Daily

daily@lists.cert.at

1 participants
3182 discussions

Tageszusammenfassung - 25.01.2023
by Daily end-of-shift report 25 Jan '23

25 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-01-2023 18:00 − Mittwoch 25-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht vor Phishing-Mails von FinanzOnline und ID Austria ∗∗∗ --------------------------------------------- Betrüger*innen versuchen mit gefälschten Mails an sensible Daten zu kommen. --------------------------------------------- https://futurezone.at/digital-life/phishing-mails-finanzonline-id-austria-v… ∗∗∗ GoTo-Hacker erbeuten verschlüsselte Backups inklusive Schlüssel ∗∗∗ --------------------------------------------- GoTo, ein Anbieter für Software-as-a-Service und Remote-Work-Tools, veröffentlicht weitere Erkenntnisse über einen IT-Sicherheitsvorfall. --------------------------------------------- https://heise.de/-7470609 ∗∗∗ OTORIO DCOM Hardening Toolkit für Windows für OT-Systeme veröffentlicht ∗∗∗ --------------------------------------------- In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle, die eine Umgehung der Sicherheitsfunktionen ermöglicht. Microsoft hat das dokumentiert und gepatcht, und will im März 2023 aber einen letzten einen Patch freigeben. Sicherheitsanbieter OTORIO hat im Vorfeld ein OpenSource DCOM Hardening Toolkit für OT-Systeme veröffentlicht, mit dem Unternehmen ihre DCOM-Umgebungen analysieren und ggf. härten können. --------------------------------------------- https://www.borncity.com/blog/2023/01/25/otorio-dcom-hardening-toolkit-fr-w… ∗∗∗ Recovery-Scam durch betrugsdezernat.com und betrugsdezernat.org! ∗∗∗ --------------------------------------------- Wer auf betrügerischen Investment-Plattformen Geld verloren hat, wünscht sich meist nichts mehr, als sämtliche Einzahlungen zurückerhalten zu können. Darauf setzen auch die Kriminellen, die schon hinter dem Investitionsbetrug steckten. Sie geben sich als (häufig erfundene) Behörden aus und behaupten, das verlorene Geld festgesetzt zu haben. Eine kleine Vorauszahlung der Opfer soll zur Rückbuchung aller Verluste führen. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scam-durch-betrugsdezernatc… ∗∗∗ Senden Sie Ihre Daten nicht an gewerbe-datenanzeiger.at! ∗∗∗ --------------------------------------------- Haben auch Sie eine Nachricht von Gewerbe Datenanzeiger bekommen, die Sie auffordert, Ihre Firmendaten preiszugeben? Ignorieren Sie die Nachricht, wenn Sie antworten, schließen Sie ein teures Abo in Höhe von 1.992 € ab! --------------------------------------------- https://www.watchlist-internet.at/news/senden-sie-ihre-daten-nicht-an-gewer… ∗∗∗ Ransomware access brokers use Google ads to breach your network ∗∗∗ --------------------------------------------- A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims passwords, and ultimately breach networks for ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-access-brokers-us… ∗∗∗ New stealthy Python RAT malware targets Windows in attacks ∗∗∗ --------------------------------------------- A new Python-based malware has been spotted in the wild featuring remote access trojan (RAT) capabilities to give its operators control over the breached systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-python-rat-malw… ∗∗∗ Lessons Learned from the Windows Remote Desktop Honeypot Report ∗∗∗ --------------------------------------------- Over several weeks in October of 2022, Specops collected 4.6 million attempted passwords on their Windows Remote Desktop honeypot system. Here is what they learned. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lessons-learned-from-the-win… ∗∗∗ A First Malicious OneNote Document, (Wed, Jan 25th) ∗∗∗ --------------------------------------------- Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1]. --------------------------------------------- https://isc.sans.edu/diary/rss/29470 ∗∗∗ Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network ∗∗∗ --------------------------------------------- Every so often attackers register a new domain to host their malware. In many cases, these new domains are associated with specific malware campaigns, often related to redirecting legitimate website traffic to third party sites of their choosing - including tech support scams, adult dating, phishing, or drive-by-downloads. Since late December, our team has been tracking a new spike in WordPress website infections related to the following malicious domain: [...] --------------------------------------------- https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-site… ∗∗∗ At the Edge of Tier Zero: The Curious Case of the RODC ∗∗∗ --------------------------------------------- The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case. While RODCs, by definition, are not part of the set of resources that can control “enterprise identities”, known as Tier Zero, we have seen cases where there is a privilege escalation path from an RODC to domain dominance. --------------------------------------------- https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-th… ∗∗∗ Vulnerability of Zyxel switches posed serious risk for business processes of many companies ∗∗∗ --------------------------------------------- The issue received a CVSSv3 score of 8.2, qualifying it as high severity --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/vulnerability-of-zyxel-switches… ∗∗∗ Attacking The Supply Chain: Developer ∗∗∗ --------------------------------------------- In this proof of concept, we look into one of several attack vectors that can be abused to attack the supply chain: targeting the developer. With a focus on the local integrated developer environment (IDE), this proof considers the execution of malicious build scripts via injecting commands when the project or build is incorrectly “trusted”. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/attacking-the-supply-chain-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Xen Security Advisory CVE-2022-42330 / XSA-425 ∗∗∗ --------------------------------------------- Guests can cause Xenstore crash via soft reset --------------------------------------------- https://xenbits.xen.org/xsa/advisory-425.html ∗∗∗ Kritische Schadcode-Lücken in Logging-Tool VMware vRealize Log geschlossen ∗∗∗ --------------------------------------------- Netzwerk-Admins sollten ihre Systeme mit VMware vRealize Log auf den aktuellen Stand bringen, um Angreifer auszusperren. --------------------------------------------- https://heise.de/-7470157 ∗∗∗ Kritische Sicherheitslücke: Neuere Lexmark-Drucker ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Lexmark warnt vor Sicherheitslücken in seinen Druckern. Neuere Modelle ermöglichten Angreifern, Schadcode einzuschleusen und auszuführen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7470640 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libde265, nodejs, and swift), Fedora (nautilus), Oracle (bash, bind, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, libreoffice, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, postgresql-jdbc, qemu, ruby:2.5, sqlite, sssd, sudo, and usbguard), Red Hat (bind, go-toolset-1.18, go-toolset:rhel8, kernel, kernel-rt, kpatch-patch, pcs, sssd, and virt:rhel, virt-devel:rhel), Scientific Linux (bind, --------------------------------------------- https://lwn.net/Articles/921194/ ∗∗∗ [R1] Tenable.sc 6.0.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-03 ∗∗∗ IBM Security Verify Governance, Identity Manager virtual appliance component uses weaker than expected cryptography (CVE-2022-22462) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857339 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2022-40750) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857579 ∗∗∗ IBM MQ could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. (CVE-2022-31772) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6833806 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libxml2, expat, libtasn1 and systemd ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857613 ∗∗∗ Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857607 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.01.2023
by Daily end-of-shift report 24 Jan '23

24 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 23-01-2023 18:00 − Dienstag 24-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers use Golang source code interpreter to evade detection ∗∗∗ --------------------------------------------- A Chinese-speaking hacking group tracked as DragonSpark was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-golang-source-co… ∗∗∗ Microsoft 365 to block downloaded Excel XLL add-ins to boost security ∗∗∗ --------------------------------------------- Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-365-to-block-down… ∗∗∗ Emotet Malware Makes a Comeback with New Evasion Techniques ∗∗∗ --------------------------------------------- The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. --------------------------------------------- https://thehackernews.com/2023/01/emotet-malware-makes-comeback-with-new.ht… ∗∗∗ Identitätsdiebstahl: Erste Hilfe bei Onlinebetrug unter Ihrem Namen ∗∗∗ --------------------------------------------- Kriminelle kaufen mit illegal erworbenen Login-Daten auf Ihre Rechnung ein oder posten Beschimpfungen in Ihrem Namen? Das sollten Sie jetzt tun. --------------------------------------------- https://heise.de/-7452745 ∗∗∗ A security audit of Git ∗∗∗ --------------------------------------------- The Open Source Technology Improvement Fund has announced the completion of a security audit of the Git source. --------------------------------------------- https://lwn.net/Articles/921067/ ∗∗∗ OSINT your OT suppliers ∗∗∗ --------------------------------------------- There is much talk about supply chain security and reviewing your suppliers for cyber security. But how much information do they intentionally and unintentionally leak about your organisation online? --------------------------------------------- https://www.pentestpartners.com/security-blog/osint-your-ot-suppliers/ ∗∗∗ Facebook: E-Bike-Gewinnspiele sind Fake ∗∗∗ --------------------------------------------- Mit „Danke“ kommentieren und E-Bike gewinnen: Dieses Gewinnspiel macht gerade auf Facebook die Runde. Angeblich haben die Fahrräder kleine Kratzer, die Motoren funktionieren aber einwandfrei. Vorsicht: Das Gewinnspiel ist Fake. --------------------------------------------- https://www.watchlist-internet.at/news/facebook-e-bike-gewinnspiele-sind-fa… ∗∗∗ Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats ∗∗∗ --------------------------------------------- We observed a recent spate of supply chain attacks attempting to exploit CVE-2021-35394, affecting IoT devices with chipsets made by Realtek. --------------------------------------------- https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ ∗∗∗ Vice Society Ransomware Group Targets Manufacturing Companies ∗∗∗ --------------------------------------------- In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-grou… ∗∗∗ A step-by-step introduction to the use of ROP gadgets to bypass DEP ∗∗∗ --------------------------------------------- DEP (Data Execution Prevention) is a memory protection feature that allows the system to mark memory pages as non-executable. ROP (Return-oriented programming) is an exploit technique that allows an attacker to execute shellcode with protections such as DEP enabled. --------------------------------------------- https://cybergeeks.tech/a-step-by-step-introduction-to-the-use-of-rop-gadge… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Symantec Endpoint Protection als Sprungbrett für Angreifer ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle könnten Angreifer Windows-PCs mit Sicherheitssoftware von Symantec attackieren. --------------------------------------------- https://heise.de/-7468961 ∗∗∗ iOS 16.3, iPadOS 16.3 und macOS 13.2: Welche Lücken Apple stopft ∗∗∗ --------------------------------------------- Erneut bekommen Macs, iPhones und iPads jede Menge Sicherheitsfixes. Zu den Details schweigt sich Apple teilweise mal wieder aus. --------------------------------------------- https://heise.de/-7469023 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and spip), Fedora (kernel), Mageia (chromium-browser-stable, docker, firefox, jpegoptim, nautilus, net-snmp, phoronix-test-suite, php, php-smarty, samba, sdl2, sudo, tor, viewvc, vim, virtualbox, and x11-server), Red Hat (bash, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, pcs, postgresql-jdbc, [...] --------------------------------------------- https://lwn.net/Articles/921024/ ∗∗∗ Critical Vulnerabilities Patched in OpenText Enterprise Content Management System ∗∗∗ --------------------------------------------- Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-patched-opentext-ente… ∗∗∗ Pgpool-II vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN72418815/ ∗∗∗ pgAdmin 4 vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN01398015/ ∗∗∗ VMSA-2023-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0001.html ∗∗∗ XINJE XD ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-024-01 ∗∗∗ SOCOMEC MODULYS GP ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-024-02 ∗∗∗ IBM WebSphere Application Server traditional container is vulnerable to information disclosure (CVE-2022-43917) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857007 ∗∗∗ Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857039 ∗∗∗ FileNet Content Manager GraphQL jackson-databind security vulnerabilities, affected but not vulnerable ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857047 ∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857295 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.01.2023
by Daily end-of-shift report 23 Jan '23

23 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-01-2023 18:00 − Montag 23-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Anmeldung bei ManageEngine ServiceDesk Plus MSP mit beliebigem Passwort möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Helpdesk-Software ManageEngine ServiceDesk Plus MSP von Zoho. --------------------------------------------- https://heise.de/-7467650 ∗∗∗ "Cyberkriminelle" verschaffen sich Zugang zu Sky-Kundenkonten ∗∗∗ --------------------------------------------- Der Pay-TV-Anbieter Sky bestätigt, dass sich bösartige Akteure Zugriff zu Kundenkonten verschafft haben. Details gibt es noch nicht, der Schaden ist unklar. --------------------------------------------- https://heise.de/-7468078 ∗∗∗ Vorsicht vor Betrug bei der Wohnungssuche im Ausland ∗∗∗ --------------------------------------------- Sie planen ein Auslandssemester oder suchen für einen befristeten Zeitraum eine Wohnung oder ein WG-Zimmer? Nehmen Sie sich vor günstigen Traumwohnungen in Acht! Dahinter könnte eine Betrugsmasche stecken. Finger weg, wenn Sie ohne Besichtigung eine Zahlung leisten müssen, die angeblich von TripAdvisor, Airbnb oder Booking.com verwaltet wird. Sie verlieren Ihr Geld und stehen ohne Wohnung da. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-wohnungssuche-fuer-… ∗∗∗ Massive ad-fraud op dismantled after hitting millions of iOS devices ∗∗∗ --------------------------------------------- A massive ad fraud operation dubbed Vastflux that spoofed more than 1,700 applications from 120 publishers, mostly for iOS, has been disrupted by security researchers at cybersecurity company HUMAN. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-ad-fraud-op-dismantl… ∗∗∗ Whos Resolving This Domain?, (Mon, Jan 23rd) ∗∗∗ --------------------------------------------- Challenge of the day: To find the process that resolved a specific domain. And this is not always easy! --------------------------------------------- https://isc.sans.edu/diary/rss/29462 ∗∗∗ Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks ∗∗∗ --------------------------------------------- The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week. --------------------------------------------- https://thehackernews.com/2023/01/threat-actors-turn-to-sliver-as-open.html ∗∗∗ ShareFinder: How Threat Actors Discover File Shares ∗∗∗ --------------------------------------------- Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all [...] --------------------------------------------- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover… ∗∗∗ Activation Context Cache Poisoning: Exploiting CSRSS for Privilege Escalation ∗∗∗ --------------------------------------------- Starting in July of 2022, the Windows CSRSS process entered the consciousness of the infosec community as the source of several local privilege escalation vulnerabilities in Microsoft Windows. The first public information appeared on July 12 with the release of the patch for CVE-2022-22047, which was being actively exploited. Shortly thereafter, Microsoft published an article providing some technical details [...] --------------------------------------------- https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-ex… ∗∗∗ Inglourious Drivers - A Journey of Finding Vulnerabilities in Drivers ∗∗∗ --------------------------------------------- TL;DR I discovered multiple bugs in OEM vendors for peripheral devices, which affected many users of these OEM vendors (Razer, EVGA, MSI, AMI). Many of the vulnerabilities originated in a [...] --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/inglourious-drivers… ===================== = Vulnerabilities = ===================== ∗∗∗ Unter Attacke: Sicherheitsleck in GTA V ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- Angreifer missbrauchen eine Sicherheitslücke im Spiel GTA V, um die Statistiken von Opfern zu verändern. Sie könnten jedoch Schadcode unterzuschieben. --------------------------------------------- https://heise.de/-7467685 ∗∗∗ Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347) ∗∗∗ --------------------------------------------- U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and [...] --------------------------------------------- https://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecke… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (powerline-gitstatus, tiff, and trafficserver), Fedora (dotnet6.0, firefox, git, kernel, libXpm, rust, sudo, upx, and yarnpkg), Mageia (kernel and kernel-linus), Red Hat (firefox, java-11-openjdk, and sudo), Slackware (mozilla and seamonkey), SUSE (cacti, cacti-spine, samba, and tor), and Ubuntu (firefox, php7.2, php7.4, php8.1, and python-setuptools, setuptools). --------------------------------------------- https://lwn.net/Articles/920829/ ∗∗∗ A CVE-2022-21626 vulnerability in IBM Java Runtime affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856759 ∗∗∗ Multiple vulnerability affect IBM Business Automation Workflow - CVE-2022-42003, CVE-2022-42004 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856761 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2023
by Daily end-of-shift report 20 Jan '23

20 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-01-2023 18:00 − Freitag 20-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit released for critical ManageEngine RCE bug, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is now available for a remote code execution (RCE) vulnerability in multiple Zoho ManageEngine products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ Exploiting null-dereferences in the Linux kernel ∗∗∗ --------------------------------------------- While the null-dereference bug itself was fixed in October 2022, the more important fix was the introduction of an oops limit which causes the kernel to panic if too many oopses occur. While this patch is already upstream, it is important that distributed kernels also inherit this oops limit and backport it to LTS releases if we want to avoid treating such null-dereference bugs as full-fledged security issues in the future. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences… ∗∗∗ Importance of signing in Windows environments, (Fri, Jan 20th) ∗∗∗ --------------------------------------------- NTLM relaying has been a plague in Windows environments for many years and we have witnessed many exploits that rely on the fact that it is possible to relay NTLM authentication attempts to various target services. --------------------------------------------- https://isc.sans.edu/diary/rss/29456 ∗∗∗ Vulnerable WordPress Sites Compromised with Different Database Infections ∗∗∗ --------------------------------------------- Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out of date websites to be attacked by multiple threat actors or targeted by the same attacker using multiple different channels. We recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals. --------------------------------------------- https://blog.sucuri.net/2023/01/vulnerable-wordpress-sites-compromised-with… ∗∗∗ New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability ∗∗∗ --------------------------------------------- Earlier this month, Fortinet disclosed that unknown hacking groups have capitalized on the shortcoming to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server. --------------------------------------------- https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.ht… ∗∗∗ Neue Love-Scam Masche: Wenn die Internetbekanntschaft Sie zum Online-Handel überredet ∗∗∗ --------------------------------------------- Betrügerische Internetbekanntschaften versuchen auf unterschiedlichsten Wegen an Ihr Geld zu kommen. Bei einer neuen Masche erschleichen sich die Kriminellen Ihr Vertrauen, um Sie später auf den Online-Marktplatz haremark. --------------------------------------------- https://www.watchlist-internet.at/news/neue-love-scam-masche-wenn-die-inter… ∗∗∗ CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion ∗∗∗ --------------------------------------------- n this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in Adobe ColdFusion. --------------------------------------------- https://www.thezdi.com/blog/2023/1/18/cve-2022-35690-unauthenticated-rce-in… ∗∗∗ NCSC to retire Logging Made Easy ∗∗∗ --------------------------------------------- The NCSC is retiring Logging Made Easy (LME). After 31 March 2023, we will no longer support LME, and the GitHub page will close shortly after. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/ncsc-to-retire-logging-made-easy ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco: Hochriskantes Sicherheitsleck in Unified Communications Manager ∗∗∗ --------------------------------------------- In der Unified Communications Manager-Software von Cisco klafft eine Sicherheitslücke mit hohem Risiko. Der Hersteller stellt Updates zum Schließen bereit. --------------------------------------------- https://heise.de/-7465203 ∗∗∗ Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434) ∗∗∗ --------------------------------------------- The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications. --------------------------------------------- https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield). --------------------------------------------- https://lwn.net/Articles/920646/ ∗∗∗ Vulnerability Spotlight: XSS vulnerability in Ghost CMS ∗∗∗ --------------------------------------------- The TALOS-2022-1686 (CVE-2022-47194-CVE-2022-47197) shows that several XSS vulnerabilities could lead to privilege escalation. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-xss-vulnerabilit… ∗∗∗ Hitachi Energy PCU400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-019-01 ∗∗∗ ;">uniFLOW MOM Tech Support Potential Data Exposure Vulnerability – 20 January 2023 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Vulnerability in minimatch affects IBM Process Mining . CVE-2022-3517 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856471 ∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856659 ∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856661 ∗∗∗ Liberty is vulnerable to denial of service due to GraphQL Java affecting IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856687 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856719 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856717 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-34305 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856713 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-45143 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856721 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.01.2023
by Daily end-of-shift report 19 Jan '23

19 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-01-2023 18:00 − Donnerstag 19-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Illegal Solaris darknet market hijacked by competitor Kraken ∗∗∗ --------------------------------------------- Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named Kraken, who claims to have hacked it on January 13, 2022. --------------------------------------------- https://www.bleepingcomputer.com/news/security/illegal-solaris-darknet-mark… ∗∗∗ Microsoft investigates bug behind unresponsive Windows Start Menu ∗∗∗ --------------------------------------------- Microsoft is investigating an issue causing the Windows taskbar and Start Menu to become unresponsive and triggering Outlook and Teams login problems. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-bug-… ∗∗∗ PayPal accounts breached in large-scale credential stuffing attack ∗∗∗ --------------------------------------------- PayPal is sending out notices of a data breach to thousands of users who had their accounts accessed by credential stuffing actors, resulting in the compromise of some personal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-… ∗∗∗ New Blank Image attack hides phishing scripts in SVG files ∗∗∗ --------------------------------------------- An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-blank-image-attack-hides… ∗∗∗ Roaming Mantis implements new DNS changer in its malicious mobile app in 2022 ∗∗∗ --------------------------------------------- Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. --------------------------------------------- https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/1… ∗∗∗ SPF and DMARC use on 100k most popular domains, (Thu, Jan 19th) ∗∗∗ --------------------------------------------- Not too long ago, I wrote a diary discussing SPF and DMARC use on GOV subdomains in different ccTLDs around the world. The results werent too optimistic, it turned out that only about 42% of gov.cctld domains had a valid SPF record published and only about 19% of such domains had a valid DMARC record published. --------------------------------------------- https://isc.sans.edu/diary/rss/29452 ∗∗∗ Android Users Beware: New Hook Malware with RAT Capabilities Emerges ∗∗∗ --------------------------------------------- The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session. --------------------------------------------- https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html ∗∗∗ CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA ∗∗∗ --------------------------------------------- CircleCI, a big name in the DevOps space, has released an incident report about a data breach it experienced early this month. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/01/circleci-malware-stole-githu… ∗∗∗ Pwned or Bot ∗∗∗ --------------------------------------------- Its fascinating to see how creative people can get with breached data. Of course theres all the nasty stuff (phishing, identity theft, spam), but there are also some amazingly positive uses for data illegally taken from someone elses system. --------------------------------------------- https://www.troyhunt.com/pwned-or-bot/ ∗∗∗ LockBit ransomware – what you need to know ∗∗∗ --------------------------------------------- It is the worlds most active ransomware group - responsible for an estimated 40% of all ransomware infections worldwide. Find out what you need to know about LockBit in my article on the Tripwire State of Security blog. --------------------------------------------- https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need… ∗∗∗ Windows 11 22H2: Systemwiederherstellung verursacht "This app can’t open"-Fehler ∗∗∗ --------------------------------------------- Ich höre zwar immer wieder "läuft ohne Probleme", aber für den Fall der Fälle, also falls Windows 11 22H2 mal Schluckauf haben sollte und den Fehler "Diese App kann nicht geöffnet werden" zeigt, da hätte ich was zur Ursache. Hochoffiziell von Microsoft als Fehler bestätigt. --------------------------------------------- https://www.borncity.com/blog/2023/01/19/windows-11-22h2-systemwiederherste… ∗∗∗ Windows 10: "Schlagloch" Windows PE-Patch zum Fix der Bitlocker-Bypass-Schwachstelle CVE-2022-41099 ∗∗∗ --------------------------------------------- Nachtrag zum Januar 2023 Patchday für Windows. Es gibt in der Windows PE-Umgebung von Windows 10 eine Schwachstelle (CVE-2022-41099), die eine Umgehung der Bitlocker-Verschlüsselung umgeht. Zum Fixen muss die Windows PE-Umgebung der Clients manuell aktualisiert werden. --------------------------------------------- https://www.borncity.com/blog/2023/01/19/windows-10-schlagloch-windows-pe-p… ∗∗∗ Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest ∗∗∗ --------------------------------------------- In this blog, we’ll tackle encrypting AWS in transit and at rest. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/improve-your-aws-se… ∗∗∗ Following the LNK metadata trail ∗∗∗ --------------------------------------------- While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. --------------------------------------------- https://blog.talosintelligence.com/following-the-lnk-metadata-trail/ ∗∗∗ Darth Vidar: The Dark Side of Evolving Threat Infrastructure ∗∗∗ --------------------------------------------- Vidar is an info-stealer malware, which was first spotted in the wild in late 2018 by the security researcher Fumik0. Upon initial inspection, the identified sample appeared to be Arkei (another info-stealer), however differences in both the sample’s code and C2 communications were observed. --------------------------------------------- https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo). --------------------------------------------- https://lwn.net/Articles/920478/ ∗∗∗ Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM ∗∗∗ --------------------------------------------- Cisco on Wednesday announced patches for a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME). --------------------------------------------- https://www.securityweek.com/cisco-patches-high-severity-sql-injection-vuln… ∗∗∗ CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services ∗∗∗ --------------------------------------------- A cross-site request forgery (CSRF) vulnerability impacting the source control management (SCM) service Kudu could be exploited to achieve remote code execution (RCE) in multiple Azure services, cloud infrastructure security firm Ermetic has discovered. --------------------------------------------- https://www.securityweek.com/csrf-vulnerability-kudu-scm-allowed-code-execu… ∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-001 ∗∗∗ [R1] Nessus Version 8.15.8 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-02 ∗∗∗ Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856209 ∗∗∗ IBM Security Guardium is affected by a gson-1.7.1.jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856221 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-25647) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856221 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2022-48195, CVE-2022-29577, CVE-2022-28367, CVE-2015-6420) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856401 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856409 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39011) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856403 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39089) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856405 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39090) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856407 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856439 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856443 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.01.2023
by Daily end-of-shift report 18 Jan '23

18 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-01-2023 18:00 − Mittwoch 18-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ RC4 Is Still Considered Harmful ∗∗∗ --------------------------------------------- Ive been spending a lot of time researching Windows authentication implementations, specifically Kerberos. In June 2022 I found an interesting issue number 2310 with the handling of RC4 encryption that allowed you to authenticate as another user if you could either interpose on the Kerberos network traffic to and from the KDC or directly if the user was configured to disable typical pre-authentication requirements. This blog post goes into more detail [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harm… ∗∗∗ Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware, (Wed, Jan 18th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/29448 ∗∗∗ Is WordPress Secure? ∗∗∗ --------------------------------------------- According to W3Techs, 43.2% of all websites on the internet use WordPress. And of all websites that use a CMS (Content Management System) more than half (64%) leverage WordPress to power their blog or website. Unfortunately, since WordPress has such a large market share it has also become a prime target for attackers. You might be wondering whether WordPress is safe to use. And the short answer is yes - WordPress core is safe to use, but only if you maintain it to the latest version and [...] --------------------------------------------- https://blog.sucuri.net/2023/01/is-wordpress-secure.html ∗∗∗ CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) --------------------------------------------- https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html ∗∗∗ Jetzt patchen! Tausende Firewalls von Sophos angreifbar ∗∗∗ --------------------------------------------- Sicherheitsforscher haben das Internet auf verwundbare Sophos-Firewalls gescannt und sind fündig geworden. Sicherheitspatches gibt es seit Dezember 2022. --------------------------------------------- https://heise.de/-7462565 ∗∗∗ MSI-Motherboards sollen trotz aktivem Secure Boot manipulierte Systeme starten ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat herausgefunden, dass der Schutzmechanismus Secure Boot auf MSI-Motherboards standardmäßig aktiv ist, aber trotzdem alles durchwinkt. --------------------------------------------- https://heise.de/-7462913 ∗∗∗ Hochriskante Sicherheitslücken in Qt "nur ein Bug" ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher von Cisco Thalos haben hochriskante Sicherheitslücken in Qt-QML gefunden. Qt sieht App-Entwickler am Zuge und stuft sie nur als Bug ein. --------------------------------------------- https://heise.de/-7462956 ∗∗∗ Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability ∗∗∗ --------------------------------------------- Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns. --------------------------------------------- https://www.securityweek.com/vendors-actively-bypass-security-patch-year-ol… ∗∗∗ The Defender’s Guide to Windows Services ∗∗∗ --------------------------------------------- This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them. --------------------------------------------- https://posts.specterops.io/the-defenders-guide-to-windows-services-67c1711… ∗∗∗ Silo, or not silo, that is the question ∗∗∗ --------------------------------------------- As we (security folks) were working on the hardening of WSUS update servers, we had to answer an interesting question dealing with how to best isolate a sensitive server like WSUS on on-premises Active Directory. The question was: should I put my WSUS server into my T0 silo? --------------------------------------------- https://medium.com/tenable-techblog/silo-or-not-silo-that-is-the-question-d… ∗∗∗ Elastic IP Transfer: Identifying and Mitigating Risks from a New Attack-Vector on AWS ∗∗∗ --------------------------------------------- Elastic IPs (EIPs) are public and static IPv4 addresses provided by AWS. EIPs can be viewed as a pool of IPv4 addresses, accessible from the internet, that can be used in numerous ways. Once an EIP is allocated to an AWS account, it can be associated with a single compute instance or an elastic network [...] --------------------------------------------- https://orca.security/resources/blog/elastic-ip-transfer-attack-vector-on-a… ∗∗∗ An in-depth HTTP Strict Transport Security Tutorial ∗∗∗ --------------------------------------------- HSTS is an Internet standard and policy that tells the browser to only interact with a website using a secure HTTPS connection. Check out this article to learn how to leverage the security of your website and customers’ data and the security benefits you’ll gain from doing so. --------------------------------------------- https://www.trendmicro.com/en_us/devops/23/a/http-strict-transport-security… ∗∗∗ Kriminelle versprechen Geld für Haarspenden auf Job-Börsen, aber zahlen nicht! ∗∗∗ --------------------------------------------- Wenn Sie auf Facebook in diversen Job-Börsen nach einer Beschäftigung suchen, stoßen Sie womöglich auf ein verlockendes Angebot für Ihre Haare. Um für Krebskranke Perücken anzufertigen, ist man bereit, Ihnen bis zu 2000 Euro für Ihre Haare zu bezahlen. Achtung: Wenn Sie hier Kontakt aufnehmen, gibt man Ihnen genaue Anweisungen zum Abschneiden Ihrer Haare und verspricht eine Bezahlung bei Abholung. Doch dann sind Ihre Haare ab, Sie werden blockiert und [...] --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versprechen-geld-fuer-haa… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Sicherheitslücken in über 100 Oracle-Produkten ∗∗∗ --------------------------------------------- Das erste Oracle Critical Patch Update des Jahres 2023 liefert Beschreibungen und Updates für Sicherheitslücken in mehr als 100 Produkten des Unternehmens. --------------------------------------------- https://heise.de/-7462438 ∗∗∗ Versionsverwaltung: Git schließt zwei kritische Lücken in Version 2.39 ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Lücken in Git entdeckt, durch die beliebiger Code ausgeführt werden konnte. Patches stehen bereit, Nutzer sollten umgehend updaten. --------------------------------------------- https://heise.de/-7462680 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (awstats), Oracle (dpdk, libxml2, postgresql:10, systemd, and virt:ol and virt-devel:rhel), Red Hat (kernel), Slackware (git, httpd, libXpm, and mozilla), SUSE (libzypp-plugin-appdata), and Ubuntu (git, libxpm, linux-ibm-5.4, linux-oem-5.14, and ruby2.3). --------------------------------------------- https://lwn.net/Articles/920318/ ∗∗∗ Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers ∗∗∗ --------------------------------------------- Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).Two security defects were identified in TP-Link WR710N-V1-151022 and Archer-C5-V2-160201 SOHO (small office/home office) routers, allowing attackers to execute code, crash devices, or guess login credentials. --------------------------------------------- https://www.securityweek.com/remote-code-execution-vulnerabilities-found-tp… ∗∗∗ IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6850801 ∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp… ∗∗∗ Security Advisory - Misinterpretation of Input in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moiiahpp-… ∗∗∗ Security Advisory - Data Processing Error Vulnerability in a Huawei Band ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-dpeviahb-… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-boviahpp-… ∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp… ∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-5… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2023
by Daily end-of-shift report 17 Jan '23

17 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 16-01-2023 18:00 − Dienstag 17-01-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Finding that one GPO Setting in a Pool of Hundreds of GPOs, (Tue, Jan 17th) ∗∗∗ --------------------------------------------- I had a call recently from a client, they were looking for which Group Policy in their AD had a specific setting in it. --------------------------------------------- https://isc.sans.edu/diary/rss/29442 ∗∗∗ The misadventures of an SPF record ∗∗∗ --------------------------------------------- I ran a scan against the three million most visited domains and discovered that the Ukrainian MoD, MIT, University, University of Miami, along with 1000+ other domains had mistakenly used the “+all” SPF mechanism at the end of their respective SPF records - effectively meaning any public IP address can send SPF authenticated emails on their behalf. --------------------------------------------- https://caniphish.com/phishing-resources/blog/scanning-spf-records ∗∗∗ Windows: Verschwundene Start-Menüs und Taskbars sorgen für Verwirrung ∗∗∗ --------------------------------------------- Update 16.01.2023 07:44 Uhr: Microsoft hat inzwischen einen Support-Artikel in der Techcommunity herausgegeben, der PowerShell-Skripte und Anleitungen zur automatischen Ausführung für IT-Verantwortliche enthält, die zumindest einen Teil von gelöschten Verknüpfungen wiederherstellen können sollen. --------------------------------------------- https://www.heise.de/news/Windows-Verschwundene-Start-Menues-und-Taskbars-s… ∗∗∗ Beware of DDosia, a botnet created to facilitate DDoS attacks ∗∗∗ --------------------------------------------- The DDosia project is a successor of the Bobik botnet linked to the pro-Russian hacker group called NoName(057)16, as revealed in a recent analysis by Avast researcher Martin Chlumecky. --------------------------------------------- https://blog.avast.com/ddosia-project ∗∗∗ The prevalence of RCE exploits and what you should know about RCEs ∗∗∗ --------------------------------------------- Recent headlines have indicated that some major companies were affected by Remote Code Execution (RCE) vulnerabilities, just in the month of October. RCE flaws are largely exploited in the wild, and organizations are continually releasing patches to mitigate the problem. --------------------------------------------- https://www.tripwire.com/state-of-security/prevalence-rce-exploits-and-what… ∗∗∗ Attackers Can Abuse GitHub Codespaces for Malware Delivery ∗∗∗ --------------------------------------------- A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports. --------------------------------------------- https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-… ∗∗∗ Gefälschtes Post-SMS im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden per SMS gefälschte Paket-Benachrichtigungen. Darin steht, dass Ihr Paket im Sortierzentrum angekommen ist und Sie noch Importkosten zahlen müssen. Klicken Sie nicht auf den Link. Sie werden auf eine gefälschte Post-Seite geführt, wo Kriminelle Ihre Daten stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-post-sms-im-umlauf/ ∗∗∗ Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks ∗∗∗ --------------------------------------------- We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-leg… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft resolves four SSRF vulnerabilities in Azure cloud services ∗∗∗ --------------------------------------------- Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security. --------------------------------------------- https://msrc-blog.microsoft.com/2023/01/17/microsoft-resolves-four-ssrf-vul… ∗∗∗ Attacken auf kritische Lücke in ManageEngine-Produkte von Zoho bald möglich ∗∗∗ --------------------------------------------- Angreifer könnten ManageEngine-Produkte wie Access Manager Plus und Password Manager Pro mit Schadcode attackieren. --------------------------------------------- https://heise.de/-7461118 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor). --------------------------------------------- https://lwn.net/Articles/920217/ ∗∗∗ Schwere Sicherheitslücke in InRouter-Firmware von InHand Networks bedroht Roboter, Stromzähler, med. Geräte etc. ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf eine schwere Sicherheitslücke Schwachstelle CVE-2023-22598 in der InRouter-Firmware des Herstellers InHand Networks GmbH gestoßen. --------------------------------------------- https://www.borncity.com/blog/2023/01/17/schwere-sicherheitslcken-inrouter-… ∗∗∗ LDAP-Schwachstellen: Domain Controller mit Januar 2023-Updates patchen ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag zum Januar 2023-Patchday (10. Januar 2023). Administratoren sollten sich darum kümmern, dass ihre als Domain Controller fungierenden Windows Server auf dem aktuellen Patchstand sind. Denn mit den Januar 2023-Updates wurden zwei gravierende Schwachstellen im Lightweight Directory Access Protocol (LDAP) geschlossen. --------------------------------------------- https://www.borncity.com/blog/2023/01/17/ldap-schwachstellen-domain-control… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/ ∗∗∗ Security Vulnerabilities fixed in Firefox 109 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/ ∗∗∗ A vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855731 ∗∗∗ There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-22939, CVE-2021-22931, CVE-2020-7598) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855777 ∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855831 ∗∗∗ AIX is vulnerable to a buffer overflow due to X11 (CVE-2022-47990) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855827 ∗∗∗ IBM Robotic Process Automation is vulnerable to Cross-Site Scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855835 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.01.2023
by Daily end-of-shift report 16 Jan '23

16 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-01-2023 18:00 − Montag 16-01-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Viele Cacti-Server öffentlich erreichbar und verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher stoßen auf tausende über das Internet erreichbare Server mit dem IT-Monitoring-Tool Cacti. Zahlreiche Instanzen wurden noch nicht gepatcht. --------------------------------------------- https://heise.de/-7459904 ∗∗∗ CircleCI-Hack: 2FA-Zugangsdaten von Mitarbeiter ergaunert ∗∗∗ --------------------------------------------- Die Betreiber der Cloud-basierten Continuous-Integration-Plattform CircleCI haben ihren Bericht über den Sicherheitsvorfall veröffentlicht. --------------------------------------------- https://heise.de/-7460123 ∗∗∗ Gefälschte Job-Angebote im Namen der Wirtschafskammer auf Facebook ∗∗∗ --------------------------------------------- Auf Facebook kursieren gefälschte Jobangebote im Namen der Wirtschaftskammer Österreich. Die Anzeigen versprechen Gehälter zwischen 50 und 200 Euro pro Stunde. Die Wirtschaftskammern selbst warnen bereits auf Facebook vor den gefälschten Stellenangeboten. Bewerben Sie sich nicht und klicken Sie nicht auf den Link! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-job-angebote-im-namen-de… ∗∗∗ Avast releases free BianLian ransomware decryptor ∗∗∗ --------------------------------------------- Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian… ∗∗∗ Malicious ‘Lolip0p’ PyPi packages install info-stealing malware ∗∗∗ --------------------------------------------- A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packa… ∗∗∗ PSA: Why you must run an ad blocker when using Google, (Mon, Jan 16th) ∗∗∗ --------------------------------------------- Today, I just have a short public service announcement: You MUST run an adblocker while using Google. It may be best just to keep the adblocker enabled all the time. --------------------------------------------- https://isc.sans.edu/diary/rss/29438 ∗∗∗ Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware ∗∗∗ --------------------------------------------- Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed EyeSpy as part of a malware campaign that started in May 2022. --------------------------------------------- https://thehackernews.com/2023/01/beware-tainted-vpns-being-used-to.html ∗∗∗ Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software ∗∗∗ --------------------------------------------- A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020. --------------------------------------------- https://thehackernews.com/2023/01/raccoon-and-vidar-stealers-spreading.html ∗∗∗ Hacked! My Twitter user data is out on the dark web -- now what? ∗∗∗ --------------------------------------------- Your Twitter user data may now be out there too, including your phone number. Heres how to check and what you can do about it. --------------------------------------------- https://www.zdnet.com/article/hacked-my-twitter-user-data-is-out-on-the-dar… ∗∗∗ Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML ∗∗∗ --------------------------------------------- Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML. Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all [...] --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-integer-and-buff… ===================== = Vulnerabilities = ===================== ∗∗∗ PoC exploits released for critical bugs in popular WordPress plugins ∗∗∗ --------------------------------------------- Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-cr… ∗∗∗ Webbrowser: Microsoft Edge-Update schließt hochriskante Lücken ∗∗∗ --------------------------------------------- Microsoft hat in einem Update des Webbrowsers Edge Sicherheitslücken aus dem Chromium-Projekt abgedichtet. Sie schließt auch weitere hochriskante Lücken. --------------------------------------------- https://heise.de/-7459742 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp). --------------------------------------------- https://lwn.net/Articles/920120/ ∗∗∗ Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) ∗∗∗ --------------------------------------------- Im April 2021 hatten Sicherheitsforscher eine Privilege Escalation Schwachstelle im Windows RPC-Protokoll entdeckt, der eine lokale Privilegienerweiterung durch NTLM-Relay-Angriffe ermöglichte. Nun scheint ein Sicherheitsforscher auf eine nicht so bekannte Möglichkeit zur Durchführung von NTLM Reflection-Angriffen gestoßen zu sein, die er [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/15/nach-remotepotato0-kommt-die-windo… ∗∗∗ IBM Security Bulletins 2023-01-16 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM® Engineering Lifecycle Engineering products, IBM Integration Bus, IBM Maximo Asset Management, IBM MQ Internet Pass-Thru, IBM QRadar SIEM, IBM Sterling Partner Engagement Manager, IBM Tivoli Application Dependency Discovery Manager (TADDM), IBM Tivoli Netcool Configuration Manager, IBM Tivoli Network Manager (ITNM), IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM), Rational Functional Tester --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ HIMA: unquoted path vulnerabilities in X-OPC and X-OTS ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-059/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2023
by Daily end-of-shift report 13 Jan '23

13 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-01-2023 18:00 − Freitag 13-01-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fortinet says hackers exploited critical vulnerability to infect VPN customers ∗∗∗ --------------------------------------------- Remote code-execution bug was exploited to backdoor vulnerable servers. --------------------------------------------- https://arstechnica.com/?p=1909594 ∗∗∗ NortonLifeLock warns that hackers breached Password Manager accounts ∗∗∗ --------------------------------------------- Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-ha… ∗∗∗ Malware: Android-TV-Box mit vorinstallierter Schadsoftware gekauft ∗∗∗ --------------------------------------------- Auf Amazon hat ein Sicherheitsforscher eine Android-TV-Box gekauft - und entdeckte eine tief ins System integrierte Schadsoftware. --------------------------------------------- https://www.golem.de/news/malware-android-tv-box-mit-vorinstallierter-schad… ∗∗∗ Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar ∗∗∗ --------------------------------------------- Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar. --------------------------------------------- https://thehackernews.com/2023/01/cybercriminals-using-polyglot-files-in.ht… ∗∗∗ Keeping the wolves out of wolfSSL ∗∗∗ --------------------------------------------- Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS). --------------------------------------------- https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-f… ∗∗∗ Bad things come in large packages: .pkg signature verification bypass on macOS ∗∗∗ --------------------------------------------- Besides signing applications, it is also possible to sign installer packages (.pkg files). During a short review of the xar source code, we found a vulnerability (CVE-2022-42841) that could be used to modify a signed installer package without invalidating its signature. This vulnerability could be abused to bypass Gatekeeper, SIP and under certain conditions elevate privileges to root. [..] This was fixed by Apple with a 2 character fix: changing uint32_t to uint64_t in macOS 13.1. --------------------------------------------- https://sector7.computest.nl/post/2023-01-xar/ ∗∗∗ Crassus Windows privilege escalation discovery tool ∗∗∗ --------------------------------------------- Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files. The ACLs used by files and directories of privileged processes can find more than just looking for missing files to achieve the goal. --------------------------------------------- https://github.com/vullabs/Crassus ∗∗∗ Cyber-Attacken auf kritische Lücke in Control Web Panel ∗∗∗ --------------------------------------------- Cyberkriminelle greifen eine kritische Sicherheitslücke in CWP (Control Web Panel, ehemals CentOS Web Panel) an. Sie kompromittieren die verwundbaren Systeme. --------------------------------------------- https://heise.de/-7458440 ∗∗∗ Red Hat ergänzt Malware-Erkennungsdienst für RHEL ∗∗∗ --------------------------------------------- Im Rahmen von Red Hat Insights ergänzt das Unternehmen nun einen Malware-Erkennungsdienst. Der ist für RHEL 8 und 9 verfügbar. --------------------------------------------- https://heise.de/-7458189 ∗∗∗ Most Cacti Installations Unpatched Against Exploited Vulnerability ∗∗∗ --------------------------------------------- Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks. --------------------------------------------- https://www.securityweek.com/most-cacti-installations-unpatched-against-exp… ∗∗∗ Bestellen Sie nicht auf Cardione.at! ∗∗∗ --------------------------------------------- Cardione ist ein Nahrungsergänzungsmittel, das angeblich bei Bluthochdruck helfen soll. Cardione.at wirbt mit gefälschten Empfehlungen eines Arztes, es gibt keine Impressums- oder sonstige Unternehmensdaten. Wir raten: Bestellen Sie keine Cardione Tabletten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-bestellung-auf-cardione… ∗∗∗ Fake-Shop alvensleben.net imitiert Sofortüberweisung und fragt TANs ab! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor Fake-Shops wie alvensleben.net in Acht. Der Shop hat insbesondere Kinderspielzeug, Brettspiele und Sportgeräte im Sortiment, bietet aber auch Gartenmöbel und Klettergerüste sowie Bettwäsche an. Bezahlt werden soll per Sofortüberweisung. Achtung: Die Daten werden nicht an den Zahlungsdienstleister weitergeleitet, sondern von den Kriminellen abgegriffen. Später werden Sie zur Übermittlung von TAN-Codes überredet und dadurch um Ihr Geld gebracht! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alvenslebennet-imitiert-so… ∗∗∗ Microsoft ASR/Defender Update kann Desktop-/Startmenü-Verknüpfungen löschen ∗∗∗ --------------------------------------------- Wie aktuell in mehreren Medien berichtet wird, scheint das letzte Update von MS ASR/Defender Auswirkungen auf Desktop-/Startmenüverknüpfungen zu haben, und kann unter anderem dazu führen dass O365 Applikationen nicht mehr gestartet werden können. Gängiger Workaround scheint momentan zu sein, die entsprechenden Regeln auf "Audit" zu setzen. Microsoft hat die Regel wieder entfernt, es kann aber noch dauern, bis das global wirksam wird. Inzwischen wird empfohlen, im Admin Center auf SI MO497128 zu schauen. --------------------------------------------- https://cert.at/de/aktuelles/2023/1/microsoft-asrdefender-update-kann-deskt… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cacti, cacti-spine, mbedtls, postgresql-jdbc, and rust), Oracle (.NET 6.0, dbus, expat, grub2, kernel, kernel-container, libtasn1, libtiff, sqlite, and usbguard), Red Hat (rh-postgresql10-postgresql), SUSE (php7), and Ubuntu (heimdal, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi,, linux, linux-aws, linux-aws-hwe, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/919907/ ∗∗∗ IBM Security Bulletins 2023-01-13 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Data, IBM Cloud Pak for Security, IBM Security Verify Access Appliance, IBM Watson Speech Services, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1), ICP Speech to Text and Text to Speech --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CISA Releases Twelve Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/cisa-releases-twe… ∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/juniper-networks-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.01.2023
by Daily end-of-shift report 12 Jan '23

12 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-01-2023 18:00 − Donnerstag 12-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Konten leergeräumt: Neue Phishing-Welle mit Apple Pay ∗∗∗ --------------------------------------------- Mit einem ausgeklügelten Trick versuchen Kriminelle an Kreditkartendaten zu kommen. Wer Grundlegendes beachtet, ist allerdings ausreichend geschützt. --------------------------------------------- https://futurezone.at/digital-life/apple-pay-phishing-welle-mail-kreditkart… ∗∗∗ Hack: Sicherheitslücke in SugarCRM-Servern wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Etliche SugarCRM-Server in den USA und Deutschland wurden schon gehackt. Ein Hotfix wurde bereits veröffentlicht. --------------------------------------------- https://www.golem.de/news/hack-sicherheitsluecke-in-sugarcrm-servern-wird-a… ∗∗∗ Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability ∗∗∗ --------------------------------------------- Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. --------------------------------------------- https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html ∗∗∗ New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors ∗∗∗ --------------------------------------------- A new analysis of Raspberry Robins attack infrastructure has revealed that its possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. --------------------------------------------- https://thehackernews.com/2023/01/new-analysis-reveals-raspberry-robin.html ∗∗∗ IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours ∗∗∗ --------------------------------------------- A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access. --------------------------------------------- https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html ∗∗∗ Prowler v3: AWS & Azure security assessments ∗∗∗ --------------------------------------------- Prowler is an open source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. Prowler v3 is now multi-cloud with Azure added as the second supported cloud provider. --------------------------------------------- https://isc.sans.edu/diary/rss/29430 ∗∗∗ Exfiltration Over a Blocked Port on a Next-Gen Firewall ∗∗∗ --------------------------------------------- [..] all successfully exfiltrated data packets were in small formats [..], smaller than the MTU (maximum transmit unit). This meant that these data types could only be exfiltrated in single packets, rather than multiple, to avoid exceeding the MTU size. When asked about this finding, the NG-FW vendor acknowledged that "to determine which application is being used, and whether the session aligned with the protocol’s standard, the NG-FW must allow at least one packet to pass." --------------------------------------------- https://cymulate.com/blog/data-exfiltration-firewall/ ∗∗∗ Kritische Sicherheitslücke bedroht End-of-Life-Router von Cisco ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat wichtige Sicherheitsupdates für etwa verschiedene Router, IP-Telefone und Webex veröffentlicht. --------------------------------------------- https://heise.de/-7456480 ∗∗∗ AI-generated phishing attacks are becoming more convincing ∗∗∗ --------------------------------------------- Its time for you and your colleagues to become more skeptical about what you read. Thats a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harrass, and spread fake news. Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed. --------------------------------------------- https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-ar… ∗∗∗ Threema Under Fire After Downplaying Security Research ∗∗∗ --------------------------------------------- The developers of the open source secure messaging app Threema have come under fire over their public response to a security analysis conducted by researchers at the Swiss university ETH Zurich. --------------------------------------------- https://www.securityweek.com/threema-under-fire-after-downplaying-security-… ∗∗∗ SCCM Site Takeover via Automatic Client Push Installation ∗∗∗ --------------------------------------------- tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation. --------------------------------------------- https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-in… ∗∗∗ Gefährliche Fehlkonfigurationen von Active Directory-Dienstkonten ∗∗∗ --------------------------------------------- Das Identifizieren von Schwachstellen in der AD-Konfiguration kann sich als Albtraum erweisen, warnt Gastautor Guido Grillenmeier von Semperis. --------------------------------------------- https://www.zdnet.de/88406475/gefaehrliche-fehlkonfigurationen-von-active-d… ∗∗∗ Microsoft Exchange Januar 2023 Patchday-Nachlese: Dienste starten nicht etc. ∗∗∗ --------------------------------------------- Zum 10. Januar 2023 (Patchday) hat Microsoft Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software, haben aber bekannte Fehler und verursachen neue neue Probleme bei der Installation. Hier ein kurzer Überblick über den Sachstand. --------------------------------------------- https://www.borncity.com/blog/2023/01/12/microsoft-exchange-januar-2023-pat… ∗∗∗ What is Red Teaming & How it Benefits Orgs ∗∗∗ --------------------------------------------- Running real-world attack simulations can help improve organizations cybersecurity resilience --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/what-is-red-teaming.html ∗∗∗ Shodan Verified Vulns 2023-01-01 ∗∗∗ --------------------------------------------- Mit Stand 2023-01-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/1/shodan-verified-vulns-2023-01-01 ===================== = Vulnerabilities = ===================== ∗∗∗ Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001 ∗∗∗ --------------------------------------------- Description: This module enables users to create private vocabularies. The module doesnt enforce permissions appropriately for the taxonomy overview page and overview form. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-001 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (emacs, libxstream-java, and netty), Fedora (mingw-binutils, pgadmin4, phoronix-test-suite, vim, and yarnpkg), Red Hat (.NET 6.0, dbus, expat, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, postgresql:10, sqlite, systemd, usbguard, and virt:rhel and virt-devel:rhel), and SUSE (net-snmp, openstack-barbican, openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, [...] --------------------------------------------- https://lwn.net/Articles/919785/ ∗∗∗ TP-Link SG105PE vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78481846/ ∗∗∗ WAGO: Unauthenticated Configuration Export in web-based management in multiple devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-054/ ∗∗∗ Visual Studio Code Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21779 ∗∗∗ Security vulnerability in Apache CXF affects IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854685 ∗∗∗ Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854713 ∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854647 ∗∗∗ Vulnerabilities in IBM Java Runtime affect IBM WebSphere Application Servers used by IBM Master Data Management (CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854595 ∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering products using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851835 ∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to PostgreSQL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854915 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-41041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854927 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to arbitrary code execution due to [CVE-2022-25893] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854929 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-41041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854931 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily