Daily

daily@lists.cert.at

1 participants
3182 discussions

Tageszusammenfassung - 08.02.2023
by Daily end-of-shift report 08 Feb '23

08 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-02-2023 18:00 − Mittwoch 08-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware-Attacke: CISA veröffentlicht Wiederherstellungsskript für VMware ESXi ∗∗∗ --------------------------------------------- Die US-amerikanische Cyber-Sicherheitsbehörde CISA hat ein Wiederherstellungsskript bereitgestellt, mit dem betroffene Server gerettet werden könnten. --------------------------------------------- https://heise.de/-7488498 ∗∗∗ Achtung: Betrügerische Rechnungen in E-Mails und PayPal-App! ∗∗∗ --------------------------------------------- PayPal-User:innen aufgepasst: Kriminelle stellen aktuell Coinbase-Rechnungen über PayPal. Diese Rechnungen landen dadurch sowohl in Ihrem Mail-Postfach, als auch Ihrer PayPal-App und können dadurch für echt gehalten werden! Ignorieren Sie die Rechnungen und setzen Sie sich bei Unklarheiten mit PayPal in Verbindung. Bezahlen Sie nichts und befolgen Sie keinesfalls die Händler-Anweisungen aus der Rechnung. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betruegerische-rechnungen-in… ∗∗∗ Sicherheitsupdate: Acht Sicherheitslücken in OpenSSL geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit der Softwarebibliothek für verschlüsselte Verbindungen OpenSSL attackieren. Der Bedrohungsgrad hält sich aber in Grenzen. --------------------------------------------- https://heise.de/-7489560 ∗∗∗ Medusa botnet returns as a Mirai-based variant with ransomware sting ∗∗∗ --------------------------------------------- A new version of the Medusa DDoS (distributed denial of service) botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-botnet-returns-as-a-m… ∗∗∗ Simple HTML Phishing via Telegram Bot, (Wed, Feb 8th) ∗∗∗ --------------------------------------------- Monday, I wrote about the use of IP lookup APIs by bots. It turns out that it is not just bots using these APIs, but phishing e-mails are also taking advantage of them. --------------------------------------------- https://isc.sans.edu/diary/rss/29528 ∗∗∗ Post-Exploitation: Abusing the KeePass Plugin Cache ∗∗∗ --------------------------------------------- This blog post presents a post-exploitation approach to inject code into KeePass without process injection. It is performed by abusing the cache resulting from the compilation of PLGX plugin. --------------------------------------------- https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cac… ∗∗∗ A Detailed Analysis of a New Stealer Called Stealerium ∗∗∗ --------------------------------------------- Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. --------------------------------------------- https://securityscorecard.com/research/a-detailed-analysis-of-a-new-stealer… ∗∗∗ Rustproofing Linux (nccgroup) ∗∗∗ --------------------------------------------- The nccgroup blog is carrying afour-part series by Domen Puncer Kugler on how vulnerabilities can maketheir way into device drivers written in Rust. In other words, the CONFIG_INIT_STACK_ALL_ZERO build option does nothing for Rust code! Developers must be cautious to avoid shooting themselves in the foot when porting a driver from C to Rust, especially if they previously relied on this config option to mitigate this class of vulnerability. It seems that kernel info leaks and KASLR bypasses might be here to stay, at least, for a little while longer. --------------------------------------------- https://lwn.net/Articles/922638/ ∗∗∗ Pwn2Owning Two Hosts at the Same Time: Abusing Inductive Automation Ignition’s Custom Deserialization ∗∗∗ --------------------------------------------- Pwn2Own Miami 2022 was a fine competition. At the contest, I successfully exploited three different targets. In this blog post, I would like to show you my personal best research of the competition: the custom deserialization issue in Inductive Automation Ignition. --------------------------------------------- https://www.thezdi.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-… ∗∗∗ CVE-2022-21587: Rapid7 Observed Exploitation of Oracle E-Business Suite Vulnerability ∗∗∗ --------------------------------------------- Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-obser… ∗∗∗ How to Use Cloud Access Security Brokers for Data Protection ∗∗∗ --------------------------------------------- A cloud access security broker is a security policy enforcement point that can be located on-premises or in the cloud. Its purpose is to aggregate and implement an enterprise’s security policies whenever cloud-based resources are accessed. --------------------------------------------- https://www.hackread.com/cloud-access-security-brokers-data-protection/ ===================== = Vulnerabilities = ===================== ∗∗∗ PMASA-2023-1 ∗∗∗ --------------------------------------------- XSS vulnerability in drag-and-drop upload Affected Versions: phpMyAdmin versions prior to 4.9.11 and 5.2.1 are affected. The vulnerability has existed since release version 4.3.0. --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2023-1/ ∗∗∗ Webbrowser: Google Chrome dichtet Sicherheitslecks ab und ändert Release-Zyklus ∗∗∗ --------------------------------------------- Der Webbrowser Google Chrome 110 schließt 15 teils hochriskante Schwachstellen. Der Hersteller stellt zudem auf ein neues Release-System um. --------------------------------------------- https://heise.de/-7488524 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (heimdal, openssl, shim, and xorg-server), Oracle (kernel and thunderbird), Red Hat (git, libksba, samba, and tigervnc), Scientific Linux (thunderbird), Slackware (openssl and xorg), SUSE (EternalTerminal, openssl-1_0_0, openssl-1_1, openssl-3, openssl1, polkit, and sssd), and Ubuntu (git, grunt, heimdal, openssl, openssl1.0, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/922626/ ∗∗∗ Tuesday February 14 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, 18.x and 19.x releases lines on or shortly after, Tuesday February 14 2023 in order to address: 2 low severity issues. 2 medium severity issues. 1 high severity issues. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases ∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in The Huawei Children Smart Watch (Simba-AL00) ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvithc… ∗∗∗ IBM Security Bulletins 2023-02-08 ∗∗∗ --------------------------------------------- * A Security Vulnerability has been identified in the IBM Java SDK as shipped with IBM Security Verify Access. * IBM Aspera Orchestrator affected by vulnerability (CVE-2022-28615) * IBM® Db2® Connect Server is vulnerable due to the use of Apache HttpComponents. (CVE-2014-3577) * IBM® Db2® is vulnerable to an information disclosure vulnerabilitiy due to improper privilege management when a specially crafted table access is used. (CVE-2022-43927) * IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) * IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted Load command. (CVE-2022-43929) * IBM Jazz for Service Management is vulnerable to All XStream (Publicly disclosed vulnerability) (CVE-2022-41966) * IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Express.js Express denial of service (CVE-2022-24999) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Moment denial of service (CVE-2022-31129) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js follow-redirects module information disclosure vulnerabilities (CVE-2022-0536, CVE-2022-0155) * IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache James MIME4J (CVE-2022-45787) * IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) * Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.2 * Multiple vulnerabilities in the Expat library affect IBM® Db2® Net Search Extender may lead to denial of service or arbitrary code execution. * Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. * Unspecified vulnerability in Java Affects IBM Infosphere Global Name Management (CVE-2022-21496) * Vulnerabilities in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-22475, CVE-2022-22476) * Vulnerability in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-34165) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2023
by Daily end-of-shift report 07 Feb '23

07 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 06-02-2023 18:00 − Dienstag 07-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researcher breaches Toyota supplier portal with info on 14,000 partners ∗∗∗ --------------------------------------------- The issues were responsibly disclosed to Toyota on November 3, 2022, and the Japanese car maker confirmed they had been fixed by November 23, 2022. EatonWorks published a detailed writeup about the discoveries today after 90 days disclosure process had passed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-breaches-toyota-s… ∗∗∗ APIs Used by Bots to Detect Public IP address, (Mon, Feb 6th) ∗∗∗ --------------------------------------------- Many of the bots I am observing attempt to detect the infected system&#;x26;#;39;s public ("WAN") IP address. Most of these systems are assumed to be behind NAT. To detect the external IP address, these bots use various public APIs. It may be helpful to detect these requests. Many use unique host names. This will make detecting the request in DNS logs easy even if TLS is not intercepted. --------------------------------------------- https://isc.sans.edu/diary/rss/29516 ∗∗∗ Android Security Bulletin—February 2023 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. [..] The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. --------------------------------------------- https://source.android.com/docs/security/bulletin/2023-02-01 ∗∗∗ Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console ∗∗∗ --------------------------------------------- AWS applies a rate limit to authentication requests made to the AWS Console, in an effort to prevent brute-force and credential stuffing attacks. In this post, we discuss a weakness we discovered in the AWS Console authentication flow that allowed us to partially bypass this rate limit and continuously attempt more than 280 passwords per minute (4.6 per second). The weakness was since mitigated by AWS. --------------------------------------------- https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass/ ∗∗∗ Smishing: Vorsicht vor Fake Magenta-SMS ∗∗∗ --------------------------------------------- Momentan sind vermehrt gefälschte Magenta-SMS im Umlauf. In der Nachricht wird behauptet, dass Ihre Rechnung nicht beglichen werden konnte. Klicken Sie nicht auf den Link – dieser führt zu einer gefälschten Magenta-Seite, wo Kriminelle Ihre Daten und Ihr Geld stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/smishing-vorsicht-vor-diesem-fake-ma… ∗∗∗ Saferinternet.at-Studie: Jugendliche und Falschinformationen im Internet ∗∗∗ --------------------------------------------- Anlässlich des heutigen Safer Internet Day führte Saferinternet.at eine Studie zum Thema „Jugendliche und Falschinformationen im Internet“ durch. Die Studienergebnisse zeigen, dass Österreichs Jugendliche beim Umgang mit Informationen im Internet in einem Dilemma stecken: Die Jugendlichen informieren sich zu Alltagsthemen vor allem über soziale Medien, vertrauen den dort bezogenen Informationen jedoch kaum. --------------------------------------------- https://www.watchlist-internet.at/news/studie-jugendliche-und-falschinforma… ∗∗∗ Safer Internet Day: FAQ Internetsicherheit für Kinder und Jugendliche ∗∗∗ --------------------------------------------- Im Internet lauern für Heranwachsende viele Gefahren, die sie noch nicht einschätzen können. Mit Wissensvermittlung und Tools können sie geschützt werden. --------------------------------------------- https://heise.de/-7333482 ∗∗∗ This notorious ransomware has now found a new target ∗∗∗ --------------------------------------------- The authors of Clop ransomware are experimenting with a Linux variant - a warning that multiple different platforms are in the sights of cyber extortionists. --------------------------------------------- https://www.zdnet.com/article/this-notorious-ransomware-is-now-targeting-li… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-094: Netatalk dsi_writeinit Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-094/ ∗∗∗ TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering ∗∗∗ --------------------------------------------- Subcomponent: Frontend Rendering (ext:frontend, ext:core) Affected Versions: 8.7.0-8.7.50, 9.0.0-9.5.39, 10.0.0-10.4.34, 11.0.0-11.5.22, 12.0.0-12.1.3 Severity: High References: CVE-2023-24814, CWE-79 --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-001 ∗∗∗ Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419) ∗∗∗ --------------------------------------------- Through the course of routine security testing and analysis, Rapid7 has discovered several issues in on-premises installations of open source and freemium Document Management System (DMS) offerings from four vendors. ONLYOFFICE, OpenKM, LogicalDOC, Mayan [..] Unfortunately, none of these vendors were able to respond to Rapid7's disclosure outreach --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412… ∗∗∗ OpenSSL Security Advisory [7th February 2023] ∗∗∗ --------------------------------------------- * Severity: High - X.400 address type confusion in X.509 GeneralName (CVE-2023-0286): [...] this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. * Severity: Moderate - CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401 --------------------------------------------- https://www.openssl.org/news/secadv/20230207.txt ∗∗∗ Dateiübertragungslösung: Zero-Day-Lücke in GoAnywhere-MFT-Servern ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf Server mit GoAnywhere MFT abgesehen. Bislang gibt es kein Sicherheitsupdate. Eine temporäre Übergangslösung sichert Systeme ab. --------------------------------------------- https://heise.de/-7487393 ∗∗∗ VMSA-2023-0003 ∗∗∗ --------------------------------------------- CVSSv3 Range: 7.8 CVE(s): CVE-2023-20854 Synopsis: VMware Workstation update addresses an arbitrary file deletion vulnerability (CVE-2023-20854) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0003.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux). --------------------------------------------- https://lwn.net/Articles/922519/ ∗∗∗ Ichiran App vulnerable to improper server certificate verification ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN11257333/ ∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ EnOcean SmartServer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-037-01 ∗∗∗ IBM Security Verify Governance, Identity Manager software component is affected by a vulnerabilitiy CVE-2023-23477 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953461 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6839565 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953483 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953497 ∗∗∗ Denial of Service vulnerability affects IBM Business Automation Workflow - CVE-2022-25887 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952745 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953497 ∗∗∗ Apache POI is vulnerable to a denial of service, caused by an out of memory exception flaw in the HMEF package(CVE-2022-26336) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953525 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953557 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953559 ∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to bypassing security restrictions, denial of service attacks, and data integrity impacts due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953579 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953583 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953587 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953589 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.02.2023
by Daily end-of-shift report 06 Feb '23

06 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-02-2023 18:00 − Montag 06-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Weltweiter Ransomware-Angriff ∗∗∗ --------------------------------------------- Bei einem weltweit breit gestreuten Ransomware-Angriff wurden laut Medienberichten tausende ESXi-Server, die u. a. zur Virtualisierung von IT-Fachverfahren genutzt werden, verschlüsselt. Der regionale Schwerpunkt der Angriffe lag dabei auf Frankreich, den USA, Deutschland und Kanada, auch weitere Länder sind betroffen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Downloads via Google Ads: "Tsunami" an Malvertising verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Immer mehr Angreifer versuchen, Geräte von Nutzern mit Malware zu infizieren. Forscher beobachten einen massiven Anstieg auf Google bei der Suche nach Software. --------------------------------------------- https://heise.de/-7485196 ∗∗∗ Tiere zu verschenken: Vorsicht vor betrügerischen Inseraten auf Facebook ∗∗∗ --------------------------------------------- In Facebook-Gruppen tauchen immer wieder betrügerische Inserate für abzugebende Hunde oder Pferde auf. Angeblich sei der Besitzer bzw. die Besitzerin plötzlich verstorben. Daher suchen die Angehörigen dringend einen guten Platz für das Tier. Sie müssen lediglich die Transportkosten bezahlen, da sich das Tier im Ausland befindet. Dahinter steckt aber Betrug, das Tier gibt es gar nicht und Sie verlieren viel Geld! --------------------------------------------- https://www.watchlist-internet.at/news/tiere-zu-verschenken-vorsicht-vor-be… ∗∗∗ Assemblyline as a Malware Analysis Sandbox, (Sat, Feb 4th) ∗∗∗ --------------------------------------------- If you are looking for a malware sandbox that is easy to install and maintain, Assenblyline (AL) [1] is likely the system you want to be part of your toolbox. "Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline's most powerful functionalities is its recursive analysis model."[2] --------------------------------------------- https://isc.sans.edu/diary/rss/29510 ∗∗∗ Royal Ransomware adds support for encrypting Linux, VMware ESXi systems ∗∗∗ --------------------------------------------- Royal Ransomware operators added support for encrypting Linux devices and target VMware ESXi virtual machines. The Royal Ransomware gang is the latest extortion group in order of time to add support for encrypting Linux devices and target VMware ESXi virtual machines. Other ransomware operators already support Linux encrypting, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, [...] --------------------------------------------- https://securityaffairs.com/141876/cyber-crime/royal-ransomware-vmware-esxi… ∗∗∗ FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection ∗∗∗ --------------------------------------------- An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said [...] --------------------------------------------- https://thehackernews.com/2023/02/formbook-malware-spreads-via.html ∗∗∗ GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry ∗∗∗ --------------------------------------------- E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, [...] --------------------------------------------- https://thehackernews.com/2023/02/guloader-malware-using-malicious-nsis.html ∗∗∗ ImageMagick: The hidden vulnerability behind your online images ∗∗∗ --------------------------------------------- In a recent APT Simulation engagement, the Ocelot team identified that ImageMagick was used to process images in a Drupal-based website, and hence, the team decided to try to find new vulnerabilities in this component, proceeding to download the latest version of ImageMagick, 7.1.0-49 at that time. As a result, two zero days were identified: [...] --------------------------------------------- https://www.metabaseq.com/imagemagick-zero-days/ ∗∗∗ The Defenders Guide to OneNote MalDocs ∗∗∗ --------------------------------------------- With the heyday of macro-enabled spreadsheets and documents behind us, threat actors have experimented with novel ways to deliver their payloads, including disk image files (.iso, .vhd files), HTML Smuggling (.hta files with embedded scripts), and now OneNote files. --------------------------------------------- https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs ∗∗∗ How the CISA catalog of vulnerabilities can help your organization ∗∗∗ --------------------------------------------- The CISA catalog of known exploited vulnerabilities is designed for the federal government and useful to everyone. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/02/how-the-cisa-catalog-can-hel… ∗∗∗ Collect, Exfiltrate, Sleep, Repeat ∗∗∗ --------------------------------------------- In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command [...] --------------------------------------------- https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/ ∗∗∗ Solving a VM-based CTF challenge without solving it properly ∗∗∗ --------------------------------------------- A pretty common reverse-engineering CTF challenge genre for the hard/very-hard bucket are virtual machines. There are several flavors to this*, but the most common one is to implement a custom VM in a compiled language and provide it together with bytecode of a flag checker. This was the case for the More Control task from Byte Bandits CTF 2023 - the task this entry is about. --------------------------------------------- https://gynvael.coldwind.pl/?id=763 ∗∗∗ Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations ∗∗∗ --------------------------------------------- Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. --------------------------------------------- https://asec.ahnlab.com/en/47088/ ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity XSS Vulnerability in Metform Elementor Contact Form Builder ∗∗∗ --------------------------------------------- On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations. The vulnerability, an unauthenticated stored cross-site scripting vulnerability, is arguably the most dangerous variant [...] --------------------------------------------- https://www.wordfence.com/blog/2023/02/high-severity-xss-vulnerability-in-m… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libhtml-stripscripts-perl), Fedora (binwalk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, kernel, sudo, and syncthing), SUSE (syslog-ng), and Ubuntu (editorconfig-core, firefox, pam, and thunderbird). --------------------------------------------- https://lwn.net/Articles/922337/ ∗∗∗ CISA adds Oracle, SugarCRM bugs to exploited vulnerabilities list ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) said two vulnerabilities from Oracle and SugarCRM are actively being exploited and ordered federal civilian agencies to patch them before February 23. --------------------------------------------- https://therecord.media/cisa-adds-oracle-sugarcrm-bugs-to-exploited-vulnera… ∗∗∗ Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6570741 ∗∗∗ Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6592963 ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953401 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953433 ∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857695 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2023
by Daily end-of-shift report 03 Feb '23

03 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-02-2023 18:00 − Freitag 03-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Hackers weaponize Microsoft Visual Studio add-ins to push malware ∗∗∗ --------------------------------------------- Security researchers warn that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as method to achieve persistence and execute code on a target machine via malicious Office add-ins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-weaponize-microsoft-… ∗∗∗ Anker: Eufy-Kameras waren nicht so sicher wie beworben ∗∗∗ --------------------------------------------- Nach anfänglichem Abstreiten gibt Anker zu, dass die Werbeversprechen zur Sicherheit der Eufy-Überwachungskameras nicht eingehalten wurden. --------------------------------------------- https://www.golem.de/news/anker-eufy-kameras-waren-nicht-so-sicher-wie-bewo… ∗∗∗ Konami Code Backdoor Concealed in Image ∗∗∗ --------------------------------------------- Attackers are always looking for new ways to conceal their malware and evade detection, whether it’s through new forms of obfuscation, concatenation, or — in this case — unorthodox use of image file extensions. One of the most common backdoors that we have observed over the last few months has been designed to evade detection by placing the payload in an image file and requiring some additional tricks to unlock it. --------------------------------------------- https://blog.sucuri.net/2023/02/konami-code-backdoor-concealed-in-image.html ∗∗∗ Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails ∗∗∗ --------------------------------------------- IBM Aspera Faspex promises security to end users by offering encryption options for the files being uploaded through its application. This security model is broken through the pre-authentication RCE vulnerability we discovered, that allowed us to execute arbitrary commands on the Aspera Faspex server. --------------------------------------------- https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/ ∗∗∗ Cisco patcht mehrere Produkte - potenzielle Backdoor-Lücke ∗∗∗ --------------------------------------------- Cisco hat Updates zum Schließen von Sicherheitslücken in mehreren Produkten veröffentlicht. Die gravierendste klafft in der IOx Application Hosting Environment. --------------------------------------------- https://heise.de/-7483079 ∗∗∗ Zwei Sicherheitsprobleme in OpenSSH 9.2 gelöst ∗∗∗ --------------------------------------------- Der OpenSSH-Client ist in einer aktualisierten Version erschienen. Informationen über die geschlossenen Sicherheitslücken sind noch rar. --------------------------------------------- https://heise.de/-7483316 ∗∗∗ Erneute Phishing-Welle mit E-Mails im Namen der WKO ∗∗∗ --------------------------------------------- „Aktualisierung Ihrer Firmendaten“: Haben Sie eine E-Mail vom „WKO Serviceteam“ mit diesem Betreff erhalten, sollten Sie genau hinsehen. Denn derzeit versenden Cyberkriminelle willkürlich solche Phishing-Mails an österreichische Unternehmer:innen und geben sich dabei als Wirtschaftskammer Österreich aus. --------------------------------------------- https://www.watchlist-internet.at/news/erneute-phishing-welle-mit-e-mails-i… ∗∗∗ OneNote Dokumente als neues Hilfsmittel für Spammer und Co. ∗∗∗ --------------------------------------------- Nachdem Microsoft im Juli letzten Jahres die Hürde für Spammer deutlich höher gelegt hat - eingebettete Makros in heruntergeladenen Office Dokumente wurden per Default disabled - musste aus Sicht der Angreifer entsprechender Ersatz gefunden werden. Neuen Erkenntnissen zufolge, wurde dieser auch erfolgreich in Form von OneNote Dokumenten gefunden. --------------------------------------------- https://cert.at/de/aktuelles/2023/2/onenote-dokumente-als-neues-hilfsmittel… ∗∗∗ What is an OSINT Tool – Best OSINT Tools 2023 ∗∗∗ --------------------------------------------- An OSINT tool is a must for every researcher - In this article, we will explore the 15 best OSINT tools that you can use for your investigations. --------------------------------------------- https://www.hackread.com/what-is-osint-tool-best-osint-tools-2023/ ===================== = Vulnerabilities = ===================== ∗∗∗ K000130496: Overview of F5 vulnerabilities (February 2023) ∗∗∗ --------------------------------------------- On February 1, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000130496 ∗∗∗ Angreifer könnten Windows-PCs mit VMware Workstation attackieren ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt eine Lücke in der Virtualisierungslösung VMware Workstation. Angreifer brauchten lokale Benutzerrechte auf dem PC des Opfers. --------------------------------------------- https://heise.de/-7483515 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff). --------------------------------------------- https://lwn.net/Articles/922112/ ∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-23-033-01 Delta Electronics DIAScreen, ICSA-23-033-02 Mitsubishi Electric GOT2000 Series and GT SoftGOT2000, ICSA-23-033-03 Baicells Nova, ICSA-23-033-04 Delta Electronics DVW-W02W2-E2, ICSA-23-033-05 Delta Electronics DX-2100-L1-CN, ICSA-22-221-01 Mitsubishi Electric Multiple Factory Automation Products (Update D). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/cisa-releases-six… ∗∗∗ B&R Advisory: Several Issues in APROL Database ∗∗∗ --------------------------------------------- Several Issues in ARPOL database, CVE ID: CVE-2022-43761, CVE-2022-43762, CVE-2022-43763, CVE-2022-43764, CVE-2022-43765 --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16748230… *** IBM Security Bulletins 2023-02-01 *** --------------------------------------------- Tivoli System Automation Application Manager, IBM MQ, IBM FlashSystem 5000, IBM FlashSystem 7200, IBM FlashSystem 7300, IBM FlashSystem 9100, IBM FlashSystem 9200, IBM FlashSystem 9500, IBM FlashSystem V9000, IBM Spectrum Virtualize as Software Only, IBM Spectrum Virtualize for Public Cloud, IBM Storwize V5000, V5000E, V7000 and V5100, Jazz for Service Management, SAN Volume Controller, IBM App Connect Enterprise, IBM Voice Gateway, IBM Aspera, IBM MQ, IBM Business Automation Workflow, IBM Control Desk, IBM Maximo, IBM Sterling Connect:Direct File Agent. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Exploitation of GoAnywhere MFT zero-day vulnerability ∗∗∗ --------------------------------------------- A warning has been issued about an actively exploited zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2023
by Daily end-of-shift report 02 Feb '23

02 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-02-2023 18:00 − Donnerstag 02-02-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New DDoS-as-a-Service platform used in recent attacks on hospitals ∗∗∗ --------------------------------------------- A new DDoS-as-a-Service (DDoSaaS) platform named Passion was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platfo… ∗∗∗ New Nevada Ransomware targets Windows and VMware ESXi systems ∗∗∗ --------------------------------------------- A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-target… ∗∗∗ LockBit ransomware goes Green, uses new Conti-based encryptor ∗∗∗ --------------------------------------------- The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-gree… ∗∗∗ Password-stealing “vulnerability” reported in KeePass – bug or feature? ∗∗∗ --------------------------------------------- Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway? --------------------------------------------- https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability… ∗∗∗ Rotating Packet Captures with pfSense, (Wed, Feb 1st) ∗∗∗ --------------------------------------------- Having a new pfSense firewall in place gives some opportunities to do a bit more with the device. Maintaining some full packet captures was an item on my "to do" list. The last 24 hours is usually sufficient for me since I'm usually looking at alerts within the same day. I decided to do rotating packet captures based on file size. This allows me to capture packets, saving files of a specific size and keeping a specified number of files. --------------------------------------------- https://isc.sans.edu/diary/rss/29500 ∗∗∗ What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits ∗∗∗ --------------------------------------------- We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/b/what-socs-need-to-know-about… ∗∗∗ OpenSSH 9.2 released ∗∗∗ --------------------------------------------- OpenSSH9.2 has been released. It includes a number of security fixes,including one for a pre-authenticationdouble-free vulnerability that the project does not believe is exploitable. --------------------------------------------- https://lwn.net/Articles/922006/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Causing Deletion of All Users in CrushFTP Admin Area ∗∗∗ --------------------------------------------- During a recent penetration test, Trustwave SpiderLabs researchers discovered a weak input validation vulnerability in the CrushFTP application which caused the deletion of all users. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabili… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django). --------------------------------------------- https://lwn.net/Articles/921957/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0001 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2023-23517, CVE-2023-23518,CVE-2022-42826. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0001.html ∗∗∗ Jira Service Management Server and Data Center Advisory (CVE-2023-22501) ∗∗∗ --------------------------------------------- This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability: 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0 --------------------------------------------- https://confluence.atlassian.com/jira/jira-service-management-server-and-da… ∗∗∗ Drupal Releases Security Update to Address a Vulnerability in Apigee Edge ∗∗∗ --------------------------------------------- Drupal released a security update to address a vulnerability affecting the Apigee Edge module for Drupal 9.x. An attacker could exploit this vulnerability to bypass access authorization or disclose sensitive information. CISA encourages users and administrators to review Drupal’s security advisory SA-CONTRIB-2023-005 and apply the necessary update. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/drupal-releases-s… ∗∗∗ Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server October 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6912697 ∗∗∗ IBM API Connect is impacted by an external service interaction vulnerability (CVE-2022-34350) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6921243 ∗∗∗ IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6921285 ∗∗∗ IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952181 ∗∗∗ IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. (CVE-2022-42436) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6909467 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2023
by Daily end-of-shift report 01 Feb '23

01 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-01-2023 18:00 − Mittwoch 01-02-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Zehntausende Qnap-NAS hängen verwundbar am Internet ∗∗∗ --------------------------------------------- Angreifer könnten direkt über das Internet an einer kritischen Sicherheitslücke in Netzwerkspeichern von Qnap ansetzen. --------------------------------------------- https://heise.de/-7477826 ∗∗∗ Microsoft Defender for Endpoint schickt nun auch Linux-Rechner in die Isolation ∗∗∗ --------------------------------------------- Weil auch Linux-Geräte als Einfallstor für Cyber-Angreifer dienen können, isoliert Microsofts Security-Software künftig bei Bedarf auch sie aus dem Firmennetz. --------------------------------------------- https://heise.de/-7477878 ∗∗∗ Diskussion um Schwachstelle in KeePass ∗∗∗ --------------------------------------------- Eine Schwachstelle erlaubt das Ändern der KeePass-Konfiguration, wenn Nutzer bestimmte Rechte haben. Mit denen können sie jedoch viel mehr anstellen. --------------------------------------------- https://heise.de/-7478396 ∗∗∗ Neue Vinted-Verkäufer:innen aufgepasst: Keine Zahlungen freigeben! ∗∗∗ --------------------------------------------- Auf der Second-Hand-Plattform vinted.at kommt es aktuell vermehrt zu einer Betrugsmasche, die sich an neue Verkäufer:innen richtet. Die ersten Interessent:innen melden sich schnell und verlangen eine Telefonnummer. Anschließend folgen SMS im Namen von Vinted, die eine Bestätigung der Kreditkartendaten zum Erhalt der Zahlung fordern. Achtung: Die SMS stammen nicht von vinted.at, sondern von Kriminellen und die vermeintlichen Bestätigungen führen zu Abbuchungen [...] --------------------------------------------- https://www.watchlist-internet.at/news/neue-vinted-verkaeuferinnen-aufgepas… ∗∗∗ Hackers use new IceBreaker malware to breach gaming companies ∗∗∗ --------------------------------------------- Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-new-icebreaker-m… ∗∗∗ DShield Honeypot Setup with pfSense, (Tue, Jan 31st) ∗∗∗ --------------------------------------------- Setting up a DShield honeypot is well guided by the installation script [1]. After several minutes of following the instructions and adding some custom details, the honeypot is up and running. What's needed after that is to expose the honeypot to the internet. I recently decided to update my home router and thought it was a great opportunity to dig into using pfSense [2]. --------------------------------------------- https://isc.sans.edu/diary/rss/29490 ∗∗∗ Detecting (Malicious) OneNote Files, (Wed, Feb 1st) ∗∗∗ --------------------------------------------- We are starting to see malicious OneNote documents (cfr. Xavier's diary entry "A First Malicious OneNote Document"). --------------------------------------------- https://isc.sans.edu/diary/rss/29494 ∗∗∗ Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076) ∗∗∗ --------------------------------------------- Cisco has released patches for a high-severity vulnerability (CVE-2023-20076) found in some of its industrial routers, gateways and enterprise wireless access points, which may allow attackers to insert malicious code that can’t be deleted by simply rebooting the device or updating its firmware. “In this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system. --------------------------------------------- https://www.helpnetsecurity.com/2023/02/01/cve-2023-20076/ ∗∗∗ Google sponsored ads malvertising targets password manager ∗∗∗ --------------------------------------------- Our reserachers found a more direct way to go after your password by using Google sponsored ads campaigns --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/01/google-sponso… ∗∗∗ Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking ∗∗∗ --------------------------------------------- Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched. --------------------------------------------- https://www.securityweek.com/unpatched-econolite-traffic-controller-vulnera… ∗∗∗ Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware ∗∗∗ --------------------------------------------- Microsoft warns that phishing, fake software updates and unpatched vulnerabilities are being exploited for ransomware attacks. --------------------------------------------- https://www.zdnet.com/article/microsoft-we-are-tracking-these-100-active-ra… ∗∗∗ Password Nightmare Explained ∗∗∗ --------------------------------------------- This blog post belongs to a series in which we examine various influences on password strategies. The first post in the series analyzed the macrosocial influence of a country on its citizens’ passwords. The second post was focused on the analysis of the influence of a community on password choice. In this last post, we aim to increase the strength of our readers’ passwords by influencing their password strategies using knowledge and insights from our research. --------------------------------------------- https://www.gosecure.net/blog/2023/01/31/password-nightmare-explained/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in Driver Distributor where passwords are stored in a recoverable format ∗∗∗ --------------------------------------------- Driver Distributor provided by FUJIFILM Business Innovation Corp. contains a vulnerability where passwords are stored in a recoverable format. --------------------------------------------- https://jvn.jp/en/jp/JVN22830348/ ∗∗∗ Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software ∗∗∗ --------------------------------------------- Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations. --------------------------------------------- https://thehackernews.com/2023/02/additional-supply-chain-vulnerabilities.h… ∗∗∗ Virenschutz: Datei-Upload bis Exitus durch Trend Micro Apex One-Schwachstelle ∗∗∗ --------------------------------------------- Eine hochriskante Sicherheitslücke im Trend Micro Apex One Server könnten Angreifer missbrauchen, um den Server mit Dateien zu fluten und damit lahmzulegen. --------------------------------------------- https://heise.de/-7477479 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fig2dev and libstb), Fedora (seamonkey), SUSE (ctags, python-setuptools, samba, tmux, and xterm), and Ubuntu (advancecomp, apache2, python-django, slurm-llnl, and vim). --------------------------------------------- https://lwn.net/Articles/921848/ ∗∗∗ CVE-2023-22374: F5 BIG-IP Format String Vulnerability ∗∗∗ --------------------------------------------- Rapid7 found an additional vulnerability in the appliance-mode REST interface. We reported it to F5 and are now disclosing it in accordance with our vulnerability disclosure policy. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/01/cve-2023-22374-f5-big-ip-format… ∗∗∗ IBM Security Bulletins 2023-02-01 ∗∗∗ --------------------------------------------- App Connect Professional is affected by JsonErrorReportValve in Apache Tomcat. A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-23477) A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-23477) A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-23477) A vulnerability in the IBM Java Runtime affects IBM Rational ClearQuest (CVE-2022-21626) A vulnerability may affect the IBM Elastic Storage System GUI (CVE-2022-43869) HTTP header injection vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-34165) IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to json5 (CVE-2022-46175) IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons [CVE-2022-42889 and CVE-2022-33980] IBM Cloud Pak for Multicloud Management is vulnerable to denial of service attacks due to snakeYAML IBM Cloud Pak for Multicloud Management is vulnerable to denial of service due to protobuf-java core and lite IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of FasterXML Jackson (CVE-2022-42003) IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS IBM Infosphere Information Server is vulnerable to cross-site scripting (CVE-2023-23475) IBM Spectrum Scale GUI is vulnerable to Format string attack (CVE-2022-43869) IBM Sterling B2B Integrator is vulnerable to denial of service due to Netty (CVE-2021-37136, CVE-2021-37137) IBM Sterling Connect:Direct File Agent is vulnerable to a denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) IBM Sterling Connect:Direct File Agent is vulnerable to a memory exploit due to Eclipse Openj9 (CVE-2022-3676) IBM Sterling External Authentication Server vulnerable to denial of service due to Apache Xerces2 (CVE-2022-23437) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow in GNU glibc (CVE-2021-3999) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-27664) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in protobuf (CVE-2022-1941) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary command execution in OpenSSL (CVE-2022-2068) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in GNU gzip (CVE-2022-1271) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to issues in OpenSSL (CVE-2022-1434, CVE-2022-1343, CVE-2022-1292, CVE-2022-1473 ) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to query parameter smuggling in Golang Go (CVE-2022-2880) IBM WebSphere Application Server Liberty used by IBM Cloud Pak for Watson AIOps is vulnerable to HTTP header injection (CVE-2022-34165) Multiple vulnerabilities in IBM Java SDK affects App Connect Professional. Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061) Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-2068, CVE-2022-2097) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhi… ∗∗∗ Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhi… ∗∗∗ Multiple Vulnerabilities Patched in Quick Restaurant Menu Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-… ∗∗∗ SA45653 - Cross-site Request Forgery in Login Form ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Cross-site-Re… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2023
by Daily end-of-shift report 31 Jan '23

31 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 30-01-2023 18:00 − Dienstag 31-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Exploit released for critical VMware vRealize RCE vulnerability ∗∗∗ --------------------------------------------- Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances. VMware patched four security vulnerabilities in its vRealize log analysis tool last week, two being critical and allowing remote attackers to execute code on compromised devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ Github Desktop & Atom: Signaturschlüssel von Github entwendet ∗∗∗ --------------------------------------------- Auf Github wurden Signaturschlüssel entwendet, die bald zurückgerufen werden. Betroffen sind Github Desktop und Atom für Mac, die den Dienst einstellen. (Github, Security) --------------------------------------------- https://www.golem.de/news/github-desktop-atom-signaturschluessel-von-github… ∗∗∗ Prilex modification now targeting contactless credit card transactions ∗∗∗ --------------------------------------------- Kaspersky discovers three new variants of the Prilex PoS malware capable of blocking contactless NFC transactions on an infected device. --------------------------------------------- https://securelist.com/prilex-modification-now-targeting-contactless-credit… ∗∗∗ Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process ∗∗∗ --------------------------------------------- On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). --------------------------------------------- https://msrc-blog.microsoft.com/2023/01/31/threat-actor-consent-phishing-ca… ∗∗∗ Decoding DNS over HTTP(s) Requests, (Mon, Jan 30th) ∗∗∗ --------------------------------------------- I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard. --------------------------------------------- https://isc.sans.edu/diary/rss/29488 ∗∗∗ Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years ∗∗∗ --------------------------------------------- A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years."TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically --------------------------------------------- https://thehackernews.com/2023/01/researchers-uncover-packer-that-helped.ht… ∗∗∗ Chromebook SH1MMER exploit promises admin jailbreak ∗∗∗ --------------------------------------------- Schools laptops are out if this one gets around, but beware bricking Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SHI1MMER.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/01/30/chromebook_e… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg.[..] These releases will be made available on Tuesday 7th February 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is High --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html ∗∗∗ Abstandhalten zu undurchsichtigen Multi-Level-Marketing-Angeboten wie shopwithme.biz ∗∗∗ --------------------------------------------- Wer sich aktuell auf sozialen Medien wie Facebook, YouTube oder TikTok bewegt, kommt an Werbevideos, die das große Geld versprechen, kaum vorbei. Mit minimalem Aufwand und revolutionären Methoden sollen Sie ganz einfach Unsummen an Geld verdienen können. Ähnliches verspricht man beispielsweise bei shopwithme.biz. Ein genauerer Blick lässt vermuten: Hier verdient man nicht durch den Verkauf von Produkten, sondern durch die Anwerbung neuer Kundschaft. Wir raten hier --------------------------------------------- https://www.watchlist-internet.at/news/abstandhalten-zu-undurchsichtigen-mu… ∗∗∗ A Phishing Page that Changes According to the User’s Email Address (Using Favicon) ∗∗∗ --------------------------------------------- The ASEC analysis team continuously monitors phishing emails, and we have been detecting multiple phishing emails that are distributed with a changing icon to reflect the mail account service entered by the user. --------------------------------------------- https://asec.ahnlab.com/en/46786/ ===================== = Vulnerabilities = ===================== ∗∗∗ [20230101] - Core - CSRF within post-installation messages ∗∗∗ --------------------------------------------- Severity: Low Versions: 4.0.0-4.2.6 Exploit type: CSRF Description: A missing token check causes a CSRF vulnerability in the handling of post-installation messages. Affected Installs Joomla! CMS versions 4.0.0-4.2.6 Solution: Upgrade to version 4.2.7 --------------------------------------------- https://developer.joomla.org:443/security-centre/890-20230101-core-csrf-wit… ∗∗∗ [20230102] - Core - Missing ACL checks for com_actionlogs ∗∗∗ --------------------------------------------- Severity: Low Versions: 4.0.0-4.2.6 Exploit type: Incorrect Access Control Description: A missing ACL check allows non super-admin users to access com_actionlogs. Solution: Upgrade to version 4.2.7 --------------------------------------------- https://developer.joomla.org:443/security-centre/891-20230102-core-missing-… ∗∗∗ VMSA-2023-0002 ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.5 CVE(s): CVE-2023-20856 Synopsis: VMware vRealize Operations (vROps) update addresses a CSRF bypass vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0002.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libXpm, pki-core, sssd, sudo, thunderbird, tigervnc, and xorg-x11-server), Debian (cinder, glance, libarchive, libhtml-stripscripts-perl, modsecurity-crs, node-moment, node-qs, nova, ruby-git, ruby-rack, and tiff), Fedora (java-17-openjdk, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-pore, rust-silver, rust-tokei, and seamonkey), Oracle (libksba), Red Hat (kernel, kernel-rt, kpatch-patch, libksba, and pcs), Scientific Linux (libksba), SUSE (apache2-mod_auth_openidc, ghostscript, libarchive, nginx, python, vim, and xen), and Ubuntu (cinder, glance, linux-raspi, nova, python-future, and sudo). --------------------------------------------- https://lwn.net/Articles/921765/ ∗∗∗ [R1] Tenable Plugin Feed ID #202212212055 Fixes Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally. This could allow a malicious actor with sufficient permissions to modify environment variables and abuse an impacted plugin in order to escalate privileges. We have resolved the issue and also made several defense-in-depth fixes alongside. --------------------------------------------- https://www.tenable.com/security/tns-2023-04 ∗∗∗ WordPress Vulnerability & Patch Roundup January 2023 ∗∗∗ --------------------------------------------- * SiteGround Security – SQL injection * ExactMetrics – Cross Site Scripting (XSS) * Enable Media Replace – Arbitrary File Upload * Spectra WordPress Gutenberg Blocks – Stored Cross Site Scripting * GiveWP – SQL Injection * Better Font Awesome – Cross Site Scripting (XSS) * LearnPress – SQL Injection * Royal Elementor Addons and Templates – Cross Site Scripting (XSS) * Strong Testimonials – Stored Cross Site Scripting (XSS) * HUSKY (formerly WOOF) – PHP Object Injection * WP Show Posts – Cross Site Scripting (XSS) * Widgets for Google Reviews – Cross Site Scripting (XSS) * Strong Testimonials – Cross Site Scripting (XSS) * Simple Sitemap – Cross Site Scripting (XSS) * Contextual Related Posts – Stored Cross Site Scripting (XSS) * Stream – Broken Access Control * Customer Reviews for WooCommerce – Cross Site Scripting (XSS) * Themify Portfolio Post – Stored Cross Site Scripting * Spotlight Social Media Feeds – Stored Cross Site Scripting (XSS) * RSS Aggregator by Feedzy – Stored Cross Site Scripting (XSS) --------------------------------------------- https://blog.sucuri.net/2023/01/wordpress-vulnerability-patch-roundup-janua… ∗∗∗ IBM Security Bulletins) ∗∗∗ --------------------------------------------- * IBM UrbanCode Deploy (UCD) is vulnerable to cross-site scripting ( CVE-2022-46771 ) * IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go (CVE-2022-24921, CVE-2022-28327, CVE-2022-24675) * IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * Multiple vulnerabilities affect IBM Sterling External Authentication Server * Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring. * Multiple vulnerabilities in libcURL affect IBM Rational ClearCase ( CVE-2022-42915, CVE-2022-42916, CVE-2022-32221, CVE-2022-35252, * * CVE-2022-32205, CVE-2022-32206, CVE-2022-32207 ) * IBM Sterling Secure Proxy vulnerable to multiple issues * Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase (CVE-2022-2097, CVE-2022-2068) * A vulnerability in the IBM Java Runtime affects IBM Rational ClearCase (CVE-2022-21626) * Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote code execution due to jsonwebtoken CVE-2022-23529 * Automation Assets in IBM Cloud Pak for Integration is vulnerable to CSS injection due to Swagger CVE-2019-17495 * Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to protobuf CVE-2022-1941 * Platform Navigator and Automation Assets in IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities * IBM Watson Knowledge Catalog on Cloud Pak for Data is vulnerable to SQL injection (CVE-2022-41731) * IBM Virtualization Engine TS7700 is vulnerable to a denial of service threat due to use of IBM\u00ae SDK Java\u2122 Technology Edition, Version 8 (CVE-2022-21626) * Multiple vulnerabilities affect IBM Db2\u00ae on Cloud Pak for Data and Db2 Warehouse\u00ae on Cloud Pak for Data * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in XStream * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PyPA Wheel * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js json5 * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Certifi * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js decode-uri-component * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PostgreSQL * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Tomcat * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Spark * Multiple Vulnerabilities in Java packages affect IBM Voice Gateway * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in HSQLDB * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Google Protocol Buffers * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-031-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.01.2023
by Daily end-of-shift report 30 Jan '23

30 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-01-2023 18:00 − Montag 30-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Sicherheitsforscher kombinieren Lücken in VMware vRealize Log ∗∗∗ --------------------------------------------- Angreifer könnten zeitnah vRealize Log von VMware ins Visier nehmen und Schadcode mit Root-Rechten ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7474931 ∗∗∗ Vorsicht vor gefälschten FinanzOnline-Benachrichtigungen ∗∗∗ --------------------------------------------- Kriminelle versenden gefälschte FinanzOnline-E-Mails. Aktuell sind uns zwei Varianten bekannt: In einem Mail wird behauptet, dass Sie eine Erstattung aus dem Sozialfonds erhalten. In einem anderen Mail steht, dass Sie eine Rückerstattung erhalten und einen QR-Code scannen müssen. Folgen Sie nicht den Anweisungen, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-finanzonli… ∗∗∗ Malware PlugX infiziert USB-Geräte ∗∗∗ --------------------------------------------- Sicherheitsforscher der Unit 42 von Palo Alto Networks haben Cyberangriffe mit neuer Variante der altbekannten Schadsoftware beobachtet. Die mutmaßlich aus China stammende PlugX-Malware ist aufgefallen, weil diese Variante alle angeschlossenen USB-Wechselmediengeräte wie Disketten-, Daumen- oder Flash-Laufwerke sowie alle weiteren Systeme [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/28/malware-plugx-infiziert-usb-gerte/ ∗∗∗ Laufwerksverschlüsselung per BitLocker: Das sollten Sie beachten ∗∗∗ --------------------------------------------- Die Geräteverschlüsselung von Microsoft schützt Ihre Daten vor unerwünschten Zugriffen. Zuweilen greift BitLocker automatisch, oft muss man selbst Hand anlegen. --------------------------------------------- https://heise.de/-7467041 ∗∗∗ Shady reward apps on Google Play amass 20 million downloads ∗∗∗ --------------------------------------------- A new category of activity tracking applications has been having massive success recently on Google Play, Androids official app store, having been downloaded on over 20 million devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/shady-reward-apps-on-google-… ∗∗∗ SaaS Rootkit Exploits Hidden Rules in Microsoft 365 ∗∗∗ --------------------------------------------- A vulnerability within Microsofts OAuth application registration allows an attacker to create hidden forwarding rules that act as a malicious SaaS rootkit. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/saas-rootkit-exploits-h… ∗∗∗ Gootkit Malware Continues to Evolve with New Components and Obfuscations ∗∗∗ --------------------------------------------- The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is "exclusive to this group. --------------------------------------------- https://thehackernews.com/2023/01/gootkit-malware-continues-to-evolve.html ∗∗∗ Titan Stealer: A New Golang-Based Information Stealer Malware Emerges ∗∗∗ --------------------------------------------- A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel. "The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," [...] --------------------------------------------- https://thehackernews.com/2023/01/titan-stealer-new-golang-based.html ∗∗∗ Asking MEMORY.DMP and Volatility to make up ∗∗∗ --------------------------------------------- A few days ago Ive posted RE category write-ups from the KnightCTF 2023. Another category Ive looked at – quite intensely at that – was forensics. While this blog post isnt a write-up for that category, I still wanted (and well, was asked to actually) write down some steps I took to make Volatility work with MEMORY.DMP file provided in the "Take care of this" challenge series. Or actually steps I took to convert MEMORY.DMP into something volatility could work with. --------------------------------------------- https://gynvael.coldwind.pl/?id=762 ∗∗∗ Analysis Report on Malware Distributed via Microsoft OneNote ∗∗∗ --------------------------------------------- This document is an analysis report on malware that is being actively distributed using Microsoft OneNote. The ASEC analysis team identified the rapidly increasing trend of OneNote malware distribution from November 2022 and has classified the malware according to the level of intricacy based on the screen that appears when the file is actually opened. --------------------------------------------- https://asec.ahnlab.com/en/46457/ ===================== = Vulnerabilities = ===================== ∗∗∗ Qnap-NAS: Kritische Sicherheitslücke ermöglicht Unterjubeln von Schadcode ∗∗∗ --------------------------------------------- In Qnap-Netzwerkgeräten mit QTS- und QuTS-hero-Betriebssystem könnten Angreifer Schadcode einschleusen und ausführen. Updates schließen die kritische Lücke. --------------------------------------------- https://heise.de/-7475288 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, dojo, git, lemonldap-ng, libapache-session-browseable-perl, libapache-session-ldap-perl, libzen, node-object-path, openjdk-11, sofia-sip, tiff, tor, and varnish), Fedora (libgit2, open62541, pgadmin4, rubygem-git, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-libgit2-sys, rust-libgit2-sys0.12, rust-pore, rust-pretty-git-prompt, rust-rd-agent, rust-rd-hashd, rust-resctl-bench, rust-resctl-demo, rust-silver, and rust-tokei), Scientific --------------------------------------------- https://lwn.net/Articles/921620/ ∗∗∗ CERT-Warnung: Standard KeePass-Setup ermöglicht Passwort-Klau (CVE-2023-24055) ∗∗∗ --------------------------------------------- Kurzer Hinweis bzw. Warnung an Nutzer des KeePass Password Safe zur Verwaltung von Kennwörtern und Zugangsdaten. Das Cyber Emergency Response Team aus Belgien (CERT.be) hat am 27. Januar 2023 eine Warnung zu KeePass veröffentlicht. Im Standard-Setup sind Schreibzugriffe auf die [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/30/cert-warnung-standard-keepass-setu… ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848023 ∗∗∗ Enterprise Content Management System Monitor is affected by a vulnerability in Eclipse Openj9 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6890603 ∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to Denial of Service (DoS) attacks (CVE-2022-40153) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6890629 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855093 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855105 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855099 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855097 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855101 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2023
by Daily end-of-shift report 27 Jan '23

27 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-01-2023 18:00 − Freitag 27-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ProxyShell & Co.: Microsoft gibt Tipps, um Exchange Server abzusichern ∗∗∗ --------------------------------------------- Vor dem Hintergrund mehrerer kritischer Sicherheitslücken und Attacken auf Exchange Server zeigt Microsoft, welche Updates Admins dringend installieren müssen. --------------------------------------------- https://heise.de/-7472639 ∗∗∗ CPUs von Intel und ARM: Linux und der Umgang mit datenabhängigem Timing ∗∗∗ --------------------------------------------- Wenn die Dauer von Operationen von den Daten abhängt, ermöglicht dies Timing-Attacken auf Informationen. Wie geht Linux damit um? --------------------------------------------- https://www.golem.de/news/cpus-von-intel-und-arm-linux-und-der-umgang-mit-d… ∗∗∗ Bitwarden password vaults targeted in Google ads phishing attack ∗∗∗ --------------------------------------------- Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users password vault credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-ta… ∗∗∗ Live Linux IR with UAC, (Thu, Jan 26th) ∗∗∗ --------------------------------------------- The other day, I was looking for Linux IR scripts and ran across the tool Unix-like Artifacts Collector or UAC(1) created by Thiago Lahr. As you would expect, it gathers most live stats but also collects Virtual box and Docker info and other data on the system. [...] With any tool, you should always test to understand how it affects your system. I ran a simple file timeline collection before and after to see what changes were made. --------------------------------------------- https://isc.sans.edu/diary/rss/29480 ∗∗∗ WhatsApp hijackers take over your account while you sleep ∗∗∗ --------------------------------------------- Theres an easy way to protect yourself. Heres how. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/01/protect-your-whatsapp-accoun… ∗∗∗ "2.6 million DuoLingo account entries" up for sale ∗∗∗ --------------------------------------------- We take a look at claims of large amounts of DuoLingo user data up for sale, supposedly scraped from publicly available sources. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/01/2.6-million-duolingo-account… ∗∗∗ Tourismusbranche im Visier von Kriminellen: Cyberangriffe über booking.com ∗∗∗ --------------------------------------------- Der Hotelverband Deutschland, der französische Hotelverband GNI und die Wirtschaftskammer Österreich warnen vor zwei unterschiedlichen Betrugsversuchen über die Kommunikationskanäle von booking.com. Die Angriffe zielen darauf ab, das Computer-System der Unterkünfte mit Schadsoftware zu infizieren oder Kunden:innendaten abzugreifen. --------------------------------------------- https://www.watchlist-internet.at/news/tourismusbranche-im-visier-von-krimi… ∗∗∗ Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms ∗∗∗ --------------------------------------------- We recap our research on privilege escalation and powerful permissions in Kubernetes and analyze the ways various platforms have addressed it. --------------------------------------------- https://unit42.paloaltonetworks.com/kubernetes-privilege-escalation/ ∗∗∗ A Blog with NoName ∗∗∗ --------------------------------------------- Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations --------------------------------------------- https://www.team-cymru.com/post/a-blog-with-noname ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, and modsecurity-apache), Fedora (libgit2, mediawiki, and redis), Oracle (go-toolset:ol8, java-1.8.0-openjdk, systemd, and thunderbird), Red Hat (java-1.8.0-openjdk and redhat-ds:12), SUSE (apache2, bluez, chromium, ffmpeg-4, glib2, haproxy, kernel, libXpm, podman, python-py, python-setuptools, samba, xen, xrdp, and xterm), and Ubuntu (samba). --------------------------------------------- https://lwn.net/Articles/921477/ ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/26/cisa-releases-eig… ∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857695 ∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2023 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857999 ∗∗∗ IBM App Connect Enterprise Certified Container may be vulnerable to denial of service due to [CVE-2022-42898] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858007 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-27664] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858011 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-32189] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858009 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to [CVE-2022-23491] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858005 ∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858015 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847951 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.01.2023
by Daily end-of-shift report 26 Jan '23

26 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-01-2023 18:00 − Donnerstag 26-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Exploit released for critical Windows CryptoAPI spoofing bug ∗∗∗ --------------------------------------------- Proof of concept exploit code has been released by Akamai researchers for a critical Windows CryptoAPI vulnerability discovered by the NSA and U.K.s NCSC allowing MD5-collision certificate spoofing. Tracked as CVE-2022-34689, this security flaw was addressed with security updates released in August 2022 [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed a new Python-based attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022."This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix said in a report [..] --------------------------------------------- https://thehackernews.com/2023/01/pyration-new-python-based-rat-utilizes.ht… ∗∗∗ Massive Supply-Chain-Attacke auf Router von Asus, D-Link & Co. beobachtet ∗∗∗ --------------------------------------------- Angreifer haben derzeit weltweit eine kritische Schwachstelle in Wireless-SoCs von Realtek im Visier. In Deutschland soll es Millionen Attacken gegeben haben. [...] Von der Lücke sind rund 190 IoT-Modelle von 66 Herstellern betroffen. Eine Auflistung von betroffenen Geräten findet man in der ursprünglichen Warnmeldung am Ende des Beitrags. Sicherheitspatches von Realtek sind schon seit Sommer 2021 verfügbar. --------------------------------------------- https://heise.de/-7471324 ∗∗∗ Cybercrime: Polizei zerschlägt Ransomware-Gruppe "Hive" ∗∗∗ --------------------------------------------- Deutsche Ermittler haben in Zusammenarbeit mit den Behörden in den Niederlanden und den USA die Kontrolle über das Ransomware-Netzwerk "Hive" übernommen. --------------------------------------------- https://heise.de/-7472192 ∗∗∗ Chinese PlugX Malware Hidden in Your USB Devices? ∗∗∗ --------------------------------------------- The PlugX malware stood out to us as this variant infects any attached removable USB media devices such as floppy, thumb or flash drives and any additional systems the USB is later plugged into. This PlugX malware also hides actor files in a USB device using a novel technique that works even on the most recent Windows operating systems (OS) at the time of writing this post. --------------------------------------------- https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/ ∗∗∗ AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa23-025a ∗∗∗ Achtung: Phishing zur Kontensperrung zielt auf Ing-Banking-Kunden (Jan. 2023) ∗∗∗ --------------------------------------------- us gegebenem Anlass greife ich die nächste Phishing-Kampagne hier im Blog auf, die sich an Kunden von Banken richtet. Kunden der Online-Bank Ing erhalten in einer Kampagne eine Phishing-Mail mit dem Hinweis, dass das Konto gesperrt worden sei, weil nicht auf eine Nachricht der Bank reagiert worden sei. --------------------------------------------- https://www.borncity.com/blog/2023/01/26/achtung-phishing-zur-kontensperrun… ∗∗∗ New Mimic Ransomware Abuses Everything APIs for its Encryption Process ∗∗∗ --------------------------------------------- Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate BIND: Angreifer könnten DNS-Server mit Anfragen überfluten ∗∗∗ --------------------------------------------- Die Entwickler haben in der DNS-Software auf Open-Source-Basis BIND drei DoS-Lücken geschlossen. --------------------------------------------- https://heise.de/-7471773 ∗∗∗ Wordpress-Plug-in: Kritische Lücke in Learnpress auf 75.000 Webseiten ∗∗∗ --------------------------------------------- Das Wordpress-Plug-in Learnpress kommt auf über 100.000 Webseiten zum Einsatz. Mangels installierter Updates sind 75.000 davon für Kompromittierung anfällig. --------------------------------------------- https://heise.de/-7471283 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (git), Fedora (libXpm and redis), Oracle (bind, firefox, grub2, java-1.8.0-openjdk, java-11-openjdk, kernel, libtasn1, libXpm, and sssd), Red Hat (thunderbird), SUSE (freeradius-server, kernel, libzypp-plugin-appdata, python-certifi, and xen), and Ubuntu (bind9, krb5, linux-raspi, linux-raspi-5.4, and privoxy). --------------------------------------------- https://lwn.net/Articles/921345/ ∗∗∗ libcurl as used by IBM QRadar Wincollect agent is vulnerable to denial of service (CVE-2022-43552, CVE-2022-43551) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857685 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to query parameter smuggling due to [CVE-2022-2880] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857849 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-2879] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857851 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-41715] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857853 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to elevated privileges due to [CVE-2022-42919] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857847 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily