=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 10-11-2022 18:00 − Freitag 11-11-2022 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ US Health Dept warns of Venus ransomware targeting healthcare orgs ∗∗∗
---------------------------------------------
The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks are also targeting the countrys healthcare organizations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-venu…
∗∗∗ Microsoft fixes Windows zero-day bug exploited to push malware ∗∗∗
---------------------------------------------
Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-zer…
∗∗∗ NIS2-Richtlinie: Domaininhaber müssen künftig Adressdaten hinterlegen ∗∗∗
---------------------------------------------
Die neue EU-Richtlinie zur IT-Sicherheit (NIS2) untersagt die anonyme Registrierung von Domains.
---------------------------------------------
https://www.golem.de/news/nis2-richtlinie-domaininhaber-muessen-kuenftig-ad…
∗∗∗ Sicherheitslücke: Sperrbildschirm von Pixel-Smartphones ließ sich umgehen ∗∗∗
---------------------------------------------
Einem Forscher ist es gelungen, ein Pixel-Smartphone von Google ohne PIN zu entsperren. Doch Fix und Bug Bounty ließen lange auf sich warten.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-sperrbildschirm-von-pixel-smart…
∗∗∗ Cisco dichtet Sicherheitslecks in ASA und Firepower ab ∗∗∗
---------------------------------------------
Cisco dichtet teils hochriskante Sicherheitslücken in der Software der Adaptive Security Appliance und Firepower Threat Defense. Admins sollten aktiv werden.
---------------------------------------------
https://heise.de/-7336757
∗∗∗ Digitalbarometer 2022: Weiter leichtes Spiel für Cyber-Kriminelle ∗∗∗
---------------------------------------------
BSI und Polizeiliche Kriminalprävention der Länder und des Bundes (ProPK) veröffentlichen die vierte gemeinsame Bürgerbefragung: Viele Bürgerinnen und Bürger vernachlässigen grundlegende Maßnahmen, um sich vor Angriffen im Netz zu schützen.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday announced the release of a Stakeholder-Specific Vulnerability Categorization (SSVC) guide that can help organizations prioritize vulnerability patching using a decision tree model.
---------------------------------------------
https://www.securityweek.com/cisa-releases-decision-tree-model-help-compani…
∗∗∗ Phishing-resistente Multifaktor Authentifizierung ∗∗∗
---------------------------------------------
Multifaktor Authentifizierung (MFA) kann durch Phishing ausgehebelt werden. Es kommt darauf an, MFA widerstandsfähiger zu machen, betont Lance Spitzner, SANS Security Awareness Director, in einem Gastbeitrag.
---------------------------------------------
https://www.zdnet.de/88404820/phishing-resistente-multifaktor-authentifizie…
∗∗∗ HackHound IRC Bot Being Distributed via Webhards ∗∗∗
---------------------------------------------
Webhards are the main platforms that the attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past.
---------------------------------------------
https://asec.ahnlab.com/en/41806/
∗∗∗ CVE-2019-8561: A Hard-to-Banish PackageKit Framework Vulnerability in macOS ∗∗∗
---------------------------------------------
This blog entry details our investigation of CVE-2019-8561, a vulnerability that exists in the macOS PackageKit framework, a component used to install software installer packages (PKG files).
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/k/cve-2019-8561-a-hard-to-bani…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and exiv2), Fedora (curl, device-mapper-multipath, dotnet6.0, mediawiki, mingw-gcc, and php-pear-CAS), Gentoo (lesspipe), Slackware (php), SUSE (git, glibc, kernel, libarchive, python, python-rsa, python3-lxml, rpm, sudo, xen, and xwayland), and Ubuntu (wavpack).
---------------------------------------------
https://lwn.net/Articles/914571/
∗∗∗ Preisgabe von sensiblen Informationen in Zoom (SYSS-2022-048) ∗∗∗
---------------------------------------------
Bei einer Videokonferenz über Zoom werden Chatnachrichten im Installationsverzeichnis gespeichert. Ein Angreifer kann diese Nachrichten entschlüsseln.
---------------------------------------------
https://www.syss.de/pentest-blog/preisgabe-von-sensiblen-informationen-in-z…
∗∗∗ Rapid7’s Impact from OpenSSL Buffer Overflow Vulnerabilities (CVE-2022-3786 & CVE-2022-3602) ∗∗∗
---------------------------------------------
CVE-2022-3786 & CVE-2022-3602 vulnerabilities affecting OpenSSL’s 3.0.x versions both rely on a maliciously crafted email address in a certificate.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/11/11/rapid7s-impact-from-openssl-buf…
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® Semeru Runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM InfoSphere DataStage is vulnerable to a command injection vulnerability [CVE-2022-40752] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime used by the IBM Installation Manager and IBM Packaging Utility – CVE-2021-2163 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Omron NJ/NX-series Machine Automation Controllers ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-07
∗∗∗ Omron NJNX-series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-314-08
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 09-11-2022 18:00 − Donnerstag 10-11-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New StrelaStealer malware steals your Outlook, Thunderbird accounts ∗∗∗
---------------------------------------------
A new information-stealing malware named StrelaStealer is actively stealing email account credentials from Outlook and Thunderbird, two widely used email clients.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-strelastealer-malware-st…
∗∗∗ VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations ∗∗∗
---------------------------------------------
Multiple Unified Extensible Firmware Interface (UEFI) implementations are vulnerable to code execution in System Management Mode (SMM) by an attacker who gains administrative privileges on the local machine. An attacker can corrupt the memory using Direct Memory Access (DMA) timing attacks that can lead to code execution. These threats are collectively referred to as RingHopper attacks.
---------------------------------------------
https://kb.cert.org/vuls/id/434994
∗∗∗ Windows breaks under upgraded IceXLoader malware ∗∗∗
---------------------------------------------
Were the malware of Nim! A malware loader deemed in June to be a "work in progress" is now fully functional and infecting thousands of Windows corporate and home PCs.…
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/11/10/icexloader_m…
∗∗∗ [SANS ISC] Do you collect “Observables” or “IOCs”? ∗∗∗
---------------------------------------------
Indicators of Compromise, or IOCs, are key elements in blue team activities. IOCs are mainly small pieces of technical information that have been collected during investigations, threat hunting activities or malware analysis.
---------------------------------------------
https://blog.rootshell.be/2022/11/10/sans-isc-do-you-collect-observables-or…
∗∗∗ Phishing-Resistant MFA Does Not Mean Un-Phishable ∗∗∗
---------------------------------------------
Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on. Anything can be hacked. Do not confuse “phishing-resistant” with being impossible to phish or socially engineer.
---------------------------------------------
https://www.linkedin.com/pulse/phishing-resistant-mfa-does-mean-un-phishabl…
∗∗∗ The Case of Cloud9 Chrome Botnet ∗∗∗
---------------------------------------------
The Zimperium zLabs team recently discovered a malicious browser extension, which not only steals the information available during the browser session but can also install malware on a user’s device and subsequently assume control of the entire device. In this blog, we will take a deeper look into the architecture and modus operandi of this malicious browser extension, originally called Cloud9, by the malware author.
---------------------------------------------
https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/
∗∗∗ Certificates and Pwnage and Patches, Oh My! ∗∗∗
---------------------------------------------
A lot has happened since we released the “Certified Pre-Owned” blog post and whitepaper in June of last year. [...] A lot of organizations (and a lot of pentesters ;) definitely realized how pervasive misconfigurations in Active Directory Certificate Service are and how easy it is now to enumerate and abuse these issues. [...] With all of these changes, we wanted to revisit some of the offensive AD CS attacks, detail how the patch has affected some of the existing escalations, and
---------------------------------------------
https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f…
∗∗∗ The November 2022 Security Update Review ∗∗∗
---------------------------------------------
Welcome to the penultimate Patch Tuesday of 2021. As expected, Adobe and Microsoft have released their latest security updates and fixes to the world. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
---------------------------------------------
https://www.thezdi.com/blog/2022/11/8/the-november-2022-security-update-rev…
∗∗∗ How LNK Files Are Abused by Threat Actors ∗∗∗
---------------------------------------------
LNK files are based on the Shell Link Binary file format, also known as Windows shortcuts. But what seems a relatively simple ability to execute other binaries on the system can inflict great harm when abused by threat actors.
---------------------------------------------
https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-f…
∗∗∗ Penetration and Distribution Method of Gwisin Attacker ∗∗∗
---------------------------------------------
The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware.
---------------------------------------------
https://asec.ahnlab.com/en/41565/
=====================
= Vulnerabilities =
=====================
∗∗∗ Bios: Sicherheitslücken im UEFI etlicher Lenovo-Laptops ∗∗∗
---------------------------------------------
Lenovo hat Treiber verwendet, die nur für die Produktion vorgesehen waren. Dadurch lässt sich Secure Boot aus dem Betriebssystem heraus deaktivieren.
---------------------------------------------
https://www.golem.de/news/bios-sicherheitsluecken-im-uefi-etlicher-lenovo-l…
∗∗∗ Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure ∗∗∗
---------------------------------------------
Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability.
---------------------------------------------
https://jvn.jp/en/jp/JVN75437943/
∗∗∗ Cisco Security Advisories 2022-11-09 ∗∗∗
---------------------------------------------
Cisco Adaptive Security Appliance Software, Cisco FXOS Software, Cisco FirePOWER Software for ASA FirePOWER Module, Cisco Firepower Management Center Software, Cisco Firepower Threat Defense Software, Cisco NGIPS Software, Cisco Secure Firewall 3100 Series, Multiple Cisco Products Snort SMB2 Detection Engine
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ IBM Security Bulletins 2022-11-09 ∗∗∗
---------------------------------------------
IBM Cloud Pak for Security, IBM Master Data Management, IBM Planning Analytics, IBM Planning Analytics Workspace, IBM QRadar, IBM Tivoli Business Service Manager
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ HTML Injection in BMC Remedy ITSM-Suite ∗∗∗
---------------------------------------------
Die Anwendung BMC Remedy erlaubt es Benutzern Incidents über Email weiterzuleiten. Im Email Editor ist es möglich HTML-Code in das "To" Feld einzufügen. Danach zeigt die Anwendung an, dass der Incident an Empfänger weitergeleitet wurde. Durch Klicken auf die Anzahl der Empfänger wird der eingefügte HTML-Code geladen und ausgeführt.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/html-injection-in-bmc…
∗∗∗ CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine ∗∗∗
---------------------------------------------
A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system allows a local attacker with shell access to the engine to execute programs with elevated privileges.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0031
∗∗∗ Bugfix-Updates: Apple stellt macOS 13.0.1, iPadOS 16.1.1 und iOS 16.1.1 bereit ∗∗∗
---------------------------------------------
Fehlerbehebungen und gestopfte Sicherheitslücken außer der Reihe: Apple legt macOS 13.0.1, iPadOS 16.1.1 und iOS 16.1.1 für Mac, iPad und iPhone vor.
---------------------------------------------
https://heise.de/-7335516
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libjettison-java and xorg-server), Slackware (sysstat and xfce4), SUSE (python3 and xen), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/914347/
∗∗∗ Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server ∗∗∗
---------------------------------------------
Unit 42 discovered three vulnerabilities in OpenLiteSpeed Web Server and LiteSpeed Web Server that could be used together for remote code execution.
---------------------------------------------
https://unit42.paloaltonetworks.com/openlitespeed-vulnerabilities/
∗∗∗ [R1] Nessus Version 8.15.7 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (expat, libxml2, zlib) were found to contain vulnerabilities, and updated versions have been made available by the providers.Out of caution and in line with good practice, Tenable has opted to upgrade these components to address the potential impact of the issues.
---------------------------------------------
https://www.tenable.com/security/tns-2022-26
∗∗∗ 2022-12 Multiple Java SE vulnerabilities in Belden/Hirschmann software products ∗∗∗
---------------------------------------------
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14996&mediaformat…" target="_blank
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 08-11-2022 18:00 − Mittwoch 09-11-2022 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Intel, AMD Address Many Vulnerabilities With Patch Tuesday Advisories ∗∗∗
---------------------------------------------
Intel and AMD have announced fixes for many vulnerabilities on this Patch Tuesday, including for flaws that have been assigned a ‘high severity’ rating.
---------------------------------------------
https://www.securityweek.com/intel-amd-address-many-vulnerabilities-patch-t…
∗∗∗ Microsoft: Windows 10 21H1 reaches end of service next month ∗∗∗
---------------------------------------------
Microsoft has reminded customers today that all editions of Windows 10 21H1 (also known as the May 2021 Update) are reaching the end of service (EOS) next month.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-21h1-r…
∗∗∗ Lenovo fixes flaws that can be used to disable UEFI Secure Boot ∗∗∗
---------------------------------------------
Lenovo has fixed two high-severity vulnerabilities impacting various ThinkBook, IdeaPad, and Yoga laptop models that could allow an attacker to deactivate UEFI Secure Boot.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lenovo-fixes-flaws-that-can-…
∗∗∗ Phishing-Resistant MFA Does Not Mean Un-Phishable ∗∗∗
---------------------------------------------
Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on. Anything can be hacked. Do not confuse “phishing-resistant” with being impossible to phish or socially engineer.
---------------------------------------------
https://www.linkedin.com/pulse/phishing-resistant-mfa-does-mean-un-phishabl…
∗∗∗ SMS „Hallo Mama, mein Handy ist kaputt“ ist betrügerisch! ∗∗∗
---------------------------------------------
Eine großangelegte SMS-Betrugsmasche sorgt aktuell für Verunsicherung bei Empfänger:innen. Der Inhalt der „Hallo Mama“ oder „Hallo Papa“ SMS soll vermitteln, dass das eigene Kind eine neue Nummer hätte. Das Kind bittet deshalb um Kontaktaufnahme über WhatsApp. Wer hier antwortet, wird schon bald vom vermeintlichen Kind zu Zahlungen aufgefordert. Ignorieren Sie die Nachrichten und führen Sie auf keinen Fall Überweisungen durch.
---------------------------------------------
https://www.watchlist-internet.at/news/sms-hallo-mama-mein-handy-ist-kaputt…
∗∗∗ Massive ois[.]is Black Hat Redirect Malware Campaign ∗∗∗
---------------------------------------------
Since September 2022, our research team has tracked a surge in WordPress malware redirecting website visitors to fake Q&A sites via ois[.]is. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines. PublicWWW results show nearly 15,000 websites have been affected by this malware so far.
---------------------------------------------
https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-c…
∗∗∗ Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns ∗∗∗
---------------------------------------------
The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors. Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
---------------------------------------------
https://blog.talosintelligence.com/ipfs-abuse/
∗∗∗ Check Point CloudGuard Spectral exposes new obfuscation techniques for malicious packages on PyPI ∗∗∗
---------------------------------------------
Check Point Research (CPR) detects a new and unique malicious package on PyPI, the leading package index used by developers for the Python programming language The new malicious package was designed to hide code in images and infect through open-source projects on Github CPR responsibly disclosed this information to PyPI, who removed the packages.
---------------------------------------------
https://research.checkpoint.com/2022/check-point-cloudguard-spectral-expose…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks ∗∗∗
---------------------------------------------
Microsoft has released security updates to address two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell and exploited in the wild.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-proxynotshe…
∗∗∗ Kritische Sicherheitslücken in VMware Workspace ONE - Updates verfügbar ∗∗∗
---------------------------------------------
VMware hat Updates für drei kritische Authentication Bypass Sicherheitslücken im Remote-Access-Tool VMware Workspace ONE veröffentlicht. Entfernte, anonyme Angreifer:innen können die Authentifizierung in erreichbaren VMware Workspace ONE Instanzen umgehen und Administratorrechte auf den betroffenen Systemen erlangen.
---------------------------------------------
https://cert.at/de/warnungen/2022/11/kritische-sicherheitslucken-in-vmware-…
∗∗∗ Citrix Gateway und ADC: Kritische Lücke ermöglicht unbefugten Zugriff ∗∗∗
---------------------------------------------
Citrix schließt Sicherheitslücken, durch die Angreifer etwa unberechtigt auf die Gerätefunktionen zugreifen können. Administratoren sollten zügig aktualisieren.
---------------------------------------------
https://heise.de/-7334851
∗∗∗ Multiple vulnerabilities in WordPress ∗∗∗
---------------------------------------------
WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature.
---------------------------------------------
https://jvn.jp/en/jp/JVN09409909/
∗∗∗ IBM Security Bulletins 2022-11-08 ∗∗∗
---------------------------------------------
IBM App Connect Enterprise, IBM Cloud Application Business Insights, IBM Security Guardium, IBM Security Verify Access
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Lenovo Product Security Advisories 2022-11-08 ∗∗∗
---------------------------------------------
AMD Graphics Driver, AMD IBPB Return Branch Predictions, Brocade EZSwitch, Elan UltraNav and MiniPort Driver, Intel AMT SDK, Intel EMA, Intel MC, Intel Chipset Firmware, Intel PROSet Wireless WiFi, Intel vPro CSME WiFi, Killer WiFi, Intel SGX SDK, Lenovo Diagnostics, Lenovo Notebook BIOS, Lenovo Vantage Component, Multi-Vendor BIOS
---------------------------------------------
https://support.lenovo.com/at/en/product_security/home
∗∗∗ Cisco Security Advisories 2022-11-09 ∗∗∗
---------------------------------------------
Cisco Adaptive Security Appliance Software, Cisco FXOS Software, Cisco FirePOWER Software for ASA FirePOWER Module, Cisco Firepower Management Center Software, Cisco Firepower Threat Defense Software, Cisco NGIPS Software, Cisco Secure Firewall 3100 Series, Multiple Cisco Products Snort SMB2 Detection Engine
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Webbrowser: Zehn Sicherheitslücken weniger in Google Chrome ∗∗∗
---------------------------------------------
In dem jetzt verfügbaren Update für den Webbrowser Chrome schließt Google 10 Sicherheitslücken. Mit manipulierten Webseiten könnten Angreifer Code ausführen.
---------------------------------------------
https://heise.de/-7334255
∗∗∗ Foxit PDF Reader: Schadcode-Attacken über präparierte PDFs möglich ∗∗∗
---------------------------------------------
Die Foxit-Entwickler haben in ihren PDF-Anwendungen unter macOS und Windows Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-7334993
∗∗∗ Patchday: SAP stopft neun zum Teil kritische Schwachstellen ∗∗∗
---------------------------------------------
Am November-Patchday dichtet SAP teils kritische Sicherheitslücken in mehreren Produkten ab. Administratoren sollten sie zügig auf den aktuellen Stand bringen.
---------------------------------------------
https://heise.de/-7334573
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (vim, webkit2gtk, and wpewebkit), Fedora (mingw-python3, vim, webkit2gtk3, webkitgtk, and xen), Mageia (389-ds-base, bluez, ffmpeg, libtasn1, libtiff, libxml2, and mbedtls), Red Hat (kpatch-patch and linux-firmware), SUSE (conmon, containerized data importer, exim, expat, ganglia-web, gstreamer-0_10-plugins-base, gstreamer-0_10-plugins-good, gstreamer-plugins-base, gstreamer-plugins-good, kernel, kubevirt, protobuf, sendmail, and vsftpd), and Ubuntu (libzstd, openjdk-8, openjdk-lts, openjdk-17, openjdk-19, php7.2, php7.4, php8.1, and pixman).
---------------------------------------------
https://lwn.net/Articles/914221/
∗∗∗ Zahlreiche kritische Schwachstellen in Simmeth System GmbH Lieferantenmanager ∗∗∗
---------------------------------------------
Die Software Lieferantenmanager der Simmeth System GmbH ist von mehreren kritischen Schwachstellen betroffen. Durch diese lassen sich beliebige Befehle ohne Authentifizierung auf dem SQL Server ausführen. Des Weiteren können beliebige Dateien auf dem Webserver gelesen und Nutzersessions gestohlen werden. Außerdem wurde das E-Mail Passwort der Firma Simmeth mithilfe eines unauthentifizierten Requests ausgelesen.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/multiple-critical-vul…
∗∗∗ [R1] Nessus Network Monitor Version 6.1.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Nessus Network Monitor leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2022-25
∗∗∗ Xen Security Advisory CVE-2022-23824 / XSA-422 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-422.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 07-11-2022 18:00 − Dienstag 08-11-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ How to mimic Kerberos protocol transition using reflective RBCD ∗∗∗
---------------------------------------------
We know that a delegation is dangerous if an account allows delegating third-party user authentication to a privileged resource. In the case of constrained delegation, all it takes is to find a privileged account in one of the SPN (Service Principal Name) set in the msDS-AllowedToDelegateTo attribute of a compromised service account.
---------------------------------------------
https://medium.com/tenable-techblog/how-to-mimic-kerberos-protocol-transiti…
∗∗∗ Azov-Malware zerstört Dateien in 666-Byte-Schritten ∗∗∗
---------------------------------------------
Der Windows-Schädling Azov ist ein Wiper und vernichtet Dateien unwiderruflich. Sicherheitsforscher beobachten ein erhöhtes Aufkommen.
---------------------------------------------
https://heise.de/-7333231
∗∗∗ Open Bug Bounty: Eine Million Sicherheitslücken im Web behoben ∗∗∗
---------------------------------------------
Eine offene Plattform für das Offenlegen von Sicherheitslücken im Web hat einen Meilenstein erreicht. Open Bug Bounty verzeichnet über 1,3 Mio. Entdeckungen.
---------------------------------------------
https://heise.de/-7333872
∗∗∗ Achtung Fake-Shop: marktstores.com gibt sich als Media Markt aus ∗∗∗
---------------------------------------------
Die Playstation 5 ist momentan überall ausverkauft. Vorsicht, wenn Sie im Internet dennoch einen Anbieter finden, der sie angeblich liefern kann. Dieser könnte sich als Fake-Shop herausstellen.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-marktstorescom-gib…
∗∗∗ LockBit 3.0 Being Distributed via Amadey Bot ∗∗∗
---------------------------------------------
The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker.
---------------------------------------------
https://asec.ahnlab.com/en/41450/
∗∗∗ Prepare, respond & recover: Battling complex Cybersecurity threats with fundamentals ∗∗∗
---------------------------------------------
The cybersecurity industry has seen a lot of recent trends. For example, the proliferation of multifactor authentication (MFA) to fight against credential harvesting is a common thread.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/prepare-respond-rec…
∗∗∗ Cracking 2.3M Attackers-Supplied Credentials: What Can We Learn from RDP Attacks ∗∗∗
---------------------------------------------
To study credentials attacks on RDP, we operate high-interaction honeypots on the Internet. We analyzed over 2.3 million connections that supplied hashed credentials and attempted to crack them.
---------------------------------------------
https://www.gosecure.net/blog/2022/11/08/cracking-2-3m-attackers-supplied-c…
∗∗∗ DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework ∗∗∗
---------------------------------------------
This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-11-07 ∗∗∗
---------------------------------------------
IBM Tivoli Monitoring, IBM App Connect Enterprise Certified Container, IBM Operations Analytics - Log Analysis
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Siemens Security Advisories 2022-11-08 ∗∗∗
---------------------------------------------
Siemens released 9 new and 8 updated Advisories. (CVSS Scores 5.3-9.9)
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html?d=2022-11#Sec…
∗∗∗ Patchday: Angreifer könnten Android-Geräte über Attacken lahmlegen ∗∗∗
---------------------------------------------
Google hat wichtige Sicherheitsupdates für Android 10 bis 13 veröffentlicht. Einige andere Hersteller bieten ebenfalls Patches an.
---------------------------------------------
https://heise.de/-7333334
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pixman and sudo), Fedora (mingw-binutils and mingw-gdb), Red Hat (bind, bind9.16, container-tools:3.0, container-tools:4.0, container-tools:rhel8, dnsmasq, dotnet7.0, dovecot, e2fsprogs, flatpak-builder, freetype, fribidi, gdisk, grafana, grafana-pcp, gstreamer1-plugins-good, httpd:2.4, kernel, kernel-rt, libldb, libreoffice, libtiff, libxml2, mingw-expat, mingw-zlib, mutt, nodejs:14, nodejs:18, openblas, openjpeg2, osbuild, pcs, php:7.4, php:8.0, [...]
---------------------------------------------
https://lwn.net/Articles/914119/
∗∗∗ ICS Patch Tuesday: Siemens Addresses Critical Vulnerabilities ∗∗∗
---------------------------------------------
Siemens and Schneider Electric have released their Patch Tuesday advisories for November 2022. Siemens has released nine new security advisories covering a total of 30 vulnerabilities, but Schneider has only published one new advisory.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-critical-v…
∗∗∗ Varnish HTTP/2 Request Forgery ∗∗∗
---------------------------------------------
https://docs.varnish-software.com/security/VSV00011/
∗∗∗ Open Source Varnish Request Smuggling ∗∗∗
---------------------------------------------
https://docs.varnish-software.com/security/VSV00010/
∗∗∗ PHOENIX CONTACT: Automationworx BCP File Parsing Vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-048/
∗∗∗ Citrix Gateway and Citrix ADC Security Bulletin for CVE-2022-27510 CVE-2022-27513 and CVE-2022-27516 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-…
∗∗∗ McAfee Total Protection: Update fixt Schwachstelle CVE-2022-43751 ∗∗∗
---------------------------------------------
https://www.borncity.com/blog/2022/11/08/mcafee-total-protection-update-fix…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 04-11-2022 18:00 − Montag 07-11-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows Malware with VHD Extension, (Sat, Nov 5th) ∗∗∗
---------------------------------------------
Windows 10 supports various virtual drives natively and can recognize and use ISO, VHD and VHDX files. The file included as an attachment with this email, when extracted appears in the email as a PDF but is is in fact a VHD file.
---------------------------------------------
https://isc.sans.edu/diary/rss/29222
∗∗∗ IPv4 Address Representations, (Sun, Nov 6th) ∗∗∗
---------------------------------------------
A reader asked for help with this maldoc. Not with the analysis itself, but how to understand where the URL is pointing to.
---------------------------------------------
https://isc.sans.edu/diary/rss/29224
∗∗∗ Experts Find URLScan Security Scanner Inadvertently Leaks Sensitive URLs and Data ∗∗∗
---------------------------------------------
Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs. "Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022.
---------------------------------------------
https://thehackernews.com/2022/11/experts-find-urlscan-security-scanner.html
∗∗∗ AWS Organizations Defaults ∗∗∗
---------------------------------------------
[...] These things combined mean that, should an attacker compromise the management account, the default behavior of AWS Organizations provides a path to compromise every account in the organization as an administrator. For offensive security professionals, identifying paths into the management account can be an incredibly fruitful exercise, and may result in an entire organization compromise.
---------------------------------------------
https://hackingthe.cloud/aws/general-knowledge/aws_organizations_defaults/
∗∗∗ Kommentar: Angriffe lassen sich nicht vermeiden – übernehmt die Verantwortung! ∗∗∗
---------------------------------------------
Shit happens, ebenso wie Sicherheitsvorfälle. Die Frage kann also nur sein, wie damit umzugehen ist - vorher wie nachher.
---------------------------------------------
https://heise.de/-7328918
∗∗∗ Versteckte Kosten für Kündigungen auf stornierenbei.de ∗∗∗
---------------------------------------------
Wenn Sie einen Vertrag kündigen wollen und dazu über Ihre Suchmaschine recherchieren, stoßen Sie womöglich auf stornierenbei.de. Dort wird eine einfache Kündigung von Verträgen unterschiedlichster Anbieter als Dienstleistung angeboten. Achtung: Statt der Kündigung des angegebenen Vertrages, kommen versteckte Kosten auf Sie zu, die auch eingemahnt werden! Bezahlen Sie nichts. Es besteht kein gültiger Vertrag mit stornierenbei.de.
---------------------------------------------
https://www.watchlist-internet.at/news/versteckte-kosten-fuer-kuendigungen-…
∗∗∗ BYODC - Bring Your Own Domain Controller ∗∗∗
---------------------------------------------
BYODC or bring your own domain controller is a post-exploitation technique and another option for performing a DCSync in a more opsec safe manner.
---------------------------------------------
https://blog.zsec.uk/byodc-attack/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-11-04 ∗∗∗
---------------------------------------------
AIX LPARs in IBM PureData System for Operational Analytics, IBM App Connect Enterprise, IBM MQ, IBM WebSphere Application Server Liberty / CICS Transaction Gateway
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, libxml2, python-django, python-scciclient, and xen), Fedora (ghc-cmark-gfm, java-latest-openjdk, and vim), Mageia (expat, ntfs-3g, and wkhtmltopdf), Oracle (kernel), Slackware (sudo), and SUSE (expat, libxml2, rubygem-loofah, and xmlbeans).
---------------------------------------------
https://lwn.net/Articles/914012/
∗∗∗ Shodan Verified Vulns 2022-11-01 ∗∗∗
---------------------------------------------
Mit Stand 2022-11-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2022/11/shodan-verified-vulns-2022-11-01
∗∗∗ Nov 3 2022 Security Releases ∗∗∗
---------------------------------------------
(Update 04-November-2022) Security releases available
Updates are now available for v14,x, v16.x, v18.x and v19.x Node.jsrelease lines for the following issues. [...]
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/november-2022-security-releases
∗∗∗ WebKit HTMLSelectElement Use-After-Free ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022110007
∗∗∗ TRUMPF: Multiple products prone to X.Org server vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-049/
∗∗∗ Wiesemann &Theis: Multiple Vulnerabilities in the Com-Server Family ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-043/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 03-11-2022 18:00 − Freitag 04-11-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WLAN-Sicherheitslücke: Für Spezialdrohnen sind Wände wie Glas ∗∗∗
---------------------------------------------
Kanadische Forscher haben eine Funktion entdeckt, die es Angreifern ermöglicht, durch Wände zu sehen - trotz Passwortschutz.
---------------------------------------------
https://www.golem.de/news/wlan-sicherheitsluecke-fuer-eine-spezialdrohne-si…
∗∗∗ A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain ∗∗∗
---------------------------------------------
Note: The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device is running SMR Mar-2021 or later. As defenders, in-the-wild exploit samples give us important insight into what attackers are really doing. We get the “ground truth” data about the vulnerabilities and exploit techniques they’re using, which then informs our further research and guidance to security teams on what could have the biggest impact or return on investment. To do this, we need to know that the vulnerabilities and exploit samples were found in-the-wild.
---------------------------------------------
https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-sa…
∗∗∗ What Is Cross-Origin Resource Sharing (CORS)? ∗∗∗
---------------------------------------------
Thanks to the rapid growth of JavaScript frameworks like Angular, React, and Vue, Cross-Origin Resource Sharing (CORS) has become a popular word in the developer’s vocabulary — and for good reason. It’s common practice for modern web applications to load resources from multiple domains. But accessing these website resources from different origins requires a thorough understanding of CORS. In this post, we’ll take a look at what CORS is and why proper implementation is an important component of building secure websites and applications. We’ll also examine some common examples of how to use CORS, dive into preflight requests, and discuss how to protect your website against attacks.
---------------------------------------------
https://blog.sucuri.net/2022/11/what-is-cross-origin-resource-sharing-cors.…
∗∗∗ Multi-factor auth fatigue is real – and its why you may be in the headlines next ∗∗∗
---------------------------------------------
Overwhelmed by waves of push notifications, worn-down users inadvertently let the bad guys in
Analysis
The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/11/03/mfa_fatigue_…
∗∗∗ Inside the V1 Raccoon Stealer’s Den ∗∗∗
---------------------------------------------
Team Cymru’s S2 Research Team has blogged previously on the initial Raccoon stealer command and control methodology (Raccoon Stealer - An Insight into Victim “Gates”), which utilized “gate” IP addresses to proxy victim traffic / data to static threat actor-controlled infrastructure. Since the publication of our previous blog, the following timeline of events has occurred: [...]
---------------------------------------------
https://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den
∗∗∗ Cisco-Sicherheitsupdates: Angreifer könnten durch Lücken in Netzwerke eindringen ∗∗∗
---------------------------------------------
Die Softwareentwickler von Cisco haben unter anderem in Identity Services Engine und Email Security Appliance Schwachstellen geschlossen.
---------------------------------------------
https://heise.de/-7329978
∗∗∗ UK-Cybersicherheitsbehörde startet landesweites Schwachstellen-Scanning ∗∗∗
---------------------------------------------
Die IT-Sicherheitsbehörde des Vereinigten Königreichs startet einen Schwachstellen-Scanner-Dienst. Der untersucht alle Systeme des Landes auf Sicherheitslücken.
---------------------------------------------
https://heise.de/-7330532
∗∗∗ Apple Rolls Out Xcode Update Patching Git Vulnerabilities ∗∗∗
---------------------------------------------
Apple this week announced a security update for the Xcode macOS development environment, to resolve three Git vulnerabilities, including one leading to arbitrary code execution.
---------------------------------------------
https://www.securityweek.com/apple-rolls-out-xcode-update-patching-git-vuln…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-11-03 ∗∗∗
---------------------------------------------
IBM App Connect Enterprise Certified Container, IBM InfoSphere Information server, IBM Operations Analytics - Log Analysis, IBM Security Verify Governance, IBM WebSphere Application Server Liberty
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Patchday: Big-Data-Spezialist Splunk dichtet zwölf Schwachstellen ab ∗∗∗
---------------------------------------------
Der Big-Data-Experte Splunk aktualisiert die gleichnamige Software Splunk Enterprise und Cloud. Nach den Updates klaffen darin zwölf Schwachstellen weniger.
---------------------------------------------
https://heise.de/-7329933
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pypy3), Fedora (drupal7, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and php), Oracle (kernel, lua, openssl, pcs, php-pear, pki-core, python3.9, and zlib), Red Hat (kernel, kernel-rt, kpatch-patch, lua, openssl-container, pcs, php-pear, pki-core, python3.9, and zlib), Scientific Linux (kernel, pcs, and php-pear), SUSE (EternalTerminal, hsqldb, ntfs-3g_ntfsprogs, privoxy, rubygem-actionview-4_2, sqlite3, and xorg-x11-server), and Ubuntu [...]
---------------------------------------------
https://lwn.net/Articles/913771/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (clickhouse, distro-info-data, and ntfs-3g), Fedora (firefox), Oracle (kernel), Slackware (mozilla), and SUSE (python-Flask-Security-Too).
---------------------------------------------
https://lwn.net/Articles/913849/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0010 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2022-32888 Versions affected: WebKitGTK and WPE WebKit before 2.38.0. Credit to P1umer (@p1umer). Impact: Processing maliciously crafted web content may lead toarbitrary code execution.
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0010.html
∗∗∗ CVE Report Published for Spring Tools ∗∗∗
---------------------------------------------
We have released STS 4.16.1 for Eclipse and Spring VSCode extensions 1.40.0 to address the following CVE report: - CVE-2022-31691: Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode
Please review the information in the CVE report and upgrade immediately.
---------------------------------------------
https://spring.io/blog/2022/11/03/cve-report-published-for-spring-tools
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 02-11-2022 18:00 − Donnerstag 03-11-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Emotet botnet starts blasting malware again after 5 month break ∗∗∗
---------------------------------------------
The Emotet malware operation is again spamming malicious emails after almost a five-month "vacation" that saw little activity from the notorious cybercrime operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blastin…
∗∗∗ Hundreds of U.S. news sites push malware in supply-chain attack ∗∗∗
---------------------------------------------
The compromised infrastructure of an undisclosed media company is being used by threat actors to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hundreds-of-us-news-sites-pu…
∗∗∗ Was tun, wenn ich Opfer von Cybercrime geworden bin? ∗∗∗
---------------------------------------------
Die Online-Identität kann schnell gestohlen werden, wenn jemand seine Daten auf unseriösen Websites eingibt. Dann kann es zu weiteren Konsequenzen kommen.
---------------------------------------------
https://futurezone.at/digital-life/cybercrime-identitaetsdiebstahl-phishing…
∗∗∗ The OpenSSL security update story – how can you tell what needs fixing? ∗∗∗
---------------------------------------------
How to Hack! Finding OpenSSL library files and accurately identifying their version numbers...
---------------------------------------------
https://nakedsecurity.sophos.com/2022/11/03/the-openssl-security-update-sto…
∗∗∗ P2P Botnets: Review - Status - Continuous Monitoring ∗∗∗
---------------------------------------------
P2P networks are more scalable and robust than traditional C/S structures, and these advantages were recognized by the botnet authors early on and used in their botnets.
---------------------------------------------
https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/
∗∗∗ Breakpoints in Burp, (Wed, Nov 2nd) ∗∗∗
---------------------------------------------
No, this is not a story about the Canadian Thanksgiving long weekend, it's about web application testing. I recently had a web application to assess, and I used Burp Suite Pro as part of that project.
---------------------------------------------
https://isc.sans.edu/diary/rss/29214
∗∗∗ Hackers Using Rogue Versions of KeePass and SolarWinds Software to Distribute RomCom RAT ∗∗∗
---------------------------------------------
The operators of RomCom RAT are continuing to evolve their campaigns with rogue versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro.
---------------------------------------------
https://thehackernews.com/2022/11/hackers-using-rogue-versions-of-keepass.h…
∗∗∗ Researchers discover security loophole allowing attackers to use Wi-Fi to see through walls ∗∗∗
---------------------------------------------
The Wi-Peep exploits a loophole the researchers call polite Wi-Fi. Even if a network is password protected, smart devices will automatically respond to contact attempts from any device within range. The Wi-Peep sends several messages to a device as it flies and then measures the response time on each, enabling it to identify the devices location to within a meter.
---------------------------------------------
https://techxplore.com/news/2022-11-loophole-wi-fi-walls.html
∗∗∗ Passwörter: 64 Prozent der User verwenden Kennwörter mehrmals ∗∗∗
---------------------------------------------
Eine Umfrage unter 3750 Angestellten auch aus deutschen Organisationen fördert bedenkliche Passwortnutzung zutage. Und das trotz besseren Wissens.
---------------------------------------------
https://heise.de/-7328871
∗∗∗ BSI-Lagebericht 2022: Gefährdungslage im Cyber-Raum hoch wie nie ∗∗∗
---------------------------------------------
Im Berichtszeitraum hat sich die bereits zuvor angespannte Lage weiter zugespitzt. Grund dafür sind anhaltende Aktivitäten im Bereich der Cyber-Kriminalität, Cyber-Angriffe im Kontext des russischen Angriffs auf die Ukraine und eine unzureichende Produktqualität von IT- und Software-Produkten.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ A new crop of malicious modules found on PyPI ∗∗∗
---------------------------------------------
Phylum has posted anarticle with a detailed look at a set of malicious packages discoveredby an automated system they have developed. Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase.
---------------------------------------------
https://lwn.net/Articles/913555/
∗∗∗ Vorsicht vor Scam-Versuchen auf Telegram ∗∗∗
---------------------------------------------
Eine Nachricht auf Telegram erreicht Sie aus heiterem Himmel: Jemand, den Sie nicht kennen bietet Ihnen eine lukrative Investment-Möglichkeit an, oder sogar eine große Summe Geld. Vorsicht, bei diesen Nachrichten handelt es sich um Betrugsversuche!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-scam-versuchen-auf-tele…
∗∗∗ Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild ∗∗∗
---------------------------------------------
We present new techniques that leverage active probing and network fingerprint technology to help you detect Cobalt Strike’s Team Servers.
---------------------------------------------
https://unit42.paloaltonetworks.com/cobalt-strike-team-server/
∗∗∗ ASEC Weekly Malware Statistics (October 24th, 2022 – October 30th, 2022) ∗∗∗
---------------------------------------------
This post will list weekly statistics collected from October 24th, 2022 (Monday) to October 30th (Sunday).
---------------------------------------------
https://asec.ahnlab.com/en/41139/
=====================
= Vulnerabilities =
=====================
∗∗∗ Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602) ∗∗∗
---------------------------------------------
Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/11/02/microsoft-guidance-related-to-op…
∗∗∗ IBM Security Bulletins 2022-11-02 ∗∗∗
---------------------------------------------
Content Collector for Email in Content Search Services container, IBM Business Automation Workflow, IBM Business Process Manager (BPM), IBM InfoSphere DataStage, IBM MQ, IBM Operations Analytics - Log Analysis, IBM SPSS Modeler, IBM Security SOAR, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Schwachstellenscanner Nessus: Updates schließen mehrere Sicherheitslücken ∗∗∗
---------------------------------------------
Der Netzwerk-Schwachstellenscanner Nessus behebt mit neuen Versionen mehrere Schwachstellen in Drittherstellerkomponenten. Admins sollten sie installieren.
---------------------------------------------
https://heise.de/-7328440
∗∗∗ Patchday Fortinet: FortiSIEM speichert Log-in-Daten unverschlüsselt ∗∗∗
---------------------------------------------
Es gibt wichtige Updates für Sicherheitsprodukte von Fortinet. Darunter etwa FortiADC und FortiOS. Keine Lücke gilt als kritisch.
---------------------------------------------
https://heise.de/-7328476
∗∗∗ (Non-US) DIR-1935 : Rev. Ax : F/W v1.03b02 :: Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product ∗∗∗
---------------------------------------------
https://www.securityweek.com/splunk-patches-9-high-severity-vulnerabilities…
∗∗∗ ETIC Telecom Remote Access Server (RAS) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-307-01
∗∗∗ Nokia ASIK AirScale System Module ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-307-02
∗∗∗ Delta Industrial Automation DIALink ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-307-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 31-10-2022 18:00 − Mittwoch 02-11-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Sicherheitslücken: OpenSSL korrigiert Fehler im Zertifikatsparser ∗∗∗
---------------------------------------------
Zwei Buffer Overflows bei der Verarbeitung von Punycode können OpenSSL zum Absturz bringen - und möglicherweise Codeausführung ermöglichen.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-openssl-korrigiert-fehler-im-z…
∗∗∗ Lenovo kündigt gegen Schadcode-Attacken abgesicherte BIOS-Versionen an ∗∗∗
---------------------------------------------
Der Computer-Hersteller Lenovo will mehrere BIOS-Lücken in verschiedenen Laptop-Modellen schließen. Einige Updates sind aber erst für Anfang 2023 angekündigt.
---------------------------------------------
https://heise.de/-7327115
∗∗∗ Eine Million Downloads: Bösartige Android-Apps leiten auf Phishing-Seiten ∗∗∗
---------------------------------------------
Ein App-Entwickler fällt wiederholt auf, verseuchte Apps in Google Play anzubieten. Die derzeitig problematischen Apps kommen auf über eine Million Downloads.
---------------------------------------------
https://heise.de/-7327239
∗∗∗ Ausweiskopien mit Wasserzeichen versehen ∗∗∗
---------------------------------------------
Zahlreiche Betrugsmaschen zielen auf eine Kopie Ihres Ausweises ab. Damit können Kriminelle sich bei anderen Betrugsmaschen als Sie ausgeben, in Ihrem Namen Verträge abschließen oder andere Straftaten begehen. Versenden Sie Ausweiskopien daher nur, wenn es unbedingt notwendig ist. Gibt es keine andere Möglichkeit, sollten Sie die Ausweiskopie mit einem Wasserzeichen versehen. Wir zeigen Ihnen, wie Sie unkompliziert ein Wasserzeichen erstellen.
---------------------------------------------
https://www.watchlist-internet.at/news/ausweiskopien-mit-wasserzeichen-vers…
∗∗∗ Raspberry Robin Wurm transportiert Malware ∗∗∗
---------------------------------------------
Laut den Sicherheitsforschern von Microsoft verbreitet die bisher vor allem auf USB-Laufwerken bekannte Malware Raspberry Robin jetzt auch die Ransomware Clop.
---------------------------------------------
https://www.zdnet.de/88404569/raspberry-robin-wurm-transportiert-malware/
∗∗∗ Windows PowerShell-Backdoor entdeckt; gibt sich als Teil des Windows Update-Prozesses aus ∗∗∗
---------------------------------------------
Sicherheitsforscher von SafeBreach sind kürzlich auf eine bisher unbekannte PowerShell-Backdoor in Windows gestoßen. Diese verwendet ein bösasartiges Word-Dokument, um die PowerShell-Scripte einzuschleusen. Die Backdoor kann Active Directory-Benutzer und Remote-Desktops auflisten und soll vermutlich zu einem späteren Zeitpunkt zur Ausbreitung in [...]
---------------------------------------------
https://www.borncity.com/blog/2022/11/01/windows-powershell-backdoor-als-te…
∗∗∗ Gregor Samsa: Exploiting Javas XML Signature Verification ∗∗∗
---------------------------------------------
Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A custom JIT compiler processing untrusted XSLT programs, exposed to remote attackers during XML signature verification. This post discusses CVE-2022-34169, an integer truncation bug in this JIT compiler resulting in arbitrary code execution in many Java-based web applications and identity providers that support the SAML single-sign-on standard.
---------------------------------------------
https://googleprojectzero.blogspot.com/2022/11/gregor-samsa-exploiting-java…
∗∗∗ Server-side attacks, C&C in public clouds and other MDR cases we observed ∗∗∗
---------------------------------------------
This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. We hope that it helps you to stay up to date on the modern threat landscape and to be better prepared for attacks.
---------------------------------------------
https://securelist.com/server-side-attacks-cc-in-public-clouds-mdr-cases/10…
∗∗∗ SHA-3 code execution bug patched in PHP – check your version! ∗∗∗
---------------------------------------------
As everyone waits for news of a bug in OpenSSL, heres a reminder that other cryptographic code in your life may also need patching!
---------------------------------------------
https://nakedsecurity.sophos.com/2022/11/01/sha-3-code-execution-bug-patche…
∗∗∗ Ransomware: Not enough victims are reporting attacks, and thats a problem for everyone ∗∗∗
---------------------------------------------
The true impact of ransomware is unclear because some victims arent disclosing that theyve been attacked.
---------------------------------------------
https://www.zdnet.com/article/ransomware-not-enough-victims-are-reporting-a…
∗∗∗ A technical analysis of Pegasus for Android – Part 3 ∗∗∗
---------------------------------------------
Pegasus is a spyware developed by the NSO group that was repeatedly analyzed by Amnesty International and CitizenLab. In this article, we dissect the Android version that was initially analyzed by Lookout in this paper, and we recommend reading it along with this post. During our research about Pegasus for Android, we’ve found out that vendors wrongly attributed [...]
---------------------------------------------
https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Mitigates Vulnerability in Jupyter Notebooks for Azure Cosmos DB ∗∗∗
---------------------------------------------
Microsoft recently fixed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB (currently in preview) reported by Orca Security. Customers not using Jupyter Notebooks (99.8% of Azure Cosmos DB customers do NOT use Jupyter notebooks) were not susceptible to this vulnerability. The bug was introduced on August 12th and fully patched worldwide [...]
---------------------------------------------
https://msrc-blog.microsoft.com/2022/11/01/microsoft-mitigates-vulnerabilit…
∗∗∗ Multiple Vulnerabilities Reported in Checkmk IT Infrastructure Monitoring Software ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been disclosed in Checkmk IT Infrastructure monitoring software that could be chained together by an unauthenticated, remote attacker to fully take over affected servers.
---------------------------------------------
https://thehackernews.com/2022/11/multiple-vulnerabilities-reported-in.html
∗∗∗ Xcode 14.1 ∗∗∗
---------------------------------------------
This document describes the security content of Xcode 14.1.
---------------------------------------------
https://support.apple.com/kb/HT213496
∗∗∗ Cisco Security Advisories 2022-11-02 ∗∗∗
---------------------------------------------
Security Impact Rating: 4x High, 7x Medium
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022 ∗∗∗
---------------------------------------------
On November 1, 2022, the OpenSSL Project announced the following vulnerabilities: CVE-2022-3602 - X.509 Email Address 4-byte Buffer Overflow CVE-2022-3786 - X.509 Email Address Variable Length Buffer Overflow For a description of these vulnerabilities, see OpenSSL Security Advisory [Nov 1 2022]. This advisory will be updated as additional information becomes available.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
AIX, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Cloud Object Storage Systems, IBM Cloud Pak for Integration, IBM Cloud Pak for Security, IBM DataPower Gateway, IBM Elastic Storage System, IBM Event Streams, IBM FlashSystem, IBM FlashSystem models FS900 and V9000, IBM InfoSphere Information Server, IBM MQ, IBM QRadar SIEM, IBM SAN Volume Controller, IBM Security Guardium, IBM Security Verify Access, IBM Spectrum Virtualize, IBM Storwize, IBM Voice Gateway, IBM WebSphere Application Server, IBM WebSphere Application Server used by IBM Master Data Management, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, Power System, Zlib for IBM i
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ An Update on the OpenSSL vulnerability CVE-2022-3602 ∗∗∗
---------------------------------------------
November 1, 2022: IBM is responding to the reported buffer overflow vulnerability that the OpenSSL open-source community disclosed for OpenSSL versions 3.0.0 – 3.0.6. We are taking action as an enterprise, and for IBM products and services that may potentially be impacted, as we do for all vulnerabilities rated High.
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-preparing-to-respond-to-the-upcoming-op…
∗∗∗ FortiGuard PSIRT Advisories 2022-11-01 ∗∗∗
---------------------------------------------
AV Engine, FortiADC, FortiClient (MAC), FortiDeceptor, FortiEDR CollectorWindows, FortiMail, FortiManager/FortiAnalyzer, FortiOS, FortiSIEM, FortiSOAR, FortiTester
---------------------------------------------
https://fortiguard.fortinet.com/psirt
∗∗∗ Xen Security Advisories 2022-11-01 ∗∗∗
---------------------------------------------
Xen released 10 Security Advisories.
---------------------------------------------
https://xenbits.xen.org/xsa/
∗∗∗ Bitdefender: Löschen von Registry-Keys durch Sicherheitslücke möglich ∗∗∗
---------------------------------------------
Eine Sicherheitslücke in den Virenscannern von Bitdefender ermöglicht Angreifern, Registry-Schlüssel zu löschen. Bitdefender verteilt Aktualisierungen dagegen.
---------------------------------------------
https://heise.de/-7327061
∗∗∗ Kritische Sicherheitslücke in IT-Managementsoftware von Hitachi geschlossen ∗∗∗
---------------------------------------------
Admins sollten die aktuellen Versionen von Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer und Hitachi Ops Center Viewpoint installieren.
---------------------------------------------
https://heise.de/-7327825
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (batik, chromium, expat, libxml2, ncurses, openvswitch, pysha3, python-django, thunderbird, and tomcat9), Fedora (cacti, cacti-spine, curl, mbedtls, mingw-expat, and xen), Gentoo (apptainer, bind, chromium, exif, freerdp, gdal, gitea, hiredis, jackson-databind, jhead, libgcrypt, libksba, libtirpc, lighttpd, net-snmp, nicotine+, open-vm-tools, openexr, rpm, schroot, shadow, sofia-sip, tiff, and xorg-server), Mageia (libreoffice), Oracle (expat), Red [...]
---------------------------------------------
https://lwn.net/Articles/913261/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python3.7), Gentoo (android-tools, expat, firefox, libjxl, libxml2, pjproject, sqlite, thunderbird, and zlib), Oracle (compat-expat1), Slackware (php8 and vim), SUSE (kernel, libtasn1, podman, and pyenv), and Ubuntu (libtasn1-6).
---------------------------------------------
https://lwn.net/Articles/913352/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg and linux-5.10), Fedora (libksba, openssl, and php), Gentoo (openssl), Mageia (curl, gdk-pixbuf2.0, libksba, nbd, php, and virglrenderer), Red Hat (kernel, kernel-rt, libksba, and openssl), SUSE (gnome-desktop, hdf5, hsqldb, kernel, nodejs10, openssl-3, php7, podofo, python-Flask-Security, python-lxml, and xorg-x11-server), and Ubuntu (backport-iwlwifi-dkms, firefox, ntfs-3g, and openssl).
---------------------------------------------
https://lwn.net/Articles/913504/
∗∗∗ Nov 3 2022 Security Releases ∗∗∗
---------------------------------------------
The Node.js project will release new versions of the 14.x, 16.x, 18.x, 19.xreleases lines on or shortly after Thursday, November 3, 2022 in order to address: One medium severity issues. Two high severity issues that affect OpenSSL as per secadv/20221101.txt These security releases are driven by the OpenSSL security release as announced in OpenSSL November Security Release as well as an additional vulnerability that affects all supported release lines.
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/november-2022-security-releases
∗∗∗ Chromium: CVE-2022-3723 Type Confusion in V8 ∗∗∗
---------------------------------------------
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3723
∗∗∗ Multiple vulnerabilities in the web interfaces of Kyocera Document Solutions MFPs and printers ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN46345126/
∗∗∗ Security Advisory - Path Traversal Vulnerability in a Huawei Childrens Watch ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20221102-…
∗∗∗ K44454157: Expat vulnerability CVE-2022-40674 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44454157
∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-42316, CVE-2022-42317 & CVE-2022-42318 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX472851/citrix-hypervisor-security-bul…
∗∗∗ [R1] Nessus Agent Version 10.2.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2022-22
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 28-10-2022 18:00 − Montag 31-10-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Jetzt patchen! Es könnten Attacken auf VMware Cloud Foundation bevorstehen ∗∗∗
---------------------------------------------
Für eine kritische Sicherheitslücke in Cloud Foundation von VMware ist Exploit-Code in Umlauf.
---------------------------------------------
https://heise.de/-7324777
∗∗∗ Apple räumt ein: Nur aktuelles macOS stopft alle bekannten Sicherheitslücken ∗∗∗
---------------------------------------------
Apple hat zum ersten Mal bestätigt, dass der Hersteller in früheren macOS-Versionen nicht alle Schwachstellen beseitigt. Dasselbe gilt offensichtlich für iOS.
---------------------------------------------
https://heise.de/-7324991
∗∗∗ Backup-Software von ConnectWise für Ransomware-Attacken anfällig ∗∗∗
---------------------------------------------
Angreifer könnten Systeme mit Recover oder R1Soft Server Backup Manager von ConnectWise attackieren. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-7324856
∗∗∗ Gefälschtes A1-Mail im Umlauf ∗∗∗
---------------------------------------------
In einem gefälschten E-Mail von A1 behaupten Kriminelle, dass Sie bereits 80% Ihres Postfach-Speicherplatzes aufgebraucht haben. Sie werden aufgefordert, auf einen Link zu klicken, um zusätzlichen Speicherplatz freizuschalten. Klicken Sie nicht auf den Link, Sie landen auf einer manipulierten Login-Seite.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-a1-mail-im-umlauf/
∗∗∗ 2022 OpenSSL vulnerability ∗∗∗
---------------------------------------------
This repo contains operational information regarding the recently announced vulnerability in OpenSSL 3. [...] Currently no complete overview of vulnerable products is available. Please see https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md for a list of products that are known to be vulnerable. The list is a work in progress.
---------------------------------------------
https://github.com/NCSC-NL/OpenSSL-2022
∗∗∗ Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th) ∗∗∗
---------------------------------------------
Some here may still remember Heartbleed. Heartbleed was a critical OpenSSL vulnerability that surprised many organizations, and patching the issue was a major undertaking. Heartbleed caused OpenSSL and other open-source projects to rethink how they address security issues and communicate with their users. OpenSSL started to pre-announce any security updates about a week ahead of time. This week, OpenSSL announced they would release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability [1].
---------------------------------------------
https://isc.sans.edu/diary/rss/29192
∗∗∗ APT10: Tracking down LODEINFO 2022, part I ∗∗∗
---------------------------------------------
The first part of this report will provide technical analysis of the new infection methods such as SFX files and DOWNIISSA, a new downloader shellcode used to deploy the LODEINFO backdoor.
---------------------------------------------
https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/
∗∗∗ APT10: Tracking down LODEINFO 2022, part II ∗∗∗
---------------------------------------------
In the second part of this report, we discuss improvements made to the LODEINFO backdoor shellcode in 2022.
---------------------------------------------
https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/
∗∗∗ NMAP without NMAP - Port Testing and Scanning with PowerShell, (Mon, Oct 31st) ∗∗∗
---------------------------------------------
Ever needed to do a portscan and didn't have nmap installed? I've had this more than once on an internal pentest or more often just on run-rate "is that port open? / is there a host firewall in the way?" testing.
---------------------------------------------
https://isc.sans.edu/diary/rss/29202
∗∗∗ WordPress Vulnerability & Patch Roundup October 2022 ∗∗∗
---------------------------------------------
[...] To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2022/10/wordpress-vulnerability-patch-roundup-octob…
∗∗∗ Hardware Trojans Under a Microscope ∗∗∗
---------------------------------------------
While the security industry generally focuses on software cyber attacks, we can’t forget the security impact of lower level hardware flaws, such as those that affect semiconductors.
---------------------------------------------
https://ryancor.medium.com/hardware-trojans-under-a-microscope-bf542acbcc29
∗∗∗ What I learnt from reading 217* Subdomain Takeover bug reports. ∗∗∗
---------------------------------------------
My two prior blogs, What I Learnt From Reading 220 IDOR bug reports, and What I Learnt From Reading 126 Information Disclosure Writeups*, were well received, so I’m continuing the series. I once more scraped ALL 143 SDTO bug reports from hackerone, and 74 detailed write-ups, then went into hiding as I read and took notes on them. I’m here to show you my actionable findings, and show you how to properly hunt for SDTOs.
---------------------------------------------
https://medium.com/@nynan/what-i-learnt-from-reading-217-subdomain-takeover…
∗∗∗ Free Micropatches For Bypassing MotW Security Warning with Invalid Signature (0day) ∗∗∗
---------------------------------------------
Nine days ago we issued micropatches for a vulnerability that allows attackers to bypass the warning Windows normally present to users when they try to open a document or executable obtained from an untrusted source (Internet, email, USB key, network drive). That vulnerability, affecting all supported and many legacy Windows versions, still has no official patch from Microsoft so our (free!) patches are the only actual patches in existence as of this writing. On the very same day we issued these micropatches, Will Dormann - who researched said vulnerability - replied to a tweet by another security researcher, Patrick Schläpfer. Patrick works at HP Wolf Security where they analyzed the Magniber Ransomware and wrote a detailed analysis of its working. Will asked Patrick about the ZIP files used in the malware campaign to see if they were exploiting the same vulnerability or employing some other trick to bypass the "Mark of the Web". [...] And so a new 0day - already exploited in the wild - was revealed.
---------------------------------------------
https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-motw.html
∗∗∗ The Defender’s Guide to the Windows Registry ∗∗∗
---------------------------------------------
Welcome to the Defender’s Guide. This is a series of blog posts designed to give you a ground-up start to defending a specific technology from potential attackers. While a lot of this information may be redundant to a more seasoned information security personnel, even the best of us rely on Google and blog posts to get information. These posts are designed to be a one-stop shop, bringing a lot of that information together.
---------------------------------------------
https://posts.specterops.io/the-defenders-guide-to-the-windows-registry-feb…
∗∗∗ Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure ∗∗∗
---------------------------------------------
Learning about the variety of techniques used by banking Trojans can help us detect other activities of financially motivated threat groups.
---------------------------------------------
https://unit42.paloaltonetworks.com/banking-trojan-techniques/
∗∗∗ Follina Exploit Leads to Domain Compromise ∗∗∗
---------------------------------------------
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain.
---------------------------------------------
https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compro…
∗∗∗ Vulnerabilities in Apache Batik Default Security Controls – SSRF and RCE Through Remote Class Loading ∗∗∗
---------------------------------------------
I stumbled upon the Apache Batik library while researching other Java-based products. It immediately caught my attention, as this library parses Scalable Vector Graphics (SVG) files and transforms them into different raster graphics formats (i.e., PNG, PDF, or JPEG). I was even more encouraged when I looked at the Batik documentation. It was obvious that such a library could be prone to Server-Side Request Forgery (SSRF) issues (e.g., loading of images from remote resources).
---------------------------------------------
https://www.thezdi.com/blog/2022/10/28/vulnerabilities-in-apache-batik-defa…
∗∗∗ AgentTesla Being Distributed via VBS ∗∗∗
---------------------------------------------
The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file has multiple codes that have been obfuscated multiple times. AgentTesla has been found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing.
---------------------------------------------
https://asec.ahnlab.com/en/40890/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
App Connect Professional, IBM Business Automation Manager Open Editions 8.0.1, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Cloud Pak for Business Automation, IBM Cloud Pak for Security, IBM Event Streams, IBM Host Access Transformation Services, IBM MQ Appliance
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client ∗∗∗
---------------------------------------------
Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible.
---------------------------------------------
https://spring.io/blog/2022/10/31/cve-2022-31690-privilege-escalation-in-sp…
∗∗∗ CVE-2022-31692: Authorization rules can be bypassed via forward or include in Spring Security ∗∗∗
---------------------------------------------
Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for [CVE-2022-31692](https://tanzu.vmware.com/security/cve-2022-31692) affecting the AuthorizationFilter. Users are encouraged to update as soon as possible.
---------------------------------------------
https://spring.io/blog/2022/10/31/cve-2022-31692-authorization-rules-can-be…
∗∗∗ CISA Has Added One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/10/28/cisa-has-added-on…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 27-10-2022 18:00 − Freitag 28-10-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Windows: Gefährliche, IE-basierende Schwachstellen ∗∗∗
---------------------------------------------
Sicherheitsforscher der Varonis Threat Labs haben zwei Windows-Sicherheitslücken aufgedeckt, die große blinde Flecken für Sicherheits-Software erzeugen und Rechner mittels DoS-Angriffe außer Betrieb setzen können. LogCrusher und OverLog nutzen dabei das Internet Explorer-spezifische Ereignisprotokoll MS-EVEN, das auf allen aktuellen Windows-Betriebssystemen vorhanden ist, unabhängig davon, ob der Browser genutzt wurde oder wird. Während OverLog mittlerweile gefixt ist, hat Microsoft für LogCrusher kürzlich nur einen partiellen Patch herausgegeben: Cyberkriminelle können deshalb immer noch Angriffe durchführen, wenn sie sich einen Administrator-Zugang zum Netzwerk des Opfers verschaffen.
---------------------------------------------
https://www.borncity.com/blog/2022/10/28/windows-gefhrliche-ie-basierende-s…
∗∗∗ Neue Website: Apple erleichtert Sicherheitsforschung ∗∗∗
---------------------------------------------
Ein zentrales neues Portal erklärt das Bug–Bounty-Programm und ermöglicht es, schneller und direkter mit dem Security-Team des Konzerns in Kontakt zu kommen.
---------------------------------------------
https://heise.de/-7323634
∗∗∗ macOS 13: Anti-Malware-Tools nach Upgrade zahnlos ∗∗∗
---------------------------------------------
Antivirus-Software und andere Sicherheits-Tools funktionieren durch einen Apple-Bug in macOS Ventura nicht mehr richtig. Das Problem kann behoben werden.
---------------------------------------------
https://heise.de/-7322669
∗∗∗ Vorsicht vor dieser Fake-Raiffeisen Investmentfalle ∗∗∗
---------------------------------------------
Geld verdienen mit Raiffeisen, angeboten werden angeblich Aktien einer der größten Banken Österreichs. Das Versprechen klingt gut, doch es handelt sich um eine gut getarnte Phishing-Seite. Investieren Sie nicht auf lps.snowgross.com, Sie tappen in eine Anlagebetrugsfalle!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-dieser-fake-raiffeisen-…
∗∗∗ One-Time Programs ∗∗∗
---------------------------------------------
One of the things I like to do on this blog is write about new research that has a practical angle. Most of the time (I swear) this involves writing about other folks’ research: it’s not that often that I write about work that comes out of my own lab. Today I’m going make an [...]
---------------------------------------------
https://blog.cryptographyengineering.com/2022/10/27/one-time-programs/
∗∗∗ Apple clarifies security update policy: Only the latest OSes are fully patched ∗∗∗
---------------------------------------------
New document confirms what security researchers have observed for a few years.
---------------------------------------------
https://arstechnica.com/?p=1893235
∗∗∗ Android malware droppers with 130K installs found on Google Play ∗∗∗
---------------------------------------------
A set of Android malware droppers were found infiltrating the Google Play store to install malicious programs by pretending to be app updates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-malware-droppers-wit…
∗∗∗ Exploit released for critical VMware RCE vulnerability, patch now ∗∗∗
---------------------------------------------
Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-critica…
∗∗∗ Researchers Expose Over 80 ShadowPad Malware C2 Servers ∗∗∗
---------------------------------------------
As many as 85 command-and-control (C2) servers have been discovered supported by the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022. Thats according to VMwares Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications.
---------------------------------------------
https://thehackernews.com/2022/10/researchers-expose-over-80-shadowpad.html
∗∗∗ Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints ∗∗∗
---------------------------------------------
The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up.
---------------------------------------------
https://thehackernews.com/2022/10/raspberry-robin-operators-selling.html
∗∗∗ TCP/IP Vulnerability CVE-2022–34718 PoC Restoration and Analysis ∗∗∗
---------------------------------------------
The patch released by Microsoft last month contained a vulnerability in the TCP/IP protocol that allowed for code execution. To ascertain the impact of the vulnerability, Numen’s security research team conducted an in-depth analysis of the vulnerability and restored the PoC through patch comparison.
---------------------------------------------
https://medium.com/numen-cyber-labs/analysis-and-summary-of-tcp-ip-protocol…
∗∗∗ Defeating Guloader Anti-Analysis Technique ∗∗∗
---------------------------------------------
Unit 42 is providing a script to deobfuscate a recently discovered Guloader variant that uses anti-analysis techniques, and other samples like it.
---------------------------------------------
https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/
∗∗∗ Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign ∗∗∗
---------------------------------------------
Group uses novel method of reading commands from legitimate IIS logs.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/cranefly…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdates für älteres iOS und iPadOS ∗∗∗
---------------------------------------------
iPadOS 15.7.1 und iOS 15.7.1 stopfen problematische Sicherheitslücken für alle, die nicht auf iPadOS 16 und iOS 16 aktualisieren wollen - oder können.
---------------------------------------------
https://heise.de/-7323199
∗∗∗ Webbrowser: Entwickler schließen hochriskante Sicherheitslücke in Chrome ∗∗∗
---------------------------------------------
Google hat ein Update für den Webbrowser Chrome veröffentlicht. Darin dichten die Programmierer eine Schwachstelle mit hohem Risiko ab.
---------------------------------------------
https://heise.de/-7322963
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
CP4D Match 360, IBM Answer Retrieval for Watson Discovery versions 2.8 and earlier, IBM Cloud Pak System, IBM Db2 On Openshift, IBM Db2® on Cloud Pak for Data, Db2 Warehouse® on Cloud Pak for Data, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM QRadar SIEM, IBM TXSeries for Multiplatforms, IBM Voice Gateway, IBM Watson Assistant for IBM Cloud Pak for Data, IBM® SDK, Java™ Technology Edition, Liberty for Java for IBM Cloud, node.js
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat, ruby-sinatra, and thunderbird), Fedora (glances), Mageia (cups, firefox, git, heimdal, http-parser, krb5-appl, minidlna, nginx, and thunderbird), Oracle (389-ds:1.4, device-mapper-multipath, firefox, mysql:8.0, postgresql:12, and thunderbird), SUSE (dbus-1, libconfuse0, libtasn1, openjpeg2, qemu, and thunderbird), and Ubuntu (dbus, linux-azure-fde, and tiff).
---------------------------------------------
https://lwn.net/Articles/912873/
∗∗∗ Corel Coreldraw graphics suite vulnerabilities ∗∗∗
---------------------------------------------
https://secalerts.co/vulnerabilities/corel/coreldraw_graphics_suite
∗∗∗ Case update: DIVD-2022-00020 - Multiple injection vulnerabilities identified within Feathers.js ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00020/
∗∗∗ Case update: DIVD-2022-00045 - Injection vulnerability found within Socket.io ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00045/
∗∗∗ [R1] Nessus Version 10.4.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2022-21
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily