Daily

daily@lists.cert.at

1 participants
3085 discussions

Tageszusammenfassung - 13.02.2023
by Daily end-of-shift report 13 Feb '23

13 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-02-2023 18:00 − Montag 13-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Erpressungstrojaner Play infiltriert Systeme von A10 Networks ∗∗∗ --------------------------------------------- Angreifer konnten auf interne Daten des Herstellers von Netzwerkgeräten A10 Networks zugreifen. Kundendaten sollen nicht betroffen sein. --------------------------------------------- https://heise.de/-7493748 ∗∗∗ Gefälschtes Therme Wien-Gewinnspiel auf Facebook ∗∗∗ --------------------------------------------- Auf Facebook kursiert momentan ein betrügerisches Gewinnspiel für einen Tagesurlaub inklusive Massage in der Therme Wien. Das Gewinnspiel, das von der Facebook-Seite „Freizeit-Helden“ beworben wird, steht aber in keinem Zusammenhang mit der Therme Wien und sammelt Daten. Nehmen Sie nicht teil und melden Sie das Posting. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-therme-wien-gewinnspiel… ∗∗∗ Details zur LocalPotato NTLM Authentication-Schwachstelle (CVE-2023-21746) ∗∗∗ --------------------------------------------- Mitte Januar 2023 Monat hatte ich im Blog-Beitrag Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) auf eine lokale NTLM-Authentifizierungsschwachstelle (CVE-2023-21746) hingewiesen. Die Entdecker bezeichnen diese als LocalPotator, hatten seinerzeit aber keine Details offen gelegt. Jetzt wurde dies nachgeholt. --------------------------------------------- https://www.borncity.com/blog/2023/02/11/details-zur-localpotato-ntlm-authe… ∗∗∗ We had a security incident. Here’s what we know. ∗∗∗ --------------------------------------------- TL:DR Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems. --------------------------------------------- https://www.reddit.com/r/netsec/comments/10y59q2/we_had_a_security_incident… ∗∗∗ Devs targeted by W4SP Stealer malware in malicious PyPi packages ∗∗∗ --------------------------------------------- Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-steale… ∗∗∗ Security baseline for Microsoft Edge version 110 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 110! We have reviewed the new settings in Microsoft Edge version 110 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 107 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. Microsoft Edge version 110 introduced 13 new computer settings and 13 new user settings. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ PCAP Data Analysis with Zeek, (Sun, Feb 12th) ∗∗∗ --------------------------------------------- Having full packet captures of a device or an entire network can be extremely useful. It is also a lot of data to go through and process manually. Zeek [1] can help to simplify network traffic analysis. It can also help save a lot of storage space. I'll be going through and processing some PCAP data collected from my honeypot. --------------------------------------------- https://isc.sans.edu/diary/rss/29530 ∗∗∗ Linux auditd for Threat Hunting [Part 2] ∗∗∗ --------------------------------------------- In this part, I will highlight only 1 technique (process/command execution) and explain the fields. In Part 3, I will show you tests I ran for several other behaviors. --------------------------------------------- https://izyknows.medium.com/linux-auditd-for-threat-hunting-part-2-c75500f5… ∗∗∗ Crypto Wallet Address Replacement Attack ∗∗∗ --------------------------------------------- At around 17:49 UTC on 9 February 2023, Phylum’s automated risk detection platform began alerting us to a long series of suspicious publications which appear to be a revived attempt to deliver the same crypto wallet clipboard replacing malware. This time, however, the attacker changed the obfuscation technique and radically increased the volume of attacks. [..] over 451 unique packages. These targeted some very popular packages, many of them in the crypto/finance and web development space --------------------------------------------- https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-repla… ∗∗∗ The Linux Kernel and the Cursed Driver (CVE-2022-4842) ∗∗∗ --------------------------------------------- TL;DR: We found a bug in the not-so-well-maintained NTFS3 driver in Linux. Abusing the vulnerability could lead to a denial-of-service (DoS) attack on machines with a mounted NTFS filesystem. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/the-linux-kernel-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Monitorr 1.7.6 Shell Upload ∗∗∗ --------------------------------------------- Topic: Monitorr 1.7.6 Shell Upload Risk: High Text:# Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution # Exploit Author: Achuth V P (retrymp3... --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020021 ∗∗∗ Cisco Email Security Appliance URL Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- On January 18, 2023, Cisco disclosed the following: A vulnerability in the URL filtering mechanism of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. [...] After additional investigation, it was determined that this vulnerability is not exploitable. For more information, see the Workarounds section of this advisory. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ABB Cyber Security Advisory: Drive Composer multiple vulnerabilities ∗∗∗ --------------------------------------------- Affected products: CVE-2018-1285, CVE-2022-35737, CVE-2021-27293, CVE-2022-37434: - Drive Composer entry 2.8 and earlier - Drive Composer pro 2.8 and earlier. CVE-2018-1002205: - Drive Composer entry 2.4 and earlier - Drive Composer pro 2.4 and earlier An attacker who successfully exploited these vulnerabilities could cause the product to stop, make the product inaccessible or insert and run arbitrary code. --------------------------------------------- https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=9AKK1… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libde265 and snort), Fedora (chromium, openssl, php-symfony4, qt5-qtbase, qt6-qtbase, tigervnc, vim, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (gnutls), SUSE (apr-util, grafana, java-1_8_0-ibm, kernel, less, libksba, opera, postgresql12, postgresql13, postgresql14, postgresql15, python-py, webkit2gtk3, wireshark, and xrdp), and Ubuntu (nova and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/923163/ ∗∗∗ Wordpress Multiple themes - Unauthenticated Arbitrary File Upload ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020022 ∗∗∗ NEC PC Settings Tool vulnerable to missing authentication for critical function ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60320736/ ∗∗∗ Multiple vulnerabilities in PLANEX COMMUNICATIONS Network Camera CS-WMV02G ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN98612206/ ∗∗∗ IBM Security Bulletins 2023-02-13 ∗∗∗ --------------------------------------------- * AIX is vulnerable to denial of service vulnerabilities * IBM Cloud Pak for Network Automation v2.4.3 addresses multiple security vulnerabilities * IBM MQ Appliance is vulnerable to an unspecified Java SE vulnerability (CVE-2022-21626) * IBM PowerVM Novalink is vulnerable because Apache Commons IO could allow a remote attacker to traverse directories on the system * IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to protobuf-java core and lite are vulnerable to a denial of service. (CVE-2022-3509) * IBM PowerVM Novalink is vulnerable because Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. (CVE-2022-21628) * IBM QRadar SIEM includes multiple components with known vulnerabilities * IBM QRadar SIEM is vulnerable to information exposure (CVE-2022-34351) * IBM Security Directory Integrator is affected by multiple security vulnerabilities * IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43579) * IBM Sterling B2B Integrator is vulnerable to denial of service due to Spring Framework (CVE-2022-22970) * IBM Sterling B2B Integrator is vulnerable to http header injection due to IBM WebSphere Application Server (CVE-2022-34165) * IBM Sterling Connect:Direct FTP+ is vulnerable to denial of service due to IBM Java (CVE-2022-21626) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js bunyan module command execution * The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231) * Vulnerabilities with ca-certificates, OpenJDK, Sudo affect IBM Cloud Object Storage Systems (Feb 2023v1) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2023
by Daily end-of-shift report 10 Feb '23

10 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-02-2023 18:00 − Freitag 10-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Obfuscated Deactivation of Script Block Logging, (Fri, Feb 10th) ∗∗∗ --------------------------------------------- PowerShell has a great built-in feature called "Script Block Logging"[1]. It helps to record all activities performed by a script and is a goldmine for incident handlers. That's the reason why attackers tend to try to disable this feature. There are many ways to achieve this, but I found an interesting one. --------------------------------------------- https://isc.sans.edu/diary/rss/29538 ∗∗∗ Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign ∗∗∗ --------------------------------------------- Late last year we reported on a malware campaign targeting thousands of WordPress websites to redirect visitors to bogus Q&A websites. The sites themselves contained very little useful information to a regular visitor, but — more importantly — also contained Google Adsense advertisements. It appeared to be an attempt to artificially pump ad views to generate revenue. Since September, our SiteCheck remote scanner has detected this campaign on 10,890 infected sites. --------------------------------------------- https://blog.sucuri.net/2023/02/bogus-url-shorteners-redirect-thousands-of-… ∗∗∗ Cracking the Odd Case of Randomness in Java ∗∗∗ --------------------------------------------- During a recent white-box assessment, we came across the use of RandomStringUtils.randomAlphanumeric being used in a security sensitive context. We knew it used Java’s weak java.util.Random class but were interested in seeing how practically exploitable it actually was, so we decided to dig into it and see how it worked under the hood. --------------------------------------------- https://www.elttam.com/blog/cracking-randomness-in-java/ ∗∗∗ What are the writable shares in this big domain? ∗∗∗ --------------------------------------------- RSMBI is a python tool that answers to the question: What are the writable shares in this big domain? RSMBI connect to each target and it mounts the available shares in the /tmp folder (but that can also be changed). Once the shares are successfully mounted the threads (or the solo one) would start (os.)walking recursively all the folders, trying get a file handle with writing rights. --------------------------------------------- https://github.com/oldboy21/RSMBI ∗∗∗ 0Day Avalanche Blockchain API DoS ∗∗∗ --------------------------------------------- This is a remote API DoS/crash that should OOM chain P and render a vulnerable node mostly or entirely useless. --------------------------------------------- https://g.livejournal.com/15852.html ∗∗∗ Fake-Spendenaufrufe: Kriminelle missbrauchen Erdbebenkatastrophe ∗∗∗ --------------------------------------------- Das Erdbeben in der Türkei und in Nordsyrien löste eine Welle der Hilfsbereitschaft aus. Es gibt zahlreiche Möglichkeiten, um Überlebende finanziell zu unterstützen. Kriminelle missbrauchen die humanitäre Krise und versuchen auf verschiedenen Wegen die Solidarität durch Fake-Spendenaufrufe auszunutzen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-spendenaufrufe-kriminelle-missb… ===================== = Vulnerabilities = ===================== ∗∗∗ CKSource CKEditor5 35.4.0 Cross Site Scripting ∗∗∗ --------------------------------------------- CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via Full Featured CKEditor5 Widget as the editor failsto sanitize user provided data. --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020019 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (postgresql-11 and sox), Fedora (opusfile), SUSE (bind, jasper, libapr-util1, pkgconf, tiff, and xrdp), and Ubuntu (cinder, imagemagick, less, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux, linux-azure, linux-azure-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-azure-4.15, linux-dell300x, linux-gke, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-snapdragon, nova, and swift). --------------------------------------------- https://lwn.net/Articles/922929/ ∗∗∗ Statement About the DoS Vulnerability in the E5573Cs-322 ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20230210-01… ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954671 ∗∗∗ Vulnerabilities in IBM Semeru Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619, CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954673 ∗∗∗ Vulnerability in IBM Java Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954675 ∗∗∗ Vulnerability in IBM Java (CVE-2022-3676) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954681 ∗∗∗ Vulnerability in IBM Java (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624 and CVE-2022-21619) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954683 ∗∗∗ Vulnerability in Firefox (CVE-2022-43926) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954679 ∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954685 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to arbitrary code execution due to [CVE-2022-45907] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954691 ∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954695 ∗∗∗ CVE-2022-3676 may affect IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954701 ∗∗∗ IBM MQ Appliance is vulnerable to identity spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6823807 ∗∗∗ IBM MQ Appliance is affected by kernel vulnerabilities (CVE-2021-45485, CVE-2021-45486 and CVE-2022-1012) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851373 ∗∗∗ IBM MQ Appliance is vulnerable to HTTP header injection (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622055 ∗∗∗ IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622053 ∗∗∗ IBM MQ Appliance is vulnerable to improper session invalidation (CVE-2022-40230) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622051 ∗∗∗ IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622041 ∗∗∗ IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622047 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of servce due to IBM Java (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954727 ∗∗∗ A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM\/GKLM) (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954723 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2023
by Daily end-of-shift report 09 Feb '23

09 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-02-2023 18:00 − Donnerstag 09-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New ESXiArgs ransomware version prevents VMware ESXi recovery ∗∗∗ --------------------------------------------- New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-vers… ∗∗∗ Solving one of NOBELIUM’s most novel attacks: Cyberattack Series ∗∗∗ --------------------------------------------- This is the first in an ongoing series exploring some of the most notable cases of the Microsoft Detection and Response Team (DART), which investigates cyberattacks on behalf of our customers. The Cyberattack Series takes you behind the scenes for an inside look at the investigation and share lessons that you can apply to better protect your own organization. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/02/08/solving-one-of-nob… ∗∗∗ [SANS ISC] A Backdoor with Smart Screenshot Capability ∗∗∗ --------------------------------------------- Today, everything is “smart” or “intelligent”. We have smartphones, smart cars, smart doorbells, etc. Being “smart” means performing actions depending on the context, the environment, or user actions. For a while, backdoors and trojans have implemented screenshot capabilities. From an attacker’s point of view, it’s interesting to “see” what’s displayed on the victim’s computer. --------------------------------------------- https://blog.rootshell.be/2023/02/09/sans-isc-a-backdoor-with-smart-screens… ∗∗∗ Exploit Vector Analysis of Emerging ESXiArgs Ransomware ∗∗∗ --------------------------------------------- In recent days CVE-2021-21974, a heap-overflow vulnerability in VMWare ESXi’s OpenSLP service has been prominently mentioned in the news in relation to a wave of ransomware effecting numerous organizations. The relationship between CVE-2021-21974 and the ransomware campaign may be blown out of proportion. We do not currently know what the initial access vector is, and it is possible it could be any of the vulnerabilities related to ESXi’s OpenSLP service. --------------------------------------------- https://www.greynoise.io/blog/exploit-vector-analysis-of-emerging-esxiargs-… ∗∗∗ Passwort-Manager: Umstrittene Sicherheitslücke in KeePass beseitigt ∗∗∗ --------------------------------------------- Eine viel diskutierte Sicherheitslücke, die Einbrechern im System den Passwort-Export erleichterte, hat der Entwickler nun mit einem Update geschlossen. --------------------------------------------- https://heise.de/-7489944 ∗∗∗ Datenleck: Deezer informiert Kunden jetzt per E-Mail ∗∗∗ --------------------------------------------- 230 Millionen Deezer-Datensätze wurden entwendet und etwa beim Have-I-been-pwned-Projekt hinzugefügt. Jetzt informiert Deezer betroffene Kunden darüber. --------------------------------------------- https://heise.de/-7490760 ∗∗∗ Teures Visum bei asia-visa.com ∗∗∗ --------------------------------------------- Sie möchten ein Visum für Thailand oder Vietnam beantragen? Bei einer Internetrecherche stoßen Sie möglicherweise auf asia-visa.com – ein Anbieter, der Ihnen den „Papierkram“ abnimmt. Wir raten Ihnen ab, das überteuerte Angebot zu nutzen und empfehlen, die Einreisegenehmigung über die offizielle Stelle zu beantragen. --------------------------------------------- https://www.watchlist-internet.at/news/teures-visum-bei-asia-visacom/ ∗∗∗ CISA and FBI Release ESXiArgs Ransomware Recovery Guidance ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as “ESXiArgs.” Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/08/cisa-and-fbi-rele… ∗∗∗ Neue PayPal-Betrugsmasche – mit echten Push-Benachrichtigungen (Feb. 2023) ∗∗∗ --------------------------------------------- Über Twitter bin ich auf eine neue Betrugsmasche hingewiesen worden, die Leute schon mal ins Boxhorn jagen kann. Denn die Masche beginnt, dass das Opfer eine Push-Benachrichtigung von PayPal über eine Zahlung (per Einzug) bekommt. Aber die Nachricht ist trotzdem Betrug und hat das Ziel, an Daten des Opfers heranzukommen. Ich habe die Hinweise auf Twitter mal in diesem Beitrag zusammen gefasst. --------------------------------------------- https://www.borncity.com/blog/2023/02/08/neue-paypal-betrugsmasche-mit-echt… ∗∗∗ Sicherheitsvorfall bei wargaming.net (Feb. 2023)? ∗∗∗ --------------------------------------------- Ein Leser hat mich auf einen Sicherheitsvorfall beim Spieleentwickler wargaming.net aufmerksam gemacht. Ich habe dann ein wenig recherchiert, ist nicht der erste Vorfall bei diesem Anbieter. Es könnte aber auch ein Phishing-Versuch sein (das versuche ich noch zu klären). Hier einige Informationen, was mir bekannt ist. --------------------------------------------- https://www.borncity.com/blog/2023/02/09/sicherheitsvorfall-bei-wargaming-n… ∗∗∗ Evasion Techniques Uncovered: An Analysis of APT Methods ∗∗∗ --------------------------------------------- DLL search order hijacking and DLL sideloading are commonly used by nation state sponsored attackers to evade detection. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/09/evasion-techniques-uncovered-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Zoho ManageEngine ServiceDesk Plus 14003 Remote Code Execution ∗∗∗ --------------------------------------------- This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status. --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020017 ∗∗∗ SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow ∗∗∗ --------------------------------------------- The application suffers from a format string memory leak and stack buffer overflow vulnerability because it fails to properly sanitize user supplied input when calling the getenv() function from MSVCR120.DLL resulting in a crash overflowing the memory stack and leaking sensitive information. The attacker can abuse the username environment variable to trigger and potentially execute code on the affected system. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php ∗∗∗ Angreifer könnten über Nvidia GeForce Experience Daten manipulieren ∗∗∗ --------------------------------------------- In der aktuellen Version das Grafikkarten-Tools GeForce Experience von Nvidia haben die Entwickler drei Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7490068 ∗∗∗ Notfallpatch für Dateiübertragungslösung GoAnywhere MFT erschienen ∗∗∗ --------------------------------------------- Admins können ihre GoAnywhere-MFT-Server (On-Premises) nun mit einem Sicherheitsupdate gegen aktuelle laufende Attacken absichern. --------------------------------------------- https://heise.de/-7490040 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libsdl2, and wireshark), Fedora (pesign, tpm2-tss, and webkitgtk), Oracle (hsqldb, krb5, libksba, tigervnc, and tigervnc and xorg-x11-server), Red Hat (openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, rh-varnish6-varnish, tigervnc, and tigervnc and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), and SUSE (apache2, apache2-mod_security2, apr-util, netatalk, podman, python-swift3, rubygem-globalid, syslog-ng, and thunderbird). --------------------------------------------- https://lwn.net/Articles/922756/ ∗∗∗ Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras ∗∗∗ --------------------------------------------- A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time. [...] Dahua device vulnerabilities may be targeted by DDoS botnets, but in the case of CVE-2022-30564, it would most likely be exploited in highly targeted attacks whose goal is to tamper with evidence, rather than cybercrime operations. The issue was reported to the vendor in the fall of 2022. Dahua has released patches for each of the impacted devices. --------------------------------------------- https://www.securityweek.com/vulnerability-allows-hackers-to-remotely-tampe… ∗∗∗ CVE-2023-0003 Cortex XSOAR: Local File Disclosure Vulnerability in the Cortex XSOAR Server (Severity: MEDIUM) ∗∗∗ --------------------------------------------- A file disclosure vulnerability in the Palo Alto Networks Cortex XSOAR server software enables an authenticated user with access to the web interface to read local files from the server. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0003 ∗∗∗ CVE-2023-0002 Cortex XDR Agent: Product Disruption by Local Windows User (Severity: MEDIUM) ∗∗∗ --------------------------------------------- A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to execute privileged cytool commands that disable or uninstall the agent. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0002 ∗∗∗ CVE-2023-0001 Cortex XDR Agent: Cleartext Exposure of Agent Admin Password (Severity: MEDIUM) ∗∗∗ --------------------------------------------- An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0001 ∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-24964) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953519 ∗∗∗ IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6891111 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Eclipse Openj9 security bypass (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953807 ∗∗∗ AIX is vulnerable to arbitrary code execution due to libxml2 (CVE-2022-40303 and CVE-2022-40304) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953825 ∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953873 ∗∗∗ Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953879 ∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953641 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953593 ∗∗∗ Vulnerability in Axios affects IBM Process Mining . IBM X-Force ID: 232247 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6611183 ∗∗∗ Vulnerability in bpmn affects IBM Process Mining . WS-2019-0208 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852405 ∗∗∗ Vulnerability in bpmn affects IBM Process Mining . WS-2019-0148 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852407 ∗∗∗ Vulnerability in d3-color affects IBM Process Mining . WS-2022-0322 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856473 ∗∗∗ IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for user privilege escalation ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6909427 ∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954391 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to HTTP header injection due WebSphere Liberty Server (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954401 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954403 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to security bypass due to Apache HttpClient (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954405 ∗∗∗ Vulnerability in Apache Commons Text affects IBM Process Mining . CVE-2022-42889 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954409 ∗∗∗ Vulnerability in IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954411 ∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954421 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2023
by Daily end-of-shift report 08 Feb '23

08 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-02-2023 18:00 − Mittwoch 08-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware-Attacke: CISA veröffentlicht Wiederherstellungsskript für VMware ESXi ∗∗∗ --------------------------------------------- Die US-amerikanische Cyber-Sicherheitsbehörde CISA hat ein Wiederherstellungsskript bereitgestellt, mit dem betroffene Server gerettet werden könnten. --------------------------------------------- https://heise.de/-7488498 ∗∗∗ Achtung: Betrügerische Rechnungen in E-Mails und PayPal-App! ∗∗∗ --------------------------------------------- PayPal-User:innen aufgepasst: Kriminelle stellen aktuell Coinbase-Rechnungen über PayPal. Diese Rechnungen landen dadurch sowohl in Ihrem Mail-Postfach, als auch Ihrer PayPal-App und können dadurch für echt gehalten werden! Ignorieren Sie die Rechnungen und setzen Sie sich bei Unklarheiten mit PayPal in Verbindung. Bezahlen Sie nichts und befolgen Sie keinesfalls die Händler-Anweisungen aus der Rechnung. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betruegerische-rechnungen-in… ∗∗∗ Sicherheitsupdate: Acht Sicherheitslücken in OpenSSL geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit der Softwarebibliothek für verschlüsselte Verbindungen OpenSSL attackieren. Der Bedrohungsgrad hält sich aber in Grenzen. --------------------------------------------- https://heise.de/-7489560 ∗∗∗ Medusa botnet returns as a Mirai-based variant with ransomware sting ∗∗∗ --------------------------------------------- A new version of the Medusa DDoS (distributed denial of service) botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-botnet-returns-as-a-m… ∗∗∗ Simple HTML Phishing via Telegram Bot, (Wed, Feb 8th) ∗∗∗ --------------------------------------------- Monday, I wrote about the use of IP lookup APIs by bots. It turns out that it is not just bots using these APIs, but phishing e-mails are also taking advantage of them. --------------------------------------------- https://isc.sans.edu/diary/rss/29528 ∗∗∗ Post-Exploitation: Abusing the KeePass Plugin Cache ∗∗∗ --------------------------------------------- This blog post presents a post-exploitation approach to inject code into KeePass without process injection. It is performed by abusing the cache resulting from the compilation of PLGX plugin. --------------------------------------------- https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cac… ∗∗∗ A Detailed Analysis of a New Stealer Called Stealerium ∗∗∗ --------------------------------------------- Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. --------------------------------------------- https://securityscorecard.com/research/a-detailed-analysis-of-a-new-stealer… ∗∗∗ Rustproofing Linux (nccgroup) ∗∗∗ --------------------------------------------- The nccgroup blog is carrying afour-part series by Domen Puncer Kugler on how vulnerabilities can maketheir way into device drivers written in Rust. In other words, the CONFIG_INIT_STACK_ALL_ZERO build option does nothing for Rust code! Developers must be cautious to avoid shooting themselves in the foot when porting a driver from C to Rust, especially if they previously relied on this config option to mitigate this class of vulnerability. It seems that kernel info leaks and KASLR bypasses might be here to stay, at least, for a little while longer. --------------------------------------------- https://lwn.net/Articles/922638/ ∗∗∗ Pwn2Owning Two Hosts at the Same Time: Abusing Inductive Automation Ignition’s Custom Deserialization ∗∗∗ --------------------------------------------- Pwn2Own Miami 2022 was a fine competition. At the contest, I successfully exploited three different targets. In this blog post, I would like to show you my personal best research of the competition: the custom deserialization issue in Inductive Automation Ignition. --------------------------------------------- https://www.thezdi.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-… ∗∗∗ CVE-2022-21587: Rapid7 Observed Exploitation of Oracle E-Business Suite Vulnerability ∗∗∗ --------------------------------------------- Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-obser… ∗∗∗ How to Use Cloud Access Security Brokers for Data Protection ∗∗∗ --------------------------------------------- A cloud access security broker is a security policy enforcement point that can be located on-premises or in the cloud. Its purpose is to aggregate and implement an enterprise’s security policies whenever cloud-based resources are accessed. --------------------------------------------- https://www.hackread.com/cloud-access-security-brokers-data-protection/ ===================== = Vulnerabilities = ===================== ∗∗∗ PMASA-2023-1 ∗∗∗ --------------------------------------------- XSS vulnerability in drag-and-drop upload Affected Versions: phpMyAdmin versions prior to 4.9.11 and 5.2.1 are affected. The vulnerability has existed since release version 4.3.0. --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2023-1/ ∗∗∗ Webbrowser: Google Chrome dichtet Sicherheitslecks ab und ändert Release-Zyklus ∗∗∗ --------------------------------------------- Der Webbrowser Google Chrome 110 schließt 15 teils hochriskante Schwachstellen. Der Hersteller stellt zudem auf ein neues Release-System um. --------------------------------------------- https://heise.de/-7488524 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (heimdal, openssl, shim, and xorg-server), Oracle (kernel and thunderbird), Red Hat (git, libksba, samba, and tigervnc), Scientific Linux (thunderbird), Slackware (openssl and xorg), SUSE (EternalTerminal, openssl-1_0_0, openssl-1_1, openssl-3, openssl1, polkit, and sssd), and Ubuntu (git, grunt, heimdal, openssl, openssl1.0, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/922626/ ∗∗∗ Tuesday February 14 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, 18.x and 19.x releases lines on or shortly after, Tuesday February 14 2023 in order to address: 2 low severity issues. 2 medium severity issues. 1 high severity issues. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases ∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in The Huawei Children Smart Watch (Simba-AL00) ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvithc… ∗∗∗ IBM Security Bulletins 2023-02-08 ∗∗∗ --------------------------------------------- * A Security Vulnerability has been identified in the IBM Java SDK as shipped with IBM Security Verify Access. * IBM Aspera Orchestrator affected by vulnerability (CVE-2022-28615) * IBM® Db2® Connect Server is vulnerable due to the use of Apache HttpComponents. (CVE-2014-3577) * IBM® Db2® is vulnerable to an information disclosure vulnerabilitiy due to improper privilege management when a specially crafted table access is used. (CVE-2022-43927) * IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) * IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted Load command. (CVE-2022-43929) * IBM Jazz for Service Management is vulnerable to All XStream (Publicly disclosed vulnerability) (CVE-2022-41966) * IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Express.js Express denial of service (CVE-2022-24999) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Moment denial of service (CVE-2022-31129) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js follow-redirects module information disclosure vulnerabilities (CVE-2022-0536, CVE-2022-0155) * IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache James MIME4J (CVE-2022-45787) * IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) * Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.2 * Multiple vulnerabilities in the Expat library affect IBM® Db2® Net Search Extender may lead to denial of service or arbitrary code execution. * Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. * Unspecified vulnerability in Java Affects IBM Infosphere Global Name Management (CVE-2022-21496) * Vulnerabilities in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-22475, CVE-2022-22476) * Vulnerability in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-34165) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2023
by Daily end-of-shift report 07 Feb '23

07 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 06-02-2023 18:00 − Dienstag 07-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researcher breaches Toyota supplier portal with info on 14,000 partners ∗∗∗ --------------------------------------------- The issues were responsibly disclosed to Toyota on November 3, 2022, and the Japanese car maker confirmed they had been fixed by November 23, 2022. EatonWorks published a detailed writeup about the discoveries today after 90 days disclosure process had passed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-breaches-toyota-s… ∗∗∗ APIs Used by Bots to Detect Public IP address, (Mon, Feb 6th) ∗∗∗ --------------------------------------------- Many of the bots I am observing attempt to detect the infected system&#;x26;#;39;s public ("WAN") IP address. Most of these systems are assumed to be behind NAT. To detect the external IP address, these bots use various public APIs. It may be helpful to detect these requests. Many use unique host names. This will make detecting the request in DNS logs easy even if TLS is not intercepted. --------------------------------------------- https://isc.sans.edu/diary/rss/29516 ∗∗∗ Android Security Bulletin—February 2023 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. [..] The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. --------------------------------------------- https://source.android.com/docs/security/bulletin/2023-02-01 ∗∗∗ Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console ∗∗∗ --------------------------------------------- AWS applies a rate limit to authentication requests made to the AWS Console, in an effort to prevent brute-force and credential stuffing attacks. In this post, we discuss a weakness we discovered in the AWS Console authentication flow that allowed us to partially bypass this rate limit and continuously attempt more than 280 passwords per minute (4.6 per second). The weakness was since mitigated by AWS. --------------------------------------------- https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass/ ∗∗∗ Smishing: Vorsicht vor Fake Magenta-SMS ∗∗∗ --------------------------------------------- Momentan sind vermehrt gefälschte Magenta-SMS im Umlauf. In der Nachricht wird behauptet, dass Ihre Rechnung nicht beglichen werden konnte. Klicken Sie nicht auf den Link – dieser führt zu einer gefälschten Magenta-Seite, wo Kriminelle Ihre Daten und Ihr Geld stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/smishing-vorsicht-vor-diesem-fake-ma… ∗∗∗ Saferinternet.at-Studie: Jugendliche und Falschinformationen im Internet ∗∗∗ --------------------------------------------- Anlässlich des heutigen Safer Internet Day führte Saferinternet.at eine Studie zum Thema „Jugendliche und Falschinformationen im Internet“ durch. Die Studienergebnisse zeigen, dass Österreichs Jugendliche beim Umgang mit Informationen im Internet in einem Dilemma stecken: Die Jugendlichen informieren sich zu Alltagsthemen vor allem über soziale Medien, vertrauen den dort bezogenen Informationen jedoch kaum. --------------------------------------------- https://www.watchlist-internet.at/news/studie-jugendliche-und-falschinforma… ∗∗∗ Safer Internet Day: FAQ Internetsicherheit für Kinder und Jugendliche ∗∗∗ --------------------------------------------- Im Internet lauern für Heranwachsende viele Gefahren, die sie noch nicht einschätzen können. Mit Wissensvermittlung und Tools können sie geschützt werden. --------------------------------------------- https://heise.de/-7333482 ∗∗∗ This notorious ransomware has now found a new target ∗∗∗ --------------------------------------------- The authors of Clop ransomware are experimenting with a Linux variant - a warning that multiple different platforms are in the sights of cyber extortionists. --------------------------------------------- https://www.zdnet.com/article/this-notorious-ransomware-is-now-targeting-li… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-094: Netatalk dsi_writeinit Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-094/ ∗∗∗ TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering ∗∗∗ --------------------------------------------- Subcomponent: Frontend Rendering (ext:frontend, ext:core) Affected Versions: 8.7.0-8.7.50, 9.0.0-9.5.39, 10.0.0-10.4.34, 11.0.0-11.5.22, 12.0.0-12.1.3 Severity: High References: CVE-2023-24814, CWE-79 --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-001 ∗∗∗ Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419) ∗∗∗ --------------------------------------------- Through the course of routine security testing and analysis, Rapid7 has discovered several issues in on-premises installations of open source and freemium Document Management System (DMS) offerings from four vendors. ONLYOFFICE, OpenKM, LogicalDOC, Mayan [..] Unfortunately, none of these vendors were able to respond to Rapid7's disclosure outreach --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412… ∗∗∗ OpenSSL Security Advisory [7th February 2023] ∗∗∗ --------------------------------------------- * Severity: High - X.400 address type confusion in X.509 GeneralName (CVE-2023-0286): [...] this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. * Severity: Moderate - CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401 --------------------------------------------- https://www.openssl.org/news/secadv/20230207.txt ∗∗∗ Dateiübertragungslösung: Zero-Day-Lücke in GoAnywhere-MFT-Servern ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf Server mit GoAnywhere MFT abgesehen. Bislang gibt es kein Sicherheitsupdate. Eine temporäre Übergangslösung sichert Systeme ab. --------------------------------------------- https://heise.de/-7487393 ∗∗∗ VMSA-2023-0003 ∗∗∗ --------------------------------------------- CVSSv3 Range: 7.8 CVE(s): CVE-2023-20854 Synopsis: VMware Workstation update addresses an arbitrary file deletion vulnerability (CVE-2023-20854) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0003.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux). --------------------------------------------- https://lwn.net/Articles/922519/ ∗∗∗ Ichiran App vulnerable to improper server certificate verification ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN11257333/ ∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ EnOcean SmartServer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-037-01 ∗∗∗ IBM Security Verify Governance, Identity Manager software component is affected by a vulnerabilitiy CVE-2023-23477 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953461 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6839565 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953483 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953497 ∗∗∗ Denial of Service vulnerability affects IBM Business Automation Workflow - CVE-2022-25887 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952745 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953497 ∗∗∗ Apache POI is vulnerable to a denial of service, caused by an out of memory exception flaw in the HMEF package(CVE-2022-26336) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953525 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953557 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953559 ∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to bypassing security restrictions, denial of service attacks, and data integrity impacts due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953579 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953583 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953587 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953589 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.02.2023
by Daily end-of-shift report 06 Feb '23

06 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-02-2023 18:00 − Montag 06-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Weltweiter Ransomware-Angriff ∗∗∗ --------------------------------------------- Bei einem weltweit breit gestreuten Ransomware-Angriff wurden laut Medienberichten tausende ESXi-Server, die u. a. zur Virtualisierung von IT-Fachverfahren genutzt werden, verschlüsselt. Der regionale Schwerpunkt der Angriffe lag dabei auf Frankreich, den USA, Deutschland und Kanada, auch weitere Länder sind betroffen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Downloads via Google Ads: "Tsunami" an Malvertising verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Immer mehr Angreifer versuchen, Geräte von Nutzern mit Malware zu infizieren. Forscher beobachten einen massiven Anstieg auf Google bei der Suche nach Software. --------------------------------------------- https://heise.de/-7485196 ∗∗∗ Tiere zu verschenken: Vorsicht vor betrügerischen Inseraten auf Facebook ∗∗∗ --------------------------------------------- In Facebook-Gruppen tauchen immer wieder betrügerische Inserate für abzugebende Hunde oder Pferde auf. Angeblich sei der Besitzer bzw. die Besitzerin plötzlich verstorben. Daher suchen die Angehörigen dringend einen guten Platz für das Tier. Sie müssen lediglich die Transportkosten bezahlen, da sich das Tier im Ausland befindet. Dahinter steckt aber Betrug, das Tier gibt es gar nicht und Sie verlieren viel Geld! --------------------------------------------- https://www.watchlist-internet.at/news/tiere-zu-verschenken-vorsicht-vor-be… ∗∗∗ Assemblyline as a Malware Analysis Sandbox, (Sat, Feb 4th) ∗∗∗ --------------------------------------------- If you are looking for a malware sandbox that is easy to install and maintain, Assenblyline (AL) [1] is likely the system you want to be part of your toolbox. "Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline's most powerful functionalities is its recursive analysis model."[2] --------------------------------------------- https://isc.sans.edu/diary/rss/29510 ∗∗∗ Royal Ransomware adds support for encrypting Linux, VMware ESXi systems ∗∗∗ --------------------------------------------- Royal Ransomware operators added support for encrypting Linux devices and target VMware ESXi virtual machines. The Royal Ransomware gang is the latest extortion group in order of time to add support for encrypting Linux devices and target VMware ESXi virtual machines. Other ransomware operators already support Linux encrypting, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, [...] --------------------------------------------- https://securityaffairs.com/141876/cyber-crime/royal-ransomware-vmware-esxi… ∗∗∗ FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection ∗∗∗ --------------------------------------------- An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said [...] --------------------------------------------- https://thehackernews.com/2023/02/formbook-malware-spreads-via.html ∗∗∗ GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry ∗∗∗ --------------------------------------------- E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, [...] --------------------------------------------- https://thehackernews.com/2023/02/guloader-malware-using-malicious-nsis.html ∗∗∗ ImageMagick: The hidden vulnerability behind your online images ∗∗∗ --------------------------------------------- In a recent APT Simulation engagement, the Ocelot team identified that ImageMagick was used to process images in a Drupal-based website, and hence, the team decided to try to find new vulnerabilities in this component, proceeding to download the latest version of ImageMagick, 7.1.0-49 at that time. As a result, two zero days were identified: [...] --------------------------------------------- https://www.metabaseq.com/imagemagick-zero-days/ ∗∗∗ The Defenders Guide to OneNote MalDocs ∗∗∗ --------------------------------------------- With the heyday of macro-enabled spreadsheets and documents behind us, threat actors have experimented with novel ways to deliver their payloads, including disk image files (.iso, .vhd files), HTML Smuggling (.hta files with embedded scripts), and now OneNote files. --------------------------------------------- https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs ∗∗∗ How the CISA catalog of vulnerabilities can help your organization ∗∗∗ --------------------------------------------- The CISA catalog of known exploited vulnerabilities is designed for the federal government and useful to everyone. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/02/how-the-cisa-catalog-can-hel… ∗∗∗ Collect, Exfiltrate, Sleep, Repeat ∗∗∗ --------------------------------------------- In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command [...] --------------------------------------------- https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/ ∗∗∗ Solving a VM-based CTF challenge without solving it properly ∗∗∗ --------------------------------------------- A pretty common reverse-engineering CTF challenge genre for the hard/very-hard bucket are virtual machines. There are several flavors to this*, but the most common one is to implement a custom VM in a compiled language and provide it together with bytecode of a flag checker. This was the case for the More Control task from Byte Bandits CTF 2023 - the task this entry is about. --------------------------------------------- https://gynvael.coldwind.pl/?id=763 ∗∗∗ Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations ∗∗∗ --------------------------------------------- Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. --------------------------------------------- https://asec.ahnlab.com/en/47088/ ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity XSS Vulnerability in Metform Elementor Contact Form Builder ∗∗∗ --------------------------------------------- On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations. The vulnerability, an unauthenticated stored cross-site scripting vulnerability, is arguably the most dangerous variant [...] --------------------------------------------- https://www.wordfence.com/blog/2023/02/high-severity-xss-vulnerability-in-m… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libhtml-stripscripts-perl), Fedora (binwalk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, kernel, sudo, and syncthing), SUSE (syslog-ng), and Ubuntu (editorconfig-core, firefox, pam, and thunderbird). --------------------------------------------- https://lwn.net/Articles/922337/ ∗∗∗ CISA adds Oracle, SugarCRM bugs to exploited vulnerabilities list ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) said two vulnerabilities from Oracle and SugarCRM are actively being exploited and ordered federal civilian agencies to patch them before February 23. --------------------------------------------- https://therecord.media/cisa-adds-oracle-sugarcrm-bugs-to-exploited-vulnera… ∗∗∗ Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6570741 ∗∗∗ Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6592963 ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953401 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953433 ∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857695 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2023
by Daily end-of-shift report 03 Feb '23

03 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-02-2023 18:00 − Freitag 03-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Hackers weaponize Microsoft Visual Studio add-ins to push malware ∗∗∗ --------------------------------------------- Security researchers warn that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as method to achieve persistence and execute code on a target machine via malicious Office add-ins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-weaponize-microsoft-… ∗∗∗ Anker: Eufy-Kameras waren nicht so sicher wie beworben ∗∗∗ --------------------------------------------- Nach anfänglichem Abstreiten gibt Anker zu, dass die Werbeversprechen zur Sicherheit der Eufy-Überwachungskameras nicht eingehalten wurden. --------------------------------------------- https://www.golem.de/news/anker-eufy-kameras-waren-nicht-so-sicher-wie-bewo… ∗∗∗ Konami Code Backdoor Concealed in Image ∗∗∗ --------------------------------------------- Attackers are always looking for new ways to conceal their malware and evade detection, whether it’s through new forms of obfuscation, concatenation, or — in this case — unorthodox use of image file extensions. One of the most common backdoors that we have observed over the last few months has been designed to evade detection by placing the payload in an image file and requiring some additional tricks to unlock it. --------------------------------------------- https://blog.sucuri.net/2023/02/konami-code-backdoor-concealed-in-image.html ∗∗∗ Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails ∗∗∗ --------------------------------------------- IBM Aspera Faspex promises security to end users by offering encryption options for the files being uploaded through its application. This security model is broken through the pre-authentication RCE vulnerability we discovered, that allowed us to execute arbitrary commands on the Aspera Faspex server. --------------------------------------------- https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/ ∗∗∗ Cisco patcht mehrere Produkte - potenzielle Backdoor-Lücke ∗∗∗ --------------------------------------------- Cisco hat Updates zum Schließen von Sicherheitslücken in mehreren Produkten veröffentlicht. Die gravierendste klafft in der IOx Application Hosting Environment. --------------------------------------------- https://heise.de/-7483079 ∗∗∗ Zwei Sicherheitsprobleme in OpenSSH 9.2 gelöst ∗∗∗ --------------------------------------------- Der OpenSSH-Client ist in einer aktualisierten Version erschienen. Informationen über die geschlossenen Sicherheitslücken sind noch rar. --------------------------------------------- https://heise.de/-7483316 ∗∗∗ Erneute Phishing-Welle mit E-Mails im Namen der WKO ∗∗∗ --------------------------------------------- „Aktualisierung Ihrer Firmendaten“: Haben Sie eine E-Mail vom „WKO Serviceteam“ mit diesem Betreff erhalten, sollten Sie genau hinsehen. Denn derzeit versenden Cyberkriminelle willkürlich solche Phishing-Mails an österreichische Unternehmer:innen und geben sich dabei als Wirtschaftskammer Österreich aus. --------------------------------------------- https://www.watchlist-internet.at/news/erneute-phishing-welle-mit-e-mails-i… ∗∗∗ OneNote Dokumente als neues Hilfsmittel für Spammer und Co. ∗∗∗ --------------------------------------------- Nachdem Microsoft im Juli letzten Jahres die Hürde für Spammer deutlich höher gelegt hat - eingebettete Makros in heruntergeladenen Office Dokumente wurden per Default disabled - musste aus Sicht der Angreifer entsprechender Ersatz gefunden werden. Neuen Erkenntnissen zufolge, wurde dieser auch erfolgreich in Form von OneNote Dokumenten gefunden. --------------------------------------------- https://cert.at/de/aktuelles/2023/2/onenote-dokumente-als-neues-hilfsmittel… ∗∗∗ What is an OSINT Tool – Best OSINT Tools 2023 ∗∗∗ --------------------------------------------- An OSINT tool is a must for every researcher - In this article, we will explore the 15 best OSINT tools that you can use for your investigations. --------------------------------------------- https://www.hackread.com/what-is-osint-tool-best-osint-tools-2023/ ===================== = Vulnerabilities = ===================== ∗∗∗ K000130496: Overview of F5 vulnerabilities (February 2023) ∗∗∗ --------------------------------------------- On February 1, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000130496 ∗∗∗ Angreifer könnten Windows-PCs mit VMware Workstation attackieren ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt eine Lücke in der Virtualisierungslösung VMware Workstation. Angreifer brauchten lokale Benutzerrechte auf dem PC des Opfers. --------------------------------------------- https://heise.de/-7483515 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff). --------------------------------------------- https://lwn.net/Articles/922112/ ∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-23-033-01 Delta Electronics DIAScreen, ICSA-23-033-02 Mitsubishi Electric GOT2000 Series and GT SoftGOT2000, ICSA-23-033-03 Baicells Nova, ICSA-23-033-04 Delta Electronics DVW-W02W2-E2, ICSA-23-033-05 Delta Electronics DX-2100-L1-CN, ICSA-22-221-01 Mitsubishi Electric Multiple Factory Automation Products (Update D). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/cisa-releases-six… ∗∗∗ B&R Advisory: Several Issues in APROL Database ∗∗∗ --------------------------------------------- Several Issues in ARPOL database, CVE ID: CVE-2022-43761, CVE-2022-43762, CVE-2022-43763, CVE-2022-43764, CVE-2022-43765 --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16748230… *** IBM Security Bulletins 2023-02-01 *** --------------------------------------------- Tivoli System Automation Application Manager, IBM MQ, IBM FlashSystem 5000, IBM FlashSystem 7200, IBM FlashSystem 7300, IBM FlashSystem 9100, IBM FlashSystem 9200, IBM FlashSystem 9500, IBM FlashSystem V9000, IBM Spectrum Virtualize as Software Only, IBM Spectrum Virtualize for Public Cloud, IBM Storwize V5000, V5000E, V7000 and V5100, Jazz for Service Management, SAN Volume Controller, IBM App Connect Enterprise, IBM Voice Gateway, IBM Aspera, IBM MQ, IBM Business Automation Workflow, IBM Control Desk, IBM Maximo, IBM Sterling Connect:Direct File Agent. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Exploitation of GoAnywhere MFT zero-day vulnerability ∗∗∗ --------------------------------------------- A warning has been issued about an actively exploited zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2023
by Daily end-of-shift report 02 Feb '23

02 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-02-2023 18:00 − Donnerstag 02-02-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New DDoS-as-a-Service platform used in recent attacks on hospitals ∗∗∗ --------------------------------------------- A new DDoS-as-a-Service (DDoSaaS) platform named Passion was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platfo… ∗∗∗ New Nevada Ransomware targets Windows and VMware ESXi systems ∗∗∗ --------------------------------------------- A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-target… ∗∗∗ LockBit ransomware goes Green, uses new Conti-based encryptor ∗∗∗ --------------------------------------------- The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-gree… ∗∗∗ Password-stealing “vulnerability” reported in KeePass – bug or feature? ∗∗∗ --------------------------------------------- Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway? --------------------------------------------- https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability… ∗∗∗ Rotating Packet Captures with pfSense, (Wed, Feb 1st) ∗∗∗ --------------------------------------------- Having a new pfSense firewall in place gives some opportunities to do a bit more with the device. Maintaining some full packet captures was an item on my "to do" list. The last 24 hours is usually sufficient for me since I'm usually looking at alerts within the same day. I decided to do rotating packet captures based on file size. This allows me to capture packets, saving files of a specific size and keeping a specified number of files. --------------------------------------------- https://isc.sans.edu/diary/rss/29500 ∗∗∗ What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits ∗∗∗ --------------------------------------------- We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/b/what-socs-need-to-know-about… ∗∗∗ OpenSSH 9.2 released ∗∗∗ --------------------------------------------- OpenSSH9.2 has been released. It includes a number of security fixes,including one for a pre-authenticationdouble-free vulnerability that the project does not believe is exploitable. --------------------------------------------- https://lwn.net/Articles/922006/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Causing Deletion of All Users in CrushFTP Admin Area ∗∗∗ --------------------------------------------- During a recent penetration test, Trustwave SpiderLabs researchers discovered a weak input validation vulnerability in the CrushFTP application which caused the deletion of all users. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabili… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django). --------------------------------------------- https://lwn.net/Articles/921957/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0001 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2023-23517, CVE-2023-23518,CVE-2022-42826. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0001.html ∗∗∗ Jira Service Management Server and Data Center Advisory (CVE-2023-22501) ∗∗∗ --------------------------------------------- This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability: 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0 --------------------------------------------- https://confluence.atlassian.com/jira/jira-service-management-server-and-da… ∗∗∗ Drupal Releases Security Update to Address a Vulnerability in Apigee Edge ∗∗∗ --------------------------------------------- Drupal released a security update to address a vulnerability affecting the Apigee Edge module for Drupal 9.x. An attacker could exploit this vulnerability to bypass access authorization or disclose sensitive information. CISA encourages users and administrators to review Drupal’s security advisory SA-CONTRIB-2023-005 and apply the necessary update. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/drupal-releases-s… ∗∗∗ Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server October 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6912697 ∗∗∗ IBM API Connect is impacted by an external service interaction vulnerability (CVE-2022-34350) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6921243 ∗∗∗ IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6921285 ∗∗∗ IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952181 ∗∗∗ IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. (CVE-2022-42436) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6909467 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2023
by Daily end-of-shift report 01 Feb '23

01 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-01-2023 18:00 − Mittwoch 01-02-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Zehntausende Qnap-NAS hängen verwundbar am Internet ∗∗∗ --------------------------------------------- Angreifer könnten direkt über das Internet an einer kritischen Sicherheitslücke in Netzwerkspeichern von Qnap ansetzen. --------------------------------------------- https://heise.de/-7477826 ∗∗∗ Microsoft Defender for Endpoint schickt nun auch Linux-Rechner in die Isolation ∗∗∗ --------------------------------------------- Weil auch Linux-Geräte als Einfallstor für Cyber-Angreifer dienen können, isoliert Microsofts Security-Software künftig bei Bedarf auch sie aus dem Firmennetz. --------------------------------------------- https://heise.de/-7477878 ∗∗∗ Diskussion um Schwachstelle in KeePass ∗∗∗ --------------------------------------------- Eine Schwachstelle erlaubt das Ändern der KeePass-Konfiguration, wenn Nutzer bestimmte Rechte haben. Mit denen können sie jedoch viel mehr anstellen. --------------------------------------------- https://heise.de/-7478396 ∗∗∗ Neue Vinted-Verkäufer:innen aufgepasst: Keine Zahlungen freigeben! ∗∗∗ --------------------------------------------- Auf der Second-Hand-Plattform vinted.at kommt es aktuell vermehrt zu einer Betrugsmasche, die sich an neue Verkäufer:innen richtet. Die ersten Interessent:innen melden sich schnell und verlangen eine Telefonnummer. Anschließend folgen SMS im Namen von Vinted, die eine Bestätigung der Kreditkartendaten zum Erhalt der Zahlung fordern. Achtung: Die SMS stammen nicht von vinted.at, sondern von Kriminellen und die vermeintlichen Bestätigungen führen zu Abbuchungen [...] --------------------------------------------- https://www.watchlist-internet.at/news/neue-vinted-verkaeuferinnen-aufgepas… ∗∗∗ Hackers use new IceBreaker malware to breach gaming companies ∗∗∗ --------------------------------------------- Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-new-icebreaker-m… ∗∗∗ DShield Honeypot Setup with pfSense, (Tue, Jan 31st) ∗∗∗ --------------------------------------------- Setting up a DShield honeypot is well guided by the installation script [1]. After several minutes of following the instructions and adding some custom details, the honeypot is up and running. What's needed after that is to expose the honeypot to the internet. I recently decided to update my home router and thought it was a great opportunity to dig into using pfSense [2]. --------------------------------------------- https://isc.sans.edu/diary/rss/29490 ∗∗∗ Detecting (Malicious) OneNote Files, (Wed, Feb 1st) ∗∗∗ --------------------------------------------- We are starting to see malicious OneNote documents (cfr. Xavier's diary entry "A First Malicious OneNote Document"). --------------------------------------------- https://isc.sans.edu/diary/rss/29494 ∗∗∗ Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076) ∗∗∗ --------------------------------------------- Cisco has released patches for a high-severity vulnerability (CVE-2023-20076) found in some of its industrial routers, gateways and enterprise wireless access points, which may allow attackers to insert malicious code that can’t be deleted by simply rebooting the device or updating its firmware. “In this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system. --------------------------------------------- https://www.helpnetsecurity.com/2023/02/01/cve-2023-20076/ ∗∗∗ Google sponsored ads malvertising targets password manager ∗∗∗ --------------------------------------------- Our reserachers found a more direct way to go after your password by using Google sponsored ads campaigns --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/01/google-sponso… ∗∗∗ Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking ∗∗∗ --------------------------------------------- Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched. --------------------------------------------- https://www.securityweek.com/unpatched-econolite-traffic-controller-vulnera… ∗∗∗ Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware ∗∗∗ --------------------------------------------- Microsoft warns that phishing, fake software updates and unpatched vulnerabilities are being exploited for ransomware attacks. --------------------------------------------- https://www.zdnet.com/article/microsoft-we-are-tracking-these-100-active-ra… ∗∗∗ Password Nightmare Explained ∗∗∗ --------------------------------------------- This blog post belongs to a series in which we examine various influences on password strategies. The first post in the series analyzed the macrosocial influence of a country on its citizens’ passwords. The second post was focused on the analysis of the influence of a community on password choice. In this last post, we aim to increase the strength of our readers’ passwords by influencing their password strategies using knowledge and insights from our research. --------------------------------------------- https://www.gosecure.net/blog/2023/01/31/password-nightmare-explained/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in Driver Distributor where passwords are stored in a recoverable format ∗∗∗ --------------------------------------------- Driver Distributor provided by FUJIFILM Business Innovation Corp. contains a vulnerability where passwords are stored in a recoverable format. --------------------------------------------- https://jvn.jp/en/jp/JVN22830348/ ∗∗∗ Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software ∗∗∗ --------------------------------------------- Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations. --------------------------------------------- https://thehackernews.com/2023/02/additional-supply-chain-vulnerabilities.h… ∗∗∗ Virenschutz: Datei-Upload bis Exitus durch Trend Micro Apex One-Schwachstelle ∗∗∗ --------------------------------------------- Eine hochriskante Sicherheitslücke im Trend Micro Apex One Server könnten Angreifer missbrauchen, um den Server mit Dateien zu fluten und damit lahmzulegen. --------------------------------------------- https://heise.de/-7477479 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fig2dev and libstb), Fedora (seamonkey), SUSE (ctags, python-setuptools, samba, tmux, and xterm), and Ubuntu (advancecomp, apache2, python-django, slurm-llnl, and vim). --------------------------------------------- https://lwn.net/Articles/921848/ ∗∗∗ CVE-2023-22374: F5 BIG-IP Format String Vulnerability ∗∗∗ --------------------------------------------- Rapid7 found an additional vulnerability in the appliance-mode REST interface. We reported it to F5 and are now disclosing it in accordance with our vulnerability disclosure policy. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/01/cve-2023-22374-f5-big-ip-format… ∗∗∗ IBM Security Bulletins 2023-02-01 ∗∗∗ --------------------------------------------- App Connect Professional is affected by JsonErrorReportValve in Apache Tomcat. A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-23477) A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-23477) A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-23477) A vulnerability in the IBM Java Runtime affects IBM Rational ClearQuest (CVE-2022-21626) A vulnerability may affect the IBM Elastic Storage System GUI (CVE-2022-43869) HTTP header injection vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-34165) IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to json5 (CVE-2022-46175) IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons [CVE-2022-42889 and CVE-2022-33980] IBM Cloud Pak for Multicloud Management is vulnerable to denial of service attacks due to snakeYAML IBM Cloud Pak for Multicloud Management is vulnerable to denial of service due to protobuf-java core and lite IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of FasterXML Jackson (CVE-2022-42003) IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS IBM Infosphere Information Server is vulnerable to cross-site scripting (CVE-2023-23475) IBM Spectrum Scale GUI is vulnerable to Format string attack (CVE-2022-43869) IBM Sterling B2B Integrator is vulnerable to denial of service due to Netty (CVE-2021-37136, CVE-2021-37137) IBM Sterling Connect:Direct File Agent is vulnerable to a denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) IBM Sterling Connect:Direct File Agent is vulnerable to a memory exploit due to Eclipse Openj9 (CVE-2022-3676) IBM Sterling External Authentication Server vulnerable to denial of service due to Apache Xerces2 (CVE-2022-23437) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow in GNU glibc (CVE-2021-3999) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-27664) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in protobuf (CVE-2022-1941) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary command execution in OpenSSL (CVE-2022-2068) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in GNU gzip (CVE-2022-1271) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to issues in OpenSSL (CVE-2022-1434, CVE-2022-1343, CVE-2022-1292, CVE-2022-1473 ) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to query parameter smuggling in Golang Go (CVE-2022-2880) IBM WebSphere Application Server Liberty used by IBM Cloud Pak for Watson AIOps is vulnerable to HTTP header injection (CVE-2022-34165) Multiple vulnerabilities in IBM Java SDK affects App Connect Professional. Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061) Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-2068, CVE-2022-2097) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhi… ∗∗∗ Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhi… ∗∗∗ Multiple Vulnerabilities Patched in Quick Restaurant Menu Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-… ∗∗∗ SA45653 - Cross-site Request Forgery in Login Form ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Cross-site-Re… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2023
by Daily end-of-shift report 31 Jan '23

31 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 30-01-2023 18:00 − Dienstag 31-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Exploit released for critical VMware vRealize RCE vulnerability ∗∗∗ --------------------------------------------- Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances. VMware patched four security vulnerabilities in its vRealize log analysis tool last week, two being critical and allowing remote attackers to execute code on compromised devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ Github Desktop & Atom: Signaturschlüssel von Github entwendet ∗∗∗ --------------------------------------------- Auf Github wurden Signaturschlüssel entwendet, die bald zurückgerufen werden. Betroffen sind Github Desktop und Atom für Mac, die den Dienst einstellen. (Github, Security) --------------------------------------------- https://www.golem.de/news/github-desktop-atom-signaturschluessel-von-github… ∗∗∗ Prilex modification now targeting contactless credit card transactions ∗∗∗ --------------------------------------------- Kaspersky discovers three new variants of the Prilex PoS malware capable of blocking contactless NFC transactions on an infected device. --------------------------------------------- https://securelist.com/prilex-modification-now-targeting-contactless-credit… ∗∗∗ Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process ∗∗∗ --------------------------------------------- On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). --------------------------------------------- https://msrc-blog.microsoft.com/2023/01/31/threat-actor-consent-phishing-ca… ∗∗∗ Decoding DNS over HTTP(s) Requests, (Mon, Jan 30th) ∗∗∗ --------------------------------------------- I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard. --------------------------------------------- https://isc.sans.edu/diary/rss/29488 ∗∗∗ Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years ∗∗∗ --------------------------------------------- A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years."TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically --------------------------------------------- https://thehackernews.com/2023/01/researchers-uncover-packer-that-helped.ht… ∗∗∗ Chromebook SH1MMER exploit promises admin jailbreak ∗∗∗ --------------------------------------------- Schools laptops are out if this one gets around, but beware bricking Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SHI1MMER.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/01/30/chromebook_e… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg.[..] These releases will be made available on Tuesday 7th February 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is High --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html ∗∗∗ Abstandhalten zu undurchsichtigen Multi-Level-Marketing-Angeboten wie shopwithme.biz ∗∗∗ --------------------------------------------- Wer sich aktuell auf sozialen Medien wie Facebook, YouTube oder TikTok bewegt, kommt an Werbevideos, die das große Geld versprechen, kaum vorbei. Mit minimalem Aufwand und revolutionären Methoden sollen Sie ganz einfach Unsummen an Geld verdienen können. Ähnliches verspricht man beispielsweise bei shopwithme.biz. Ein genauerer Blick lässt vermuten: Hier verdient man nicht durch den Verkauf von Produkten, sondern durch die Anwerbung neuer Kundschaft. Wir raten hier --------------------------------------------- https://www.watchlist-internet.at/news/abstandhalten-zu-undurchsichtigen-mu… ∗∗∗ A Phishing Page that Changes According to the User’s Email Address (Using Favicon) ∗∗∗ --------------------------------------------- The ASEC analysis team continuously monitors phishing emails, and we have been detecting multiple phishing emails that are distributed with a changing icon to reflect the mail account service entered by the user. --------------------------------------------- https://asec.ahnlab.com/en/46786/ ===================== = Vulnerabilities = ===================== ∗∗∗ [20230101] - Core - CSRF within post-installation messages ∗∗∗ --------------------------------------------- Severity: Low Versions: 4.0.0-4.2.6 Exploit type: CSRF Description: A missing token check causes a CSRF vulnerability in the handling of post-installation messages. Affected Installs Joomla! CMS versions 4.0.0-4.2.6 Solution: Upgrade to version 4.2.7 --------------------------------------------- https://developer.joomla.org:443/security-centre/890-20230101-core-csrf-wit… ∗∗∗ [20230102] - Core - Missing ACL checks for com_actionlogs ∗∗∗ --------------------------------------------- Severity: Low Versions: 4.0.0-4.2.6 Exploit type: Incorrect Access Control Description: A missing ACL check allows non super-admin users to access com_actionlogs. Solution: Upgrade to version 4.2.7 --------------------------------------------- https://developer.joomla.org:443/security-centre/891-20230102-core-missing-… ∗∗∗ VMSA-2023-0002 ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.5 CVE(s): CVE-2023-20856 Synopsis: VMware vRealize Operations (vROps) update addresses a CSRF bypass vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0002.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libXpm, pki-core, sssd, sudo, thunderbird, tigervnc, and xorg-x11-server), Debian (cinder, glance, libarchive, libhtml-stripscripts-perl, modsecurity-crs, node-moment, node-qs, nova, ruby-git, ruby-rack, and tiff), Fedora (java-17-openjdk, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-pore, rust-silver, rust-tokei, and seamonkey), Oracle (libksba), Red Hat (kernel, kernel-rt, kpatch-patch, libksba, and pcs), Scientific Linux (libksba), SUSE (apache2-mod_auth_openidc, ghostscript, libarchive, nginx, python, vim, and xen), and Ubuntu (cinder, glance, linux-raspi, nova, python-future, and sudo). --------------------------------------------- https://lwn.net/Articles/921765/ ∗∗∗ [R1] Tenable Plugin Feed ID #202212212055 Fixes Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally. This could allow a malicious actor with sufficient permissions to modify environment variables and abuse an impacted plugin in order to escalate privileges. We have resolved the issue and also made several defense-in-depth fixes alongside. --------------------------------------------- https://www.tenable.com/security/tns-2023-04 ∗∗∗ WordPress Vulnerability & Patch Roundup January 2023 ∗∗∗ --------------------------------------------- * SiteGround Security – SQL injection * ExactMetrics – Cross Site Scripting (XSS) * Enable Media Replace – Arbitrary File Upload * Spectra WordPress Gutenberg Blocks – Stored Cross Site Scripting * GiveWP – SQL Injection * Better Font Awesome – Cross Site Scripting (XSS) * LearnPress – SQL Injection * Royal Elementor Addons and Templates – Cross Site Scripting (XSS) * Strong Testimonials – Stored Cross Site Scripting (XSS) * HUSKY (formerly WOOF) – PHP Object Injection * WP Show Posts – Cross Site Scripting (XSS) * Widgets for Google Reviews – Cross Site Scripting (XSS) * Strong Testimonials – Cross Site Scripting (XSS) * Simple Sitemap – Cross Site Scripting (XSS) * Contextual Related Posts – Stored Cross Site Scripting (XSS) * Stream – Broken Access Control * Customer Reviews for WooCommerce – Cross Site Scripting (XSS) * Themify Portfolio Post – Stored Cross Site Scripting * Spotlight Social Media Feeds – Stored Cross Site Scripting (XSS) * RSS Aggregator by Feedzy – Stored Cross Site Scripting (XSS) --------------------------------------------- https://blog.sucuri.net/2023/01/wordpress-vulnerability-patch-roundup-janua… ∗∗∗ IBM Security Bulletins) ∗∗∗ --------------------------------------------- * IBM UrbanCode Deploy (UCD) is vulnerable to cross-site scripting ( CVE-2022-46771 ) * IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go (CVE-2022-24921, CVE-2022-28327, CVE-2022-24675) * IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * Multiple vulnerabilities affect IBM Sterling External Authentication Server * Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring. * Multiple vulnerabilities in libcURL affect IBM Rational ClearCase ( CVE-2022-42915, CVE-2022-42916, CVE-2022-32221, CVE-2022-35252, * * CVE-2022-32205, CVE-2022-32206, CVE-2022-32207 ) * IBM Sterling Secure Proxy vulnerable to multiple issues * Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase (CVE-2022-2097, CVE-2022-2068) * A vulnerability in the IBM Java Runtime affects IBM Rational ClearCase (CVE-2022-21626) * Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote code execution due to jsonwebtoken CVE-2022-23529 * Automation Assets in IBM Cloud Pak for Integration is vulnerable to CSS injection due to Swagger CVE-2019-17495 * Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to protobuf CVE-2022-1941 * Platform Navigator and Automation Assets in IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities * IBM Watson Knowledge Catalog on Cloud Pak for Data is vulnerable to SQL injection (CVE-2022-41731) * IBM Virtualization Engine TS7700 is vulnerable to a denial of service threat due to use of IBM\u00ae SDK Java\u2122 Technology Edition, Version 8 (CVE-2022-21626) * Multiple vulnerabilities affect IBM Db2\u00ae on Cloud Pak for Data and Db2 Warehouse\u00ae on Cloud Pak for Data * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in XStream * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PyPA Wheel * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js json5 * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Certifi * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js decode-uri-component * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PostgreSQL * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Tomcat * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Spark * Multiple Vulnerabilities in Java packages affect IBM Voice Gateway * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in HSQLDB * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Google Protocol Buffers * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-031-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily