=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 24-11-2022 18:00 − Freitag 25-11-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Docker Hub repositories hide over 1,650 malicious containers ∗∗∗
---------------------------------------------
Over 1,600 publicly available Docker Hub images hide malicious behavior, including cryptocurrency miners, embedded secrets that can be used as backdoors, DNS hijackers, and website redirectors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/docker-hub-repositories-hide…
∗∗∗ Redacted Documents Are Not as Secure as You Think ∗∗∗
---------------------------------------------
Popular redaction tools don’t always work as promised, and new attacks can reveal hidden information, researchers say.
---------------------------------------------
https://www.wired.com/story/redact-pdf-online-privacy/
∗∗∗ Alte Social-Media-Konten löschen: Sicherheit durch weniger eigener Daten im Netz ∗∗∗
---------------------------------------------
Ungenutzte Social-Media-Accounts beinhalten persönliche Daten und bergen Sicherheitsrisiken. Unser Ratgeber zeigt, wie Sie veraltete Konten finden und löschen.
---------------------------------------------
https://heise.de/-7321954
∗∗∗ UEFI-BIOS mit bekannt unsicherem Code gespickt ∗∗∗
---------------------------------------------
In einem BIOS-Update fanden Experten mehrere OpenSSL-Versionen, teils mit uralten Sicherheitslücken. Das wirft ein Schlaglicht auf Risiken von PC-Firmware.
---------------------------------------------
https://heise.de/-7351884
∗∗∗ Word Documents Disguised as Normal MS Office URLs Being Distributed ∗∗∗
---------------------------------------------
Recently, there has been a case of malware disguised as a Word document being distributed through certain paths (e.g. KakaoTalk group chats). The ASEC analysis team has discovered during our additional monitoring process that the URL used in the fake Word document is becoming very cleverly disguised to closely resemble the normal URL, and we wish to advise caution on the part of users.
---------------------------------------------
https://asec.ahnlab.com/en/42554/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox), Mageia (dropbear, freerdp, java, libx11, and tumbler), Slackware (ruby), SUSE (erlang, grub2, libdb-4_8, and tomcat), and Ubuntu (exim4, jbigkit, and tiff).
---------------------------------------------
https://lwn.net/Articles/915984/
∗∗∗ Chrome 107.0.5304.121/122 Sicherheitsupdates ∗∗∗
---------------------------------------------
Google hat zum 24. November 2022 einen Schwung an Sicherheitsupdates des Google Chrome im 107er Zweig im Stable Channel für Mac, Linux und Windows sowie für Android freigegeben. Es werden dabei bereits ausgenutzte Schwachstellen geschlossen.
---------------------------------------------
https://www.borncity.com/blog/2022/11/25/chrome-107-0-5304-121-122-sicherhe…
∗∗∗ Canon: Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers (CVE-2022-43608) – 25 November 2022 ∗∗∗
---------------------------------------------
Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. A list of affected models is given below.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2021-28167) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2021-41041) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 23-11-2022 18:00 − Donnerstag 24-11-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Investigating a backdoored PyPi package targeting FastAPI applications ∗∗∗
---------------------------------------------
On November 23rd, 2022, the Datadog Security Labs team identified a utility Python package on PyPI related to FastAPI, fastapi-toolkit, that has likely been compromised by a malicious actor.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/malicious-pypi-package-fastapi-…
∗∗∗ THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies ∗∗∗
---------------------------------------------
In this threat alert, the Cybereason team describes one attack scenario that started from a QBot infection, resulting in multiple key machines loading Cobalt Strike, which finally led to the global deployment of Black Basta ransomware.
---------------------------------------------
https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and…
∗∗∗ MSI Afterburner: Vorsicht vor Fake-Software mit Trojaner im Gepäck ∗∗∗
---------------------------------------------
Immer wieder versuchen Kriminelle Opfern Schadcode unter dem Deckmantel von legitimen Tools, wie aktuell dem GPU-Tool MSI Afterburner, unterzuschieben.
---------------------------------------------
https://heise.de/-7351380
∗∗∗ In eine Phishing-Falle getappt? Das können Sie tun: ∗∗∗
---------------------------------------------
Wurden Sie über ein betrügerisches E-Mail oder SMS auf eine gefälschte Login-Seiten gelockt? Haben Sie dort Ihre Daten eingetippt? Dann haben Kriminelle Zugriff auf Ihr Konto. Wir zeigen Ihnen, was Sie tun können, wenn Sie Ihre Benutzerdaten preisgegeben haben.
---------------------------------------------
https://www.watchlist-internet.at/news/in-eine-phishing-falle-getappt-das-k…
∗∗∗ Neue Betrugsmasche: Kriminelle stehlen Kreditkartendaten und hinterlegen sie für Apple Pay ∗∗∗
---------------------------------------------
Kriminelle erschleichen sich mit Phishing-Nachrichten per SMS oder E-Mail Kreditkartendaten und hinterlegen diese für Apple Pay. Betroffene werden dann unter falschen Vorwänden verleitet, den Aktivierungscode für Apple Pay an die Kriminellen weiterzugeben.
---------------------------------------------
https://www.watchlist-internet.at/news/neue-betrugsmasche-kriminelle-stehle…
∗∗∗ Bahamut cybermercenary group targets Android users with fake VPN apps ∗∗∗
---------------------------------------------
Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram.
---------------------------------------------
https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targ…
∗∗∗ IBM: RansomExx becomes latest ransomware group to create Rust variant ∗∗∗
---------------------------------------------
The RansomExx ransomware group has become the latest gang to create a variant in the Rust programming language, according to IBM Security X-Force Threat researchers.
---------------------------------------------
https://therecord.media/ibm-ransomexx-becomes-latest-ransomware-group-to-cr…
=====================
= Vulnerabilities =
=====================
∗∗∗ TP-Link RE300 V1 tdpServer vulnerable to improper processing of its input ∗∗∗
---------------------------------------------
tdpServer of TP-Link RE300 V1 improperly processes its input, possibly resulting to crash.
---------------------------------------------
https://jvn.jp/en/jp/JVN29657972/
∗∗∗ Security update available in Foxit PDF Editor for Mac 11.1.4 ∗∗∗
---------------------------------------------
Foxit has released Foxit PDF Editor for Mac 11.1.4, which addresses potential security and stability issues.
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html
∗∗∗ SolarWinds Security Advisories 2022-11-22 ∗∗∗
---------------------------------------------
SolarWinds published 7 Security Advisories (3 High, 1 Medium, 3 Low Severity).
---------------------------------------------
https://www.solarwinds.com/trust-center/security-advisories
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (vim), Fedora (drupal7-context, drupal7-link, firefox, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (container-tools:ol8, device-mapper-multipath, dotnet7.0, firefox, hsqldb, keylime, podman, python3.9, python39:3.9, thunderbird, and xorg-x11-server), SUSE (exiv2-0_26, keylime, libarchive, net-snmp, nginx, opensc, pixman, python-joblib, strongswan, and webkit2gtk3), and Ubuntu (expat, imagemagick, mariadb-10.3, mariadb-10.6, [...]
---------------------------------------------
https://lwn.net/Articles/915929/
∗∗∗ Security Bulletin: IBM Sterling Control Center vulnerable to multiple issues to due IBM Cognos Analystics (CVE-2022-4160, CVE-2021-3733) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent…
∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service due to Websphere Liberty (CVE-2022-24839) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent…
∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to HTTP header injection due to Websphere Liberty (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affects Cloud Pak System [CVE-2021-28167] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to unauthenticated data manipulation due to Java SE (CVE-2021-2163) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent…
∗∗∗ Security Bulletin: For IBM Cloudpak for Watson AIOPS 3.5.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-for-ibm-cloudpak-for-wats…
∗∗∗ Security Bulletin: Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-mari…
∗∗∗ Pilz: PAS 4000 prone to ZipSlip ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-045/
∗∗∗ Pilz: Multiple products affected by ZipSlip ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-044/
∗∗∗ Pilz: PASvisu and PMI affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-033/
∗∗∗ 2022-18Multiple vulnerabilities in BAT-C2 ∗∗∗
---------------------------------------------
https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15087-sour…
∗∗∗ 2022-21Authenticated Command Injection in Hirschmann BAT-C2 ∗∗∗
---------------------------------------------
https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-sour…
∗∗∗ 2022-20TinyXML vulnerability in Hirschmann HiLCOS products ∗∗∗
---------------------------------------------
https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15089-sour…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 22-11-2022 18:00 − Mittwoch 23-11-2022 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Backdoored Chrome extension installed by 200,000 Roblox players ∗∗∗
---------------------------------------------
Chrome browser extension SearchBlox installed by more than 200,000 users has been discovered to contain a backdoor that can steal your Roblox credentials as well as your assets on Rolimons, a Roblox trading platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/backdoored-chrome-extension-…
∗∗∗ Ducktail Malware Operation Evolves with New Malicious Capabilities ∗∗∗
---------------------------------------------
The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign."The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victims Facebook account," ...
---------------------------------------------
https://thehackernews.com/2022/11/ducktail-malware-operation-evolves-with.h…
∗∗∗ Mind the Gap ∗∗∗
---------------------------------------------
Note: The vulnerabilities discussed in this blog post (CVE-2022-33917) are fixed by the upstream vendor, but at the time of publication, these fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo and others). Devices with a Mali GPU are currently vulnerable.
---------------------------------------------
https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html
∗∗∗ Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice ∗∗∗
---------------------------------------------
In September 2022, Proofpoint researchers identified initial delivery of a penetration testing framework called Nighthawk. Launched in late 2021 by MDSec, Nighthawk is similar to other frameworks such as Brute Ratel and Cobalt Strike and, like those, could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pent…
∗∗∗ Kritische Infrastruktur: EU-Richtlinie nimmt Betreiber in die Pflicht ∗∗∗
---------------------------------------------
Das EU-Parlament hat eine Richtlinie zur Resilienz kritischer Einrichtungen beschlossen. Sie gilt für elf Branchen. Manche Betreiber sind besonders wichtig.
---------------------------------------------
https://heise.de/-7349574
∗∗∗ Google will Missbrauch des Pentesting-Tools Cobalt Strike eindämmen ∗∗∗
---------------------------------------------
Damit Admins Netzwerk-Attacken durch Cobalt-Strike-Missbrauch besser erkennen können, hat Google unter anderem Erkennungsregeln auf Yara-Basis veröffentlicht.
---------------------------------------------
https://heise.de/-7349813
∗∗∗ Standard für maschinenlesbare Sicherheitshinweise verabschiedet ∗∗∗
---------------------------------------------
Das Common Security Advisory Framework soll Administratoren die Arbeit erleichtern und aktuelle Sicherheitsinformationen leichter auffindbar machen.
---------------------------------------------
https://heise.de/-7350491
∗∗∗ Angriffe auf Boa Web Server gefährden IoT ∗∗∗
---------------------------------------------
Anfällige SDK-Komponenten führen zu Lieferkettenrisiken in IoT- und OT-Umgebungen, insbesondere durch den veralteten Boa Web Server, warnt Microsoft Security Threat Intelligence (MSTI).
---------------------------------------------
https://www.zdnet.de/88405186/angriffe-auf-boa-web-server-gefaehrden-iot/
∗∗∗ Web Application Firewalls umgehen ∗∗∗
---------------------------------------------
Web Application Firewalls (WAFs) sind beliebte Infrastrukturkomponenten, die verwendet werden, um Angriffe auf Webanwendungen zu erschweren. Was bieten WAFs wirklich? Können sie auch nur theoretisch perfekt sein, um jede Art von Webangriff zu verhindern? Lassen Sie uns WAFs entmystifizieren!
---------------------------------------------
https://certitude.consulting/blog/de/web-application-firewalls-umgehen/
∗∗∗ CVE-2022-23088: Exploiting a Heap Overflow in the FreeBSD Wi-Fi Stack ∗∗∗
---------------------------------------------
In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of FreeBSD Kernel. [..] The researcher has graciously provided this detailed write-up of the vulnerability and a proof-of-concept exploit demonstrating the bug.
---------------------------------------------
https://www.thezdi.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-over…
∗∗∗ CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched SQL injection vulnerability in Zoho ManageEngine products.
---------------------------------------------
https://www.thezdi.com/blog/2022/11/22/cve-2022-40300-sql-injection-in-mana…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-11-22 ∗∗∗
---------------------------------------------
IBM Operations Analytics, IBM QRadar, IBM SDK, IBM Sterling Connect, Rational Service Tester, Rational Performance Tester, IBM HTTP Server, IBM Security Verify Governance, IBM InfoSphere DataStage, IBM Cloud Pak for Security
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Sicherheitslücke in HPE-Switches OfficeConnect gefährdet Netzwerke ∗∗∗
---------------------------------------------
Angreifer könnten Switches von Hewlett Packard Enterprise attackieren. Sicherheitsupdates stehen zum Download bereit.
---------------------------------------------
https://heise.de/-7350116
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (heimdal, libarchive, and nginx), Fedora (varnish-modules and xterm), Red Hat (firefox), Scientific Linux (firefox, hsqldb, and thunderbird), SUSE (Botan, colord, containerized-data-importer, ffmpeg-4, java-1_8_0-ibm, krb5, nginx, redis, strongswan, tomcat, and xtrabackup), and Ubuntu (apr-util, freerdp2, and sysstat).
---------------------------------------------
https://lwn.net/Articles/915802/
∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
Original release date: November 22, 2022CISA has released eight (8) Industrial Control Systems (ICS) advisories on 22 November 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-22-326-01 AVEVA Edge
- ICSA-22-326-02 Digital Alert Systems DASDEC
- ICSA-22-326-03 Phoenix Contact Automation Worx
- ICSA-22-326-04 GE Cimplicity
- ICSA-22-326-05 Moxa Multiple ARM-Based Computers
- ICSMA-21-152-01 Hillrom Medical Device Management (Update C)
- ICSA-20-212-04 Mitsubishi Electric Factory Automation Engineering Products (Update I)
- ICSA-21-049-02 Mitsubishi Electric FA Engineering Software Products (Update G)
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/11/22/cisa-releases-eig…
∗∗∗ WordPress BeTheme 26.5.1.4 PHP Object Injection ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022110040
∗∗∗ Security Advisory - Improper Input Validation Vulnerability in a Huawei Childrens Watch ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-iivviahcw…
∗∗∗ Security Advisory - Insufficient Authentication Vulnerability in some Huawei Band Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20221130-…
∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-247053-bt.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 21-11-2022 18:00 − Dienstag 22-11-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Google Chrome extension used to steal cryptocurrency, passwords ∗∗∗
---------------------------------------------
An information-stealing Google Chrome browser extension named VenomSoftX is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-chrome-extension-used…
∗∗∗ Android file manager apps infect thousands with Sharkbot malware ∗∗∗
---------------------------------------------
A new collection of malicious Android apps posing as harmless file managers had infiltrated the official Google Play app store, infecting users with the Sharkbot banking trojan.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-file-manager-apps-in…
∗∗∗ ICS cyberthreats in 2023 – what to expect ∗∗∗
---------------------------------------------
The coming year looks to be much more complicated. In the post we share some of our thoughts on potential developments of 2023, though we cannot claim to be providing either a complete picture or a high degree of precision.
---------------------------------------------
https://securelist.com/ics-cyberthreats-in-2023/108011/
∗∗∗ Crimeware and financial cyberthreats in 2023 ∗∗∗
---------------------------------------------
This report assesses how accurately we predicted the developments in the financial threats landscape in 2022 and ponder at what to expect in 2023.
---------------------------------------------
https://securelist.com/crimeware-financial-cyberthreats-2023/108005/
∗∗∗ Log4Shell campaigns are using Nashorn to get reverse shell on victims machines, (Mon, Nov 21st) ∗∗∗
---------------------------------------------
Almost one year later, Log4Shell attacks are still alive and making victims.
---------------------------------------------
https://isc.sans.edu/diary/rss/29266
∗∗∗ Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware ∗∗∗
---------------------------------------------
A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of campaigns designed to steal sensitive information from compromised hosts.
---------------------------------------------
https://thehackernews.com/2022/11/researchers-warn-of-cyber-criminals.html
∗∗∗ Werbung für beheizbare Jacken auf TikTok ∗∗∗
---------------------------------------------
Haben Sie beim Durchscrollen von TikTok Werbung für eine beheizbare Jacke gesehen? Dann sind Sie wohl über die Marke „Mont Gerrard“ gestolpert. Die Jacken dürften bei TikTok-Nutzer:innen sehr beliebt sein, denn es gibt bereits Fake-Shops, die die Jacken zu einem günstigeren Preis anbieten und auf TikTok und Instagram bewerben.
---------------------------------------------
https://www.watchlist-internet.at/news/werbung-fuer-beheizbare-jacken-auf-t…
∗∗∗ Vulnerability Spotlight: Callback Technologies CBFS Filter denial-of-service vulnerabilities ∗∗∗
---------------------------------------------
Cisco Talos recently discovered three denial-of-service vulnerabilities in Callback Technologies CBFS Filter.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-callback-technol…
∗∗∗ What is EPSS? A new rating system for vulnerabilities to replace CVSS. ∗∗∗
---------------------------------------------
LunaSec Security Researchers give a quick look at the EPSS scoring system, a new rating system for vulnerabilities that aims to replace CVSS.
---------------------------------------------
https://www.lunasec.io/docs/blog/what-is-epss
=====================
= Vulnerabilities =
=====================
∗∗∗ Attacken auf Backuplösung IBM Spectrum Protect Plus Container Backup möglich ∗∗∗
---------------------------------------------
Sicherheitslücken in der Programmiersprache Golang Go bedrohen IBM-Software. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-7348556
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ntfs-3g), Fedora (krb5 and samba), Gentoo (firefox-bin, ghostscript-gpl, pillow, sudo, sysstat, thunderbird-bin, and xterm), Red Hat (firefox, hsqldb, and thunderbird), SUSE (cni, cni-plugins, and krb5), and Ubuntu (isc-dhcp and sqlite3).
---------------------------------------------
https://lwn.net/Articles/915708/
∗∗∗ BMC Firmware Vulnerabilities Expose OT, IoT Devices to Remote Attacks ∗∗∗
---------------------------------------------
Researchers at industrial cybersecurity firm Nozomi Networks have discovered more than a dozen vulnerabilities in baseboard management controller (BMC) firmware.
---------------------------------------------
https://www.securityweek.com/bmc-firmware-vulnerabilities-expose-ot-iot-dev…
∗∗∗ ZDI-22-1615: TP-Link TL-WR940N httpd Incorrect Implementation of Authentication Algorithm Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1615/
∗∗∗ ZDI-22-1614: TP-Link TL-WR940N httpd Use of Insufficiently Random Values Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1614/
∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to use of dom4j (CVE-2018-1000632) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover…
∗∗∗ Security Bulletin: Potential Vulnerability in Apache HttpClient used by Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2020-13956) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i…
∗∗∗ Security Bulletin: Vulnerability from Apache Kafka affect IBM Operations Analytics – Log Analysis (CVE-2018-17196) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache…
∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis susceptible to vulnerability in Apache Tika (CVE-2022-25169) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
∗∗∗ Security Bulletin: Vulnerabilities in SnakeYAML used by Logstash affects IBM Operations Analytics – Log Analysis (CVE-2022-25857, CVE-2017-18640) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-snakey…
∗∗∗ Security Bulletin: IBM DataPower Gateway does not invalidate active sessions on a password change (CVE-2022-40228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-doe…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM DataPower Gateway potentially vulnerable to HTTP request smuggling ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-pot…
∗∗∗ Security Bulletin: Vulnerability in Bouncy Castle used by Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2017-13098) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bouncy-c…
∗∗∗ Vulnerability Summary for the Week of November 14, 2022 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/bulletins/sb22-325
∗∗∗ Advisory: Impact of Vulnerability in WIBU CodeMeter Runtime to B&R Products ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16677451…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 18-11-2022 18:00 − Montag 21-11-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New AxLocker ransomware encrypts files, then steals your Discord account ∗∗∗
---------------------------------------------
The new AXLocker ransomware family is not only encrypting victims files and demanding a ransom payment but also stealing the Discord accounts of infected users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-axlocker-ransomware-encr…
∗∗∗ Apps with over 3 million installs leak Admin search API keys ∗∗∗
---------------------------------------------
Researchers discovered 1,550 mobile apps leaking Algolia API keys, risking the exposure of sensitive internal services and stored user information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apps-with-over-3-million-ins…
∗∗∗ Google releases 165 YARA rules to detect Cobalt Strike attacks ∗∗∗
---------------------------------------------
The Google Cloud Threat Intelligence team has open-sourced YARA Rules and a VirusTotal Collection of indicators of compromise (IOCs) to help defenders detect Cobalt Strike components in their networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-releases-165-yara-rul…
∗∗∗ McAfee Fake Antivirus Phishing Campaign is Back!, (Sat, Nov 19th) ∗∗∗
---------------------------------------------
Yesterday I received this email that my McAfee antivirus subscription is expired and that my computer is already infected with 5 viruses (how do they know?).
---------------------------------------------
https://isc.sans.edu/diary/rss/29264
∗∗∗ Vulnerable Code Snippets ∗∗∗
---------------------------------------------
YesWeHack present code snippets containing several different vulnerabilities to practice your code analysis. The code snippets are beginner friendly but suitable for all levels!
---------------------------------------------
https://github.com/yeswehack/vulnerable-code-snippets
∗∗∗ A Confused Deputy Vulnerability in AWS AppSync ∗∗∗
---------------------------------------------
We have identified a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync. This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/appsync-vulnerability-disclosur…
∗∗∗ 5 free resources from the Cybersecurity and Infrastructure Security Agency (CISA) ∗∗∗
---------------------------------------------
To assist businesses in enhancing their security capabilities, CISA offers free cybersecurity products and services.
---------------------------------------------
https://www.helpnetsecurity.com/2022/11/21/5-free-resources-cybersecurity-a…
∗∗∗ Gefälschtes SMS von Netflix droht mit Kontosperrung ∗∗∗
---------------------------------------------
Aktuell macht ein Netflix-SMS die Runde. Darin steht, dass Sie eine Rechnung nicht bezahlt haben. Daher droht man Ihnen mit einer Kontosperrung. Im SMS befindet sich auch ein Link. Klicken Sie nicht auf den Link, Kriminelle stehlen Ihre Netflix-Zugangsdaten.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-sms-von-netflix-droht-m…
∗∗∗ An AI Based Solution to Detecting the DoubleZero .NET Wiper ∗∗∗
---------------------------------------------
Unit 42 presents a machine learning model to predict maliciousness of .NET samples based on file structures, by analyzing the DoubleZero .NET wiper.
---------------------------------------------
https://unit42.paloaltonetworks.com/doublezero-net-wiper/
∗∗∗ Reputationsverlust durch Cyberangriffe ∗∗∗
---------------------------------------------
Die am meisten befürchteten Schäden durch Cyberangriffe sind finanzielle Schäden sowie Verlust von Reputation und Kundenvertrauen. Bei der Umsetzung von Cybersicherheitsmaßnahmen stehen jedoch Schutz von Geschäftskontinuität, Daten und Kunden im Vordergrund.
---------------------------------------------
https://www.zdnet.de/88405082/reputationsverlust-durch-cyberangriffe/
∗∗∗ Luna Moth: Erfolg mit Callback-Phishing ∗∗∗
---------------------------------------------
Die Luna Moth/Silent Ransom Kriminellen erbeuteten durch Callback-Phishing Hunderttausende von Euro, wie eine Analyse von Palo Alto Networks aufdeckt.
---------------------------------------------
https://www.zdnet.de/88405109/luna-moth-erfolg-mit-callback-phishing/
=====================
= Vulnerabilities =
=====================
∗∗∗ Exploit released for actively abused ProxyNotShell Exchange bug ∗∗∗
---------------------------------------------
Proof-of-concept exploit code has been released online for two actively exploited and high-severity vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-activel…
∗∗∗ New attacks use Windows security bypass zero-day to drop malware ∗∗∗
---------------------------------------------
New phishing attacks use a Windows zero-day vulnerability to drop the Qbot malware without displaying Mark of the Web security warnings.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-secu…
∗∗∗ IBM Security Bulletins 2022-11-18 ∗∗∗
---------------------------------------------
Power HMC, InfoSphere Information Server, IBM Operations Analytics, IBM i Access Client Solutions, IBM DataPower Gateway, IBM Tivoli, IBM Spectrum Protect Plus
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (graphicsmagick and krb5), Fedora (dotnet6.0, js-jquery-ui, kubernetes, and xterm), Gentoo (php and postgresql), Mageia (php-pear-CAS, sysstat, varnish, vim, and x11-server), Red Hat (thunderbird), SUSE (389-ds, binutils, dpkg, firefox, frr, grub2, java-11-openjdk, java-17-openjdk, kernel, kubevirt stack, libpano, nodejs16, openjpeg, php7, php74, pixman, python-Twisted, python39, rubygem-loofah, sccache, sudo, thunderbird, tor, and tumbler), [...]
---------------------------------------------
https://lwn.net/Articles/915623/
∗∗∗ PoC Code Published for High-Severity macOS Sandbox Escape Vulnerability ∗∗∗
---------------------------------------------
A security researcher has published details and proof-of-concept (PoC) code for a macOS vulnerability that could be exploited to escape a sandbox and execute code within Terminal.
---------------------------------------------
https://www.securityweek.com/poc-code-published-high-severity-macos-sandbox…
∗∗∗ Typora fails to properly neutralize JavaScript code ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN26044739/
∗∗∗ MISP 2.4.165 released with many improvements, bugs fixed and security fixes. ∗∗∗
---------------------------------------------
https://www.misp-project.org/2022/11/21/MISP.2.4.165.released.html/
∗∗∗ Miele: Vulnerability in ease2pay cloud service used by appWash ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-052/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 17-11-2022 18:00 − Freitag 18-11-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Zeppelin: Heimlich die Schlüssel einer Ransomware geknackt ∗∗∗
---------------------------------------------
Eine Sicherheitsfirma ist es gelungen die Ransomware Zeppelin zu knacken. Sie half heimlich mehreren Organisationen, wieder an ihre Daten zu gelangen.
---------------------------------------------
https://www.golem.de/news/zeppelin-heimlich-die-schluessel-einer-ransomware…
∗∗∗ Security baseline for Microsoft Edge v107 ∗∗∗
---------------------------------------------
We have reviewed the settings in Microsoft Edge version 107 and updated our guidance with the addition of one new setting. We’re also highlighting three settings we would like you to consider based on your organizational needs.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ Successful Hack of Time-Triggered Ethernet ∗∗∗
---------------------------------------------
Time-triggered Ethernet (TTE) is used in spacecraft, basically to use the same hardware to process traffic with different timing and criticality. Researchers have defeated it.
---------------------------------------------
https://www.schneier.com/blog/archives/2022/11/successful-hack-of-time-trig…
∗∗∗ Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware ∗∗∗
---------------------------------------------
A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns.
---------------------------------------------
https://www.securityweek.com/microsoft-warns-cybercrime-group-delivering-ro…
∗∗∗ CISA, NSA, and ODNI Release Guidance for Customers on Securing the Software Supply Chain ∗∗∗
---------------------------------------------
Today, CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI), published the third of a three-part series on securing the software supply chain: Securing Software Supply Chain Series - Recommended Practices Guide for Customers.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/11/17/cisa-nsa-and-odni…
*** #StopRansomware: Hive Ransomware ***
---------------------------------------------
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022.
---------------------------------------------
https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk, firefox-esr, php-phpseclib, phpseclib, python-django, and thunderbird), Fedora (grub2, samba, and thunderbird), Mageia (firefox, sudo, systemd, and thunderbird), Slackware (freerdp), SUSE (firefox, go1.18, go1.19, kernel, openvswitch, python-Twisted, systemd, and xen), and Ubuntu (expat, git, multipath-tools, unbound, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/915378/
∗∗∗ WordPress Plugin "WordPress Popular Posts" accepts untrusted external inputs to update certain internal variables ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN13927745/
∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis vulnerable to multiple vulnerabilities in Apache Tika (CVE-2022-30126, CVE-2022-33879, CVE-2022-30973) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
∗∗∗ Security Bulletin: Vulnerabilities with Kernel affect IBM Cloud Object Storage Systems (August 2022v2) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern…
∗∗∗ Security Bulletin: Rational Asset Analyzer is vulnerable to HTTP header injection (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i…
∗∗∗ Security Bulletin: Vulnerabilities from log4j affect IBM Operations Analytics – Log Analysis (CVE-2019-17571, CVE-2020-9488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4…
∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-22488 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-…
∗∗∗ Security Bulletin: Vulnerabilities from log4j-core-2.16.0.jar affect IBM Operations Analytics – Log Analysis (CVE-2021-44832, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4…
∗∗∗ Security Bulletin: Rational Asset Analyzer is vulnerable to denial of service due to GraphQL Java (CVE-2022-37734) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i…
∗∗∗ Security Bulletin: Potential vulnerability in Eclipse Jetty affects IBM Operations Analytics – Log Analysis (CVE-2022-2047) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i…
∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by multiple vulnerabilities in libcurl (CVE-2022-42915, CVE-2022-42916, CVE-2022-32221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-…
∗∗∗ Security Bulletin: IBM Transform Services for IBM i is vulnerable to denial of service, buffer overflow, and allowing attacker to obtain sensitive information due to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transform-services-fo…
∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 16-11-2022 18:00 − Donnerstag 17-11-2022 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Evil Maid Attacks - Remediation for the Cheap, (Wed, Nov 16th) ∗∗∗
---------------------------------------------
The so-called evil maid attack is an attack against hardware devices utilizing hard- and/or software. It is carried out when the hardware is left unattended, e.g., in a hotel room when you're out for breakfast. The attacker manipulates the device in a malicious way.
---------------------------------------------
https://isc.sans.edu/diary/rss/29256
∗∗∗ WASP malware stings Python developers ∗∗∗
---------------------------------------------
Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers. Analysts at Checkmarx this week connected the same attacker to both reports and said the operator is still releasing malicious packages.
---------------------------------------------
https://www.theregister.com/2022/11/16/wasp_python_malware_checkmarx/
∗∗∗ Disneyland Malware Team: It’s a Puny World After All ∗∗∗
---------------------------------------------
A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic and Ukrainian.
---------------------------------------------
https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-worl…
∗∗∗ Onlinebetrug-Simulator: Testen Sie Ihr Wissen zu Betrugsmaschen im Internet ∗∗∗
---------------------------------------------
Um Sie für die Gefahren von Fake-Shops und Phishing-Emails zu sensibilisieren und Sie im Bereich der Cyber-Sicherheit zu schulen, hat die AK Niederösterreich in Kooperation mit der Universität Wien den Onlinebetrug-Simulator ins Leben gerufen.
---------------------------------------------
https://www.watchlist-internet.at/news/onlinebetrug-simulator-testen-sie-ih…
∗∗∗ Domain Controller gegen Angriffe absichern ∗∗∗
---------------------------------------------
Active Directory ist eine kritische Infrastruktur und sollte als solche behandelt werden. Aber wie sichert man als Administrator seine Domain Controller gegen Angriffe?
---------------------------------------------
https://www.borncity.com/blog/2022/11/17/domain-controller-gegen-angriffe-a…
∗∗∗ Get a Loda This: LodaRAT meets new friends ∗∗∗
---------------------------------------------
LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta. Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality have been seen in the wild.
---------------------------------------------
https://blog.talosintelligence.com/get-a-loda-this/
=====================
= Vulnerabilities =
=====================
∗∗∗ Schadcode-Attacken auf Bitbucket Server und Data Center möglich ∗∗∗
---------------------------------------------
Eine Sicherheitslücke bedroht mehrere Versionen von Atlassians Versionsverwaltungssoftware.
---------------------------------------------
https://heise.de/-7343226
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (expat, xen, and xorg-x11-server), Oracle (kernel, kernel-container, qemu, xorg-x11-server, and zlib), Scientific Linux (xorg-x11-server), Slackware (firefox, krb5, samba, and thunderbird), SUSE (ant, apache2-mod_wsgi, jsoup, rubygem-nokogiri, samba, and tomcat), and Ubuntu (firefox and linux, linux-aws, linux-aws-hwe, linux-dell300x, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/915245/
∗∗∗ Samba Releases Security Updates ∗∗∗
---------------------------------------------
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/11/16/samba-releases-se…
∗∗∗ Security Bulletin: IBM Partner Engagement Manager is vulnerable to sensitive data exposure (CVE-2022-34354) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-partner-engagement-ma…
∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by a vulnerability [CVE-2022-31129] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo…
∗∗∗ Security Bulletin: CVE-2022-3676 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2022-3676-may-affect-…
∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow – CVE-2022-38390 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: IBM InfoSphere DataStage is vulnerable to a command injection vulnerability [CVE-2022-40752] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-…
∗∗∗ Security Bulletin: Tivoli Business Service Manager is vulnerable to cross-site scripting due to improper validation in Angular (CVE-2022-25869) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-business-service-m…
∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana…
∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana…
∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) is vulnerable to Insufficiently Protected LDAP Search Credentials ( CVE-2022-40751 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-…
∗∗∗ Security Bulletin: Apache Tomcat could allow a remote attacker to obtain sensitive information (CVE-2021-43980) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-tomcat-could-allow…
∗∗∗ Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163) ∗∗∗
---------------------------------------------
https://research.nccgroup.com/2022/11/17/cve-2022-45163/
∗∗∗ Red Lion Crimson ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-321-01
∗∗∗ Cradlepoint IBR600 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-321-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 15-11-2022 18:00 − Mittwoch 16-11-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Forscher erraten Passwörter via Wärmebild mit Machine Learning und KI ∗∗∗
---------------------------------------------
In einem Versuchsaufbau haben Sicherheitsforscher auf einer Tastatur eingetippte zwölfstellige Passwörter mit einer Erfolgsquote von 83 Prozent rekonstruiert.
---------------------------------------------
https://heise.de/-7341957
∗∗∗ ESET APT Activity Report T2 2022 ∗∗∗
---------------------------------------------
Ein Überblick über die Aktivitäten ausgewählter APT-Gruppen, die von ESET Research in T2 2022 untersucht und analysiert wurden.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2022/11/16/apt-activity-report-t2-20…
∗∗∗ Fake Black Friday Gewinnspiele auf WhatsApp und Instagram im Umlauf ∗∗∗
---------------------------------------------
Vorsicht vor betrügerischen Gewinnspielen rund um den Black Friday. Zahlreiche WhatsApp- und Instagram-Nutzer:innen erhalten aktuell betrügerische Nachrichten von Unbekannten, aber auch eigenen Kontakten, die beispielsweise Gewinnspiele im Namen Amazons bewerben. Achtung: Es handelt sich um einen Versuch, Sie in eine Abo-Falle zu locken. Folgen Sie keinen Links in solchen Nachrichten und geben Sie keine Kreditkartendaten bekannt!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-black-friday-gewinnspiele-auf-w…
∗∗∗ Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend ∗∗∗
---------------------------------------------
By now you have likely already heard about the in-the-wild exploitation of Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally submitted to the ZDI program by the researcher known as “DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC”. After successful validation, it was immediately submitted to Microsoft. They patched both bugs along with several other Exchange vulnerabilities in the November Patch Tuesday release. It is a beautiful chain, with an ingenious vector [...]
---------------------------------------------
https://www.thezdi.com/blog/2022/11/14/control-your-types-or-get-pwned-remo…
∗∗∗ CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures ∗∗∗
---------------------------------------------
Rapid7 discovered several vulnerabilities and exposures in specific F5 BIG-IP and BIG-IQ devices in August 2022. Since then, members of our research team have worked with the vendor to discuss impact, resolution, and a coordinated response.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-418…
∗∗∗ Magento stores targeted in massive surge of TrojanOrders attacks ∗∗∗
---------------------------------------------
At least seven hacking groups are behind a massive surge in TrojanOrders attacks targeting Magento 2 websites, exploiting a vulnerability that allows the threat actors to compromise vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-m…
∗∗∗ Token tactics: How to prevent, detect, and respond to cloud token theft ∗∗∗
---------------------------------------------
As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-…
∗∗∗ Packet Tuesday: Network Traffic Analysis for the Whole Family, (Tue, Nov 15th) ∗∗∗
---------------------------------------------
A short while ago, I floated the idea of a weekly video series with short lessons about packets, protocols, and networks. Today, we are kicking of "Packet Tuesday". Packet Tuesday, as the name implies, will release a new video each Tuesday. We will discuss packets in detail. See the first two videos below.
---------------------------------------------
https://isc.sans.edu/diary/rss/29252
∗∗∗ New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques ∗∗∗
---------------------------------------------
Readers of this blog should already be familiar with SocGholish: a widespread, years-long malware campaign aimed at pushing fake browser updates to unsuspecting web users. Once installed, fake browser updates infect the victim’s computer with various types of malware including remote access trojans (RATs). SocGholish malware is often the first step in severe targeted ransomware attacks against corporations and other organizations.
---------------------------------------------
https://blog.sucuri.net/2022/11/new-socgholish-malware-variant-uses-zip-com…
∗∗∗ Researchers Discover Hundreds of Amazon RDS Instances Leaking Users Personal Data ∗∗∗
---------------------------------------------
"Make sure when sharing a snapshot as public that none of your private information is included in the public snapshot," Amazon cautions in its documentation. "When a snapshot is shared publicly, it gives all AWS accounts permission both to copy the snapshot and to create DB instances from it."
---------------------------------------------
https://thehackernews.com/2022/11/researchers-discover-hundreds-of-amazon.h…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Secure Email Gateway Malware Detection Evasion ∗∗∗
---------------------------------------------
This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time
frame. As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threads publicly known.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022110021
∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security protections, and conduct cross-site scripting attacks. For more information about these vulnerabilities, see the Details section of this advisory. Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (grub2, nginx, and wordpress), Red Hat (389-ds-base, bind, buildah, curl, device-mapper-multipath, dnsmasq, dotnet7.0, dpdk, e2fsprogs, grafana-pcp, harfbuzz, ignition, Image Builder, kernel, keylime, libguestfs, libldb, libtiff, libvirt, logrotate, mingw-zlib, mutt, openjpeg2, podman, poppler, python-lxml, qt5, rsync, runc, samba, skopeo, toolbox, unbound, virt-v2v, wavpack, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), SUSE (389-ds, bluez, dhcp, freerdp, jackson-databind, kernel, LibVNCServer, libX11, nodejs12, nodejs16, php7, php8, python-Mako, python-Twisted, python310, sudo, systemd, and xen), and Ubuntu (mako).
---------------------------------------------
https://lwn.net/Articles/915097/
∗∗∗ RICOH Aficio SP 4210N vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN24659622/
∗∗∗ Multiple vulnerabilities in Movable Type ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN37014768/
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update July 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.2ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 – 2022.4.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 14-11-2022 18:00 − Dienstag 15-11-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ DTrack activity targeting Europe and Latin America ∗∗∗
---------------------------------------------
DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. [..] So, what’s new? DTrack itself hasn’t changed much over the course of time. Nevertheless, there are some interesting modifications that we want to highlight in this blogpost. Dtrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts.
---------------------------------------------
https://securelist.com/dtrack-targeting-europe-latin-america/107798/
∗∗∗ ABI compatibility in Python: How hard could it be? ∗∗∗
---------------------------------------------
This post will cover just one tiny piece of Python packaging’s complexity: the CPython stable ABI. We’ll see what the stable ABI is, why it exists, how it’s integrated into Python packaging, and how each piece goes terribly wrong to make accidental ABI violations easy.
---------------------------------------------
https://blog.trailofbits.com/2022/11/15/python-wheels-abi-abi3audit/
∗∗∗ Checkmk: Remote Code Execution by Chaining Multiple Bugs ∗∗∗
---------------------------------------------
Within the series of articles, we take a detailed look at multiple vulnerabilities we identified in Checkmk and its NagVis integration, which can be chained together by an unauthenticated, remote attacker to fully take over the server running a vulnerable version of Checkmk.
---------------------------------------------
https://blog.sonarsource.com/checkmk-rce-chain-3/
∗∗∗ Organizations Warned of Critical Vulnerability in Backstage Developer Portal Platform ∗∗∗
---------------------------------------------
Backstage is affected by a critical vulnerability related to a security hole found earlier this year by Oxeye in the popular sandbox library VM2. The VM2 flaw, dubbed SandBreak and tracked as CVE-2022-36067, can allow a remote attacker to escape the sandbox and execute arbitrary code on the host.
Backstage has been using VM2 and Oxeye researchers discovered that CVE-2022-36067 can be exploited for unauthenticated remote code execution in Backstage by abusing its software templates.
---------------------------------------------
https://www.securityweek.com/organizations-warned-critical-vulnerability-ba…
∗∗∗ Kreditbetrug: Vorsicht vor darlehenexpert.com ∗∗∗
---------------------------------------------
darlehenexpert.com gibt sich als Kreditgeber aus und ermöglicht angeblich Privat- und Autokredite, Hypotheken sowie Darlehen. Interessierte füllen online ein Kreditantragsformular aus und erhalten nach kurzer Zeit eine Zusage. Doch Vorsicht: darlehenexpert.com ist betrügerisch. Sie werden aufgefordert, vorab unterschiedliche Gebühren zu überweisen. Wenn Sie überweisen, verlieren Sie Ihr Geld und erhalten keinen Kredit!
---------------------------------------------
https://www.watchlist-internet.at/news/kreditbetrug-vorsicht-vor-darlehenex…
∗∗∗ Android malware: A million people downloaded these malicious apps before they were finally removed from Google Play ∗∗∗
---------------------------------------------
Cybersecurity researchers identify an aggressive adware campaign. The developer is now banned from Google Play - but if youve not uninstalled the apps, youre still infected. [..] The four apps that have been identified as malicious were from a developer called Mobile apps Group and were called 'Bluetooth Auto Connect', 'Bluetooth App Sender', 'Mobile transfer: smart switch', and 'Driver: Bluetooth, Wi-Fi, USB'.
---------------------------------------------
https://www.zdnet.com/article/android-warning-these-malicious-apps-had-over…
∗∗∗ Windows Server 2012 R2: Sophos User-Authentifizierung mittels Heartbeat auf RDS-Servern abgeschaltet ∗∗∗
---------------------------------------------
Kurzer Hinweis für Administratoren, die Windows Server 2012 R2 einsetzen und sich auf die Sophos User-Authentifizierung per Sophos Security Heartbeats verlassen. Sophos hat ein Update verteilt, welches die Funktion auf Windows Server 2012 R2 stillschweigend außer Kraft setzt.
---------------------------------------------
https://www.borncity.com/blog/2022/11/15/windows-server-2012-r2-sophos-user…
∗∗∗ LKA warnt vor Betrugsmasche mit digitalen Kreditkarten (Nov. 2022) ∗∗∗
---------------------------------------------
Das LKA Niedersachsen warnt vor einer neue Betrugsmasche, die Cyber-Kriminelle erdacht haben. Mittels Phishing-E-Mails, gefälschten Webseiten und digitalen Kreditkarten versuchen sie an Zahlungsdaten der Opfer heranzukommen. Die Daten der digitalen Kreditkarte werden dann für eigene Einkäufe auf Kosten des Opfers missbraucht.
---------------------------------------------
https://www.borncity.com/blog/2022/11/15/lka-warnt-vor-betrugsmasche-mit-di…
∗∗∗ Firmware- und BIOS-Updates: AMD, Intel, Lenovo, HP (Nov. 2022) ∗∗∗
---------------------------------------------
Die Hersteller Lenovo und HP stopfen mit Firmware-Updates entdeckte Schwachstellen im BIOS (und in der Software) ihrer Systeme. Und die Prozessorhersteller AMD sowie Intel haben ebenfalls Sicherheitslücken in ihrer Firmware per Update im November 2022 geschlossen. Hier ein kompakter Überblick über diese Updates.
---------------------------------------------
https://www.borncity.com/blog/2022/11/15/firmware-und-bios-updates-amd-inte…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (kernel and webkit2gtk3), Red Hat (dhcp, dovecot, flac, freetype, fribidi, frr, gimp, grafana, guestfs-tools, httpd, kernel-rt, libtirpc, mingw-gcc, mingw-glib2, pcs, php, protobuf, python3.9, qemu-kvm, redis, speex, and swtpm), SUSE (chromium, containerized-data-importer, jhead, kubevirt stack, nodejs14, nodejs16, python-Werkzeug, and xen), and Ubuntu (golang-1.13, nginx, and vim).
---------------------------------------------
https://lwn.net/Articles/914952/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.5 ∗∗∗
---------------------------------------------
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.5 ∗∗∗
---------------------------------------------
CVE-2022-45403: Service Workers might have learned size of cross-origin media files
CVE-2022-45404: Fullscreen notification bypass
CVE-2022-45405: Use-after-free in InputStream implementation
CVE-2022-45406: Use-after-free of a JavaScript Realm
CVE-2022-45408: Fullscreen notification bypass via windowName
CVE-2022-45409: Use-after-free in Garbage Collection
CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-48/
∗∗∗ Security Vulnerabilities fixed in Firefox 107 ∗∗∗
---------------------------------------------
CVE-2022-45407: Loading fonts on workers was not thread-safe
CVE-2022-45403: Service Workers might have learned size of cross-origin media files
CVE-2022-45404: Fullscreen notification bypass
CVE-2022-45405: Use-after-free in InputStream implementation
CVE-2022-45406: Use-after-free of a JavaScript Realm
CVE-2022-45408: Fullscreen notification bypass via windowName
CVE-2022-45409: Use-after-free in Garbage Collection
CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/
∗∗∗ TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN54728399/
∗∗∗ ZDI-22-1592: Parse Server _expandResultOnKeyPath Prototype Pollution Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1592/
∗∗∗ ZDI-22-1591: Parse Server buildUpdatedObject Prototype Pollution Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1591/
∗∗∗ ZDI-22-1590: Parse Server transformUpdate Prototype Pollution Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1590/
∗∗∗ ABB PCM600 Cleartext Credentials Vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001518
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-is-vulner…
∗∗∗ Security Bulletin: Vulnerability from Apache Kafka affect IBM Operations Analytics – Log Analysis (CVE-2021-38153) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache…
∗∗∗ PHOENIX CONTACT: Denial-of-Service vulnerability in mGuard product family ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-051/
∗∗∗ Mitsubishi Electric GT SoftGOT2000 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-319-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 11-11-2022 18:00 − Montag 14-11-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Jetzt deinstallieren! Sicherheitslücken, aber keine Patches für VMware Hyperic ∗∗∗
---------------------------------------------
Der Support für die IT-Managementsoftware VMware Hyperic ist ausgelaufen. Admins sollten umsteigen.
---------------------------------------------
https://heise.de/-7339160
∗∗∗ Neue Betrugsmasche auf Amazon: Betrügerische Marketplace-Händler stornieren Bestellungen und empfehlen Kauf bei „Amazon-Partnershops“ ∗∗∗
---------------------------------------------
Sabine sucht auf Amazon nach einer Kaffeemaschine. Bei einem Marketplace-Händler findet sie ein günstiges Angebot. Sie bestellt und wartet nun auf die Lieferung. Kurz nach der Bestellung wird der Kauf aber vom Händler storniert. Sie bekommt ein Mail, indem sich der Händler entschuldigt und ihr einen Shop nennt, bei dem sie die Kaffeemaschine zum gleichen Preis bestellen kann. Vorsicht: Dabei handelt es sich um Betrug!
---------------------------------------------
https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-amazon-betrue…
∗∗∗ Extracting HTTP CONNECT Requests with Python, (Mon, Nov 14th) ∗∗∗
---------------------------------------------
Seeing abnormal Suricata alerts isnt too unusual in my home environment. In many cases it may be a TLD being resolved that at one point in time was very suspicious. With the increased legitimate adoption of some of these domains, these alerts have been less useful, although still interesting to investigate. I ran into a few of these alerts one night and when diving deeper there was an unusual amount, frequency, and source of the alerts.
---------------------------------------------
https://isc.sans.edu/diary/rss/29246
∗∗∗ Extracting Information From "logfmt" Files With CyberChef, (Sat, Nov 12th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/29244
∗∗∗ KmsdBot: The Attack and Mine Malware ∗∗∗
---------------------------------------------
Akamai Security Research has observed a new malware that infected our honeypot, which we have dubbed KmsdBot. The botnet infects systems via an SSH connection that uses weak login credentials.
---------------------------------------------
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-m…
∗∗∗ Discover 2022’s Nastiest Malware ∗∗∗
---------------------------------------------
For the past year, hackers have been following close behind businesses and families just waiting for the right time to strike. In other words, 2022 has been an eventful year in the threat landscape, with malware continuing to take center stage. The 6 Nastiest Malware of 2022 Since the mainstreaming of ransomware payloads and the [...]
---------------------------------------------
https://www.webroot.com/blog/2022/10/14/discover-2022s-nastiest-malware/
∗∗∗ Typhon Reborn With New Capabilities ∗∗∗
---------------------------------------------
Typhon Stealer, a crypto miner/stealer for hire that was discovered in August 2022, now has an updated version called Typhon Reborn.
---------------------------------------------
https://unit42.paloaltonetworks.com/typhon-reborn-stealer/
∗∗∗ BumbleBee Zeros in on Meterpreter ∗∗∗
---------------------------------------------
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign.
---------------------------------------------
https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
∗∗∗ Stories from the SOC: Fortinet authentication bypass observed in the wild ∗∗∗
---------------------------------------------
Fortinet’s newest vulnerability, CVE-2022-40684, allowing for authentication bypass to manipulate admin SSH keys, unauthorized downloading of configuration files, and creating of super admin accounts, is put a big target on the back’s of unpatched and exposed Fortinet devices.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so…
=====================
= Vulnerabilities =
=====================
∗∗∗ HP-BIOS: Pufferüberlauf ermöglicht Rechteausweitung, Update ist verfügbar ∗∗∗
---------------------------------------------
HP warnt vor einer Sicherheitslücke im BIOS zahlreicher Notebooks und PC. Angreifer könnten dadurch ihre Rechte ausweiten oder beliebigen Code ausführen.
---------------------------------------------
https://heise.de/-7339122
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dropbear, php7.4, pixman, sysstat, and xorg-server), Fedora (mingw-expat, mingw-libtasn1, and mingw-pixman), Mageia (binutils/gdb, chromium-browser-stable, exiv2, libtiff, nodejs, pcre, pixman, wayland, and webkit2), Red Hat (device-mapper-multipath and libksba), SUSE (autotrace, busybox, libmodbus, php72, python-numpy, rustup, samba, varnish, xen, and xterm), and Ubuntu (thunderbird).
---------------------------------------------
https://lwn.net/Articles/914811/
∗∗∗ Path Traversal Schwachstelle in Payara Platform ∗∗∗
---------------------------------------------
Aufgrund einer fehlerhaften Pfadüberprüfung in der Payara Software ist es möglich, die Konfigurations- oder Sourcecode-Dateien von Webanwendungen in den Verzeichnissen WEB-INF und META-INF über eine Path Traversal Schwachstelle zu lesen.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/path-traversal-vulner…
∗∗∗ Vielfältige Schwachstellen in BACKCLICK Professional (SYSS-2022-026 bis -037) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-p…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru traces sensitive data (CVE-2022-35719) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily