Daily

daily@lists.cert.at

1 participants
3085 discussions

Tageszusammenfassung - 24.06.2022
by Daily end-of-shift report 24 Jun '22

24 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-06-2022 18:00 − Freitag 24-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 2FA: Wie sicher sind TOTP, Fido, SMS und Push-Apps? ∗∗∗ --------------------------------------------- Zwei- oder Multi-Faktor-Authentifizierung soll uns sicherer machen. Wir erklären, wie TOTP, Fido & Co. funktionieren und wovor sie schützen. --------------------------------------------- https://www.golem.de/news/2fa-wie-sicher-sind-totp-fido-sms-und-push-apps-2… ∗∗∗ Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys ∗∗∗ --------------------------------------------- Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. --------------------------------------------- https://thehackernews.com/2022/06/multiple-backdoored-python-libraries.html ∗∗∗ Black Basta Ransomware Becomes Major Threat in Two Months ∗∗∗ --------------------------------------------- Black Basta ransomware has become a major new threat in just a couple months. Evidence suggests it was still in development in February 2022, and only became operational in April 2022. --------------------------------------------- https://www.securityweek.com/black-basta-ransomware-becomes-major-threat-tw… ∗∗∗ There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families ∗∗∗ --------------------------------------------- Learn about the unique implementations of API Hammering malware samples and how to mitigate them. --------------------------------------------- https://unit42.paloaltonetworks.com/api-hammering-malware-families/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer nutzen kontinuierlich Log4Shell-Lücke in VMware Horizon aus ∗∗∗ --------------------------------------------- Die Cybersecurity & Infrastructure Security Agency warnt vor Attacken auf die Virtualisierungslösung VMware Horizon. Admins sollten zügig handeln. --------------------------------------------- https://heise.de/-7152258 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ntfs-3g and ntfs-3g-system-compression), SUSE (389-ds, chafa, containerd, mariadb, php74, python3, salt, and xen), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/898925/ ∗∗∗ Codesys Patches 11 Flaws Likely Affecting Controllers From Several ICS Vendors ∗∗∗ --------------------------------------------- Codesys this week announced patches for nearly a dozen vulnerabilities discovered in the company’s products by researchers at Chinese cybersecurity firm NSFocus. --------------------------------------------- https://www.securityweek.com/codesys-patches-11-flaws-likely-affecting-cont… ∗∗∗ ZDI-22-872: DevExpress SafeBinaryFormatter Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-872/ ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2022-22389) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics (CVE-2020-4230,CVE-2020-4135,CVE-2020-4204,CVE-2020-4200) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vuln… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2019-10086, CVE-2021-41617) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to configuration credentials unencrypted in system memory (CVE-2022-22414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities due to the consumed Expat library ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-affected-by-mu… ∗∗∗ Security Bulletin: CVE-2021-35603 may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35603-may-affect… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an information leak vulnerability within Kafka (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in zlib affects IBM Common Inventory Technology (CIT). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-zlib-a… ∗∗∗ Security Bulletin: CVE-2020-35550 may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-35550-may-affect… ∗∗∗ K26314875: Apache vulnerability CVE-2022-26377 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K26314875 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX460064/citrix-hypervisor-security-upd… ∗∗∗ OFFIS DCMTK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-174-01 ∗∗∗ Yokogawa STARDOM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-01 ∗∗∗ Yokogawa CAMS for HIS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-02 ∗∗∗ Secheron SEPCOS Control and Protection Relay ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-03 ∗∗∗ Pyramid Solutions EtherNet/IP Adapter Development Kit ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-04 ∗∗∗ Elcomplus SmartICS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2022
by Daily end-of-shift report 23 Jun '22

23 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-06-2022 18:00 − Donnerstag 23-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Conti ransomware hacking spree breaches over 40 orgs in a month ∗∗∗ --------------------------------------------- The Conti cybercrime syndicate runs one of the most aggressive ransomware operations and has grown highly organized, to the point that affiliates were able to hack more than 40 companies in a little over a month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-hacking-spr… ∗∗∗ Malicious Windows LNK attacks made easy with new Quantum builder ∗∗∗ --------------------------------------------- Malware researchers have noticed a new tool that helps cybercriminals build malicious .LNK files to deliver payloads for the initial stages of an attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-windows-lnk-attack… ∗∗∗ The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs ∗∗∗ --------------------------------------------- We want to familiarize the reader with the different stages of ransomware deployment and provide a visual guide to defending against targeted ransomware attacks. --------------------------------------------- https://securelist.com/modern-ransomware-groups-ttps/106824/ ∗∗∗ Understanding the Compound File Binary Format and OLE Structures to Mess with CVE-2022-30190 ∗∗∗ --------------------------------------------- Initially, I began this research to generate weaponized RTF files delivering the CVE-2022-30190(Follina) exploit. --------------------------------------------- https://cymulate.com/blog/cve-2022-30190-2/ ∗∗∗ Miracle - One Vulnerability To Rule Them All ∗∗∗ --------------------------------------------- As mentioned in Jang blog, We (me and Jang) found a mega 0-day. After April Critical Patch, finally the vulnerability was patched properly. If you never known about this vulnerability, please patch your system ASAP! --------------------------------------------- https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c3a… ∗∗∗ Vorsicht vor betrügerischen „Remote Jobs“ auf LinkedIn ∗∗∗ --------------------------------------------- “Work from Home Jobs No Experience Required” – von zuhause aus arbeiten, dabei bis zu 2.000€ pro Woche verdienen und das alles ohne Berufserfahrung? Laut der massenhaft geschaltenen Stellenanzeigen von KADANSE ist das möglich. Was nicht erwähnt wird: Für diesen scheinbar lukrativen Job müssen Sie erst Geld bezahlen, der Job existiert so nicht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-remote-… ∗∗∗ Schwachstellen in Programmierschnittstellen ∗∗∗ --------------------------------------------- Weltweit sind 4,1 bis 7,5 Prozent der Cybersecurity-Vorfälle und -schäden auf Schwachstellen in Programmierschnittstellen (Application Programming Interfaces, APIs) zurückzuführen und verursachen Kosten in Milliardenhöhe. --------------------------------------------- https://www.zdnet.de/88402008/schwachstellen-in-programmierschnittstellen/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-22 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Engineering Lifecycle Management, WebSphere Liberty, CICS Transaction Gateway, Watson Knowledge Catalog for IBM Cloud Pak for Data, IBM Robotic Process Automation, IBM Tivoli Business Service Manager, IBM MQ Internet Pass-Thru, IBM Cognos Analytics, IBM Sterling Global Mailbox. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Synology: Aktualisierte Firmware dichtet Sicherheitslecks in Routern ab ∗∗∗ --------------------------------------------- In Firmware von Synology-Geräten hat der Hersteller Sicherheitslücken gefunden. Angreifer könnten unter anderem unberechtigt auf Dateien zugreifen. --------------------------------------------- https://heise.de/-7151202 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firejail, and request-tracker4), Fedora (ghex, golang-github-emicklei-restful, and openssl1.1), Oracle (postgresql), Scientific Linux (postgresql), Slackware (openssl), SUSE (salt and tor), and Ubuntu (apache2 and squid, squid3). --------------------------------------------- https://lwn.net/Articles/898720/ ∗∗∗ Cisco Adaptive Security Device Manager and Adaptive Security Appliance Software Client-side Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ K55051330: Intel BIOS vulnerability CVE-2021-33123 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55051330 ∗∗∗ K87351324: Intel BIOS vulnerability CVE-2021-33124 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87351324 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.06.2022
by Daily end-of-shift report 22 Jun '22

22 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-06-2022 18:00 − Mittwoch 22-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign ∗∗∗ --------------------------------------------- A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021. --------------------------------------------- https://thehackernews.com/2022/06/newly-discovered-magecart.html ∗∗∗ Du kommst hier nicht rein: Adobes PDF-Tools blockieren Antivirenschutz ∗∗∗ --------------------------------------------- Adobe Acrobat und Reader legen einen Registry-Eintrag an. Dieser hält über Chromiums libcef.dll Sicherheitsprogramm-DLLs aus den PDF-Programmen fern. --------------------------------------------- https://heise.de/-7147804 ∗∗∗ Sharehoster Mega: Sicherheitsforscher entschlüsseln eigentlich geschützte Daten ∗∗∗ --------------------------------------------- Eine problematische Kryptografie-Implementierung kann verschlüsselte Dateien für den Betreiber oder Angreifer lesbar machen. --------------------------------------------- https://heise.de/-7148227 ∗∗∗ Machen Sie mit bei unserer Studie zum Fake-Shop-Detector! ∗∗∗ --------------------------------------------- Fake-Shops stellen Konsument:innen vor große Herausforderungen: Sie werden immer zahlreicher und sind gleichzeitig schwieriger zu erkennen. Um das Einkaufen im Internet sicherer zu machen, haben wir den Fake-Shop Detector entwickelt. --------------------------------------------- https://www.watchlist-internet.at/news/machen-sie-mit-bei-unserer-studie-zu… ∗∗∗ Keeping PowerShell: Measures to Use and Embrace ∗∗∗ --------------------------------------------- Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell. The CIS provides recommendations for proper configuration and monitoring of PowerShell, as opposed to removing or disabling it entirely due to its use by malicious actors after gaining access into victim networks. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/22/keeping-powershel… ===================== = Vulnerabilities = ===================== ∗∗∗ Webbrowser: Google schließt 14 Sicherheitslücken in Chrome ∗∗∗ --------------------------------------------- Mit dem Sprung auf das 103er-Release dichtet Google im Webbrowser Chrome 14 Schwachstellen ab. Auch für Android und iOS steht die neue Version bereit. --------------------------------------------- https://heise.de/-7147522 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exo and ntfs-3g), Fedora (collectd, golang-github-cli-gh, grub2, qemu, and xen), Red Hat (httpd:2.4, kernel, and postgresql), SUSE (drbd, fwupdate, neomutt, and trivy), and Ubuntu (apache2, openssl, openssl1.0, and qemu). --------------------------------------------- https://lwn.net/Articles/898605/ ∗∗∗ JTEKT TOYOPUC ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the JTEKT TOYOPUC programmable logic controller. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-172-02 ∗∗∗ VU#142546: SMA Technologies OpCon UNIX agent adds the same SSH key to all installations ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/142546 ∗∗∗ Security Bulletin: June 2022 :Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-june-2022-multiple-vulner… ∗∗∗ Security Bulletin: A vulnerability (CVE-2021-35550) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-cve-2021-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) OpenSSL vulnerability CVE-2021-4044 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-team-concert-rtc… ∗∗∗ Security Bulletin: Security vulnerability has been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer (CVE-2022-22475, CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to unauthorized sensitive information access due to IBM Java vulnerability (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Spring Framework affects IBM Watson Explorer (CVE-2022-22971, CVE-2022-22968, CVE-2022-22970) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-spring-f… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server January 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to unauthorized data access due to IBM Java (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Watson Explorer (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface has multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2022 – Includes Oracle® January 2022 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ K53252134: Intel BIOS vulnerability CVE-2021-0155 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53252134 ∗∗∗ K16162257: Intel BIOS vulnerability CVE-2021-0154 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16162257 ∗∗∗ K14454359: Intel BIOS vulnerability CVE-2021-0153 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14454359 ∗∗∗ K04303225: Intel BIOS vulnerability CVE-2021-0190 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04303225 ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247052-bt.html ∗∗∗ PHP Vulnerability ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-20 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2022
by Daily end-of-shift report 21 Jun '22

21 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 20-06-2022 18:00 − Dienstag 21-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New DFSCoerce NTLM Relay attack allows Windows domain takeover ∗∗∗ --------------------------------------------- A new Windows NTLM relay attack called DFSCoerce has been discovered that uses MS-DFSNM, Microsofts Distributed File System, to completely take over a Windows domain. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-at… ∗∗∗ APT ToddyCat ∗∗∗ --------------------------------------------- ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’. --------------------------------------------- https://securelist.com/toddycat/106799/ ∗∗∗ Office 365 Config Loophole Opens OneDrive, SharePoint Data to Ransomware Attack ∗∗∗ --------------------------------------------- A reported a "potentially dangerous piece of functionality" allows an attacker to launch an attack on cloud infrastructure and ransom files stored in SharePoint and OneDrive. --------------------------------------------- https://threatpost.com/office-365-opens-ransomware-attacks-on-onedrive-shar… ∗∗∗ Bestellen Sie nicht bei funkelnmarkt.de ∗∗∗ --------------------------------------------- Der Online-Shop funkelnmarkt.de bietet Laptops, Waschmaschinen, Konsolen und Co. Die Preise sind teilweise etwas günstiger als bei anderen Shops und die Webseite wirkt professionell. Grund genug dort zu bestellen. Oder? Lieber nicht! Wenn Sie dort bestellen, erhalten Sie keine Ware und verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-funkelnmarkt… ===================== = Vulnerabilities = ===================== ∗∗∗ Icefall: 56 flaws impact thousands of exposed industrial devices ∗∗∗ --------------------------------------------- A security report has been published on a set of 56 vulnerabilities that are collectively called Icefall and affect operational technology (OT) equipment used in various critical infrastructure environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thou… ∗∗∗ OpenSSL Security Advisory [21 June 2022] ∗∗∗ --------------------------------------------- When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. --------------------------------------------- https://openssl.org/news/secadv/20220621.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tzdata), Oracle (cups), and SUSE (atheme, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, node_exporter, python36, release-notes-susemanager, release-notes-susemanager-proxy, SUSE Manager 4.1.15 Release Notes, SUSE Manager Client Tools, and SUSE Manager Server 4.2). --------------------------------------------- https://lwn.net/Articles/898504/ ∗∗∗ SSA-111512: Client-side Authentication in SIMATIC WinCC OA ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-111512.txt ∗∗∗ ABB Security Advisory: ABB Relion REX640 Insufficient file access control ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001421 ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Flaw in Go may affect DataPower Operator (CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-flaw-in-go-may-affect-dat… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM DataPower Operator affected by flaw in Go (CVE-2022-23773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-af… ∗∗∗ Security Bulletin: IBM Spectrum Symphony is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-symphony-is-… ∗∗∗ Security Bulletin: IBM Spectrum Conductor is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-conductor-is… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by prototype pollution in DOJO (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM DataPower Operator potentially vulnerable to Denial of Service (CVE-2021-44716) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-po… ∗∗∗ Security Bulletin: IBM QRadar Wincollect agent is vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-age… ∗∗∗ Security Bulletin: DataPower Operator vulnerable to a Denial of Service (CVE-2022-23806) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datapower-operator-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a postgresql-42.0.0.jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a mongodb-driver-legacy-4.1.1.jar vulnerability (CVE-2021-20328) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ PHOENIX CONTACT: Missing Authentication in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-028/ ∗∗∗ PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-026/ ∗∗∗ PHOENIX CONTACT: Vulnerability in classic line industrial controllers ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-025/ ∗∗∗ WEIDMUELLER: EtherNet/IP Fieldbus Coupler out-of-bounds write ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-004/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2022
by Daily end-of-shift report 20 Jun '22

20 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-06-2022 18:00 − Montag 20-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Kritische CVE-2022-20825 in Cisco Small-Business-Routern wird nicht gefixt ∗∗∗ --------------------------------------------- In den Small-Business-Routern RV110W, RV130, RV130W und RV215W gibt es eine kritische Schwachstelle CVE-2022-20825, die mit dem CVE-Wert von 9.8 bewertet wurde. Auf Grund einer fehlenden Authentifizierung ermöglicht die Schwachstelle sowohl eine Remote Command Execution als auch Denial of Service-Angriffe. --------------------------------------------- https://www.borncity.com/blog/2022/06/20/kritische-cve-2022-20825-in-cisco-… ∗∗∗ New phishing attack infects devices with Cobalt Strike ∗∗∗ --------------------------------------------- Security researchers have noticed a new malicious spam campaign that delivers the Matanbuchus malware to drop Cobalt Strike beacons on compromised machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-attack-infects-… ∗∗∗ Android-wiping BRATA malware is evolving into a persistent threat ∗∗∗ --------------------------------------------- The threat actors operating the BRATA banking trojan have evolved their tactics and incorporated new information-stealing features into their malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-wiping-brata-malware… ∗∗∗ Decoding Obfuscated BASE64 Statistically ∗∗∗ --------------------------------------------- In diary entry "Houdini is Back Delivered Through a JavaScript Dropper", Xavier mentions that he had to deal with an obfuscated BASE64 string. --------------------------------------------- https://isc.sans.edu/diary/rss/28758 ∗∗∗ The Importance of White-Box Testing: A Dive into CVE-2022-21662 ∗∗∗ --------------------------------------------- When CVE-2022-21662 came out there wasn’t a much-published material regarding this vulnerability. I want to take some time to explain the importance of using a white-box approach when testing applications for vulnerabilities. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-importa… ∗∗∗ Cerber2021 Ransomware Back in Action ∗∗∗ --------------------------------------------- In December 2021, researchers identified a new version of Cerber ransomware targeting both Linux and Windows users. In this infection, Cerber2021 was delivered by targeting the vulnerabilities in the Confluence and Gitlab servers. These vulnerabilities are tracked as CVE-2021-26084 and CVE-2021-22205, respectively. --------------------------------------------- https://blog.cyble.com/2022/06/17/cerber2021-ransomware-back-in-action/ ∗∗∗ Europol-Masche: Neue Welle betrügerischer Anrufe ∗∗∗ --------------------------------------------- Die Telefonbetrugsmasche, bei der sich die Kriminellen als Ermittlungsbehörde ausgeben, ist nicht neu. Dennoch rollt aktuell wieder eine Welle solcher Anrufe. --------------------------------------------- https://heise.de/-7146013 ∗∗∗ Erpressung per E-Mail: Hacker fordert die Überweisung von Bitcoins ∗∗∗ --------------------------------------------- Sie haben ein E-Mail von einem Hacker bekommen? Er schreibt, dass er Ihren Computer gehackt hat und Sie beim Masturbieren gefilmt hat? Er droht damit das Video zu verbreiten, wenn Sie keine Bitcoins überweisen? Im E-Mail wird sogar eines Ihrer Passwörter genannt? Machen Sie sich keine Sorgen! Dieses E-Mail ist Fake. Lassen Sie sich nicht erpressen und überweisen Sie keinesfalls Bitcoins. Ändern Sie aber umgehend Ihr Passwort! --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-per-e-mail-hacker-fordert… ∗∗∗ Azure Attack Paths: Common Findings and Fixes (Part 1) ∗∗∗ --------------------------------------------- This post will walk through various services within the Azure catalogue and look at potential attack paths. --------------------------------------------- https://blog.zsec.uk/azure-fundamentals-pt1/ ===================== = Vulnerabilities = ===================== ∗∗∗ AWS: Amazon-Hotpatch für log4j-Lücke ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- In einem Skript zum Absichern vor der log4j-Lücke von Amazon findet sich eine Sicherheitslücke. Angreifer könnten ihre Rechte damit ausweiten. --------------------------------------------- https://heise.de/-7145383 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cyrus-imapd, exo, sleuthkit, slurm-wlm, vim, and vlc), Fedora (golang-github-docker-libnetwork, kernel, moby-engine, ntfs-3g-system-compression, python-cookiecutter, python2.7, python3.6, python3.7, python3.8, python3.9, rubygem-mechanize, and webkit2gtk3), Mageia (bluez, dnsmasq, exempi, halibut, and php), Oracle (.NET 6.0, .NET Core 3.1, and xz), SUSE (chafa, firejail, kernel, python-Twisted, and tensorflow2), and Ubuntu (intel-microcode). --------------------------------------------- https://lwn.net/Articles/898413/ ∗∗∗ Security Advisory - Input Verification Vulnerability Involving Huawei Printer Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220620-… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due to Apache Log4j (CVE-2021-44228). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due To Apache Log4j (CVE-2021-4104). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: Potential module resolution error in DataPower Operator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-module-resoluti… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in jackson-databind (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: StoredIQ is vulnerable to denial of service and remote code execution in Apache Log4j (CVE-2021-44228, CVE-2021-45046). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to configuration credentials unencrypted in system memory (CVE-2022-22414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM QRadar WinCollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-is-… ∗∗∗ Security Bulletin: Potential Denial of Service in IBM DataPower Gateway (CVE-2022-23806) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-denial-of-servi… ∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to json-schema (CVE-2021-3918) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vu… ∗∗∗ Security Bulletin: IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics for Communications Service Providers and Datasets Impacted by Log4j Vulnerabilities ( CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-analytic-accelerator-… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in JDOM (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to lpd (CVE-2022-22444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel, Eclipse Jetty, and OpenJDK affect IBM Cloud Object Storage Systems (June 2022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: Cúram Social Program Management is affected by session timeout issues (CVE-2022-22318, CVE-2022-22317) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980) ∗∗∗ --------------------------------------------- https://spring.io/blog/2022/06/20/spring-data-mongodb-spel-expression-injec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2022
by Daily end-of-shift report 17 Jun '22

17 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-06-2022 18:00 − Freitag 17-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Security: Github informiert über Malware im Open-Source-Ökosystem ∗∗∗ --------------------------------------------- Nicht nur Sicherheitslücken machen Open-Source-Software anfällig. Auch Malware bereitet viele Probleme, die Github jetzt sammeln möchte. --------------------------------------------- https://www.golem.de/news/security-github-informiert-ueber-malware-im-open-… ∗∗∗ Zügig aktualisieren: Angreifer könnten Citrix ADM übernehmen ∗∗∗ --------------------------------------------- In Citrix Application Delivery Management-Software könnten Angreifer aus dem Netz eine Sicherheitslücke ausnutzen. Sie können damit volle Kontrolle erlangen. --------------------------------------------- https://heise.de/-7142301 ∗∗∗ NAS: Qnap warnt vor Angriffswelle mit DeadBolt-Ransomware ∗∗∗ --------------------------------------------- Der Hersteller Qnap warnt vor derzeit laufenden Angriffen auf die NAS-Systeme mit der DeadBolt-Ransomware. Administratoren sollen den Update-Stand überprüfen. --------------------------------------------- https://heise.de/-7144383 ∗∗∗ Kritische Sicherheitslücke in WordPress-Plug-in Ninja Forms behoben ∗∗∗ --------------------------------------------- WordPress-Admins, die das Plug-in Ninja Forms einsetzen, sollten unverzüglich dessen Aktualität sicherstellen. Angreifer könnten sonst eigenen Code ausführen. --------------------------------------------- https://heise.de/-7143515 ∗∗∗ Zahlreiche betrügerische Nachrichten im Namen der Post im Umlauf! ∗∗∗ --------------------------------------------- Sie warten auf ein Paket. Plötzlich werden Sie per SMS oder E-Mail benachrichtigt, dass es ein Problem mit Ihrer Lieferung gäbe. Immer wieder berichten wir von dieser Betrugsmasche, bei der Kriminelle willkürlich Nachrichten versenden und behaupten, dass ein Paket nicht geliefert werden könnte. Wer tatsächlich gerade auf ein Paket wartet, kann leicht in diese Falle tappen. Meist wollen die Kriminellen an Ihre Kreditkartendaten oder an Ihr Geld. Dieses Mal wird aber auch versucht Ihr Post-Konto zu kapern. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-betruegerische-nachrichte… ∗∗∗ Anatomie eines Hive Ransomware-Angriffs auf Exchange per ProxyShell ∗∗∗ --------------------------------------------- Häufig bleiben ja die Details einer Ransomware-Infektion für Außenstehende im Dunkeln. Mir ist diese Woche eine Information vom Sicherheitsdienstleister Varonis zugegangen, deren Sicherheitsteam den Ablauf eines Angriffs mit der Hive-Ransomware aufbereitet haben. --------------------------------------------- https://www.borncity.com/blog/2022/06/17/anatomie-eines-hive-ransomware-ang… ∗∗∗ Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike ∗∗∗ --------------------------------------------- The threat actor known as Blue Mockingbird has been observed by analysts targeting Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-three-year-o… ∗∗∗ New MaliBot Android banking malware spreads as a crypto miner ∗∗∗ --------------------------------------------- Threat analysts have discovered a new Android malware strain named MaliBot, which poses as a cryptocurrency mining app or the Chrome web browser to target users in Italy and Spain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malibot-android-banking-… ∗∗∗ Facebook Messenger Scam Duped Millions ∗∗∗ --------------------------------------------- One well crafted phishing message sent via Facebook Messenger ensnared 10 million Facebook users and counting. --------------------------------------------- https://threatpost.com/acebook-messenger-scam/179977/ ∗∗∗ WooCommerce Credit Card Skimmer Uses Telegram Bot to Exfiltrate Stolen Data ∗∗∗ --------------------------------------------- Our story starts like many others told on this blog: A new client came to us with reported cases of credit card theft on their eCommerce website. The website owner had received complaints from several customers who reported bogus transactions on their cards shortly after purchasing from their webstore, so the webmaster suspected that something could be amiss. --------------------------------------------- https://blog.sucuri.net/2022/06/woocommerce-credit-card-skimmer-uses-telegr… ∗∗∗ Difference Between Agent-Based and Network-Based Internal Vulnerability Scanning ∗∗∗ --------------------------------------------- For years, the two most popular methods for internal scanning: agent-based and network-based were considered to be about equal in value, each bringing its own strengths to bear. However, with remote working now the norm in most if not all workplaces, it feels a lot more like agent-based scanning is a must, while network-based scanning is an optional extra. --------------------------------------------- https://thehackernews.com/2022/06/difference-between-agent-based-and.html ∗∗∗ Details of Twice-Patched Windows RDP Vulnerability Disclosed ∗∗∗ --------------------------------------------- Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches. --------------------------------------------- https://www.securityweek.com/details-twice-patched-windows-rdp-vulnerabilit… ∗∗∗ DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach ∗∗∗ --------------------------------------------- [...] This particular attack leveraged a zero-day exploit to compromise the customer's firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites. This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature. --------------------------------------------- https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-fire… ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity RCE Vulnerability Reported in Popular Fastjson Library ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType." --------------------------------------------- https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html ∗∗∗ IBM Security Bulletins 2022-06-15 - 2022-06-16 ∗∗∗ --------------------------------------------- IBM Spectrum Protect Server, IBM Disconnected Log Collector, IBM Cloud Application Business Insights, IBM Tivoli Application Dependency Discovery Manager, IBM CICS TX Advanced, IBM Analytic Accelerator Framework, IBM Customer and Network Analytics, IBM QRadar SIEM, IBM QRadar Use Case Manager App, Rational Test Virtualization Server and Rational Test Workbench, IBM Robotic Process Automation, IBM Security QRadar Event and Flow Exporter App, IBM WebSphere Application Server Liberty, IBM TXSeries, IBM CICS TX Standard, IBM CICS TX Advanced, IBM Java Runtime, ISC BIND and IBM HTTP Server. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-06-15 ∗∗∗ --------------------------------------------- Cisco published 7 Security Advisories (2 Critical, 1 High, 4 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Kritische Lücke mit Höchstwertung in Smart-Home-Zentrale Anker Eufy Homebase 2 ∗∗∗ --------------------------------------------- Angreifer könnten sich über drei Sicherheitslücken in Eufy Homebase 2 Zugang zum Smart Home verschaffen. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-7143710 ∗∗∗ VMSA-2022-0017 ∗∗∗ --------------------------------------------- VMware HCX update addresses an information disclosure vulnerability (CVE-2022-22953) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (containerd, golang-github-containerd-cni, golang-github-containernetworking-cni, golang-x-sys, kernel, and qt5-qtbase), Oracle (kernel, kernel-container, microcode_ctl, subversion:1.14, and xz), Red Hat (.NET 6.0, .NET Core 3.1, cups, and xz), Scientific Linux (xz), SUSE (caddy, chromium, librecad, libredwg, varnish, and webkit2gtk3), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/898121/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel, liblouis, ntfs-3g, php, shim, shim-unsigned-aarch64, shim-unsigned-x64, thunderbird, and vim), Mageia (chromium-browser-stable and golang), Red Hat (grub2, mokutil, and shim and grub2, mokutil, shim, and shim-unsigned-x64), SUSE (389-ds, apache2, kernel, mariadb, openssl, openssl-1_0_0, rubygem-actionpack-5_1, rubygem-activesupport-5_1, and vim), and Ubuntu (exempi, kernel, linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4, [...] --------------------------------------------- https://lwn.net/Articles/898234/ ∗∗∗ Hillrom Medical Device Management ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Hard-coded Password, and Improper Access Control vulnerability in Welch Allyn resting electrocardiograph devices. Hillrom Medical. Welch Allyn, and ELI are registered trademarks of Baxter International, Inc., or its subsidiaries. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-167-01 ∗∗∗ AutomationDirect C-More EA9 HMI ∗∗∗ --------------------------------------------- This advisory contains mitigations for Uncontrolled Search Path Element, Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect C-More EA9 human-machine interface products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-01 ∗∗∗ AutomationDirect DirectLOGIC with Serial Communication ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in DirectLOGIC programmable controllers with serial communication. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-02 ∗∗∗ AutomationDirect DirectLOGIC with Ethernet ∗∗∗ --------------------------------------------- This advisory contains mitigations for Uncontrolled Resource Consumption, and Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect DirectLOGIC programmable logic Ethernet controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.06.2022
by Daily end-of-shift report 15 Jun '22

15 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-06-2022 18:00 − Mittwoch 15-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft 365 Apps for enterprise v2206 ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2206. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers ∗∗∗ --------------------------------------------- A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022. --------------------------------------------- https://thehackernews.com/2022/06/panchan-new-golang-based-peer-to-peer.html ∗∗∗ TPM Sniffing Attacks Against Non-Bitlocker Targets ∗∗∗ --------------------------------------------- Last year, during an uptick in media attention for Trusted Platform Module (TPM) security triggered by a blog post from the Dolos Group describing a sniffing attack on Windows Bitlocker relying on a TPM, a customer asked us to investigate their TPM-based Full Disk Encryption (FDE) set up in light of this type of attack. --------------------------------------------- https://www.secura.com/blog/tpm-sniffing-attacks-against-non-bitlocker-targ… ∗∗∗ Bypassing CSP with dangling iframes ∗∗∗ --------------------------------------------- Our Web Security Academy has a topic on dangling markup injection - a technique for exploiting sites protected by CSP. --------------------------------------------- https://portswigger.net/research/bypassing-csp-with-dangling-iframes ∗∗∗ A tiny botnet launched the largest DDoS attack on record ∗∗∗ --------------------------------------------- A small but powerful army of just 5,000 devices generated a record-breaking web attack. --------------------------------------------- https://www.zdnet.com/article/a-tiny-botnet-launched-the-largest-ddos-attac… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix warns critical bug can let attackers reset admin passwords ∗∗∗ --------------------------------------------- Citrix warned customers to deploy security updates that address a critical Citrix Application Delivery Management (ADM) vulnerability that can let attackers reset admin passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/citrix-warns-critical-bug-ca… ∗∗∗ Patchday: Updates bessern zehn SAP-Schwachstellen aus ∗∗∗ --------------------------------------------- Am Juni-Patchday hat SAP zehn Sicherheitslücken geschlossen. Für zwei ältere Sicherheitsmeldungen aktualisiert der Hersteller die Sicherheitsmeldungen. --------------------------------------------- https://heise.de/-7141579 ∗∗∗ Patchday: Microsoft schließt MSDT-Lücke, die auch ohne Makros funktioniert ∗∗∗ --------------------------------------------- Windows ist unter anderem über Word verwundbar, wobei auch RTF-Formate genutzt werden können. Aber auch Azure, Edge & Co. bekommen wichtige Sicherheitsupdates. --------------------------------------------- https://heise.de/-7141070 ∗∗∗ Patchday Adobe: Schadcode-Lücken in InDesign, Illustrator & Co. geschlossen ∗∗∗ --------------------------------------------- Mehrere Adobe-Anwendungen sind über als kritisch eingestufte Schwachstellen attackierbar. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-7141175 ∗∗∗ Sicherheitslücke Hertzbleed: x86-Prozessortaktung verrät Geheimnisse ∗∗∗ --------------------------------------------- Ein Forscherteam belauscht kryptografische Berechnungen auf modernen x86-CPUs anhand charakteristischer Taktfrequenzänderungen. --------------------------------------------- https://heise.de/-7141221 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (.NET 6.0 and log4j), SUSE (389-ds, grub2, kernel, openssl-1_1, python-Twisted, webkit2gtk3, and xen), and Ubuntu (php7.2, php7.4, php8.0, php8.1 and util-linux). --------------------------------------------- https://lwn.net/Articles/897992/ ∗∗∗ Critical Code Execution Vulnerability Patched in Splunk Enterprise ∗∗∗ --------------------------------------------- Splunk this week announced the release of out-of-band patches that address multiple vulnerabilities across Splunk Enterprise, including a critical issue that could lead to arbitrary code execution. --------------------------------------------- https://www.securityweek.com/critical-code-execution-vulnerability-patched-… ∗∗∗ Schneider Electric Advisories 2022-06-15 ∗∗∗ --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Security Bulletin: IBM Financial Transaction Manager for Digital Payments for Multi-Platform is vulnerable to SQL injection. (CVE-2019-4575) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-financial-transaction… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2022-28327 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Netcool Operations Insight v1.6.4 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential Cross-Site Scripting (Reflected) vulnerability (CVE-2020-4560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights – Quaterly Java update, CVE-2021-35603 and CVE-2021-35550 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to lpd (CVE-2022-22444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2022-24675 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential SQL Injection CVE-2020-4328 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ VMSA-2022-0016 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0016.html ∗∗∗ AUMA: SIMA² Master Station Denial of Service Vulnerability on Automation Runtime Webserver ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-024/ ∗∗∗ Johnson Controls Metasys ADS ADX OAS Servers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-01 ∗∗∗ Hardkodierte Backdoor Benutzer und veraltete Software Komponenten in der Nexans FTTO GigaSwitch Serie ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/nexans-ftto-gigaswitc… ∗∗∗ Synaptics Fingerprint Driver Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500494-SYNAPTICS-FINGERPRINT-D… ∗∗∗ Intel Processors MMIO Stale Data Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500497-INTEL-PROCESSORS-MMIO-S… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.06.2022
by Daily end-of-shift report 14 Jun '22

14 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 13-06-2022 18:00 − Dienstag 14-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ The many lives of BlackCat ransomware ∗∗∗ --------------------------------------------- The use of an unconventional programming language, multiple target devices and possible entry points, and affiliation with prolific threat activity groups have made the BlackCat ransomware a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. --------------------------------------------- https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackc… ∗∗∗ Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter thats being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers. --------------------------------------------- https://thehackernews.com/2022/06/researchers-detail-purecrypter-loader.html ∗∗∗ Public Travis CI Logs (Still) Expose Users to Cyber Attacks ∗∗∗ --------------------------------------------- In our latest research, we at Team Nautilus found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available. --------------------------------------------- https://blog.aquasec.com/travis-ci-security ∗∗∗ Sicherheitslücke im Apple M1 Chip: Pacman-Attacke umgeht Schutzschicht ∗∗∗ --------------------------------------------- Angriffe auf den M1-Prozessor sind durch ein Zusammenspiel von Hard- und Software möglich. Apple sieht allerdings keine unmittelbare Gefahr. --------------------------------------------- https://heise.de/-7140316 ∗∗∗ Vorsicht vor gefälschten Zahlungsaufforderungen per WhatsApp ∗∗∗ --------------------------------------------- Ihre Chefin bittet Sie, eine Rechnung zu begleichen. Sie fragen nach den Details und bekommen die Rechnung mit Zahlungsanweisungen zugesendet. Sie überweisen. Erst später bemerken Sie, dass es gar nicht Ihre Chefin war – sondern Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-zahlungsau… ∗∗∗ Internet Explorer 11 erreicht am 15. Juni 2022 End-of-Life (EOL) ∗∗∗ --------------------------------------------- Noch eine kurze Information an die Blog-Leserschaft, die ggf. noch den Internet Explorer 11 von Microsoft unter Windows im Einsatz haben. Zum heutigen Patchday, 14. Juni 2022, erhält der Browser letztmalig Sicherheitsupdates für verschiedene Windows-Versionen und fällt dann (zum 15. Juni 2022) aus dem Support. --------------------------------------------- https://www.borncity.com/blog/2022/06/14/internet-explorer-11-erreicht-am-1… ∗∗∗ CHM Malware Types with Anti-Sandbox Technique and Targeting Companies ∗∗∗ --------------------------------------------- Among CHM strains that are recently being distributed in Korea, the ASEC analysis team has discovered those applied with the anti-sandbox technique and targeting companies. --------------------------------------------- https://asec.ahnlab.com/en/35268/ ∗∗∗ NPM Replicator Remote Code Execution Deserialization ∗∗∗ --------------------------------------------- NPM, the package manager for Node.js, is an open source project that serves as a critical part of the JavaScript community and helps support one of the largest developer ecosystems. --------------------------------------------- https://checkmarx.com/blog/npm-replicator-remote-code-execution-deserializa… ∗∗∗ Supply Chain Attack: CTX Account Takeover and PHPass Hijack Explained ∗∗∗ --------------------------------------------- A threat actor recently hacked a popular PyPi repo on GitHub, setting off a supply chain attack that could have impacted millions of users. --------------------------------------------- https://orca.security/resources/blog/python-supply-chain-attack-ctx-phpass/ ∗∗∗ SynLapse – Technical Details for Critical Azure Synapse Vulnerability ∗∗∗ --------------------------------------------- Recently, the Orca Security research team discovered SynLapse, a tenant separation violation vulnerability in the Microsoft Azure Synapse environment. --------------------------------------------- https://orca.security/resources/blog/synlapse-critical-azure-synapse-analyt… ===================== = Vulnerabilities = ===================== ∗∗∗ New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials ∗∗∗ --------------------------------------------- A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction. --------------------------------------------- https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang-github-docker-libnetwork and moby-engine), Mageia (apache, docker-containerd, kernel, kernel-linus, nats-server, and php-smarty), Slackware (php), SUSE (gimp, grub2, thunderbird, u-boot, and xen), and Ubuntu (firefox, liblouis, ncurses, and rsync). --------------------------------------------- https://lwn.net/Articles/897847/ ∗∗∗ JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5708.php ∗∗∗ SSA-988345 V1.0: Local Privilege Escalation Vulnerability in Xpedition Designer ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-988345.txt ∗∗∗ SSA-911567 V1.0: Missing HTTP headers in SINEMA Remote Connect Server before V3.0 SP2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-911567.txt ∗∗∗ SSA-740594 V1.0: Privilege Escalation Vulnerability in Mendix SAML Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-740594.txt ∗∗∗ SSA-712929 V1.0: Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-712929.txt ∗∗∗ SSA-693555 V1.0: Memory Corruption Vulnerability in EN100 Ethernet Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-693555.txt ∗∗∗ SSA-685781 V1.0: Multiple Vulnerabilities in Apache HTTP Server Affecting Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-685781.txt ∗∗∗ SSA-631336 V1.0: Multiple Web Server Vulnerabilities in SICAM GridEdge Software ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-631336.txt ∗∗∗ SSA-484086 V1.0: Multiple Vulnerabilities in SINEMA Remote Connect Server before V3.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-484086.txt ∗∗∗ SSA-401167 V1.0: Cross-site scripting Vulnerability in Teamcenter Active Workspace ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-401167.txt ∗∗∗ SSA-388239 V1.0: Default Password Leakage affecting the Component Shared HIS used in Spectrum Power Systems ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-388239.txt ∗∗∗ SSA-330556 V1.0: PwnKit Vulnerability in SCALANCE LPE9403 and SINUMERIK Edge Products (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-330556.txt ∗∗∗ SSA-222547 V1.0: Third-Party Component Vulnerabilities in SCALANCE LPE9403 before V2.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-222547.txt ∗∗∗ SSA-220589 V1.0: Hard Coded Default Credential Vulnerability in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-220589.txt ∗∗∗ SSA-145224 V1.0: Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-145224.txt ∗∗∗ IBM Security Bulletins 2022-06-13 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ TYPO3 CORE: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories/typo3-cms ∗∗∗ ABB Security Advisory: Link Following Local Privilege Escalation Vulnerabilities in ABB Automation Builder, Drive Composer and Mint WorkBench ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0305&Lan… ∗∗∗ Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX460016/citrix-application-delivery-ma… ∗∗∗ Meridian Cooperative Meridian ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-02 ∗∗∗ Mitsubishi Electric MELSEC-Q/L and MELSEC iQ-R ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.06.2022
by Daily end-of-shift report 13 Jun '22

13 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-06-2022 18:00 − Montag 13-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Krypto-Miner und Verschlüsselungstrojaner schlüpfen durch Confluence-Lücke ∗∗∗ --------------------------------------------- Es häufen sich Attacken auf ungepatchte Instanzen von Confluence und Data Center. Sicherheitspatches sind verfügbar. --------------------------------------------- https://heise.de/-7138563 ∗∗∗ Buchen Sie Ihr Hotel nicht über hotels-in-tyrol.com ∗∗∗ --------------------------------------------- Die Buchungsplattform hotels-in-tyrol.com vermittelt Unterkünfte in Tirol. Wir raten zur Vorsicht. Auf der Plattform gibt es weder Informationen zum Betreiber noch Kontaktdaten. Im Reiter „Über uns“ wird lediglich ein Unternehmen namens „LocalHotels Ltd“ angeführt. Wir gehen aber davon aus, dass dieses Unternehmen gar nicht existiert. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihr-hotel-nicht-ueber-hot… ∗∗∗ Massenhafte Kontenübernahme bei smarten Yunmai Waagen möglich ∗∗∗ --------------------------------------------- Vom chinesischen Hersteller Yunmai wurden auch in Deutschland smarte Körperfettwaagen angeboten. Diese lassen sich per Bluetooth mit einer App auf dem Smartphone koppeln, so dass die persönlichen Daten mehrerer Personen in persönlichen Profilen gespeichert werden können. Leider hapert es mit der Sicherheit, wie Sicherheitsexperten festgestellt haben. Das Yunmai API ermöglicht die massenhafte Kontenübernahme oder die Umgehung der Hersteller-Restriktionen. --------------------------------------------- https://www.borncity.com/blog/2022/06/11/massenhafte-kontenbernahme-bei-sma… ∗∗∗ PyPI package keep mistakenly included a password stealer ∗∗∗ --------------------------------------------- PyPI packages keep, pyanxdns, api-res-py were found to contain a password-stealer and a backdoor due to the presence of malicious request dependency within some versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-package-keep-mistakenly… ∗∗∗ New Syslogk Linux rootkit uses magic packets to trigger backdoor ∗∗∗ --------------------------------------------- A new rootkit malware named Syslogk has been spotted in the wild, and it features advanced process and file hiding techniques that make detection highly unlikely. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-syslogk-linux-rootkit-us… ∗∗∗ EPSScall: An Exploit Prediction Scoring System App, (Fri, Jun 10th) ∗∗∗ --------------------------------------------- If you follow Cyentia Institute’s Jay Jacobs via social media you may FIRST ;-) have learned about the Exploit Prediction Scoring System (EPSS) from him, as I did. I quickly learned that FIRST offers an API for the EPSS Model, which immediately piqued my interest. Per FIRST, EPSS provides a fundamentally new capability for efficient, data-driven vulnerability management. While EPSS predicts the probability (threat) of a specific vulnerability being exploited, it can scale to estimate the threat for multiple vulnerabilities on a server, a subnet, mobile device, or at an enterprise level (Jacobs, 2022). --------------------------------------------- https://isc.sans.edu/diary/rss/28732 ∗∗∗ Translating Saitamas DNS tunneling messages, (Mon, Jun 13th) ∗∗∗ --------------------------------------------- Saitama is a backdoor that uses the DNS protocol to encapsulate its command and control (C2) messages - a technique known as DNS Tunneling (MITRE ATT&CK T1071). Spotted and documented by MalwareBytes in two articles posted last month (How the Saitama backdoor uses DNS tunneling and APT34 targets Jordan Government using new Saitama backdoor), Saitama was used in a phishing e-mail targeted to a government official from Jordans foreign ministry on an attack [...] --------------------------------------------- https://isc.sans.edu/diary/rss/28738 ∗∗∗ ModBus 101: One Protocol to Rule the OT World ∗∗∗ --------------------------------------------- Ever wondered how large-scale power plants monitor or control the myriad of systems that fill their environment? Have you thought about how some of the world’s greatest industrial hacks were enacted? This post will look to illuminate how one tiny legacy protocol, namely "ModBus" could help to understand just how straight forward this could be. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modbus-101-… ∗∗∗ Smilodon Credit Card Skimming Malware Shifts to WordPress ∗∗∗ --------------------------------------------- WordPress’ massive market share has come with an unsurprising side effect: As more and more site admins turn to popular plugins like WooCommerce to turn a profit on their website and set up online stores we’ve seen a significant increase in the number of attacks targeting WordPress eCommerce sites. What’s more, bad actors are repurposing their old Magento credit card stealing malware for use against WordPress. --------------------------------------------- https://blog.sucuri.net/2022/06/smilodon-credit-card-skimming-malware-shift… ∗∗∗ MIT Researchers Discover New Flaw in Apple M1 CPUs That Cant Be Patched ∗∗∗ --------------------------------------------- A novel hardware attack dubbed PACMAN has been demonstrated against Apples M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems. It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," [...] --------------------------------------------- https://thehackernews.com/2022/06/mit-researchers-discover-new-flaw-in.html ∗∗∗ Extracting Clear-Text Credentials Directly From Chromium’s Memory ∗∗∗ --------------------------------------------- Credential data (URL/username/password) is stored in Chrome’s memory in clear-text format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager (“Login Data” file). --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/extracting-clear-te… ∗∗∗ Researchers: Wi-Fi Probe Requests Expose User Data ∗∗∗ --------------------------------------------- A group of academic researchers from the University of Hamburg in Germany has discovered that mobile devices leak identifying information about their owners via Wi-Fi probe requests. Mobile devices use these probe requests to receive information about nearby Wi-Fi access points and establish connections to them when a probe response is received. --------------------------------------------- https://www.securityweek.com/researchers-wi-fi-probe-requests-expose-user-d… ∗∗∗ Exposing HelloXD Ransomware and x4k ∗∗∗ --------------------------------------------- HelloXD is a ransomware family in its initial stages - but already seeking to impact organizations. We analyze samples and hunt for attribution. --------------------------------------------- https://unit42.paloaltonetworks.com/helloxd-ransomware/ ∗∗∗ GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool ∗∗∗ --------------------------------------------- A new, difficult-to-detect remote access trojan named PingPull is being used by GALLIUM, an advanced persistent threat (APT) group. --------------------------------------------- https://unit42.paloaltonetworks.com/pingpull-gallium/ ∗∗∗ Microsoft Azure Synapse Pwnalytics ∗∗∗ --------------------------------------------- [...] Synapse Analytics utilizes Apache Spark for the underlying provisioning of clusters that user code is run on. User code in these environments is run with intentionally limited privileges because the environments are managed by internal Microsoft subscription IDs, which is generally indicative of a multi-tenant environment. Tenable Research has discovered a privilege escalation flaw that allows a user to escalate privileges to that of the root user within the context of a Spark VM. We have also discovered a flaw that allows a user to poison the hosts file on all nodes in their Spark pool, which allows one to redirect subsets of traffic and snoop on services users generally do not have access to. The full privilege escalation flaw has been adequately addressed. However, the hosts file poisoning flaw remains unpatched at the time of this writing. --------------------------------------------- https://medium.com/tenable-techblog/microsoft-azure-synapse-pwnalytics-87c9… ===================== = Vulnerabilities = ===================== ∗∗∗ QTS 5.0.0-Sicherheitsupdates für QNAP-NAS Geräte (8. Juni 2022) ∗∗∗ --------------------------------------------- Kurzer Hinweis an Leser und Leserinnen, die NAS-Laufwerke von QNAP im Einsatz haben. In der QTS 5.0.0-Software gibt es in älteren Versionen gravierende Schwachstellen, die am 8. Juni 2022 mit einem Update der Firmware auf QTS 5.0.0.2055 build 20220531 beseitigt wurden. --------------------------------------------- https://www.borncity.com/blog/2022/06/11/qts-5-sicherheitsupdates-fr-qnap-n… ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329) ∗∗∗ --------------------------------------------- The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device. Five vulnerabilities were discovered. Below are links to the associated technical advisories: [...] --------------------------------------------- https://research.nccgroup.com/2022/06/10/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, containerd, kernel, ntfs-3g, and vlc), Fedora (buildah and logrotate), Red Hat (xz), and SUSE (google-gson, netty3, rubygem-sinatra, and u-boot). --------------------------------------------- https://lwn.net/Articles/897711/ ∗∗∗ Drupal Releases Security Updates ∗∗∗ --------------------------------------------- Drupal has released security updates to address a Guzzle third-party library vulnerability that does not affect Drupal core but may affect some contributed projects or custom code on Drupal sites. Exploitation of this vulnerability could allow a remote attacker to take control of an affected website. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/13/drupal-releases-s… ∗∗∗ Screams of Power vulnerabilities (Powertek-based PDUs) ∗∗∗ --------------------------------------------- Even if the PDUs you use in your data center aren't branded "Powertek", please keep reading. Powertek is a company that makes datacenter class smart PDUs (Power Distribution Units - i.e. heavy duty power cords) for server racks. They sell both directly (or at least used to in the past I think?) and through their resellers. There is one reseller per country and they commonly rebrand their PDUs (e.g. mine has a logo of the Swiss reseller - schneikel). Anyway, in March I've done a quick 3h review of the firmware and found multiple vulnerabilities and weaknesses in Powertek PDU's firmware v3.30.23 and possibly prior (details below). So, if you're using a PDU that is running Powertek firmware, you might want to patch now. --------------------------------------------- https://gynvael.coldwind.pl/?id=748 ∗∗∗ OTRS: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0702 ∗∗∗ Security Bulletin: A vulnerability in OpenSSL affects IBM InfoSphere Information Server (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-openss… ∗∗∗ Security Bulletin: A Unspecified Java Vulnerability is affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-unspecified-java-vulner… ∗∗∗ Security Bulletin: IBM Event Streams is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-vuln… ∗∗∗ Security Bulletin: Due to use of Spring Framework, IBM Db2 Web Query for i is vulnerable to unprotected fields (CVE-2022-22968), remote code execution (CVE-2022-22965), and denial of service (CVE-2022-22950). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-spring-fram… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service, due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Java XML vulnerability affects Liberty for Java for IBM Cloud due to CVE-2022-21299 deferred from Oracle Jan 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-xml-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Identity Spoofing (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.06.2022
by Daily end-of-shift report 10 Jun '22

10 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-06-2022 18:00 − Freitag 10-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cyber Europe 2022 – europaweite Cyber-Sicherheitsübung ∗∗∗ --------------------------------------------- Im Zuge der 2-tägigen Cyber-Sicherheitsübung „Cyber Europe“ arbeiteten Behörden und nationale Computer-Notfallteams in ganz Europa intensiv an Schutz und Abwehr der angegriffenen IT-Bereiche. Über 800 Teilnehmer:innen waren dazu EU-weit an der Übung beteiligt. In Österreich war für die Koordination das Bundeskanzleramt zuständig. Das Gesundheitsministerium, das Innenministerium, das Außenministerium, das Verteidigungsministerium und die zuständigen Computernotfallteams waren in die Übung eingebunden. --------------------------------------------- https://www.ots.at/presseaussendung/OTS_20220609_OTS0200/cyber-europe-2022-… ∗∗∗ Phishing Campaigns featuring Ursnif Trojan on the Rise ∗∗∗ --------------------------------------------- McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-fea… ∗∗∗ Neue Linux-Malware aufgespürt ∗∗∗ --------------------------------------------- Eine gemeinsame Forschungsarbeit hat zur Entdeckung von Symbiote geführt, einer neuen Form von Linux-Malware, die nur schwer zu erkennen ist. Hacker erhalten damit Rootkit-Zugriff. --------------------------------------------- https://www.zdnet.de/88401771/neue-linux-malware-aufgespuert/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-09 - 2022-06-10 ∗∗∗ --------------------------------------------- IBM TXSeries, IBM Connections, IBM Watson, IBM Spectrum, IBM SDK, IBM Cloud Pak, IBM Db2 Mirror for i and IBM StoredIQ. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwachstellen in Infiray IRAY-A8Z3 Wärmebildkamera ∗∗∗ --------------------------------------------- Die IRAY A8Z3 Wärmebildkamera für Industrieapplikationen von Infiray/IRay Technologies ist anfällig auf verschiedene Schwachstellen, welche sich aus unsicherer Programmierung, unsicherer Konfiguration sowie veralteten eingebetteten Softwarekomponenten ergeben. Mehrere Angriffsmöglichkeiten für Remote Code Execution (RCE) wurden gefunden. Der Hersteller hat sich im Zuge unserer Responsible Disclosure nicht mehr gemeldet, weshalb unklar ist, ob Patches verfügbar sind. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/schwachstellen-infira… ∗∗∗ PHP: Updates verhindern Einschleusen von Schadcode ∗∗∗ --------------------------------------------- Fehler in PHP-Modulen zur Verbindung mit SQL-Datenbanken erlauben die Ausführung beliebigen Codes. Admins von Shared-Hosting-Servern sollten schnell updaten. --------------------------------------------- https://heise.de/-7136766 ∗∗∗ Fortinet entfernt hartcodierten Schlüssel und verhindert unberechtigte Zugriffe ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für mehrere Produkte von Fortinet. Einige Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-7136620 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-bottle), Fedora (grub2 and kernel), Mageia (python-pypdf2, python-ujson, and vim), and SUSE (fribidi, grub2, mozilla-nss, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/897518/ ∗∗∗ Vulnerabilities in HID Mercury Access Controllers Allow Hackers to Unlock Doors ∗∗∗ --------------------------------------------- https://www.securityweek.com/vulnerabilities-hid-mercury-access-controllers… ∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-160-01 ∗∗∗ "Undocumented Functionality" (Backdoor) in Mitel Desk Phones (SYSS-2022-021) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/undocumented-functionality-backdoor-in-mit… ∗∗∗ Kritische Schwachstelle in Crypto USB Flash Drive Lepin EP-KP001 (SYSS-2022-024) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/kritische-schwachstelle-in-crypto-usb-flas… ∗∗∗ Chrome 102.0.5005.115 fixt Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/06/10/chrome-102-0-5005-115-fixt-schwach… ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily