=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-01-2023 18:00 − Wednesday 11-01-2023 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Lorenz ransomware gang plants backdoors to use months later ∗∗∗
---------------------------------------------
Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lorenz-ransomware-gang-plant…
∗∗∗ Bad Paths & The Importance of Using Valid URL Characters ∗∗∗
---------------------------------------------
To ensure that your web files and pages are accessible to a wide range of users with various different devices and operating systems, it’s important to use valid URL characters. Unsafe characters are known to cause compatibility issues with various browser clients, web servers, and even lead to incompatibility issues with web application firewalls.
---------------------------------------------
https://blog.sucuri.net/2023/01/bad-paths-the-importance-of-using-valid-url…
∗∗∗ Fake Telegram app spies on Android users ∗∗∗
---------------------------------------------
IT researchers at Eset have tracked down a fake Telegram app that spies extensively on its victims. However, it is distributed outside of Google Play.
---------------------------------------------
https://heise.de/-7455996
∗∗∗ Cybercrime Group Exploiting Old Windows Driver Vulnerability to Bypass Security Products ∗∗∗
---------------------------------------------
A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms.
---------------------------------------------
https://www.securityweek.com/cybercrime-group-exploiting-old-windows-driver…
∗∗∗ SMB “Access is denied” caused by anti-NTLM relay protection ∗∗∗
---------------------------------------------
We investigated a situation where an SMB client could not connect to an SMB server. The SMB server returned an “Access Denied” during the NTLM authentication, even though the credentials were correct and there were no restrictions on both the server-side share and client-side (notably UNC Hardened Access).
---------------------------------------------
https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntl…
∗∗∗ Dark Pink ∗∗∗
---------------------------------------------
New APT hitting Asia-Pacific, Europe that goes deeper and darker
---------------------------------------------
https://blog.group-ib.com/dark-pink-apt
=====================
= Vulnerabilities =
=====================
∗∗∗ Web browser: 17 security vulnerabilities fixed in Google Chrome ∗∗∗
---------------------------------------------
The first update of the year brings the Chrome web browser to version 109. In it, the developers close 17 vulnerabilities, some of which are high-risk.
---------------------------------------------
https://heise.de/-7455130
∗∗∗ Patch day: Malicious-code attacks on Adobe InCopy and InDesign possible ∗∗∗
---------------------------------------------
Adobe's developers have closed dangerous security vulnerabilities in several applications.
---------------------------------------------
https://heise.de/-7455222
∗∗∗ Patch day: Attackers gain system privileges on Windows ∗∗∗
---------------------------------------------
Microsoft has released important security updates for Exchange Server, Office and Windows, among others.
---------------------------------------------
https://heise.de/-7455122
∗∗∗ Exploit code sighted: Attacks on IT monitoring tool Cacti possible ∗∗∗
---------------------------------------------
Attackers could target a critical security vulnerability in Cacti and execute malicious code on servers.
---------------------------------------------
https://heise.de/-7455833
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (exiv2, hsqldb, libjettison-java, ruby-sinatra, and viewvc), Fedora (golang-github-docker, mbedtls, and vim), Gentoo (alpine, commons-text, jupyter_core, liblouis, mbedtls, ntfs3g, protobuf-java, scikit-learn, and twisted), Red Hat (kernel and kpatch-patch), SUSE (rubygem-activerecord-5.2, tiff, and webkit2gtk3), and Ubuntu (dotnet6, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-oracle, linux-ibm, and linux-oem-5.17, linux-oem-6.0).
---------------------------------------------
https://lwn.net/Articles/919649/
∗∗∗ Unpatchable Hardware Vulnerability Allows Hacking of Siemens PLCs ∗∗∗
---------------------------------------------
Researchers at firmware security company Red Balloon Security have discovered a potentially serious vulnerability affecting many of Siemens’ programmable logic controllers (PLCs).
---------------------------------------------
https://www.securityweek.com/unpatchable-hardware-vulnerability-allows-hack…
∗∗∗ Exchange Server security updates (January 10, 2023), patch urgently ∗∗∗
---------------------------------------------
On January 10, 2023, Microsoft released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. These security updates close two vulnerabilities (Elevation of Privilege and Spoofing) in this software.
---------------------------------------------
https://www.borncity.com/blog/2023/01/11/exchange-server-sicherheitsupdates…
∗∗∗ AMD Client Vulnerabilities - January 2023 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500539-AMD-CLIENT-VULNERABILIT…
∗∗∗ AMD Server Vulnerabilities - January 2023 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500538-AMD-SERVER-VULNERABILIT…
∗∗∗ Multiple Vulnerabilities in IBM Java SDK affects Liberty for Java for IBM Cloud due to the October 2022 CPU plus CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854413
∗∗∗ Vulnerability in IBM WebSphere Liberty Profile affects IBM InfoSphere Identity Insight (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854451
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854571
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to OpenSSL as a part of Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854575
∗∗∗ IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854577
∗∗∗ The IBM Engineering System Design Rhapsody products on IBM Jazz Technology contains additional security fixes for Log4j vulnerabilities CVE-2021-4104 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6825215
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-01-2023 18:00 − Tuesday 10-01-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Interview: Sönke Huster on vulnerabilities in the Linux kernel's WLAN stack ∗∗∗
---------------------------------------------
Sönke Huster has found security vulnerabilities in the Linux kernel's WLAN stack that theoretically make an attack possible merely because WLAN is switched on.
---------------------------------------------
https://heise.de/-7447684
∗∗∗ Meeting client Zoom vulnerable on Android, macOS and Windows ∗∗∗
---------------------------------------------
After successful attacks on Zoom Rooms, attackers could, for example, gain root privileges on macOS. Security updates are available.
---------------------------------------------
https://heise.de/-7453606
∗∗∗ Source code editor Visual Studio Code: Fake extensions are easy to disguise ∗∗∗
---------------------------------------------
Security researchers published an extension disguised as Prettier in the marketplace, which reached a good 1000 downloads within 48 hours.
---------------------------------------------
https://heise.de/-7453534
∗∗∗ Patch day: SAP addresses four critical vulnerabilities ∗∗∗
---------------------------------------------
SAP is delivering updates to fix security vulnerabilities, some of them critical, in the vendor's products. IT managers should install them quickly.
---------------------------------------------
https://heise.de/-7454402
∗∗∗ Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges ∗∗∗
---------------------------------------------
On Oct 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via F5 vulnerability with zero VT detection, our system observes that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, this caught our attention.
---------------------------------------------
https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/
∗∗∗ New year, old tricks: Hunting for CircleCI configuration files, (Mon, Jan 9th) ∗∗∗
---------------------------------------------
I have written before about attackers looking for exposed configuration files. Configuration files often include credentials or other sensitive information. Today, I noticed some scans for a file called "/.circleci/config.yml". Given the recent breach at CircleCI, I dug in a bit deeper.
---------------------------------------------
https://isc.sans.edu/diary/rss/29416
∗∗∗ ChatGPT-Written Malware ∗∗∗
---------------------------------------------
I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild. …within a few weeks of ChatGPT going live, participants in cybercrime forums—some with little or no coding experience—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html
∗∗∗ Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL ∗∗∗
---------------------------------------------
The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week.
---------------------------------------------
https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html
∗∗∗ The Dark Side of Gmail ∗∗∗
---------------------------------------------
Behind one of Gmail’s lesser-known features lies a potential threat to websites and platforms managers.
---------------------------------------------
https://osintmatter.com/the-dark-side-of-gmail/
∗∗∗ Crypto-inspired Magecart skimmer surfaces via digital crime haven ∗∗∗
---------------------------------------------
One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspir…
∗∗∗ Malware-based attacks on ATMs - A summary ∗∗∗
---------------------------------------------
Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics.
---------------------------------------------
https://blog.nviso.eu/2023/01/10/malware-based-attacks-on-atms-a-summary/
=====================
= Vulnerabilities =
=====================
∗∗∗ Securepoint UTM: Hotfix closes critical security vulnerability ∗∗∗
---------------------------------------------
A critical security vulnerability gapes in Securepoint UTM. The company has provided a hotfix that seals the vulnerability.
---------------------------------------------
https://heise.de/-7453560
∗∗∗ UEFI security vulnerabilities threaten ARM devices such as Microsoft Surface ∗∗∗
---------------------------------------------
Supply chain attacks possible: Attackers could bypass the Secure Boot protection mechanism on Lenovo ThinkPads and Microsoft Surface.
---------------------------------------------
https://heise.de/-7454141
∗∗∗ Eleven Vulnerabilities Patched in Royal Elementor Addons ∗∗∗
---------------------------------------------
On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day.
---------------------------------------------
https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-ro…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/919543/
∗∗∗ 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider ∗∗∗
---------------------------------------------
The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/2023-ics-patch-tuesday-debuts-12-security-advi…
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on January 10, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations:
ICSA-23-010-01 Black Box KVM
ICSA-22-298-07 Delta Electronics InfraSuite Device Master (Update A)
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/01/10/cisa-releases-two…
∗∗∗ Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered ∗∗∗
---------------------------------------------
Cisco Talos recently discovered three vulnerabilities in Asus router software. The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-asus-router-acce…
∗∗∗ IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗
---------------------------------------------
CICS Transaction Gateway, IBM Answer Retrieval for Watson Discovery, IBM Business Automation Workflow, IBM Cloud Object Storage Systems, IBM Master Data Management, IBM Maximo Application Suite, IBM Sterling Partner Engagement Manager, IBM WebSphere Application Server, TADDM
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Siemens Security Advisories (7 new, 15 updated) ∗∗∗
---------------------------------------------
SSA-997779 V1.0: File Parsing Vulnerability in Solid Edge before V2023 MP1
SSA-936212 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Solid Edge
SSA-712929 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products
SSA-710008 V1.2 (Last Update: 2023-01-10): Multiple Web Vulnerabilities in SCALANCE Products
SSA-697140 V1.1 (Last Update: 2023-01-10): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products
SSA-593272 V1.9 (Last Update: 2023-01-10): SegmentSmack in Interniche IP-Stack based Industrial Devices
SSA-592007 V1.9 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Products
SSA-552702 V1.3 (Last Update: 2023-01-10): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products
SSA-547714 V1.1 (Last Update: 2023-01-10): Argument Injection Vulnerability in SIMATIC WinCC OA Ultralight Client
SSA-496604 V1.0: Cross-Site Scripting Vulnerability in Mendix SAML Module
SSA-482757 V1.0: Missing Immutable Root of Trust in S7-1500 CPU devices
SSA-480230 V2.5 (Last Update: 2023-01-10): Denial of Service Vulnerability in Webserver of Industrial Products
SSA-478960 V1.2 (Last Update: 2023-01-10): Missing CSRF Protection in the Web Server Login Page of Industrial Controllers
SSA-476715 V1.0: Two Vulnerabilities in Automation License Manager
SSA-473245 V2.5 (Last Update: 2023-01-10): Denial-of-Service Vulnerability in Profinet Devices
SSA-446448 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack
SSA-431678 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerability in SIMATIC S7 CPU Families
SSA-382653 V1.1 (Last Update: 2023-01-10): Multiple Denial of Service Vulnerabilities in Industrial Products
SSA-349422 V1.8 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Real-Time (IRT) Devices
SSA-332410 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 1
SSA-210822 V1.1 (Last Update: 2023-01-10): Improper Access Control Vulnerability in Mendix Workflow Commons Module
SSA-113131 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerabilities in SIMATIC S7-400 CPUs
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html?d=2023-01#Sec…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-01-2023 18:00 − Monday 09-01-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Security: CircleCI customer secrets apparently completely compromised ∗∗∗
---------------------------------------------
CircleCI urgently warns customers to rotate all secrets. Builds and networks may have been compromised for more than two weeks.
---------------------------------------------
https://www.golem.de/news/security-kunden-secrets-von-circleci-wohl-komplet…
∗∗∗ Encryption: RSA destroyed? Experts are doubtful ∗∗∗
---------------------------------------------
A new algorithm allegedly cracks RSA encryption faster than ever before, this time with a quantum computer. Experts doubt it.
---------------------------------------------
https://heise.de/-7449806
∗∗∗ Rust: up to 2500 projects vulnerable to DoS through the Hyper library ∗∗∗
---------------------------------------------
If Hyper's to_bytes function has no length limit, DoS attacks can be carried out quickly. The official documentation provides a remedy.
---------------------------------------------
https://heise.de/-7451019
∗∗∗ BaFin warns of "Godfather" banking trojan ∗∗∗
---------------------------------------------
BaFin warns of a banking trojan that attacks Android devices. The malware, called "Godfather", can spy on 400 international financial institutions.
---------------------------------------------
https://heise.de/-7453238
∗∗∗ Android malware: New version of SpyNote steals banking data ∗∗∗
---------------------------------------------
It is distributed via phishing emails. The source code of SpyNote has been freely available since October 2022. Since then, SpyNote activity has increased significantly.
---------------------------------------------
https://www.zdnet.de/88406317/android-malware-neue-version-von-spynote-stie…
∗∗∗ Free decryption tool for MegaCortex ransomware released ∗∗∗
---------------------------------------------
The tool is a joint development by Bitdefender and No More Ransom. It works with all variants of MegaCortex.
---------------------------------------------
https://www.zdnet.de/88406357/kostenloses-entschluesselungs-tool-fuer-ranso…
∗∗∗ Windows 11: set the GPO "Enable MPR notifications ..." for security ∗∗∗
---------------------------------------------
A small tip for administrators who are gradually introducing Windows 11 in corporate environments. With the operating system's default settings, the Winlogon credentials can be read in plain text using a simple DLL. The new group policy "Enable MPR notifications" is now meant to prevent this.
---------------------------------------------
https://www.borncity.com/blog/2023/01/08/windows-11-gpo-enable-mpr-notifica…
∗∗∗ VSCode Marketplace can be abused to host malicious extensions ∗∗∗
---------------------------------------------
Threat analysts at AquaSec have experimented with the security of VSCode Marketplace and found that it's surprisingly easy to upload malicious extensions from accounts that appear verified on the platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-a…
∗∗∗ Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls ∗∗∗
---------------------------------------------
Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT (remote access trojan) malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-crea…
∗∗∗ Unraveling the techniques of Mac ransomware ∗∗∗
---------------------------------------------
Understanding how Mac ransomware works is critical in protecting today’s hybrid environments. We analyzed several known Mac ransomware families and highlighted these families’ techniques, which defenders can study further to prevent attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-tec…
∗∗∗ Finding & Removing Malware From Weebly Sites ∗∗∗
---------------------------------------------
Weebly is an easy-to-use website builder that allows admins to quickly create and publish responsive blogs and sites. Website builder environments are usually considered to be very safe and not prone to malware infections, but during a recent investigation I found some malicious behavior which revealed that even closed proprietary systems for WYSIWYG website builders like Weebly can be abused.
---------------------------------------------
https://blog.sucuri.net/2023/01/finding-removing-malware-from-weebly-sites.…
∗∗∗ Dridex Malware Now Attacking macOS Systems with Novel Infection Method ∗∗∗
---------------------------------------------
A variant of the infamous Dridex banking malware has set its sights on Apple's macOS operating system using a previously undocumented infection method, according to latest research.
---------------------------------------------
https://thehackernews.com/2023/01/dridex-malware-now-attacking-macos.html
∗∗∗ LummaC2 Stealer: A Potent Threat to Crypto Users ∗∗∗
---------------------------------------------
During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine.
---------------------------------------------
https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto…
∗∗∗ Unwrapping Ursnif's Gifts ∗∗∗
---------------------------------------------
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment [...]
---------------------------------------------
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
∗∗∗ Distribution of NetSupport RAT Malware Disguised as a Pokemon Game ∗∗∗
---------------------------------------------
NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems.
---------------------------------------------
https://asec.ahnlab.com/en/45312/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical security vulnerability in MatrixSSL allows code injection ∗∗∗
---------------------------------------------
IT researchers have discovered a security vulnerability rated as critical in the IoT library MatrixSSL. It could allow attackers to inject code.
---------------------------------------------
https://heise.de/-7453087
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libetpan and smarty3), SUSE (libksba, rpmlint-mini, tcl, and xrdp), and Ubuntu (curl, firefox, and linux-oem-5.14).
---------------------------------------------
https://lwn.net/Articles/919202/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python2.7), SUSE (ca-certificates-mozilla, libksba, and ovmf), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, [...]
---------------------------------------------
https://lwn.net/Articles/919422/
∗∗∗ Critical security vulnerability discovered in open-source project JsonWebToken ∗∗∗
---------------------------------------------
Under certain circumstances, the vulnerability allows remote code execution. Users should switch to the fixed version 9.0.0 of JsonWebToken.
---------------------------------------------
https://www.zdnet.de/88406385/kritische-sicherheitsluecke-in-open-source-pr…
∗∗∗ ThinkPad X13s: BIOS update closes vulnerabilities ∗∗∗
---------------------------------------------
In a security advisory, the manufacturer Lenovo has pointed out a number of vulnerabilities in the BIOS of the ThinkPad X13s. These allow memory corruption and information disclosure. A BIOS update is available to close the vulnerabilities.
---------------------------------------------
https://www.borncity.com/blog/2023/01/07/thinkpad-x13s-bios-update-schliet-…
∗∗∗ IBM Security Bulletins 2023-01-06 - 2023-01-09 ∗∗∗
---------------------------------------------
AIX, CICS Transaction Gateway, Enterprise Content Management System Monitor, IBM App Connect Enterprise, IBM Business Automation Workflow, IBM Connect:Direct Web Services, IBM InfoSphere Information Server, IBM Integration Bus, IBM Maximo Application Suite, IBM MQ, IBM Process Mining, IBM Robotic Process Automation for Cloud Pak, IBM Spectrum Protect Server, IBM SPSS Analytic Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct Web Services, IBM Tivoli Netcool Impact, Power HMC
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877 ∗∗∗
---------------------------------------------
https://github.com/numanturle/CVE-2022-44877
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-01-2023 18:00 − Thursday 05-01-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Bluebottle hackers used signed Windows driver in attacks on banks ∗∗∗
---------------------------------------------
A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bluebottle-hackers-used-sign…
∗∗∗ SpyNote Android malware infections surge after source code leak ∗∗∗
---------------------------------------------
The Android malware family tracked as SpyNote (or SpyMax) has had a sudden increase in detections in the final quarter of 2022, which is attributed to a source code leak of one of its latest, known as CypherRat.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spynote-android-malware-infe…
∗∗∗ PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources ∗∗∗
---------------------------------------------
We take a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin.
---------------------------------------------
https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
∗∗∗ ProxyNotShell Mitigations K.O. ∗∗∗
---------------------------------------------
Why is ProxyNotShell still an issue? Didn't Microsoft close the vulnerabilities at the beginning of November? In short, because many relied on Microsoft's latest mitigation instead of the November patch.
---------------------------------------------
https://cert.at/de/blog/2023/1/proxynotshell-mitigations-ko
∗∗∗ The dos and don’ts of ransomware negotiations ∗∗∗
---------------------------------------------
Has your organization suddenly been attacked by a ransomware virus? Take a deep breath and try to remain composed. It can be easy to panic or become overwhelmed in the face of an attack, but it is vital to remain calm and focused in order to make the best decisions for your organization.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/the-dos-and-donts-o…
∗∗∗ Dridex Returns, Targets MacOS Using New Entry Method ∗∗∗
---------------------------------------------
The Dridex variant we analyzed targets MacOS platforms with a new technique to deliver documents embedded with malicious macros to users.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2023-01-05 ∗∗∗
---------------------------------------------
AIX, IBM Content Navigator, IBM Maximo Application Suite, IBM Robotic Process Automation, IBM Robotic Process Automation for Cloud Pak, IBM Security Verify Governance, IBM Sterling B2B Integrator, IBM TXSeries for Multiplatforms, IBM Tivoli Network Manager, ITNM, Operations Dashboard, TADDM, IBM Cloud Object Storage Systems
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Zoho fixes database vulnerability in Password Manager Pro and access control software ∗∗∗
---------------------------------------------
There are important security updates for the ManageEngine products Access Manager Plus, PAM360 and Password Manager Pro.
---------------------------------------------
https://heise.de/-7449108
∗∗∗ Patchday: Critical kernel vulnerabilities threaten Android ∗∗∗
---------------------------------------------
Google is making Android versions 10, 11, 12, 12L and 13, secured against possible attacks, available for download. Attackers can gain user privileges.
---------------------------------------------
https://heise.de/-7449147
∗∗∗ Fortinet plugs malicious-code vulnerabilities in network products ∗∗∗
---------------------------------------------
Attackers could, among other things, gain unauthorized access to FortiManager. Security updates are available for download.
---------------------------------------------
https://heise.de/-7449288
∗∗∗ Security patch: Attackers could take over systems running IBM Tivoli Monitoring ∗∗∗
---------------------------------------------
Vulnerabilities in several components threaten the system and network monitoring solution IBM Tivoli Monitoring.
---------------------------------------------
https://heise.de/-7449768
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (binwalk), Oracle (kernel and webkit2gtk3), Red Hat (webkit2gtk3), Slackware (vim), and Ubuntu (libksba and nautilus).
---------------------------------------------
https://lwn.net/Articles/919112/
∗∗∗ Hitachi Energy UNEM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-005-01
∗∗∗ Hitachi Energy FOXMAN-UN ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-005-02
∗∗∗ Hitachi Energy Lumada Asset Performance Management ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-005-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-01-2023 18:00 − Wednesday 04-01-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch now! 60,000 Exchange servers still vulnerable to ProxyNotShell attacks ∗∗∗
---------------------------------------------
Security researchers warn of vulnerable Exchange servers. 30,000 of them are in Europe, most of them in Germany. Security patches are available.
---------------------------------------------
https://heise.de/-7448029
∗∗∗ l+f: Flipper Zero – dolphin on a phishing tour ∗∗∗
---------------------------------------------
Be careful when buying the popular hacking gadget Flipper Zero. Cybercriminals have set up fake shops to rip off interested buyers.
---------------------------------------------
https://heise.de/-7448371
∗∗∗ Only one week left: End of support for Windows 8.1 ∗∗∗
---------------------------------------------
The final hours of Windows 8.1 have arrived. In less than a week, Microsoft will end support for Windows 8.1 for good.
---------------------------------------------
https://heise.de/-7448516
∗∗∗ Update to RTRBK - Diff and File Dates in PowerShell, (Wed, Jan 4th) ∗∗∗
---------------------------------------------
I use my RTRBK script pretty much every week, every single time that I work with a client that doesn't have their network gear in a backup cycle in fact. (for a review of this tool, see the original post https://isc.sans.edu/diary/RTRBK+Router+Switch+Firewall+Backups+in+PowerShe… ) Anyway, I was considering how I could improve this script, aside from adding more and more device types to the backups. A "diff" report was my obvious first thought - [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/29400
∗∗∗ Breaking RSA with a Quantum Computer ∗∗∗
---------------------------------------------
A group of Chinese researchers have just published a paper claiming that they can—although they have not yet done so—break 2048-bit RSA. This is something to take seriously. It might not be correct, but it’s not obviously wrong. We have long known from Shor’s algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the orders of millions of qbits, to factor anything resembling the key sizes we use today. What the researchers have done is combine classical lattice reduction factoring techniques with a quantum approximate optimization algorithm.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-…
∗∗∗ Android's First Security Updates for 2023 Patch 60 Vulnerabilities ∗∗∗
---------------------------------------------
Google announced on Tuesday the first Android security updates for 2023, which patch a total of 60 vulnerabilities. The first part of the update, which arrives on devices as the 2023-01-01 security patch level, addresses 19 security defects in the Framework and System components.
---------------------------------------------
https://www.securityweek.com/androids-first-security-updates-2023-patch-60-…
∗∗∗ Ransomware predictions in 2023: more gov’t action and a pivot to data extortion ∗∗∗
---------------------------------------------
There were thousands of ransomware attacks in 2022, from breaches targeting militaries to incidents that brought entire governments to a standstill. Ransomware giants like Conti closed shop, while groups like LockBit and Hive took their place, attacking thousands of hospitals, governments, businesses and schools across the world. So what does 2023 have in store for us?
---------------------------------------------
https://therecord.media/ransomware-predictions-in-2023-more-govt-action-and…
∗∗∗ DeTT&CT: Automate your detection coverage with dettectinator ∗∗∗
---------------------------------------------
Last year, I published an article on mapping detection to the MITRE ATT&CK framework using DeTT&CT. In the article, we introduced DeTT&CT and explored its features and usage. If you missed it, you can find the article here. Although, after writing that article, I encountered some challenges. For instance, I considered using DeTT&CT in a production environment but there were hundreds of existing detection rules to consider, and it would have been a tedious process to manually create the necessary YAML file for building a detection coverage layer.
---------------------------------------------
https://blog.nviso.eu/2023/01/04/dettct-automate-your-detection-coverage-wi…
∗∗∗ Shc Linux Malware Installing CoinMiner ∗∗∗
---------------------------------------------
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
---------------------------------------------
https://asec.ahnlab.com/en/45182/
∗∗∗ Three easy steps to dramatically improve your AWS security posture: Step 1, set up IAM properly ∗∗∗
---------------------------------------------
Have you ever heard the saying that the greatest benefit of the cloud is that limitless resources can be spun-up with just a few clicks of the mouse? If so, you would be best served by forgetting that saying altogether. Just because cloud resources can be spun-up with a few clicks of the mouse does not mean that they should be. Rather, prior to launching anything in the cloud, careful consideration and planning are a necessity.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/three-easy-steps-to…
=====================
= Vulnerabilities =
=====================
∗∗∗ January 2023 Vulnerability Advisories ∗∗∗
---------------------------------------------
FortiTester (CVSS Score: 7.6), FortiPortal (CVSS Score: 6.6), FortiWeb (CVSS Score: 5.3), FortiManager (CVSS Score: 6), FortiADC (CVSS Score: 8.6)
---------------------------------------------
https://fortiguard.fortinet.com/psirt-monthly-advisory/january-2023-vulnera…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (xorg-x11-server-Xwayland), Red Hat (webkit2gtk3), SUSE (rmt-server), and Ubuntu (freeradius).
---------------------------------------------
https://lwn.net/Articles/919051/
∗∗∗ IBM Security Bulletins 2023-01-04 ∗∗∗
---------------------------------------------
IBM Common Licensing's Administration And Reporting Tool (ART), IBM DataPower Gateway, IBM Global Mailbox, IBM Integration Bus, IBM MQ, IBM Security Verify Governance, IBM Sterling Global Mailbox, IBM WebSphere MQ, IBM WebSphere Message Broker, ITNM
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 02-01-2023 18:00 − Tuesday 03-01-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ BMW, Mercedes, Kia, Porsche: Security researchers hack numerous car manufacturers ∗∗∗
---------------------------------------------
Researchers managed to hack the API endpoints of numerous car manufacturers such as BMW or Kia; everything from account takeover to vehicle takeover was possible.
---------------------------------------------
https://www.golem.de/news/bmw-mercedes-kia-porsche-sicherheitsforscher-hack…
∗∗∗ Malicious code on PyPI: Supply-chain attack on PyTorch nightly builds ∗∗∗
---------------------------------------------
Anyone who recently installed PyTorch-nightly on Linux via pip received malicious code. The PyTorch team has initiated countermeasures.
---------------------------------------------
https://heise.de/-7447195
∗∗∗ It's about time: OS Fingerprinting using NTP, (Tue, Jan 3rd) ∗∗∗
---------------------------------------------
Most current operating systems, including many small systems like IoT devices, use some form of NTP to sync time. NTP is lightweight and reasonably accurate in most use cases to synchronize time across the internet with millisecond accuracy [1]. Some protocols, like PTP, are more accurate but are designed for local networks and may require special hardware on the host [2]. Smaller systems with less stringent accuracy requirements sometimes use SNTP, a variant of NTP.
---------------------------------------------
https://isc.sans.edu/diary/rss/29394
∗∗∗ Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe ∗∗∗
---------------------------------------------
Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar. "What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.
---------------------------------------------
https://thehackernews.com/2023/01/raspberry-robin-worm-evolves-to-attack.ht…
∗∗∗ Cloud Metadata - AWS IAM Credential Abuse ∗∗∗
---------------------------------------------
[...] In this run through we have a vulnerable AWS EC2 instance configured to use IMDSv1 (Instance Metadata Service) which we will exploit, escalate our privileges and carry out post-compromise activities. While not every AWS EC2 instance has an associated IAM role (AWS Identity and Access Management), when they do these role profiles contain credentials/keys.
---------------------------------------------
https://sneakymonkey.net/cloud-credential-abuse/
∗∗∗ SSRF vulnerabilities caused by SNI proxy misconfigurations ∗∗∗
---------------------------------------------
SNI proxies are load balancers that use the SNI extension field to select backend systems. When misconfigured, SNI proxies can be vulnerable to SSRF attacks that provide access to web application backends.
---------------------------------------------
https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sn…
∗∗∗ Exploiting GraphQL Query Depth ∗∗∗
---------------------------------------------
GraphQL was created and developed with flexibility in mind: clients should be given the power to ask for exactly what they need and nothing more. Much of this flexibility involves allowing customers to execute multiple queries in a single request, [...]
---------------------------------------------
https://checkmarx.com/blog/exploiting-graphql-query-depth/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2023-01-03 ∗∗∗
---------------------------------------------
IBM Business Automation Workflow, IBM InfoSphere Information Server, IBM Integrated Analytics System, IBM Process Mining, IBM Security SOAR, IBM Security Verify Governance, IBM Sterling B2B Integrator, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, Rational Directory Server (Tivoli) & Rational Directory Administrator
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Trend Micro's security solution Maximum Security needs a security patch ∗∗∗
---------------------------------------------
Attackers could attack Windows PCs running security software from Trend Micro. A security patch is available.
---------------------------------------------
https://heise.de/-7446553
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir).
---------------------------------------------
https://lwn.net/Articles/918965/
∗∗∗ ThinkPad X13s BIOS Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500537
=====================
= End-of-Day report =
=====================
Timeframe: Friday 30-12-2022 18:00 − Monday 02-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ EarSpy eavesdropping attack on smartphones: Researchers succeed in eavesdropping remotely ∗∗∗
---------------------------------------------
Ear speakers built into mobile phones are becoming ever more powerful. The downside is that the tiny vibrations they cause are more revealing.
---------------------------------------------
https://heise.de/-7444910
∗∗∗ Around 230 million Deezer records added to Have I been pwned ∗∗∗
---------------------------------------------
In a break-in at a Deezer service provider, around 230 million records could apparently be copied. Have I been pwned has now added them.
---------------------------------------------
https://heise.de/-7445237
∗∗∗ Security risk Microsoft Outlook app: Transmits credentials and emails to the cloud ∗∗∗
---------------------------------------------
At the start of 2023 I am once again raising a topic that I already addressed here on the blog in 2015 and in January 2021. It concerns the Microsoft Outlook app, which is offered for Android and iOS devices and, in my opinion, widely used [...]
---------------------------------------------
https://www.borncity.com/blog/2023/01/01/sicherheitsrisiko-microsoft-outloo…
∗∗∗ Ransomware gang cloned victim’s website to leak stolen data ∗∗∗
---------------------------------------------
The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victim's site to publish stolen data on it.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victi…
∗∗∗ NetworkMiner 2.8 Released, (Mon, Jan 2nd) ∗∗∗
---------------------------------------------
First of all, happy new year to all our Readers! There exist tools that are very popular for a long time because they are regularly updated and... just make the job! NetworkMiner is one of them (the first release was in 2007). I don't use it regularly but it is part of my forensic toolbox for a while and already helped me in many investigations.
---------------------------------------------
https://isc.sans.edu/diary/rss/29390
∗∗∗ WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws ∗∗∗
---------------------------------------------
WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week.
---------------------------------------------
https://thehackernews.com/2023/01/wordpress-security-alert-new-linux.html
∗∗∗ Python developers, uninstall this malicious package right now ∗∗∗
---------------------------------------------
If you're a Python developer and one who is accustomed to installing the latest preview builds of libraries, you might want to take immediate mitigative action. PyTorch, an open-source machine learning framework initially developed by Meta and now under the Linux Foundation, has seemingly been the target of a supply chain attack, which has potentially led to many users installing a malicious package.
---------------------------------------------
https://www.neowin.net/news/python-developers-uninstall-this-malicious-pack…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗
---------------------------------------------
IBM Content Collector, IBM Tivoli Monitoring
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Patch now: Netgear closes high-risk vulnerability in several routers ∗∗∗
---------------------------------------------
Netgear recommends an urgent security update for several of its router models. Models in the Nighthawk series are also affected by the vulnerability.
---------------------------------------------
https://heise.de/-7444672
∗∗∗ Synology warns of critical vulnerability in VPN Plus Server ∗∗∗
---------------------------------------------
Anyone using Synology routers as a VPN server must update the software promptly. Otherwise a critical vulnerability allows attackers to inject code.
---------------------------------------------
https://heise.de/-7444783
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918883/
∗∗∗ Vulnerabilities in Java and IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights - CVE-2022-34165, CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852357
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 29-12-2022 18:00 − Friday 30-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Netgear warns users to patch recently fixed WiFi router bug ∗∗∗
---------------------------------------------
Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch…
∗∗∗ New Linux malware uses 30 plugin exploits to backdoor WordPress sites ∗∗∗
---------------------------------------------
A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-pl…
∗∗∗ Security Update Guide Improvement – Representing Hotpatch Updates ∗∗∗
---------------------------------------------
Today we are updating the way Microsoft Security Update Guide (SUG) represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/12/29/security-update-guide-improvemen…
∗∗∗ Opening the Door for a Knock: Creating a Custom DShield Listener, (Thu, Dec 29th) ∗∗∗
---------------------------------------------
There are a variety of services listening for connections on DShield honeypots. Different systems scanning the internet can connect to these listening services due to exceptions in the firewall. Any attempted connections blocked by the firewall are logged and can be analyzed later. This can be useful to see TCP port connection attempts, but its usefulness is limited.
---------------------------------------------
https://isc.sans.edu/diary/rss/29382
∗∗∗ SPF and DMARC use on GOV domains in different ccTLDs, (Fri, Dec 30th) ∗∗∗
---------------------------------------------
Although e-mail is one of the cornerstones of modern interpersonal communication, its underlying Simple Mail Transfer Protocol (SMTP) is far from what we might call robust or secure. By itself, the protocol lacks any security features related to ensuring (among other factors) integrity or authenticity of transferred data or the identity of their sender, and creating a “spoofed” e-mail is therefore quite easy.
---------------------------------------------
https://isc.sans.edu/diary/rss/29384
∗∗∗ CISA Warns of Active exploitation of JasperReports Vulnerabilities ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two-years-old security flaws impacting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively.
---------------------------------------------
https://thehackernews.com/2022/12/cisa-warns-of-active-exploitation-of.html
∗∗∗ ENLBufferPwn (CVE-2022-47949) ∗∗∗
---------------------------------------------
ENLBufferPwn is a vulnerability in the common network code of several first party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victim's console by just having an online game with them (remote code execution).
---------------------------------------------
https://github.com/PabloMK7/ENLBufferPwn
∗∗∗ Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463 ∗∗∗
---------------------------------------------
Welcome to the third and final installment of the “Chrome Browser Exploitation” series. The main objective of this series has been to provide an introduction to browser internals and delve into the topic of Chrome browser exploitation on Windows in greater depth.
---------------------------------------------
https://jhalon.github.io/chrome-browser-exploitation-3/
∗∗∗ EU cybersecurity rules soon in force: Around 20,000 companies affected ∗∗∗
---------------------------------------------
The EU has published the revised Directive on Network and Information Security (NIS2) in the Official Journal. The countdown to implementation in Germany is running.
---------------------------------------------
https://heise.de/-7444366
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗
---------------------------------------------
IBM Cloud Pak for Automation, IBM Cloud Pak for Business Automation, IBM Cloud Application Business Insights, IBM Cloud Transformation Advisor, Tivoli Netcool/OMNIbus, Netcool/System Service Monitor
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918778/
∗∗∗ Synology-SA-22:26 VPN Plus Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_26
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 28-12-2022 18:00 − Thursday 29-12-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Google Home speakers allowed hackers to snoop on conversations ∗∗∗
---------------------------------------------
A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed…
∗∗∗ WordPress Vulnerability & Patch Roundup December 2022 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
---------------------------------------------
https://blog.sucuri.net/2022/12/wordpress-vulnerability-patch-roundup-decem…
∗∗∗ The Worst Hacks of 2022 ∗∗∗
---------------------------------------------
The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks.
---------------------------------------------
https://www.wired.com/story/worst-hacks-2022/
∗∗∗ New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection ∗∗∗
---------------------------------------------
We recently discovered ransomware, which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses.
---------------------------------------------
https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hi…
∗∗∗ One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware. (arXiv:2212.13716v1 [cs.CR]) ∗∗∗
---------------------------------------------
Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware.
---------------------------------------------
http://arxiv.org/abs/2212.13716
∗∗∗ A survey and analysis of TLS interception mechanisms and motivations. (arXiv:2010.16388v2 [cs.CR] UPDATED) ∗∗∗
---------------------------------------------
TLS is an end-to-end protocol designed to provide confidentiality and integrity guarantees that improve end-user security and privacy. While TLS helps defend against pervasive surveillance of intercepted unencrypted traffic, it also hinders several common beneficial operations typically performed by middleboxes on the network traffic.
---------------------------------------------
http://arxiv.org/abs/2010.16388
∗∗∗ HardCIDR – Network CIDR and Range Discovery Tool ∗∗∗
---------------------------------------------
HardCIDR is a Linux Bash script to discover the netblocks, or ranges, (in CIDR notation) owned by the target organization during the intelligence gathering phase of a penetration test.
---------------------------------------------
https://www.darknet.org.uk/2022/12/hardcidr-network-cidr-and-range-discover…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting ∗∗∗
---------------------------------------------
The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918715/
∗∗∗ Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers ∗∗∗
---------------------------------------------
Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.
---------------------------------------------
https://www.securityweek.com/several-dos-code-execution-vulnerabilities-fou…
∗∗∗ Thousands of unpatched Citrix servers open to attack via critical vulnerabilities ∗∗∗
---------------------------------------------
In recent months, Citrix has released security updates for critical vulnerabilities in Citrix ADC and Gateway products and published corresponding security advisories.
---------------------------------------------
https://www.borncity.com/blog/2022/12/29/ungepatchte-citrix-server-zu-tause…
∗∗∗ (Non-US) DIR-825/EE : H/W Rev. R2 & DIR-825/AC Rev. G1A:: F/W 1.0.9 :: Multiple Vulnerabilities by Trend Micro, the Zero Day Initiative (ZDI) ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ IBM Synthetic Playback Agent is vulnerable due to its use of Apache Commons Text [CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852105
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-12-2022 18:00 − Wednesday 28-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ AI wonder ChatGPT can generate malicious e-mails and code ∗∗∗
---------------------------------------------
Check Point Research (CPR) warns of hackers who could use OpenAI's ChatGPT and Codex to carry out targeted cyberattacks.
https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hac…
---------------------------------------------
https://www.zdnet.de/88406214/ki-wunder-chatgpt-kann-boesartige-e-mails-und…
∗∗∗ Is an Exchange ProxyNotShell disaster looming at the turn of the year 2022/2023? ∗∗∗
---------------------------------------------
Disturbing information that has just reached me. Microsoft Exchange on-premises servers that are not at the current patch level are vulnerable to attacks via the ProxyNotShell vulnerabilities. Before Christmas came word that the hacker group FIN7 has, for some time now, an automated attack platform for [...]
---------------------------------------------
https://www.borncity.com/blog/2022/12/28/droht-eine-exchange-proxynotshell-…
∗∗∗ Why Attackers Target GitHub, and How You Can Secure It ∗∗∗
---------------------------------------------
The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.
---------------------------------------------
https://www.darkreading.com/edge-articles/why-attackers-target-github-and-h…
∗∗∗ Playing with Powershell and JSON (and Amazon and Firewalls), (Wed, Dec 28th) ∗∗∗
---------------------------------------------
In this post we'll take a look at parsing and manipulating JSON in Powershell.
---------------------------------------------
https://isc.sans.edu/diary/rss/29380
∗∗∗ CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet ∗∗∗
---------------------------------------------
Recently, two critical vulnerabilities were reported in Citrix ADC and Citrix Gateway; where one of them was being exploited in the wild by a threat actor. Due to these vulnerabilities being exploitable remotely and given the situation of past Citrix vulnerabilities, RIFT started to research on how to identify the [...]
---------------------------------------------
https://blog.fox-it.com/2022/12/28/cve-2022-27510-cve-2022-27518-measuring-…
∗∗∗ EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer ∗∗∗
---------------------------------------------
As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States.
---------------------------------------------
https://www.securityweek.com/earspy-spying-phone-calls-ear-speaker-vibratio…
∗∗∗ Alias and Directive Overloading in GraphQL ∗∗∗
---------------------------------------------
Denial of Service (DoS) attacks in GraphQL APIs are nothing new. It turns out that when you let clients control what data they want to receive from the server, malicious users try to abuse this flexibility to exhaust resources.
---------------------------------------------
https://checkmarx.com/blog/alias-and-directive-overloading-in-graphql/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim).
---------------------------------------------
https://lwn.net/Articles/918655/
∗∗∗ Microsoft Patches Azure Cross-Tenant Data Access Flaw ∗∗∗
---------------------------------------------
Microsoft has silently fixed an important-severity security flaw in its Azure Cognitive Search (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks.
---------------------------------------------
https://www.securityweek.com/microsoft-patches-azure-cross-tenant-data-acce…
∗∗∗ ABB Security Advisory: NE843 Pulsar Plus Controller ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&Lan…
∗∗∗ A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 (CVE-2022-34165). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851953