Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 12.09.2022
by Daily end-of-shift report 12 Sep '22

12 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-09-2022 18:00 − Montag 12-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Krypto-Malware Shikitega überlistet den herkömmlichen Linux-Schutz ∗∗∗ --------------------------------------------- AT&T Alien Labs hat eine Analyse zur neuen Linux-Malware Shikitega veröffentlicht. Der Schädling verschafft sich Root-Zugriff, seine Entdeckung ist schwierig. --------------------------------------------- https://heise.de/-7260803 ∗∗∗ Bericht: Um nicht erwischt zu werden, verschlüsselt Ransomware Daten partiell ∗∗∗ --------------------------------------------- Sicherheitsforscher beobachten bei Erpressungstrojanern einen Trend zur schnelleren Verschlüsselung. --------------------------------------------- https://heise.de/-7261001 ∗∗∗ SMS von der Post? Klicken Sie nicht auf den Link! ∗∗∗ --------------------------------------------- „Die Zustellung Ihres letzten Pakets hat sich aufgrund zusätzlicher Zollgebühren verzögert“ lautet eine SMS-Benachrichtigung von der Post. Im SMS ist ein Link, den Sie anklicken sollten, um das Problem zu lösen. Wir raten zur Vorsicht: Diese Nachricht ist nicht von der Post. Wer auf den Link klickt, tappt in eine Internetfalle! --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-der-post-klicken-sie-nicht-a… ∗∗∗ SharkBot-Trojaner im Play Store – Risiko "Antivirus-Apps" ∗∗∗ --------------------------------------------- Im Google Play Store ist erneut der Banking-Trojaner SharkBot aufgetaucht und hat sich als Antiviren- und Cleaner-App getarnt. Sicherheitsforscher von CyberNews schreiben: Android-Nutzer sollten es sich zweimal überlegen, bevor sie kostenlose Apps zur Reinigung ihres Mobiltelefons und zum "Schutz" vor Viren herunterladen - denn viele von ihnen enthalten Daten-Tracker und einige scheinen sogar Links zu potenziell bösartigen Domains zu beinhalten. --------------------------------------------- https://www.borncity.com/blog/2022/09/12/sharkbot-trojaner-im-play-store-ri… ∗∗∗ Maldoc With Decoy BASE64, (Fri, Sep 9th) ∗∗∗ --------------------------------------------- There is also a video for this analysis: "Maldoc Analysis: Rehearsed vs. Unrehearsed". I analysed this maldoc. It contains an old exploit for the equation editor. Nothing special. And it's easy to analyze. But there is one more thing: it contains a very long BASE64 string, 800,000+ characters, and it turns out to be a decoy. --------------------------------------------- https://isc.sans.edu/diary/rss/29032 ∗∗∗ WMI Internals Part 3 ∗∗∗ --------------------------------------------- In a previous blog post of mine — WMI Internals Part 2: Reversing a WMI Provider I walked through how the WMI architecture is foundationally built upon COM and in turn how WMI classes can end up invoking COM methods to perform actions. I used the PS_ScheduledTask WMI class as an example and how when an instance of this class is created the COM method ITaskServices:NewTask is invoked. This blog will take this process a step further and look at what happens after the COM method ITaskServices:NewTask. --------------------------------------------- https://posts.specterops.io/wmi-internals-part-3-38e5dad016be?source=rss---… ∗∗∗ Dead or Alive? An Emotet Story ∗∗∗ --------------------------------------------- In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after [...] --------------------------------------------- https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/ ∗∗∗ Ransomware attacks on retail increase, average retail payment grows to more than $200K ∗∗∗ --------------------------------------------- More than 300 organizations in the retail industry said they were hit with ransomware attacks in 2021, according to a survey conducted by security company Sophos. Sophos researchers spoke to 422 IT workers at mid-sized organizations in the retail sector across 31 countries, finding startling increases in the number of respondents who said their organizations [...] --------------------------------------------- https://therecord.media/ransomware-attacks-on-retail-increase-average-retai… ∗∗∗ Security Breaks: TeamTNT’s DockerHub Credentials Leak ∗∗∗ --------------------------------------------- One of our honeypots based on exposed Docker REST APIs showed cybercriminal group TeamTNT’s potential attack scenario and leak of container registry credentials for docker-abuse malware. The full version of this research will be presented at the c0c0n XV Hacking and Cyber Security Conference in September 2022. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-doc… ===================== = Vulnerabilities = ===================== ∗∗∗ Firmware bugs in many HP computer models left unfixed for over a year ∗∗∗ --------------------------------------------- A set of six high-severity firmware vulnerabilities impacting a broad range of HP devices used in enterprise environments are still waiting to be patched, although some of them were publicly disclosed since July 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/firmware-bugs-in-many-hp-com… ∗∗∗ Patchday: Ansatzpunkte für Angreifer in Android 10, 11 und 12 geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten sich auf Android-Geräten weitreichende Nutzerrechte erschleichen. In Googles Pixel-Serie wurden kritische Lücken ausgebessert. --------------------------------------------- https://heise.de/-7260572 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gdk-pixbuf, libxslt, linux-5.10, paramiko, and zlib), Fedora (webkit2gtk3), Mageia (gstreamer1.0-plugins-good, jupyter-notebook, kernel, and rpm), Slackware (vim), SUSE (bluez, clamav, freetype2, frr, gdk-pixbuf, keepalived, libyang, nodejs16, python-PyYAML, qpdf, samba, and vim), and Ubuntu (linux-azure-fde and tiff). --------------------------------------------- https://lwn.net/Articles/907770/ ∗∗∗ Critical KEPServerEX Flaws Can Put Attackers in Powerful Position in OT Networks ∗∗∗ --------------------------------------------- Critical KEPServerEX vulnerabilities that impact the products of several major industrial automation vendors can put attackers in a powerful position in OT networks.read more --------------------------------------------- https://www.securityweek.com/critical-kepserverex-flaws-can-put-attackers-p… ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Octopus Deploy ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1376 ∗∗∗ JFrog Artifactory: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375 ∗∗∗ Jenkins: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Jenkins ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1373 ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities in WebSphere Liberty affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: qs (QueryString) package in the Service Portal of IBM Control Desk is vulnerable (CVE-2014-7191 and CVE-2017-1000048) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-qs-querystring-package-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.09.2022
by Daily end-of-shift report 09 Sep '22

09 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-09-2022 18:00 − Freitag 09-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Bumblebee malware adds post-exploitation tool for stealthy infections ∗∗∗ --------------------------------------------- A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-… ∗∗∗ GIFShell attack creates reverse shell using Microsoft Teams GIFs ∗∗∗ --------------------------------------------- A new attack technique called GIFShell allows threat actors to abuse Microsoft Teams for novel phishing attacks and covertly executing commands to steal data using ... GIFs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reve… ∗∗∗ What Is Clickjacking and How Do I Prevent It? ∗∗∗ --------------------------------------------- There are a plethora of techniques that attackers use to redirect site visitors and harvest sensitive information on compromised websites. But when most webmasters think about securing their website, they often don’t think about how attackers can inject clicks on it from another site. --------------------------------------------- https://blog.sucuri.net/2022/09/what-is-clickjacking-and-how-do-i-prevent-i… ∗∗∗ Credential Gathering From Third-Party Software ∗∗∗ --------------------------------------------- Users often store passwords in third-party software for convenience – but credential gathering techniques can target this behavior. --------------------------------------------- https://unit42.paloaltonetworks.com/credential-gathering-third-party-softwa… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts ∗∗∗ --------------------------------------------- A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said. --------------------------------------------- https://thehackernews.com/2022/09/hackers-exploit-zero-day-in-wordpress.html ∗∗∗ Sicherheitslücke in vorinstalliertem Tool HP Support Assistant geschlossen ∗∗∗ --------------------------------------------- HP Support Assistant ist standardmäßig auf HP-Computern installiert. Eine Schwachstelle gefährdet nun Systeme. --------------------------------------------- https://heise.de/-7258790 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mediawiki), SUSE (libEMF, libnl-1_1, libnl3, mariadb, nodejs16, php8-pear, postgresql12, and rubygem-rake), and Ubuntu (linux-raspi, linux-raspi-5.4, and tiff). --------------------------------------------- https://lwn.net/Articles/907573/ ∗∗∗ CISA Adds Twelve Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added twelve new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/08/cisa-adds-twelve-… ∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in Oracle April 2022 CPU for Java 8 shipped with IBM® Intelligent Operations Center(CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability foud in IBM Installation Manager which is shipped with IBM® Intelligent Operations Center(CVE-2021-36374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-foud-in-i… ∗∗∗ Security Bulletin: A vulnerability have been identified in Java 8 shipped with IBM® Intelligent Operations Center (CVE-2021-35561) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: A vulneraqbility in Zlib affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-zlib-… ∗∗∗ Security Bulletin: A vulnerability foud in IBM Installation Manager which is shipped with IBM® Intelligent Operations Center(CVE-2021-36373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-foud-in-i… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for i5/OS is vulnerable to denial of service due to Zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities found in IBM DB2 which is shipped with IBM® Intelligent Operations Center(CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability found in Apache HttpClient which is shipped with IBM® Intelligent Operations Center (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-found-in-… ∗∗∗ Security Bulletin: XML vulnerability found in IBM Java 8.0 which is shipped with IBM® Intelligent Operations Center (CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xml-vulnerability-found-i… ∗∗∗ Security Bulletin: A vulnerability found in XMLBeans which hipped with IBM® Intelligent Operations Center (CVE-2021-23926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-found-in-… ∗∗∗ Security Bulletin: Multiple vulnerabilities found in IBM MQ and Java 8 which is shipped with IBM® Intelligent Operations Center(CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability have been identified in IBM Java 8 shipped with IBM® Intelligent Operations Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: A vulneraqbility in Zlib affects IBM Tivoli Composite Application Manager for Transactions Response Time agents (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-zlib-… ∗∗∗ Security Bulletin: A vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM® Intelligent Operations Center (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-have-be… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2022
by Daily end-of-shift report 08 Sep '22

08 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-09-2022 18:00 − Donnerstag 08-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ RAID-Manager von Hitachi könnte Ansatzpunkt für Schadcode-Attacken sein ∗∗∗ --------------------------------------------- Für einige Versionen von Hitachi RAID Manager SRA sind Sicherheitsupdates erschienen. Für einige Ausgaben gibt es jedoch keinen Support mehr. --------------------------------------------- https://heise.de/-7257664 ∗∗∗ Threat landscape for industrial automation systems for H1 2022 ∗∗∗ --------------------------------------------- This report is based on an analysis of statistical data collected through the Kaspersky Security Network (KSN), a distributed antivirus network. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-f… ∗∗∗ Profiling DEV-0270: PHOSPHORUS’ ransomware operations ∗∗∗ --------------------------------------------- Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosp… ∗∗∗ Analyzing Obfuscated VBS with CyberChef, (Thu, Sep 8th) ∗∗∗ --------------------------------------------- I took a closer look at this sample on MalwareBazaar, because it had no tags (now it has a VBS tag). --------------------------------------------- https://isc.sans.edu/diary/rss/29028 ∗∗∗ HTTPS-Zertifikate: Die Rückkehr der Sperrlisten ∗∗∗ --------------------------------------------- Zukünftig soll es endlich wieder möglich sein, kompromittierte Zertifikate einfach zu sperren. Apple und Mozilla preschen vor und Lets Encrypt zieht mit. --------------------------------------------- https://heise.de/-7257554 ∗∗∗ Tensel-markt.de ist Fake! ∗∗∗ --------------------------------------------- Vorsicht vor Fake-Elektronik und Technik-Shops! Tensel-markt.de, gohlke-shop.de und Techno-max.de locken mit ihrem professionellen Design zahlreiche Konsument:innen in die Falle. Bestellen Sie nicht bei diesen Shops, Sie verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/tensel-marktde-ist-fake/ ∗∗∗ Lazarus and the tale of three RATs ∗∗∗ --------------------------------------------- Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations. --------------------------------------------- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html ∗∗∗ How Malicious Actors Abuse Native Linux Tools in Attacks ∗∗∗ --------------------------------------------- Through our honeypots and telemetry, we were able to observe instances in which malicious actors abused native Linux tools to launch attacks on Linux environments. In this blog entry, we discuss how these utilities were used and provide recommendations on how to minimize their impact. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-n… ===================== = Vulnerabilities = ===================== ∗∗∗ HP fixes severe bug in pre-installed Support Assistant tool ∗∗∗ --------------------------------------------- HP issued a security advisory alerting users about a newly discovered vulnerability in HP Support Assistant, a software tool that comes pre-installed on all HP laptops and desktop computers, including the Omen sub-brand. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hp-fixes-severe-bug-in-pre-i… ∗∗∗ Cisco Security Advisories 2022-09-07 ∗∗∗ --------------------------------------------- Cisco published 4 security advisories (2 high, 2 medium severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ VPN-Lücke in älteren Cisco-Routern wird nicht mehr geschlossen ∗∗∗ --------------------------------------------- Für einige Cisco-Router ist der Support ausgelaufen. Es gibt wichtige Sicherheitsupdates für unter anderem Webex. --------------------------------------------- https://heise.de/-7257206 ∗∗∗ IBM Security Bulletins 2022-09-07 ∗∗∗ --------------------------------------------- IBM Java 8, IBM Aspera Faspex, IBM WebSphere Application Server, IBM WebSphere Application Server Liberty, Enterprise Content Management System Monitor, IBM DB2, IBM Semeru Runtime, IBM Robotic Process Automation for Cloud Pak, IBM Intelligent Operations Center --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgoogle-gson-java), Fedora (autotrace, insight, and open-vm-tools), Oracle (open-vm-tools), Red Hat (open-vm-tools, openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, ovirt-host, and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), Scientific Linux (open-vm-tools), Slackware (python3), SUSE (clamav, gdk-pixbuf, gpg2, icu, ImageMagick, java-1_8_0-ibm, libyajl, mariadb, udisks2, webkit2gtk3, and yast2-samba-provision), and Ubuntu (dnsmasq). --------------------------------------------- https://lwn.net/Articles/907508/ ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Nagios Enterprises Nagios XI ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und Daten zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1338 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Xerox FreeFlow Print Server ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität des Systems zu gefährden. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1335 ∗∗∗ Drupal: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Drupal ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1341 ∗∗∗ Aruba ClearPass Policy Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Aruba ClearPass Policy Manager ausnutzen, um Daten zu manipulieren oder offenzulegen, seine Rechte zu erweitern, Code auszuführen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1340 ∗∗∗ MZ Automation libIEC61850 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-251-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2022
by Daily end-of-shift report 07 Sep '22

07 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-09-2022 18:00 − Mittwoch 07-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ So schützen Sie sich vor Schadsoftware! ∗∗∗ --------------------------------------------- Auf dubiosen Websites, in betrügerischen E-Mails, in scheinbar harmlosen Chat-Nachrichten oder durch Sicherheitslücken in nicht aktualisierten Programmen: Schadsoftware kann auf unterschiedlichen Wegen auf Ihren Computer gelangen, um dort beispielsweise sensible Daten auszulesen und zu stehlen oder gar ganze Systeme lahmzulegen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-schadsoftw… ∗∗∗ Worok: The big picture ∗∗∗ --------------------------------------------- Focused mostly on Asia, this new cyberespionage group uses undocumented tools, including steganographically extracting PowerShell payloads from PNG files. --------------------------------------------- https://www.welivesecurity.com/2022/09/06/worok-big-picture/ ∗∗∗ Wie Cyberkriminelle USB missbrauchen ∗∗∗ --------------------------------------------- Den Fluch des Universal Serial Bus (USB) und die Attraktion für Cyberkriminelle untersucht Andrew Rose, Resident CISO, EMEA bei Proofpoint, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88403293/wie-cyberkriminelle-usb-missbrauchen/?utm_sou… ∗∗∗ AA22-249A: #StopRansomware: Vice Society ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-249a ∗∗∗ Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues ∗∗∗ --------------------------------------------- Since Aug. 20, 2022, Cisco Talos has been monitoring suspected distributed denial-of-service (DDoS) attacks resulting in intermittent downtime and outages affecting several ransomware-as-a-service (RaaS) data leak sites. --------------------------------------------- http://blog.talosintelligence.com/2022/09/ransomware-leaksite-ddos.html ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-06 ∗∗∗ --------------------------------------------- IBM Elastic Storage System, IBM Planning Analytics Workspace, IBM Rational Asset analyzer, IBM App Connect Enterprise, IBM Integration Bus, IBM WebSphere Application Server Liberty, IBM Sterling Connect, IBM Spectrum Scale, IBM SPSS Analytic Server, IBM Business Automation Workflow. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Auf NAS-Systeme von Zyxel könnte Schadcode gelangen ∗∗∗ --------------------------------------------- Aktualisierte Firmware-Versionen schließen eine kritische Sicherheitslücke in mehreren NAS-Modellen des Herstellers Zyxel. --------------------------------------------- https://heise.de/-7255585 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl, protobuf-c, and vim) and SUSE (gimp, java-1_8_0-openj9, libostree, openvswitch, python-bottle, python-Flask-Security-Too, and zabbix). --------------------------------------------- https://lwn.net/Articles/907382/ ∗∗∗ K12055286: Intel CPU vulnerability CVE-2021-33060 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12055286 ∗∗∗ Helmholz: Multiple vulnerabilites in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-039/ ∗∗∗ Helmholz: Unauthenticated user enumeration in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-017/ ∗∗∗ MB connect line: Unauthenticated user enumeration in mbCONNECT24 and mymbCONNECT24 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-011/ ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.19.0 to 5.21.0: Patch SC-202209.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-18 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2022
by Daily end-of-shift report 06 Sep '22

06 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 05-09-2022 18:00 − Dienstag 06-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New EvilProxy service lets all hackers use advanced phishing tactics ∗∗∗ --------------------------------------------- A reverse-proxy Phishing-as-a-Service (PaaS) platform called EvilProxy has emerged, promising to steal authentication tokens to bypass multi-factor authentication (MFA) on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-evilproxy-service-lets-a… ∗∗∗ Mythic Case Study: Assessing Common Offensive Security Tools ∗∗∗ --------------------------------------------- Having covered the Sliver C2 framework in a previous post (May 2022), this blog will continue our examination of Cobalt Strike “alternatives”, focusing on the Mythic C2 framework. --------------------------------------------- https://team-cymru.com/blog/2022/09/06/mythic-case-study-assessing-common-o… ∗∗∗ Analysis of an Encoded Cobalt Strike Beacon, (Tue, Sep 6th) ∗∗∗ --------------------------------------------- Someone reached out to me for the analysis of a Cobalt Strike beacon. This is the sample. --------------------------------------------- https://isc.sans.edu/diary/rss/29014 ∗∗∗ TA505 Groups TeslaGun In-Depth Analysis ∗∗∗ --------------------------------------------- TA505 is a financially motivated threat group that has been active since 2014. The group frequently changes its malware attack strategies in response to global cybercrime trends. It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on. --------------------------------------------- https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-… ∗∗∗ Vorsicht vor gefälschten PayPal-Nachrichten ∗∗∗ --------------------------------------------- Gefälschte PayPal-Nachrichten befinden sich momentan vermehrt im Umlauf. Sie haben eine angebliche Rechnung von PayPal erhalten, über ein Produkt, das Sie nicht bestellt haben? Oder es wird eine Vorabzahlung für eine angebliche Transaktion gefordert? Ignorieren Sie diese Nachrichten, sie sind Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-paypal-nac… ∗∗∗ Mirai Variant MooBot Targeting D-Link Devices ∗∗∗ --------------------------------------------- Attackers are leveraging known vulnerabilities in D-Link devices to deliver MooBot, a Mirai variant, potentially leading to further DDoS attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/moobot-d-link-devices/ ∗∗∗ Shikitega - New stealthy malware targeting Linux ∗∗∗ --------------------------------------------- Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-ma… ∗∗∗ Over Half of Global Firms Supply Chains Compromised by Ransomware ∗∗∗ --------------------------------------------- Cybersecurity leader Trend Micro announced new research today that reveals global organizations are increasingly at risk of ransomware compromise via their extensive supply chains. --------------------------------------------- https://newsroom.trendmicro.com/2022-09-06-Over-Half-of-Global-Firms-Supply… ∗∗∗ Play Ransomwares Attack Playbook Similar to that of Hive, Nokoyawa ∗∗∗ --------------------------------------------- Play is a new ransomware that takes a page out of Hive and Nokoyawas playbook. The many similarities among them indicate that Play, like Nokoyawa, are operated by the same people. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-pla… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories 2022-09-06 ∗∗∗ --------------------------------------------- On Sep 06, 2022, Fortinet has released 12 advisories for issues resolved in Fortinet products. (Severity: Low (2), Medium (9), High (1)) --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=09-2022 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (pcs), SUSE (389-ds and firefox), and Ubuntu (linux-hwe-5.4 and linux-oracle). --------------------------------------------- https://lwn.net/Articles/907275/ ∗∗∗ Hitachi Storage: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Hitachi Storage ausnutzen, um Informationen offenzulegen und beliebigen Code zur Ausführung zu bringen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1292 ∗∗∗ Hitachi Energy TXpert Hub CoreTec 4 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-04 ∗∗∗ Triangle Microworks Libraries ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-01 ∗∗∗ AVEVA Edge 2020 R2 SP1 and all prior versions ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-02 ∗∗∗ Cognex 3D-A1000 Dimensioning System ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2022
by Daily end-of-shift report 05 Sep '22

05 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-09-2022 18:00 − Montag 05-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware dev open-sources CodeRAT after being exposed ∗∗∗ --------------------------------------------- The source code of a remote access trojan (RAT) dubbed CodeRAT has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-dev-open-sources-cod… ∗∗∗ Quickie: Grep & Tail -f With Notepad++, (Mon, Sep 5th) ∗∗∗ --------------------------------------------- Notepad++ is a free and open source text editor for Windows. You can simulate grep-like functionality with Notepad++ in 2 steps. --------------------------------------------- https://isc.sans.edu/diary/rss/29018 ∗∗∗ Prynt Stealer Contains a Backdoor to Steal Victims Data Stolen by Other Cybercriminals ∗∗∗ --------------------------------------------- Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer, which its developer added with the intention of secretly stealing a copy of victims exfiltrated data when used by other cybercriminals. --------------------------------------------- https://thehackernews.com/2022/09/prynt-stealer-contains-backdoor-to.html ∗∗∗ Win32/Hive.ZY: Update stoppt Fehlalarmserie von Microsoft Defender unter Windows ∗∗∗ --------------------------------------------- Die Windows-Virenabwehr Defender hat fälschlicherweise Chrome, Edge & Co. als Trojaner eingestuft. --------------------------------------------- https://heise.de/-7253919 ∗∗∗ Ransomware: Der Trend geht zum Angriff auf Linux-Server ∗∗∗ --------------------------------------------- Trend Micro sieht im ersten Halbjahr 2022 ein Wachstum bei Ransomware-Angriffen. Linux-Umgebungen sind 75 Prozent häufiger ein Ziel als im Vorjahreszeitraum. --------------------------------------------- https://heise.de/-7254059 ∗∗∗ There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities ∗∗∗ --------------------------------------------- As part of this research, NCC Group focused on the secure boot chain implemented by UNISOC processors used in Android phones and tablets. Several vulnerabilities in the Boot ROM were discovered which could persistently undermine secure boot. --------------------------------------------- https://research.nccgroup.com/2022/09/02/theres-another-hole-in-your-soc-un… ∗∗∗ Was tun, wenn mein Gerät mit Schadsoftware infiziert wurde? ∗∗∗ --------------------------------------------- Schadsoftware (auch Malware) kann viele Formen annehmen und mit unterschiedlichen Bedrohungen für Sie und Ihr Gerät einhergehen. Schäden, die dabei entstehen können, bewegen sich vom Datendiebstahl, über das Zuspammen mit Werbung bis hin zu Lösegeldforderungen. --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-mein-geraet-mit-schadso… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Google warnt vor möglichen Attacken auf Chrome ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt eine Lücke im Webbrowser Chrome. --------------------------------------------- https://heise.de/-7253510 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flac, ghostscript, libmodbus, qemu, rails, ruby-rack, and thunderbird), Fedora (kernel, kernel-headers, kernel-tools, libtar, qt5-qtwebengine, subscription-manager-cockpit, tcpreplay, and vim), Mageia (chromium-browser-stable, webkit2, and ytnef), SUSE (curl, firefox, freerdp, gdk-pixbuf, ImageMagick, json-c, libgda, php-composer2, and python-pyxdg), and Ubuntu (libzstd, linux-aws, linux-aws-5.4, linux-azure-5.4, and linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/907201/ ∗∗∗ DeadBolt Ransomware ∗∗∗ --------------------------------------------- QNAP detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-24 ∗∗∗ Security Bulletin: DataStage on Cloud Pak for Data Is Vulnerable to Sensitive Information Disclosure Error (CVE-2022-38714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datastage-on-cloud-pak-fo… ∗∗∗ Security Bulletin: Information Disclosure and Denial of Service Vulnerabilities in the IBM Spectrum Protect Backup-Archive Client may affect IBM Spectrum Protect for Space Management (CVE-2022-22478, CVE-2022-22474) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-an… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for August 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Prototype pollution vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – [CVE-2021-23450] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-prototype-pollution-vulne… ∗∗∗ Security Bulletin: Persistent Cross-Site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-35644 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-persistent-cross-site-scr… ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1286 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2022
by Daily end-of-shift report 02 Sep '22

02 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-09-2022 18:00 − Freitag 02-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft will disable Exchange Online basic auth next month ∗∗∗ --------------------------------------------- Microsoft warned customers today that it will finally disable basic authentication in random tenants worldwide to improve Exchange Online security starting October 1, 2022. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-exch… ∗∗∗ Sharkbot is back in Google Play ∗∗∗ --------------------------------------------- This new dropper doesn’t rely Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware. Instead, this new version ask the victim to install the malware as a fake update for the antivirus to stay protected against threats. --------------------------------------------- https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/ ∗∗∗ NSA gibt Sicherheitstipps gegen Supply-Chain-Attacken ∗∗∗ --------------------------------------------- Die Cybersecurity and Infrastructure Agency (CISA), die National Security Agency (NSA) und das Office of the Director of National Intelligence (ODNI) haben wichtige Tipps zum Entwickeln von sicherer Software veröffentlicht. --------------------------------------------- https://heise.de/-7251765 ∗∗∗ Unverschlüsselte Access Tokens: Sicherheitslücke in tausenden Apps ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor unverschlüsselten Access Tokens in Apps. Oft holen sich Entwickler Probleme ungewollt ins Haus. Besonders betroffen: iOS-Apps. --------------------------------------------- https://heise.de/-7252134 ∗∗∗ When disclosure goes wrong. People ∗∗∗ --------------------------------------------- My experience of vulnerability disclosure is that it is rarely as easy or simple as it could be. I had hoped that bug bounty programmes and vulnerability disclosure programmes (VDPs) would help matters. Broadly that doesn’t seem to be the case, often for unexpected reasons. --------------------------------------------- https://www.pentestpartners.com/security-blog/when-disclosure-goes-wrong-pe… ∗∗∗ Ransomware auf IoT: Anderer Sicherheitsansatz bei IoT-Geräten erforderlich ∗∗∗ --------------------------------------------- Wir haben uns vermutlich an die täglichen Ransomware-Angriffe auf IT-Systeme gewöhnt. Aber mit der Zunahme von IoT-Geräten droht eine wachsende Gefahr für solche Sicherheitsvorfälle. CheckPoint meint, dass IoT-Geräte einen anderen Sicherheitsansatz brauchen, um dieser Gefahr (z.B. Infektionen durch Ransomware) zu begegnen. --------------------------------------------- https://www.borncity.com/blog/2022/09/02/ransomware-auf-iot-anderer-sicherh… ∗∗∗ Architecting for Extortion: Acting on the IST’s Blueprint for Ransomware Defense ∗∗∗ --------------------------------------------- Last month, the Institute for Security and Technology’s Ransomware Task Force launched the Blueprint for Ransomware Defense. --------------------------------------------- https://www.rapid7.com/blog/post/2022/09/02/architecting-for-extortion-acti… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, rsync, systemd, and thunderbird), Debian (chromium, dpdk, and sofia-sip), Fedora (kernel, thunderbird, and zlib), Red Hat (pcs and rh-mariadb103-galera and rh-mariadb103-mariadb), Slackware (poppler), SUSE (cifs-utils, curl, dwarves and elfutils, firefox, flatpak, gnutls, gpg2, harfbuzz, ignition, kernel, ldb, samba, libslirp, libsolv, libzypp, zypper, libtirpc, logrotate, mozilla-nss, ncurses, open-vm-tools, openssl-1_1, p11-kit, pcre, pcre2, podman, postgresql12, postgresql13, postgresql14, python-M2Crypto, python3, rsync, salt, spice, systemd-presets-common-SUSE, tiff, ucode-intel, xen, and zlib), and Ubuntu (curl, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-snapdragon, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux-aws-hwe). --------------------------------------------- https://lwn.net/Articles/906973/ ∗∗∗ NetApp ActiveIQ Unified Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in NetApp ActiveIQ Unified Manager ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1263 ∗∗∗ Security Bulletin: Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2022 CPU plus deferred CVE-2021-2163 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel, GnuTLS affect IBM Cloud Object Storage Systems (August 2022v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to CSRF attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.09.2022
by Daily end-of-shift report 01 Sep '22

01 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-08-2022 18:00 − Donnerstag 01-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Apple backports fix for actively exploited iOS zero-day to older iPhones ∗∗∗ --------------------------------------------- Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/apple-backports-fix-for-activel… ∗∗∗ Underscores and DNS: The Privacy Story, (Wed, Aug 31st) ∗∗∗ --------------------------------------------- The use of underscores in DNS records can easily trigger DNS purists into a rage. Since the beginning of (DNS) time, only the letters a-z, numbers, and dashes are allowed in DNS labels (RFC 1035 section 2.3.1). After all, we want to remain compatible with ARPANET. --------------------------------------------- https://isc.sans.edu/diary/rss/29002 ∗∗∗ Jolokia Scans: Possible Hunt for Vulnerable Apache Geode Servers (CVE-2022-37021), (Thu, Sep 1st) ∗∗∗ --------------------------------------------- On Tuesday, the Apache project released an update for Geode. The update patches a typical deserialization issue we often see in Java software like Geode (CVE-2022-37021). [...] But the vulnerability has a few dependencies: [...] JMX and RMI are used for the attack. [...] And here comes Jolokia. "JMX on Capsaicin," as it calls itself. It provides a simple HTTP to JMX gateway. So it is somewhat interesting that I also saw some scans for Jol[o]kia starting yesterday. --------------------------------------------- https://isc.sans.edu/diary/rss/29006 ∗∗∗ Authority-Scam: Neue Welle von Fake-Mails der Polizei ∗∗∗ --------------------------------------------- Kriminelle geben dem Authority-Scam einen neuen Anstrich: Momentan befinden sich wieder viele gefälschte E-Mails der Polizei im Umlauf. Die Empfänger:innen werden beschuldigt eine Straftat begangen zu haben. Die Anschuldigungen umfassen Pädophilie, Cyberpornographie und Exhibitionismus. Antworten Sie nicht und ignorieren Sie das Schreiben, es ist Fake! --------------------------------------------- https://www.watchlist-internet.at/news/authority-scam-neue-welle-von-fake-m… ∗∗∗ Over 900K Kubernetes clusters are misconfigured! Is your cluster a target? ∗∗∗ --------------------------------------------- Kubernetes is an amazing platform for managing containers at scale. However, a recent study found that over 900,000 Kubernetes clusters are vulnerable to attack because they are misconfigured! This means that your Kubernetes cluster could be a target for malicious actors if it is not properly secured. In this blog post, we will discuss how to secure your Kubernetes cluster and protect it from attack. --------------------------------------------- https://grahamcluley.com/feed-sponsor-teleport-4/ ∗∗∗ Android TikTok-App: Microsoft findet 1-Klick-Schwachstelle, die Kontenübernahme erlaubte ∗∗∗ --------------------------------------------- Microsoft hat eine gefährliche Sicherheitslücke in der TikTok-App für Android entdeckt, die es ermöglichte, Benutzerkonten mit einem einzigen Klick zu kompromittieren. Inzwischen wurde diese Schwachstelle in der TikTok-App für Android geschlossen. --------------------------------------------- https://www.borncity.com/blog/2022/09/01/android-tiktok-app-microsoft-finde… ∗∗∗ RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the distribution of a RAT Tool disguised as a solution file (*.sln) on GitHub. As shown in Figure 1, the malware distributor is sharing a source code on GitHub titled “Jpg Png Exploit Downloader Fud Cryter Malware Builder Cve 2022”. The file composition looks normal, but the solution file (*.sln) is actually a RAT tool. It is through methods like this that the malware distributor lures users to run the RAT tool by disguising it as a solution file (*.sln). Generally, programmers who receive the code that includes the solution file run the file in order to open the project. Users should take caution against social engineering techniques that take advantage of such a thought process. --------------------------------------------- https://asec.ahnlab.com/en/38150/ ∗∗∗ Azure Synapse: Local Privilege Escalation Vulnerability in Spark ∗∗∗ --------------------------------------------- The story of a simple race condition leading to a Local Privilege Escalation, and how we discovered, in retrospect, that we crossed paths with another researcher and a previous Microsoft case. --------------------------------------------- https://orca.security/resources/blog/synapse-local-privilege-escalation-vul… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Lücke in zlib-Bibliothek ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- In der weit verbreiteten Kompressionsbibliothek zlib könnten Angreifer unter Umständen Schadcode einschleusen und ausführen. Erste Patches sind verfügbar. --------------------------------------------- https://heise.de/-7250044 ∗∗∗ Sicherheitsupdate: Präparierte Mails könnten Thunderbird gefährlich werden ∗∗∗ --------------------------------------------- Es ist ein wichtiges Sicherheitsupdate für den Mailclient Thunderbird erschienen. Damit haben die Entwickler vier Lücken geschlossen. --------------------------------------------- https://heise.de/-7250566 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (pdns-recursor, thunderbird, and vim), Gentoo (firefox, thunderbird-bin, virtualbox, and webkit-gtk), Red Hat (convert2rhel), SUSE (gstreamer-plugins-good, open-vm-tools, postgresql12, rsync, and ucode-intel), and Ubuntu (linux-azure, linux-gcp, linux-hwe). --------------------------------------------- https://lwn.net/Articles/906778/ ∗∗∗ libTIFF: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in libTIFF ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1250 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um Code auszuführen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1253 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Xerox FreeFlow Print Server ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität des Systems zu gefährden. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1251 ∗∗∗ Security Advisory - Out-of-bounds Read and Write Vulnerability in Some Huawei Headset Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220826-… ∗∗∗ Security Bulletin:IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl, pcre2 and Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-mq-operator-and-queue-… ∗∗∗ Security Bulletin: CVE-2021-2163 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2163-may-affect-… ∗∗∗ Security Bulletin: Netcool Operations Insight v1.6.5 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8, affect IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-244-01 ∗∗∗ Contec Health CMS8000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-244-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.08.2022
by Daily end-of-shift report 31 Aug '22

31 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-08-2022 18:00 − Mittwoch 31-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers hide malware in James Webb telescope images ∗∗∗ --------------------------------------------- Threat analysts have spotted a new malware campaign dubbed GO#WEBBFUSCATOR that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hide-malware-in-jame… ∗∗∗ Watering Hole Attacks Push ScanBox Keylogger ∗∗∗ --------------------------------------------- Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool. --------------------------------------------- https://threatpost.com/watering-hole-attacks-push-scanbox-keylogger/180490/ ∗∗∗ Infoblox Threat Intelligence: IOCs related to the Russia-Ukraine conflict ∗∗∗ --------------------------------------------- This folder contains IOCs related to the Russian invasion of Ukraine. The majority of the content is based on Infoblox internal analytics and validation analysis, though some OSINT is also included. --------------------------------------------- https://github.com/infobloxopen/threat-intelligence/tree/main/ukraine ∗∗∗ Webinar: Betrugsfallen im Internet erkennen ∗∗∗ --------------------------------------------- Am Dienstag, den 06.09.2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Betrugsfallen im Internet erkennen" statt. Melden Sie sich jetzt an! --------------------------------------------- https://www.watchlist-internet.at/news/webinar-betrugsfallen-im-internet-er… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-08-30 ∗∗∗ --------------------------------------------- IBM TRIRIGA Application Platform, IBM b-type SAN directors and switches, IBM Integration Bus, IBM App Connect Enterprise, IBM Watson Assistant for IBM Cloud Pak for Data, IBM Engineering Lifecycle Engineering, IBM Cloud Transformation Advisor, IBM Cloud Object Storage Systems. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdate: Angreifer könnten WordPress-Websites attackieren ∗∗∗ --------------------------------------------- Die WordPress-Entwickler haben drei Lücken im Content-Management-System geschlossen. --------------------------------------------- https://heise.de/-7249431 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, net-snmp, php-horde-mime-viewer, php-horde-turba, and webkit2gtk), Fedora (rsync), Oracle (openssl and systemd), Red Hat (booth, kernel, kernel-rt, and openssl), Slackware (vim), SUSE (bluez, java-1_8_0-ibm, postgresql10, and zlib), and Ubuntu (kernel, linux, linux-raspi, linux-aws, and linux-oem-5.14). --------------------------------------------- https://lwn.net/Articles/906579/ ∗∗∗ Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220831-… ∗∗∗ Grafana: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1221 ∗∗∗ GitLab: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1239 ∗∗∗ ArubaOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1238 ∗∗∗ GNU libc: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1234 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1230 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1228 ∗∗∗ Chrome 105.0.5195.5x fixt 24 Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/08/31/chrome-105-0-5195-5x-fixt-24-schwa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2022
by Daily end-of-shift report 30 Aug '22

30 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 29-08-2022 18:00 − Dienstag 30-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows malware delays coinminer install by a month to evade detection ∗∗∗ --------------------------------------------- A new malware campaign disguised as Google Translate or MP3 downloader programs was found distributing cryptocurrency mining malware across 11 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-malware-delays-coinm… ∗∗∗ Two things that will never die: bash scripts and IRC!, (Tue, Aug 30th) ∗∗∗ --------------------------------------------- Last week, Brock Perry, one of our SANS.edu undergraduate students, came across a neat bash script uploaded to the honeypot as part of an attack. I am sure this isn't new, but I never quite saw something like this before myself. --------------------------------------------- https://isc.sans.edu/diary/rss/28998 ∗∗∗ Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users ∗∗∗ --------------------------------------------- A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuff… ∗∗∗ Keine „Testzahlungen“ auf Kleinanzeigen-Plattformen durchführen! ∗∗∗ --------------------------------------------- Auf Kleinanzeigen-Plattformen wie Willhaben, Vinted, eBay Kleinanzeigen und Co finden Sie tolle Schnäppchen oder können Gebrauchtes zu Geld machen. Doch Vorsicht: Auch Kriminelle, die Ihnen das Geld aus der Tasche ziehen wollen, tummeln sich dort zuhauf. Bei einer aktuellen Masche fälschen diese die Zahlungsseiten der Plattformen und fordern zu Testzahlungen auf. Brechen Sie sofort den Kontakt ab. Man will Sie betrügen! --------------------------------------------- https://www.watchlist-internet.at/news/keine-testzahlungen-auf-kleinanzeige… ∗∗∗ ModernLoader delivers multiple stealers, cryptominers and RATs ∗∗∗ --------------------------------------------- Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. --------------------------------------------- http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-st… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in Foxit PDF Editor und Reader ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Angreifer könnten etwa mit manipulierten Dokumenten in Foxit PDF Editor und Reader Schadcode einschleusen. Aktualisierte Software schließt die Sicherheitslücke. --------------------------------------------- https://heise.de/-7247760 ∗∗∗ Sicherheitslücke: Zwischenablage in Chromium-basierten Browsern frei zugreifbar ∗∗∗ --------------------------------------------- Webseiten können derzeit in aktuellen Chromium-basierten Webbrowsern beliebig auf die Zwischenablage zugreifen. Das ermöglicht etwa Angriffe auf Nutzer. --------------------------------------------- https://heise.de/-7248070 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (ctk, dcmtk, OpenImageIO, and varnish-modules), Red Hat (systemd), SUSE (libslirp, open-vm-tools, and opera), and Ubuntu (jupyter-notebook, libsdl1.2, and systemd). --------------------------------------------- https://lwn.net/Articles/906461/ ∗∗∗ [20220801] - Core - Multiple Full Path Disclosures because of missing _JEXEC or die check ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/884-20220801-core-multiple… ∗∗∗ Security Bulletin: Tririga is vulnerable to remote hacker due to dom4j open source ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tririga-is-vulnerable-to-… ∗∗∗ Security Bulletin: A security vulnerability has been fixed in IBM Security Identity Manager (CVE-2021-29864) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-3999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Linux Kernel vulnerability may affect IBM Elastic Storage System (CVE-2021-4203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerabilit… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: Due to use of OpenSSL, IBM Virtualization Engine TS7700 is vulnerable to denial of service (CVE-2022-0778) and privilege escalation (CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-openssl-ibm… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-45346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ K00994461: GSON vulnerability CVE-2022-25647 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00994461 ∗∗∗ poppler: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1214 ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1212 ∗∗∗ Hitachi Energy FACTS Control Platform (FCP) Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-01 ∗∗∗ Hitachi Energy Gateway Station (GWS) Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-02 ∗∗∗ Hitachi Energy MSM Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-03 ∗∗∗ Hitachi Energy RTU500 series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-04 ∗∗∗ Fuji Electric D300win ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-05 ∗∗∗ Honeywell ControlEdge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-06 ∗∗∗ Honeywell Experion LX ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-07 ∗∗∗ Honeywell Trend Controls Inter-Controller Protocol ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-08 ∗∗∗ Omron CX-Programmer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-09 ∗∗∗ PTC Kepware KEPServerEX ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-10 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily