Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 22.12.2022
by Daily end-of-shift report 22 Dec '22

22 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-12-2022 18:00 − Donnerstag 22-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ FIN7 hackers create auto-attack platform to breach Exchange servers ∗∗∗ --------------------------------------------- The notorious FIN7 hacking group uses an auto-attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-att… ∗∗∗ Ransomware and wiper signed with stolen certificates ∗∗∗ --------------------------------------------- In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations. --------------------------------------------- https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates… ∗∗∗ Microsoft research uncovers new Zerobot capabilities ∗∗∗ --------------------------------------------- The Microsoft Defender for IoT research team details information on the recent distribution of a Go-based botnet, known as Zerobot, that spreads primarily through IoT and web-application vulnerabilities. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research… ∗∗∗ “Suspicious login” scammers up their game – take care at Christmas ∗∗∗ --------------------------------------------- A picture is worth 1024 words - we clicked through so you dont have to. --------------------------------------------- https://nakedsecurity.sophos.com/2022/12/21/suspicious-login-scammers-up-th… ∗∗∗ Neuer Android-Trojaner zielt auf Banking-Apps und Krypto-Plattformen ab ∗∗∗ --------------------------------------------- Eine neue Banking-Malware namens Godfather hat 16 Länder im Visier. Deutschland fällt darunter. Sie zeichnet Eingaben in über 415 Banking- und Krypto-Apps auf. --------------------------------------------- https://heise.de/-7441440 ∗∗∗ Exploiting WordPress Plugin Vulnerabilities to Steal AWS Metadata ∗∗∗ --------------------------------------------- If the site is hosted on an Amazon Web Services (AWS) server, then collecting the AWS metadata is relatively simple. This exploit only requires calling the appropriate REST API endpoint with the right payload in the ‘url’ parameter to achieve a successful exploit. --------------------------------------------- https://www.wordfence.com/blog/2022/12/exploiting-wordpress-plugin-vulnerab… ∗∗∗ Qakbot Being Distributed via Virtual Disk Files (*.vhd) ∗∗∗ --------------------------------------------- There’s been a recent increase in the distribution of malware using disk image files. --------------------------------------------- https://asec.ahnlab.com/en/44662/ ∗∗∗ Vidar Stealer Exploiting Various Platforms ∗∗∗ --------------------------------------------- Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2. --------------------------------------------- https://asec.ahnlab.com/en/44554/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Windows code-execution vulnerability went undetected until now ∗∗∗ --------------------------------------------- Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. --------------------------------------------- https://arstechnica.com/information-technology/2022/12/critical-windows-cod… ∗∗∗ Sicherheitsupdates: Angreifer könnten Synology-Router kompromittieren ∗∗∗ --------------------------------------------- Aktuelle Versionen von Synology Router Manager schließen mehrere Sicherheitslücken. Der Hersteller stuft den Schweregrad als kritisch ein. --------------------------------------------- https://heise.de/-7440888 ∗∗∗ Wichtige Sicherheitsupdates für Avira Security, AVG Antivirus & Co. ∗∗∗ --------------------------------------------- Norton hat in seinem Portfolio von Anti-Viren-Software mehrere Sicherheitslücken geschlossen. Angreifer könnten sich höhere Nutzerrechte verschaffen. --------------------------------------------- https://heise.de/-7441040 ∗∗∗ Puckungfu: A NETGEAR WAN Command Injection ∗∗∗ --------------------------------------------- This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s WAN interface. --------------------------------------------- https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-in… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libksba and linux-5.10), Slackware (mozilla), and SUSE (curl, java-1_8_0-ibm, and sqlite3). --------------------------------------------- https://lwn.net/Articles/918379/ ∗∗∗ Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service ∗∗∗ --------------------------------------------- Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-openimageio-file… ∗∗∗ Two New Security Flaws Reported in Ghost CMS Blogging Software ∗∗∗ --------------------------------------------- https://thehackernews.com/2022/12/two-new-security-flaws-reported-in.html ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-54/ ∗∗∗ Priva TopControl Suite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-01 ∗∗∗ Rockwell Automation Studio 5000 Logix Emulate ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-02 ∗∗∗ Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-03 ∗∗∗ Omron CX-Programmer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-04 ∗∗∗ IBM Content Navigator is vulnerable to missing authorization. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6844453 ∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851347 ∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540 ) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851337 ∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affects CICS Transaction Gateway Desktop Editon ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851351 ∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851339 ∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851345 ∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851343 ∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway Desktop Editon ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851349 ∗∗∗ Vulnerability (CVE-2021-28167) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851341 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.12.2022
by Daily end-of-shift report 21 Dec '22

21 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-12-2022 18:00 − Mittwoch 21-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers bombard PyPi platform with information-stealing malware ∗∗∗ --------------------------------------------- The PyPi python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platfor… ∗∗∗ VirusTotal cheat sheet makes it easy to search for specific results ∗∗∗ --------------------------------------------- VirusTotal has published a cheat sheet to help researchers create queries leading to more specific results from the malware intelligence platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/virustotal-cheat-sheet-makes… ∗∗∗ FBI warns of search engine ads pushing malware, phishing ∗∗∗ --------------------------------------------- The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-a… ∗∗∗ Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT ∗∗∗ --------------------------------------------- After Microsoft announced this year that macros from the Internet will be blocked by default in Office , many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-m… ∗∗∗ Fake jQuery Domain Redirects Site Visitors to Scam Pages ∗∗∗ --------------------------------------------- A recent infection has been making its rounds across vulnerable WordPress sites, detected on over 160 websites so far at the time of writing. --------------------------------------------- https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-… ∗∗∗ Kindersicherungs-Apps: Smarte Kids könnten Eltern attackieren ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Android-Apps untersucht, über die Eltern Internetzugriffe von Kindern einschränken können. Doch Schwachstellen weichen den Schutz auf. --------------------------------------------- https://heise.de/-7435146 ∗∗∗ Adult popunder campaign used in mainstream ad fraud scheme ∗∗∗ --------------------------------------------- Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunde… ∗∗∗ Meddler-in-the-Middle Phishing Attacks Explained ∗∗∗ --------------------------------------------- Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice. --------------------------------------------- https://unit42.paloaltonetworks.com/meddler-phishing-attacks/ ∗∗∗ Godfather: A banking Trojan that is impossible to refuse ∗∗∗ --------------------------------------------- Group-IB discovers banking Trojan targeting users of more than 400 apps in 16 countries. --------------------------------------------- https://blog.group-ib.com/godfather-trojan ∗∗∗ Didn’t Notice Your Rate Limiting: GraphQL Batching Attack ∗∗∗ --------------------------------------------- In this article, we will discuss how allowing multiple queries or requesting multiple object instances in a single network call can be abused leading to massive data leaks or Denial of Service (DoS). --------------------------------------------- https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching… ∗∗∗ A Technical Analysis of CVE-2022-22583 and CVE-2022-32800 ∗∗∗ --------------------------------------------- This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/a-technical-analysis-of-cve-… ∗∗∗ Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks ∗∗∗ --------------------------------------------- In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-grou… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Attacken auf Exchange Server im ProxyNotShell-Kontext gesichtet ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor einem neuen Exploit, der ProxyNotShell-Schutzkonzepte umgeht. Es gibt aber Sicherheitsupdates. --------------------------------------------- https://heise.de/-7434860 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils). --------------------------------------------- https://lwn.net/Articles/918313/ ∗∗∗ Passwordless Persistence and Privilege Escalation in Azure ∗∗∗ --------------------------------------------- Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons. --------------------------------------------- https://posts.specterops.io/passwordless-persistence-and-privilege-escalati… ∗∗∗ Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN29902403/ ∗∗∗ Critical Vulnerability in Hikvision Wireless Bridges Allows CCTV Hacking ∗∗∗ --------------------------------------------- https://www.securityweek.com/critical-vulnerability-hikvision-wireless-brid… ∗∗∗ Mattermost security updates 7.5.2, 7.4.1, 7.1.5 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-5-2-7-4-1-7-1-5-e… ∗∗∗ Rechteausweitung in Razer Synapse (SYSS-2022-047) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/rechteausweitung-in-razer-synapse-syss-202… ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the package org.yaml:snakeyaml and jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849213 ∗∗∗ GraphQL Denial of Service security vulnerability CVE-2022-37734 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6828663 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to Node.js (CVE-2022-43548 & CVE-2022-35256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849223 ∗∗∗ Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849249 ∗∗∗ OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation (CVE-2021-41617) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6850775 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2022
by Daily end-of-shift report 20 Dec '22

20 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Montag 19-12-2022 18:00 − Dienstag 20-12-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Linux File System Monitoring & Actions, (Tue, Dec 20th) ∗∗∗ --------------------------------------------- There can be multiple reasons to keep an eye on a critical/suspicious file or directory. For example, you could track an attacker and wait for some access to the captured credentials in a phishing kit installed on a compromised server. You could deploy an EDR solution or an OSSEC agent that implements an FIM (File Integrity Monitoring). Upon a file change, an action can be triggered. Nice, but what if you would like a quick solution but agentless? --------------------------------------------- https://isc.sans.edu/diary/rss/29362 ∗∗∗ ChatGPT: Emerging AI Threat Landscape ∗∗∗ --------------------------------------------- ChatGPT is a prototype chatbot released by OpenAI. The chatbot is powered by AI and is gaining more traction than previous chatbots because it not only interacts in a conversational manner but has the capability to create code and many other complex questions and requests. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chatgpt-eme… ∗∗∗ Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems ∗∗∗ --------------------------------------------- Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications. --------------------------------------------- https://thehackernews.com/2022/12/microsoft-details-gatekeeper-bypass.html ∗∗∗ Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg ∗∗∗ --------------------------------------------- We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior. --------------------------------------------- https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter… ∗∗∗ clif - simple command-line application fuzzer ∗∗∗ --------------------------------------------- clif is a command-line application fuzzer, pretty much what a wfuzz or ffuf are for web. It was inspired by sudo vulnerability CVE-2021-3156 and the fact that, for some reasons, Googles alf-fuzz doesnt allow for unlimited argument or option specification. --------------------------------------------- https://andy.codes/content/blog/2022-12-20-clif.html ∗∗∗ Better Make Sure Your Password Manager Is Secure ∗∗∗ --------------------------------------------- As part of a security analysis, our colleagues kuekerino, ubahnverleih and parzel examined the password management solution Passwordstate of Click Studios and identified multiple high severity vulnerabilities (CVE-2022-3875, CVE-2022-3876, CVE-2022-3877). Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application. --------------------------------------------- https://www.modzero.com/modlog/archives/2022/12/19/better_make_sure_your_pa… ∗∗∗ New RisePro Infostealer Increasingly Popular Among Cybercriminals ∗∗∗ --------------------------------------------- A recently identified information stealer named ‘RisePro’ is being distributed by pay-per-install malware downloader service ‘PrivateLoader’, cyberthreat firm Flashpoint reports. Written in C++, RisePro harvests potentially sensitive information from the compromised machines and then attempts to exfiltrate it as logs. --------------------------------------------- https://www.securityweek.com/new-risepro-infostealer-increasingly-popular-a… ∗∗∗ Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins ∗∗∗ --------------------------------------------- As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code. --------------------------------------------- https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/ ∗∗∗ Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities ∗∗∗ --------------------------------------------- More than two years ago, a researcher, A2nkF demonstrated the exploit chain from root privilege escalation to SIP-Bypass up to arbitrary kernel extension loading. In this blog entry, we will discuss how we discovered 3 more vulnerabilities from the old exploit chain. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/diving-into-an-old-exploit-c… ∗∗∗ Raspberry Robin Malware Targets Telecom, Governments ∗∗∗ --------------------------------------------- We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targ… ∗∗∗ Web3 IPFS Only Used for Phishing - So Far ∗∗∗ --------------------------------------------- We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phis… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mujs) and SUSE (kernel and thunderbird). --------------------------------------------- https://lwn.net/Articles/918268/ ∗∗∗ FoxIt Patches Code Execution Flaws in PDF Tools ∗∗∗ --------------------------------------------- Foxit Software has rolled out a critical-severity patch to cover a dangerous remote code execution flaw in its flagship PDF Reader and PDF Editor products. --------------------------------------------- https://www.securityweek.com/foxit-patches-code-execution-flaws-pdf-tools ∗∗∗ [R1] Nessus Network Monitor Version 6.2.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-28 ∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-01 ∗∗∗ Rockwell Automation GuardLogix and ControlLogix controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-02 ∗∗∗ ARC Informatique PcVue ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-03 ∗∗∗ Rockwell Automation MicroLogix 1100 and 1400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-04 ∗∗∗ Delta 4G Router DX-3021 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-05 ∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.5ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849101 ∗∗∗ IBM UrbanCode Build is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849111 ∗∗∗ IBM UrbanCode Build is affected by CVE-2021-43980 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849109 ∗∗∗ IBM UrbanCode Build is affected by CVE-2022-34305 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849107 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.12.2022
by Daily end-of-shift report 19 Dec '22

19 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-12-2022 18:00 − Montag 19-12-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Infostealer Malware with Double Extension, (Sun, Dec 18th) ∗∗∗ --------------------------------------------- Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The attachment payment_copy.pdf.z is a rar archive, kind of unusual with this type of file archive but when extracted, it comes out as a double extension with pdf.exe. The file is a trojan infostealer and detected by multiple scanning engines. --------------------------------------------- https://isc.sans.edu/diary/rss/29354 ∗∗∗ Day 3 — Next Level Font Obfuscation ∗∗∗ --------------------------------------------- Today I learned how to obfuscate text using custom fonts. I made a program to automatically create deceptive fonts to demonstrate their danger. Using a custom font, I was able to make a letter look like a different letter to trick a plagiarism checker while still being human-readable. --------------------------------------------- https://medium.com/@doctoreww/day-3-next-level-font-obfuscation-7a6cd978c7a5 ∗∗∗ Venom ∗∗∗ --------------------------------------------- Venom is a C++ library that is meant to give an alternative way to communicate, instead of creating a socket that could be traced back to the process, it creates a new "hidden" (there is no window shown) detached edge process (edge was chosen because it is a browser that is installed on every Windows 10+ and wont raise suspicious) and stealing one of its sockets to perform the network operations. --------------------------------------------- https://github.com/Idov31/Venom ∗∗∗ Exploiting API Framework Flexibility ∗∗∗ --------------------------------------------- The modern frameworks are often very flexible with what they accept, and will happily treat a POST with a JSON body as interchangeable with a URL encoded body, or even with query parameters. Due to this, an unexploitable JSON XSS vector can sometimes be made exploitable by flipping it to one of these alternative approaches. --------------------------------------------- https://attackshipsonfi.re/p/exploiting-api-framework-flexibility ∗∗∗ Fake Shops und Phishing-SMS: Die Betrugsmaschen im Online-Weihnachtsgeschäft ∗∗∗ --------------------------------------------- Weihnachten bedeutet auch wieder Hochsaison für Betrüger, die mit gefälschten Shops und irreführenden SMS auf das Geld ihrer Opfer aus sind. --------------------------------------------- https://www.derstandard.at/story/2000141845543/fake-shops-und-phishing-sms-… ∗∗∗ BSI legt 19 IT-Grundschutz-Bausteine als Final Draft vor ∗∗∗ --------------------------------------------- Kurzer Hinweis für Administratoren und IT-Dienstleister, die im Unternehmensumfeld aktiv sind. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat diese Woche 19 sogenannte IT-Grundschutz-Bausteine als sogenannte Final Drafts vorgelegt. Das reicht von .NET über Active Directory Domain Services bis hin zu Windows Server. --------------------------------------------- https://www.borncity.com/blog/2022/12/18/bsi-legt-19-it-grundschutz-baustei… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-12-16 - 2022-12-18 ∗∗∗ --------------------------------------------- Cisco has updated 9 security advisories: (1x Critical, 5x High, 3x Medium) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ HP kümmert sich mit BIOS-Updates um Schadcode-Lücken ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen mehrere Schwachstellen in HP-Computern. Einige Lücken betreffen ausschließlich AMD-Systeme. --------------------------------------------- https://heise.de/-7398783 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/918203/ ∗∗∗ Synology-SA-22:24 Samba AD DC ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers or remote authenticated users to bypass security constraint via a susceptible version of Synology Directory Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_24 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-3643, CVE-2022-42328 & CVE-2022-42329 ∗∗∗ --------------------------------------------- Several security issues have been identified in Citrix Hypervisor 8.2 LTSR CU1, each of which may allow a privileged user in a guest VM to cause the host to become unresponsive or crash. --------------------------------------------- https://support.citrix.com/article/CTX473048/citrix-hypervisor-security-bul… ∗∗∗ Zenphoto vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN06093462/ ∗∗∗ Corel Roxio Creator LJB starts a program with an unquoted file path ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN13075438/ ∗∗∗ ZDI-22-1681: Autodesk 3DS Max SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1681/ ∗∗∗ DLL Search Order Hijacking Vulnerability in the DWG TrueView™ Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0024 ∗∗∗ Vulnerabilities in PHP may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2021-21703, CVE-2021-21708, CVE-2021-21707, CVE-2022-31629, CVE-2022-31628) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6845928 ∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6841801 ∗∗∗ IBM DataPower Gateway vulnerable to HTTP request smuggling (CVE-2022-35256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848587 ∗∗∗ IBM DataPower Gateway potentially affected by CPU side-channel (CVE-2022-21166) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848585 ∗∗∗ IBM DataPower Gateway subject to a memory leak in TCP source port generation (CVE-2022-1012) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848583 ∗∗∗ IBM DataPower Gateway vulnerable to network state information leakage (CVE-2021-20322, CVE-2021-45485, CVE-2021-45486) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848577 ∗∗∗ UDP source port randomization flaw in IBM DataPower Gateway (CVE-2020-25705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848581 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848847 ∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848879 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.12.2022
by Daily end-of-shift report 16 Dec '22

16 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-12-2022 18:00 − Freitag 16-12-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Phishing attack uses Facebook posts to evade email security ∗∗∗ --------------------------------------------- A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII). --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-attack-uses-faceboo… ∗∗∗ Backdoor Targets FreePBX Asterisk Management Portal ∗∗∗ --------------------------------------------- Written in PHP and JavaScript, FreePBX is a web-based open-source GUI that manages Asterisk, a voice over IP and telephony server. This open-source software allows users to build customer phone systems. During a recent investigation, I came across a simple piece of malware targeting FreePBX’s Asterisk Management portal which allowed attackers to arbitrarily add and delete users, as well as modify the website’s .htaccess file. Let’s take a closer look at this backdoor. --------------------------------------------- https://blog.sucuri.net/2022/12/backdoor-targets-freepbx-asterisk-managemen… ∗∗∗ Decentralized Identity Attack Surface – Part 2 ∗∗∗ --------------------------------------------- This is the second part of our Decentralized Identity (DID) blog series. In case you’re not familiar with DID concepts, we highly encourage you to start with the first part. This time we will cover a different DID implementation — Sovrin. We will also see what a critical (CVSS 10) DID vulnerability looks like by reviewing the one we found in this popular implementation. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/decentralized-ident… ∗∗∗ Das Ende vom unsicheren Hash-Algorithmus SHA-1 zieht sich wie Kaugummi ∗∗∗ --------------------------------------------- Das National Institute of Standards and Technology schickt das längst geknackte SHA-1-Verfahren in Rente – endgültig aber erst in acht Jahren. --------------------------------------------- https://heise.de/-7396973 ∗∗∗ Codeschmuggel möglich: Microsoft stuft Sicherheitslücke auf "kritisch" herauf ∗∗∗ --------------------------------------------- Eine Sicherheitslücke, für die Microsoft ein Update bereitgestellt hat, ermöglicht unerwartet Angreifern ohne Anmeldung, Schadcode einzuschleusen. --------------------------------------------- https://heise.de/-7396879 ∗∗∗ The Data Protection Officer, an ubiquitous role nobody really knows. (arXiv:2212.07712v1 [cs.CR]) ∗∗∗ --------------------------------------------- Among all cybersecurity and privacy workers, the Data Protection Officer (DPO) stands between those auditing a company's compliance and those acting as management advisors. A person that must be somehow versed in legal, management, and cybersecurity technical skills. We describe how this role tackles socio-technical risks in everyday scenarios. --------------------------------------------- http://arxiv.org/abs/2212.07712 ∗∗∗ FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food ∗∗∗ --------------------------------------------- The joint CSA analyzes the common tactics, techniques, and procedures (TTPs) utilized by criminal actors to spoof emails and domains to impersonate legitimate employees and order goods that went unpaid and were possibly resold at devalued prices with labeling that lacked industry standard “need-to-knows” (i.e., necessary information about ingredients, allergens, or expiration dates). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/16/fbi-fda-oci-and-u… ∗∗∗ Agenda Ransomware Uses Rust to Target More Vital Industries ∗∗∗ --------------------------------------------- This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agendas Rust variant has targeted vital industries like its Go counterpart. In this blog, we will discuss how the Rust variant works. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2022-0034 ∗∗∗ --------------------------------------------- vRealize Operations (vROps) contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0034.html *** Cisco Security Advisories 2022-12-16 *** --------------------------------------------- Cisco has updated 18 security advisories: (4x Critical, 11x High, 3x Medium) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastP… *** Vulnerabilities in Autodesk Image Processing component used by Autodesk products II *** --------------------------------------------- Applications and services that utilize Image Processing component used by Autodesk products may be impacted by Out-of-bound Read, Heap-based Overflow, Out-of-bound Write, Memory corruption, and Use-after-free vulnerabilities. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0025 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libde265, php7.3, and thunderbird), Fedora (firefox, freeradius, freerdp, and xorg-x11-server), Oracle (firefox, prometheus-jmx-exporter, and thunderbird), Red Hat (firefox, nodejs:16, prometheus-jmx-exporter, and thunderbird), and SUSE (ceph and chromium). --------------------------------------------- https://lwn.net/Articles/918047/ ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/16/samba-releases-se… ∗∗∗ Remote code execution bypass in Eclipse Business Intelligence Reporting Tool (BiRT) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/remote-code-execution-by… ∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848317 ∗∗∗ Multiple Vulnerabilities in base image packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848319 ∗∗∗ Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848279 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.12.2022
by Daily end-of-shift report 15 Dec '22

15 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-12-2022 18:00 − Donnerstag 15-12-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ LEGO BrickLink bugs let hackers hijack accounts, breach servers ∗∗∗ --------------------------------------------- Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Groups official second-hand and vintage marketplace for LEGO bricks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lego-bricklink-bugs-let-hack… ∗∗∗ Hacking Using SVG Files to Smuggle QBot Malware onto Windows Systems ∗∗∗ --------------------------------------------- Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments. --------------------------------------------- https://thehackernews.com/2022/12/hacking-using-svg-files-to-smuggle-qbot.h… ∗∗∗ Technical Review: A Deep Analysis of the Dirty Pipe Vulnerability ∗∗∗ --------------------------------------------- Dirty Pipe (CVE-2022-0847) proved that there is a new way to exploit Linux syscalls to write to files with a read-only privileges. --------------------------------------------- https://blog.aquasec.com/deep-analysis-of-the-dirty-pipe-vulnerability ∗∗∗ Digging Inside Azure Functions: HyperV Is the Last Line of Defense ∗∗∗ --------------------------------------------- We investigated Azures serverless architecture and found that a HyperV VM was the remaining defense after a container breakout. --------------------------------------------- https://unit42.paloaltonetworks.com/azure-serverless-functions-security/ ∗∗∗ Patch Tuesday: (zur Abwechslung) Augen auf! ∗∗∗ --------------------------------------------- Manchmal gelangen wir die verzwickte Lage, dass sich in den Patchnotes Updates für Schwachstellen verbergen, aufgrund derer wir zwar keine Warnung veröffentlichen, aber auf die wir dennoch explizit hinweisen wollen. Diesen Monat ist es wieder einmal soweit. --------------------------------------------- https://cert.at/de/blog/2022/12/patch-tuesday-zur-abwechslung-augen-auf ∗∗∗ Windows Server 2019/2022: Dezember 2022-Sicherheitsupdates verursachen Hyper-V-Probleme ∗∗∗ --------------------------------------------- Die zum Dezember 2022 Patchday von Microsoft ausgerollten Sicherheitsupdates führen in bestimmten Konstellationen zum Problemen mit Hyper-V. --------------------------------------------- https://www.borncity.com/blog/2022/12/15/windows-server-2019-2022-dezember-… ∗∗∗ Microsoft-Zertifikate zur Signatur von Malware missbraucht (Dez. 2022) ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf Fälle gestoßen, wo es Cyberkriminellen gelungen ist, Malware durch gültige digitale Zertifikate von Microsoft zu signieren. --------------------------------------------- https://www.borncity.com/blog/2022/12/15/microsoft-zertifikate-zur-signatur… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as Critical ∗∗∗ --------------------------------------------- Microsoft has revised the severity of a security vulnerability it originally patched in September 2022, upgrading it to "Critical" after it emerged that it could be exploited to achieve remote code execution. --------------------------------------------- https://thehackernews.com/2022/12/microsoft-reclassifies-spnego-extended.ht… ∗∗∗ Typo3: Neue Fassungen schließen hochriskante Sicherheitslücke ∗∗∗ --------------------------------------------- Angreifer könnten in Typo3 etwa eigenen PHP-Code einschleusen. Mit neuen Versionen schließen die Entwickler diese und weitere Sicherheitslücken. --------------------------------------------- https://heise.de/-7395790 ∗∗∗ Microsoft Patch Tuesday, December 2022 Edition ∗∗∗ --------------------------------------------- Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. --------------------------------------------- https://krebsonsecurity.com/2022/12/microsoft-patch-tuesday-december-2022-e… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and git), Slackware (mozilla and xorg), SUSE (apache2-mod_wsgi, capnproto, xorg-x11-server, xwayland, and zabbix), and Ubuntu (emacs24, firefox, linux-azure, linux-azure-5.15, linux-azure-fde, linux-oem-6.0, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/917947/ ∗∗∗ Der unsichtbare Feind: Buffer Overflow Schwachstellen in Zyxel Routern nach wie vor problematisch ∗∗∗ --------------------------------------------- https://sec-consult.com/de/blog/detail/enemy-within-unauthenticated-buffer-… ∗∗∗ Drupal Releases Security Updates to Address Vulnerabilities in H5P and File (Field) Paths ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/15/drupal-releases-s… ∗∗∗ [R1] Tenable.ad Versions 3.29.4, 3.19.12 and 3.11.9 Fix One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-27 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848189 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848195 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848221 ∗∗∗ Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848225 ∗∗∗ A vulnerability in Python affects IBM Elastic Storage System (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848229 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Node [CVE-2022-39353] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848213 ∗∗∗ Vulnerabilities in IBM Java SDK affect IBM Spectrum Control ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847605 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related IBM WebSphere Application Server Liberty and FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847541 ∗∗∗ Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848295 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.12.2022
by Daily end-of-shift report 14 Dec '22

14 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-12-2022 18:00 − Mittwoch 14-12-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft-signed malicious Windows drivers used in ransomware attacks ∗∗∗ --------------------------------------------- Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-… ∗∗∗ Open-source repositories flooded by 144,000 phishing packages ∗∗∗ --------------------------------------------- Unknown threat actors have uploaded a total of 144,294 phishing-related packages on the open-source package repositories NuGet, PyPI, and NPM. --------------------------------------------- https://www.bleepingcomputer.com/news/security/open-source-repositories-flo… ∗∗∗ Input Validation for Website Security ∗∗∗ --------------------------------------------- Web forms are incredibly useful tools. They allow you to gather important information about potential clients and site visitors, collect comments and feedback, upload files, subscribe new users to your blog, or even collect payment details. But if your forms aren’t properly validating user inputs, you might be in for a nasty surprise: a variety of issues can occur if data is uploaded to your site’s environment without specific controls. --------------------------------------------- https://blog.sucuri.net/2022/12/input-validation-for-website-security.html ∗∗∗ Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities ∗∗∗ --------------------------------------------- Google on Tuesday announced the open source availability of OSV-Scanner, a scanner that aims to offer easy access to vulnerability information about various projects.The Go-based tool, powered by the Open Source Vulnerabilities (OSV) database, is designed to connect "a projects list of dependencies with the vulnerabilities that affect them," [..] --------------------------------------------- https://thehackernews.com/2022/12/google-launches-largest-distributed.html ∗∗∗ New GoTrim Botnet Attempting to Break into WordPress Sites Admin Accounts ∗∗∗ --------------------------------------------- A new Go-based botnet has been spotted scanning and brute-forcing self-hosted websites using the WordPress content management system (CMS) to seize control of the targeted systems."This new brute forcer is part of a new campaign we have named GoTrim because it was written in Go and uses :::trim::: to split data communicated to and from the C2 server," --------------------------------------------- https://thehackernews.com/2022/12/new-gotrim-botnet-attempting-to-break.html ∗∗∗ Ade iOS 15: Apple stellt Support auf neueren iPhones offenbar ein ∗∗∗ --------------------------------------------- iPhones ab Baujahr 2017 erhalten Sicherheits-Updates nur noch nach Upgrade auf iOS 16. Lücken in iOS 15 werden laut Apple aktiv ausgenutzt. --------------------------------------------- https://heise.de/-7394913 ∗∗∗ BSI-Magazin mit Schwerpunkt "Ransomware" veröffentlicht ∗∗∗ --------------------------------------------- Die zweite Ausgabe des BSI-Magazins "Mit Sicherheit" in diesem Jahr ist erschienen. Das BSI stellt in diesem BSI-Magazin eine der aktuell größten Bedrohungen für die IT-Sicherheit in einem Sonderteil in den Mittelpunkt: Ransomware. [..] Weitere Themen sind Automotive Security, der Digitale Verbraucherschutz sowie die Zusammenarbeit von BSI und NATO zur Gestaltung der Cloud-Sicherheit im Bündnis. Außerdem gibt es im neuen BSI-Magazin eine neue Checkliste mit Tipps für ein sicheres Heimnetzwerk. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ NSA, CISA, and ODNI Release Guidance on Potential Threats to 5G Network Slicing ∗∗∗ --------------------------------------------- Original release date: December 13, 2022Today, the National Security Agency (NSA), CISA, and the Office of the Director of National Intelligence (ODNI), published Potential Threats to 5G Network Slicing. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents both the benefits and risks associated with 5G network slicing. It also provides mitigation strategies that address potential threats to 5G network slicing. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/13/nsa-cisa-and-odni… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerabilities found on Arcadyan Routers ∗∗∗ --------------------------------------------- The two vulnerabilities were found by Asher Davila L. in Arcadyan wireless modems with model number VRV9506JAC23. It is probable that they are also present in other Arcadyan models as well because their web interfaces are similar and they have common features. The following are the two found vulnerabilities: * CVE-2020-9420: Cleartext transmission of sensitive information * CVE-2020-9419: Stored cross-site scripting --------------------------------------------- https://gist.github.com/AsherDLL/03d0762b5a535e300f1121caebe333ce ∗∗∗ Webbrowser: Chrome-Update dichtet acht Sicherheitslecks ab ∗∗∗ --------------------------------------------- Google hat eine aktualisierte Version des Webbrowsers Chrome bereitgestellt. Sie schließt mindestens vier hochriskante Sicherheitslücken. --------------------------------------------- https://heise.de/-7394554 ∗∗∗ VMSA-2022-0032: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware Cloud Foundation (Cloud Foundation) ∗∗∗ --------------------------------------------- Synopsis: VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701). --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0032.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pngcheck), Fedora (qemu), Mageia (admesh, busybox, emacs, libarchive, netkit-telnet, ruby, rxvt-unicode, and shadowutils), Oracle (bcel and kernel), Red Hat (389-ds-base, bcel, dbus, firefox, grub2, kernel, kernel-rt, kpatch-patch, thunderbird, and usbguard), Scientific Linux (bcel), SUSE (containerd, firefox, grafana, java-1_8_0-openjdk, libtpms, net-snmp, and wireshark), and Ubuntu (pillow). --------------------------------------------- https://lwn.net/Articles/917839/ ∗∗∗ Adobe Patches 38 Flaws in Enterprise Software Products ∗∗∗ --------------------------------------------- After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple enterprise-facing products.The San Jose, California software maker said the flaws could expose users to code execution and privilege escalation attacks across all computer platforms. --------------------------------------------- https://www.securityweek.com/adobe-patches-38-flaws-enterprise-software-pro… ∗∗∗ ICS Patch Tuesday: Siemens Fixes 80 OpenSSL, OpenSSH Flaws in Switches ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have addressed over 140 vulnerabilities with their December 2022 Patch Tuesday updates.Siemensread more --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-fixes-80-openssl-ope… ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Original release date: December 13, 2022Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible: iCloud for Windows 14.1 Safari 16.2 macOS Monterey 12.6.2 macOS Big Sur 11.7.2 tvOS 16.2 watchOS 9.2 iOS 15.7.2 and iPadOS 15.7.2 iOS 16.2 and iPadOS 16.2 macOS Ventura 13.1 --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/13/apple-releases-se… ∗∗∗ Sonicwall Capture Client Local Privilege Escalation via SentinelOne Agent (Aikido) ∗∗∗ --------------------------------------------- An arbitrary file deletion vulnerability (Aikido) in Sonicwall Capture Client via SentinelOne Agent could allow a local attacker to escalate privileges and delete files. The exploit was confirmed to work with 6 vulnerable EDR products, including the SentinelOne Agent for Windows.Please note: an attacker must first obtain low-privileged access on the target system in order to exploit this vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0025 ∗∗∗ Cisco Identity Services Engine Unauthorized File Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Weidmueller: Multiple IoT and control products affected by JavaScript injection vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-056/ ∗∗∗ NVIDIA GPU Display Driver Advisory - November 2022 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500536-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ Vulnerabilities in Linux Kernel, Golang Go, and cURL libcurl may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847643 ∗∗∗ Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Operations Center and Client Management Service (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847655 ∗∗∗ Vulnerabilities in zlib and Golang Go may affect the IBM Spectrum Protect Server (CVE-2018-25032, CVE-2022-27664) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847653 ∗∗∗ IBM Copy Services Manager is vulnerable to a remote attack vulnerabilities due to IBM WebSphere Application Server Liberty vulnerabilities (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847789 ∗∗∗ IBM Tivoli Netcool\/OMNIbus Transport Module Common Integration Library is affected by vulnerability in Apache Kafka (CVE-2022-34917) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847829 ∗∗∗ IBM Tivoli Netcool\/OMNIbus Probe and Integrations Library are affected by vulnerabilities in FasterXML jackson-databind (CVE-2022-42004, CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6846525 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847939 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847945 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2022
by Daily end-of-shift report 13 Dec '22

13 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Montag 12-12-2022 18:00 − Dienstag 13-12-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Amazon ECR Public Gallery flaw could have wiped or poisoned any image ∗∗∗ --------------------------------------------- The researcher reported the vulnerability to AWS Security on November 15, 2022, and Amazon rolled out a fix in under 24 hours. While there are no signs of this flaw being abused in the wild, threat actors could have used it in massive-scale supply chain attacks against many users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-ecr-public-gallery-fl… ∗∗∗ IIS modules: The evolution of web shells and how to detect them ∗∗∗ --------------------------------------------- This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-ev… ∗∗∗ A Deep Dive into BianLian Ransomware ∗∗∗ --------------------------------------------- BianLian ransomware is a Golang malware that performed targeted attacks across multiple industries in 2022. The ransomware employed anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all drives identified on the machine and deletes itself after the encryption is complete. --------------------------------------------- https://resources.securityscorecard.com/research/bian-lian-deep-dive ∗∗∗ New Python-Based Backdoor Targeting VMware ESXi Servers ∗∗∗ --------------------------------------------- Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers. The targeted servers were impacted by known security defects (such as CVE-2019-5544 and CVE-2020-3992) that were likely used for initial compromise, but what caught the researchers’ attention was the simplicity, persistence, and capabilities of the deployed backdoor. --------------------------------------------- https://www.securityweek.com/new-python-based-backdoor-targeting-vmware-esx… ∗∗∗ What’s My Name Again? Reolink camera command injection ∗∗∗ --------------------------------------------- TL;DR Research on Reolink’s RLC-520A smart motion detection camera has turned up an authenticated command injection vulnerability. Exploiting this vulnerability with an injected system command can render the device useless. --------------------------------------------- https://www.pentestpartners.com/security-blog/whats-my-name-again-reolink-c… ∗∗∗ Aktuelle Welle an DDoS Angriffen auf staatsnahe und kritische Infrastruktur in Österreich ∗∗∗ --------------------------------------------- Seit ca. zwei Wochen sehen sich vermehrt österreichische staatliche/staatsnahe Organisationen sowie Unternehmen der kritischen Infrastruktur mit DDoS Angriffen konfrontiert. Die genauen Hintergründe und Motive der Attacken sind uns zurzeit nicht bekannt. Die Täter:innen greifen hierbei zu verschiedenen Methoden und versuchen auch, sich an getroffene Gegenmaßnahmen anzupassen. --------------------------------------------- https://cert.at/de/aktuelles/2022/12/aktuelle-welle-an-ddos-angriffen-auf-s… ∗∗∗ REPORT: A new trick from Facebook scammers and Sharkbot Android malware returns ∗∗∗ --------------------------------------------- A new wave of scams utilizes Facebook’s tagging feature to trick Page owners into believing they’ve violated Facebook’s terms and conditions. Several variations of the attack exist, but all lead to phishing sites designed to steal Page owner’s credentials. --------------------------------------------- https://blog.f-secure.com/f-alert-report-a-new-trick-from-facebook-scammers… ===================== = Vulnerabilities = ===================== ∗∗∗ Redmine vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- Redmine contains a cross-site scripting vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN60211811/ ∗∗∗ Announcing TYPO3 12.1.1 [12.1.2], 11.5.20 and 10.4.33 security releases ∗∗∗ --------------------------------------------- today weve released TYPO3 12.1.1, 11.5.20 LTS and 10.4.33 LTS, which are ready for you to download. All versions are security releases and contain important security fixes [unfortunately TYPO3 v12.1.1 contained a regression, which has been fixed in TYPO3 v12.1.2.] --------------------------------------------- https://lists.typo3.org/pipermail/typo3-announce/2022/000523.html ∗∗∗ Vulnerabilities in multiple third party TYPO3 CMS extensions ∗∗∗ --------------------------------------------- several vulnerabilities have been found in the following third party TYPO3 extensions: * "Change password for frontend users" (fe_change_pwd) * "Newsletter subscriber management" (fp_newsletter) * "Master-Quiz" (fp_masterquiz) For further information on the issues, please read the related advisories TYPO3-EXT-SA-2022-016, TYPO3-EXT-SA-2022-017 and TYPO3-EXT-SA-2022-018 which were published today --------------------------------------------- https://lists.typo3.org/pipermail/typo3-announce/2022/000524.html ∗∗∗ OpenSSL: X.509 Policy Constraints Double Locking (CVE-2022-3996) ∗∗∗ --------------------------------------------- Severity: Low If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. --------------------------------------------- https://www.openssl.org/news/secadv/20221213.txt ∗∗∗ Patchday SAP: 14 neue Sicherheitsmeldungen im Dezember ∗∗∗ --------------------------------------------- Zum Jahresende behandelt SAP in 14 Sicherheitsnotizen Schwachstellen in der Software des Unternehmens. IT-Verantwortliche sollten die Updates rasch anwenden. --------------------------------------------- https://heise.de/-7392718 ∗∗∗ Jetzt patchen! Kritische Zero-Day-Lücke in FortiOS wird angegriffen ∗∗∗ --------------------------------------------- Fortinet meldet eine kritische Sicherheitslücke in FortiOS. Cyberkriminelle missbrauchen diese bereits für Angriffe. Updates stehen bereit. --------------------------------------------- https://heise.de/-7392455 ∗∗∗ VMSA-2022-0031 ∗∗∗ --------------------------------------------- Synopsis: VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities (CVE-2022-31702, CVE-2022-31703) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0031.html ∗∗∗ VMSA-2022-0033 ∗∗∗ --------------------------------------------- Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0033.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-tar and pngcheck), SUSE (colord, containerd, and tiff), and Ubuntu (containerd, linux-azure, linux-azure, linux-azure-5.4, linux-oem-5.17, and vim). --------------------------------------------- https://lwn.net/Articles/917749/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6 ∗∗∗ --------------------------------------------- In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.6 ∗∗∗ --------------------------------------------- CVE-2022-46880: Use-after-free in WebGL CVE-2022-46872: Arbitrary file read from a compromised content process CVE-2022-46881: Memory corruption in WebGL CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS CVE-2022-46882: Use-after-free in WebGL CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/ ∗∗∗ Security Vulnerabilities fixed in Firefox 108 ∗∗∗ --------------------------------------------- CVE-2022-46871: libusrsctp library out of date CVE-2022-46872: Arbitrary file read from a compromised content process CVE-2022-46873: Firefox did not implement the CSP directive unsafe-hashes CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS CVE-2022-46877: Fullscreen notification bypass CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 CVE-2022-46879: Memory safety bugs fixed in Firefox 108 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-51/ ∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Citrix Gateway and Citrix ADC, listed below, that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance. CVE-ID: CVE-2022-27518 --------------------------------------------- https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-… ∗∗∗ Privilege Escalation Schwachstellen (UNIX Insecure File Handling) in SAP® Host Agent (saposcol) ∗∗∗ --------------------------------------------- Due to insecure file handling issues of the SAP® Host Agent, a local attacker can exploit the helper binary saposcol to escalate privileges on UNIX systems. Successful exploitation leads to full system compromise with root access. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/privilege-escalation-… ∗∗∗ ICS Advisory (ICSA-22-347-03): Contec CONPROSSYS HMI System (CHS) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03 ∗∗∗ ICS Advisory (ICSA-22-347-02): Schneider Electric APC Easy UPS Online ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-02 ∗∗∗ ICS Advisory (ICSA-22-347-01): ICONICS and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-01 ∗∗∗ Wiesemann & Theis multiple products prone to web interface vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-057/ ∗∗∗ Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-038/ ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847315 ∗∗∗ AIX is vulnerable to a denial of service due to libxml2 (CVE-2022-29824) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6619729 ∗∗∗ IBM QRadar Network Packet Capture has released 7.3.1 Patch 1, and 7.2.8 Patch 1 in response to the vulnerabilities known as Spectre and Meltdown. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/571419 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2021-41041, CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847341 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847351 ∗∗∗ Multiple vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-24839, CVE-2022-37734, CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847349 ∗∗∗ Multiple vulnerabilities have been identified in Smack API shipped with IBM Tivoli Netcool Impact (CVE-2014-0363, CVE-2014-0364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847337 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847563 ∗∗∗ WebSphere Application Server is vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests which affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847593 ∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847591 ∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847587 ∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847595 ∗∗∗ Vulnerability in OAuthlib affects IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-36087) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6842215 ∗∗∗ Vulnerabilities in Redis affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-24736, CVE-2022-24735) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6842235 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.12.2022
by Daily end-of-shift report 12 Dec '22

12 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-12-2022 18:00 − Montag 12-12-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Clop ransomware partners with TrueBot malware for access to networks ∗∗∗ --------------------------------------------- Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clop-ransomware-partners-wit… ∗∗∗ Popular WAFs Subverted by JSON Bypass ∗∗∗ --------------------------------------------- Web application firewalls from AWS, Cloudflare, F5, Imperva, and Palo Alto Networks are vulnerable to a database attack using the popular JavaScript Object Notation (JSON) format. --------------------------------------------- https://www.darkreading.com/application-security/popular-wafs-json-bypass ∗∗∗ On-device WebAuthn and what makes it hard to do well ∗∗∗ --------------------------------------------- WebAuthn improves login security a lot by making it significantly harder for a users credentials to be misused - a WebAuthn token will only respond to a challenge if its issued by the site a secret was issued to, and in general will only do so if the user provides proof of physical presence[1]. But giving people tokens is tedious and also I have a new laptop which only has USB-C but does have a working fingerprint reader and I [...] --------------------------------------------- https://mjg59.dreamwidth.org/62746.html ∗∗∗ Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant ∗∗∗ --------------------------------------------- Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks, which took place during 2020 and 2021 and likely went as far back as 2015, involved a revamped variant of a malware called Janicab that leverages a number of public services like WordPress [...] --------------------------------------------- https://thehackernews.com/2022/12/hack-for-hire-group-targets-travel-and.ht… ∗∗∗ Log4j’s Log4Shell Vulnerability: One Year Later, It’s Still Lurking ∗∗∗ --------------------------------------------- Despite mitigation, one of the worst bugs in internet history is still prevalent—and being exploited. --------------------------------------------- https://www.wired.com/story/log4j-log4shell-one-year-later/ ∗∗∗ Practically-exploitable Cryptographic Vulnerabilities in Matrix ∗∗∗ --------------------------------------------- We report several practically-exploitable cryptographic vulnerabilities in the end-to-end encryption in Matrix and describe proof-of-concept attacks exploiting these vulnerabilities. [...] Whilst the language of the paper and this website is in present tense, many of the vulnerabilities disclosed have been fixed. See our paper (or Matrix’ website) for more details. --------------------------------------------- https://nebuchadnezzar-megolm.github.io/ ∗∗∗ Cisco Working on Patch for Publicly Disclosed IP Phone Vulnerability ∗∗∗ --------------------------------------------- Cisco informed customers on Thursday that it’s working on patches for a high-severity vulnerability affecting some of its IP phones. --------------------------------------------- https://www.securityweek.com/cisco-working-patch-publicly-disclosed-ip-phon… ∗∗∗ So schützen Sie sich vor problematischen Online-Shops ∗∗∗ --------------------------------------------- Immer wieder werden uns Online-Shops gemeldet, die zwar keine Fake-Shops, aber trotzdem problematisch sind. Lieferzeiten werden nicht eingehalten, die Qualität der Produkte lässt zu wünschen übrig, oder es kommt zu hohen Zoll- oder Retourenkosten. Wir zeigen Ihnen, worauf Sie achten müssen, um keine bösen Überraschungen beim Online-Shopping zu erleben! --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-problemati… ∗∗∗ So schützen Sie sich vor Abo-Fallen im Internet ∗∗∗ --------------------------------------------- Auch im Internet hat niemand etwas zu verschenken! Lassen Sie Vorsicht walten bei Angeboten, die zu gut sind, um wahr zu sein. Diese „Angebote“ nutzen Kriminelle, um Sie in die Falle zu locken. Wenn Sie bemerken, dass Geldbeträge ohne Ihre Zustimmung von Ihrem Konto abgebucht werden, handelt es sich möglicherweise um eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-abo-fallen… ∗∗∗ Was tun, wenn Sie in eine Abo-Falle getappt sind? ∗∗∗ --------------------------------------------- Auf der Suche nach kostenlosen Angeboten und gratis Testversionen werden Sie im Internet schnell fündig. Doch Vorsicht: Hier ist nicht alles Gold, was glänzt! Oft handelt es sich nämlich um Abo-Fallen, bei denen Ihnen unbegründet Rechnungen zugeschickt oder Geldbeträge vom Konto abgebucht werden und man Ihnen mit Inkassobüros oder Rechtsanwaltsschreiben droht. Die Lösung? Auf keinen Fall bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-sie-in-eine-abo-falle-g… ∗∗∗ Precious Gemstones: The New Generation of Kerberos Attacks ∗∗∗ --------------------------------------------- Unit 42 researchers show new methods to improve detection of a next-gen line of Kerberos attacks, which allow attackers to modify Kerberos tickets to maintain privileged access. --------------------------------------------- https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS - heap-based buffer overflow in sslvpnd ∗∗∗ --------------------------------------------- A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise: [...] --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-22-398 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti, grub2, hsqldb, node-eventsource, and openexr), Fedora (bcel, keylime, rust-capnp, rust-sequoia-octopus-librnp, xfce4-screenshooter, and xfce4-settings), Oracle (nodejs:18), Scientific Linux (grub2), Slackware (libarchive), SUSE (go1.18, go1.19, nautilus, opera, python-slixmpp, and samba), and Ubuntu (python2.7, python3.5, qemu, and squid3). --------------------------------------------- https://lwn.net/Articles/917690/ ∗∗∗ IFM: weak password recovery vulnerability in moneo appliance ∗∗∗ --------------------------------------------- Summary: An unauthenticated remote attacker could reset the administrators password with information from the default, self-signed certificate. Impact: An unathenticated attacker can remotely reset the administrator password. Solution: Mitigation: The certificate is renewed by adjusting the hostname to an own customer-specific, so it does not contain the serial number. Remediation: The password-reset mechanism will be updated in a future version. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-050/ ∗∗∗ IBM Security Bulletins 2022-12-09 - 2022-12-12 ∗∗∗ --------------------------------------------- Apache Commons HttpClient 3.x (and few others), Apache POI, IBM App Connect Enterprise, IBM® Db2® Net Search Extender, IBM Elastic Storage System, IBM Engineering Workflow Management (EWM), IBM InfoSphere Information Server, IBM Spectrum Copy Data Management, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, IBM Spectrum Scale packaged in IBM Elastic Storage Server, IBM Spectrum Scale packaged in IBM Elastic Storage System, IBM Tivoli Application Dependency Discovery Manager (TADDM), Rational Team Concert (RTC), z/Transaction Processing Facility --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Intel Data Center Manager 5.1 Local Privilege Escalation ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022120027 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.12.2022
by Daily end-of-shift report 09 Dec '22

09 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-12-2022 18:00 − Freitag 09-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Unsichtbare npm-Malware umgeht Sicherheitsprüfungen mit manipulierten Versionen ∗∗∗ --------------------------------------------- JFrog hat ein unerwartetes Verhalten der npm-Werkzeuge entdeckt: Für Pakete bestimmter Versionsformate zeigen sie wohl keine sicherheitsrelevanten Hinweise an. --------------------------------------------- https://heise.de/-7372357 ∗∗∗ So schützen Sie sich vor Fake-Shops ∗∗∗ --------------------------------------------- Fake-Shops locken mit gutem Design und unschlagbaren Preisen in die Falle. Doch wie erkennen Sie Fake-Shops und andere betrügerische Online-Shops, bevor es zu spät ist? Hier beschreiben wir hier die gängigsten Formen von Fake-Shops und ihre Erkennungsmerkmale. Ein Einkauf in einem Fake-Shop kann Sie nämlich wahrlich teuer zu stehen kommen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-fake-shops/ ∗∗∗ Ransomware: Löschen statt entschlüsseln ∗∗∗ --------------------------------------------- Die defekte Ransomware Cryptonite kann Ihre Dateien nicht entschlüsseln, selbst wenn Sie das Lösegeld bezahlen. Stattdessen werden alle Daten einfach gelöscht. --------------------------------------------- https://www.zdnet.de/88405737/ransomware-loeschen-statt-entschluesseln/ ∗∗∗ New Zombinder platform binds Android malware with legitimate apps ∗∗∗ --------------------------------------------- A darknet platform dubbed Zombinder allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds… ∗∗∗ Hacked corporate email accounts used to send MSP remote access tool ∗∗∗ --------------------------------------------- MuddyWater hackers, a group associated with Irans Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to deliver phishing messages to their targets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-corporate-email-accou… ∗∗∗ DeathStalker targets legal entities with new Janicab variant ∗∗∗ --------------------------------------------- While hunting for less common Deathstalker intrusions, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020. --------------------------------------------- https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab… ∗∗∗ How to train your Ghidra ∗∗∗ --------------------------------------------- Brief introduction to setting up Ghidra, and then configuring it with a familiar UI and shortcuts, so that you would not need to re-learn all the key sequences you have got used to over the years. --------------------------------------------- https://securelist.com/how-to-train-your-ghidra/108272/ ∗∗∗ Finding Gaps in Syslog - How to find when nothing happened, (Wed, Dec 7th) ∗∗∗ --------------------------------------------- I recently got a call from a client, they had an outage that required a firewall reboot, but couldn't give me an exact clock time. They were looking for anything in the logs just prior to that reboot that might indicate a carrier issue, as they had experienced a few outages like this recently. --------------------------------------------- https://isc.sans.edu/diary/rss/29314 ∗∗∗ Port Scanning in Powershell Redux: Speeding Up the Results (challenge accepted!), (Fri, Dec 9th) ∗∗∗ --------------------------------------------- In the story I wrote in October about using PowerShell for Port Scanning (https://isc.sans.edu/diary/29202), I noted that the basic "test-connect" operation made for a pretty slow port scanner, which seems to be the message that everyone latched onto. Of course, my immediate response was "challenge accepted!", so let's go - let's make that operation faster! --------------------------------------------- https://isc.sans.edu/diary/rss/29324 ∗∗∗ Trojanized OneNote Document Leads to Formbook Malware ∗∗∗ --------------------------------------------- Cybercriminals have long used Microsoft documents to pass along malware and they are always experimenting with new ways to deliver malicious packages. As defenders, Trustwave SpiderLabs’ researchers are always looking out for new or unusual file types, and through this ongoing research, we uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-… ∗∗∗ Compromised Cloud Compute Credentials: Case Studies From the Wild ∗∗∗ --------------------------------------------- A walk-through of attacks in the wild that abuse stolen cloud compute credentials in the cloud environment. Unit 42 researchers highlight two case studies. --------------------------------------------- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ ∗∗∗ Fantasy - a new Agrius wiper deployed through a supply‑chain attack ∗∗∗ --------------------------------------------- ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper, with victims including the diamond industry --------------------------------------------- https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-c… ∗∗∗ On hacking forums, even the scammers aren’t safe ∗∗∗ --------------------------------------------- Cybercriminals use a range of techniques to steal victims’ money — from developing malicious software to siphon financial data to old-fashioned “rip-and-runs” — but that doesn’t mean they’re immune to falling for these scams themselves. Scammers scamming scammers, including sometimes the scammers who have scammed them, is “an entire sub-economy” on darknet marketplaces, according to [...] --------------------------------------------- https://therecord.media/on-hacking-forums-even-the-scammers-arent-safe/ ∗∗∗ OpenSSL CVE-2022-3786: Food for Thought on the Importance of Security Scanning ∗∗∗ --------------------------------------------- After a CVE on open source software has been discovered and a fix has been released, a fruitful practice for security researchers is to go deep into the nature of the CVE and the fix. --------------------------------------------- https://checkmarx.com/blog/openssl-cve-2022-3786-food-for-thought-on-the-im… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins 2022-12-05 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Cloud Transformation Advisor, IBM Event Streams, IBM InfoSphere Information Server, IBM Power System, IBM QRadar SIEM, IBM Rational Functional Tester, IBM Rational Test Automation Server, IBM Spectrum Scale, IBM Sterling Secure Proxy, IBM Watson Developer Cloud --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-06 ∗∗∗ --------------------------------------------- IBM Business Automation Workflow, IBM Content Navigator, IBM Operations Analytics, IBM Rational Business Developer, IBM SPSS Collaboration and Deployment Services, IBM Security SiteProtector System, IBM Sterling External Authentication Server, IBM Tivoli Application Dependency Discovery Manager, IBM Tivoli Business Service Manager, IBM Tivoli Composite Application Manager for Transactions, IBM WebSphere Application Server --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-07 ∗∗∗ --------------------------------------------- AIX, HMC, IBM Business Automation Workflow Event Emitters, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Data Risk Manager, IBM Enterprise Content Management System Monitor, IBM Match 360, IBM PowerVM Novalink, IBM Virtualization Engine TS7700, IBM Watson Assistant for IBM Cloud Pak for Data --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-08 ∗∗∗ --------------------------------------------- AIX, IBM API Connect, IBM CICS Transaction Gateway, IBM Cloud Transformation Advisor, IBM InfoSphere Information Server, IBM MQ, IBM PowerVM Novalink, IBM Security Verify --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-09 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise Certified Container, IBM Security Verify Governance, IBM Spectrum Copy Data Management, IBM Spectrum Protect for Space Management Client, IBM Tivoli Application Dependency Discovery Manager, z/Transaction Processing Facility --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ VMSA-2022-0030 ∗∗∗ --------------------------------------------- VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0030.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dlt-daemon, jqueryui, and virglrenderer), Fedora (firefox, vim, and woff), Oracle (kernel and nodejs:18), Red Hat (java-1.8.0-ibm and redhat-ds:11), Slackware (python3), SUSE (buildah, matio, and osc), and Ubuntu (heimdal and postgresql-9.5). --------------------------------------------- https://lwn.net/Articles/917398/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (leptonlib), Fedora (woff), Red Hat (grub2), Slackware (emacs), SUSE (busybox, chromium, java-1_8_0-openjdk, netatalk, and rabbitmq-server), and Ubuntu (gcc-5, gccgo-6, glibc, protobuf, and python2.7, python3.10, python3.6, python3.8). --------------------------------------------- https://lwn.net/Articles/917530/ ∗∗∗ Synology-SA-22:23 PWN2OWN TORONTO 2022 ∗∗∗ --------------------------------------------- Multiple vulnerabilities reported by PWN2OWN TORONTO 2022 have been addressed. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_23 ∗∗∗ AMI MegaRAC SP-X BMC Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500535-AMI-MEGARAC-SP-X-BMC-V… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Smart WiFi Router ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-dosvihsw… ∗∗∗ K87046687: VMware Tools vulnerability CVE-2022-31676 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87046687 ∗∗∗ Advantech iView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-342-01 ∗∗∗ AVEVA InTouch Access Anywhere ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-342-02 ∗∗∗ Rockwell Automation Logix controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-342-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily