware Decryptor ∗∗∗ --------------------------------------------- The free Mortal Kombat ransomware decryptor is now available for victims to recover their encrypted files without having to pay the ransom. --------------------------------------------- https://www.hackread.com/bitdefender-mortalkombat-ransomware-decryptor/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0006 ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.3 CVE(s): CVE-2023-20857 Synopsis: VMware Workspace ONE Content update addresses a passcode bypass vulnerability (CVE-2023-20857) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0006.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, python-werkzeug, and spip), Fedora (curl), Mageia (apache-commons-fileupload, apr, c-ares, clamav, git, gnutls, ipython, jupyter-core, php, postgresql, python-cryptography, python-jupyterlab, python-twisted, sofia-sip, and sox), Red Hat (git, httpd, kernel, kernel-rt, kpatch-patch, lua, openssl, pcs, php, python-setuptools, python3.9, systemd, tar, vim, and zlib), SUSE (libxslt, php8, postgresql15, python3, tpm2-0-tss, and ucode-intel), and --------------------------------------------- https://lwn.net/Articles/924690/ ∗∗∗ IBM Security Bulletins 2023-02-23 ∗∗∗ --------------------------------------------- IBM VM Recovery Manager, IBM MQ Appliance, Red Hat OpenShift on IBM Cloud, IBM Business Automation Workflow, WebSphere Application Server, IBM SAN b-type switch, IBM FlashSystem, TMS RAMSAN, IBM HTTP Server, IBM CloudPak, Operations Dashboard, IBM QRadar SIEM Application Framework Base Image. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CVE-2022-38108: RCE in SolarWinds Network Performance Monitor ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hong and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the SolarWinds Network Performance Monitor. This bug was originally discovered and reported by ZDI Vulnerability Research Piotr Bazydło. The vulnerability results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. --------------------------------------------- https://www.thezdi.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-netw… ∗∗∗ ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020047 ∗∗∗ ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020046 ∗∗∗ web2py development tool vulnerable to open redirect ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78253670/ ∗∗∗ Osprey Pump Controller 1.0.1 Exploit Code released ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ OS Command Injection in Barracuda CloudGen WAN ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/os-command-injection-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2023
by Daily end-of-shift report 27 Feb '23

27 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-02-2023 18:00 − Montag 27-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ QUICforge - Client-seitige Request-Forgery-Angriffe im QUIC Protokoll ∗∗∗ --------------------------------------------- Ein Überblick warum das QUIC Protokoll ein für die Sicherheit relevantes und besonders aktuelles Forschungsgebiet ist und welche Herausforderung die Nutzung von QUIC birgt. --------------------------------------------- https://sec-consult.com/de/blog/detail/quicforge-client-seitige-request-for… ∗∗∗ Exchange Server: Microsoft empfiehlt Aktualisierung der Antivirus-Ausnahmen (Feb. 2023) ∗∗∗ --------------------------------------------- Microsofts Exchange Server-Team hat seine Empfehlungen in Bezug auf Ausnahmen für Antivirus-Scans überarbeitet und bittet Administratoren die Einstellungen der Antivirus-Software zu überprüfen und gegebenenfalls anzupassen. --------------------------------------------- https://www.borncity.com/blog/2023/02/27/exchange-server-microsoft-empfiehl… ∗∗∗ Bösartige Authenticator-Apps auch im Google-Play-Store ∗∗∗ --------------------------------------------- Vergangene Woche haben App-Entwickler bösartige Authenticator-Apps in Apples App-Store entdeckt. Jetzt wurden sie auch im Google-Play-Store fündig. --------------------------------------------- https://heise.de/-7528469 ∗∗∗ Nur mit iPhone-PIN: Diebe räumen Apple-ID und Bankkonten ab ∗∗∗ --------------------------------------------- iPhone-Diebstähle können zu einer vollständigen Apple-ID- und Bankkonten-Übernahme führen. Schuld ist Apples (zu) einfache Passwort-Recovery per PIN. --------------------------------------------- https://heise.de/-7527961 ∗∗∗ Kleinanzeigenplattformen: Betrügerische Käufer:innen täuschen Zahlung auf gefälschter PayPal-Website vor ∗∗∗ --------------------------------------------- Willhaben, Ebay, Shpock und Co.: Nehmen Sie sich vor betrügerischen Interessent:innen in Acht! Betrügerische Interessent:innen auf Kleinanzeigenplattformen behaupten, den Kaufbetrag inklusive Versandkosten an den Zahlungsdienst PayPal überwiesen zu haben. Sie schicken Ihnen einen personalisierten Link, über den Sie das Geld angeblich anfordern können. Brechen Sie den Kontakt ab, Sie werden auf eine gefälschte PayPal-Seite gelockt. Kriminelle stehlen damit Ihre Zugangsdaten und Geld von Ihrem PayPal-Konto! --------------------------------------------- https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-kleinanzeigen… ∗∗∗ PureCrypter malware hits govt orgs with ransomware, info-stealers ∗∗∗ --------------------------------------------- A threat actor has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains. --------------------------------------------- https://www.bleepingcomputer.com/news/security/purecrypter-malware-hits-gov… ∗∗∗ RIG Exploit Kit still infects enterprise users via Internet Explorer ∗∗∗ --------------------------------------------- The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the services long operational history. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rig-exploit-kit-still-infect… ∗∗∗ Is My Site Hacked? (13 Signs) ∗∗∗ --------------------------------------------- Symptoms of a hack can vary wildly. A concerning security alert from Google, a browser warning when you visit your site, or even a notice from your hosting provider that they’ve taken down your website - all of these events may indicate that your site has been hacked. Fortunately, there are a number of quick (and free) ways you can check and find out if your website has been compromised. --------------------------------------------- https://blog.sucuri.net/2023/02/is-my-website-hacked.html ∗∗∗ Open Source Security and Risk Analysis Report ∗∗∗ --------------------------------------------- In its 8 th edition this year, the 2023 “Open Source Security and Risk Analysis” (OSSRA) report delivers our annual in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software. https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-… --------------------------------------------- https://www.synopsys.com/software-integrity/resources/analyst-reports/open-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Zoho ManageEngine ServiceDesk Plus ist verwundbar ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit dem IT-Verwaltungssystem ManageEngine ServiceDesk Plus von Zoho attackieren. Eine ältere Zoho-Lücke wird derweil angegriffen. --------------------------------------------- https://heise.de/-7528332 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apr-util, freeradius, mono, nodejs, php7.3, php7.4, and python-cryptography), Fedora (epiphany, haproxy, and podman), SUSE (chromium, libraw, php7, php74, python-pip, and rubygem-activerecord-4_2), and Ubuntu (apr, clamav, curl, intel-microcode, nss, openvswitch, webkit2gtk, and zoneminder). --------------------------------------------- https://lwn.net/Articles/924546/ ∗∗∗ Windows: Microsoft liefert cURL-Bibliothek weiterhin mit Schwachstellen aus (Feb. 2023) ∗∗∗ --------------------------------------------- Es ist eine unschöne Geschichte, die ich erneut hier im Blog einstelle. Microsoft gelingt es nicht, cURL mit Windows so auszuliefern, dass die Software auf dem aktuellen Stand ist und keine bekannte Sicherheitslücken mehr aufweist. --------------------------------------------- https://www.borncity.com/blog/2023/02/25/windows-microsoft-liefert-curl-bib… ∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-060/ ∗∗∗ Advisory: Vulnerable TigerVNC Version used in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16769091… ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ IBM MQ for HPE NonStop Server is affected by channel CCDT vulnerability CVE-2022-40237 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958136 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958146 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service in Pypa Setuptools (CVE-2022-40897) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958142 ∗∗∗ IBM Security Verify Bridge (windows and docker versions) affected by a denial of service issue in Go (CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958156 ∗∗∗ Certifi package as used by IBM QRadar User Behavior Analytics is vulnerable to improper certificate validation (CVE-2022-23491) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958452 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958458 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2022-38712) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958478 ∗∗∗ A security vulnerability ( CVE-2022-3509, CVE-2022-3171 ) has been identified in IBM WebSphere Application Server Liberty shipped with IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958474 ∗∗∗ FasterXML-jackson-databinds vulnerabilities affect IBM Operations Analytics Predictive Insights (CVE-2022-42004,CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958482 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955937 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958476 ∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958484 ∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958486 ∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2177, CVE-2016-2178). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697949 ∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2180). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697951 ∗∗∗ IBM b-type SAN switches and directors affected by OpenSSL Security Advisory [22 Sep 2016] and [26 Sep 2016]. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697953 ∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650695 ∗∗∗ IBM b-type SAN Network\/Storage switches is affected by a denial of service vulnerability, caused by a CPU consumption in the IPv6 stack (CVE-2017-6227). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650699 ∗∗∗ IBM b-type SAN directors and switches is affected by privilege escalation vulnerability (CVE-2016-8202). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697803 ∗∗∗ Vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors (CVE-2016-2108) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697943 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily