Daily

daily@lists.cert.at

1 participants
3182 discussions

Tageszusammenfassung - 06.04.2022
by Daily end-of-shift report 06 Apr '22

06 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-04-2022 18:00 − Mittwoch 06-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft detects Spring4Shell attacks across its cloud services ∗∗∗ --------------------------------------------- Microsoft said that its currently tracking a "low volume of exploit attempts" targeting the critical Spring4Shell (aka SpringShell) remote code execution (RCE) vulnerability across its cloud services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-detects-spring4she… ∗∗∗ Windows MetaStealer Malware, (Wed, Apr 6th) ∗∗∗ --------------------------------------------- The malware abuses legitimate services by Github and transfer.sh to host these data binaries. All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary. --------------------------------------------- https://isc.sans.edu/diary/rss/28522 ∗∗∗ Zero-Day-Lücken: Ältere macOS- und iOS-Versionen weiter angreifbar ∗∗∗ --------------------------------------------- Aktiv ausgenutzte Lücken hat Apple nur in iOS 15 und macOS 12 gestopft. Sicherheitsforschern zufolge sind aber auch ältere Betriebssystemversionen verwundbar. --------------------------------------------- https://heise.de/-6664730 ∗∗∗ Wenn der PC plötzlich steckenbleibt, nicht bei Microsoft anrufen! ∗∗∗ --------------------------------------------- Die Betrugsmasche, bei der sich Kriminelle als Microsoft-Angestellte ausgeben und ihre Opfer telefonisch kontaktieren, ist weitläufig bekannt. Aktuell erhalten Betroffene vermehrt keinen Anruf, sondern werden durch Pop-ups auf ihren Bildschirmen, die die Nutzung des Computers einschränken, zu Anrufen bewegt. Achtung: Nicht anrufen, sonst drohen Geld- und Datenverluste! --------------------------------------------- https://www.watchlist-internet.at/news/wenn-der-pc-ploetzlich-steckenbleibt… ∗∗∗ Fake e‑shops on the prowl for banking credentials using Android malware ∗∗∗ --------------------------------------------- This campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with even more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious websites and Android trojans attributed to this campaign. --------------------------------------------- https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credent… ∗∗∗ Analyzing a “multilayer” Maldoc: A Beginner’s Guide ∗∗∗ --------------------------------------------- In this blog post, we will not only analyze an interesting malicious document, but we will also demonstrate the steps required to get you up and running with the necessary analysis tools. There is also a howto video for this blog post. --------------------------------------------- https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories (FortiClient, FortiEDR, FortiWAN) ∗∗∗ --------------------------------------------- * FortiClient (Linux) - Improper directories permissions * FortiClient (Linux) - external access to confighandler webserver * FortiClient (Windows) - privilege escalation in online installer due to incorrect working directory * FortiEDR - Denial of service due to folder access permission change * FortiEDR - Hardcoded AES key enable disabling local Collector * FortiEDR - Insecure RSA key transport * FortiWAN - Improper cryptographic operations in Dynamic Tunnel Protocol * FortiWAN - Pervasive OS command --------------------------------------------- https://www.fortiguard.com/psirt?date=04-2022 ∗∗∗ VMSA-2022-0011 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.3-9.8 CVE(s): CVE-2022-22954, CVE-2022-22955,CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0011.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (rizin), Fedora (fish, gdal, mingw-fribidi, mingw-gdal, mingw-openexr, mingw-python-pillow, mingw-python3, and python-pillow), Mageia (chromium-browser-stable), Oracle (Extended Lifecycle Support (ELS) Unbreakable Enterprise kernel and kernel), Red Hat (kernel, kernel-rt, and Red Hat OpenStack Platform 16.2 (python-waitress)), Scientific Linux (kernel), Slackware (mozilla), SUSE (mozilla-nss), and Ubuntu (h2database). --------------------------------------------- https://lwn.net/Articles/890404/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.8 ∗∗∗ --------------------------------------------- CVE-2022-1097, CVE-2022-28281, CVE-2022-1197, CVE-2022-1196, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, CVE-2022-28289 In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/ ∗∗∗ Spring Cloud Data Flow 2.9.4 Released ∗∗∗ --------------------------------------------- On behalf of the team and everyone who has contributed, I’m happy to announce that Spring Cloud Dataflow 2.9.4 has been released and is now available from Maven Central. This release contains an update of the Spring Boot version and addresses a couple of CVEs. Notable Changes in 2.9.4: * Update to Spring Boot 2.5.12 * Resolves CVE-2022-22965 * Resolves CVE-2021-29425 --------------------------------------------- https://spring.io/blog/2022/04/05/spring-cloud-data-flow-2-9-4-released ∗∗∗ Improper Authentication Management Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220406-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Watson Query potentially exposes adminstrator's key under some conditions due to CVE-2022-22410 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-query-potentially-… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-38893 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Vulnerabilities with Apache HTTP Server affect IBM Cloud Object Storage Systems (Apr 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-apac… ∗∗∗ K49419538: libxml2 vulnerability CVE 2016-4658 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K49419538?utm_source=f5support&utm_mediu… ∗∗∗ WAGO: Multiple Products affected by Linux Kernel Vulnerability Dirty Pipe ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-009/ ∗∗∗ LifePoint Informatics Patient Portal ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-095-01 ∗∗∗ Rockwell Automation ISaGRAF ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-095-01 ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-095-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2022
by Daily end-of-shift report 05 Apr '22

05 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Montag 04-04-2022 18:00 − Dienstag 05-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ WhatsApp voice message phishing emails push info-stealing malware ∗∗∗ --------------------------------------------- A new WhatsApp phishing campaign impersonating WhatsApps voice message feature has been discovered, attempting to spread information-stealing malware to at least 27,655 email addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/whatsapp-voice-message-phish… ∗∗∗ SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965 ∗∗∗ --------------------------------------------- Microsoft provides guidance for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical vulnerability CVE-2022-22965, also known as SpringShell or Spring4Shell. --------------------------------------------- https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerab… ∗∗∗ WebLogic Crypto Miner Malware Disabling Alibaba Cloud Monitoring Tools, (Tue, Apr 5th) ∗∗∗ --------------------------------------------- Looking through my honeypot logs for some Spring4Shell exploits (I didn't find anything interesting), I came across this attempt to exploit an older WebLogic vulnerability (likely %%cve:2020-14882%% or %%cve:2020-14883%%). The exploit itself is "run of the mill," but the script downloaded is going through an excessively long list of competitors to disable and disabled cloud monitoring tools, likely to make detecting and response more difficult. --------------------------------------------- https://isc.sans.edu/diary/rss/28520 ∗∗∗ ZDI-22-547: (0Day) (Pwn2Own) Samsung Galaxy S21 Exposed Dangerous Method Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to execute arbitrary code on affected installations of Samsung Galaxy S21 phones. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-547/ ∗∗∗ Phishing-Angriffe auf Kryptowährungssektor nach Einbruch bei MailChimp ∗∗∗ --------------------------------------------- Nach einem Einbruch beim Marketing-Mail-Anbieter MailChimp haben Cyberkriminelle versucht, per Phishing an Kryptowährungen von Krypto-Wallet-Kunden zu gelangen. --------------------------------------------- https://heise.de/-6662971 ∗∗∗ CISA advises D-Link users to take vulnerable routers offline ∗∗∗ --------------------------------------------- CISA has advised users to take certain vulnerable D-Link routers offline since the existing vulnerabilities are know to be actively exploited and the models have reached EOL and will not get patched. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-adv… ∗∗∗ Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter ∗∗∗ --------------------------------------------- Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims.The infections leverage process injection to evade detection by endpoint security software. --------------------------------------------- http://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html ===================== = Vulnerabilities = ===================== ∗∗∗ Android Security Bulletin—April 2022 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-04-05 or later address all of these issues. --------------------------------------------- https://source.android.com/security/bulletin/2022-04-01 ∗∗∗ Xen Security Advisory CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 / XSA-400 ∗∗∗ --------------------------------------------- IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. The precise impact is system specific, but would likely be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-400.html ∗∗∗ Xen Security Advisory CVE-2022-26357 / XSA-399 ∗∗∗ --------------------------------------------- race in VT-d domain ID cleanup. The precise impact is system specific, but would typically be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-399.html ∗∗∗ Xen Security Advisory CVE-2022-26356 / XSA-397 ∗∗∗ --------------------------------------------- Racy interactions between dirty vram tracking and paging log dirty hypercalls. An attacker can cause Xen to leak memory, eventually leading to a Denial of Service (DoS) affecting the entire host. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-397.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (polkit, postgresql, and zlib), openSUSE (389-ds and opera), Red Hat (kpatch-patch), SUSE (389-ds and util-linux), and Ubuntu (waitress). --------------------------------------------- https://lwn.net/Articles/890258/ ∗∗∗ Kyocera Printer: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Kyocera Printer ausnutzen, um Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0391 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- This issue may allow privileged code in a guest VM to cause the host to crash or become unresponsive. The issue only affects systems with Intel CPUs where the malicious guest VM has had a physical PCI device assigned to it by the host administrator using the PCI passthrough feature. The issue has the following identifier: CVE-2022-26357 Customers who have not assigned a physical PCI device to a guest VM are not affected by this issue. Customers who are running on systems with only AMD CPUs are also not affected by this issue. --------------------------------------------- https://support.citrix.com/article/CTX390511 ∗∗∗ Sicherheitsupdate für Webbrowser Google Chrome ∗∗∗ --------------------------------------------- https://heise.de/-6662814 ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple issues within Red Hat UBI packages and the IBM WebSphere Application Server Liberty shipped with IBM MQ Operator v1.7 CD Release ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Dojo Toolkil shipped with IBM Tivoli Netcool Impact (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by account enumeration and denial of service vulnerabilities (CVE-2022-22356 and CVE-2022-22355) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vuln… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by gson vulnerability (C2021-0419) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ K29855410: Vim vulnerabilities CVE-2022-0261, CVE-2022-0318, CVE-2022-0361, CVE-2022-0392, and CVE-2022-0413 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29855410?utm_source=f5support&utm_mediu… ∗∗∗ K08827426: Vim vulnerability CVE-2022-0359 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08827426?utm_source=f5support&utm_mediu… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 91.8 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/ ∗∗∗ Security Vulnerabilities fixed in Firefox 99 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2022
by Daily end-of-shift report 04 Apr '22

04 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-04-2022 18:00 − Montag 04-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fake-Shop-Alarm: Vorsicht beim Online-Einkauf von Markenware! ∗∗∗ --------------------------------------------- Wer Markenkleidung oder -schuhe online kaufen will, sollte sich vergewissern, dass das Angebot seriös ist. Denn derzeit tauchen zahlreiche Fake-Shops auf, die angeben, beliebte Markenware zu verkaufen. Keine dieser betrügerischen Shops hat ein Impressum auf der Seite, die Webadresse hat außerdem nichts mit den angebotenen Waren zu tun. Das sind typische Merkmale für Fake-Shops und gute Gründe, hier nicht einzukaufen! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-beim-online… ∗∗∗ Explaining Spring4Shell: The Internet security disaster that wasn’t ∗∗∗ --------------------------------------------- Vulnerability in the Spring Java Framework is important, but its no Log4Shell. --------------------------------------------- https://arstechnica.com/?p=1845362 ∗∗∗ Beastmode botnet boosts DDoS power with new router exploits ∗∗∗ --------------------------------------------- A Mirai-based distributed denial-of-service (DDoS) botnet tracked as Beastmode (aka B3astmode) has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos… ∗∗∗ Emptying the Phishtank: Are WordPress sites the Mosquitoes of the Internet?, (Mon, Apr 4th) ∗∗∗ --------------------------------------------- In November, an accountant working for a construction company received an innocent enough-looking email: An update on the terms to submit bills to a local county. Seeing the email, the accountant clicked on the link and quickly downloaded the new document after entering their Outlook 365 credentials. The PDF looked all right but was something the accountant had already downloaded a couple of weeks ago from the county’s official website. [...] This, turns out, was a typical case of “business email compromise.” --------------------------------------------- https://isc.sans.edu/diary/rss/28516 ∗∗∗ WordPress Popunder Malware Redirects to Scam Sites ∗∗∗ --------------------------------------------- Over the last year we’ve seen an ongoing malware infection which redirects website visitors to scam sites. So far this year our monitoring has detected over 3,000 websites infected with this injection this year and over 17,000 in total since we first detected it in March of 2021. The reported behaviour is always the same: After a few seconds of loading, the website will redirect to a dodgy scam site. --------------------------------------------- https://blog.sucuri.net/2022/04/wordpress-popunder-malware-redirects-to-sca… ∗∗∗ Brokenwire Hack Could Let Remote Attackers Disrupt Charging for Electric Vehicles ∗∗∗ --------------------------------------------- A group of academics from the University of Oxford and Armasuisse S+T has disclosed details of a new attack technique against the popular Combined Charging System (CCS) that could potentially disrupt the ability to charge electric vehicles at scale. Dubbed "Brokenwire," the method interferes with the control communications that transpire between the vehicle and charger to wirelessly abort the abort the charging sessions from a distance of as far as 47m (151ft). --------------------------------------------- https://thehackernews.com/2022/04/brokenwire-hack-could-let-remote.html ∗∗∗ Deep Dive Analysis - Borat RAT ∗∗∗ --------------------------------------------- [...] During our regular OSINT research, Cyble Research Labs came across a new Remote Access Trojan (RAT) named Borat. Unlike other RATs, the Borat provides Ransomware, DDOS services, etc., to Threat Actors along with usual RAT features, further expanding the malware capabilities. --------------------------------------------- https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/ ∗∗∗ FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 ∗∗∗ --------------------------------------------- Recent public research asserts threat groups sharing overlaps with FIN7 transitioned to targeted ransomware operations involving REVIL, DARKSIDE, BLACKMATTER, and ALPHV ransomware. With the purported shift to ransomware operations, Mandiant is publishing our research on the evolution of FIN7 which we haven’t publicly written about since Mahalo FIN7, published in 2019. --------------------------------------------- https://www.mandiant.com/resources/evolution-of-fin7 ∗∗∗ Hacker accessed 319 crypto- and finance-related Mailchimp accounts, company said ∗∗∗ --------------------------------------------- Email marketing firm Mailchimp announced on Monday that a hacker breached its internal tools and managed to gain access to 319 Mailchimp accounts for companies in the cryptocurrency and finance industries. --------------------------------------------- https://therecord.media/hacker-accessed-319-crypto-and-finance-related-mail… ∗∗∗ Kaseya Full Disclosure ∗∗∗ --------------------------------------------- In honor of our appearance on the Ransomware Files podcast episode #5 we are releasing the full details of the vulnerabilities we found during our research into Kaseya VSA of which some were used by REvil to attack Kaseya’s customers. The details can be found in our CVE entries: [...] --------------------------------------------- https://csirt.divd.nl/2022/04/04/Kaseya-VSA-Full-Disclosure/ ===================== = Vulnerabilities = ===================== ∗∗∗ 15-Year-Old Bug in PEAR PHP Repository Couldve Enabled Supply Chain Attacks ∗∗∗ --------------------------------------------- A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code. --------------------------------------------- https://thehackernews.com/2022/04/15-year-old-bug-in-pear-php-repository.ht… ∗∗∗ FG-IR-22-059: Vulnerability in OpenSSL library ∗∗∗ --------------------------------------------- A security advisory was released affecting the version of OpenSSL library used in some Fortinet products. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-059 ∗∗∗ VMSA-2022-0010 ∗∗∗ --------------------------------------------- A critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0010.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, qemu, and zlib), Fedora (389-ds-base, ghc-cmark-gfm, ghc-hakyll, gitit, libkiwix, openssl, pandoc, pandoc-citeproc, patat, phoronix-test-suite, seamonkey, and skopeo), Mageia (libtiff, openjpeg2, and php-smarty), openSUSE (python), Oracle (httpd), Red Hat (httpd), and SUSE (libreoffice, python, and python36). --------------------------------------------- https://lwn.net/Articles/890187/ ∗∗∗ Microsoft Edge 100.0.1185.29 fixt Schwachstellen ∗∗∗ --------------------------------------------- Microsoft hat zum 1. April 2022 (kein April-Scherz) den Chromium-Edge Browser auf die Version Edge 100.0.1185.29 aktualisiert. Es handelt sich um ein Wartungsupdate, das eine Reihe Schwachstellen schließt und den 100er-Entwicklungszweig einleitet. --------------------------------------------- https://www.borncity.com/blog/2022/04/02/microsoft-edge-100-0-1185-29-fixt-… ∗∗∗ Kaspersky Anti-Virus: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0384 ∗∗∗ Vulnerability in Spring Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Netty – CVE-2021-43797 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-netty-cv… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Cloud Pak for Security contains packages that have multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-co… ∗∗∗ Security Bulletin: Cross-Site Scripting and information disclosure vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2022 (CVE-2021-29835, CVE-39046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-… ∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server in Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2022
by Daily end-of-shift report 01 Apr '22

01 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-03-2022 18:00 − Freitag 01-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New BlackGuard password-stealing malware sold on hacker forums ∗∗∗ --------------------------------------------- A new information-stealing malware named BlackGuard is winning the attention of the cybercrime community, now sold on numerous darknet markets and forums for a lifetime price of $700 or a subscription of $200 per month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-blackguard-password-stea… ∗∗∗ Viasat confirms satellite modems were wiped with AcidRain malware ∗∗∗ --------------------------------------------- A newly discovered data wiper malware that wipes routers and modems has been deployed in the cyberattack that targeted the KA-SAT satellite broadband service to wipe SATCOM modems on February 24, affecting thousands in Ukraine and tens of thousands more across Europe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-mo… ∗∗∗ Phishing uses Azure Static Web Pages to impersonate Microsoft ∗∗∗ --------------------------------------------- Phishing attacks are abusing Microsoft Azures Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/phishing-uses-azure-static-… ∗∗∗ FORCEDENTRY: Sandbox Escape ∗∗∗ --------------------------------------------- In this post we'll take a look at that sandbox escape. It's notable for using only logic bugs. In fact it's unclear where the features that it uses end and the vulnerabilities which it abuses begin. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.h… ∗∗∗ iOS-Updates: Automatik braucht mehrere Wochen ∗∗∗ --------------------------------------------- Wer will, dass sein iPhone auf aktuellem Stand ist, sollte händisch aktualisieren. Die automatische Verteilung braucht lange, bestätigt Apples Softwarechef. --------------------------------------------- https://heise.de/-6657879 ∗∗∗ CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell) ∗∗∗ --------------------------------------------- CVE-2022-22965, aka SpringShell, is a remote code execution vulnerability in the Spring Framework. We provide a root cause analysis and mitigations. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/ ∗∗∗ The spectre of Stuxnet: CISA issues alert on Rockwell Automation ICS vulnerabilities ∗∗∗ --------------------------------------------- The flaws can be exploited to execute code on vulnerable controllers and workstations. --------------------------------------------- https://www.zdnet.com/article/cisa-issues-alert-on-critical-ics-vulnerabili… ∗∗∗ Spring Framework RCE, Mitigation Alternative ∗∗∗ --------------------------------------------- Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat’s side. While the vulnerability is not in Tomcat itself, in real world situations, it is important to be able to choose among multiple upgrade paths that in turn provides flexibility and layered protection. --------------------------------------------- https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternati… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-03-31 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise Certified Container, IBM Sterling Partner Engagement Manager, IBM QRadar Network Security, IBM Security Access Manager for Enterprise, IBM Urbancode Deploy, IBM Tivoli Application Dependency Discovery Manager, IBM Tivoli Netcool Impact, Watson Knowledge Catalog InstaScan --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Kritische Sicherheitslücke: Gitlab-Update außer der Reihe ∗∗∗ --------------------------------------------- Die Gitlab-Entwickler haben ein Update veröffentlicht, um Sicherheitslücken zu schließen. Eine kritische Lücke könnte Angreifern die Kontoübernahme ermöglichen. --------------------------------------------- https://heise.de/-6660080 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (wireshark), Fedora (389-ds-base), Mageia (golang, wavpack, and zlib), openSUSE (yaml-cpp), SUSE (expat and yaml-cpp), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.13, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-aws-hwe, linux-gcp-4.15, linux-oracle, linux-intel-5.13, and tomcat9). --------------------------------------------- https://lwn.net/Articles/889983/ ∗∗∗ Sicherheitsupdates: iOS 15.4.1 und macOS Monterey 12.3.1 ∗∗∗ --------------------------------------------- Apple hat zum 31. März 2022 zwei Sicherheitsupdates für macOS 12.3.1 (Monterey) und iOS/iPad OS 15.4.1 freigegeben. Diese schließen die Schwachstellen CVE-2022-22675 (in AppleAVD für iOS und macOS) und CVE-2022-22674 im macOS Intel Grafiktreiber. --------------------------------------------- https://www.borncity.com/blog/2022/04/01/sicherheitsupdates-ios-15-4-1-und-… ∗∗∗ K56241216: OpenLDAP vulnerabilities CVE-2020-25709 and CVE-2020-25710 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56241216 ∗∗∗ K44994972: Linux kernel vulnerability CVE-2020-25704 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44994972 ∗∗∗ Schneider Electric SCADAPack Workbench ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-01 ∗∗∗ Hitachi Energy e-mesh EMS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-02 ∗∗∗ Fuji Electric Alpha5 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-03 ∗∗∗ Mitsubishi Electric FA Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-04 ∗∗∗ General Electric Renewable Energy MDS Radios ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-06 ∗∗∗ CISA Adds Seven Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/31/cisa-adds-seven-k… ∗∗∗ Mehrere Schwachstellen in ZA|ARC (SYSS-2021-063/-064/-065/-066/-067) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-zaarc-syss-2021-… ∗∗∗ SA45100 - CVE-2022-0778-OpenSSL-Vulnerability may lead to DoS attack ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/CVE-2022-0778… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2022
by Daily end-of-shift report 31 Mar '22

31 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-03-2022 18:00 − Donnerstag 31-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spring patches leaked Spring4Shell zero-day RCE vulnerability ∗∗∗ --------------------------------------------- Spring released emergency updates to fix the Spring4Shell zero-day remote code execution vulnerability, which leaked prematurely online before a patch was released. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spring-patches-leaked-spring… ∗∗∗ Java: Exploit für RCE-Lücke in Spring geleakt ∗∗∗ --------------------------------------------- Unter Umständen reicht ein HTTP-Request, um Spring-Anwendungen eine Webshell unterzujubeln. Die Lücke wird wohl bereits ausgenutzt. --------------------------------------------- https://www.golem.de/news/java-exploit-fuer-rce-luecke-in-spring-geleakt-22… ∗∗∗ SpringShell Detector - searches compiled code (JAR/WAR binaries) for potentially vulnerable web apps ∗∗∗ --------------------------------------------- The SpringShell vulnerability may affect some web applications using Spring Framework, but requires a number of conditions to be exploitable. One specific condition which may be rather rare (and therefore render most applications non-exploitable in practice) is the existence of Spring endpoints which bind request parameters to a non-primitive (Java Bean) type. This tool can be used to scan compiled code and verify whether such endpoints exist in the codebase. --------------------------------------------- https://github.com/jfrog/jfrog-spring-tools ∗∗∗ Simple local Spring vulnerability scanner ∗∗∗ --------------------------------------------- This is a simple tool that can be used to find instances of Spring vulnerable to CVE-2022-22965 ("SpringShell") in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged. --------------------------------------------- https://github.com/hillu/local-spring-vuln-scanner ∗∗∗ Spring4Shell: Security Analysis of the latest Java RCE 0-day vulnerabilities in Spring ∗∗∗ --------------------------------------------- Weve been taking a look at the new zero-day exploit, dubbed Spring4Shell, supposedly discovered in Spring Core to determine if its a problem or not, as well as explained another RCE vulnerability found in Spring. --------------------------------------------- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities ∗∗∗ Calendly actively abused in Microsoft credentials phishing ∗∗∗ --------------------------------------------- Phishing actors are actively abusing Calendly to kick off a clever sequence to trick targets into entering their email account credentials on the phishing page. --------------------------------------------- https://www.bleepingcomputer.com/news/security/calendly-actively-abused-in-… ∗∗∗ Lazarus Trojanized DeFi app for delivering malware ∗∗∗ --------------------------------------------- We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor. --------------------------------------------- https://securelist.com/lazarus-trojanized-defi-app/106195/ ∗∗∗ Conti-nuation: methods and techniques observed in operations post the leaks ∗∗∗ --------------------------------------------- This post describes the methods and techniques we observed during recent incidents that took place after the Coni data leaks. --------------------------------------------- https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniqu… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns severe OpenSSL bug affects most of its NAS devices ∗∗∗ --------------------------------------------- Taiwan-based network-attached storage (NAS) maker QNAP warned on Tuesday that most of its NAS devices are impacted by a high severity OpenSSL bug disclosed two weeks ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-severe-openssl-bu… ∗∗∗ “VMware Spring Cloud” Java bug gives instant remote code execution – update now! ∗∗∗ --------------------------------------------- Easy unauthenticated remote code execution - PoC code already out --------------------------------------------- https://nakedsecurity.sophos.com/2022/03/30/vmware-spring-cloud-java-bug-gi… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgc and pjproject), Fedora (cobbler, mingw-openjpeg2, and openjpeg2), Mageia (openvpn), openSUSE (abcm2ps, fish3, icingaweb2, kernel-firmware, nextcloud, openSUSE-build-key, python2-numpy, salt, and zlib), Slackware (vim), SUSE (kernel-firmware, opensc, python2-numpy, python3, salt, and zlib), and Ubuntu (dosbox, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.13, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, [...] --------------------------------------------- https://lwn.net/Articles/889852/ ∗∗∗ The Old Switcheroo: Hiding Code on Rockwell Automation PLCs ∗∗∗ --------------------------------------------- CVE-2022-1161 affects numerous versions of Rockwell’s Logix Controllers and has a CVSS score of 10, the highest criticality. CVE-2022-1159 affects several versions of its Studio 5000 Logix Designer application, and has a CVSS score of 7.7, high severity. --------------------------------------------- https://claroty.com/2022/03/31/blog-research-hiding-code-on-rockwell-automa… ∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN42543427/ ∗∗∗ Anti Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-032 ∗∗∗ Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-web-query-for-i-i… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in NumPy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to HTTP request smuggling due to Netty (CVE-2021-43797) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-omnibu… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by Wget vulnerability (CVE-2021-31879) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Spring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Security Verify Access is vulnerable to obtaining sensitive information due to improper validation of JWT tokens. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-acces… ∗∗∗ CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778 (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0778 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2022
by Daily end-of-shift report 30 Mar '22

30 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-03-2022 18:00 − Mittwoch 30-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Mars Stealer malware pushed via OpenOffice ads on Google ∗∗∗ --------------------------------------------- A newly launched information-stealing malware variant called Mars Stealer is rising in popularity, and threat analysts are now spotting the first notable large-scale campaigns employing it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mars-stealer-malware-pushed-… ∗∗∗ Viasat shares details on KA-SAT satellite service cyberattack ∗∗∗ --------------------------------------------- US satellite communications provider Viasat has shared an incident report regarding the cyberattack that affected its KA-SAT consumer-oriented satellite broadband service on February 24, the day Russia invaded Ukraine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/viasat-shares-details-on-ka-… ∗∗∗ Angriff auf Schnellllader: Forscher können Ladevorgänge per Funk unterbrechen ∗∗∗ --------------------------------------------- CCS hat sich als Standard beim Schnellladen von Elektroautos etabliert. Doch der Ladevorgang lässt sich durch Funksignale zum Absturz bringen. --------------------------------------------- https://www.golem.de/news/schnelllladen-forscher-bringen-ccs-ladevorgaenge-… ∗∗∗ Threat Alert: First Python Ransomware Attack Targeting Jupyter Notebooks ∗∗∗ --------------------------------------------- Team Nautilus has uncovered a Python-based ransomware attack that, for the first time, was targeting Jupyter Notebook, a popular tool used by data practitioners. The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack. --------------------------------------------- https://blog.aquasec.com/python-ransomware-jupyter-notebook ∗∗∗ Kostenlose Webinar-Reihe: So schützen Sie sich im Internet ∗∗∗ --------------------------------------------- Mit Unterstützung der Arbeiterkammer Burgenland veranstalten unsere KollegInnen von saferinternet.at ab 5. April eine Webinar-Reihe. Die kostenlosen Webinare sind für alle interessierten Erwachsenen offen und beschäftigen sich mit dem sicheren und verantwortungsvollen Umgang mit digitalen Medien. Mit dabei sind auch ExpertInnen der Watchlist Internet. --------------------------------------------- https://www.watchlist-internet.at/news/kostenlose-webinar-reihe-so-schuetze… ∗∗∗ Investigating an engineering workstation – Part 2 ∗∗∗ --------------------------------------------- In this second post we will focus on specific evidence written by the TIA Portal. As you might remember, in the first part we covered standard Windows-based artefacts regarding execution of the TIA Portal and usage of projects. --------------------------------------------- https://blog.nviso.eu/2022/03/30/investigating-an-engineering-workstation-p… ∗∗∗ Advanced warning: probable remote code execution (RCE) in Spring, an extremely popular Java framework ∗∗∗ --------------------------------------------- This notice is intended to alert you that there may be a significant issue with Spring which, if confirmed, would require immediate attention.In the morning (New York time) on Wednesday, March 29th, 2022, a member of the security research team KnownSec posted a now-removed screenshot to Twitter purporting to show a trivially-exploited remote code execution vulnerability against Spring core, the most popular Java framework in use on the Internet. The researcher did not provide a proof-of-concept or public details. --------------------------------------------- https://bugalert.org/content/notices/2022-03-29-spring.html ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt aktualisieren! Angriffe auf Sicherheitslücke in Trend Micro Apex Central ∗∗∗ --------------------------------------------- Trend Micro warnt vor Angriffen auf eine Sicherheitslücke in zentralen Verwaltungssoftware Apex Central. Zum Abdichten des Lecks stehen Updates bereit. --------------------------------------------- https://heise.de/-6656849 ∗∗∗ VMSA-2022-0009 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.5 CVE(s): CVE-2022-22948 Synopsis: VMware vCenter Server updates address an information disclosure vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0009.html ∗∗∗ Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk ∗∗∗ --------------------------------------------- On February 15, 2022, the Wordfence Threat Intelligence team finished research on two separate vulnerabilities in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin with over 100,000 installations. [...] A patched version, 5.174.1, was made available on March 25, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/03/reflected-xss-in-spam-protection-ant… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (expat, firefox, httpd, openssl, and thunderbird), Debian (cacti), Fedora (kernel, rsh, unrealircd, and xen), Mageia (kernel and kernel-linus), openSUSE (apache2, java-1_8_0-ibm, kernel, openvpn, and protobuf), Oracle (openssl), Red Hat (httpd:2.4, kernel, kpatch-patch, and openssl), SUSE (apache2, java-1_7_1-ibm, java-1_8_0-ibm, kernel, openvpn, protobuf, and zlib), and Ubuntu (chromium-browser and paramiko). --------------------------------------------- https://lwn.net/Articles/889682/ ∗∗∗ SaltStack Salt: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in SaltStack Salt ausnutzen, um Dateien zu manipulieren, einen Denial of Service Zustand herbeizuführen, Privilegien zu erweitern oder beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0371 ∗∗∗ Trend Micro AntiVirus für Mac: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Trend Micro AntiVirus für Mac ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0370 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 100.0.4896.60 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/30/google-releases-s… ∗∗∗ Password-Hash-Preisgabe im CMS Statamic (SYSS-2022-022) ∗∗∗ --------------------------------------------- Im CMS Statamic können in der REST-API Passwort-Hash-Werte aller Benutzer:innen ausgelesen werden. Dies kann zur Übernahme der Website führen. --------------------------------------------- https://www.syss.de/pentest-blog/password-hash-preisgabe-in-statamic-cms-sy… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021and Jan 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: An Eclipse Jetty vulnerability affects IBM Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerab… ∗∗∗ PHOENIX CONTACT: Vulnerabilities in XML parser library Expat (libexpat) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-005/ ∗∗∗ Buffer Overflow Vulnerability in Recovery Image ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-446276-bt.html ∗∗∗ CVE-2022-0778: Sicherheitslücken mit Denial of Service-Potential in OpenSSL ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2022
by Daily end-of-shift report 29 Mar '22

29 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 28-03-2022 18:00 − Dienstag 29-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sophos warns critical firewall bug is being actively exploited ∗∗∗ --------------------------------------------- British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/sophos-warns-critical-firewall-… ∗∗∗ Triton Malware Still Targeting Energy Firms ∗∗∗ --------------------------------------------- The FBIs latest Private Industry Notification warns the energy sector that the group behind Triton is still up to no good. --------------------------------------------- https://www.darkreading.com/attacks-breaches/triton-malware-still-targeting… ∗∗∗ Linux-Kernel: Netfilter-Bug gibt Nutzern Root-Rechte ∗∗∗ --------------------------------------------- Im Linux-Kernel sind mehrere Fehler im Netfilter-Code gefunden worden, die es einem Nutzer ermöglichen, Root-Rechte zu erlangen. Das Kernel-Team hat für alle unterstützten Versionszweige Updates veröffentlicht. CVE-2022-1015, CVE-2022-1016). --------------------------------------------- https://www.golem.de/news/linux-kernel-netfilter-bug-gibt-nutzern-root-rech… ∗∗∗ A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages ∗∗∗ --------------------------------------------- A threat actor dubbed "RED-LILI" has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules. --------------------------------------------- https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.h… ∗∗∗ Betrügerische SMS im Namen der Volksbank ∗∗∗ --------------------------------------------- Aktuell kursieren betrügerische SMS im Namen der Volksbank. EmpfängerInnen werden dringlich aufgefordert, auf einen Link zu klicken – angeblich, weil das Konto gesperrt wurde. Achtung: Dabei handelt es sich um Betrug. Wer den Link anklickt, landet auf einer gefälschten Login-Seite der Volksbank. Dort werden Zugangsdaten gestohlen! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-sms-im-namen-der-volk… ∗∗∗ Log4Shell exploited to infect VMware Horizon servers with backdoors, crypto miners ∗∗∗ --------------------------------------------- A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated. According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. --------------------------------------------- https://www.zdnet.com/article/log4shell-exploited-to-infect-vmware-horizon-… ∗∗∗ Verblecon: Sophisticated New Loader Used in Low-level Attacks ∗∗∗ --------------------------------------------- Indications the attacker may not realize the potential capabilities of the malware they are using. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ve… ∗∗∗ Mitigating Attacks Against Uninterruptable Power Supply Devices ∗∗∗ --------------------------------------------- CISA and the Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptable power supply (UPS) devices, often through unchanged default usernames and passwords. Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/29/mitigating-attack… ===================== = Vulnerabilities = ===================== ∗∗∗ Wyze Cam flaw lets hackers remotely access your saved videos ∗∗∗ --------------------------------------------- The authentication bypass flaw tracked as CVE-2019-9564 was addressed by the Wyze team via a security update on September 24, 2019. The remote execution vulnerability, assigned CVE-2019-12266, was fixed via an app update on November 9, 2020, 21 months after its initial discovery. The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a fixing firmware update. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wyze-cam-flaw-lets-hackers-r… ∗∗∗ ZDI-22-545: (0Day) Siemens Simcenter Femap NEU File Parsing Out-Of-Bounds Write Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Siemens Simcenter Femap. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-545/ ∗∗∗ Kritische Schadcode-Lücke in In-Memory-Datenbank Redis geschlossen ∗∗∗ --------------------------------------------- Das Zusammenspiel von Debian-Systemen und Redis kann zu ernsten Sicherheitsproblemen führen. Dagegen abgesicherte Versionen schaffen Abhilfe. --------------------------------------------- https://heise.de/-6655726 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libdatetime-timezone-perl, pjproject, and tzdata), Mageia (chromium-browser-stable, docker, graphicsmagick, and libtiff), Oracle (expat), Red Hat (expat, httpd:2.4, openssl, and screen), Scientific Linux (expat and openssl), and Ubuntu (libtasn1-6, linux-oem-5.14, openjdk-lts, and paramiko). --------------------------------------------- https://lwn.net/Articles/889571/ ∗∗∗ Sicherheitswarnung: Authentifizierungsschwachstelle CVE-2022-0342 in Zyxel USG/ZyWALL ∗∗∗ --------------------------------------------- In verschiedenen Zyxel Firewall-Produkten gibt es eine kritische Authentifizierungs-Schwachstelle (CVE-2022-0342). Durch diese Sicherheitslücke wird eine Übernahme der Firewall möglich. Zyxel stellt zwar für Geräte, die noch im Support sind, Firmware-Updates bereits. --------------------------------------------- https://www.borncity.com/blog/2022/03/29/sicherheitswarnung-authentifizieru… ∗∗∗ CVE-2018-25032: Zlib Memory Corruption Vulnerability ∗∗∗ --------------------------------------------- You may be thinking: ‘Wait, this new CVE starts with 2018.., this must be a mistake?’. In fact, it is not a mistake. This is about a CVE that everyone thought was patched years ago but now appears to be alive and well. [...] Linux distributions such as Ubuntu and Alpine have already implemented the fix in their latest releases, so you may want to update Zlib to your platform’s release of version 1.2.12, and re-compile any programs with the updated library. --------------------------------------------- https://orca.security/resources/blog/zlib-memory-corruption-vulnerability-c… ∗∗∗ Security Bulletin: CVE-2021-44228 log4j affects MAS Monitor 8.4, 8.5 and 8.6 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-44228-log4j-affe… ∗∗∗ Security Bulletin: MAS Monitor 8.4, 8.5, and 8.6 log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mas-monitor-8-4-8-5-and-8… ∗∗∗ Security Bulletin: Critical Vulnerabilities in libraries used by libraries that IBM Spectrum discover is using (libraries of libraries) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-critical-vulnerabilities-… ∗∗∗ K33548065: Eclipse Jetty vulnerability CVE-2018-12536 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33548065?utm_source=f5support&utm_mediu… ∗∗∗ K03674368: Linux kernel vulnerability CVE-2021-3715 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03674368?utm_source=f5support&utm_mediu… ∗∗∗ Philips e-Alert ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-088-01 ∗∗∗ Rockwell Automation ISaGRAF ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-01 ∗∗∗ Omron CX-Position ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-02 ∗∗∗ Hitachi Energy LinkOne WebView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-03 ∗∗∗ Modbus Tools Modbus Slave ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2022
by Daily end-of-shift report 28 Mar '22

28 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-03-2022 18:00 − Montag 28-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Webbrowser: Notfallupdate für Google Chrome ∗∗∗ --------------------------------------------- Google hat neue Versionen vom Webbrowser Chrome veröffentlicht, die eine Sicherheitslücke schließen, für die bereits Exploit-Code existiert. --------------------------------------------- https://heise.de/-6638415 ∗∗∗ PayPal Funktion „Geld an Freunde senden“ nicht als Zahlungsmittel auf Online-Marktplätzen verwenden ∗∗∗ --------------------------------------------- Momentan melden uns Facebook-NutzerInnen betrügerische Inserate im Facebook Marketplace. Darin werden beispielsweise Gaming-Stühle zum Verschenken angeboten. Die Person verlangt nur 15 Euro für den Versand. Der Betrag sollte mit der PayPal-Funktion „Geld an Freunde senden“ übermittelt werden. Achtung: Dabei handelt es sich um Betrug! Sie verlieren Ihr Geld und erhalten kein Produkt! --------------------------------------------- https://www.watchlist-internet.at/news/paypal-funktion-geld-an-freunde-send… ∗∗∗ Public Redis exploit used by malware gang to grow botnet ∗∗∗ --------------------------------------------- Threat analysts report having spotted a change in the operations of the Muhstik threat group, which has now switched to actively exploiting a Lua sandbox escape flaw in Redis. --------------------------------------------- https://www.bleepingcomputer.com/news/security/public-redis-exploit-used-by… ∗∗∗ Hive ransomware ports its Linux VMware ESXi encryptor to Rust ∗∗∗ --------------------------------------------- The Hive ransomware operation has converted their VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims ransom negotiations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-li… ∗∗∗ The Mystery Admin User ∗∗∗ --------------------------------------------- One of our clients recently submitted a malware removal request with a curious problem: A mystery admin user kept getting re-created on their website. Try as they might, nothing they did would get rid of this user; it just kept coming back. --------------------------------------------- https://blog.sucuri.net/2022/03/the-mystery-admin-user.html ∗∗∗ Purple Fox Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks ∗∗∗ --------------------------------------------- The operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT, while also simultaneously upgrading their evasion mechanisms to bypass security software. "Users machines are targeted via trojanized software packages masquerading as legitimate application installers," Trend Micro researchers said in a report [...] --------------------------------------------- https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html ∗∗∗ Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware ∗∗∗ --------------------------------------------- A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report [...] --------------------------------------------- https://thehackernews.com/2022/03/hackers-hijack-email-reply-chains-on.html ∗∗∗ Under the hood of Wslink’s multilayered virtual machine ∗∗∗ --------------------------------------------- ESET researchers describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through its obfuscation techniques --------------------------------------------- https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-vi… ∗∗∗ Vulnerability Management in a nutshell ∗∗∗ --------------------------------------------- Vulnerability Management plays an important role in an organization’s line of defense. However, setting up a Vulnerability Management process can be very time consuming. This blogpost will briefly cover the core principles of Vulnerability Management and how it can help protect your organization against threats and adversaries looking to abuse weaknesses. --------------------------------------------- https://blog.nviso.eu/2022/03/28/vulnerability-management-in-a-nutshell/ ∗∗∗ Ransomware profile: RansomExx ∗∗∗ --------------------------------------------- A comprehensive profile of the RansomExx ransomware strain. --------------------------------------------- https://blog.emsisoft.com/en/41027/ransomware-profile-ransomexx/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Sophos Firewall könnte Schadcode passieren lassen ∗∗∗ --------------------------------------------- Die Firewall von Sophos ist löchrig. Aktualisierte Versionen lösen das Sicherheitsproblem. --------------------------------------------- https://heise.de/-6653493 ∗∗∗ Whitepaper – Double Fetch Vulnerabilities in C and C++ ∗∗∗ --------------------------------------------- Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes. As much of this information is spread across various sources, this whitepaper, draws the knowledge together into a single place, in order to better describe the different [...] --------------------------------------------- https://research.nccgroup.com/2022/03/28/whitepaper-double-fetch-vulnerabil… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and faad2), Fedora (dotnet3.1, libass, linux-firmware, python-paramiko, seamonkey, and xen), openSUSE (perl-DBD-SQLite and wavpack), Slackware (seamonkey), SUSE (perl-DBD-SQLite and wavpack), and Ubuntu (binutils, python2.7, python3.4, python3.5, python3.6, python3.8, and smarty3). --------------------------------------------- https://lwn.net/Articles/889423/ ∗∗∗ CISA Adds 66 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/25/cisa-adds-66-know… ∗∗∗ Microsoft Security Update Revisions (25. März 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 25. März 2022 noch einige Revisionen für Sicherheitsupdates veröffentlicht. In den Revisionen werden geänderte Einschätzungen zu Schwachstellen thematisiert. Hier eine unkommentierte Übersicht. --------------------------------------------- https://www.borncity.com/blog/2022/03/28/microsoft-security-update-revision… ∗∗∗ SonicWall SonicOS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0348 ∗∗∗ PowerDNS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0358 ∗∗∗ Cross-Site Scripting-Schwachstelle in DHC Vision (SYSS-2022-019) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-scripting-schwachstelle-in-dhc-… ∗∗∗ SQL Injection in der B2B Suite des Shopware e-Commerce Frameworks (SYSS-2022-018) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/sql-injection-in-der-b2b-suite-des-shopwar… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35550, CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: Cross Site Scripting may affect IBM Business Automation Workflow and IBM Case Manager (ICM) – CVE-2020-4768 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-may-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2022-23181 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-42340 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2022
by Daily end-of-shift report 25 Mar '22

25 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-03-2022 18:00 − Freitag 25-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing kits constantly evolve to evade security software ∗∗∗ --------------------------------------------- Modern phishing kits sold on cybercrime forums as off-the-shelve packages feature multiple and sophisticated detection avoidance and traffic filtering systems to ensure that internet security solutions wont mark them as a threat. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-kits-constantly-evo… ∗∗∗ Malicious Microsoft Excel add-ins used to deliver RAT malware ∗∗∗ --------------------------------------------- Researchers report a new version of the JSSLoader remote access trojan being distributed via malicious Microsoft Excel addins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-ad… ∗∗∗ Racing against the clock -- hitting a tiny kernel race window ∗∗∗ --------------------------------------------- This is a writeup of how I managed to hit the race on a normal Linux desktop kernel, with a hit rate somewhere around 30% if the proof of concept has been tuned for the specific machine. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting… ∗∗∗ XLSB Files: Because Binary is Stealthier Than XML, (Fri, Mar 25th) ∗∗∗ --------------------------------------------- In one of his last diaries, Brad mentioned an Excel sheet named with a .xlsb extension. Now, it was my turn to find one... --------------------------------------------- https://isc.sans.edu/diary/rss/28476 ∗∗∗ Linux-Malware bedroht Windows ∗∗∗ --------------------------------------------- Es taucht immer mehr Malware auf, die das Windows Subsytem for Linux (WSL) als Einfallstor nutzen. Die Gefahr steigt, warnen Sicherheitsforscher. --------------------------------------------- https://heise.de/-6631700 ∗∗∗ Mining data from Cobalt Strike beacons ∗∗∗ --------------------------------------------- Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we’ve collected over 128,000 beacons from over 24,000 active Team Servers. --------------------------------------------- https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-bea… ∗∗∗ E-Mails mit Anschuldigungen der Polizei sind Fake! ∗∗∗ --------------------------------------------- Auch Sie haben ein E-Mail von der Polizei oder dem Bundeskriminalamt erhalten, das Sie der Kinderpornografie, Pädophilie und des Exhibitionismus beschuldigt? Das E-Mail ist fake, die Anschuldigungen frei erfunden. Antworten Sie nicht und löschen Sie die Nachricht am besten. --------------------------------------------- https://www.watchlist-internet.at/news/e-mails-mit-anschuldigungen-der-poli… ∗∗∗ Crypto malware in patched wallets targeting Android and iOS devices ∗∗∗ --------------------------------------------- ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets. --------------------------------------------- https://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-ta… ===================== = Vulnerabilities = ===================== ∗∗∗ URL rendering trick enabled WhatsApp, Signal, iMessage phishing ∗∗∗ --------------------------------------------- A set of flaws affecting the worlds leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, has allowed threat actors to create legitimate-looking phishing URLs for the past three years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/url-rendering-trick-enabled-… ∗∗∗ Western Digital schließt Root-Schadcode-Lücke in My-Cloud-Netzwerkspeichern ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für verschiedene NAS-Modelle von Western Digital. --------------------------------------------- https://heise.de/-6630582 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff), Fedora (nicotine+ and openvpn), openSUSE (bind, libarchive, python3, and slirp4netns), Oracle (cyrus-sasl, httpd, httpd:2.4, and openssl), Red Hat (httpd and httpd:2.4), Scientific Linux (httpd), SUSE (bind, libarchive, python3, and slirp4netns), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/889265/ ∗∗∗ ZDI-22-538: (0Day) Epic Games Launcher Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-538/ ∗∗∗ ZDI-22-537: (0Day) Epic Games Launcher Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-537/ ∗∗∗ ZDI-22-536: (0Day) Electronic Arts Origin Web Helper Service Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-536/ ∗∗∗ ZDI-22-541: (0Day) Array Networks MotionPro Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-541/ ∗∗∗ Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nims… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by denial of service vulnerabilities in OpenSSL (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by an OpenSSL vulnerability (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0342 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2022
by Daily end-of-shift report 24 Mar '22

24 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-03-2022 18:00 − Donnerstag 24-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns ∗∗∗ --------------------------------------------- Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years. According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server. --------------------------------------------- https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.ht… ∗∗∗ Doppelter Betrug: Phishing-Konzept mit Browser-In-The-Browser-Attacke ausgebaut ∗∗∗ --------------------------------------------- In seinem Beispiel macht sich der Sicherheitsforscher das OAuth-Fenster zunutze. In seiner Demo baut er es via HTML/CSS exakt nach und versieht es mit einer legitimen Google-URL inklusive HTTPS-Schloss-Symbol. Dadurch fällt es Opfern schwerer, den Betrug aufzudecken und eingegebene Passwörter landen bei Betrügern. Einen Schwachpunkt hat dieser Ansatz aber: Der Ausgangspunkt von einer BITB-Attacke ist eine Phishing-Website, die das OAuth-Anmeldeverfahren mit dem Fake-Fenster anbietet. Dahin müssen Betrüger Opfer erst mal locken, ohne dass Verdacht aufkommt. --------------------------------------------- https://heise.de/-6621914 ∗∗∗ A Closer Look at the LAPSUS$ Data Extortion Group ∗∗∗ --------------------------------------------- Microsoft and identity management platform Okta both disclosed this week breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish the information unless a ransom demand is paid. Heres a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations. --------------------------------------------- https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extort… ===================== = Vulnerabilities = ===================== ∗∗∗ Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission.The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-031 ∗∗∗ Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030 ∗∗∗ --------------------------------------------- Security risk: Critical The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-030 ∗∗∗ Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121) ∗∗∗ --------------------------------------------- Western Digital published a firmware update (5.19.117) which entirely removed support for the open source third party vulnerable service "Depreciated Netatalk Service". As this vulnerability was addressed in the upstream Netatalk code, CVE-2022-23121 was assigned and a ZDI advisory published together with a new Netatalk release 3.1.13 distributed which fixed this vulnerability together with a number of others. --------------------------------------------- https://research.nccgroup.com/2022/03/24/remote-code-execution-on-western-d… ∗∗∗ Splunk: SVD-2022-0301 Indexer denial-of-service via malformed S2S request ∗∗∗ --------------------------------------------- CVSSv3.1 Score: 7.5, High CVE ID: CVE-2021-3422 The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. --------------------------------------------- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.h… ∗∗∗ VMware Carbon App Control: Angreifer könnten Schadcode auf Server schieben ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen zwei kritische Lücken in Carbon App Control für Windows. --------------------------------------------- https://heise.de/-6619596 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-twig), Mageia (abcm2ps, libpano13, and pesign), openSUSE (nextcloud and xen), Oracle (kernel, kernel-container, and openssl), SUSE (java-1_7_1-ibm and xen), and Ubuntu (linux-oem-5.14, openvpn, and thunderbird). --------------------------------------------- https://lwn.net/Articles/889120/ ∗∗∗ Schwachstelle in Windows 3CX-Telefonanlagen, Patchen ist angesagt ∗∗∗ --------------------------------------------- Wer unter Windows ein 3CX-System (Telefonanlage) in einer Version unterhalb v18 Update 3 (Build 450) betreibt, sollte reagieren. Der Hersteller hat ein Sicherheitsupdate für dieses Produkt in Form der v18 Update 3 (Build 450) veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/03/24/schwachstelle-in-windows-3cx-telef… ∗∗∗ Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-order-manage… ∗∗∗ Security Bulletin: IBM Security Verify Governance, Identity Manager virtual appliance component is vulnerable to denial of service (CVE-2021-38951) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35550). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin:IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 affects IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-sdk-java-technology-ed… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35603). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Vulnerabilities with Expat affect IBM Cloud Object Storage Systems (Mar 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-expa… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-order-manage… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2022-22374 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35578). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-006/ ∗∗∗ Yokogawa CENTUM and Exaopc ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-083-01 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-083-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily