Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 17.06.2022
by Daily end-of-shift report 17 Jun '22

17 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-06-2022 18:00 − Freitag 17-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Security: Github informiert über Malware im Open-Source-Ökosystem ∗∗∗ --------------------------------------------- Nicht nur Sicherheitslücken machen Open-Source-Software anfällig. Auch Malware bereitet viele Probleme, die Github jetzt sammeln möchte. --------------------------------------------- https://www.golem.de/news/security-github-informiert-ueber-malware-im-open-… ∗∗∗ Zügig aktualisieren: Angreifer könnten Citrix ADM übernehmen ∗∗∗ --------------------------------------------- In Citrix Application Delivery Management-Software könnten Angreifer aus dem Netz eine Sicherheitslücke ausnutzen. Sie können damit volle Kontrolle erlangen. --------------------------------------------- https://heise.de/-7142301 ∗∗∗ NAS: Qnap warnt vor Angriffswelle mit DeadBolt-Ransomware ∗∗∗ --------------------------------------------- Der Hersteller Qnap warnt vor derzeit laufenden Angriffen auf die NAS-Systeme mit der DeadBolt-Ransomware. Administratoren sollen den Update-Stand überprüfen. --------------------------------------------- https://heise.de/-7144383 ∗∗∗ Kritische Sicherheitslücke in WordPress-Plug-in Ninja Forms behoben ∗∗∗ --------------------------------------------- WordPress-Admins, die das Plug-in Ninja Forms einsetzen, sollten unverzüglich dessen Aktualität sicherstellen. Angreifer könnten sonst eigenen Code ausführen. --------------------------------------------- https://heise.de/-7143515 ∗∗∗ Zahlreiche betrügerische Nachrichten im Namen der Post im Umlauf! ∗∗∗ --------------------------------------------- Sie warten auf ein Paket. Plötzlich werden Sie per SMS oder E-Mail benachrichtigt, dass es ein Problem mit Ihrer Lieferung gäbe. Immer wieder berichten wir von dieser Betrugsmasche, bei der Kriminelle willkürlich Nachrichten versenden und behaupten, dass ein Paket nicht geliefert werden könnte. Wer tatsächlich gerade auf ein Paket wartet, kann leicht in diese Falle tappen. Meist wollen die Kriminellen an Ihre Kreditkartendaten oder an Ihr Geld. Dieses Mal wird aber auch versucht Ihr Post-Konto zu kapern. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-betruegerische-nachrichte… ∗∗∗ Anatomie eines Hive Ransomware-Angriffs auf Exchange per ProxyShell ∗∗∗ --------------------------------------------- Häufig bleiben ja die Details einer Ransomware-Infektion für Außenstehende im Dunkeln. Mir ist diese Woche eine Information vom Sicherheitsdienstleister Varonis zugegangen, deren Sicherheitsteam den Ablauf eines Angriffs mit der Hive-Ransomware aufbereitet haben. --------------------------------------------- https://www.borncity.com/blog/2022/06/17/anatomie-eines-hive-ransomware-ang… ∗∗∗ Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike ∗∗∗ --------------------------------------------- The threat actor known as Blue Mockingbird has been observed by analysts targeting Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-three-year-o… ∗∗∗ New MaliBot Android banking malware spreads as a crypto miner ∗∗∗ --------------------------------------------- Threat analysts have discovered a new Android malware strain named MaliBot, which poses as a cryptocurrency mining app or the Chrome web browser to target users in Italy and Spain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malibot-android-banking-… ∗∗∗ Facebook Messenger Scam Duped Millions ∗∗∗ --------------------------------------------- One well crafted phishing message sent via Facebook Messenger ensnared 10 million Facebook users and counting. --------------------------------------------- https://threatpost.com/acebook-messenger-scam/179977/ ∗∗∗ WooCommerce Credit Card Skimmer Uses Telegram Bot to Exfiltrate Stolen Data ∗∗∗ --------------------------------------------- Our story starts like many others told on this blog: A new client came to us with reported cases of credit card theft on their eCommerce website. The website owner had received complaints from several customers who reported bogus transactions on their cards shortly after purchasing from their webstore, so the webmaster suspected that something could be amiss. --------------------------------------------- https://blog.sucuri.net/2022/06/woocommerce-credit-card-skimmer-uses-telegr… ∗∗∗ Difference Between Agent-Based and Network-Based Internal Vulnerability Scanning ∗∗∗ --------------------------------------------- For years, the two most popular methods for internal scanning: agent-based and network-based were considered to be about equal in value, each bringing its own strengths to bear. However, with remote working now the norm in most if not all workplaces, it feels a lot more like agent-based scanning is a must, while network-based scanning is an optional extra. --------------------------------------------- https://thehackernews.com/2022/06/difference-between-agent-based-and.html ∗∗∗ Details of Twice-Patched Windows RDP Vulnerability Disclosed ∗∗∗ --------------------------------------------- Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches. --------------------------------------------- https://www.securityweek.com/details-twice-patched-windows-rdp-vulnerabilit… ∗∗∗ DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach ∗∗∗ --------------------------------------------- [...] This particular attack leveraged a zero-day exploit to compromise the customer's firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites. This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature. --------------------------------------------- https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-fire… ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity RCE Vulnerability Reported in Popular Fastjson Library ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType." --------------------------------------------- https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html ∗∗∗ IBM Security Bulletins 2022-06-15 - 2022-06-16 ∗∗∗ --------------------------------------------- IBM Spectrum Protect Server, IBM Disconnected Log Collector, IBM Cloud Application Business Insights, IBM Tivoli Application Dependency Discovery Manager, IBM CICS TX Advanced, IBM Analytic Accelerator Framework, IBM Customer and Network Analytics, IBM QRadar SIEM, IBM QRadar Use Case Manager App, Rational Test Virtualization Server and Rational Test Workbench, IBM Robotic Process Automation, IBM Security QRadar Event and Flow Exporter App, IBM WebSphere Application Server Liberty, IBM TXSeries, IBM CICS TX Standard, IBM CICS TX Advanced, IBM Java Runtime, ISC BIND and IBM HTTP Server. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-06-15 ∗∗∗ --------------------------------------------- Cisco published 7 Security Advisories (2 Critical, 1 High, 4 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Kritische Lücke mit Höchstwertung in Smart-Home-Zentrale Anker Eufy Homebase 2 ∗∗∗ --------------------------------------------- Angreifer könnten sich über drei Sicherheitslücken in Eufy Homebase 2 Zugang zum Smart Home verschaffen. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-7143710 ∗∗∗ VMSA-2022-0017 ∗∗∗ --------------------------------------------- VMware HCX update addresses an information disclosure vulnerability (CVE-2022-22953) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (containerd, golang-github-containerd-cni, golang-github-containernetworking-cni, golang-x-sys, kernel, and qt5-qtbase), Oracle (kernel, kernel-container, microcode_ctl, subversion:1.14, and xz), Red Hat (.NET 6.0, .NET Core 3.1, cups, and xz), Scientific Linux (xz), SUSE (caddy, chromium, librecad, libredwg, varnish, and webkit2gtk3), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/898121/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel, liblouis, ntfs-3g, php, shim, shim-unsigned-aarch64, shim-unsigned-x64, thunderbird, and vim), Mageia (chromium-browser-stable and golang), Red Hat (grub2, mokutil, and shim and grub2, mokutil, shim, and shim-unsigned-x64), SUSE (389-ds, apache2, kernel, mariadb, openssl, openssl-1_0_0, rubygem-actionpack-5_1, rubygem-activesupport-5_1, and vim), and Ubuntu (exempi, kernel, linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4, [...] --------------------------------------------- https://lwn.net/Articles/898234/ ∗∗∗ Hillrom Medical Device Management ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Hard-coded Password, and Improper Access Control vulnerability in Welch Allyn resting electrocardiograph devices. Hillrom Medical. Welch Allyn, and ELI are registered trademarks of Baxter International, Inc., or its subsidiaries. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-167-01 ∗∗∗ AutomationDirect C-More EA9 HMI ∗∗∗ --------------------------------------------- This advisory contains mitigations for Uncontrolled Search Path Element, Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect C-More EA9 human-machine interface products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-01 ∗∗∗ AutomationDirect DirectLOGIC with Serial Communication ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in DirectLOGIC programmable controllers with serial communication. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-02 ∗∗∗ AutomationDirect DirectLOGIC with Ethernet ∗∗∗ --------------------------------------------- This advisory contains mitigations for Uncontrolled Resource Consumption, and Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect DirectLOGIC programmable logic Ethernet controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.06.2022
by Daily end-of-shift report 15 Jun '22

15 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-06-2022 18:00 − Mittwoch 15-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft 365 Apps for enterprise v2206 ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2206. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers ∗∗∗ --------------------------------------------- A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022. --------------------------------------------- https://thehackernews.com/2022/06/panchan-new-golang-based-peer-to-peer.html ∗∗∗ TPM Sniffing Attacks Against Non-Bitlocker Targets ∗∗∗ --------------------------------------------- Last year, during an uptick in media attention for Trusted Platform Module (TPM) security triggered by a blog post from the Dolos Group describing a sniffing attack on Windows Bitlocker relying on a TPM, a customer asked us to investigate their TPM-based Full Disk Encryption (FDE) set up in light of this type of attack. --------------------------------------------- https://www.secura.com/blog/tpm-sniffing-attacks-against-non-bitlocker-targ… ∗∗∗ Bypassing CSP with dangling iframes ∗∗∗ --------------------------------------------- Our Web Security Academy has a topic on dangling markup injection - a technique for exploiting sites protected by CSP. --------------------------------------------- https://portswigger.net/research/bypassing-csp-with-dangling-iframes ∗∗∗ A tiny botnet launched the largest DDoS attack on record ∗∗∗ --------------------------------------------- A small but powerful army of just 5,000 devices generated a record-breaking web attack. --------------------------------------------- https://www.zdnet.com/article/a-tiny-botnet-launched-the-largest-ddos-attac… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix warns critical bug can let attackers reset admin passwords ∗∗∗ --------------------------------------------- Citrix warned customers to deploy security updates that address a critical Citrix Application Delivery Management (ADM) vulnerability that can let attackers reset admin passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/citrix-warns-critical-bug-ca… ∗∗∗ Patchday: Updates bessern zehn SAP-Schwachstellen aus ∗∗∗ --------------------------------------------- Am Juni-Patchday hat SAP zehn Sicherheitslücken geschlossen. Für zwei ältere Sicherheitsmeldungen aktualisiert der Hersteller die Sicherheitsmeldungen. --------------------------------------------- https://heise.de/-7141579 ∗∗∗ Patchday: Microsoft schließt MSDT-Lücke, die auch ohne Makros funktioniert ∗∗∗ --------------------------------------------- Windows ist unter anderem über Word verwundbar, wobei auch RTF-Formate genutzt werden können. Aber auch Azure, Edge & Co. bekommen wichtige Sicherheitsupdates. --------------------------------------------- https://heise.de/-7141070 ∗∗∗ Patchday Adobe: Schadcode-Lücken in InDesign, Illustrator & Co. geschlossen ∗∗∗ --------------------------------------------- Mehrere Adobe-Anwendungen sind über als kritisch eingestufte Schwachstellen attackierbar. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-7141175 ∗∗∗ Sicherheitslücke Hertzbleed: x86-Prozessortaktung verrät Geheimnisse ∗∗∗ --------------------------------------------- Ein Forscherteam belauscht kryptografische Berechnungen auf modernen x86-CPUs anhand charakteristischer Taktfrequenzänderungen. --------------------------------------------- https://heise.de/-7141221 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (.NET 6.0 and log4j), SUSE (389-ds, grub2, kernel, openssl-1_1, python-Twisted, webkit2gtk3, and xen), and Ubuntu (php7.2, php7.4, php8.0, php8.1 and util-linux). --------------------------------------------- https://lwn.net/Articles/897992/ ∗∗∗ Critical Code Execution Vulnerability Patched in Splunk Enterprise ∗∗∗ --------------------------------------------- Splunk this week announced the release of out-of-band patches that address multiple vulnerabilities across Splunk Enterprise, including a critical issue that could lead to arbitrary code execution. --------------------------------------------- https://www.securityweek.com/critical-code-execution-vulnerability-patched-… ∗∗∗ Schneider Electric Advisories 2022-06-15 ∗∗∗ --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Security Bulletin: IBM Financial Transaction Manager for Digital Payments for Multi-Platform is vulnerable to SQL injection. (CVE-2019-4575) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-financial-transaction… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2022-28327 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Netcool Operations Insight v1.6.4 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential Cross-Site Scripting (Reflected) vulnerability (CVE-2020-4560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights – Quaterly Java update, CVE-2021-35603 and CVE-2021-35550 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to lpd (CVE-2022-22444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2022-24675 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential SQL Injection CVE-2020-4328 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ VMSA-2022-0016 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0016.html ∗∗∗ AUMA: SIMA² Master Station Denial of Service Vulnerability on Automation Runtime Webserver ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-024/ ∗∗∗ Johnson Controls Metasys ADS ADX OAS Servers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-01 ∗∗∗ Hardkodierte Backdoor Benutzer und veraltete Software Komponenten in der Nexans FTTO GigaSwitch Serie ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/nexans-ftto-gigaswitc… ∗∗∗ Synaptics Fingerprint Driver Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500494-SYNAPTICS-FINGERPRINT-D… ∗∗∗ Intel Processors MMIO Stale Data Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500497-INTEL-PROCESSORS-MMIO-S… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.06.2022
by Daily end-of-shift report 14 Jun '22

14 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 13-06-2022 18:00 − Dienstag 14-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ The many lives of BlackCat ransomware ∗∗∗ --------------------------------------------- The use of an unconventional programming language, multiple target devices and possible entry points, and affiliation with prolific threat activity groups have made the BlackCat ransomware a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. --------------------------------------------- https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackc… ∗∗∗ Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter thats being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers. --------------------------------------------- https://thehackernews.com/2022/06/researchers-detail-purecrypter-loader.html ∗∗∗ Public Travis CI Logs (Still) Expose Users to Cyber Attacks ∗∗∗ --------------------------------------------- In our latest research, we at Team Nautilus found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available. --------------------------------------------- https://blog.aquasec.com/travis-ci-security ∗∗∗ Sicherheitslücke im Apple M1 Chip: Pacman-Attacke umgeht Schutzschicht ∗∗∗ --------------------------------------------- Angriffe auf den M1-Prozessor sind durch ein Zusammenspiel von Hard- und Software möglich. Apple sieht allerdings keine unmittelbare Gefahr. --------------------------------------------- https://heise.de/-7140316 ∗∗∗ Vorsicht vor gefälschten Zahlungsaufforderungen per WhatsApp ∗∗∗ --------------------------------------------- Ihre Chefin bittet Sie, eine Rechnung zu begleichen. Sie fragen nach den Details und bekommen die Rechnung mit Zahlungsanweisungen zugesendet. Sie überweisen. Erst später bemerken Sie, dass es gar nicht Ihre Chefin war – sondern Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-zahlungsau… ∗∗∗ Internet Explorer 11 erreicht am 15. Juni 2022 End-of-Life (EOL) ∗∗∗ --------------------------------------------- Noch eine kurze Information an die Blog-Leserschaft, die ggf. noch den Internet Explorer 11 von Microsoft unter Windows im Einsatz haben. Zum heutigen Patchday, 14. Juni 2022, erhält der Browser letztmalig Sicherheitsupdates für verschiedene Windows-Versionen und fällt dann (zum 15. Juni 2022) aus dem Support. --------------------------------------------- https://www.borncity.com/blog/2022/06/14/internet-explorer-11-erreicht-am-1… ∗∗∗ CHM Malware Types with Anti-Sandbox Technique and Targeting Companies ∗∗∗ --------------------------------------------- Among CHM strains that are recently being distributed in Korea, the ASEC analysis team has discovered those applied with the anti-sandbox technique and targeting companies. --------------------------------------------- https://asec.ahnlab.com/en/35268/ ∗∗∗ NPM Replicator Remote Code Execution Deserialization ∗∗∗ --------------------------------------------- NPM, the package manager for Node.js, is an open source project that serves as a critical part of the JavaScript community and helps support one of the largest developer ecosystems. --------------------------------------------- https://checkmarx.com/blog/npm-replicator-remote-code-execution-deserializa… ∗∗∗ Supply Chain Attack: CTX Account Takeover and PHPass Hijack Explained ∗∗∗ --------------------------------------------- A threat actor recently hacked a popular PyPi repo on GitHub, setting off a supply chain attack that could have impacted millions of users. --------------------------------------------- https://orca.security/resources/blog/python-supply-chain-attack-ctx-phpass/ ∗∗∗ SynLapse – Technical Details for Critical Azure Synapse Vulnerability ∗∗∗ --------------------------------------------- Recently, the Orca Security research team discovered SynLapse, a tenant separation violation vulnerability in the Microsoft Azure Synapse environment. --------------------------------------------- https://orca.security/resources/blog/synlapse-critical-azure-synapse-analyt… ===================== = Vulnerabilities = ===================== ∗∗∗ New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials ∗∗∗ --------------------------------------------- A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction. --------------------------------------------- https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang-github-docker-libnetwork and moby-engine), Mageia (apache, docker-containerd, kernel, kernel-linus, nats-server, and php-smarty), Slackware (php), SUSE (gimp, grub2, thunderbird, u-boot, and xen), and Ubuntu (firefox, liblouis, ncurses, and rsync). --------------------------------------------- https://lwn.net/Articles/897847/ ∗∗∗ JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5708.php ∗∗∗ SSA-988345 V1.0: Local Privilege Escalation Vulnerability in Xpedition Designer ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-988345.txt ∗∗∗ SSA-911567 V1.0: Missing HTTP headers in SINEMA Remote Connect Server before V3.0 SP2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-911567.txt ∗∗∗ SSA-740594 V1.0: Privilege Escalation Vulnerability in Mendix SAML Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-740594.txt ∗∗∗ SSA-712929 V1.0: Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-712929.txt ∗∗∗ SSA-693555 V1.0: Memory Corruption Vulnerability in EN100 Ethernet Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-693555.txt ∗∗∗ SSA-685781 V1.0: Multiple Vulnerabilities in Apache HTTP Server Affecting Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-685781.txt ∗∗∗ SSA-631336 V1.0: Multiple Web Server Vulnerabilities in SICAM GridEdge Software ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-631336.txt ∗∗∗ SSA-484086 V1.0: Multiple Vulnerabilities in SINEMA Remote Connect Server before V3.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-484086.txt ∗∗∗ SSA-401167 V1.0: Cross-site scripting Vulnerability in Teamcenter Active Workspace ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-401167.txt ∗∗∗ SSA-388239 V1.0: Default Password Leakage affecting the Component Shared HIS used in Spectrum Power Systems ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-388239.txt ∗∗∗ SSA-330556 V1.0: PwnKit Vulnerability in SCALANCE LPE9403 and SINUMERIK Edge Products (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-330556.txt ∗∗∗ SSA-222547 V1.0: Third-Party Component Vulnerabilities in SCALANCE LPE9403 before V2.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-222547.txt ∗∗∗ SSA-220589 V1.0: Hard Coded Default Credential Vulnerability in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-220589.txt ∗∗∗ SSA-145224 V1.0: Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-145224.txt ∗∗∗ IBM Security Bulletins 2022-06-13 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ TYPO3 CORE: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories/typo3-cms ∗∗∗ ABB Security Advisory: Link Following Local Privilege Escalation Vulnerabilities in ABB Automation Builder, Drive Composer and Mint WorkBench ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0305&Lan… ∗∗∗ Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX460016/citrix-application-delivery-ma… ∗∗∗ Meridian Cooperative Meridian ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-02 ∗∗∗ Mitsubishi Electric MELSEC-Q/L and MELSEC iQ-R ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.06.2022
by Daily end-of-shift report 13 Jun '22

13 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-06-2022 18:00 − Montag 13-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Krypto-Miner und Verschlüsselungstrojaner schlüpfen durch Confluence-Lücke ∗∗∗ --------------------------------------------- Es häufen sich Attacken auf ungepatchte Instanzen von Confluence und Data Center. Sicherheitspatches sind verfügbar. --------------------------------------------- https://heise.de/-7138563 ∗∗∗ Buchen Sie Ihr Hotel nicht über hotels-in-tyrol.com ∗∗∗ --------------------------------------------- Die Buchungsplattform hotels-in-tyrol.com vermittelt Unterkünfte in Tirol. Wir raten zur Vorsicht. Auf der Plattform gibt es weder Informationen zum Betreiber noch Kontaktdaten. Im Reiter „Über uns“ wird lediglich ein Unternehmen namens „LocalHotels Ltd“ angeführt. Wir gehen aber davon aus, dass dieses Unternehmen gar nicht existiert. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihr-hotel-nicht-ueber-hot… ∗∗∗ Massenhafte Kontenübernahme bei smarten Yunmai Waagen möglich ∗∗∗ --------------------------------------------- Vom chinesischen Hersteller Yunmai wurden auch in Deutschland smarte Körperfettwaagen angeboten. Diese lassen sich per Bluetooth mit einer App auf dem Smartphone koppeln, so dass die persönlichen Daten mehrerer Personen in persönlichen Profilen gespeichert werden können. Leider hapert es mit der Sicherheit, wie Sicherheitsexperten festgestellt haben. Das Yunmai API ermöglicht die massenhafte Kontenübernahme oder die Umgehung der Hersteller-Restriktionen. --------------------------------------------- https://www.borncity.com/blog/2022/06/11/massenhafte-kontenbernahme-bei-sma… ∗∗∗ PyPI package keep mistakenly included a password stealer ∗∗∗ --------------------------------------------- PyPI packages keep, pyanxdns, api-res-py were found to contain a password-stealer and a backdoor due to the presence of malicious request dependency within some versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-package-keep-mistakenly… ∗∗∗ New Syslogk Linux rootkit uses magic packets to trigger backdoor ∗∗∗ --------------------------------------------- A new rootkit malware named Syslogk has been spotted in the wild, and it features advanced process and file hiding techniques that make detection highly unlikely. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-syslogk-linux-rootkit-us… ∗∗∗ EPSScall: An Exploit Prediction Scoring System App, (Fri, Jun 10th) ∗∗∗ --------------------------------------------- If you follow Cyentia Institute’s Jay Jacobs via social media you may FIRST ;-) have learned about the Exploit Prediction Scoring System (EPSS) from him, as I did. I quickly learned that FIRST offers an API for the EPSS Model, which immediately piqued my interest. Per FIRST, EPSS provides a fundamentally new capability for efficient, data-driven vulnerability management. While EPSS predicts the probability (threat) of a specific vulnerability being exploited, it can scale to estimate the threat for multiple vulnerabilities on a server, a subnet, mobile device, or at an enterprise level (Jacobs, 2022). --------------------------------------------- https://isc.sans.edu/diary/rss/28732 ∗∗∗ Translating Saitamas DNS tunneling messages, (Mon, Jun 13th) ∗∗∗ --------------------------------------------- Saitama is a backdoor that uses the DNS protocol to encapsulate its command and control (C2) messages - a technique known as DNS Tunneling (MITRE ATT&CK T1071). Spotted and documented by MalwareBytes in two articles posted last month (How the Saitama backdoor uses DNS tunneling and APT34 targets Jordan Government using new Saitama backdoor), Saitama was used in a phishing e-mail targeted to a government official from Jordans foreign ministry on an attack [...] --------------------------------------------- https://isc.sans.edu/diary/rss/28738 ∗∗∗ ModBus 101: One Protocol to Rule the OT World ∗∗∗ --------------------------------------------- Ever wondered how large-scale power plants monitor or control the myriad of systems that fill their environment? Have you thought about how some of the world’s greatest industrial hacks were enacted? This post will look to illuminate how one tiny legacy protocol, namely "ModBus" could help to understand just how straight forward this could be. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modbus-101-… ∗∗∗ Smilodon Credit Card Skimming Malware Shifts to WordPress ∗∗∗ --------------------------------------------- WordPress’ massive market share has come with an unsurprising side effect: As more and more site admins turn to popular plugins like WooCommerce to turn a profit on their website and set up online stores we’ve seen a significant increase in the number of attacks targeting WordPress eCommerce sites. What’s more, bad actors are repurposing their old Magento credit card stealing malware for use against WordPress. --------------------------------------------- https://blog.sucuri.net/2022/06/smilodon-credit-card-skimming-malware-shift… ∗∗∗ MIT Researchers Discover New Flaw in Apple M1 CPUs That Cant Be Patched ∗∗∗ --------------------------------------------- A novel hardware attack dubbed PACMAN has been demonstrated against Apples M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems. It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," [...] --------------------------------------------- https://thehackernews.com/2022/06/mit-researchers-discover-new-flaw-in.html ∗∗∗ Extracting Clear-Text Credentials Directly From Chromium’s Memory ∗∗∗ --------------------------------------------- Credential data (URL/username/password) is stored in Chrome’s memory in clear-text format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager (“Login Data” file). --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/extracting-clear-te… ∗∗∗ Researchers: Wi-Fi Probe Requests Expose User Data ∗∗∗ --------------------------------------------- A group of academic researchers from the University of Hamburg in Germany has discovered that mobile devices leak identifying information about their owners via Wi-Fi probe requests. Mobile devices use these probe requests to receive information about nearby Wi-Fi access points and establish connections to them when a probe response is received. --------------------------------------------- https://www.securityweek.com/researchers-wi-fi-probe-requests-expose-user-d… ∗∗∗ Exposing HelloXD Ransomware and x4k ∗∗∗ --------------------------------------------- HelloXD is a ransomware family in its initial stages - but already seeking to impact organizations. We analyze samples and hunt for attribution. --------------------------------------------- https://unit42.paloaltonetworks.com/helloxd-ransomware/ ∗∗∗ GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool ∗∗∗ --------------------------------------------- A new, difficult-to-detect remote access trojan named PingPull is being used by GALLIUM, an advanced persistent threat (APT) group. --------------------------------------------- https://unit42.paloaltonetworks.com/pingpull-gallium/ ∗∗∗ Microsoft Azure Synapse Pwnalytics ∗∗∗ --------------------------------------------- [...] Synapse Analytics utilizes Apache Spark for the underlying provisioning of clusters that user code is run on. User code in these environments is run with intentionally limited privileges because the environments are managed by internal Microsoft subscription IDs, which is generally indicative of a multi-tenant environment. Tenable Research has discovered a privilege escalation flaw that allows a user to escalate privileges to that of the root user within the context of a Spark VM. We have also discovered a flaw that allows a user to poison the hosts file on all nodes in their Spark pool, which allows one to redirect subsets of traffic and snoop on services users generally do not have access to. The full privilege escalation flaw has been adequately addressed. However, the hosts file poisoning flaw remains unpatched at the time of this writing. --------------------------------------------- https://medium.com/tenable-techblog/microsoft-azure-synapse-pwnalytics-87c9… ===================== = Vulnerabilities = ===================== ∗∗∗ QTS 5.0.0-Sicherheitsupdates für QNAP-NAS Geräte (8. Juni 2022) ∗∗∗ --------------------------------------------- Kurzer Hinweis an Leser und Leserinnen, die NAS-Laufwerke von QNAP im Einsatz haben. In der QTS 5.0.0-Software gibt es in älteren Versionen gravierende Schwachstellen, die am 8. Juni 2022 mit einem Update der Firmware auf QTS 5.0.0.2055 build 20220531 beseitigt wurden. --------------------------------------------- https://www.borncity.com/blog/2022/06/11/qts-5-sicherheitsupdates-fr-qnap-n… ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329) ∗∗∗ --------------------------------------------- The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device. Five vulnerabilities were discovered. Below are links to the associated technical advisories: [...] --------------------------------------------- https://research.nccgroup.com/2022/06/10/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, containerd, kernel, ntfs-3g, and vlc), Fedora (buildah and logrotate), Red Hat (xz), and SUSE (google-gson, netty3, rubygem-sinatra, and u-boot). --------------------------------------------- https://lwn.net/Articles/897711/ ∗∗∗ Drupal Releases Security Updates ∗∗∗ --------------------------------------------- Drupal has released security updates to address a Guzzle third-party library vulnerability that does not affect Drupal core but may affect some contributed projects or custom code on Drupal sites. Exploitation of this vulnerability could allow a remote attacker to take control of an affected website. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/13/drupal-releases-s… ∗∗∗ Screams of Power vulnerabilities (Powertek-based PDUs) ∗∗∗ --------------------------------------------- Even if the PDUs you use in your data center aren't branded "Powertek", please keep reading. Powertek is a company that makes datacenter class smart PDUs (Power Distribution Units - i.e. heavy duty power cords) for server racks. They sell both directly (or at least used to in the past I think?) and through their resellers. There is one reseller per country and they commonly rebrand their PDUs (e.g. mine has a logo of the Swiss reseller - schneikel). Anyway, in March I've done a quick 3h review of the firmware and found multiple vulnerabilities and weaknesses in Powertek PDU's firmware v3.30.23 and possibly prior (details below). So, if you're using a PDU that is running Powertek firmware, you might want to patch now. --------------------------------------------- https://gynvael.coldwind.pl/?id=748 ∗∗∗ OTRS: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0702 ∗∗∗ Security Bulletin: A vulnerability in OpenSSL affects IBM InfoSphere Information Server (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-openss… ∗∗∗ Security Bulletin: A Unspecified Java Vulnerability is affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-unspecified-java-vulner… ∗∗∗ Security Bulletin: IBM Event Streams is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-vuln… ∗∗∗ Security Bulletin: Due to use of Spring Framework, IBM Db2 Web Query for i is vulnerable to unprotected fields (CVE-2022-22968), remote code execution (CVE-2022-22965), and denial of service (CVE-2022-22950). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-spring-fram… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service, due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Java XML vulnerability affects Liberty for Java for IBM Cloud due to CVE-2022-21299 deferred from Oracle Jan 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-xml-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Identity Spoofing (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.06.2022
by Daily end-of-shift report 10 Jun '22

10 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-06-2022 18:00 − Freitag 10-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cyber Europe 2022 – europaweite Cyber-Sicherheitsübung ∗∗∗ --------------------------------------------- Im Zuge der 2-tägigen Cyber-Sicherheitsübung „Cyber Europe“ arbeiteten Behörden und nationale Computer-Notfallteams in ganz Europa intensiv an Schutz und Abwehr der angegriffenen IT-Bereiche. Über 800 Teilnehmer:innen waren dazu EU-weit an der Übung beteiligt. In Österreich war für die Koordination das Bundeskanzleramt zuständig. Das Gesundheitsministerium, das Innenministerium, das Außenministerium, das Verteidigungsministerium und die zuständigen Computernotfallteams waren in die Übung eingebunden. --------------------------------------------- https://www.ots.at/presseaussendung/OTS_20220609_OTS0200/cyber-europe-2022-… ∗∗∗ Phishing Campaigns featuring Ursnif Trojan on the Rise ∗∗∗ --------------------------------------------- McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-fea… ∗∗∗ Neue Linux-Malware aufgespürt ∗∗∗ --------------------------------------------- Eine gemeinsame Forschungsarbeit hat zur Entdeckung von Symbiote geführt, einer neuen Form von Linux-Malware, die nur schwer zu erkennen ist. Hacker erhalten damit Rootkit-Zugriff. --------------------------------------------- https://www.zdnet.de/88401771/neue-linux-malware-aufgespuert/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-09 - 2022-06-10 ∗∗∗ --------------------------------------------- IBM TXSeries, IBM Connections, IBM Watson, IBM Spectrum, IBM SDK, IBM Cloud Pak, IBM Db2 Mirror for i and IBM StoredIQ. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwachstellen in Infiray IRAY-A8Z3 Wärmebildkamera ∗∗∗ --------------------------------------------- Die IRAY A8Z3 Wärmebildkamera für Industrieapplikationen von Infiray/IRay Technologies ist anfällig auf verschiedene Schwachstellen, welche sich aus unsicherer Programmierung, unsicherer Konfiguration sowie veralteten eingebetteten Softwarekomponenten ergeben. Mehrere Angriffsmöglichkeiten für Remote Code Execution (RCE) wurden gefunden. Der Hersteller hat sich im Zuge unserer Responsible Disclosure nicht mehr gemeldet, weshalb unklar ist, ob Patches verfügbar sind. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/schwachstellen-infira… ∗∗∗ PHP: Updates verhindern Einschleusen von Schadcode ∗∗∗ --------------------------------------------- Fehler in PHP-Modulen zur Verbindung mit SQL-Datenbanken erlauben die Ausführung beliebigen Codes. Admins von Shared-Hosting-Servern sollten schnell updaten. --------------------------------------------- https://heise.de/-7136766 ∗∗∗ Fortinet entfernt hartcodierten Schlüssel und verhindert unberechtigte Zugriffe ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für mehrere Produkte von Fortinet. Einige Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-7136620 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-bottle), Fedora (grub2 and kernel), Mageia (python-pypdf2, python-ujson, and vim), and SUSE (fribidi, grub2, mozilla-nss, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/897518/ ∗∗∗ Vulnerabilities in HID Mercury Access Controllers Allow Hackers to Unlock Doors ∗∗∗ --------------------------------------------- https://www.securityweek.com/vulnerabilities-hid-mercury-access-controllers… ∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-160-01 ∗∗∗ "Undocumented Functionality" (Backdoor) in Mitel Desk Phones (SYSS-2022-021) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/undocumented-functionality-backdoor-in-mit… ∗∗∗ Kritische Schwachstelle in Crypto USB Flash Drive Lepin EP-KP001 (SYSS-2022-024) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/kritische-schwachstelle-in-crypto-usb-flas… ∗∗∗ Chrome 102.0.5005.115 fixt Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/06/10/chrome-102-0-5005-115-fixt-schwach… ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.06.2022
by Daily end-of-shift report 09 Jun '22

09 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-06-2022 18:00 − Donnerstag 09-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Emotet Variant Stealing Users Credit Card Information from Google Chrome ∗∗∗ --------------------------------------------- The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser. --------------------------------------------- https://thehackernews.com/2022/06/new-emotet-variant-stealing-users.html ∗∗∗ MakeMoney malvertising campaign adds fake update template ∗∗∗ --------------------------------------------- We catch up with some old acquaintances that just arent ready to hang up the towel just yet. The post MakeMoney malvertising campaign adds fake update template appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvert… ∗∗∗ ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat ∗∗∗ --------------------------------------------- A review of whats changed in malware in 2022, and what hasnt, based on Adam Kujawas talk at RSAC 2022. The post ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2022/06/asyncrat-surpasses-dr… ∗∗∗ Nebenjob als Betrugshelfer:in – Vorsicht vor europost-eu.biz ∗∗∗ --------------------------------------------- Ein vielversprechender Nebenjob als Paketempfänger:in lockt mit Home-Office und guten Arbeitsbedingungen. Für 25 € pro Stunde müssen Sie Pakete empfangen und weiterversenden. Was nicht erwähnt wird: Nehmen Sie den Job an, beteiligen Sie sich möglicherweise an Bestellbetrug und machen sich strafbar! --------------------------------------------- https://www.watchlist-internet.at/news/nebenjob-als-betrugshelferin-vorsich… ∗∗∗ LockBit 2.0: How This RaaS Operates and How to Protect Against It ∗∗∗ --------------------------------------------- LockBit 2.0 has so far been this years most active ransomware gang on double-extortion leak sites. Learn about their tactics. --------------------------------------------- https://unit42.paloaltonetworks.com/lockbit-2-ransomware/ ∗∗∗ How to audit Node.js modules ∗∗∗ --------------------------------------------- Node.js is one of the best and most widely used Javascript runtimes used for building APIs. But, this popularity status has led to many hackers distributing insecure modules that exploit the Node.js application or provide a weak point for exploitation. --------------------------------------------- https://mattermost.com/blog/how-to-audit-nodejs-modules/ ∗∗∗ Follina-Schwachstelle (CVE-2022-30190): Neue Erkenntnisse, neue Risiken (9.6.2022) ∗∗∗ --------------------------------------------- Die seit Ende Mai 2022 bekannt gewordene Schwachstelle CVE-2022-30190 (Follina) in Windows entwickelt sich langsam zum Problembär. Die von Microsoft und hier im Blog beschriebenen Gegenmaßnahmen erscheinen nicht ausreichend. --------------------------------------------- https://www.borncity.com/blog/2022/06/09/follina-schwachstelle-cve-2022-301… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in veralteten Zyxel-Firewalls: Neukauf als Fix ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Zyxel warnt vor Sicherheitslücken in älteren Firewalls, deren Support ausgelaufen ist. Abhilfe schaffe der Austausch mit neueren Geräten. --------------------------------------------- https://heise.de/-7135405 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mailman and python-bottle), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, subversion:1.14, and xz), Scientific Linux (python-twisted-web), Slackware (httpd), and Ubuntu (ca-certificates, ffmpeg, ghostscript, and varnish). --------------------------------------------- https://lwn.net/Articles/897372/ ∗∗∗ Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat ∗∗∗ --------------------------------------------- Symbiote is a new Linux malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on machines. --------------------------------------------- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to directory traversal due to Moment.js (CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to cross-site scripting due to Angular (220414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (January 2022) affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Rational Software Architect RealTime Edition (RSA RT) is vulnerable to Apache Log4j2 – CVE-2021-44832 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-software-arc… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to denial of service due to gson 217225 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ K13559191: Linux kernel vulnerability CVE-2022-25636 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13559191?utm_source=f5support&utm_mediu… ∗∗∗ Xen Security Advisory CVE-2022-26363, CVE-2022-26364 / XSA-402 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-402.html ∗∗∗ Xen Security Advisory CVE-2022-26362 / XSA-401 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-401.html ∗∗∗ Case opened: DIVD-2021-00037 - Critical vulnerabilities in ITarian MSP platform and on-premise solution ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2021-00037/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.06.2022
by Daily end-of-shift report 08 Jun '22

08 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-06-2022 18:00 − Mittwoch 08-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Linux version of Black Basta ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines running on enterprise Linux servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-black-basta… ∗∗∗ Poisoned CCleaner search results spread information-stealing malware ∗∗∗ --------------------------------------------- Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poisoned-ccleaner-search-res… ∗∗∗ Cuba ransomware returns to extorting victims with updated encryptor ∗∗∗ --------------------------------------------- The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cuba-ransomware-returns-to-e… ∗∗∗ Targeted phishing past defender ∗∗∗ --------------------------------------------- Signature based detections has shortcomings that matter in real scenarios. Depending only on prevention through an EDR like Defender is not enough in a modern attack scenario. --------------------------------------------- https://www.derant.com/network%20monitoring/2022/06/07/Targetted-phishing-p… ∗∗∗ New Technique Used by Attackers in NPM to Avoid Detection ∗∗∗ --------------------------------------------- Checkmarx SCS team recently detected several malicious NPM packages using a new evasion technique, enhancing dependency confusion attacks to help malicious packages avoid detection. --------------------------------------------- https://checkmarx.com/blog/new-technique-used-by-attackers-in-npm-to-avoid-… ===================== = Vulnerabilities = ===================== ∗∗∗ Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability ∗∗∗ --------------------------------------------- An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. --------------------------------------------- https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html ∗∗∗ Zero-Day-Lücke: Cybergangs missbrauchen MSDT-Leck für Qakbot-Infektionen ∗∗∗ --------------------------------------------- Die Cybergang hinter der Malware Quakbot missbraucht in Phishing-Kampagnen die MSDT-Zero-Day-Lücke. Infizierte Rechner verkauft sie meist an Ransomware-Banden. --------------------------------------------- https://heise.de/-7134949 ∗∗∗ Fehler in Linux-Kernel ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Ein Fehler im Firewall-Code des Linux-Kernels ermöglicht es Nutzern, Befehle als Root auszuführen. Administratoren können einen Workaround anwenden. --------------------------------------------- https://heise.de/-7134791 ∗∗∗ Kritische Schadcode-Lücke bedroht Universal Boot Loader U-Boot ∗∗∗ --------------------------------------------- Die Entwickler von U-Boot haben zwei gefährliche Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7134785 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (avahi), Fedora (firefox), Oracle (grub2, python-twisted-web, shim, shim-signed, and thunderbird), Red Hat (kernel and python-twisted-web), SUSE (gcc48, go1.17, go1.18, and mariadb), and Ubuntu (e2fsprogs, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-intel-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, [...] --------------------------------------------- https://lwn.net/Articles/897297/ ∗∗∗ Technical Details Released for Recently Patched Zyxel Firewall Vulnerabilities ∗∗∗ --------------------------------------------- Security researchers with HN Security have published technical details on two vulnerabilities affecting many Zyxel products. --------------------------------------------- https://www.securityweek.com/technical-details-released-recently-patched-zy… ∗∗∗ Owl Labs Patches Severe Vulnerability in Video Conferencing Devices ∗∗∗ --------------------------------------------- Video conferencing company Owl Labs has released patches for a severe vulnerability affecting its Meeting Owl Pro and Whiteboard Owl devices. --------------------------------------------- https://www.securityweek.com/owl-labs-patches-severe-vulnerability-video-co… ∗∗∗ Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer ∗∗∗ --------------------------------------------- Symantec has observed threat actors exploiting remote code execution flaw to drop AsyncRAT and information stealer. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/fo… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Spoofing (CVE-2022-22365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Command Center is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ FESTO: CECC-X-M1 - command injection vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-020/ ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0692 ∗∗∗ Mehrere Schwachstellen in "sicheren" mobilen Festplatten und Crypto-USB-Sticks von Verbatim (SYSS-2022-001/-017) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-sicheren-mobilen… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.06.2022
by Daily end-of-shift report 07 Jun '22

07 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-06-2022 18:00 − Dienstag 07-06-2022 18:15 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WatchDog hacking group launches new Docker cryptojacking campaign ∗∗∗ --------------------------------------------- The WatchDog hacking group is conducting a new cryptojacking campaign with advanced techniques for intrusion, worm-like propagation, and evasion of security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/watchdog-hacking-group-launc… ∗∗∗ QBot now pushes Black Basta ransomware in bot-powered attacks ∗∗∗ --------------------------------------------- The Black Basta ransomware gang has partnered with the QBot malware operation to gain spread laterally through hacked corporate environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-now-pushes-black-basta-… ∗∗∗ Researchers Warn of Spam Campaign Targeting Victims with SVCReady Malware ∗∗∗ --------------------------------------------- A new wave of phishing campaigns has been observed spreading a previously documented malware called SVCReady. --------------------------------------------- https://thehackernews.com/2022/06/researchers-warn-of-spam-campaign.html ∗∗∗ Neues Phishing-E-Mail der Erste Bank und Sparkasse ∗∗∗ --------------------------------------------- Aktuell kursiert ein neues Phishing-E-Mail im Namen der Erste Bank und Sparkasse. Im Schreiben werden Sie über eine angebliche Abbuchung von 1 259 Euro informiert. --------------------------------------------- https://www.watchlist-internet.at/news/neues-phishing-e-mail-der-erste-bank… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortiguard June 2022 Vulnerability Advisories ∗∗∗ --------------------------------------------- FortiAP-U, FortiDDoS, FortiOS, FortiAnalyzer, FortiManager, FortiSandbox, FortiTokenMobile, FortiAuthenticator, Apache Airflow and FortiClient. --------------------------------------------- https://www.fortiguard.com/psirt-monthly-advisory/june-2022-vulnerability-a… ∗∗∗ Jetzt patchen! Lage um Attacken auf Atlassian Confluence spitzt sich zu ∗∗∗ --------------------------------------------- Aufgrund von öffentlich verfügbarem Exploit-Code steigen die Attacken auf Confluence-Instanzen. Patches sind jetzt verfügbar. --------------------------------------------- https://heise.de/-7132633 ∗∗∗ Patchday: Google schließt Kernel- und Software-Lücken in Android ∗∗∗ --------------------------------------------- Besitzer von Android-Hardware sollte ihre Geräte aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-7133294 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav, firefox-esr, pidgin, and thunderbird), Fedora (dotnet3.1, firefox, kernel, vim, and webkit2gtk3), Mageia (firefox/nss/nspr, gimp, logrotate, mariadb, thunderbird, trojita, webkit2, and webmin), Oracle (thunderbird), Red Hat (compat-openssl11, postgresql:10, postgresql:12, and thunderbird), Slackware (pidgin), and SUSE (openvpn). --------------------------------------------- https://lwn.net/Articles/897163/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0, librecad, and php-horde-mime-viewer), Fedora (vim), and Ubuntu (freerdp2, ruby2.3, ruby2.5, ruby2.7, ruby3.0, and vim). --------------------------------------------- https://lwn.net/Articles/897226/ ∗∗∗ Critical U-Boot Vulnerability Allows Rooting of Embedded Systems ∗∗∗ --------------------------------------------- A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group. --------------------------------------------- https://www.securityweek.com/critical-u-boot-vulnerability-allows-rooting-e… ∗∗∗ Security Advisory -Input Verification Vulnerabilities Involved in Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220608-… ∗∗∗ Security Bulletin: IBM Cognos Controller is affected but not vulnerable to arbitrary code execution and SQL injection due to Apache Log4j v1 vulnerabilities (CVE-2022-23305, CVE-2022-23302, CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-is-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Public disclosed vulnerability from OpenSSL affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-public-disclosed-vulnerab… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by prototype pollution in DOJO (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL Injection (CVE-2022-31768) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Apache Commons as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-36090, CVE-2021-35517) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-as-used-by… ∗∗∗ Security Bulletin: CP4D Match 360 is vulnerable to remote attacker executing arbitrary code within IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cp4d-match-360-is-vulnera… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by multiple Apache HTTP Server Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Multiple vulnerabilities in multiple dependencies affect IBM MessageGateway/ MessageSight ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MaaS360 Mobile Enterprise Gateway uses Eclipse Jetty with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-mobile-enterp… ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway and VPN module have multiple vulnerabilities (CVE-2021-22060, CVE-2022-22950, CVE-2022-0547, CVE-2022-0778, CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in NumPy. (CVE-2021-33430). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ K29421535: Intel processor vulnerability CVE-2021-33117 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29421535 ∗∗∗ K95204515: Intel CPU vulnerability CVE-2022-21151 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K95204515 ∗∗∗ Grafana: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0690 ∗∗∗ Case update: DIVD-2022-00032 - Exchange backdoor ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00032/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.06.2022
by Daily end-of-shift report 03 Jun '22

03 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-06-2022 18:00 − Freitag 03-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Chinese LuoYu hackers deploy cyber-espionage malware via app updates ∗∗∗ --------------------------------------------- A Chinese-speaking hacking group known as LuoYu is infecting victims WinDealer information stealer malware deployed by switching legitimate app updates with malicious payloads in man-on-the-side attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chinese-luoyu-hackers-deploy… ∗∗∗ Evil Corp switches to LockBit ransomware to evade sanctions ∗∗∗ --------------------------------------------- The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets networks to evade sanctions imposed by the U.S. Treasury Departments Office of Foreign Assets Control (OFAC). --------------------------------------------- https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-lockbi… ∗∗∗ Analysis of the Massive NDSW/NDSX Malware Campaign ∗∗∗ --------------------------------------------- Recently, Avast’s researchers Pavel Novák and Jan Rubín posted a detailed writeup about the “Parrot TDS” campaign involving more than 16,500 infected websites. Such massive infections don’t go unnoticed by Sucuri and we immediately recognized that the infection in their writeup belonged to the campaign we internally refer to as “ndsw/ndsx” malware. --------------------------------------------- https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign… ∗∗∗ Reich mit Öl? Vorsicht vor der betrügerischen Investment-Plattform „Öl-Profit“! ∗∗∗ --------------------------------------------- Noch nie war der Online-Ölhandel so einfach wie heute. Jede Person könne hier reich werden – ohne etwas über Öl oder Wirtschaft zu wissen. So heißt es in einem angeblichen Artikel der deutschen Tageszeitung BILD. --------------------------------------------- https://www.watchlist-internet.at/news/reich-mit-oel-vorsicht-vor-der-betru… ∗∗∗ Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor ∗∗∗ --------------------------------------------- We observed a specially crafted DLL hijacking attack used by a previously unknown piece of malware that we dubbed Popping Eagle. --------------------------------------------- https://unit42.paloaltonetworks.com/popping-eagle-malware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angriffe auf Code-Execution-Lücke bedrohen Confluence-Installationen ∗∗∗ --------------------------------------------- Seit Anfang der Woche installieren Angreifer Backdoors über eine neue Lücke in Confluence. Admins sollten noch vor dem langen Wochenende Maßnahmen ergreifen. --------------------------------------------- https://heise.de/-7131081 ∗∗∗ GitLab Issues Security Patch for Critical Account Takeover Vulnerability ∗∗∗ --------------------------------------------- GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover. Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. --------------------------------------------- https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cifs-utils, debian-security-support, and pypdf2), Fedora (fapolicyd, mariadb, openssl, and qt5-qtbase), Oracle (firefox, maven:3.5, maven:3.6, postgresql:10, postgresql:12, and postgresql:13), Red Hat (.NET 6.0, firefox, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, pcs, rsync, subversion, thunderbird, and zlib), Scientific Linux (thunderbird), Slackware (mozilla), SUSE (firefox, hdf5, suse-hpc, kernel-firmware, libarchive, patch, php8, and redis), and Ubuntu (cifs-utils and vim). --------------------------------------------- https://lwn.net/Articles/897016/ ∗∗∗ Security Bulletin: IBM Edge Application Manager is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-edge-application-mana… ∗∗∗ Security Bulletin: IBM DataPower Gateway Virtual Edition uses out of date ICU libraries in open-vm-tools ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vir… ∗∗∗ Security Bulletin: IBM Telco Network Cloud Manager – Performance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-telco-network-cloud-m… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to improper input validation in Spring Framework (CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in Kerberos ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by a vulnerability in glibc (CVE-2021-35942) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in glibc (CVE-2021-35942) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthenticated attacker obtaining sensitive information and other attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus may disclose sensitive information in virgo log file (CVE-2022-22396) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0682 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.06.2022
by Daily end-of-shift report 02 Jun '22

02 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-06-2022 18:00 − Donnerstag 02-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Conti ransomware targeted Intel firmware for stealthy attacks ∗∗∗ --------------------------------------------- Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-in… ∗∗∗ Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks ∗∗∗ --------------------------------------------- As ransomware infections have evolved from purely encrypting data to schemes such as double and triple extortion, a new attack vector is likely to set the stage for future campaigns. --------------------------------------------- https://thehackernews.com/2022/06/researchers-demonstrate-ransomware-for.ht… ∗∗∗ Europol: FluBot-Infrastruktur unter Kontrolle von Strafverfolgern ∗∗∗ --------------------------------------------- Internationale Strafverfolger konnten die SMS-basierte Android-Spyware FluBot einbremsen. Dies gelang durch die Übernahme der FluBot-Infrastruktur. --------------------------------------------- https://heise.de/-7130270 ∗∗∗ Warnung vor Spoofing mit BSI-Rufnummer ∗∗∗ --------------------------------------------- Das BSI erhält derzeit Meldungen, dass vermehrte Anrufe mit der Rufnummer des BSI und einer zweistelligen Durchwahl erfolgen. Es handelt sich nicht um Anrufe des BSI. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Vorsicht Telefon-Betrug: Tonbandstimme lockt in die Falle! ∗∗∗ --------------------------------------------- Zahlreiche Meldungen berichten von Anrufen einer Tonbandstimme, die dazu auffordert auf die Taste 1 zu drücken. Folgen Sie den Anweisungen nicht! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-telefon-betrug-tonbandstimm… ===================== = Vulnerabilities = ===================== ∗∗∗ SearchNightmare: Windows 10 search-ms: URI Handler 0-day Exploit mit Office 2019 ∗∗∗ --------------------------------------------- Nach der Entdeckung des Missbrauchs der Follina-Schwachstelle (CVE-2022-30190) über das Windows ms-msdt-Protokolls wird diese Bastion "sturmreif" geschossen. Ein Hacker hat sich den search-ms: URI Handler in Windows 10 angesehen und einen ähnlichen Exploit wie Follina entwickelt. --------------------------------------------- https://www.borncity.com/blog/2022/06/02/searchnightmare-windows-10-search-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (thunderbird and vim), Red Hat (firefox, postgresql:10, postgresql:12, and postgresql:13), Scientific Linux (firefox and rsyslog), SUSE (hdf5, hdf5, suse-hpc, postgresql14, rubygem-yajl-ruby, and udisks2), and Ubuntu (imagemagick and influxdb). --------------------------------------------- https://lwn.net/Articles/896896/ ∗∗∗ Millions of Budget Smartphones With UNISOC Chips Vulnerable to Remote DoS Attacks ∗∗∗ --------------------------------------------- Millions of budget smartphones that use UNISOC chipsets could have their communications remotely disrupted by hackers due to a critical vulnerability discovered recently by researchers at cybersecurity firm Check Point. --------------------------------------------- https://www.securityweek.com/millions-budget-smartphones-unisoc-chips-vulne… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Node.js affects IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability CVE-2021-35550 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to directory traversal due to Moment.js (CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Common Licensing is vulnerable by a remote code attack in Spring Framework (CVE-2021-22096,CVE-2021-22060,CVE-2022-22950,CVE-2022-22968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-common-licensing-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Java SE that could allow an unauthenticated attacker to obtain sensitive information affect IBM® Db2®. (CVE-2021-35603, CVE-2021-35550, CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in Nginx affects IBM Cloud Private and could allow a remote attacker to obtain sensitive information (177988) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nginx-af… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Watson Machine Learning Accelerator is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-a… ∗∗∗ Security Bulletin: CVE-2022-21299 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2022-21299-may-affect… ∗∗∗ Security Bulletin: HMC is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hmc-is-affected-but-not-c… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to cross-site scripting due to Angular (220414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to denial of service due to FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to denial of service due to gson 217225 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities – IBM JDK 8.0.7.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to cross tenant information exposure (CVE-2022-22506) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2021-35561 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35561-may-affect… ∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2022/05/long-term-support-channel-upda… ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 101 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-23/ ∗∗∗ Autodesk AutoCAD: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0677 ∗∗∗ Illumina Local Run Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-153-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily