Daily

daily@lists.cert.at

1 participants
3182 discussions

Tageszusammenfassung - 28.09.2022
by Daily end-of-shift report 28 Sep '22

28 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-09-2022 18:00 − Mittwoch 28-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft to retire Exchange Online client access rules in a year ∗∗∗ --------------------------------------------- Microsoft announced today that it will retire Client Access Rules (CARs) in Exchange Online within a year, by September 2023. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-to-retire-exchang… ∗∗∗ Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks ∗∗∗ --------------------------------------------- The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-us… ∗∗∗ Prilex: the pricey prickle credit card complex ∗∗∗ --------------------------------------------- Prilex is a Brazilian threat actor focusing on ATM and PoS attacks. In this report, we provide an overview of its PoS malware. --------------------------------------------- https://securelist.com/prilex-atm-pos-malware-evolution/107551/ ∗∗∗ New Malware Variants Serve Bogus CloudFlare DDoS Captcha ∗∗∗ --------------------------------------------- When attackers shift up their campaigns, change their payload or exfiltration domains, and put some extra effort into hiding their malware it’s usually a telltale sign that they are making some money off of their exploits. One such campaign is the fake CloudFlare DDoS pages which we reported on last month. --------------------------------------------- https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare… ∗∗∗ Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems ∗∗∗ --------------------------------------------- A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. --------------------------------------------- https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html ∗∗∗ Zielscheibe Open-Source-Paket: Angriffe 700 Prozent häufiger als vor drei Jahren ∗∗∗ --------------------------------------------- Open-Source-Repositories werden immer häufiger zum Angriffsziel Krimineller. Allein im letzten Jahr hat Sonatype über 55.000 infizierte Pakete identifiziert. --------------------------------------------- https://heise.de/-7278355 ∗∗∗ Attacking Encrypted HTTP Communications ∗∗∗ --------------------------------------------- The Reolink RLC-520A PoE camera obfuscates its HTTP communication by encrypting the POST body data. This level of security does defend against opportunistic attackers but falls short when defending against persistent attackers. --------------------------------------------- https://www.pentestpartners.com/security-blog/attacking-encrypted-http-comm… ∗∗∗ Decrypt “encrypted stub data” in Wireshark ∗∗∗ --------------------------------------------- I often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC But I’m often interrupted in my enthusiasm by the payload dissected as “encrypted stub data”: Can we decrypt this “encrypted stub data?” --------------------------------------------- https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshar… ∗∗∗ Stories from the SOC - C2 over port 22 ∗∗∗ --------------------------------------------- The Mirai botnet is infamous for the impact and the everlasting effect it has had on the world. Since the inception and discovery of this malware in 2016, to present day and all the permutations that have spawned as a result, cybersecurity professionals have been keeping a keen eye on this form of Command and Control (C2 or CnC) malware and associated addresses. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#855201: L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers ∗∗∗ --------------------------------------------- OverviewLayer-2 (L2) network security controls provided by various devices, such as switches, routers, and operating systems, can be bypassed by stacking Ethernet protocol headers. An attacker can send crafted packets through vulnerable devices to cause Denial-of-service (DoS) or to perform a man-in-the-middle (MitM) attack against a target network. This vulnerability exists within Ethernet encapsulation protocols that allow for stacking of Virtual Local Area Network (VLAN) headers. --------------------------------------------- https://kb.cert.org/vuls/id/855201 ∗∗∗ Cisco Security Advisories 2022-09-27 - 2022-09-28 ∗∗∗ --------------------------------------------- Cisco published 23 Security Advisories (13 High, 10 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Webbrowser Chrome 106: Neue Funktionen und 20 abgedichtete Sicherheitslecks ∗∗∗ --------------------------------------------- Google bessert 20 teils hochriskante Sicherheitslücken im Webbrowser Chrome aus. Zudem erhält der Browser neue Funktionen und Verbesserungen. --------------------------------------------- https://heise.de/-7277825 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gdal, maven-shared-utils, thunderbird, webkit2gtk, and wpewebkit), Fedora (firefox and libofx), SUSE (dpdk, firefox, flatpak, grafana, kernel, libcaca, and opera), and Ubuntu (ghostscript and linux-gcp-5.15). --------------------------------------------- https://lwn.net/Articles/909676/ ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Octopus Deploy ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1552 ∗∗∗ Security Bulletin: A Security Vulnerability was fixed in IBM Application Gateway. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery (CVE-2022-35282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Information disclosure vulnerability in IBM QRadar User Behavior Analytics (CVE-2022-36771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to identity spoofing by an authenticated user using a specially crafted request. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to HTTP header injection, caused by improper validation. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin:IBM TRIRIGA Application Platform discloses possible path command execution(CVE-2021-41878) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-tririga-application-pl… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Autodesk AutoCAD: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1549 ∗∗∗ Moodle: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1546 ∗∗∗ Check Point ZoneAlarm Extreme Security: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1544 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2022
by Daily end-of-shift report 27 Sep '22

27 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 26-09-2022 18:00 − Dienstag 27-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers use PowerPoint files for mouseover malware delivery ∗∗∗ --------------------------------------------- The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization working towards stimulating economic progress and trade worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-powerpoint-files… ∗∗∗ New Erbium password-stealing malware spreads as game cracks, cheats ∗∗∗ --------------------------------------------- The new Erbium information-stealing malware is being distributed as fake cracks and cheats for popular video games to steal victims credentials and cryptocurrency wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing… ∗∗∗ Pass-the-Hash Attacks and How to Prevent them in Windows Domains ∗∗∗ --------------------------------------------- Hackers often start out with nothing more than a low-level user account and then work to gain additional privileges that will allow them to take over the network. One of the methods that is commonly used to acquire these privileges is a pass-the-hash attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pass-the-hash-attacks-and-ho… ∗∗∗ Anlagebetrug: Vorsicht vor Diensten, die Ihnen helfen wollen, Ihr verlorenes Geld zurückzubekommen ∗∗∗ --------------------------------------------- Haben Sie bei einer betrügerischen Investmentplattform Geld verloren? Dann nehmen Sie sich vor Folgebetrug in Acht. Kriminelle bewerben Dienstleistung, die Ihnen angeblich dabei helfen, Ihr verlorenes Geld zurückzubekommen. Angebote von finanzaufsicht.com oder firstmoneyback.com sind aber Fake! Sie werden erneut betrogen! --------------------------------------------- https://www.watchlist-internet.at/news/anlagebetrug-vorsicht-vor-diensten-d… ∗∗∗ More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID ∗∗∗ --------------------------------------------- Polyglot files, such as the malicious CHM file analyzed here, can be abused to hide from anti-malware systems that rely on file format identification. --------------------------------------------- https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/ ∗∗∗ What happens with a hacked Instagram account – and how to recover it ∗∗∗ --------------------------------------------- Had your Instagram account stolen? Don’t panic – here’s how to get your account back and how to avoid getting hacked (again). --------------------------------------------- https://www.welivesecurity.com/2022/09/26/what-happens-hacked-instagram-acc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot and firefox-esr), Fedora (firefox and grafana), Red Hat (firefox and thunderbird), Slackware (dnsmasq and vim), SUSE (dpdk, firefox, kernel, libarchive, libcaca, mariadb, openvswitch, opera, permissions, podofo, snakeyaml, sqlite3, unzip, and vsftpd), and Ubuntu (expat, libvpx, linux-azure-fde, linux-oracle, squid, squid3, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/909576/ ∗∗∗ SECURITY - ABB Central Licensing System Vulnerabilities, impact on ABB Ability SCADAvantage ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A3198&Lan… ∗∗∗ Security Bulletin: A vulnerability in Apache Commons Fileupload affects IBM Tivoli Business Service Manager (CVE-2013-2186, CVE-2013-0248, CVE-2016-3092, CVE-2014-0050, 220723) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: A vulnerability in FasterXML Woodstox affects IBM Tivoli Business Service Manager (220573) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-faster… ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1541 ∗∗∗ Publish SBA-ADV-20220328-01: Vtiger CRM Stored Cross-Site Scripting ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/28e164f1cb73e4885a58616d1b… ∗∗∗ Hitachi Energy APM Edge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-02 ∗∗∗ Rockwell Automation ThinManager ThinServer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-03 ∗∗∗ Hitachi Energy AFS660/AFS665 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-01 ∗∗∗ September 23rd 2022 Security Releases ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2022
by Daily end-of-shift report 26 Sep '22

26 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-09-2022 18:00 − Montag 26-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ NullMixer: oodles of Trojans in a single dropper ∗∗∗ --------------------------------------------- NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others. --------------------------------------------- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/1074… ∗∗∗ Maldoc Analysis Info On MalwareBazaar, (Sat, Sep 24th) ∗∗∗ --------------------------------------------- When you lookup a malicious document sample on MalwareBazaar, like this sample, you can see analysis data from olevba and oledump. --------------------------------------------- https://isc.sans.edu/diary/rss/29084 ∗∗∗ Downloading Samples From Takendown Domains, (Sun, Sep 25th) ∗∗∗ --------------------------------------------- Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down). --------------------------------------------- https://isc.sans.edu/diary/rss/29086 ∗∗∗ Easy Python Sandbox Detection , (Mon, Sep 26th) ∗∗∗ --------------------------------------------- Many malicious Python scripts implement a sandbox detection mechanism, I already wrote diaries about this, but it requires some extra code in the script. Because we are lazy (attackers too), why not try to automate this and easily detect the presence of such a security mechanism? --------------------------------------------- https://isc.sans.edu/diary/rss/29090 ∗∗∗ 13,8 Millionen Downloads: Malware-Apps unter Android und iOS ∗∗∗ --------------------------------------------- Ein IT-Sicherheitsunternehmen hat Werbebetrugs-Apps in Google Play und im Apple Store gefunden, die auf insgesamt 13,8 Millionen Downloads kommen. --------------------------------------------- https://heise.de/-7275295 ∗∗∗ Ransomware: Nach Verschlüsseln kommt jetzt Kopieren & Zerstören ∗∗∗ --------------------------------------------- Das mit dem Verschlüsseln ist aufwendig und fehleranfällig – das denken sich wohl auch Cybercrime-Banden, die zuvor kopierte Daten unbrauchbar machen. --------------------------------------------- https://heise.de/-7275667 ∗∗∗ Microsoft Edge mit SOCKS Proxy über PuTTY / SSH nutzen ∗∗∗ --------------------------------------------- Microsoft Edge (dzt. geprüfte Versionen bis v107) bietet in den Einstellungen leider keine Nutzung von SOCKS-Proxys an. Edge unterstützt dies aber (obwohl sich hierzu in der offiziellen Doku leider nichts findet) über das CmdLine-Argument “--proxy-server“. --------------------------------------------- https://hitco.at/blog/microsoft-edge-socks-proxy-putty-ssh/ ∗∗∗ Betrügerisches Post-Gewinnspiel auf WhatsApp ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie auf WhatsApp ein Gewinnspiel mit dem Titel „Österreichische Post Staatliche Förderung“ erhalten. Dabei handelt es sich um Fake. Sie tappen entweder in eine Abo-Falle oder laden Schadsoftware herunter. Klicken Sie nicht auf den Link und löschen Sie die Nachricht. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-post-gewinnspiel-auf… ∗∗∗ Hunting for Unsigned DLLs to Find APTs ∗∗∗ --------------------------------------------- Hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment. Our examples include well-known APTs. --------------------------------------------- https://unit42.paloaltonetworks.com/unsigned-dlls/ ∗∗∗ BumbleBee: Round Two ∗∗∗ --------------------------------------------- In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. --------------------------------------------- https://thedfirreport.com/2022/09/26/bumblebee-round-two/ ∗∗∗ MISP 2.4.163 released with improved periodic notification system and many improvements ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.163 with an updated periodic notification systemand many improvements. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.163 ∗∗∗ Tell Me Where You Live and I Will Tell You About Your P@ssw0rd: Understanding the Macrosocial Factors Influencing Password’s Strength ∗∗∗ --------------------------------------------- Free Person Holding World Globe Facing Mountain Stock PhotoTo explore how a user’s environment influences password creation strategies, we present a blogpost series in which we consider several different perspectives – the macrosocial influence of your country (where you live), the influence of your peers (who your friends are), and a technical understanding of how they are attacked – to improve password security and mitigate the risk of poorly secured passwords. --------------------------------------------- https://www.gosecure.net/blog/2022/09/26/tell-me-where-you-live-and-i-will-… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Windows Shift F10 Bypass and Autopilot privilge escalation ∗∗∗ --------------------------------------------- This post demonstrates full chained exploitation, and it contains two steps. The second step is a known vulnerability, but there are other ways. --------------------------------------------- https://k4m1ll0.com/ShiftF10Bypass-and-privesc.html ∗∗∗ Sophos Firewalls: Kritische Sicherheitslücke wird angegriffen ∗∗∗ --------------------------------------------- Angreifer nutzen eine Schwachstelle in Sophos Firewalls aus, durch die sie eigenen Code auf verwundbare Maschinen schieben. Softwareflicken dichten das Leck ab. --------------------------------------------- https://heise.de/-7275195 ∗∗∗ Angreifer nisten sich in Exchange Online ein – mit bösartigen OAuth-Apps ∗∗∗ --------------------------------------------- Microsoft hat Angriffe auf Cloud-Exchange analysiert, bei denen Angreifer mit bösartigen OAuth-Apps nachhaltig Zugang erlangten und ihn für Spam missbrauchen. --------------------------------------------- https://heise.de/-7275757 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat and poppler), Fedora (dokuwiki), Gentoo (fetchmail, grub, harfbuzz, libaacplus, logcheck, mrxvt, oracle jdk/jre, rizin, smarty, and smokeping), Mageia (tcpreplay, thunderbird, and webkit2), SUSE (dpdk, permissions, postgresql14, puppet, and webkit2gtk3), and Ubuntu (linux-gkeop and sosreport). --------------------------------------------- https://lwn.net/Articles/909439/ ∗∗∗ Trend Micro Deep Security Agent: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Trend Micro Deep Security Agent ausnutzen, um Informationen offenzulegen oder seine Rechte zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1534 ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in QEMU ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1535 ∗∗∗ WhatsApp: Zwei Schwachstellen ermöglichen Remote Code-Ausführung ∗∗∗ --------------------------------------------- Meta-Tochter WhatsApp warnt vor zwei Schwachstellen in seinen Apps für Android und iOS, die die Sicherheit der Benutzer gefährden. Beide Schwachstellen ermöglichen eine Remote Code-Ausführung – die Apps sollten also zeitnah aktualisiert werden. --------------------------------------------- https://www.borncity.com/blog/2022/09/26/whatsapp-zwei-schwachstellen-ermgl… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager vulnerable to denial of service due to Apache Shiro (CVE-2022-32532) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: Due to RPM, AIX is vulnerable to arbitrary code execution (CVE-2021-20271), RPM database corruption (CVE-2021-3421), and denial of service (CVE-2021-20266) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-rpm-aix-is-vulnera… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to a denial of service due to Vmware Tanzu Spring Framework (CVE-2022-22971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Curl affect PowerSC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-029/ ∗∗∗ CISA Has Added One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/23/cisa-has-added-on… ∗∗∗ Node.js: September 22nd 2022 Security Releases ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2022
by Daily end-of-shift report 23 Sep '22

23 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-09-2022 18:00 − Freitag 23-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schadsoftware: Betrüger verteilen Malware mit gefälschten Zoom-Webseiten ∗∗∗ --------------------------------------------- Die Webseiten geben sich als Downloadseite für Zoom aus, doch verteilen sie eine Schadsoftware, die es auf Bankdaten abgesehen hat. --------------------------------------------- https://www.golem.de/news/schadsoftware-betrueger-verteilen-malware-mit-gef… ∗∗∗ Google Play Store: Trojaner Harly kommt auf 4,8 Millionen Downloads ∗∗∗ --------------------------------------------- Im Google Play Store entdeckt Kaspersky zahlreiche trojanisierte Apps, die den Schädling Harly enthalten. Der schließt kostenpflichtige Dienste-Abos ab. --------------------------------------------- https://heise.de/-7273522 ∗∗∗ Fingerabdruck & Co. - Wie funktionieren biometrische Anmeldeverfahren? ∗∗∗ --------------------------------------------- Ihre Augen können das Fenster zu Ihrer Seele sein, aber sie können auch Ihre Bordkarte für das Flugzeug oder der Schlüssel zum Entsperren Ihres Telefons sein. Welche Vor- und Nachteile birgt die Verwendung biometrischer Merkmale für die Authentifizierung? --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/09/22/fingerabdruck-co-wie-funk… ∗∗∗ Microsoft: Windows KB5017383 preview update added to WSUS by mistake ∗∗∗ --------------------------------------------- Microsoft says that KB5017383, this months Windows preview update, has been accidentally listed in Windows Server Update Services (WSUS) and may lead to security update install problems in some managed environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-kb5017383… ∗∗∗ Malicious OAuth applications used to compromise email servers and spread spam ∗∗∗ --------------------------------------------- Microsoft discovered an attack where attackers installed a malicious OAuth application in compromised tenants and used their Exchange servers to launch spam runs. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applicat… ∗∗∗ Kids Like Cookies, Malware Too!, (Fri, Sep 23rd) ∗∗∗ --------------------------------------------- Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won't discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user. --------------------------------------------- https://isc.sans.edu/diary/rss/29082 ∗∗∗ Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts ∗∗∗ --------------------------------------------- GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The Microsoft-owned code hosting service said it learned of the attack on September 16, 2022, adding the campaign impacted "many victim organizations. --------------------------------------------- https://thehackernews.com/2022/09/hackers-using-fake-circleci.html ∗∗∗ WAF bypasses via 0days ∗∗∗ --------------------------------------------- In May, I participated in 1337up0522 from Intigriti which was about hacking OWASP ModSecurity Core Rule Set (CRS). I’ve got 13 findings accepted including 3 exceptional, 2 critical, and 8 high severity vulnerabilities. In this article, I will showcase a couple of interesting findings. --------------------------------------------- https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec ∗∗∗ Surge in Magento 2 template attacks ∗∗∗ --------------------------------------------- The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent Sansec forensic cases concern this attack method. In this article we share our findings of 3 template hacks, and hope it will help you if you are confronted with a similar attack. --------------------------------------------- https://sansec.io/research/magento-2-template-attacks ∗∗∗ Cross-Site Scripting: The Real WordPress Supervillain ∗∗∗ --------------------------------------------- Vulnerabilities are a fact of life for anyone managing a website, even when using a well-established content management system like WordPress. Not all vulnerabilities are equal, with some allowing access to sensitive data that would normally be hidden from public view, while others could allow a malicious actor to take full control of an affected [...] --------------------------------------------- https://www.wordfence.com/blog/2022/09/cross-site-scripting-the-real-wordpr… ∗∗∗ CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned of cyberattacks targeting a recently addressed vulnerability in Zoho ManageEngine. --------------------------------------------- https://www.securityweek.com/cisa-warns-zoho-manageengine-rce-vulnerability… ∗∗∗ NSA and CISA: Heres how hackers are going after critical systems, and what you need to do about it ∗∗∗ --------------------------------------------- NSA and CISA offer some advice for critical infrastructure operators to protect their industrial control systems. --------------------------------------------- https://www.zdnet.com/article/nsa-and-cisa-heres-how-hackers-are-going-afte… ∗∗∗ Experts fear LockBit spread after ransomware builder leaked ∗∗∗ --------------------------------------------- A toolkit to create DIY versions of the LockBit ransomware has leaked, raising alarms among incident responders and cybersecurity experts warning of more widespread use in attacks. The leak, for the LockBit 3.0 ransomware encryptor, was announced on Wednesday by security researcher 3xp0rt. Several experts and researchers confirmed to The Record that the builder works [...] --------------------------------------------- https://therecord.media/experts-fear-lockbit-spread-after-ransomware-builde… ∗∗∗ FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers ∗∗∗ --------------------------------------------- The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers. --------------------------------------------- https://asec.ahnlab.com/en/39152/ ===================== = Vulnerabilities = ===================== ∗∗∗ HP-Drucker: Kritische Lücke erlaubt Codeschmuggel in diversen Modellen ∗∗∗ --------------------------------------------- HP warnt vor Sicherheitslücken in zahlreichen Druckermodellen, die Angreifern das Einschleusen von Schadcode ermöglichen. Der Hersteller stellt Updates bereit. --------------------------------------------- https://heise.de/-7250538 ∗∗∗ IBM Security Bulletins 2022-09-22 ∗∗∗ --------------------------------------------- IBM CICS TX Advanced, IBM CICS TX Standard, IBM Common Cryptographic Architecture (CCA), IBM InfoSphere Information Server, IBM Jazz for Service Management, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM Partner Engagement Manager, IBM Security Guardium, IBM Spectrum Control, Operations Dashboard, TXSeries for Multiplatforms, Watson Explorer and Watson Explorer Content Analytics Studio, z/Transaction Processing Facility --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, expat, firefox-esr, mediawiki, and unzip), Fedora (qemu and thunderbird), Oracle (webkit2gtk3), SUSE (ardana-ansible, ardana-cobbler, ardana-tempest, grafana, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-neutron-gbp, openstack-nova, python-Django1, rabbitmq-server, rubygem-puma, ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma, dpdk, [...] --------------------------------------------- https://lwn.net/Articles/909208/ ∗∗∗ New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access ∗∗∗ --------------------------------------------- Firmware security company Binarly has discovered another round of potentially serious firmware vulnerabilities that could allow an attacker to gain persistent access to any of the millions of affected devices. --------------------------------------------- https://www.securityweek.com/new-firmware-vulnerabilities-affecting-million… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2022
by Daily end-of-shift report 22 Sep '22

22 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-09-2022 18:00 − Donnerstag 22-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BlackCat ransomware’s data exfiltration tool gets an upgrade ∗∗∗ --------------------------------------------- The BlackCat ransomware (aka ALPHV) isnt showing any signs of slowing down, and the latest example of its evolution is a new version of the gangs data exfiltration tool used for double-extortion attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackcat-ransomware-s-data-e… ∗∗∗ Critical Magento vulnerability targeted in new surge of attacks ∗∗∗ --------------------------------------------- Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-magento-vulnerabili… ∗∗∗ RAT Delivered Through FODHelper , (Thu, Sep 22nd) ∗∗∗ --------------------------------------------- I found a simple batch file that drops a Remcos RAT through an old UAC Bypass technique. This technique is based on the "fodhelper" utility ("Features On Demand Helper"). --------------------------------------------- https://isc.sans.edu/diary/rss/29078 ∗∗∗ Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure ∗∗∗ --------------------------------------------- Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. --------------------------------------------- https://thehackernews.com/2022/09/researchers-disclose-critical.html ∗∗∗ Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions ∗∗∗ --------------------------------------------- Recently (in August of 2022), the Sysinternals team released Sysmon 14.0 – a notable update of a powerful and configurable tool for monitoring Windows machines. While Sysmon already included a few valuable detection capabilities, the update introduced the first preventive measure – the FileBlockExecutable event (ID 27). --------------------------------------------- https://www.huntandhackett.com/blog/bypassing-sysmon ∗∗∗ A technical analysis of the leaked LockBit 3.0 builder ∗∗∗ --------------------------------------------- This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022. --------------------------------------------- https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-buil… ∗∗∗ You can’t stop me. MS Teams session hijacking and bypass ∗∗∗ --------------------------------------------- How cleartext session tokens are stored in an unsecured directory that can be stolen and used to impersonate a Teams user. --------------------------------------------- https://www.pentestpartners.com/security-blog/you-cant-stop-me-ms-teams-ses… ∗∗∗ Webinar: Love Scams im Internet erkennen ∗∗∗ --------------------------------------------- Am Mittwoch, den 28.09.2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Love Scams" statt. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-love-scams-im-internet-erken… ∗∗∗ Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics ∗∗∗ --------------------------------------------- New version of Exmatter, and Eamfo malware, used by attackers deploying the Rust-based ransomware. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/no… ∗∗∗ AA22-265A: Control System Defense: Know the Opponent ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure, describes TTPs that malicious actors use to compromise OT/ICS assets. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-265a ∗∗∗ MindShaRE: Analyzing BSD Kernels for Uninitialized Memory Disclosures using Binary Ninja ∗∗∗ --------------------------------------------- Disclosure of uninitialized memory is one of the common problems faced when copying data across trust boundaries. This can happen between the hypervisor and guest OS, kernel and user space, or across the network. --------------------------------------------- https://www.thezdi.com/blog/2022/9/19/mindshare-analyzing-bsd-kernels-with-… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-21 ∗∗∗ --------------------------------------------- IBM Security Guardium, IBM Cloud Pak for Multicloud Management Managed Services, IBM Tivoli Netcool Impact, IBM Maximo Asset Management, IBM Spectrum Protect Plus SQL. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Notfallpatch für Microsoft Endpoint Configuration Manager erschienen ∗∗∗ --------------------------------------------- Admins sollten die IT-Managementlösung Endpoint Configuration Manager von Microsoft aktualisieren. Es könnten Attacken bevorstehen. --------------------------------------------- https://heise.de/-7272195 ∗∗∗ Python: 15 Jahre alte Schwachstelle betrifft potenziell 350.000 Projekte ∗∗∗ --------------------------------------------- Das Issue zu der Directory-Traversal-Schwachstelle in dem Modul tarfile existiert seit 2007. Geschlossen wurde es mit einem Hinweis in der Dokumentation. --------------------------------------------- https://heise.de/-7272186 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (e17, fish, mako, and tinygltf), Fedora (mingw-poppler), Mageia (firefox, google-gson, libxslt, open-vm-tools, redis, and sofia-sip), Oracle (dbus-broker, kernel, kernel-container, mysql, and nodejs and nodejs-nodemon), Slackware (bind), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, [...] --------------------------------------------- https://lwn.net/Articles/909051/ ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2022/09/22/technical-advisory-multiple-vulner… ∗∗∗ HP LaserJet: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1499 ∗∗∗ Measuresoft ScadaPro Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-265-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2022
by Daily end-of-shift report 21 Sep '22

21 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-09-2022 18:00 − Mittwoch 21-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Angreifer könnten eigenen Code im Kontext von Thunderbird und Firefox ausführen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Lücken im E-Mail-Client Thunderbird und den Webbrowsern Firefox und Firefox ESR. --------------------------------------------- https://heise.de/-7270944 ∗∗∗ Hinter Massenmails zu Paketzustellung und Lagergebühr steckt Betrug! ∗∗∗ --------------------------------------------- Aktuell erhalten unzählige Menschen eine personalisierte E-Mail zu einem Paket mit dem Betreff „Label/abgerissen/Zustellung“. Wegen unlesbarer Adresse sollen Sie einen Chat öffnen und Daten ergänzen, um eine Lagergebühr über 29,99 Euro zu vermeiden. Folgen Sie dem Link nicht, geben Sie keine Daten bekannt und bezahlen Sie nichts. Es handelt sich um eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/hinter-massenmails-zu-paketzustellun… ∗∗∗ Windows 11 22H2 adds kernel exploit protection to security baseline ∗∗∗ --------------------------------------------- Microsoft has released the final version of security configuration baseline settings for Windows 11, version 22H2, downloadable today using the Microsoft Security Compliance Toolkit. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-11-22h2-adds-kernel… ∗∗∗ Identifying file manipulation in system files ∗∗∗ --------------------------------------------- Sometimes people send files to us that seem to be legitimate Microsoft system files at first glance, yet closer inspection reveals, that they have in fact been modified. Are those manipulations always malicious? And how can file manipulations be identified? Here are seven different ways to do that. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/09/37511-detecting-file-manipulatio… ∗∗∗ New Windows 11 security features are designed for hybrid work ∗∗∗ --------------------------------------------- With Windows 11, you can protect your valuable data and enable secure hybrid work with the latest advanced security. Were proud to announce the new security features you heard about this spring are now available. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/20/new-windows-11-security-… ∗∗∗ Defense-in-Depth Updates for Azure Identity SDK and Azure Key Vault SDK plus Best Practice Implementation Guidance ∗∗∗ --------------------------------------------- Today, Microsoft released a new version of the Azure Key Vault Software Development Kit (SDK) and Azure Identity SDK that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and services that allow externally controlled input into the Azure Key Vault client URI for processing. --------------------------------------------- https://msrc-blog.microsoft.com/2022/09/20/defense-in-depth-updates-for-azu… ∗∗∗ Exploiting a Seagate service to create a SYSTEM shell (CVE-2022-40286) ∗∗∗ --------------------------------------------- This post covers a slightly different topic than my usual content: application vulnerability discovery and exploit development. --------------------------------------------- https://www.x86matthew.com/view_post?id=windows_seagate_lpe ∗∗∗ Open Source Tool to Collect Volatile Data for Incident Response ∗∗∗ --------------------------------------------- Varc collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident. --------------------------------------------- https://github.com/cado-security/varc ∗∗∗ How we Abused Repository Webhooks to Access Internal CI Systems at Scale ∗∗∗ --------------------------------------------- As adoption of CI systems and processes becomes more prevalent, organizations opt for a CI/CD architecture which combines SaaS-based source control management systems (like GitHub or GitLab) with an internal, self-hosted CI solution (e.g. Jenkins, TeamCity). [...] To allow the webhook requests to access the internally-hosted CI system, the SaaS-based SCM vendors provide IP ranges from which their webhooks requests arrive, so these ranges can be allowed in the organization’s firewall. In this blog post, we’ll dive into the potential security pitfalls of this control, and explain why it provides organizations with a false sense of security. --------------------------------------------- https://www.cidersecurity.io/blog/research/how-we-abused-repository-webhook… ∗∗∗ Securing Developer Tools: OneDev Remote Code Execution ∗∗∗ --------------------------------------------- OneDev is a self-hosted Git server that comes with a lot of development-oriented features such as CI/CD, code search, and static analysis integration. With almost 10,000 stars on GitHub, it is gaining popularity and becoming an open-source and low-maintenance alternative to GitHub, GitLab, and Bitbucket. [...] In this article, we describe the vulnerabilities we found in OneDev that could be used by attackers to take over vulnerable instances. --------------------------------------------- https://blog.sonarsource.com/onedev-remote-code-execution/ ∗∗∗ Hundreds of eCommerce Domains Infected With Google Tag Manager-Based Skimmers ∗∗∗ --------------------------------------------- Security researchers with Recorded Future have identified a total of 569 ecommerce domains infected with skimmers, 314 of which have been infected with web skimmers leveraging Google Tag Manager (GTM) containers. --------------------------------------------- https://www.securityweek.com/hundreds-ecommerce-domains-infected-google-tag… ∗∗∗ Penetration testing is in the eye of the beholder ∗∗∗ --------------------------------------------- "Beauty is in the eye of the beholder." A famous phrase known to all indicates that our perceptions influence our definitions. The same can be said about penetration testing. Often when clients approach us for what they believe to be a penetration test, their definition and needs do not necessarily meet the accepted approach of those within the security field. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/penetration-testing… ∗∗∗ Authentication methods: choosing the right type ∗∗∗ --------------------------------------------- Recommended authentication models for organisations looking to move beyond passwords. --------------------------------------------- https://www.ncsc.gov.uk/guidance/authentication-methods-choosing-the-right-… ∗∗∗ Native function and Assembly Code Invocation ∗∗∗ --------------------------------------------- For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. While in some cases it is just possible to understand the function logic and reimplement it in a higher-level language, this is not always feasible, and [...] --------------------------------------------- https://research.checkpoint.com/2022/native-function-and-assembly-code-invo… ∗∗∗ Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware ∗∗∗ --------------------------------------------- Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnera… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libconfuse, moodle, rizin, and thunderbird), Oracle (ELS kernel, gnupg2, ruby, and webkit2gtk3), Red Hat (booth, dbus-broker, gnupg2, kernel, kernel-rt, kpatch-patch, mysql, nodejs, nodejs-nodemon, ruby, and webkit2gtk3), Slackware (expat and mozilla), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container and vsftpd), and Ubuntu (bind9, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-kvm, linux-lowlatency, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, lnux-hwe, inux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-hwe-5.15, linux-lowlatency-hwe-5.15, and mako). --------------------------------------------- https://lwn.net/Articles/908893/ ∗∗∗ Information Disclosure in VIDEOJET Decoder and Operator Client application in BVMS ∗∗∗ --------------------------------------------- BOSCH-SA-464066-BT: BVMS Operator Client application or the VIDEOJET Decoder VJD-7513 may receive an *unencrypted* live-stream from a camera which allows a man-in-the-middle attacker to compromise the confidential video streams. This happens only in combination with cameras of platform CPP13 or CPP14.x when encrypted UDP connection is configured. Please be aware that encrypted UDP connection is default setting («Secure Connection» setting) for all cameras added into BVMS. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-464066-bt.html ∗∗∗ [R1] Nessus Network Monitor 6.1.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- Nessus Network Monitor leverages third-party software to help provide underlying functionality. Several third-party components (OpenSSL and moment.js) were found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2022-19 ∗∗∗ Security Bulletin: Rational Performance Tester contains a vulnerability which could affect Eclipse Jetty. Rational Performance Tester has taken steps to mitigate this vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-performance-test… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to multiple Golang Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a PolicyKit vulnerability (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to authentication bypass (CVE-2022-40616) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing HTTP Strict-Transport-Security Header vulnerability (CVE-2021-39072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Microsoft Endpoint Configuration Manager: Schwachstelle ermöglicht Umgehen von Sicherheitseinstellungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1488 ∗∗∗ TIBCO Spotfire: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1487 ∗∗∗ Grafana: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1486 ∗∗∗ Hashicorp Vault: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1485 ∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1492 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2022
by Daily end-of-shift report 20 Sep '22

20 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 19-09-2022 18:00 − Dienstag 20-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches ∗∗∗ --------------------------------------------- Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favo… ∗∗∗ Handling WebAuthn over remote SSH connections ∗∗∗ --------------------------------------------- Being able to SSH into remote machines and do work there is great. Using hardware security tokens for 2FA is also great. But trying to use them both at the same time doesnt work super well, because if you hit a WebAuthn request on the remote machine it doesnt matter how much you mash your token - its not going to work. But could it? --------------------------------------------- https://mjg59.dreamwidth.org/61232.html ∗∗∗ LastPass source code breach – incident response report released ∗∗∗ --------------------------------------------- Wondering how youd handle a data breach report if the worst happened to you? Heres a useful example. --------------------------------------------- https://nakedsecurity.sophos.com/2022/09/19/lastpass-source-code-breach-inc… ∗∗∗ Chainsaw: Hunt, search, and extract event log records, (Mon, Sep 19th) ∗∗∗ --------------------------------------------- Chainsaw is a standalone tool that provides a simple and fast method to triage Windows event logs and identify interesting elements within the logs while applying detection logic (Sigma and Chainsaw) to detect malicious activity. --------------------------------------------- https://isc.sans.edu/diary/rss/29066 ∗∗∗ E-Mail von „GMX Sicherheit“ ist Fake ∗∗∗ --------------------------------------------- GMX-Nutzer:innen aufgepasst: Das E-Mail vom Absender „GMX Sicherheit“ ist nicht von GMX. Im betrügerischen E-Mail werden Sie aufgefordert, Ihre Kontoinformationen zu vervollständigen. Ansonsten wird angeblich Ihr Konto innerhalb von 24 Stunden gelöscht. Verschieben Sie das Mail in Ihren Spam-Ordner und klicken Sie nicht auf den Link! --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-von-gmx-sicherheit-ist-fake/ ∗∗∗ Security Risks in Logistics APIs Used by E-Commerce Platforms ∗∗∗ --------------------------------------------- Our research examines the security flaws that we found in the logistics API implementation of e-commerce platforms that can potentially expose the consumers’ personal information. We discuss the security risks that such flaws present for software engineers, e-commerce platform providers, and consumers. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/security-risks-in-logistics-… ===================== = Vulnerabilities = ===================== ∗∗∗ Most common SAP vulnerabilities attackers try to exploit ∗∗∗ --------------------------------------------- Unpatched vulnerabilities, common misconfigurations and hidden flaws in custom code continue to make enterprise SAP applications a target rich environment for attackers at a time when threats like ransomware and credential theft have emerged as major concerns for organizations. --------------------------------------------- https://www.csoonline.com/article/3674119/most-common-sap-vulnerabilities-a… ∗∗∗ Vulnerabilities Identified in EZVIZ Smart Cams ∗∗∗ --------------------------------------------- As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. --------------------------------------------- https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-ezviz-s… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dokuwiki and rizin), SUSE (libcontainers-common, permissions, sqlite3, and wireshark), and Ubuntu (tiff, vim, and xen). --------------------------------------------- https://lwn.net/Articles/908779/ ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen oder Dateien zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1475 ∗∗∗ Hitachi Energy PROMOD IV ICS Advisory (ICSA-22-263-01) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-01 ∗∗∗ Hitachi Energy AFF660/665 Series ICS Advisory (ICSA-22-263-02) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-02 ∗∗∗ Medtronic NGP 600 Series Insulin Pumps ICS Medical Advisory (ICSMA-22-263-01) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsma-22-263-01 ∗∗∗ Dataprobe iBoot-PDU ICS Advisory (ICSA-22-263-03) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-03 ∗∗∗ Host Engineering Communications Module ICS Advisory (ICSA-22-263-04) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-04 ∗∗∗ Security Bulletin: A security vulnerability in react-scripts affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Due to use of Apache Commons, IBM Cloud PAK for Watson AI Ops is vulnerable to remote code execution (CVE-2022-33980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-comm… ∗∗∗ Security Bulletin: A security vulnerability in Nodejs marked affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-provision-to-add-https-an… ∗∗∗ Security Bulletin: Vulnerabilities in libcurl affect IBM Spectrum Protect Plus SQL, File Indexing, and Windows Host agents ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-libcur… ∗∗∗ Security Bulletin: Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js dicer affects IBM Cloud Pak for Watson AIOps Infrastructure Automation Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.13.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-39/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-41/ ∗∗∗ Security Vulnerabilities fixed in Firefox 105 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-40/ ∗∗∗ Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-036/ ∗∗∗ JetBrains IntelliJ IDEA: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1474 ∗∗∗ Apache Kafka: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1473 ∗∗∗ Budibase: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1472 ∗∗∗ Spring Data REST Vulnerability (CVE-2022-31679) ∗∗∗ --------------------------------------------- https://spring.io/blog/2022/09/19/spring-data-rest-vulnerability-cve-2022-3… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2022
by Daily end-of-shift report 19 Sep '22

19 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-09-2022 18:00 − Montag 19-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Gratis-Entschlüsselungstool: Opfer von Ransomware LockerGoga können aufatmen ∗∗∗ --------------------------------------------- Wer sich den Erpressungstrojaner LockerGoga unter Windows eingefangen hat, kann seine Daten nun ohne Lösegeldzahlung entschlüsseln. --------------------------------------------- https://heise.de/-7268170 ∗∗∗ Umfrage zu Cyberattacken: Viele Unternehmen haben keinen Notfallplan ∗∗∗ --------------------------------------------- Cyberangriff auf ein Unternehmen - und nun? 46 Prozent der Unternehmen in Deutschland haben dafür keinen Plan, sagt eine Studie des Digitalverbands Bitkom. --------------------------------------------- https://heise.de/-7268938 ∗∗∗ Gold kaufen: Gold-Handel-sofort.de ist Fake ∗∗∗ --------------------------------------------- Sie überlegen sich, in Gold zu investieren und suchen nach einem passenden Anbieter? Vorsicht: Nicht jeder Gold-Händler ist seriös. Gold-Handel-sofort.de wirkt zwar professionell, ist aber Fake. Wenn Sie dort bestellen, erhalten Sie trotz Bezahlung keine Ware. Wir zeigen Ihnen, wie Sie einen Online-Shop für Gold überprüfen. --------------------------------------------- https://www.watchlist-internet.at/news/gold-kaufen-gold-handel-sofortde-ist… ∗∗∗ Chrome & Edge senden persönliche Daten (u.a. Passwörter) an Google bzw. Microsoft ∗∗∗ --------------------------------------------- Neue, und irgendwie unschöne, aber erwartbare Entdeckung, die ein Sicherheitsforscher die Tage öffentlich gemacht hat. Der Google Chrome-Browser, und auch der auf Chromium basierende Microsoft Edge-Browser, übermitteln persönliche Daten aus Formularen an Google bzw. Microsoft (beim Edge). --------------------------------------------- https://www.borncity.com/blog/2022/09/19/chrome-edge-senden-persnliche-date… ∗∗∗ Preventing ISO Malware , (Sun, Sep 18th) ∗∗∗ --------------------------------------------- In the last few weeks, Ive seen a significant uptick in systems infected with Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things. --------------------------------------------- https://isc.sans.edu/diary/rss/29062 ∗∗∗ Can reflections in eyeglasses actually leak info from Zoom calls? Heres a study into it ∗∗∗ --------------------------------------------- About time someone shone some light onto this Boffins at the University of Michigan in the US and Zhejiang University in China want to highlight how bespectacled video conferencing participants are inadvertently revealing sensitive on-screen information via reflections in their eyeglasses. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/09/17/glasses_refl… ∗∗∗ A Guide to Improving Security Through Infrastructure-as-Code ∗∗∗ --------------------------------------------- Modern organizations evolved and took the next step when they became digital. Organizations are using cloud and automation to build a dynamic infrastructure to support more frequent product release and faster innovation. This puts pressure on the IT department to do more and deliver faster. --------------------------------------------- https://research.nccgroup.com/2022/09/19/a-guide-to-improving-security-thro… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-15 and 2022-09-16 ∗∗∗ --------------------------------------------- IBM Spectrum Protect Plus, IBM Spectrum Copy Data Management, IBM Spectrum Plus Container Backup, Restore for Kubernetes, Red Hat OpenShift, IBM Spectrum Protect Operations Center, Client Management Service, IBM Spectrum Protect Server, IBM Security QRadar Network Threat Analytics, IBM Sterling Control Center, Rational Test Control Panel, Rational Test Workbench. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ High severity vulnerabilities found in Harbor open-source artifact registry ∗∗∗ --------------------------------------------- Oxeye security researchers have uncovered several new high severity variants of the IDOR (Insecure Director Object Reference) vulnerabilities (CVE-2022-31671, CVE-2022-31666, CVE-2022-31670, CVE-2022-31669, CVE-2022-31667) in CNCF-graduated project Harbor, the popular open-source artifact registry by VMware. --------------------------------------------- https://www.helpnetsecurity.com/2022/09/19/vulnerabilities-harbor-open-sour… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (connman and e17), Fedora (curl, open-vm-tools, pcs, and python-lxml), Mageia (curl, dpkg, freecad, gimp, libtar, libtiff, mediawiki, ostree, python-lxml, schroot, SDL12, sdl2, wireshark, and zlib), Oracle (kernel and php:7.4), Red Hat (php:7.4), Slackware (vim), SUSE (chromium, kernel, libarchive, libtirpc, mupdf, python-rsa, ruby2.5, and virtualbox), and Ubuntu (linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/908627/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0009 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2022-32886, CVE-2022-32891,CVE-2022-32912. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0009.html ∗∗∗ Lexmark Firmware-Update schließt Schwachstelle und korrigiert Windows-Druckerproblem ∗∗∗ --------------------------------------------- Gute Nachrichten für Besitzer von Lexmark-Druckern. Der Hersteller hat endlich die Firmware-Updates für diverse Modelle bereitgestellt. Diese sollen einerseits eine Schwachstelle in mehr als Hundert Lexmark-Druckermodellen beseitigen, vor der Lexmark bereits im Juni 2022 gewarnt hat [...] --------------------------------------------- https://www.borncity.com/blog/2022/09/19/lexmark-firmware-update-schliet-sc… ∗∗∗ Netgear Routers impacted by FunJSQ Game Acceleration Module flaw ∗∗∗ --------------------------------------------- https://securityaffairs.co/wordpress/135887/security/netgear-game-accelerat… ∗∗∗ Mattermost: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1455 ∗∗∗ Kubernetes: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1458 ∗∗∗ WithSecure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1464 ∗∗∗ Dell NetWorker: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1460 ∗∗∗ HPE Integrated Lights-Out: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1459 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2022
by Daily end-of-shift report 16 Sep '22

16 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-09-2022 18:00 − Freitag 16-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücke in WordPress-Plug-in WPGateway macht Angreifer zu Admins ∗∗∗ --------------------------------------------- Angreifer attackieren WordPress-Websites mit WPGateway. Sicherheitsupdates sind noch nicht verfügbar. --------------------------------------------- https://heise.de/-7265906 ∗∗∗ Update für Exchange Extended Protection-Script, aber weiterhin Fehler ∗∗∗ --------------------------------------------- Mit den Sicherheitsupdates vom August 2022 für Microsoft Exchange (On-Premises-Lösung) ist es erforderlich, Extended Protection (EP) zu aktivieren, um alle Schwachstellen zu schließen. Die Aktivierung erfolgt per Script, welches Microsoft bereitgestellt hat – was aber zu Problemen führte. --------------------------------------------- https://www.borncity.com/blog/2022/09/16/update-fr-exchange-extended-protec… ∗∗∗ PS2 Emulator: Exploit in PS4 und PS5 soll nicht behebbar sein ∗∗∗ --------------------------------------------- Eine Lücke im integrierten PS2-Emulator der Playstation 4 und 5 soll sich "grundsätzlich" nicht beheben lassen. Das reicht, um Code auszuführen. --------------------------------------------- https://www.golem.de/news/ps2-emulator-exploit-in-ps4-und-ps5-soll-nicht-be… ∗∗∗ Bitdefender releases free decryptor for LockerGoga ransomware ∗∗∗ --------------------------------------------- Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-de… ∗∗∗ Microsoft Edge’s News Feed ads abused for tech support scams ∗∗∗ --------------------------------------------- An ongoing malvertising campaign is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-edge-s-news-feed-a… ∗∗∗ Water Tank Management System Used Worldwide Has Unpatched Security Hole ∗∗∗ --------------------------------------------- A water tank management system used by organizations worldwide is affected by a critical vulnerability that can be exploited remotely and the vendor does not appear to want to patch it.read more --------------------------------------------- https://www.securityweek.com/water-tank-management-system-used-worldwide-ha… ∗∗∗ Word Maldoc With CustomXML and Renamed VBAProject.bin, (Fri, Sep 16th) ∗∗∗ --------------------------------------------- Friend and colleague 0xThiebaut just gave me a heads up for this interesting sample: 2056b52f8c2f62e222107e6fb6ca82708cdae73a91671d40e61aef8698e3e139 --------------------------------------------- https://isc.sans.edu/diary/rss/29056 ∗∗∗ Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies ∗∗∗ --------------------------------------------- Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware. --------------------------------------------- https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bzip2, chromium, glib2.0, libraw, mariadb-10.3, and mod-wsgi), Fedora (kdiskmark, wordpress, and zlib), Oracle (.NET 6.0, .NET Core 3.1, mariadb:10.3, nodejs:14, nodejs:16, ruby:2.7, and ruby:3.0), Red Hat (.NET 6.0, php:7.4, and webkit2gtk3), SUSE (389-ds, flatpak, kernel, libgit2, and thunderbird), and Ubuntu (sqlite3, vim, and wayland). --------------------------------------------- https://lwn.net/Articles/908297/ ∗∗∗ Synology-SA-22:15 GLPI ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers or remote authenticated users to obtain sensitive information, inject arbitrary web script or HTML or inject SQL command via a susceptible version of GLPI. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_15 ∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/15/cisa-adds-six-kno… ∗∗∗ Achtung: Backdoor in TechLogix Networx Power Delivery-Unit, vom Internet isolieren und patchen ∗∗∗ --------------------------------------------- In Stromversorgungskomponenten (Power Delivery-Units) des US-Herstellers TechLogix Networx gibt es eine gravierende Schwachstelle in deren Firmware. Die Firmware nimmt in älteren Versionen (vor Version 2.0.2a) keine Authentifizierung vor, d.h. man kann über Netzwerk die Power Delivery-Unit abschalten. --------------------------------------------- https://www.borncity.com/blog/2022/09/16/achtung-backdoor-in-techlogix-netw… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX container is vulnerable to obtain sensitive information due to OpenSSL (CVE-2022-2097) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to Denial of Service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Dell BSAFE: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1452 ∗∗∗ xpdf: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1451 ∗∗∗ NGINX: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1450 ∗∗∗ Nextcloud: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1449 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2022
by Daily end-of-shift report 15 Sep '22

15 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-09-2022 18:00 − Donnerstag 15-09-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Gesetzentwurf: EU-Kommission will Sicherheitsupdates vorschreiben ∗∗∗ --------------------------------------------- Mit einem Entwurf für ein Cyberresilienzgesetz möchte die EU-Kommission für mehr IT-Sicherheit sorgen. --------------------------------------------- https://www.golem.de/news/gesetzentwurf-eu-kommission-will-sicherheitsupdat… ∗∗∗ Self-spreading stealer attacks gamers via YouTube ∗∗∗ --------------------------------------------- A malicious bundle containing the RedLine stealer and a miner is distributed on YouTube through cheats and cracks ads for popular games. --------------------------------------------- https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/10… ∗∗∗ Supply-Chain-Attacke: Trojaner in FishPig-Software bedroht Onlineshops ∗∗∗ --------------------------------------------- Derzeit platzieren Angreifer Hintertüren über kompromittierte Shop-Software unter anderem auf WordPress-Websites. --------------------------------------------- https://heise.de/-7265052 ∗∗∗ SideWalk Backdoor mit neuer Linux‑Variante ∗∗∗ --------------------------------------------- ESET-Forscher haben ein weiteres Tool im bereits umfangreichen Arsenal der SparklingGoblin APT-Gruppe entdeckt: eine Linux-Variante der SideWalk-Backdoor. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/09/14/sidewalk-backdoor-mit-neu… ∗∗∗ Vorsicht vor Bitcoin-Scams auf Discord ∗∗∗ --------------------------------------------- Es scheint verlockend – reich werden nur mit ein paar Klicks. Kriminelle verwenden Schlagwörter wie Bitcoin“ oder „Crypto", um immer mehr Menschen abzuzocken. In einer Nachricht auf Discord wird behauptet, Sie hätten Bitcoin gewonnen? Finger weg, bei diesem Scam verlieren Sie Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-bitcoin-scams-auf-disco… ∗∗∗ Change in Magniber Ransomware (*.cpl → *.jse) – September 8th ∗∗∗ --------------------------------------------- After Magniber changed its method of distribution from an MSI format to a CPL format on July 20th, it has been monitored to show decreased distribution activity as of mid-August. --------------------------------------------- https://asec.ahnlab.com/en/38808/ ===================== = Vulnerabilities = ===================== ∗∗∗ Schwerwiegende Sicherheitslücke in Microsoft Teams entdeckt ∗∗∗ --------------------------------------------- Angreifer*innen könnten die Login-Daten der Desktop-App stehlen, auch bei aktiver Multifaktor-Authentifizierung. --------------------------------------------- https://futurezone.at/digital-life/schwere-sicherheitsluecke-microsoft-team… ∗∗∗ IBM Security Bulletins 2022-09-14 ∗∗∗ --------------------------------------------- FileNet Content Manager, IBM Call Center, IBM Cloud PAK for Watson AI Ops, IBM SDK (Java Technology Edition), IBM Semeru Runtime, IBM Sterling Connect, IBM Sterling Control Center, IBM Sterling Order Management, IBM Tivoli Application Dependency Discovery Manager, Transaction Processing Facility --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ ZDI: (0Day) Vulnerabilities (RCE) in NIKON NIS-Elements Viewer ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-22-1211/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1212/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1213/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1214/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1215/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1216/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1217/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1218/ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-22-1219/ ∗∗∗ Sicherheitsupdates: BIOS-Lücken gefährden unzählige Lenovo-PCs ∗∗∗ --------------------------------------------- Lenovo hat BIOS-Updates für praktisch sein gesamtes PC-Modell-Portfolio bereitgestellt. Unter anderem werden Schadcode-Lücken geschlossen. --------------------------------------------- https://heise.de/-7264659 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nova, pcs, and rails), Fedora (firejail, moby-engine, and pspp), Oracle (.NET 6.0, gnupg2, kernel, python3, and rsyslog rsyslog7), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (kernel), and Ubuntu (intel-microcode, poppler, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/908137/ ∗∗∗ ZDI-22-1210: (0Day) Ansys SpaceClaim X_T File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1210/ ∗∗∗ Cisco IOS XR Software Broadband Network Gateway PPP over Ethernet Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XR Software Cisco Discovery Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Network Convergence System 4000 Series TL1 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ (Non-US) DIR-2150 :: Rev Rx :: FW v4.0.1 :: Multiple Vulnerabiltiies ∗∗∗ --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ ffmpeg: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1433 ∗∗∗ Google Chrome und Microsoft Edge: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1432 ∗∗∗ ImageMagick: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1431 ∗∗∗ genua genugate: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1438 ∗∗∗ Denial of Service in Printanista Hub / Printscout (SYSS-2022-042) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/codeausfuehrung-ueber-unsicheren-diagnosed… ∗∗∗ PAN-SA-2022-0005 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0005 ∗∗∗ PAN-SA-2022-0004 Informational: Cortex XDR Agent: Allow List is Visible to Low Privileged Users (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0004 ∗∗∗ CVE-2022-0029 Cortex XDR Agent: Improper Link Resolution Vulnerability When Generating a Tech Support File (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0029 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily