Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 10.01.2022
by Daily end-of-shift report 10 Jan '22

10 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-01-2022 18:00 − Montag 10-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FBI-Warnung: FIN7-Bande verschickt USB-Sticks mit Ransomware ∗∗∗ --------------------------------------------- Die Speichermedien mit der Malware erreichen US-Firmen etwa in der Rüstungsindustrie laut dem FBI getarnt als Geschenkbox oder Covid-19-Leitlinien. --------------------------------------------- https://heise.de/-6321079 ∗∗∗ FluBot malware now targets Europe posing as Flash Player app ∗∗∗ --------------------------------------------- The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-malware-now-targets-e… ∗∗∗ Trojanized dnSpy app drops malware cocktail on researchers, devs ∗∗∗ --------------------------------------------- Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-m… ∗∗∗ Wheres the Interpreter!? ∗∗∗ --------------------------------------------- CVE-2021-30853 was able to bypass file quarantine, gatekeeper, & notarization requirements. In this post, we show exactly why! --------------------------------------------- https://objective-see.com/blog/blog_0x6A.html ∗∗∗ TShark & jq, (Sat, Jan 8th) ∗∗∗ --------------------------------------------- TShark (Wireshark's command-line version) can output JSON data, as shown in diary entry "Quicktip: TShark's Options -e and -T". --------------------------------------------- https://isc.sans.edu/diary/rss/28194 ∗∗∗ Extracting Cobalt Strike Beacons from MSBuild Scripts, (Sun, Jan 9th) ∗∗∗ --------------------------------------------- There is also a video of this analysis. --------------------------------------------- https://isc.sans.edu/diary/rss/28200 ∗∗∗ BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks ∗∗∗ --------------------------------------------- Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science. --------------------------------------------- https://thehackernews.com/2022/01/badnews-patchwork-apt-hackers-score-own.h… ∗∗∗ Sophisticated phishing scheme spent years robbing authors of their unpublished work ∗∗∗ --------------------------------------------- The FBI says a multi-year phishing attack targeting authors and book publishers, and stole unpublished novels, manuscripts and other books. --------------------------------------------- https://blog.malwarebytes.com/scams/2022/01/sophisticated-phishing-scheme-s… ∗∗∗ Tool Release - insject: A Linux Namespace Injector ∗∗∗ --------------------------------------------- tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters. --------------------------------------------- https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-names… ∗∗∗ U.S. Government Issues Warning Over Commercial Surveillance Tools ∗∗∗ --------------------------------------------- The U.S. State Department and the National Counterintelligence and Security Center (NCSC) on Friday issued a warning over the use of commercial surveillance tools. --------------------------------------------- https://www.securityweek.com/us-government-issues-warning-over-commercial-s… ∗∗∗ Abcbot botnet is linked to Xanthe cryptojacking group ∗∗∗ --------------------------------------------- Researchers believe the focus is moving from cryptocurrency to traditional botnet attacks. --------------------------------------------- https://www.zdnet.com/article/abcbot-botnet-has-now-been-linked-to-xanthe-c… ∗∗∗ Kernel Karnage - Part 8 (Getting Around DSE) ∗∗∗ --------------------------------------------- When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar. --------------------------------------------- https://blog.nviso.eu/2022/01/10/kernel-karnage-part-8-getting-around-dse/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#142629: Silicon Labs Z-Wave chipsets contain multiple vulnerabilities ∗∗∗ --------------------------------------------- Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications. --------------------------------------------- https://kb.cert.org/vuls/id/142629 ∗∗∗ Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries ∗∗∗ --------------------------------------------- A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Synk, eight security vulnerabilities were identified in as many third-party libraries written in C, [...] --------------------------------------------- https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html ∗∗∗ Qnap warnt vor Ransomware-Attacken auf Netzwerkspeicher ∗∗∗ --------------------------------------------- Es gibt wichtige Tipps zur Absicherung von NAS-Geräten von Qnap und aktuelle Sicherheitsupdates. --------------------------------------------- https://heise.de/-6321485 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript and roundcube), Fedora (gegl04, mbedtls, and mediawiki), openSUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container and libvirt), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/880807/ ∗∗∗ SonicWall Patches Y2K22 Bug in Email Security, Firewall Products ∗∗∗ --------------------------------------------- Cybersecurity firm SonicWall says it has released patches for some of its email security and firewall products to address a bug that resulted in failed junk box and message log updates. --------------------------------------------- https://www.securityweek.com/sonicwall-patches-y2k22-bug-email-security-fir… ∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in AnyCubic Chitubox plugin ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the Chitubox AnyCubic plugin. Chitubox is 3-D printing software for users to download and process models and send them [...] --------------------------------------------- http://blog.talosintelligence.com/2022/01/vulnerability-spotlight-buffer-ov… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0016 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.01.2022
by Daily end-of-shift report 07 Jan '22

07 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-01-2022 18:00 − Freitag 07-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Docs commenting feature exploited for spear-phishing ∗∗∗ --------------------------------------------- A new trend in phishing attacks emerged in December 2021, with threat actors abusing the commenting feature of Google Docs to send out emails that appear trustworthy. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-docs-commenting-featu… ∗∗∗ Night Sky is the latest ransomware targeting corporate networks ∗∗∗ --------------------------------------------- Its a new year, and with it comes a new ransomware to keep an eye on called Night Sky that targets corporate networks and steals data in double-extortion attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-rans… ∗∗∗ New Mac Malware Samples Underscore Growing Threat ∗∗∗ --------------------------------------------- A handful of malicious tools that emerged last year showed threat actors may be getting more serious about attacking Apple macOS and iOS environments. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/new-mac-malware-samples… ∗∗∗ Custom Python RAT Builder, (Fri, Jan 7th) ∗∗∗ --------------------------------------------- This week I already wrote a diary about "code reuse" in the malware landscape but attackers also have plenty of tools to generate new samples on the fly. --------------------------------------------- https://isc.sans.edu/diary/rss/28224 ∗∗∗ NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance ∗∗∗ --------------------------------------------- When I want to know the most recently published best practices in cyber security, I visit The National Institute of Standards and Technology (NIST). From the latest password requirements (NIST 800-63) to IoT security for manufacturers (NISTIR 8259), NIST is always the starting point. --------------------------------------------- https://thehackernews.com/2022/01/nist-cybersecurity-framework-quick.html ∗∗∗ iPhone-Angriff: Hacker könnten Reboot verunmöglichen ∗∗∗ --------------------------------------------- Malware wie die iOS-Version der Spyware Pegasus gehen nach einem Neustart verloren. Dieser lässt sich allerdings unterbinden, wie eine Sicherheitsfirma zeigt. --------------------------------------------- https://heise.de/-6319430 ∗∗∗ Patchday Android: Angreifer könnten sich weitreichende Berechtigungen aneignen ∗∗∗ --------------------------------------------- Google und weitere Smartphone-Hersteller haben wichtige Sicherheitsupdates für Android 9, 10, 11 und 12 veröffentlicht. --------------------------------------------- https://heise.de/-6320248 ∗∗∗ Vermeintlicher Amazon-Kundendienst verschickt betrügerische Mails zu Kundenprämienprogramm ∗∗∗ --------------------------------------------- LeserInnen melden uns derzeit eine E-Mail, die angeblich vom Amazon-Kundendienst stammt. Tatsächlich stecken Kriminelle dahinter. --------------------------------------------- https://www.watchlist-internet.at/news/vermeintlicher-amazon-kundendienst-v… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns of ransomware targeting Internet-exposed NAS devices ∗∗∗ --------------------------------------------- QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-tar… ∗∗∗ NHS warns of hackers exploiting Log4Shell in VMware Horizon ∗∗∗ --------------------------------------------- UKs National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nhs-warns-of-hackers-exploit… ∗∗∗ Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console ∗∗∗ --------------------------------------------- Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j "Log4Shell" vulnerability that came to light last month. --------------------------------------------- https://thehackernews.com/2022/01/log4shell-like-critical-rce-flaw.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 36 Security Bulletins veröffentlicht --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdate: Angreifer könnten sich auf WordPress-Websites einnisten ∗∗∗ --------------------------------------------- In der aktuellen Version des Content Management System WordPress haben die Entwickler vier Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-6320363 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (log4j and quaternion), Mageia (gnome-shell and singularity), SUSE (libsndfile, libvirt, net-snmp, and python-Babel), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, [...] --------------------------------------------- https://lwn.net/Articles/880564/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sphinxsearch), Fedora (chromium and vim), Red Hat (rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and Ubuntu (apache2 and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/880672/ ∗∗∗ January 5, 2022 TNS-2022-01 [R1] Tenable.sc 5.20.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-01 ∗∗∗ January 5, 2022 TNS-2022-02 [R1] Nessus Network Monitor 6.0.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-02 ∗∗∗ VMware Tanzu Spring Framework: Schwachstelle ermöglicht Manipulation von Log-Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0006 ∗∗∗ Drupal Plugins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0014 ∗∗∗ Omron CX-One ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-01 ∗∗∗ Fernhill SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-02 ∗∗∗ IDEC PLCs ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-03 ∗∗∗ Philips Engage Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-006-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2022
by Daily end-of-shift report 05 Jan '22

05 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-01-2022 18:00 − Mittwoch 05-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iOS malware can fake iPhone shut downs to snoop on camera, microphone ∗∗∗ --------------------------------------------- Researchers have developed a new technique that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and receive sensitive data via a live network connection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ios-malware-can-fake-iphone-… ∗∗∗ Code Reuse In the Malware Landscape, (Wed, Jan 5th) ∗∗∗ --------------------------------------------- Code re-use is classic behavior for many developers and this looks legit: Why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve? --------------------------------------------- https://isc.sans.edu/diary/rss/28216 ∗∗∗ New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification ∗∗∗ --------------------------------------------- An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsofts digital signature verification to siphon user credentials and sensitive information. --------------------------------------------- https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html ∗∗∗ Elephant Beetle: Uncovering an organized financial-theft operation ∗∗∗ --------------------------------------------- Using an arsenal of over 80 unique tools & scripts, the group executes its attacks patiently over long periods of time, blending in with the target’s environment and going completely undetected while it quietly liberates organizations of large amounts of money. --------------------------------------------- https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operati… ∗∗∗ „Media Markt Exclusive Giveaway“ Aktion ist Fake! ∗∗∗ --------------------------------------------- Auf Facebook werden derzeit Links zu einer nachgeahmten Media Markt Seite verbreitet. Dort heißt es, dass Media Markt landesweit Filialen schließt und daher eine „Online-Aktion“ durchführt. KonsumentInnen hätten so die Chance, Produkte wie iPhones, Macbooks, Playstations und mehr günstig zu kaufen. Wer bei dieser Aktion mitmacht, verliert jedoch Geld und erhält keine der versprochenen Produkte. --------------------------------------------- https://www.watchlist-internet.at/news/media-markt-exclusive-giveaway-aktio… ∗∗∗ Malware Reverse Engineering for Beginners – Part 1: From 0x0 ∗∗∗ --------------------------------------------- Malware researchers require a diverse skill set usually gained over time through experience and self-training. Reverse engineering (RE) is an integral part of malware analysis and research but it is also one of the most advanced skills a researcher can have. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/malware-reverse-engineering-b… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-01-05 ∗∗∗ --------------------------------------------- IBM hat 26 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ VMware-Sicherheitsupdates: Virtuelles CD-ROM-Laufwerk als Angreifer-Schlupfloch ∗∗∗ --------------------------------------------- VMware warnt vor einer Lücke in seinen Anwendungen für virtuelle Maschinen Cloud Foundation, ESXi, Fusion und Workstation. Einige Patches fehlen noch. --------------------------------------------- https://heise.de/-6318269 ∗∗∗ Sicherheitspatches: Angreifer könnten Datenbanken in IBM Db2 manipulieren ∗∗∗ --------------------------------------------- IBM hat Sicherheitslücken in mehreren Anwendungen wie Cloud Private, Db2 und Elastic Search geschlossen. Außerdem gibt es Neuigkeiten zu Log4j-Anfälligkeiten. --------------------------------------------- https://heise.de/-6318740 ∗∗∗ Entwickler schließen 37 Sicherheitslücken in Chrome 97 ∗∗∗ --------------------------------------------- Die Vorgängerversion von Chrome 97 enthielt mindestens eine kritische Sicherheitslücke. Angreifer hätten vermutlich eingeschleusten Code ausführen können. --------------------------------------------- https://heise.de/-6318885 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (xorg-x11-server), Debian (apache2), openSUSE (libvirt), Oracle (grafana, qemu, and xorg-x11-server), Red Hat (idm:DL1, samba, and telnet), SUSE (libvirt), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/880454/ ∗∗∗ Google Patches 48 Vulnerabilities With First Set of 2022 Android Updates ∗∗∗ --------------------------------------------- Google this week published information on the first set of 2022 security updates for Android, describing a total of 48 vulnerabilities that were addressed across Android OS, Pixel devices, and Android Automotive OS. --------------------------------------------- https://www.securityweek.com/google-patches-48-vulnerabilities-first-set-20… ∗∗∗ K10396196: Linux RPM vulnerability CVE-2021-20271 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10396196 ∗∗∗ WAGO: Smart Script affected by Log4Shell Vulnerability ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-060/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2022
by Daily end-of-shift report 04 Jan '22

04 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 03-01-2022 18:00 − Dienstag 04-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ A Simple Batch File That Blocks People, (Tue, Jan 4th) ∗∗∗ --------------------------------------------- I found another script that performs malicious actions. Its a simple batch file (.bat) that is not obfuscated but it has a very low VT score (1/53). --------------------------------------------- https://isc.sans.edu/diary/rss/28212 ∗∗∗ Purple Fox rootkit now bundled with Telegram installer ∗∗∗ --------------------------------------------- The Purple Fox malware family has been found to combine its payload with trusted apps in an interesting way. --------------------------------------------- https://blog.malwarebytes.com/trojans/2022/01/purple-fox-rootkit-now-bundle… ∗∗∗ Mails zu Hacks von einer Telefonnummer? Nicht zurückrufen! ∗∗∗ --------------------------------------------- Kriminelle versenden aktuell E-Mails, bei denen als Absender eine Telefonnummer angezeigt wird. Angeblich wurden die Systeme der EmpfängerInnen gehackt und mit Viren infiziert. Deshalb müsse dringend die Nummer zurückgerufen werden. Achtung: Hier lauert eine Falle und die E-Mail kann ignoriert werden. --------------------------------------------- https://www.watchlist-internet.at/news/mails-zu-hacks-von-einer-telefonnumm… ∗∗∗ A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain ∗∗∗ --------------------------------------------- A supply chain attack leveraging a cloud video platform to distribute web skimmer campaigns compromised more than 100 real estate sites. --------------------------------------------- https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/ ∗∗∗ Log4j flaw attack levels remain high, Microsoft warns ∗∗∗ --------------------------------------------- Organizations mights not realize their environments are already compromised. --------------------------------------------- https://www.zdnet.com/article/log4j-flaw-attacks-are-causing-lots-of-proble… ∗∗∗ State-of-the-art EDRs are not perfect, fail to detect common attacks ∗∗∗ --------------------------------------------- A team of Greek academics has tested endpoint detection & response (EDR) software from 11 of todays top cybersecurity firms and found that many fail to detect some of the most common attack techniques used by advanced persistent threat actors, such as state-sponsored espionage groups and ransomware gangs. --------------------------------------------- https://therecord.media/state-of-the-art-edrs-are-not-perfect-fail-to-detec… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (salt and thunderbird), Red Hat (xorg-x11-server), and Scientific Linux (xorg-x11-server). --------------------------------------------- https://lwn.net/Articles/880327/ ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Copy Data Management (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Apache Log4j vulnerabilities impact IBM Sterling Connect:Direct for UNIX (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerability(CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerabilities(CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j impact IBM Spectrum Protect Plus (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ VMSA-2022-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0001.html ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0002 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2022
by Daily end-of-shift report 03 Jan '22

03 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-12-2021 18:00 − Montag 03-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Dont copy-paste commands from webpages — you can get hacked ∗∗∗ --------------------------------------------- Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal risk having their system compromised. Wizers Gabriel Friedlander demonstrates an obvious, simple yet stunning trick that'll make you think twice before copying-pasting text from web pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dont-copy-paste-commands-fro… ∗∗∗ Do you want your Agent Tesla in the 300 MB or 8 kB package?, (Fri, Dec 31st) ∗∗∗ --------------------------------------------- Since today is the last day of 2021, I decided to take a closer look at malware that got caught by my malspam trap over the course of the year. --------------------------------------------- https://isc.sans.edu/diary/rss/28202 ∗∗∗ McAfee Phishing Campaign with a Nice Fake Scan, (Mon, Jan 3rd) ∗∗∗ --------------------------------------------- I spotted this interesting phishing campaign that (ab)uses the McAfee antivirus to make people scared. --------------------------------------------- https://isc.sans.edu/diary/rss/28208 ∗∗∗ Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations ∗∗∗ --------------------------------------------- Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from the Internet of Things (IoT) devices as a side-channel to glean precise knowledge about the different kinds of malware targeting the embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis. --------------------------------------------- https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html ∗∗∗ Nach Ransomware-Angriff: Webseiten mehrerer Medien aus Portugal offline ∗∗∗ --------------------------------------------- Eine neue Ransomware-Gruppe hat den portugiesischen Medienkonzern Impresa angegriffen. Mehrere Medien können aktuell nur über Social Media Meldungen verbreiten. --------------------------------------------- https://heise.de/-6316020 ∗∗∗ Y2K22-Bug stoppt Exchange-Mailzustellung: Antimalware-Engine stolpert über 2022 ∗∗∗ --------------------------------------------- Zum Jahreswechsel streiken weltweit zahlreiche Exchange-Server, weil die FIP-FS-Scan-Engine sich an der Jahreszahl verhebt. Immerhin gibt es temporäre Abhilfe. --------------------------------------------- https://heise.de/-6315605 ∗∗∗ On the malicious use of large language models like GPT-3 ∗∗∗ --------------------------------------------- Or, “Can large language models generate exploits?” --------------------------------------------- https://research.nccgroup.com/2021/12/31/on-the-malicious-use-of-large-lang… ∗∗∗ Detecting anomalous Vectored Exception Handlers on Windows ∗∗∗ --------------------------------------------- We have documented a method of enumerating which processes are using Vectored Exception Handling on Windows and which if any of the handlers are anomalous. --------------------------------------------- https://research.nccgroup.com/2022/01/03/detecting-anomalous-vectored-excep… ∗∗∗ Shodan Verified Vulns 2022-01-01 ∗∗∗ --------------------------------------------- Auch dieses Monat sehen wir wieder einen deutlichen Rückgang der verwundbaren Exchange-Server. Neu hinzugekommen ist die Grafana Path Traversal Schwachstelle CVE-2021-43798, welche am 7. Dezember veröffentlicht wurde. --------------------------------------------- https://cert.at/de/aktuelles/2022/1/shodan-verified-vulns-2022-01-01 ∗∗∗ Log4j Scanners ∗∗∗ --------------------------------------------- There are 19 tools, and each has certain stipulations with it. I would suggest take a look. --------------------------------------------- https://securitythreatnews.com/2022/01/03/log4j-scanners/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple: Sicherheitslücke kann iPhones und iPads unbenutzbar machen ∗∗∗ --------------------------------------------- Über eine Sicherheitslücke in Apples Homekit lassen sich iPhones erst nach einem Reset wieder nutzen. Ein Update hat Apple verschoben. --------------------------------------------- https://www.golem.de/news/apple-sicherheitsluecke-kann-iphones-und-ipads-un… ∗∗∗ Rootkit schlüpft durch Lücke in HPEs Fernwartung iLO ∗∗∗ --------------------------------------------- Eine Iranische Security-Firma hat ein Rootkit entdeckt, das sich in Hewlett Packards Fernwartungstechnik "Integrated Lights-Out" (iLO) eingenistet hat. --------------------------------------------- https://heise.de/-6315714 ∗∗∗ Jetzt patchen: Netgear-Router Nighthawk R6700v3 könnte Passwörter leaken ∗∗∗ --------------------------------------------- Angreifer könnten Nighthawk-Router von Netgear attackieren. Es könnten noch weitere Modelle betroffen sein. Aktuelle Firmware-Versionen sollen Abhilfe schaffen. --------------------------------------------- https://heise.de/-6316037 ∗∗∗ Trend Micro Apex One und Worry-Free Business Security gefährden Windows-PCs ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für die Schutzlösungen Apex One und Worry-Free Business Security von Trend Micro erschienen. --------------------------------------------- https://heise.de/-6316263 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (agg, aria2, fort-validator, and lxml), Fedora (libgda, pgbouncer, and xorg-x11-server-Xwayland), Mageia (calibre, e2guardian, eclipse, libtpms/swtpm, nodejs, python-lxml, and toxcore), openSUSE (c-toxcore, gegl, getdata, kernel-firmware, log4j, postrsd, and privoxy), and SUSE (gegl). --------------------------------------------- https://lwn.net/Articles/880100/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (kernel, libopenmpt, and xorg-x11-server), Mageia (gegl, libgda5.0, log4j, ntfs-3g, and wireshark), openSUSE (log4j), and Red Hat (grafana). --------------------------------------------- https://lwn.net/Articles/880232/ ∗∗∗ Security Bulletin: IBM Insurance Information Warehouse is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-insurance-information… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Banking and Financial Markets Data Warehouse (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Unified Data Model for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-unified-data-model-fo… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Data Model for Energy and Utilities is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-model-for-energy… ∗∗∗ Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-apac… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM i2 Analyze and IBM i2 Analyst's Notebook Premium are affected by Apache Log4j Vulnerabilities (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-ibm-i2… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale for IBM Elastic Storage Server (CVE-2021-45105,CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Elastic Storage System (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus (CVE-2021-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.12.2021
by Daily end-of-shift report 30 Dec '21

30 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-12-2021 18:00 − Donnerstag 30-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hiding malware inside the flex capacity space on modern SSDs ∗∗∗ --------------------------------------------- Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location thats beyond the reach of the user and security solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hiding-malware-inside-the-fl… ∗∗∗ Agent Tesla Updates SMTP Data Exfiltration Technique, (Thu, Dec 30th) ∗∗∗ --------------------------------------------- Agent Tesla is a Windows-based keylogger and RAT that commonly uses SMTP or FTP to exfiltrate stolen data. This malware has been around since 2014, and SMTP is its most common method for data exfiltration. --------------------------------------------- https://isc.sans.edu/diary/rss/28190 ∗∗∗ LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack ∗∗∗ --------------------------------------------- Users of the popular LastPass password manager are being targeted in so-called “credential stuffing” attacks that use email addresses and passwords obtained from third-party breaches. --------------------------------------------- https://www.securityweek.com/lastpass-automated-warnings-linked-%E2%80%98cr… ∗∗∗ Android 12: Samsung überrascht zum Jahresende mit regelrechter Update-Flut ∗∗∗ --------------------------------------------- Updates für praktisch alle High-End-Smartphones der vergangenen drei Jahre veröffentlicht. Selbst erste Tablets werden schon bedient. --------------------------------------------- https://www.derstandard.at/story/2000132240383/android-12-samsung-ueberrasc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (advancecomp, apache-log4j2, postgis, spip, uw-imap, and xorg-server), Mageia (kernel and kernel-linus), Scientific Linux (log4j), and SUSE (kernel-firmware and mariadb). --------------------------------------------- https://lwn.net/Articles/880039/ ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects IBM Db2 Web Query for i (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Guardium Data Encryption (GDE) (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Trend Micro Apex One und Trend Micro Worry-Free Business Security: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1320 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.12.2021
by Daily end-of-shift report 29 Dec '21

29 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-12-2021 18:00 − Mittwoch 29-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ RedLine malware shows why passwords shouldnt be saved in browsers ∗∗∗ --------------------------------------------- The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea. --------------------------------------------- https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-pa… ∗∗∗ Microsoft Defender Log4j scanner triggers false positive alerts ∗∗∗ --------------------------------------------- Microsoft Defender for Endpoint is currently showing "sensor tampering" alerts linked to the companys newly deployed Microsoft 365 Defender scanner for Log4j processes. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-log4j-sc… ∗∗∗ Wieder Sicherheitslücken in Herzschrittmachern gefunden ∗∗∗ --------------------------------------------- Auf der Online-Konferenz RC3 zeigten zwei Sicherheitsforscher, wie sie Cardio-Geräte unter die Lupe genommen haben. --------------------------------------------- https://futurezone.at/digital-life/herzschrittmacher-sicherheitsluecken-rc3… ∗∗∗ Responsible Disclosure: Deine Software, die Sicherheitslücken und ich ∗∗∗ --------------------------------------------- Wie meldet man Sicherheitslücken eigentlich richtig? Und wie sollten Unternehmen damit umgehen? Zerforschung und CCC klären auf. Ein Bericht von Moritz Tremmel (rC3, API) --------------------------------------------- https://www.golem.de/news/responsible-disclosure-deine-software-die-sicherh… ∗∗∗ LotL Classifier tests for shells, exfil, and miners, (Tue, Dec 28th) ∗∗∗ --------------------------------------------- A supervised learning approach to Living off the Land attack classification from Adobe SI --------------------------------------------- https://isc.sans.edu/diary/rss/28184 ∗∗∗ Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics ∗∗∗ --------------------------------------------- An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed. [...] Initial attacks involved executing a malicious command upon running a vanilla image named "alpine:latest" that resulted in the download of a shell script named "autom.sh." "Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use," --------------------------------------------- https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html ∗∗∗ Turning bad SSRF to good SSRF: Websphere Portal ∗∗∗ --------------------------------------------- In this blog post, we will explain how we discovered a multitude of SSRF vulnerabilities in HCL Websphere, as well as how we turned a restrictive, bad SSRF to a good SSRF. --------------------------------------------- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/ ∗∗∗ Storage Devices of Major Vendors Impacted by Encryption Software Flaws ∗∗∗ --------------------------------------------- Earlier this month, SecurityWeek reported that Western Digital had updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks. SanDisk SecureAccess, recently rebranded SanDisk PrivateAccess, is a piece of software that allows users to encrypt files and folders stored in a protected vault on SanDisk USB flash drives.[...] Pelissier detailed his findings this week at the Chaos Computer Club’s Remote Chaos Experience (rC3) virtual conference, where he revealed that the vulnerabilities were actually discovered in the DataVault encryption software made by ENC Security. --------------------------------------------- https://www.securityweek.com/storage-devices-major-vendors-impacted-encrypt… ∗∗∗ Sicher kaufen auf Willhaben, Shpock & Co. ∗∗∗ --------------------------------------------- Sie sind auf der Suche nach gebrauchten Schnäppchen? Mit Kleinanzeigenplattformen wie willhaben, Shpock oder den Facebook Marketplace gibt es zahlreiche Möglichkeiten, um zu stöbern und das perfekte Schnäppchen zu finden. Allerdings sollten Sie beim Shoppen auf solchen Plattformen einige Punkte beachten. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-kaufen-auf-willhaben-shpock-c… ∗∗∗ Threat actor uses HP iLO rootkit to wipe servers ∗∗∗ --------------------------------------------- An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations. --------------------------------------------- https://therecord.media/threat-actor-uses-hp-ilo-rootkit-to-wipe-servers/ ===================== = Vulnerabilities = ===================== ∗∗∗ Log4Shell vulnerability Number Four: “Much ado about something” ∗∗∗ --------------------------------------------- CVE-2021-44832; Its a Log4j bug, and you ought to patch it. But we dont think its a critical crisis like the last one. --------------------------------------------- https://nakedsecurity.sophos.com/2021/12/29/log4shell-vulnerability-number-… ∗∗∗ SSA-784507: Apache Log4j Vulnerability (CVE-2021-44832) via JDBC Appender - Impact to Siemens Products ∗∗∗ --------------------------------------------- This advisory informs about the impact of CVE-2021-44832 to Siemens products and the corresponding remediation and mitigation measures. The vulnerability is different from other JNDI lookup vulnerabilities, the impact of which is documented in SSA-661247. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-784507.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, python-gnupg, resiprocate, and ruby-haml), Fedora (mod_auth_mellon), openSUSE (thunderbird), Slackware (wpa_supplicant), and SUSE (gegl). --------------------------------------------- https://lwn.net/Articles/879995/ ∗∗∗ D-LINK Router (DIR-2640 <= 1.11B02): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um seine Privilegien zu erweitern, vertrauliche Informationen offenzulegen und beliebigen Code als root auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1313 ∗∗∗ Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. ∗∗∗ --------------------------------------------- Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. - Citrix Endpoint Management (Citrix XenMobile Server): Impacted – Customers are advised to apply the latest CEM rolling patch updates - Citrix Virtual Apps and Desktops (XenApp & XenDesktop): Impacted - Linux VDA (non-LTSR versions only) --------------------------------------------- https://support.citrix.com/article/CTX335705 ∗∗∗ Exposure of Sensitive Information in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- CVE identifier: CVE-2021-34347 Affected products: All QNAP NAS A vulnerability involving exposure of sensitive information has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to compromise the security of the system. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-53 ∗∗∗ Security Advisory - Cross-Site Scripting(XSS) Vulnerability in Huawei WS318n Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211229-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot for VMware (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM SANnav software used by IBM b-type SAN directors and switches (CVE-2021-45105 and CV-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.12.2021
by Daily end-of-shift report 28 Dec '21

28 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Montag 27-12-2021 18:00 − Dienstag 28-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers ∗∗∗ --------------------------------------------- Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature thats dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group. --------------------------------------------- https://thehackernews.com/2021/12/experts-detail-logging-tool-of.html ∗∗∗ V8 Heap pwn and /dev/memes - WebOS Root LPE ∗∗∗ --------------------------------------------- This is a writeup for my latest WebOS local root exploit chain, which Im calling WAMpage. ... This exploit is mainly of interest to other researchers - if you just want to root your TV, you probably want RootMyTV, which offers a reliable 1-click persistent root. --------------------------------------------- https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html ∗∗∗ Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution ∗∗∗ --------------------------------------------- Recently observed malicious campaigns have abused Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines. [...] The threat actors typically gain access to the target environment using a valid remote desktop protocol (RDP) account, leverage remote Windows Services (SCM) for lateral movement, and abuse MSBuild to execute the Cobalt Strike Beacon payload. --------------------------------------------- https://www.securityweek.com/threat-actors-abuse-msbuild-cobalt-strike-beac… ===================== = Vulnerabilities = ===================== ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- Update December 28, 10:01am The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated. --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (djvulibre, libzip, monit, novnc, okular, paramiko, postgis, rdflib, ruby2.3, and zziplib), openSUSE (chromium, kafka, and permissions), and SUSE (net-snmp and permissions). --------------------------------------------- https://lwn.net/Articles/879952/ ∗∗∗ Security Bulletin:IBM SPSS Modeler is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) and arbitrary code execution due to Apache Log4j (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-spss-modeler-is-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Operations Center (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-af… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ SSA-661247 V2.0 (Last Update: 2021-12-27): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2021
by Daily end-of-shift report 27 Dec '21

27 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-12-2021 18:00 − Montag 27-12-2021 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rook ransomware is yet another spawn of the leaked Babuk code ∗∗∗ --------------------------------------------- A new ransomware operation named Rook has appeared recently on the cyber-crime space, declaring a desperate need to make "a lot of money" by breaching corporate networks and encrypting devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rook-ransomware-is-yet-anoth… ∗∗∗ QNAP NAS devices hit in surge of ech0raix ransomware attacks ∗∗∗ --------------------------------------------- Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-nas-devices-hit-in-surg… ∗∗∗ Example of how attackers are trying to push crypto miners via Log4Shell, (Fri, Dec 24th) ∗∗∗ --------------------------------------------- While following Log4Shell's exploit attempts hitting our honeypots, I came across another campaign trying to push a crypto miner on the victims machines. --------------------------------------------- https://isc.sans.edu/diary/rss/28172 ∗∗∗ More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild ∗∗∗ --------------------------------------------- A team of academics said it found more than 1,200 phishing toolkits deployed in the wild that are capable of intercepting and allowing cybercriminals to bypass two-factor authentication (2FA) security codes. --------------------------------------------- https://therecord.media/more-than-1200-phishing-toolkits-capable-of-interce… ∗∗∗ QNAP Firmware-Update Version QTS 5.0.0.1891 build 20211221 und log4j-Schwachstelle ∗∗∗ --------------------------------------------- Der Hersteller QNAP hat kurz vor Weihnachten ein Firmware-Update für sein QTS 5 freigegeben. Das Update schließt einige Schwachstellen. Zudem wurde eine log4j-Schwachstelle in QNAP-Software gemeldet. --------------------------------------------- https://www.borncity.com/blog/2021/12/26/qnap-firmware-update-version-qts-5… ===================== = Vulnerabilities = ===================== ∗∗∗ Garrett Walk-Through Metal Detectors Can Be Hacked Remotely ∗∗∗ --------------------------------------------- A number of security flaws have been uncovered in a networking component in Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, tamper with metal detector configurations, and even execute arbitrary code on the devices. --------------------------------------------- https://thehackernews.com/2021/12/garrett-walk-through-metal-detectors.html ∗∗∗ Remote Code Execution Vulnerabilities in Veritas Enterprise Vault ∗∗∗ --------------------------------------------- Veritas has discovered an issue where Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault Server. CVSS v3.1 Base Score 9.8 CVEs: CVE-2021-44679, CVE-2021-44680, CVE-2021-44678, CVE-2021-44677, CVE-2021-44682, CVE-2021-44681 --------------------------------------------- https://www.veritas.com/content/support/en_US/security/VTS21-003 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 33 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (httpd and singularity), Mageia (ldns, netcdf, php, ruby, thrift/golang-github-apache-thrift, thunderbird, and webkit2), openSUSE (go1.16, go1.17, libaom, and p11-kit), and SUSE (go1.16, go1.17, htmldoc, libaom, libvpx, logstash, openssh-openssl1, python3, and runc). --------------------------------------------- https://lwn.net/Articles/879791/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j2, libextractor, libpcap, and wireshark), Fedora (grub2, kernel, libopenmpt, log4j, mingw-binutils, mingw-python-lxml, and seamonkey), Mageia (golang, lapack/openblas, and samba), and openSUSE (go1.16, libaom, log4j12, logback, and runc). --------------------------------------------- https://lwn.net/Articles/879891/ ∗∗∗ SolarWinds - multiple advisories ∗∗∗ --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ K16090693: Apache HTTP server vulnerability CVE-2021-44224 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16090693 ∗∗∗ Moxa MGate Protocol Gateways ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-357-01 ∗∗∗ Johnson Controls exacq Enterprise Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-357-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.12.2021
by Daily end-of-shift report 23 Dec '21

23 Dec '21

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-12-2021 18:00 − Donnerstag 23-12-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Dridex malware trolls employees with fake job termination emails ∗∗∗ --------------------------------------------- A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a seasons greeting message. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employ… ∗∗∗ Microsoft Azure App Service flaw exposed customer source code ∗∗∗ --------------------------------------------- A security flaw found in Azure App Service, a Microsoft-managed platform for building and hosting web apps, led to the exposure of PHP, Node, Python, Ruby, or Java customer source code for at least four years, since 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-azure-app-service-… ∗∗∗ Honeypot experiment reveals what hackers want from IoT devices ∗∗∗ --------------------------------------------- A three-year-long honeypot experiment featuring simulated low-interaction IoT devices of various types and locations gives a clear idea of why actors target specific devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/honeypot-experiment-reveals-… ∗∗∗ Attackers, CSIRTs and Individual Rights: Clarified ∗∗∗ --------------------------------------------- A few years ago I wrote a post on how the GDPR copes with situations when there was a conflict between the obligation to prevent, detect and investigate incidents and the obligation to inform all those whose personal data you process. GDPR Article 14(5) provides a general tool for resolving that conflict: you don’t need to inform if doing so “is likely to render impossible or seriously impair the achievement of the objectives of that processing”. --------------------------------------------- https://regulatorydevelopments.jiscinvolve.org/wp/2021/12/22/attackers-csir… ∗∗∗ Microsoft Teams blockiert Notrufe mit Android-Handys – Update einspielen ∗∗∗ --------------------------------------------- Die Android-App für Microsoft Teams kann unter Umständen Notrufe vom Handy verhindern. Die aktuelle Version soll das unterlassen. [...] Wie es überhaupt dazu kommen kann, dass eine App ohne Root-Rechte die wichtigste Funktion des Telefons sabotieren kann, verraten weder Google noch Microsoft. [...] Das zugrundeliegende Sicherheitsproblem in Android möchte Google mit dem ersten Android-Sicherheitsupdate im neuen Jahr beheben. --------------------------------------------- https://heise.de/-6306221 ∗∗∗ Audio bugging with the Fisher Price Chatter Bluetooth Telephone ∗∗∗ --------------------------------------------- The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids phone handset. Cute! Unfortunately, little to no consideration has been given to privacy and security, resulting in it becoming an audio bug in some circumstances. --------------------------------------------- https://www.pentestpartners.com/security-blog/audio-bugging-with-the-fisher… ∗∗∗ This new ransomware has simple but very clever tricks to evade PC defenses ∗∗∗ --------------------------------------------- One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target's intended security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe. --------------------------------------------- https://www.zdnet.com/article/this-new-ransomware-has-simple-but-very-cleve… ∗∗∗ Log4j Vulnerabilities: Attack Insights ∗∗∗ --------------------------------------------- Symantec [..] has observed numerous variations in attack requests primarily aimed at evading detection. [..] Attackers are predominantly using the LDAP and RMI protocols to download malicious payloads. We have also recorded vulnerability scans using protocols such as IIOP, DNS, HTTP, NIS etc. Payloads: Muhstik Botnet, XMRig miner, Malicious class file backdoor, Reverse Bash shell. Other publicly reported payloads include the Khonsari and Conti ransomware threats, the Orcus remote access Trojan (RAT), and the Dridex malware, among others. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ===================== = Vulnerabilities = ===================== ∗∗∗ Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047 ∗∗∗ --------------------------------------------- Project: Mail Login Security risk: Moderately critical Description: This modules enables users to login via email address.This module does not sufficiently check user status when authenticating.Solution: Install the latest version If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.5 --------------------------------------------- https://www.drupal.org/sa-contrib-2021-047 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 46 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ CVE-2021-44790: Apache HTTP Server / mod_lua ∗∗∗ --------------------------------------------- A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. --------------------------------------------- https://www.openwall.com/lists/oss-security/2021/12/20/4 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-11), Fedora (keepalived and tang), openSUSE (openssh, p11-kit, runc, and thunderbird), Oracle (postgresql:12, postgresql:13, and virt:ol and virt-devel:ol), Red Hat (rh-maven36-log4j12), and SUSE (ansible, chrony, logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh, openssh, p11-kit, python-Babel, and thunderbird). --------------------------------------------- https://lwn.net/Articles/879675/ ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- A malicious privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K21-1304 ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerability in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ SSA-661247 V1.8 (Last Update: 2021-12-22): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily