Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 23.01.2023
by Daily end-of-shift report 23 Jan '23

23 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-01-2023 18:00 − Montag 23-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Anmeldung bei ManageEngine ServiceDesk Plus MSP mit beliebigem Passwort möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Helpdesk-Software ManageEngine ServiceDesk Plus MSP von Zoho. --------------------------------------------- https://heise.de/-7467650 ∗∗∗ "Cyberkriminelle" verschaffen sich Zugang zu Sky-Kundenkonten ∗∗∗ --------------------------------------------- Der Pay-TV-Anbieter Sky bestätigt, dass sich bösartige Akteure Zugriff zu Kundenkonten verschafft haben. Details gibt es noch nicht, der Schaden ist unklar. --------------------------------------------- https://heise.de/-7468078 ∗∗∗ Vorsicht vor Betrug bei der Wohnungssuche im Ausland ∗∗∗ --------------------------------------------- Sie planen ein Auslandssemester oder suchen für einen befristeten Zeitraum eine Wohnung oder ein WG-Zimmer? Nehmen Sie sich vor günstigen Traumwohnungen in Acht! Dahinter könnte eine Betrugsmasche stecken. Finger weg, wenn Sie ohne Besichtigung eine Zahlung leisten müssen, die angeblich von TripAdvisor, Airbnb oder Booking.com verwaltet wird. Sie verlieren Ihr Geld und stehen ohne Wohnung da. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-wohnungssuche-fuer-… ∗∗∗ Massive ad-fraud op dismantled after hitting millions of iOS devices ∗∗∗ --------------------------------------------- A massive ad fraud operation dubbed Vastflux that spoofed more than 1,700 applications from 120 publishers, mostly for iOS, has been disrupted by security researchers at cybersecurity company HUMAN. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-ad-fraud-op-dismantl… ∗∗∗ Whos Resolving This Domain?, (Mon, Jan 23rd) ∗∗∗ --------------------------------------------- Challenge of the day: To find the process that resolved a specific domain. And this is not always easy! --------------------------------------------- https://isc.sans.edu/diary/rss/29462 ∗∗∗ Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks ∗∗∗ --------------------------------------------- The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week. --------------------------------------------- https://thehackernews.com/2023/01/threat-actors-turn-to-sliver-as-open.html ∗∗∗ ShareFinder: How Threat Actors Discover File Shares ∗∗∗ --------------------------------------------- Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all [...] --------------------------------------------- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover… ∗∗∗ Activation Context Cache Poisoning: Exploiting CSRSS for Privilege Escalation ∗∗∗ --------------------------------------------- Starting in July of 2022, the Windows CSRSS process entered the consciousness of the infosec community as the source of several local privilege escalation vulnerabilities in Microsoft Windows. The first public information appeared on July 12 with the release of the patch for CVE-2022-22047, which was being actively exploited. Shortly thereafter, Microsoft published an article providing some technical details [...] --------------------------------------------- https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-ex… ∗∗∗ Inglourious Drivers - A Journey of Finding Vulnerabilities in Drivers ∗∗∗ --------------------------------------------- TL;DR I discovered multiple bugs in OEM vendors for peripheral devices, which affected many users of these OEM vendors (Razer, EVGA, MSI, AMI). Many of the vulnerabilities originated in a [...] --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/inglourious-drivers… ===================== = Vulnerabilities = ===================== ∗∗∗ Unter Attacke: Sicherheitsleck in GTA V ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- Angreifer missbrauchen eine Sicherheitslücke im Spiel GTA V, um die Statistiken von Opfern zu verändern. Sie könnten jedoch Schadcode unterzuschieben. --------------------------------------------- https://heise.de/-7467685 ∗∗∗ Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347) ∗∗∗ --------------------------------------------- U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and [...] --------------------------------------------- https://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecke… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (powerline-gitstatus, tiff, and trafficserver), Fedora (dotnet6.0, firefox, git, kernel, libXpm, rust, sudo, upx, and yarnpkg), Mageia (kernel and kernel-linus), Red Hat (firefox, java-11-openjdk, and sudo), Slackware (mozilla and seamonkey), SUSE (cacti, cacti-spine, samba, and tor), and Ubuntu (firefox, php7.2, php7.4, php8.1, and python-setuptools, setuptools). --------------------------------------------- https://lwn.net/Articles/920829/ ∗∗∗ A CVE-2022-21626 vulnerability in IBM Java Runtime affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856759 ∗∗∗ Multiple vulnerability affect IBM Business Automation Workflow - CVE-2022-42003, CVE-2022-42004 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856761 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2023
by Daily end-of-shift report 20 Jan '23

20 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-01-2023 18:00 − Freitag 20-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit released for critical ManageEngine RCE bug, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is now available for a remote code execution (RCE) vulnerability in multiple Zoho ManageEngine products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ Exploiting null-dereferences in the Linux kernel ∗∗∗ --------------------------------------------- While the null-dereference bug itself was fixed in October 2022, the more important fix was the introduction of an oops limit which causes the kernel to panic if too many oopses occur. While this patch is already upstream, it is important that distributed kernels also inherit this oops limit and backport it to LTS releases if we want to avoid treating such null-dereference bugs as full-fledged security issues in the future. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences… ∗∗∗ Importance of signing in Windows environments, (Fri, Jan 20th) ∗∗∗ --------------------------------------------- NTLM relaying has been a plague in Windows environments for many years and we have witnessed many exploits that rely on the fact that it is possible to relay NTLM authentication attempts to various target services. --------------------------------------------- https://isc.sans.edu/diary/rss/29456 ∗∗∗ Vulnerable WordPress Sites Compromised with Different Database Infections ∗∗∗ --------------------------------------------- Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out of date websites to be attacked by multiple threat actors or targeted by the same attacker using multiple different channels. We recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals. --------------------------------------------- https://blog.sucuri.net/2023/01/vulnerable-wordpress-sites-compromised-with… ∗∗∗ New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability ∗∗∗ --------------------------------------------- Earlier this month, Fortinet disclosed that unknown hacking groups have capitalized on the shortcoming to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server. --------------------------------------------- https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.ht… ∗∗∗ Neue Love-Scam Masche: Wenn die Internetbekanntschaft Sie zum Online-Handel überredet ∗∗∗ --------------------------------------------- Betrügerische Internetbekanntschaften versuchen auf unterschiedlichsten Wegen an Ihr Geld zu kommen. Bei einer neuen Masche erschleichen sich die Kriminellen Ihr Vertrauen, um Sie später auf den Online-Marktplatz haremark. --------------------------------------------- https://www.watchlist-internet.at/news/neue-love-scam-masche-wenn-die-inter… ∗∗∗ CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion ∗∗∗ --------------------------------------------- n this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in Adobe ColdFusion. --------------------------------------------- https://www.thezdi.com/blog/2023/1/18/cve-2022-35690-unauthenticated-rce-in… ∗∗∗ NCSC to retire Logging Made Easy ∗∗∗ --------------------------------------------- The NCSC is retiring Logging Made Easy (LME). After 31 March 2023, we will no longer support LME, and the GitHub page will close shortly after. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/ncsc-to-retire-logging-made-easy ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco: Hochriskantes Sicherheitsleck in Unified Communications Manager ∗∗∗ --------------------------------------------- In der Unified Communications Manager-Software von Cisco klafft eine Sicherheitslücke mit hohem Risiko. Der Hersteller stellt Updates zum Schließen bereit. --------------------------------------------- https://heise.de/-7465203 ∗∗∗ Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434) ∗∗∗ --------------------------------------------- The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications. --------------------------------------------- https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield). --------------------------------------------- https://lwn.net/Articles/920646/ ∗∗∗ Vulnerability Spotlight: XSS vulnerability in Ghost CMS ∗∗∗ --------------------------------------------- The TALOS-2022-1686 (CVE-2022-47194-CVE-2022-47197) shows that several XSS vulnerabilities could lead to privilege escalation. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-xss-vulnerabilit… ∗∗∗ Hitachi Energy PCU400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-019-01 ∗∗∗ ;">uniFLOW MOM Tech Support Potential Data Exposure Vulnerability – 20 January 2023 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Vulnerability in minimatch affects IBM Process Mining . CVE-2022-3517 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856471 ∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856659 ∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856661 ∗∗∗ Liberty is vulnerable to denial of service due to GraphQL Java affecting IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856687 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856719 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856717 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-34305 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856713 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-45143 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856721 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.01.2023
by Daily end-of-shift report 19 Jan '23

19 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-01-2023 18:00 − Donnerstag 19-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Illegal Solaris darknet market hijacked by competitor Kraken ∗∗∗ --------------------------------------------- Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named Kraken, who claims to have hacked it on January 13, 2022. --------------------------------------------- https://www.bleepingcomputer.com/news/security/illegal-solaris-darknet-mark… ∗∗∗ Microsoft investigates bug behind unresponsive Windows Start Menu ∗∗∗ --------------------------------------------- Microsoft is investigating an issue causing the Windows taskbar and Start Menu to become unresponsive and triggering Outlook and Teams login problems. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-bug-… ∗∗∗ PayPal accounts breached in large-scale credential stuffing attack ∗∗∗ --------------------------------------------- PayPal is sending out notices of a data breach to thousands of users who had their accounts accessed by credential stuffing actors, resulting in the compromise of some personal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-… ∗∗∗ New Blank Image attack hides phishing scripts in SVG files ∗∗∗ --------------------------------------------- An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-blank-image-attack-hides… ∗∗∗ Roaming Mantis implements new DNS changer in its malicious mobile app in 2022 ∗∗∗ --------------------------------------------- Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. --------------------------------------------- https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/1… ∗∗∗ SPF and DMARC use on 100k most popular domains, (Thu, Jan 19th) ∗∗∗ --------------------------------------------- Not too long ago, I wrote a diary discussing SPF and DMARC use on GOV subdomains in different ccTLDs around the world. The results werent too optimistic, it turned out that only about 42% of gov.cctld domains had a valid SPF record published and only about 19% of such domains had a valid DMARC record published. --------------------------------------------- https://isc.sans.edu/diary/rss/29452 ∗∗∗ Android Users Beware: New Hook Malware with RAT Capabilities Emerges ∗∗∗ --------------------------------------------- The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session. --------------------------------------------- https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html ∗∗∗ CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA ∗∗∗ --------------------------------------------- CircleCI, a big name in the DevOps space, has released an incident report about a data breach it experienced early this month. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/01/circleci-malware-stole-githu… ∗∗∗ Pwned or Bot ∗∗∗ --------------------------------------------- Its fascinating to see how creative people can get with breached data. Of course theres all the nasty stuff (phishing, identity theft, spam), but there are also some amazingly positive uses for data illegally taken from someone elses system. --------------------------------------------- https://www.troyhunt.com/pwned-or-bot/ ∗∗∗ LockBit ransomware – what you need to know ∗∗∗ --------------------------------------------- It is the worlds most active ransomware group - responsible for an estimated 40% of all ransomware infections worldwide. Find out what you need to know about LockBit in my article on the Tripwire State of Security blog. --------------------------------------------- https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need… ∗∗∗ Windows 11 22H2: Systemwiederherstellung verursacht "This app can’t open"-Fehler ∗∗∗ --------------------------------------------- Ich höre zwar immer wieder "läuft ohne Probleme", aber für den Fall der Fälle, also falls Windows 11 22H2 mal Schluckauf haben sollte und den Fehler "Diese App kann nicht geöffnet werden" zeigt, da hätte ich was zur Ursache. Hochoffiziell von Microsoft als Fehler bestätigt. --------------------------------------------- https://www.borncity.com/blog/2023/01/19/windows-11-22h2-systemwiederherste… ∗∗∗ Windows 10: "Schlagloch" Windows PE-Patch zum Fix der Bitlocker-Bypass-Schwachstelle CVE-2022-41099 ∗∗∗ --------------------------------------------- Nachtrag zum Januar 2023 Patchday für Windows. Es gibt in der Windows PE-Umgebung von Windows 10 eine Schwachstelle (CVE-2022-41099), die eine Umgehung der Bitlocker-Verschlüsselung umgeht. Zum Fixen muss die Windows PE-Umgebung der Clients manuell aktualisiert werden. --------------------------------------------- https://www.borncity.com/blog/2023/01/19/windows-10-schlagloch-windows-pe-p… ∗∗∗ Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest ∗∗∗ --------------------------------------------- In this blog, we’ll tackle encrypting AWS in transit and at rest. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/improve-your-aws-se… ∗∗∗ Following the LNK metadata trail ∗∗∗ --------------------------------------------- While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. --------------------------------------------- https://blog.talosintelligence.com/following-the-lnk-metadata-trail/ ∗∗∗ Darth Vidar: The Dark Side of Evolving Threat Infrastructure ∗∗∗ --------------------------------------------- Vidar is an info-stealer malware, which was first spotted in the wild in late 2018 by the security researcher Fumik0. Upon initial inspection, the identified sample appeared to be Arkei (another info-stealer), however differences in both the sample’s code and C2 communications were observed. --------------------------------------------- https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo). --------------------------------------------- https://lwn.net/Articles/920478/ ∗∗∗ Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM ∗∗∗ --------------------------------------------- Cisco on Wednesday announced patches for a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME). --------------------------------------------- https://www.securityweek.com/cisco-patches-high-severity-sql-injection-vuln… ∗∗∗ CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services ∗∗∗ --------------------------------------------- A cross-site request forgery (CSRF) vulnerability impacting the source control management (SCM) service Kudu could be exploited to achieve remote code execution (RCE) in multiple Azure services, cloud infrastructure security firm Ermetic has discovered. --------------------------------------------- https://www.securityweek.com/csrf-vulnerability-kudu-scm-allowed-code-execu… ∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-001 ∗∗∗ [R1] Nessus Version 8.15.8 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-02 ∗∗∗ Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856209 ∗∗∗ IBM Security Guardium is affected by a gson-1.7.1.jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856221 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-25647) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856221 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2022-48195, CVE-2022-29577, CVE-2022-28367, CVE-2015-6420) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856401 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856409 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39011) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856403 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39089) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856405 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39090) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856407 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856439 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856443 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.01.2023
by Daily end-of-shift report 18 Jan '23

18 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-01-2023 18:00 − Mittwoch 18-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ RC4 Is Still Considered Harmful ∗∗∗ --------------------------------------------- Ive been spending a lot of time researching Windows authentication implementations, specifically Kerberos. In June 2022 I found an interesting issue number 2310 with the handling of RC4 encryption that allowed you to authenticate as another user if you could either interpose on the Kerberos network traffic to and from the KDC or directly if the user was configured to disable typical pre-authentication requirements. This blog post goes into more detail [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harm… ∗∗∗ Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware, (Wed, Jan 18th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/29448 ∗∗∗ Is WordPress Secure? ∗∗∗ --------------------------------------------- According to W3Techs, 43.2% of all websites on the internet use WordPress. And of all websites that use a CMS (Content Management System) more than half (64%) leverage WordPress to power their blog or website. Unfortunately, since WordPress has such a large market share it has also become a prime target for attackers. You might be wondering whether WordPress is safe to use. And the short answer is yes - WordPress core is safe to use, but only if you maintain it to the latest version and [...] --------------------------------------------- https://blog.sucuri.net/2023/01/is-wordpress-secure.html ∗∗∗ CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) --------------------------------------------- https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html ∗∗∗ Jetzt patchen! Tausende Firewalls von Sophos angreifbar ∗∗∗ --------------------------------------------- Sicherheitsforscher haben das Internet auf verwundbare Sophos-Firewalls gescannt und sind fündig geworden. Sicherheitspatches gibt es seit Dezember 2022. --------------------------------------------- https://heise.de/-7462565 ∗∗∗ MSI-Motherboards sollen trotz aktivem Secure Boot manipulierte Systeme starten ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat herausgefunden, dass der Schutzmechanismus Secure Boot auf MSI-Motherboards standardmäßig aktiv ist, aber trotzdem alles durchwinkt. --------------------------------------------- https://heise.de/-7462913 ∗∗∗ Hochriskante Sicherheitslücken in Qt "nur ein Bug" ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher von Cisco Thalos haben hochriskante Sicherheitslücken in Qt-QML gefunden. Qt sieht App-Entwickler am Zuge und stuft sie nur als Bug ein. --------------------------------------------- https://heise.de/-7462956 ∗∗∗ Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability ∗∗∗ --------------------------------------------- Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns. --------------------------------------------- https://www.securityweek.com/vendors-actively-bypass-security-patch-year-ol… ∗∗∗ The Defender’s Guide to Windows Services ∗∗∗ --------------------------------------------- This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them. --------------------------------------------- https://posts.specterops.io/the-defenders-guide-to-windows-services-67c1711… ∗∗∗ Silo, or not silo, that is the question ∗∗∗ --------------------------------------------- As we (security folks) were working on the hardening of WSUS update servers, we had to answer an interesting question dealing with how to best isolate a sensitive server like WSUS on on-premises Active Directory. The question was: should I put my WSUS server into my T0 silo? --------------------------------------------- https://medium.com/tenable-techblog/silo-or-not-silo-that-is-the-question-d… ∗∗∗ Elastic IP Transfer: Identifying and Mitigating Risks from a New Attack-Vector on AWS ∗∗∗ --------------------------------------------- Elastic IPs (EIPs) are public and static IPv4 addresses provided by AWS. EIPs can be viewed as a pool of IPv4 addresses, accessible from the internet, that can be used in numerous ways. Once an EIP is allocated to an AWS account, it can be associated with a single compute instance or an elastic network [...] --------------------------------------------- https://orca.security/resources/blog/elastic-ip-transfer-attack-vector-on-a… ∗∗∗ An in-depth HTTP Strict Transport Security Tutorial ∗∗∗ --------------------------------------------- HSTS is an Internet standard and policy that tells the browser to only interact with a website using a secure HTTPS connection. Check out this article to learn how to leverage the security of your website and customers’ data and the security benefits you’ll gain from doing so. --------------------------------------------- https://www.trendmicro.com/en_us/devops/23/a/http-strict-transport-security… ∗∗∗ Kriminelle versprechen Geld für Haarspenden auf Job-Börsen, aber zahlen nicht! ∗∗∗ --------------------------------------------- Wenn Sie auf Facebook in diversen Job-Börsen nach einer Beschäftigung suchen, stoßen Sie womöglich auf ein verlockendes Angebot für Ihre Haare. Um für Krebskranke Perücken anzufertigen, ist man bereit, Ihnen bis zu 2000 Euro für Ihre Haare zu bezahlen. Achtung: Wenn Sie hier Kontakt aufnehmen, gibt man Ihnen genaue Anweisungen zum Abschneiden Ihrer Haare und verspricht eine Bezahlung bei Abholung. Doch dann sind Ihre Haare ab, Sie werden blockiert und [...] --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versprechen-geld-fuer-haa… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Sicherheitslücken in über 100 Oracle-Produkten ∗∗∗ --------------------------------------------- Das erste Oracle Critical Patch Update des Jahres 2023 liefert Beschreibungen und Updates für Sicherheitslücken in mehr als 100 Produkten des Unternehmens. --------------------------------------------- https://heise.de/-7462438 ∗∗∗ Versionsverwaltung: Git schließt zwei kritische Lücken in Version 2.39 ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Lücken in Git entdeckt, durch die beliebiger Code ausgeführt werden konnte. Patches stehen bereit, Nutzer sollten umgehend updaten. --------------------------------------------- https://heise.de/-7462680 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (awstats), Oracle (dpdk, libxml2, postgresql:10, systemd, and virt:ol and virt-devel:rhel), Red Hat (kernel), Slackware (git, httpd, libXpm, and mozilla), SUSE (libzypp-plugin-appdata), and Ubuntu (git, libxpm, linux-ibm-5.4, linux-oem-5.14, and ruby2.3). --------------------------------------------- https://lwn.net/Articles/920318/ ∗∗∗ Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers ∗∗∗ --------------------------------------------- Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).Two security defects were identified in TP-Link WR710N-V1-151022 and Archer-C5-V2-160201 SOHO (small office/home office) routers, allowing attackers to execute code, crash devices, or guess login credentials. --------------------------------------------- https://www.securityweek.com/remote-code-execution-vulnerabilities-found-tp… ∗∗∗ IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6850801 ∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp… ∗∗∗ Security Advisory - Misinterpretation of Input in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moiiahpp-… ∗∗∗ Security Advisory - Data Processing Error Vulnerability in a Huawei Band ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-dpeviahb-… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-boviahpp-… ∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp… ∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-5… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2023
by Daily end-of-shift report 17 Jan '23

17 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 16-01-2023 18:00 − Dienstag 17-01-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Finding that one GPO Setting in a Pool of Hundreds of GPOs, (Tue, Jan 17th) ∗∗∗ --------------------------------------------- I had a call recently from a client, they were looking for which Group Policy in their AD had a specific setting in it. --------------------------------------------- https://isc.sans.edu/diary/rss/29442 ∗∗∗ The misadventures of an SPF record ∗∗∗ --------------------------------------------- I ran a scan against the three million most visited domains and discovered that the Ukrainian MoD, MIT, University, University of Miami, along with 1000+ other domains had mistakenly used the “+all” SPF mechanism at the end of their respective SPF records - effectively meaning any public IP address can send SPF authenticated emails on their behalf. --------------------------------------------- https://caniphish.com/phishing-resources/blog/scanning-spf-records ∗∗∗ Windows: Verschwundene Start-Menüs und Taskbars sorgen für Verwirrung ∗∗∗ --------------------------------------------- Update 16.01.2023 07:44 Uhr: Microsoft hat inzwischen einen Support-Artikel in der Techcommunity herausgegeben, der PowerShell-Skripte und Anleitungen zur automatischen Ausführung für IT-Verantwortliche enthält, die zumindest einen Teil von gelöschten Verknüpfungen wiederherstellen können sollen. --------------------------------------------- https://www.heise.de/news/Windows-Verschwundene-Start-Menues-und-Taskbars-s… ∗∗∗ Beware of DDosia, a botnet created to facilitate DDoS attacks ∗∗∗ --------------------------------------------- The DDosia project is a successor of the Bobik botnet linked to the pro-Russian hacker group called NoName(057)16, as revealed in a recent analysis by Avast researcher Martin Chlumecky. --------------------------------------------- https://blog.avast.com/ddosia-project ∗∗∗ The prevalence of RCE exploits and what you should know about RCEs ∗∗∗ --------------------------------------------- Recent headlines have indicated that some major companies were affected by Remote Code Execution (RCE) vulnerabilities, just in the month of October. RCE flaws are largely exploited in the wild, and organizations are continually releasing patches to mitigate the problem. --------------------------------------------- https://www.tripwire.com/state-of-security/prevalence-rce-exploits-and-what… ∗∗∗ Attackers Can Abuse GitHub Codespaces for Malware Delivery ∗∗∗ --------------------------------------------- A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports. --------------------------------------------- https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-… ∗∗∗ Gefälschtes Post-SMS im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden per SMS gefälschte Paket-Benachrichtigungen. Darin steht, dass Ihr Paket im Sortierzentrum angekommen ist und Sie noch Importkosten zahlen müssen. Klicken Sie nicht auf den Link. Sie werden auf eine gefälschte Post-Seite geführt, wo Kriminelle Ihre Daten stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-post-sms-im-umlauf/ ∗∗∗ Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks ∗∗∗ --------------------------------------------- We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-leg… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft resolves four SSRF vulnerabilities in Azure cloud services ∗∗∗ --------------------------------------------- Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security. --------------------------------------------- https://msrc-blog.microsoft.com/2023/01/17/microsoft-resolves-four-ssrf-vul… ∗∗∗ Attacken auf kritische Lücke in ManageEngine-Produkte von Zoho bald möglich ∗∗∗ --------------------------------------------- Angreifer könnten ManageEngine-Produkte wie Access Manager Plus und Password Manager Pro mit Schadcode attackieren. --------------------------------------------- https://heise.de/-7461118 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor). --------------------------------------------- https://lwn.net/Articles/920217/ ∗∗∗ Schwere Sicherheitslücke in InRouter-Firmware von InHand Networks bedroht Roboter, Stromzähler, med. Geräte etc. ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf eine schwere Sicherheitslücke Schwachstelle CVE-2023-22598 in der InRouter-Firmware des Herstellers InHand Networks GmbH gestoßen. --------------------------------------------- https://www.borncity.com/blog/2023/01/17/schwere-sicherheitslcken-inrouter-… ∗∗∗ LDAP-Schwachstellen: Domain Controller mit Januar 2023-Updates patchen ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag zum Januar 2023-Patchday (10. Januar 2023). Administratoren sollten sich darum kümmern, dass ihre als Domain Controller fungierenden Windows Server auf dem aktuellen Patchstand sind. Denn mit den Januar 2023-Updates wurden zwei gravierende Schwachstellen im Lightweight Directory Access Protocol (LDAP) geschlossen. --------------------------------------------- https://www.borncity.com/blog/2023/01/17/ldap-schwachstellen-domain-control… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/ ∗∗∗ Security Vulnerabilities fixed in Firefox 109 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/ ∗∗∗ A vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855731 ∗∗∗ There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-22939, CVE-2021-22931, CVE-2020-7598) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855777 ∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855831 ∗∗∗ AIX is vulnerable to a buffer overflow due to X11 (CVE-2022-47990) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855827 ∗∗∗ IBM Robotic Process Automation is vulnerable to Cross-Site Scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855835 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.01.2023
by Daily end-of-shift report 16 Jan '23

16 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-01-2023 18:00 − Montag 16-01-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Viele Cacti-Server öffentlich erreichbar und verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher stoßen auf tausende über das Internet erreichbare Server mit dem IT-Monitoring-Tool Cacti. Zahlreiche Instanzen wurden noch nicht gepatcht. --------------------------------------------- https://heise.de/-7459904 ∗∗∗ CircleCI-Hack: 2FA-Zugangsdaten von Mitarbeiter ergaunert ∗∗∗ --------------------------------------------- Die Betreiber der Cloud-basierten Continuous-Integration-Plattform CircleCI haben ihren Bericht über den Sicherheitsvorfall veröffentlicht. --------------------------------------------- https://heise.de/-7460123 ∗∗∗ Gefälschte Job-Angebote im Namen der Wirtschafskammer auf Facebook ∗∗∗ --------------------------------------------- Auf Facebook kursieren gefälschte Jobangebote im Namen der Wirtschaftskammer Österreich. Die Anzeigen versprechen Gehälter zwischen 50 und 200 Euro pro Stunde. Die Wirtschaftskammern selbst warnen bereits auf Facebook vor den gefälschten Stellenangeboten. Bewerben Sie sich nicht und klicken Sie nicht auf den Link! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-job-angebote-im-namen-de… ∗∗∗ Avast releases free BianLian ransomware decryptor ∗∗∗ --------------------------------------------- Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian… ∗∗∗ Malicious ‘Lolip0p’ PyPi packages install info-stealing malware ∗∗∗ --------------------------------------------- A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packa… ∗∗∗ PSA: Why you must run an ad blocker when using Google, (Mon, Jan 16th) ∗∗∗ --------------------------------------------- Today, I just have a short public service announcement: You MUST run an adblocker while using Google. It may be best just to keep the adblocker enabled all the time. --------------------------------------------- https://isc.sans.edu/diary/rss/29438 ∗∗∗ Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware ∗∗∗ --------------------------------------------- Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed EyeSpy as part of a malware campaign that started in May 2022. --------------------------------------------- https://thehackernews.com/2023/01/beware-tainted-vpns-being-used-to.html ∗∗∗ Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software ∗∗∗ --------------------------------------------- A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020. --------------------------------------------- https://thehackernews.com/2023/01/raccoon-and-vidar-stealers-spreading.html ∗∗∗ Hacked! My Twitter user data is out on the dark web -- now what? ∗∗∗ --------------------------------------------- Your Twitter user data may now be out there too, including your phone number. Heres how to check and what you can do about it. --------------------------------------------- https://www.zdnet.com/article/hacked-my-twitter-user-data-is-out-on-the-dar… ∗∗∗ Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML ∗∗∗ --------------------------------------------- Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML. Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all [...] --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-integer-and-buff… ===================== = Vulnerabilities = ===================== ∗∗∗ PoC exploits released for critical bugs in popular WordPress plugins ∗∗∗ --------------------------------------------- Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-cr… ∗∗∗ Webbrowser: Microsoft Edge-Update schließt hochriskante Lücken ∗∗∗ --------------------------------------------- Microsoft hat in einem Update des Webbrowsers Edge Sicherheitslücken aus dem Chromium-Projekt abgedichtet. Sie schließt auch weitere hochriskante Lücken. --------------------------------------------- https://heise.de/-7459742 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp). --------------------------------------------- https://lwn.net/Articles/920120/ ∗∗∗ Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) ∗∗∗ --------------------------------------------- Im April 2021 hatten Sicherheitsforscher eine Privilege Escalation Schwachstelle im Windows RPC-Protokoll entdeckt, der eine lokale Privilegienerweiterung durch NTLM-Relay-Angriffe ermöglichte. Nun scheint ein Sicherheitsforscher auf eine nicht so bekannte Möglichkeit zur Durchführung von NTLM Reflection-Angriffen gestoßen zu sein, die er [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/15/nach-remotepotato0-kommt-die-windo… ∗∗∗ IBM Security Bulletins 2023-01-16 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM® Engineering Lifecycle Engineering products, IBM Integration Bus, IBM Maximo Asset Management, IBM MQ Internet Pass-Thru, IBM QRadar SIEM, IBM Sterling Partner Engagement Manager, IBM Tivoli Application Dependency Discovery Manager (TADDM), IBM Tivoli Netcool Configuration Manager, IBM Tivoli Network Manager (ITNM), IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM), Rational Functional Tester --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ HIMA: unquoted path vulnerabilities in X-OPC and X-OTS ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-059/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2023
by Daily end-of-shift report 13 Jan '23

13 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-01-2023 18:00 − Freitag 13-01-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fortinet says hackers exploited critical vulnerability to infect VPN customers ∗∗∗ --------------------------------------------- Remote code-execution bug was exploited to backdoor vulnerable servers. --------------------------------------------- https://arstechnica.com/?p=1909594 ∗∗∗ NortonLifeLock warns that hackers breached Password Manager accounts ∗∗∗ --------------------------------------------- Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-ha… ∗∗∗ Malware: Android-TV-Box mit vorinstallierter Schadsoftware gekauft ∗∗∗ --------------------------------------------- Auf Amazon hat ein Sicherheitsforscher eine Android-TV-Box gekauft - und entdeckte eine tief ins System integrierte Schadsoftware. --------------------------------------------- https://www.golem.de/news/malware-android-tv-box-mit-vorinstallierter-schad… ∗∗∗ Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar ∗∗∗ --------------------------------------------- Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar. --------------------------------------------- https://thehackernews.com/2023/01/cybercriminals-using-polyglot-files-in.ht… ∗∗∗ Keeping the wolves out of wolfSSL ∗∗∗ --------------------------------------------- Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS). --------------------------------------------- https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-f… ∗∗∗ Bad things come in large packages: .pkg signature verification bypass on macOS ∗∗∗ --------------------------------------------- Besides signing applications, it is also possible to sign installer packages (.pkg files). During a short review of the xar source code, we found a vulnerability (CVE-2022-42841) that could be used to modify a signed installer package without invalidating its signature. This vulnerability could be abused to bypass Gatekeeper, SIP and under certain conditions elevate privileges to root. [..] This was fixed by Apple with a 2 character fix: changing uint32_t to uint64_t in macOS 13.1. --------------------------------------------- https://sector7.computest.nl/post/2023-01-xar/ ∗∗∗ Crassus Windows privilege escalation discovery tool ∗∗∗ --------------------------------------------- Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files. The ACLs used by files and directories of privileged processes can find more than just looking for missing files to achieve the goal. --------------------------------------------- https://github.com/vullabs/Crassus ∗∗∗ Cyber-Attacken auf kritische Lücke in Control Web Panel ∗∗∗ --------------------------------------------- Cyberkriminelle greifen eine kritische Sicherheitslücke in CWP (Control Web Panel, ehemals CentOS Web Panel) an. Sie kompromittieren die verwundbaren Systeme. --------------------------------------------- https://heise.de/-7458440 ∗∗∗ Red Hat ergänzt Malware-Erkennungsdienst für RHEL ∗∗∗ --------------------------------------------- Im Rahmen von Red Hat Insights ergänzt das Unternehmen nun einen Malware-Erkennungsdienst. Der ist für RHEL 8 und 9 verfügbar. --------------------------------------------- https://heise.de/-7458189 ∗∗∗ Most Cacti Installations Unpatched Against Exploited Vulnerability ∗∗∗ --------------------------------------------- Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks. --------------------------------------------- https://www.securityweek.com/most-cacti-installations-unpatched-against-exp… ∗∗∗ Bestellen Sie nicht auf Cardione.at! ∗∗∗ --------------------------------------------- Cardione ist ein Nahrungsergänzungsmittel, das angeblich bei Bluthochdruck helfen soll. Cardione.at wirbt mit gefälschten Empfehlungen eines Arztes, es gibt keine Impressums- oder sonstige Unternehmensdaten. Wir raten: Bestellen Sie keine Cardione Tabletten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-bestellung-auf-cardione… ∗∗∗ Fake-Shop alvensleben.net imitiert Sofortüberweisung und fragt TANs ab! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor Fake-Shops wie alvensleben.net in Acht. Der Shop hat insbesondere Kinderspielzeug, Brettspiele und Sportgeräte im Sortiment, bietet aber auch Gartenmöbel und Klettergerüste sowie Bettwäsche an. Bezahlt werden soll per Sofortüberweisung. Achtung: Die Daten werden nicht an den Zahlungsdienstleister weitergeleitet, sondern von den Kriminellen abgegriffen. Später werden Sie zur Übermittlung von TAN-Codes überredet und dadurch um Ihr Geld gebracht! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alvenslebennet-imitiert-so… ∗∗∗ Microsoft ASR/Defender Update kann Desktop-/Startmenü-Verknüpfungen löschen ∗∗∗ --------------------------------------------- Wie aktuell in mehreren Medien berichtet wird, scheint das letzte Update von MS ASR/Defender Auswirkungen auf Desktop-/Startmenüverknüpfungen zu haben, und kann unter anderem dazu führen dass O365 Applikationen nicht mehr gestartet werden können. Gängiger Workaround scheint momentan zu sein, die entsprechenden Regeln auf "Audit" zu setzen. Microsoft hat die Regel wieder entfernt, es kann aber noch dauern, bis das global wirksam wird. Inzwischen wird empfohlen, im Admin Center auf SI MO497128 zu schauen. --------------------------------------------- https://cert.at/de/aktuelles/2023/1/microsoft-asrdefender-update-kann-deskt… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cacti, cacti-spine, mbedtls, postgresql-jdbc, and rust), Oracle (.NET 6.0, dbus, expat, grub2, kernel, kernel-container, libtasn1, libtiff, sqlite, and usbguard), Red Hat (rh-postgresql10-postgresql), SUSE (php7), and Ubuntu (heimdal, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi,, linux, linux-aws, linux-aws-hwe, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/919907/ ∗∗∗ IBM Security Bulletins 2023-01-13 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Data, IBM Cloud Pak for Security, IBM Security Verify Access Appliance, IBM Watson Speech Services, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1), ICP Speech to Text and Text to Speech --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CISA Releases Twelve Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/cisa-releases-twe… ∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/juniper-networks-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.01.2023
by Daily end-of-shift report 12 Jan '23

12 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-01-2023 18:00 − Donnerstag 12-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Konten leergeräumt: Neue Phishing-Welle mit Apple Pay ∗∗∗ --------------------------------------------- Mit einem ausgeklügelten Trick versuchen Kriminelle an Kreditkartendaten zu kommen. Wer Grundlegendes beachtet, ist allerdings ausreichend geschützt. --------------------------------------------- https://futurezone.at/digital-life/apple-pay-phishing-welle-mail-kreditkart… ∗∗∗ Hack: Sicherheitslücke in SugarCRM-Servern wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Etliche SugarCRM-Server in den USA und Deutschland wurden schon gehackt. Ein Hotfix wurde bereits veröffentlicht. --------------------------------------------- https://www.golem.de/news/hack-sicherheitsluecke-in-sugarcrm-servern-wird-a… ∗∗∗ Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability ∗∗∗ --------------------------------------------- Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. --------------------------------------------- https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html ∗∗∗ New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors ∗∗∗ --------------------------------------------- A new analysis of Raspberry Robins attack infrastructure has revealed that its possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. --------------------------------------------- https://thehackernews.com/2023/01/new-analysis-reveals-raspberry-robin.html ∗∗∗ IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours ∗∗∗ --------------------------------------------- A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access. --------------------------------------------- https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html ∗∗∗ Prowler v3: AWS & Azure security assessments ∗∗∗ --------------------------------------------- Prowler is an open source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. Prowler v3 is now multi-cloud with Azure added as the second supported cloud provider. --------------------------------------------- https://isc.sans.edu/diary/rss/29430 ∗∗∗ Exfiltration Over a Blocked Port on a Next-Gen Firewall ∗∗∗ --------------------------------------------- [..] all successfully exfiltrated data packets were in small formats [..], smaller than the MTU (maximum transmit unit). This meant that these data types could only be exfiltrated in single packets, rather than multiple, to avoid exceeding the MTU size. When asked about this finding, the NG-FW vendor acknowledged that "to determine which application is being used, and whether the session aligned with the protocol’s standard, the NG-FW must allow at least one packet to pass." --------------------------------------------- https://cymulate.com/blog/data-exfiltration-firewall/ ∗∗∗ Kritische Sicherheitslücke bedroht End-of-Life-Router von Cisco ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat wichtige Sicherheitsupdates für etwa verschiedene Router, IP-Telefone und Webex veröffentlicht. --------------------------------------------- https://heise.de/-7456480 ∗∗∗ AI-generated phishing attacks are becoming more convincing ∗∗∗ --------------------------------------------- Its time for you and your colleagues to become more skeptical about what you read. Thats a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harrass, and spread fake news. Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed. --------------------------------------------- https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-ar… ∗∗∗ Threema Under Fire After Downplaying Security Research ∗∗∗ --------------------------------------------- The developers of the open source secure messaging app Threema have come under fire over their public response to a security analysis conducted by researchers at the Swiss university ETH Zurich. --------------------------------------------- https://www.securityweek.com/threema-under-fire-after-downplaying-security-… ∗∗∗ SCCM Site Takeover via Automatic Client Push Installation ∗∗∗ --------------------------------------------- tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation. --------------------------------------------- https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-in… ∗∗∗ Gefährliche Fehlkonfigurationen von Active Directory-Dienstkonten ∗∗∗ --------------------------------------------- Das Identifizieren von Schwachstellen in der AD-Konfiguration kann sich als Albtraum erweisen, warnt Gastautor Guido Grillenmeier von Semperis. --------------------------------------------- https://www.zdnet.de/88406475/gefaehrliche-fehlkonfigurationen-von-active-d… ∗∗∗ Microsoft Exchange Januar 2023 Patchday-Nachlese: Dienste starten nicht etc. ∗∗∗ --------------------------------------------- Zum 10. Januar 2023 (Patchday) hat Microsoft Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software, haben aber bekannte Fehler und verursachen neue neue Probleme bei der Installation. Hier ein kurzer Überblick über den Sachstand. --------------------------------------------- https://www.borncity.com/blog/2023/01/12/microsoft-exchange-januar-2023-pat… ∗∗∗ What is Red Teaming & How it Benefits Orgs ∗∗∗ --------------------------------------------- Running real-world attack simulations can help improve organizations cybersecurity resilience --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/what-is-red-teaming.html ∗∗∗ Shodan Verified Vulns 2023-01-01 ∗∗∗ --------------------------------------------- Mit Stand 2023-01-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/1/shodan-verified-vulns-2023-01-01 ===================== = Vulnerabilities = ===================== ∗∗∗ Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001 ∗∗∗ --------------------------------------------- Description: This module enables users to create private vocabularies. The module doesnt enforce permissions appropriately for the taxonomy overview page and overview form. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-001 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (emacs, libxstream-java, and netty), Fedora (mingw-binutils, pgadmin4, phoronix-test-suite, vim, and yarnpkg), Red Hat (.NET 6.0, dbus, expat, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, postgresql:10, sqlite, systemd, usbguard, and virt:rhel and virt-devel:rhel), and SUSE (net-snmp, openstack-barbican, openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, [...] --------------------------------------------- https://lwn.net/Articles/919785/ ∗∗∗ TP-Link SG105PE vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78481846/ ∗∗∗ WAGO: Unauthenticated Configuration Export in web-based management in multiple devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-054/ ∗∗∗ Visual Studio Code Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21779 ∗∗∗ Security vulnerability in Apache CXF affects IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854685 ∗∗∗ Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854713 ∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854647 ∗∗∗ Vulnerabilities in IBM Java Runtime affect IBM WebSphere Application Servers used by IBM Master Data Management (CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854595 ∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering products using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851835 ∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to PostgreSQL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854915 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-41041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854927 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to arbitrary code execution due to [CVE-2022-25893] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854929 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-41041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854931 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.01.2023
by Daily end-of-shift report 11 Jan '23

11 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-01-2023 18:00 − Mittwoch 11-01-2023 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Lorenz ransomware gang plants backdoors to use months later ∗∗∗ --------------------------------------------- Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lorenz-ransomware-gang-plant… ∗∗∗ Bad Paths & The Importance of Using Valid URL Characters ∗∗∗ --------------------------------------------- To ensure that your web files and pages are accessible to a wide range of users with various different devices and operating systems, it’s important to use valid URL characters. Unsafe characters are known to cause compatibility issues with various browser clients, web servers, and even lead to incompatibility issues with web application firewalls. --------------------------------------------- https://blog.sucuri.net/2023/01/bad-paths-the-importance-of-using-valid-url… ∗∗∗ Gefälschte Telegram-App spioniert unter Android ∗∗∗ --------------------------------------------- IT-Forscher von Eset haben eine gefälschte Telegram-App aufgespürt, die ihre Opfer umfassend ausspioniert. Sie wird jedoch außerhalb von Google Play verteilt. --------------------------------------------- https://heise.de/-7455996 ∗∗∗ Cybercrime Group Exploiting Old Windows Driver Vulnerability to Bypass Security Products ∗∗∗ --------------------------------------------- A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms. --------------------------------------------- https://www.securityweek.com/cybercrime-group-exploiting-old-windows-driver… ∗∗∗ SMB “Access is denied” caused by anti-NTLM relay protection ∗∗∗ --------------------------------------------- We investigated a situation where an SMB client could not connect to an SMB server. The SMB server returned an “Access Denied” during the NTLM authentication, even though the credentials were correct and there were no restrictions on both the server-side share and client-side (notably UNC Hardened Access). --------------------------------------------- https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntl… ∗∗∗ Dark Pink ∗∗∗ --------------------------------------------- New APT hitting Asia-Pacific, Europe that goes deeper and darker --------------------------------------------- https://blog.group-ib.com/dark-pink-apt ===================== = Vulnerabilities = ===================== ∗∗∗ Webbrowser: 17 Sicherheitslücken in Google Chrome gestopft ∗∗∗ --------------------------------------------- Das erste Update des Jahres hievt den Webbrowser Chrome auf Stand 109. Die Entwickler schließen darin 17 Schwachstellen, von denen einige hochriskant sind. --------------------------------------------- https://heise.de/-7455130 ∗∗∗ Patchday: Schadcode-Attacken auf Adobe InCopy und InDesign möglich ∗∗∗ --------------------------------------------- Die Entwickler von Adobe haben in mehreren Anwendungen gefährliche Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7455222 ∗∗∗ Patchday: Angreifer verschaffen sich unter Windows System-Rechte ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für unter anderem Exchange Server, Office und Windows veröffentlicht. --------------------------------------------- https://heise.de/-7455122 ∗∗∗ Exploit-Code gesichtet: Attacken auf IT-Monitoring-Tool Cacti möglich ∗∗∗ --------------------------------------------- Angreifer könnten an einer kritischen Sicherheitslücke in Cacti ansetzen und Schadcode auf Servern ausführen. --------------------------------------------- https://heise.de/-7455833 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exiv2, hsqldb, libjettison-java, ruby-sinatra, and viewvc), Fedora (golang-github-docker, mbedtls, and vim), Gentoo (alpine, commons-text, jupyter_core, liblouis, mbedtls, ntfs3g, protobuf-java, scikit-learn, and twisted), Red Hat (kernel and kpatch-patch), SUSE (rubygem-activerecord-5.2, tiff, and webkit2gtk3), and Ubuntu (dotnet6, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-oracle, linux-ibm, and linux-oem-5.17, linux-oem-6.0). --------------------------------------------- https://lwn.net/Articles/919649/ ∗∗∗ Unpatchable Hardware Vulnerability Allows Hacking of Siemens PLCs ∗∗∗ --------------------------------------------- Researchers at firmware security company Red Balloon Security have discovered a potentially serious vulnerability affecting many of Siemens’ programmable logic controllers (PLCs). --------------------------------------------- https://www.securityweek.com/unpatchable-hardware-vulnerability-allows-hack… ∗∗∗ Exchange Server Sicherheitsupdates (10. Januar 2023), dringend patchen ∗∗∗ --------------------------------------------- Microsoft hat zum 10. Januar 2023 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software. --------------------------------------------- https://www.borncity.com/blog/2023/01/11/exchange-server-sicherheitsupdates… ∗∗∗ AMD Client Vulnerabilities - January 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500539-AMD-CLIENT-VULNERABILIT… ∗∗∗ AMD Server Vulnerabilities - January 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500538-AMD-SERVER-VULNERABILIT… ∗∗∗ Multiple Vulnerabilities in IBM Java SDK affects Liberty for Java for IBM Cloud due to the October 2022 CPU plus CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854413 ∗∗∗ Vulnerability in IBM WebSphere Liberty Profile affects IBM InfoSphere Identity Insight (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854451 ∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854571 ∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to OpenSSL as a part of Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854575 ∗∗∗ IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854577 ∗∗∗ The IBM Engineering System Design Rhapsody products on IBM Jazz Technology contains additional security fixes for Log4j vulnerabilities CVE-2021-4104 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6825215 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2023
by Daily end-of-shift report 10 Jan '23

10 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 09-01-2023 18:00 − Dienstag 10-01-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Interview: Sönke Huster über Lücken im WLAN-Stack des Linux-Kernels ∗∗∗ --------------------------------------------- Sönke Huster hat Sicherheitslücken im WLAN-Stack des Linux-Kernels gefunden, die einen Angriff theoretisch ermöglichen, nur weil das WLAN eingeschaltet ist. --------------------------------------------- https://heise.de/-7447684 ∗∗∗ Meeting-Client Zoom unter Android, macOS und Windows angreifbar ∗∗∗ --------------------------------------------- Nach erfolgreichen Attacken auf Zoom Rooms könnten sich Angreifer etwa unter macOS Root-Rechte verschaffen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7453606 ∗∗∗ Sourcecode-Editor Visual Studio Code: Fake Extensions lassen sich leicht tarnen ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine als Prettier getarnte Erweiterung im Marktplatz veröffentlicht, die es auf gut 1000 Downloads innerhalb von 48 Stunden brachte. --------------------------------------------- https://heise.de/-7453534 ∗∗∗ Patchday: SAP behandelt vier kritische Schwachstellen ∗∗∗ --------------------------------------------- SAP liefert Updates zum Beheben von teils kritischen Sicherheitslücken in den Produkten des Herstellers. IT-Verantwortliche sollten sie rasch installieren. --------------------------------------------- https://heise.de/-7454402 ∗∗∗ Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges ∗∗∗ --------------------------------------------- On Oct 21, 2022, 360Netlabs honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via F5 vulnerability with zero VT detection, our system observces that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, this caught our attention. --------------------------------------------- https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/ ∗∗∗ New year, old tricks: Hunting for CircleCI configuration files, (Mon, Jan 9th) ∗∗∗ --------------------------------------------- I have written before about attackers looking for exposed configuration files. Configuration files often include credentials or other sensitive information. Today, I noticed some scans for a files called "/.circleci/config.yml". Given the recent breach at CircleCI, I dug in a bit deeper. --------------------------------------------- https://isc.sans.edu/diary/rss/29416 ∗∗∗ ChatGPT-Written Malware ∗∗∗ --------------------------------------------- I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.…within a few weeks of ChatGPT going live, participants in cybercrime forums—some with little or no coding experience—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks. --------------------------------------------- https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html ∗∗∗ Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL ∗∗∗ --------------------------------------------- The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week. --------------------------------------------- https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html ∗∗∗ The Dark Side of Gmail ∗∗∗ --------------------------------------------- Behind one of Gmail’s lesser-known features lies a potential threat to websites and platforms managers. --------------------------------------------- https://osintmatter.com/the-dark-side-of-gmail/ ∗∗∗ Crypto-inspired Magecart skimmer surfaces via digital crime haven ∗∗∗ --------------------------------------------- One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspir… ∗∗∗ Malware-based attacks on ATMs - A summary ∗∗∗ --------------------------------------------- Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics. --------------------------------------------- https://blog.nviso.eu/2023/01/10/malware-based-attacks-on-atms-a-summary/ ===================== = Vulnerabilities = ===================== ∗∗∗ Securepoint UTM: Hotfix schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- In den Securepoint UTM klafft eine kritische Sicherheitslücke. Das Unternehmen hat einen Hotfix bereitgestellt, der die Schwachstelle abdichtet. --------------------------------------------- https://heise.de/-7453560 ∗∗∗ UEFI-Sicherheitslücken bedrohen ARM-Geräte wie Microsoft Surface ∗∗∗ --------------------------------------------- Supply-Chain-Attacken möglich: Angreifer könnten auf Lenovo ThinkPads und Microsoft Surface den Schutzmechanismus Secure Boot umgehen. --------------------------------------------- https://heise.de/-7454141 ∗∗∗ Eleven Vulnerabilities Patched in Royal Elementor Addons ∗∗∗ --------------------------------------------- On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day. --------------------------------------------- https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-ro… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/919543/ ∗∗∗ 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider ∗∗∗ --------------------------------------------- The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities. --------------------------------------------- https://www.securityweek.com/2023-ics-patch-tuesday-debuts-12-security-advi… ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released two Industrial Control Systems (ICS) advisories on January 10, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-010-01 Black Box KVM ICSA-22-298-07 Delta Electronics InfraSuite Device Master (Update A) --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/10/cisa-releases-two… ∗∗∗ Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three vulnerabilities in Asus router software. The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-asus-router-acce… ∗∗∗ IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗ --------------------------------------------- CICS Transaction Gateway, IBM Answer Retrieval for Watson Discovery, IBM Business Automation Workflow, IBM Cloud Object Storage Systems, IBM Master Data Management, IBM Maximo Application Suite, IBM Sterling Partner Engagement Manager, IBM WebSphere Application Server, TADDM --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Siemens Security Advisories (7 new, 15 updated) ∗∗∗ --------------------------------------------- SSA-997779 V1.0: File Parsing Vulnerability in Solid Edge before V2023 MP1 SSA-936212 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Solid Edge SSA-712929 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products SSA-710008 V1.2 (Last Update: 2023-01-10): Multiple Web Vulnerabilities in SCALANCE Products SSA-697140 V1.1 (Last Update: 2023-01-10): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products SSA-593272 V1.9 (Last Update: 2023-01-10): SegmentSmack in Interniche IP-Stack based Industrial Devices SSA-592007 V1.9 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Products SSA-552702 V1.3 (Last Update: 2023-01-10): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products SSA-547714 V1.1 (Last Update: 2023-01-10): Argument Injection Vulnerability in SIMATIC WinCC OA Ultralight Client SSA-496604 V1.0: Cross-Site Scripting Vulnerability in Mendix SAML Module SSA-482757 V1.0: Missing Immutable Root of Trust in S7-1500 CPU devices SSA-480230 V2.5 (Last Update: 2023-01-10): Denial of Service Vulnerability in Webserver of Industrial Products SSA-478960 V1.2 (Last Update: 2023-01-10): Missing CSRF Protection in the Web Server Login Page of Industrial Controllers SSA-476715 V1.0: Two Vulnerabilities in Automation License Manager SSA-473245 V2.5 (Last Update: 2023-01-10): Denial-of-Service Vulnerability in Profinet Devices SSA-446448 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack SSA-431678 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerability in SIMATIC S7 CPU Families SSA-382653 V1.1 (Last Update: 2023-01-10): Multiple Denial of Service Vulnerabilities in Industrial Products SSA-349422 V1.8 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Real-Time (IRT) Devices SSA-332410 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 1 SSA-210822 V1.1 (Last Update: 2023-01-10): Improper Access Control Vulnerability in Mendix Workflow Commons Module SSA-113131 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerabilities in SIMATIC S7-400 CPUs --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2023-01#Sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily