=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-08-2022 18:00 − Thursday 11-08-2022 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ OpenTIP, command line edition ∗∗∗
---------------------------------------------
We released Python-based command line tools for our OpenTIP service that also implement a client class that you can reuse in your own tools.
---------------------------------------------
https://securelist.com/opentip-command-line-edition/107109/
∗∗∗ InfoStealer Script Based on Curl and NSudo, (Thu, Aug 11th) ∗∗∗
---------------------------------------------
If sudo is a well-known tool used daily by most UNIX system administrators, NSudo stays more under the radar. This is a tool running on Microsoft Windows which allows you to execute processes with different access tokens and privileges like System, TrustedInstaller and CurrentUser.
---------------------------------------------
https://isc.sans.edu/diary/rss/28932
∗∗∗ capa v4: casting a wider .NET ∗∗∗
---------------------------------------------
We are excited to announce version 4.0 of capa with support for analyzing .NET executables. This open-source tool automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering.
---------------------------------------------
https://www.mandiant.com/resources/capa-v4-casting-wider-net
∗∗∗ Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study ∗∗∗
---------------------------------------------
A malware sample dubbed ‘Saitama’ was recently uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection.
---------------------------------------------
https://research.nccgroup.com/2022/08/11/detecting-dns-implants-old-kitten-…
∗∗∗ Palo Alto Networks Firewalls Targeted for Reflected, Amplified DDoS Attacks ∗∗∗
---------------------------------------------
Palo Alto Networks is working on fixes for a reflected amplification denial-of-service (DoS) vulnerability that impacts PAN-OS, the platform powering its next-gen firewalls.
---------------------------------------------
https://www.securityweek.com/palo-alto-networks-firewalls-targeted-reflecte…
∗∗∗ Years after claiming DogWalk wasn’t a vulnerability, Microsoft confirms flaw is being exploited and issues patch ∗∗∗
---------------------------------------------
This week Microsoft finally released a patch for a zero-day security flaw being exploited by hackers, which the company had claimed since 2019 was not actually a vulnerability.
---------------------------------------------
https://www.bitdefender.com/blog/hotforsecurity/years-after-claiming-dogwal…
∗∗∗ BlueSky Ransomware: Fast Encryption via Multithreading ∗∗∗
---------------------------------------------
BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses.
---------------------------------------------
https://unit42.paloaltonetworks.com/bluesky-ransomware/
∗∗∗ AA22-223A: #StopRansomware: Zeppelin Ransomware ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa22-223a
∗∗∗ Cisco Talos shares insights related to recent cyber attack on Cisco ∗∗∗
---------------------------------------------
On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Flaws Disclosed in Device42 IT Asset Management Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed multiple severe security vulnerabilities in the asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems.
---------------------------------------------
https://thehackernews.com/2022/08/critical-flaws-disclosed-in-device42-it.h…
∗∗∗ [R1] Nessus Version 8.15.6 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Two separate vulnerabilities that utilize the Audit functionality in Nessus were discovered, reported and fixed.
---------------------------------------------
https://www.tenable.com/security/tns-2022-16
∗∗∗ Cisco: Attackers could obtain private RSA keys in ASA and Firepower ∗∗∗
---------------------------------------------
Network equipment vendor Cisco is closing a security vulnerability in ASA and Firepower with updated software. Attackers could read out private RSA keys.
---------------------------------------------
https://heise.de/-7216863
∗∗∗ Critical security vulnerability in Zoho ManageEngine OpManager ∗∗∗
---------------------------------------------
Zoho has released updates that close a critical vulnerability and further security vulnerabilities in ManageEngine OpManager. Attackers could gain unauthorized access.
---------------------------------------------
https://heise.de/-7217521
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Gentoo (aiohttp, faac, isync, motion, and nextcloud), Red Hat (.NET 6.0), SUSE (libnbd, oracleasm, python-codecov, rubygem-tzinfo, sssd, and thunderbird), and Ubuntu (http-parser, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-intel-iotg, linux-oem-5.14, linux-oem-5.17, and node-moment).
---------------------------------------------
https://lwn.net/Articles/904457/
∗∗∗ Organizations Warned of Critical Vulnerabilities in NetModule Routers ∗∗∗
---------------------------------------------
Flashpoint is warning organizations of two newly identified critical vulnerabilities in NetModule Router Software (NRSW) that could be exploited in attacks.
---------------------------------------------
https://www.securityweek.com/organizations-warned-critical-vulnerabilities-…
∗∗∗ BOSCH-SA-463993: SafeLogic Designer vulnerabilities ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-463993.html
∗∗∗ Drupal: jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-052
∗∗∗ Security Bulletin: Vulnerability in the Node.js got module affects IBM Event Streams (CVE-2022-33987) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-node…
∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to CVE-2022-31129 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au…
∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote access due to Go CVE-2022-29526 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au…
∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to information disclosure CVE-2022-30629 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-08-2022 18:00 − Wednesday 10-08-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ BSI warns against the use of insecure ABUS-brand wireless door locks ∗∗∗
---------------------------------------------
The German Federal Office for Information Security (BSI) warns, pursuant to §7 of the BSI Act (BSI-Gesetz), against the use of the digital door lock "HomeTec Pro CFA3000" by the manufacturer ABUS and recommends replacing the product.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ Warning: fake shops! Do not buy anything from these garden online shops ∗∗∗
---------------------------------------------
Online you will find many shops for every area, and garden shops are no exception. The online shops gartenland-paradies.de, home-garten-shop.de and rasengarten.com are all fake shops and are trying to defraud you.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shops-kaufen-sie-nichts…
∗∗∗ Microsoft publishes threat matrix for Azure for security evaluations ∗∗∗
---------------------------------------------
Analogous to the MITRE ATT&CK framework widely used in security circles, Microsoft has compiled information on potential attacks against Azure and Azure AD.
---------------------------------------------
https://heise.de/-7216398
∗∗∗ UnRAR Vulnerability Exploited in the Wild, Likely Against Zimbra Servers ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Security Agency (CISA) revealed on Tuesday that a recently patched vulnerability affecting the UnRAR archive extraction tool is being exploited in the wild.
---------------------------------------------
https://www.securityweek.com/unrar-vulnerability-exploited-wild-likely-agai…
∗∗∗ Novel News on Cuba Ransomware aka Greetings From Tropical Scorpius ∗∗∗
---------------------------------------------
Beginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using our naming schema, Unit 42 tracks the threat actor as Tropical Scorpius.
---------------------------------------------
https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
∗∗∗ 10 malicious PyPI packages found stealing developers' credentials ∗∗∗
---------------------------------------------
Threat analysts have discovered ten malicious Python packages on the PyPI repository, used to infect developers' systems with password-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/10-malicious-pypi-packages-f…
∗∗∗ VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges ∗∗∗
---------------------------------------------
VileRAT is a Python implant, part of an evasive and highly intricate attack campaign against foreign exchange and cryptocurrency trading companies.
---------------------------------------------
https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/
∗∗∗ Security Update Guide Notification System News: Create your profile now ∗∗∗
---------------------------------------------
Sharing information through the Security Update Guide (SUG) is an important part of our ongoing effort to help customers manage security risks and keep systems protected.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/08/09/security-update-guide-notificati…
∗∗∗ Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments ∗∗∗
---------------------------------------------
In this blog, I’ll explain how to quickly inventory, exploit, and remediate network shares configured with excessive permissions at scale in Active Directory environments. Excessive share permissions represent a risk that can lead to data exposure, privilege escalation, and ransomware attacks within enterprise environments.
---------------------------------------------
https://www.netspi.com/blog/technical/network-penetration-testing/network-s…
∗∗∗ Discovering Domains via a Timing Attack on Certificate Transparency ∗∗∗
---------------------------------------------
There is a flaw in the way that deployments of TLS certificates might be set up. It allows anyone to discover all domain names used by the same server. Sometimes, even when there is no HTTPS there!
---------------------------------------------
https://swarm.ptsecurity.com/discovering-domains-via-timing-attack/
∗∗∗ The Security Pros and Cons of Using Email Aliases ∗∗∗
---------------------------------------------
One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a "+" character after the username portion of your email address -- followed by a notation specific to the site you're signing up at -- lets you create an infinite number of unique email addresses tied to the same account.
---------------------------------------------
https://krebsonsecurity.com/2022/08/the-security-pros-and-cons-of-using-ema…
=====================
= Vulnerabilities =
=====================
∗∗∗ New security vulnerabilities in AMD and Intel processors: AEPIC & SQUIP ∗∗∗
---------------------------------------------
International teams of experts demonstrate vulnerabilities in numerous current CPU types from AMD and Intel that could also affect future ARM chips.
---------------------------------------------
https://heise.de/-7211904
∗∗∗ Intel Patches Severe Vulnerabilities in Firmware, Management Software ∗∗∗
---------------------------------------------
Intel on Tuesday published 27 security advisories detailing roughly 60 vulnerabilities across firmware, software libraries, and endpoint and data center management products.
---------------------------------------------
https://www.securityweek.com/intel-patches-severe-vulnerabilities-firmware-…
∗∗∗ Microsoft Security Update Summary (9 August 2022) ∗∗∗
---------------------------------------------
On 9 August 2022, Microsoft released security updates for Windows clients and servers, for Office etc., as well as for further products. The security updates also fix 118 vulnerabilities, 17 of them critical and two of them 0-day vulnerabilities.
---------------------------------------------
https://www.borncity.com/blog/2022/08/10/microsoft-security-update-summary-…
∗∗∗ Exchange Server security updates (9 August 2022) ∗∗∗
---------------------------------------------
On 9 August, Microsoft released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.
---------------------------------------------
https://www.borncity.com/blog/2022/08/10/exchange-server-sicherheitsupdates…
∗∗∗ Patch day: Adobe closes critical holes in Commerce and creative applications ∗∗∗
---------------------------------------------
For the August patch day, Adobe closes several, in part critical, security vulnerabilities. Affected are Adobe Commerce and Magento as well as PDF and creative software.
---------------------------------------------
https://heise.de/-7215839
∗∗∗ Act now! Exploit code for VMware vulnerability has surfaced, new updates available ∗∗∗
---------------------------------------------
VMware has provided updates for newly discovered security vulnerabilities. For an older vulnerability, exploit code has now surfaced, the vendor warns.
---------------------------------------------
https://heise.de/-7216296
∗∗∗ IBM Security Bulletins 2022-08-09 ∗∗∗
---------------------------------------------
IBM Netezza, IBM Sterling Connect, IBM MQ Operator, IBM Queue manager, IBM Cloud Pak, IBM Sterling B2B Integrator, IBM Event Streams, IBM InfoSphere Information Server, IBM Process Mining.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Lenovo Product Security Advisories and Announcements 2022-08-09 ∗∗∗
---------------------------------------------
Lenovo published 9 security advisories.
---------------------------------------------
https://support.lenovo.com/de/de/product_security/home
∗∗∗ Dell Security Advisories and Notices ∗∗∗
---------------------------------------------
Dell published 1 security advisory.
---------------------------------------------
https://www.dell.com/support/security/en-us/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-good1.0), Fedora (firefox and ghostscript), Gentoo (consul, firefox, libass, libraw, lxml, mdbtools, pam_u2f, spice, and thunderbird), Oracle (kernel, kernel-container, and vim), Red Hat (galera, mariadb, and mysql-selinux, kernel, and kernel-rt), Scientific Linux (kernel), SUSE (bind, java-11-openjdk, kernel, mokutil, ncurses, and u-boot), and Ubuntu (epiphany-browser, libcdio, linux, linux-aws, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle).
---------------------------------------------
https://lwn.net/Articles/904374/
∗∗∗ PaloAlto Networks PAN-OS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in PaloAlto Networks PAN-OS to carry out a cross-site scripting attack, execute code, carry out a denial of service attack or view confidential data.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0952
∗∗∗ FreeBSD: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit multiple vulnerabilities in FreeBSD to carry out a denial of service attack, disclose information or execute code.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0995
∗∗∗ F5: K21600298: OpenSSL vulnerability CVE-2022-1292 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K21600298
∗∗∗ Red Hat Ceph Storage: Vulnerability allows manipulation of files ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0979
∗∗∗ Apache Traffic Server: Multiple vulnerabilities allow manipulation of files ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0992
∗∗∗ Atlassian Jira Software: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0989
∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-33745 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX463455/citrix-hypervisor-security-bul…
∗∗∗ SonicWall SMA1000 CVE-2021-33909 and CVE-2022-0847 ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0015
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-08-2022 18:00 − Tuesday 09-08-2022 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Collaboration software: Slack closes years-long data leak ∗∗∗
---------------------------------------------
Slack has asked a number of users to change their password. Through a security vulnerability, hashes of the passwords were sent out for years.
---------------------------------------------
https://www.golem.de/news/kollaborationssoftware-slack-schliesst-jahrelange…
∗∗∗ The Truth About False Positives in Security ∗∗∗
---------------------------------------------
As weird as it might sound, seeing a few false positives reported by a security scanner is probably a good sign and certainly better than seeing none. Let's explain why.
---------------------------------------------
https://thehackernews.com/2022/08/the-truth-about-false-positives-in.html
∗∗∗ Cyberattacks on medical devices: risk awareness high, but little prevention ∗∗∗
---------------------------------------------
Since 2020, cybercriminals have increasingly directed their attacks at healthcare infrastructures. Poorly secured IoMT/IoT devices make their work easier.
---------------------------------------------
https://heise.de/-7206153
∗∗∗ IT security: most widespread malware strains in 2021 ∗∗∗
---------------------------------------------
The US IT security agency CISA and the Australian Cyber Security Centre have compiled which malware strains were observed most frequently in 2021.
---------------------------------------------
https://heise.de/-7206775
∗∗∗ Twilio: Accounts of employees and customers compromised ∗∗∗
---------------------------------------------
Employees of the service provider Twilio have fallen victim to phishing attacks. The attackers were able to access information without authorization.
---------------------------------------------
https://heise.de/-7207070
∗∗∗ Open Redirect Flaws in American Express and Snapchat Exploited in Phishing Attacks ∗∗∗
---------------------------------------------
Open redirect vulnerabilities affecting American Express and Snapchat websites were exploited earlier this year as part of phishing campaigns targeting Microsoft 365 users, email security firm Inky reports.
---------------------------------------------
https://www.securityweek.com/open-redirect-flaws-american-express-and-snapc…
∗∗∗ Cheap firewood: beware of fake offers on Facebook Marketplace ∗∗∗
---------------------------------------------
Did you find a cheap offer for firewood on Facebook? Caution: it may be a fraudulent listing. Check the offer and the sellers very carefully and do not pay in advance!
---------------------------------------------
https://www.watchlist-internet.at/news/guenstiges-brennholz-vorsicht-vor-fa…
∗∗∗ Shodan Verified Vulns 2022-08-01 ∗∗∗
---------------------------------------------
Compared to July there was practically no change. The vulnerabilities FREAK (CVE-2015-0204) and Logjam (CVE-2015-4000) are not included in the data for this month (or rather, the count for both is given as 0). This is obviously an error, however; Shodan Trends also shows a sudden drop for both vulnerabilities. Whether this is intentional on Shodan's part, because perhaps these CVEs are no longer scanned for, we do not currently know; we would, however, gratefully accept any relevant hints.
---------------------------------------------
https://cert.at/de/aktuelles/2022/8/shodan-verified-vulns-2022-08-01
∗∗∗ SmarterTrack Full disclosure ∗∗∗
---------------------------------------------
On 27 October 2021 Wietse Boonstra found several vulnerabilities in the latest version of SmarterTrack. There were two XSS, an unauthenticated download and an upload / overwrite vulnerability. The researchers Wietse Boonstra and Finn van der Knaap examined the vulnerability and made the proof of concept.
---------------------------------------------
https://csirt.divd.nl/2022/08/09/Smartertrak-Full-Disclosure/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, IBM Netezza for Cloud Pak for Data, node.js, IBM® SDK Java Technology Edition (Version 8), IBM Security SiteProtector System, Spring Framework, IBM Workload Scheduler, Liberty for Java for IBM Cloud.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Siemens Security Advisories ∗∗∗
---------------------------------------------
4 new, 38 updated
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html?d=2022-08#Sec…
∗∗∗ Schneider Electric Security Advisories ∗∗∗
---------------------------------------------
Schneider Electric released 11 security advisories.
---------------------------------------------
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.…
∗∗∗ AUMA: Multiple Vulnerabilities in Automation Runtime NTP Service ∗∗∗
---------------------------------------------
The SIMA² Master Station features an NTP service based on ntpd, a reference implementation of the Network Time Protocol (NTP).
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-032/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gnutls28 and unzip), Fedora (dovecot and net-snmp), Red Hat (kernel-rt and vim), and Ubuntu (gst-plugins-good1.0).
---------------------------------------------
https://lwn.net/Articles/904271/
∗∗∗ SAP Patch Day August 2022 ∗∗∗
---------------------------------------------
An attacker from the adjacent network or a remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in SAP software to bypass security measures and disclose confidential information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0949
∗∗∗ Keycloak: Vulnerability allows code execution ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0948
∗∗∗ ImageMagick: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0946
∗∗∗ NetApp StorageGRID: Vulnerability allows manipulation of files ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0945
∗∗∗ Red Hat OpenShift Service Mesh: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0944
∗∗∗ Mitsubishi Electric GT SoftGOT2000 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-221-01
∗∗∗ Emerson ControlWave ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-221-02
∗∗∗ Emerson OpenBSI ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-221-03
∗∗∗ Open Source Varnish Cache Denial of Service ∗∗∗
---------------------------------------------
https://docs.varnish-software.com/security/VSV00009/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-08-2022 18:00 − Monday 08-08-2022 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New GwisinLocker ransomware encrypts Windows and Linux ESXi servers ∗∗∗
---------------------------------------------
A new ransomware family called GwisinLocker targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-…
∗∗∗ Microsoft Office to publish symbols starting August 2022 ∗∗∗
---------------------------------------------
We are excited to announce that Microsoft Office will begin publishing Office symbols for Windows via the Microsoft Public Symbol Server on August 9th 2022. The publication of Office symbols is a part of our continuing investment to improve security and performance for customers and partners.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/08/08/microsoft-office-to-publish-symb…
∗∗∗ BumbleBee Roasts Its Way to Domain Admin ∗∗∗
---------------------------------------------
In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group in March 2022. Google TAG attributes this malware to an initial access broker (IAB) dubbed EXOTIC LILY, working with the cybercrime group FIN12/WIZARD SPIDER/DEV-0193.
---------------------------------------------
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-adm…
∗∗∗ "Command&Control as a Service" – Cybercrime auf dem Weg in die Cloud ∗∗∗
---------------------------------------------
A new as-a-service offering has already won thousands of customers in the cybercrime underground within a few months.
---------------------------------------------
https://heise.de/-7204112
∗∗∗ Security information: New traffic-light protocol is intended to simplify confidentiality ∗∗∗
---------------------------------------------
The Traffic Light Protocol has established itself for labelling confidential information. TLP version 2.0 is intended to make the author's intent clearer.
---------------------------------------------
https://heise.de/-7205920
∗∗∗ Fake giveaway for JBL speakers on Instagram ∗∗∗
---------------------------------------------
Numerous Instagram users are currently being tagged in posts by fake JBL profiles: "If you have been tagged, you have won a portable speaker from JBL", the post reads.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-gewinnspiel-fuer-jbl-lautsprech…
∗∗∗ Ransomware attacks back in business ∗∗∗
---------------------------------------------
No summer break after all: after a slight decline at the beginning of the year, the number of ransomware attacks rose again in the second quarter of 2022.
---------------------------------------------
https://www.zdnet.de/88402769/ransomware-attacken-zurueck-im-geschaeft/
∗∗∗ Google report from VirusTotal on malware trends ∗∗∗
---------------------------------------------
On its VirusTotal service, Google receives numerous submissions of files every day to check whether they are malware. In a new report, "Deception at scale: How malware abuses trust", a Google team has compiled its findings on various techniques that malware uses to evade defense mechanisms and make social engineering attacks more effective.
---------------------------------------------
https://www.borncity.com/blog/2022/08/07/google-report-von-virustotal-ber-t…
∗∗∗ Small-time cybercrime is about to explode — We aren't ready ∗∗∗
---------------------------------------------
The cybersecurity industry tends to focus on extremely large-scale or sophisticated, state-sponsored attacks. Rightfully so, as it can be the most interesting, technically speaking. When most people think of cybercrime they think of large-scale breaches because that's what dominates the headlines. However, the problem is much bigger.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/smalltime-cybercrime.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Cross-Site Request Forgery Vulnerability Patched in Ecwid Ecommerce Shopping Cart Plugin ∗∗∗
---------------------------------------------
On June 24, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a Cross-Site Request Forgery vulnerability we discovered in Ecwid Ecommerce Shopping Cart, a WordPress plugin installed on over 30,000 sites. This vulnerability made it possible for attackers to modify some of the plugin’s more advanced settings via a forged request.
---------------------------------------------
https://www.wordfence.com/blog/2022/08/cross-site-request-forgery-vulnerabi…
∗∗∗ Web browsers: Google Chrome and Microsoft Edge 104 close security holes ∗∗∗
---------------------------------------------
Version 104 of the Chrome and Edge web browsers seals numerous security holes. Some Chrome features have also received some polish.
---------------------------------------------
https://heise.de/-7205970
∗∗∗ Takeover possible: DrayTek routers with critical security vulnerability ∗∗∗
---------------------------------------------
A vulnerability in DrayTek routers allows attackers from the network to compromise the devices. Not even a login is required.
---------------------------------------------
https://heise.de/-7206059
∗∗∗ Patchday: F5 closes vulnerabilities in BIG-IP and Nginx ∗∗∗
---------------------------------------------
F5 is shipping software updates to close 21 security vulnerabilities. Most of the high-risk flaws affect the vendor's BIG-IP systems.
---------------------------------------------
https://heise.de/-7205758
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libtirpc, and xorg-server), Fedora (giflib, mingw-giflib, and teeworlds), Mageia (chromium-browser-stable, kernel, kernel-linus, mingw-giflib, osmo, python-m2crypto, and sqlite3), Oracle (httpd, php, vim, virt:ol and virt-devel:ol, and xorg-x11-server), SUSE (caddy, crash, dpkg, fwupd, python-M2Crypto, and trivy), and Ubuntu (gdk-pixbuf, libjpeg-turbo, and phpliteadmin).
---------------------------------------------
https://lwn.net/Articles/904191/
∗∗∗ Security Bulletin: Apache log4j vulnerabilities in Spark and Zookeeper affect QRadar User Behavior Analytics (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Jquery-Ui, highcharts, and datatables are affecting QRadar User Behavior Analytics (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2021-23445, CVE-2021-29489) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Nextcloud Talk: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0935
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-08-2022 18:00 − Friday 05-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ ENISA Threat Landscape for Ransomware Attacks ∗∗∗
---------------------------------------------
This report aims to bring new insights into the reality of ransomware incidents through mapping and studying ransomware incidents from May 2021 to June 2022.
---------------------------------------------
https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-ransomw…
∗∗∗ Copying with rsync vulnerable to attacks ∗∗∗
---------------------------------------------
The announced new rsync version is meant to prevent a server from deliberately overwriting files on the client and thereby compromising it.
---------------------------------------------
https://heise.de/-7202888
∗∗∗ VMware updates: Fast action "extremely important" ∗∗∗
---------------------------------------------
Admin access without a password – and that is only one of the ten vulnerabilities for which VMware is shipping urgent updates.
---------------------------------------------
https://heise.de/-7204524
∗∗∗ Beware of fake police calls! ∗∗∗
---------------------------------------------
Are you receiving a call from an inconspicuous number in which the police supposedly accuse you of having committed a crime? Are you getting many calls, messages or voicemail messages from strangers referring to a phone conversation you never had? This is all part of a scam.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-falschen-polizeianrufen/
∗∗∗ New Linux malware brute-forces SSH servers to breach networks ∗∗∗
---------------------------------------------
A new botnet called RapperBot has emerged in the wild since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers and then establishing persistence.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forc…
∗∗∗ Facebook finds new Android malware used by APT hackers ∗∗∗
---------------------------------------------
Meta (Facebook) has released its Q2 2022 adversarial threat report, and among the highlights is the discovery of two cyber-espionage clusters connected to hacker groups known as Bitter APT and APT36 (aka Transparent Tribe) using new Android malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-finds-new-android-m…
∗∗∗ Finding hooks with windbg ∗∗∗
---------------------------------------------
In this blogpost we are going to look into hooks, how to find them, and how to restore the original functions.
---------------------------------------------
https://blog.nviso.eu/2022/08/05/finding-hooks-with-windbg/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical vulnerabilities in Cisco's SMB routers ∗∗∗
---------------------------------------------
The web interface of Cisco's RV series routers allows various unauthenticated actions - updates fix that.
---------------------------------------------
https://heise.de/-7203891
∗∗∗ VU#495801: muhttpd versions 1.1.5 and earlier are vulnerable to path traversal ∗∗∗
---------------------------------------------
Versions 1.1.5 and earlier of the mu HTTP daemon (muhttpd) are vulnerable to path traversal via a crafted HTTP request from an unauthenticated user. This vulnerability can allow unauthenticated users to download arbitrary files and collect private information on the target device.
---------------------------------------------
https://kb.cert.org/vuls/id/495801
∗∗∗ IBM Security Bulletins 2022-08-04 ∗∗∗
---------------------------------------------
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Security Identity Manager Virtual Appliance, IBM Robotic Process Automation, IBM Spectrum Scale Data Access Services, IBM Sterling Connect:Direct for UNIX Certified Container
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security update available in Foxit Reader for Linux 2.4.5 ∗∗∗
---------------------------------------------
Addressed a potential issue where the application could be exposed to Use-After-Free vulnerability. This occurs as the application executes the destructor under png_safe_execute. (CVE-2019-7317)
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, thunderbird, and xorg-x11-server), Debian (xorg-server), Gentoo (Babel, go, icingaweb2, lib3mf, and libmcpp), Oracle (389-ds:1.4, go-toolset:ol8, httpd, mariadb:10.5, microcode_ctl, and ruby:2.5), Red Hat (xorg-x11-server), Scientific Linux (xorg-x11-server), SUSE (buildah, go1.17, go1.18, harfbuzz, python-ujson, qpdf, u-boot, and wavpack), and Ubuntu (gnutls28, libxml2, mod-wsgi, openjdk-8, openjdk-8, openjdk-lts, openjdk-17, openjdk-18, [...]
---------------------------------------------
https://lwn.net/Articles/903997/
∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 04 August 2022 ∗∗∗
---------------------------------------------
Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. Related CVEs are: CVE-2022-24672, CVE-2022-24673 and CVE-2022-24674. A list of affected models is given below.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ ZDI-22-1064: OPC Foundation UA .NET Standard BrowseRequest Missing Authentication Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1064/
∗∗∗ F-Secure Linux Security and Internet GateKeeper: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0928
∗∗∗ vim: Vulnerability allows code execution ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0926
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-08-2022 18:00 − Thursday 04-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ TLP 2.0 is here ∗∗∗
---------------------------------------------
Earlier this week, the global Forum of Incident Response and Security Teams – or FIRST, as it is commonly known – published a new version of its Traffic Light Protocol standard. The Traffic Light Protocol (TLP) is commonly used in the incident response community, as well as in the wider security space, to quickly and in a standardized way indicate any limitations on further sharing of any transferred information.
---------------------------------------------
https://isc.sans.edu/diary/rss/28914
∗∗∗ PersistenceSniper ∗∗∗
---------------------------------------------
PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines.
---------------------------------------------
https://github.com/last-byte/PersistenceSniper
∗∗∗ Woody RAT: A new feature-rich malware spotted in the wild ∗∗∗
---------------------------------------------
The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.
---------------------------------------------
https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-f…
∗∗∗ Triangulation fraud when selling gaming accounts via classified ads ∗∗∗
---------------------------------------------
Be careful when buying and selling gaming accounts. Apart from the fact that buying and selling is often prohibited by the game developers, triangulation fraud occurs again and again. Sellers lose their gaming account and receive no money, or buyers receive no account and charge the money back.
---------------------------------------------
https://www.watchlist-internet.at/news/dreiecksbetrug-beim-verkauf-von-gami…
∗∗∗ Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware ∗∗∗
---------------------------------------------
This blog presents a case study from recent Bumblebee malware activity distributed through Projector Libra that led to Cobalt Strike. Information presented here should provide a clearer picture of the group’s tactics and help security professionals better defend their organizations against this threat.
---------------------------------------------
https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
∗∗∗ Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns ∗∗∗
---------------------------------------------
In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/dark-utilities.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco fixes critical remote code execution bug in VPN routers ∗∗∗
---------------------------------------------
Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-remote-…
∗∗∗ Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks ∗∗∗
---------------------------------------------
A critical, pre-authenticated remote code execution (RCE) vulnerability has cropped up in the widely used line of DrayTek Vigor routers for smaller businesses. If it's exploited, researchers warn that it could allow complete device takeover, along with access to the broader network.
---------------------------------------------
https://www.darkreading.com/endpoint/critical-rce-bug-draytek-routers-smbs-…
∗∗∗ IBM Security Bulletins 2022-08-03 ∗∗∗
---------------------------------------------
IBM Watson Discovery for IBM Cloud Pak for Data, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Db2, IBM Sterling File Gateway, IBM Sterling B2B Integrator, IBM Data Risk Manager, IBM Tivoli Application Dependency Discovery Manager, IBM Java SDK Technology Edition.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security Advisory - The input verification vulnerability of a Huawei Device product is involved. ∗∗∗
---------------------------------------------
A Huawei device has an input verification vulnerability. Successful exploitation of this vulnerability may lead to DoS attacks. (Vulnerability ID: HWPSIRT-2022-49379) Affected Product: CV81-WDM FW
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220810-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (lua), Oracle (kernel), Red Hat (389-ds:1.4, django, firefox, go-toolset and golang, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, java-1.8.0-ibm, java-17-openjdk, kernel, kernel-rt, kpatch-patch, mariadb:10.5, openssl, pcre2, php, rh-mariadb105-galera and rh-mariadb105-mariadb, ruby:2.5, thunderbird, vim, and virt:rhel and virt-devel:rhel), Scientific Linux (firefox and thunderbird), SUSE (drbd, java-17-openjdk, java-1_8_0-ibm, keylime, ldb, samba, mokutil, oracleasm, pcre2, permissions, postgresql-jdbc, python-numpy, samba, tiff, u-boot, and xscreensaver), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-450-server, nvidia-graphics-drivers-470, nvidia-graphics-drivers-470-server, nvidia-graphics-drivers-510, nvidia-graphics-drivers-510-server, nvidia-graphics-drivers-515, nvidia-graphics-drivers-515-server).
---------------------------------------------
https://lwn.net/Articles/903816/
∗∗∗ genua genugate: Vulnerability allows unspecified attack ∗∗∗
---------------------------------------------
An attacker can exploit a vulnerability in genua genugate to carry out an attack that is not further specified.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0906
∗∗∗ D-LINK Router: Multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in D-LINK routers to execute arbitrary code or cause a denial of service condition.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0907
∗∗∗ PostgreSQL: Vulnerability allows SQL injection ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit a vulnerability in PostgreSQL to perform SQL injection.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0910
∗∗∗ Nextcloud Server and Nextcloud Mail: Multiple vulnerabilities ∗∗∗
---------------------------------------------
An attacker from the adjacent network, or a remote anonymous or authenticated attacker, can exploit multiple vulnerabilities in Nextcloud to disclose information, bypass security measures and cause a denial-of-service condition.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0912
∗∗∗ Cisco Security Advisories 2022-08-03 ∗∗∗
---------------------------------------------
Cisco published 5 security advisories (1 critical, 4 medium severity).
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ Red Hat JBoss Enterprise Application Platform: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0901
∗∗∗ Digi ConnectPort X2D ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-216-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-08-2022 18:00 − Wednesday 03-08-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Wolf in sheep’s clothing: how malware tricks users and antivirus ∗∗∗
---------------------------------------------
One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how…
∗∗∗ Open source: Well-disguised malware campaign in thousands of GitHub repos ∗∗∗
---------------------------------------------
A security researcher has discovered a large-scale malware campaign that tries to sneak in through simple pull requests.
---------------------------------------------
https://www.golem.de/news/open-source-gut-getarnte-malware-kampagne-in-taus…
∗∗∗ Creating Processes Using System Calls ∗∗∗
---------------------------------------------
When we think about EDR or AV evasion, one of the most widespread methods adopted by offensive teams is the use of system calls (syscalls) to carry out specific actions.
---------------------------------------------
https://www.coresecurity.com/core-labs/articles/creating-processes-using-sy…
∗∗∗ EMBA v1.1.0: The security analyzer for embedded device firmware ∗∗∗
---------------------------------------------
EMBA is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the firmware extraction process, doing static analysis and dynamic analysis via emulation and finally generating a report.
---------------------------------------------
https://github.com/e-m-b-a/emba/releases
∗∗∗ PART 3: How I Met Your Beacon – Brute Ratel ∗∗∗
---------------------------------------------
In part three of this series, we will analyse Brute Ratel, a command and control framework developed by Dark Vortex.
---------------------------------------------
https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/
∗∗∗ Ransomware in Python package manager PyPI: The return of the script kiddies ∗∗∗
---------------------------------------------
A series of packages relied on typosquatting and distributed code that encrypts files on Windows. The motives are unclear.
---------------------------------------------
https://heise.de/-7200335
∗∗∗ Beware of fake emails from bank99 ∗∗∗
---------------------------------------------
Criminals pose as bank99 and want you to download the "Okay99 App". Do not click on "Aktivierung starten" (start activation), as otherwise your data will end up in the hands of the criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-mails-der-bank99/
∗∗∗ Detection Rules for Lightning Framework (and How to Make Them With Osquery) ∗∗∗
---------------------------------------------
On 21 July, 2022, we released a blog post about a new malware called Lightning Framework. Lightning is a modular malware framework targeting Linux. At the time of the publication, the Core module had one suspicious detection and the Downloader module was not detected by any scanning engines on VirusTotal.
---------------------------------------------
https://www.intezer.com/blog/threat-hunting/lightning-framework-linux-detec…
=====================
= Vulnerabilities =
=====================
∗∗∗ Forti Security Advisories 2022-08-02 ∗∗∗
---------------------------------------------
Forti published 3 Security Advisories (1 High, 2 Medium Severity).
---------------------------------------------
https://fortiguard.fortinet.com/psirt?date=08-2022
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, postgresql, python, python-twisted-web, python-virtualenv, squid, thunderbird, and xz), Fedora (ceph, firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and kubernetes), Oracle (firefox, go-toolset and golang, libvirt libvirt-python, openssl, pcre2, qemu, and thunderbird), SUSE (connman, drbd, kernel, python-jupyterlab, samba, and seamonkey), [...]
---------------------------------------------
https://lwn.net/Articles/903676/
∗∗∗ Android Patchday August 2022 ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Google Android to escalate privileges, disclose confidential information, cause a denial-of-service condition and execute arbitrary code.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0887
∗∗∗ Chrome 104.0.5112.x fixes vulnerabilities ∗∗∗
---------------------------------------------
On 2 August 2022, Google released the Google Chrome 104.0.5112.79 update for Linux and macOS, and 104.0.5112.79/80/81 for Windows, to the desktop Stable Channel. The security update closes numerous vulnerabilities.
---------------------------------------------
https://www.borncity.com/blog/2022/08/03/chrome-104-0-5112-x-fixt-schwachst…
∗∗∗ Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities – IBM JDK 8.0.7.6 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin…
∗∗∗ K14649763: Overview of F5 vulnerabilities (August 2022) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K14649763
∗∗∗ High Severity Vulnerability Patched in Download Manager Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-…
∗∗∗ Synology-SA-22:14 USB Copy ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_14
∗∗∗ Synology-SA-22:13 SSO Server ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_13
∗∗∗ Synology-SA-22:12 Synology Note Station Client ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_12
∗∗∗ Synology-SA-22:11 Storage Analyzer ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_11
∗∗∗ Ipswitch WS_FTP Server: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0895
∗∗∗ Nvidia GPU drivers and NVIDIA vGPU software: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0894
∗∗∗ Rsync: Vulnerability allows manipulation of files ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0891
∗∗∗ 2022-13 Denial of Service Vulnerability in EagleSDV ∗∗∗
---------------------------------------------
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14662&mediaformat…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 01-08-2022 18:00 − Tuesday 02-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft announces new solutions for threat intelligence and attack surface management ∗∗∗
---------------------------------------------
Defenders are up against the most sophisticated threat landscape we’ve ever seen. Today, we’re proud to execute our threat intelligence vision behind that acquisition and announce several new solutions to help security teams get ahead of adversaries and catch what others miss.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/08/02/microsoft-announces-new-…
∗∗∗ Raccoon Stealer v2: The Latest Generation of the Raccoon Family ∗∗∗
---------------------------------------------
In this blog, ThreatLabz will analyze Raccoon Stealer v2 in the exe format, and highlight key differences from its predecessors.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-g…
∗∗∗ Analyzing Attack Data and Trends Targeting Log4J ∗∗∗
---------------------------------------------
The Log4j vulnerability, initially reported in November 2021, has affected millions of devices and applications around the world.
---------------------------------------------
https://www.wordfence.com/blog/2022/08/analyzing-attack-data-and-trends-tar…
∗∗∗ Watchlist Internet is now on Instagram ∗∗∗
---------------------------------------------
From now on we also provide you with warnings about internet fraud on Instagram. In posts and stories we show you how to protect yourself against internet fraud, quickly recognise traps and surf the internet safely.
---------------------------------------------
https://www.watchlist-internet.at/news/die-watchlist-internet-ist-jetzt-auf…
∗∗∗ giesler-drogerie.com is fake ∗∗∗
---------------------------------------------
At giesler-drogerie.com you will find cheap perfumes, styling products and cosmetics. The complete imprint and the listed contact options give a reputable impression. But the details are forged. If you shop there, you lose your money and receive no delivery.
---------------------------------------------
https://www.watchlist-internet.at/news/giesler-drogeriecom-ist-fake/
∗∗∗ Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities ∗∗∗
---------------------------------------------
The TCL LinkHub Mesh Wi-Fi system is a multi-device Wi-Fi system that allows users to expand access to their network over a large physical area.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/vulnerability-spotlight-how-misus…
∗∗∗ Manjusaka: A Chinese sibling of Sliver and Cobalt Strike ∗∗∗
---------------------------------------------
Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware urges admins to patch critical auth bypass bug immediately ∗∗∗
---------------------------------------------
VMware has warned admins today to patch a critical authentication bypass security flaw affecting local domain users in multiple products and enabling unauthenticated attackers to gain admin privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-urges-admins-to-patch…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl and jetty9), Fedora (dovecot), Gentoo (vault), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and squid), SUSE (booth, dovecot22, dwarves and elfutils, firefox, gimp, java-11-openjdk, kernel, and oracleasm), and Ubuntu (linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, net-snmp, and samba).
---------------------------------------------
https://lwn.net/Articles/903555/
∗∗∗ Go-Based Apps Vulnerable to Attacks Due to URL Parsing Issue ∗∗∗
---------------------------------------------
Israeli cloud-native application security testing firm Oxeye discovered that the way URL parsing is implemented in some Go-based applications creates vulnerabilities that could allow threat actors to conduct unauthorized actions.
---------------------------------------------
https://www.securityweek.com/go-based-apps-vulnerable-attacks-due-url-parsi…
∗∗∗ GnuTLS patches memory mismanagement bug – update now! ∗∗∗
---------------------------------------------
https://nakedsecurity.sophos.com/2022/08/01/gnutls-patches-memory-mismanage…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by arbitrary code execution due to GNU cpio (CVE-2021-38185) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ VMSA-2022-0021 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0021.html
∗∗∗ vim: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0880
∗∗∗ FastStone ImageViewer: Vulnerability allows execution of arbitrary code with user privileges ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0883
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 29-07-2022 18:00 − Monday 01-08-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Security vulnerabilities usable as door openers discovered and closed in Nuki Smart Lock ∗∗∗
---------------------------------------------
Attackers could exploit numerous vulnerabilities in various Nuki Smart Lock smart door locks. The Nuki Bridge WLAN bridge is also affected.
---------------------------------------------
https://heise.de/-7194709
∗∗∗ Adware apps from Google Play disguise themselves as shapeshifters on Android devices ∗∗∗
---------------------------------------------
Facebook ads for fake Android system optimisation apps have led to around 7 million installations. Victims are bombarded with advertisements.
---------------------------------------------
https://heise.de/-7194655
∗∗∗ Post-quantum cryptography: encryption with isogenies is insecure ∗∗∗
---------------------------------------------
An attack on the SIDH key exchange shows once again how risky experimental cryptographic algorithms can be.
---------------------------------------------
https://www.golem.de/news/post-quanten-kryptographie-verschluesselung-mit-i…
∗∗∗ BlackCat ransomware claims attack on European gas pipeline ∗∗∗
---------------------------------------------
The ransomware group known as ALPHV (aka BlackCat) claimed responsibility over the weekend for the cyberattack that hit Creos Luxembourg last week, a natural gas pipeline and electricity network operator in the central European country.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-a…
∗∗∗ A Detailed Analysis of the RedLine Stealer ∗∗∗
---------------------------------------------
RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc.
---------------------------------------------
https://securityscorecard.com/research/detailed-analysis-redline-stealer
∗∗∗ Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys ∗∗∗
---------------------------------------------
Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts. The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secret information, respectively, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2022/08/researchers-discover-nearly-3200-mobile.h…
∗∗∗ A Little DDoS In the Morning, (Mon, Aug 1st) ∗∗∗
---------------------------------------------
Friday morning (at least it wasn't Friday afternoon), we got an alert that our database and web servers exceeded the expected load. Sometimes, this "happens." Often it is just some user innocently flooding our API with requests. We do use quite a bit of caching and such for requests, but it can happen that things pile up at the wrong time. So I took a look at the logs. In these cases, I first look at the top IPs sending requests to our API.
---------------------------------------------
https://isc.sans.edu/diary/rss/28900
∗∗∗ Month of PowerShell - PowerShell Remoting, Part 2 ∗∗∗
---------------------------------------------
In this article we finish up our look at PowerShell remoting by examining several options to run PowerShell commands on multiple remote systems.
---------------------------------------------
https://www.sans.org/blog/powershell-remoting-part-2/
∗∗∗ Month of PowerShell - Offensive PowerShell with Metasploit Meterpreter ∗∗∗
---------------------------------------------
In this article we look at how Metasploit Meterpreter can integrate PowerShell for extensible attacks in a red team or pen test engagement.
---------------------------------------------
https://www.sans.org/blog/offensive-powershell-metasploit-meterpreter/
∗∗∗ Month of PowerShell - Keyboard Shortcuts Like a Boss ∗∗∗
---------------------------------------------
In this article we look at several keyboard shortcuts to speed up your PowerShell sessions.
---------------------------------------------
https://www.sans.org/blog/keyboard-shortcuts-boss/
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress Vulnerabilities & Patch Roundup — July 2022 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2022/07/wordpress-vulnerabilities-patch-roundup-jul…
∗∗∗ Arris / Arris-variant DSL/Fiber router critical vulnerability exposure ∗∗∗
---------------------------------------------
Multiple vulnerabilities exist in the MIT-licensed muhttpd web server. This web server is widely used in ISP customer premise equipment (CPE), most notably in Arris firmware used in router models NVG443, NVG599, NVG589 and NVG510 (at least; possibly others), as well as ISP-customized variants such as BGW210 and BGW320 (Arris has declined to confirm affected models).
---------------------------------------------
https://derekabdine.com/blog/2022-arris-advisory
∗∗∗ IBM Security Bulletins 2022-07-29 ∗∗∗
---------------------------------------------
IBM CICS TX Advanced, IBM CICS TX Standard, IBM PowerVM Novalink, IBM Sterling Secure Proxy, IBM DataPower Gateway, Rational Performance Tester, Rational Service Tester, Urbancode Deploy, IBM Robotic Process Automation, Cloud Pak System, IBM PowerVM Novalink, IBM Secure External Authentication Server.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates: malicious code attacks on Thunderbird conceivable ∗∗∗
---------------------------------------------
Mozilla's developers have closed several security vulnerabilities in the Thunderbird e-mail client.
---------------------------------------------
https://heise.de/-7194671
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, [...]
---------------------------------------------
https://lwn.net/Articles/903455/
∗∗∗ HPE ProLiant and HP Integrated Lights-Out: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A local attacker, or an attacker in the adjacent network, can exploit multiple vulnerabilities in HPE ProLiant and HPE Integrated Lights-Out to execute arbitrary code, manipulate data, disclose confidential information and cause a denial-of-service condition.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0870
∗∗∗ D-LINK Router: Multiple vulnerabilities allow execution of arbitrary code with administrator privileges ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit multiple vulnerabilities in D-LINK routers to execute arbitrary code with administrator privileges.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0867
∗∗∗ HCL Commerce: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
A local attacker can exploit a vulnerability in HCL Commerce to disclose information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0866
∗∗∗ Multiple Vulnerabilities in BF-OS ∗∗∗
---------------------------------------------
BOSCH-SA-013924-BT: Multiple vulnerabilities were identified in BF-OS version 3.x up to and including 3.83 used by Bigfish V3 and PR21 (Energy Platform) devices and Bigfish VM image, which are part of the data collection infrastructure of the Energy Platform solution. The most critical vulnerability may allow an unauthenticated remote attacker to gain administrative privileges to the device by brute-forcing a weak password.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html
∗∗∗ K21192332: Apache HTTP Server vulnerability CVE-2022-31813 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K21192332
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 28-07-2022 18:00 − Friday 29-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Web portals: six years of free help for ransomware victims ∗∗∗
---------------------------------------------
With a bit of luck, the ID Ransomware and No More Ransom websites have information on free decryption tools for some ransomware families.
---------------------------------------------
https://heise.de/-7193953
∗∗∗ Patch now! Attacks on Atlassian Confluence ∗∗∗
---------------------------------------------
After a default password surfaced on social media platforms, attackers are targeting Confluence. But not all instances are vulnerable.
---------------------------------------------
https://heise.de/-7193458
∗∗∗ LockBit operator abuses Windows Defender to load Cobalt Strike ∗∗∗
---------------------------------------------
Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lockbit-operator-abuses-wind…
∗∗∗ Month of PowerShell - Renaming Groups of Files ∗∗∗
---------------------------------------------
In this article we look at how to automate a massive file-rename task using PowerShell.
---------------------------------------------
https://www.sans.org/blog/renaming-groups-files?msc=rss
∗∗∗ Researchers Warn of Increase in Phishing Attacks Using Decentralized IPFS Network ∗∗∗
---------------------------------------------
The decentralized file system solution known as IPFS is becoming the new "hotbed" for hosting phishing sites, researchers have warned. Cybersecurity firm Trustwave SpiderLabs, which disclosed specifics of the attack campaigns, said it identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months.
---------------------------------------------
https://thehackernews.com/2022/07/researchers-warns-of-increase-in.html
∗∗∗ ENISA: Telecom Security Incidents 2021 ∗∗∗
---------------------------------------------
This report provides anonymised and aggregated information about major telecom security incidents in 2021. The 2021 annual summary contains reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.
---------------------------------------------
https://www.enisa.europa.eu/publications/telecom-security-incidents-2021
∗∗∗ UEFI rootkits and UEFI secure boot ∗∗∗
---------------------------------------------
Kaspersky describes a UEFI implant used to attack Windows systems. Based on it appearing to require patching of the system firmware image, they hypothesise that it's propagated by manually dumping the contents of the system flash, modifying it, and then reflashing it back to the board. [..] But let's think about why this is in the firmware at all.
---------------------------------------------
https://mjg59.dreamwidth.org/60654.html
∗∗∗ Microsoft has blocked hackers' favourite trick. So now they are looking for a new route of attack ∗∗∗
---------------------------------------------
Microsoft's default block on Office macro malware is working, which means hackers need to find a new way to carry out their attacks.
---------------------------------------------
https://www.zdnet.com/article/microsoft-has-blocked-hackers-favourite-trick…
∗∗∗ Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products ∗∗∗
---------------------------------------------
Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed?
---------------------------------------------
https://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code…
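The decoder defect the Talos item above describes, as an added example (constructed illustration code, not the router vendor's code and not Talos's): unescape_vuln reproduces the pattern the post calls out, a percent-decoder with no size check that assumes two bytes always follow a '%', and unescape_safe is the bounds-checked form a reviewer would ask for. The function names, signatures and sample buffers are assumptions made for this example only.

```c
#include <stdio.h>
#include <string.h>

/* Value of a single hex digit, or -1 if c is not one. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Vulnerable pattern (constructed for this example): walks the input until a
 * NUL and, on '%', blindly consumes the next two bytes. If the '%' is the
 * last or second-to-last character, in[i+1]/in[i+2] are read past the
 * terminator, and "i += 2" steps over the NUL so the loop keeps copying from
 * beyond the string. There is no check on the size of out either.
 */
size_t unescape_vuln(const char *in, char *out) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '%') {
            out[o++] = (char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;                      /* may step over the terminator */
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/*
 * Hardened form: explicit input length and output capacity; a '%' must be
 * followed by two remaining bytes, and both must be hex digits. Returns the
 * decoded length, or -1 on malformed input or insufficient output space.
 */
long unescape_safe(const char *in, size_t in_len, char *out, size_t out_cap) {
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (o + 1 >= out_cap)            /* keep room for the terminator */
            return -1;
        if (in[i] == '%') {
            if (in_len - i < 3)          /* '%' needs two more bytes */
                return -1;
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0)
                return -1;
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void) {
    char out[32];

    /* Constructed sample: a truncated "%4" escape followed, after the NUL,
     * by two known bytes standing in for "whatever happens to be in memory". */
    char trap[] = { '%', '4', '\0', 'A', 'B', '\0' };

    size_t n = unescape_vuln(trap, out);
    printf("vulnerable: decoded %zu bytes, copied past the terminator: %s\n",
           n, (n == 3 && out[1] == 'A' && out[2] == 'B') ? "yes" : "no");

    long m = unescape_safe(trap, strlen(trap), out, sizeof out);
    printf("hardened: %s\n", m < 0 ? "rejected truncated escape" : "decoded");

    m = unescape_safe("a%20b%2Fc", 9, out, sizeof out);
    printf("hardened: \"a%%20b%%2Fc\" -> \"%s\" (%ld bytes)\n", out, m);
    return 0;
}
```

The sample buffer deliberately places two known bytes after the terminator so the overrun is visible and deterministic here instead of undefined; on a real device the bytes after the string are whatever the heap or stack holds, which is exactly why the missing length check matters. The hardened version takes the input length and output capacity explicitly, refuses a '%' with fewer than two bytes after it or a non-hex digit, and reports an error rather than guessing.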
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-22-1031: OPC Labs QuickOPC Connectivity Explorer Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of OPC Labs QuickOPC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-22-1031/
∗∗∗ ABB Cyber Security Advisory: ABB Ability TM Operations Data Management Zenon Log Server file access control ∗∗∗
---------------------------------------------
These vulnerabilities affect the ABB Ability™ Operations Data Management Zenon. A successful exploit could allow attackers to log additional messages and access files from the Zenon system. While the passwords in the INI files are not stored in clear text, they can be subjected to further attacks against the hash algorithm.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001479&Language…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (xorg-x11-server and xorg-x11-server-Xwayland), SUSE (aws-iam-authenticator, ldb, samba, libguestfs, samba, and u-boot), and Ubuntu (firefox, intel-microcode, libtirpc, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-gcp-5.4, linux-gke-5.4, mysql-5.7, and mysql-5.7, mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/902913/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0007 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...] Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0007.html
∗∗∗ Synology-SA-22:10 Samba ∗∗∗
---------------------------------------------
CVE-2022-32742 allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) and SMB Service. CVE-2022-2031, CVE-2022-32744, and CVE-2022-32746 allow remote authenticated users to bypass security constraints and conduct denial-of-service attacks via a susceptible version of Synology Directory Server. None of Synology's products are affected by CVE-2022-32745 as [...]
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_10
∗∗∗ JetBrains IntelliJ IDEA: Multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in JetBrains IntelliJ IDEA to execute arbitrary code or bypass security measures.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0860
∗∗∗ Foxit Reader and Foxit PDF Editor: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Foxit Reader and Foxit PDF Editor to execute arbitrary code, disclose confidential information and cause a denial-of-service condition.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0862
∗∗∗ GitLab: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in GitLab to bypass security measures, conduct a cross-site scripting attack and disclose confidential information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0861
∗∗∗ Rockwell Products Impacted by Chromium Type Confusion ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-209-01
∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module (CVE-2021-44906) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or cause a denial of service (CVE-2022-35643) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-vios-could-al…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in IBM Engineering Systems Design Rhapsody (Rhapsody) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-cve-2021-442…
∗∗∗ Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to bypass security restrictions and obtain sensitive information due to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-powered-b…
∗∗∗ Security Bulletin: AIX is affected by multiple vulnerabilities in Python ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-affected-by-multip…
∗∗∗ Security Bulletin: Denial of service vulnerability in OpenSSL as shipped with IBM Security Verify Bridge Docker image (CVE-2022-0778) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera…
∗∗∗ Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Engineering Lifecycle Optimization – Publishing ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerabi…
∗∗∗ Security Bulletin: AIX is vulnerable to cache poisoning due to ISC BIND (CVE-2021-25220) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-cach…
∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-rel…
∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2018-25031, CVE-2021-46708) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…