Daily

daily@lists.cert.at

1 participants
3252 discussions

Tageszusammenfassung - 23.03.2022
by Daily end-of-shift report 23 Mar '22

23 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-03-2022 18:00 − Mittwoch 23-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Okta confirms 2.5% customers impacted by hack in January ∗∗∗ --------------------------------------------- Okta, a major provider of access management systems, says that 2.5%, or approximately 375 customers, were impacted by a cyberattack claimed by the Lapsus$ data extortion group. --------------------------------------------- https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-cus… ∗∗∗ Raccoon Stealer – An Insight into Victim “Gates” ∗∗∗ --------------------------------------------- Raccoon Stealer is an information stealer sold to ‘affiliates’ as a Malware-as-a-Service (MaaS) on multiple underground forums. Affiliates are provided access to a control panel hosted on the Tor network as an onion site, where they can generate new malware builds and review data collected from infected hosts. --------------------------------------------- https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-vict… ∗∗∗ Ransomware: Microsoft bestätigt Hack durch Lapsus$ ∗∗∗ --------------------------------------------- Nach der Veröffentlichung von Code durch Lapsus$ bestätigt Microsoft nun den Hack. Der sei aber sehr begrenzt gewesen. --------------------------------------------- https://www.golem.de/news/ransomware-microsoft-bestaetigt-hack-durch-lapsus… ∗∗∗ DEV-0537 criminal actor targeting organizations for data exfiltration and destruction ∗∗∗ --------------------------------------------- The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. --------------------------------------------- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-… ∗∗∗ Exploring a New Class of Kernel Exploit Primitive ∗∗∗ --------------------------------------------- MSRC receives a wide variety of cases spanning different products, bug types and exploit primitives. One particularly interesting primitive we see is an arbitrary kernel pointer read. --------------------------------------------- https://msrc-blog.microsoft.com/2022/03/22/exploring-a-new-class-of-kernel-… ∗∗∗ Arkei Variants: From Vidar to Mars Stealer, (Wed, Mar 23rd) ∗∗∗ --------------------------------------------- Sometime in 2018, a new information stealer named Vidar appeared. Analysis revealed Vidar is an information stealer that is a copycat or fork of Arkei malware. Since that time, Vidar has led to other Arkei-based variants. --------------------------------------------- https://isc.sans.edu/diary/rss/28468 ∗∗∗ Dissecting a Phishing Campaign with a Captcha-based URL ∗∗∗ --------------------------------------------- In today’s environment, much of the population are doing their bank or financial transactions online and online banking or wire transfers have become a huge necessity. Recently, we received a phishing email that is targeting PayPal accounts. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dissecting-… ∗∗∗ A journey into IoT – Unknown Chinese alarm – Part 1 – Discover components and ports ∗∗∗ --------------------------------------------- So, after a couple of introductory articles, let’s start with a series of articles on an analysis executed on an unknown device. I received a Chinese smart alarm, clone of the Xiaomi Smart Home system, and it seemed perfect for the purpose. --------------------------------------------- https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-… ∗∗∗ Alte Tricks, neue Korplug‑Variante: Hodur von Mustang Panda ∗∗∗ --------------------------------------------- ESET-Forscher haben eine zuvor undokumentierte Korplug-Variante namens Hodur entdeckt, die von Mustang Panda verbreitet wird. Sie nutzt Phishing-Köder, die auf aktuelle Ereignisse in Europa anspielen, einschließlich der Invasion in der Ukraine. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/03/23/alte-tricks-neue-korplug-… ∗∗∗ Fake-Shop auf idealo.com.de! ∗∗∗ --------------------------------------------- Kriminelle haben die Website der Preisvergleichsplattformen idealo.at und idealo.de nachgebaut. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-auf-idealocomde/ ===================== = Vulnerabilities = ===================== ∗∗∗ Netatalk < 3.1.13: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Netatalk 3.1.13 behebt die folgenden Schwachstellen: CVE-2021-31439, CVE-2022-23121, CVE-2022-23123, CVE-2022-23122, CVE-2022-23125, CVE-2022-23124, CVE-2022-0194 --------------------------------------------- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (cyrus-sasl, openssl, sphinx, and swtpm), openSUSE (qemu), Red Hat (expat, rh-mariadb103-mariadb, and rh-mariadb105-mariadb), SUSE (apache2, binutils, java-1_7_0-ibm, kernel-firmware, nodejs12, qemu, and xen), and Ubuntu (ckeditor and linux, linux-aws, linux-kvm, linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/888994/ ∗∗∗ Bosch Fire Monitoring System (FSM) affected by log4net Vulnerability ∗∗∗ --------------------------------------------- A vulnerability has been discovered affecting the Bosch Fire Monitoring System (FSM-2500, FSM-5000, FSM-10k and obsolete FSM-10000). The issue applies to FSM server with version 5.6.630 and lower, and FSM client with version 5.6.2131 and lower. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-479793-bt.html ∗∗∗ ZDI-22-524: (Pwn2Own) NETGEAR R6700v3 libreadycloud.so Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-524/ ∗∗∗ ZDI-22-523: (Pwn2Own) NETGEAR R6700v3 circled Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-523/ ∗∗∗ ZDI-22-522: (Pwn2Own) NETGEAR R6700v3 readycloud_control.cgi Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-522/ ∗∗∗ ZDI-22-521: (Pwn2Own) NETGEAR R6700v3 Missing Authentication for Critical Function Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-521/ ∗∗∗ ZDI-22-520: (Pwn2Own) NETGEAR R6700v3 Improper Certificate Validation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-520/ ∗∗∗ ZDI-22-519: (Pwn2Own) NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-519/ ∗∗∗ ZDI-22-518: (Pwn2Own) NETGEAR R6700v3 httpd Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-518/ ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Multiple vulnerabilities in WebSphere Service Registry and Repository in packages such as Apache Struts and Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Service Registry and Repository due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Db2 Big SQL is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-is-vulner… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to information exposure due to IBM WebSphere Application Server Liberty (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Vulnerability in Apache log4j affects WebSphere Service Registry and Repository (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to information exposure due to IBM WebSphere Application Server Liberty (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to LDAP injection due to WebSphere Application Server Liberty (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Cloudera Data Platform Private Cloud Base with IBM products have log messages vulnerable to arbitrary code execution, denial of service, remote code execution, and SQL injection due to Apache Log4j vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloudera-data-platform-pr… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2022-22316) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM WebSphere eXtreme Scale is vulnerable to arbitrary code execution due to Apache Log4j v1.x (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-extreme-sca… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Elastic Storage System (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ VMSA-2022-0008 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0008.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2022
by Daily end-of-shift report 22 Mar '22

22 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 21-03-2022 18:00 − Dienstag 22-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Serpent malware campaign abuses Chocolatey Windows package manager ∗∗∗ --------------------------------------------- Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new Serpent backdoor malware on systems of French government agencies and large construction firms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abu… ∗∗∗ Conti Ransomware V. 3, Including Decryptor, Leaked ∗∗∗ --------------------------------------------- The latest is a fresher version of the ransomware pro-Ukraine researcher ContiLeaks already released, but it’s reportedly clunkier code. Pro-Ukraine security researcher @ContiLeaks yesterday uploaded a fresher version of Conti ransomware than they had previously released – specifically, the source code for Conti Ransomware V3.0 – to VirusTotal. --------------------------------------------- https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/1790… ∗∗∗ CryptoRom Crypto Scam Abusing iPhone Features to Target Mobile Users ∗∗∗ --------------------------------------------- Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been deceiving unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips. --------------------------------------------- https://thehackernews.com/2022/03/cryptorom-crypto-scam-abusing-iphone.html ∗∗∗ Microsoft und Okta: Hacker-Gruppe Lapsus$ hat offenbar erneut zugeschlagen ∗∗∗ --------------------------------------------- Derzeit untersuchen Microsoft bei Azure DevOps und der Zugriffsmanagement-Dienstleister Okta unberechtigte Server-Zugriffe. --------------------------------------------- https://heise.de/-6603364 ∗∗∗ Ausgesperrt? Vorsicht vor unseriösen Schlüsseldiensten ∗∗∗ --------------------------------------------- Sie haben sich ausgesperrt und benötigen einen Schlüsseldienst, um wieder in Ihre Wohnung zu kommen? Bleiben Sie ruhig, recherchieren Sie sorgfältig und überprüfen Sie das Unternehmen genau! Bedenken Sie: Die ersten Google-Suchergebnisse sind nicht immer die besten. Im Gegenteil: Wie Erfahrungen und Analysen zeigen, sind viele beworbene Schlüsseldienste unseriös! --------------------------------------------- https://www.watchlist-internet.at/news/ausgesperrt-vorsicht-vor-unserioesen… ∗∗∗ Sandworm: A tale of disruption told anew ∗∗∗ --------------------------------------------- [..] BlackEnergy, TeleBots, GreyEnergy, Industroyer, NotPetya, Exaramel, and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases, except the last four, the cybersecurity community discovered enough code similarities, shared command and control infrastructure, malware execution chains and other hints to attribute all the malware samples to one overarching group – Sandworm. Who is Sandworm? --------------------------------------------- https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-ane… ∗∗∗ FBI and FinCEN Release Advisory on AvosLocker Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/22/fbi-and-fincen-re… ∗∗∗ Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS ∗∗∗ --------------------------------------------- In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. --------------------------------------------- https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick… ∗∗∗ Facestealer-Trojaner aus der Google Play Store-App Craftsart Cartoon Photo Tools klaut Facebook-Zugangsdaten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Pradeo haben eine Android-App Craftsart Cartoon Photo Tools im Google Play Store entdeckt. Diese ist mit dem bekannten Facestealer-Trojaner verseucht und 100.000 Leute haben die App auf ihre Geräte gezogen. --------------------------------------------- https://www.borncity.com/blog/2022/03/22/facestealer-trojaner-aus-der-googl… ∗∗∗ Cobalt Strike: Overview – Part 7 ∗∗∗ --------------------------------------------- This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods. --------------------------------------------- https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/ ∗∗∗ Detecting shadow credentials ∗∗∗ --------------------------------------------- This article is about my journey into tracing changes to the msDS-KeyCredentialLink attribute to verify if their origin is legitimate or a potential attack (aka. Shadow Credentials). --------------------------------------------- https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/ ∗∗∗ 8 Tips for Securing Networks When Time Is Scarce ∗∗∗ --------------------------------------------- In light of increased cyber risk surrounding the Russia-Ukraine conflict, we’ve put together 8 tips that defenders can take right now to prepare. --------------------------------------------- https://www.rapid7.com/blog/post/2022/03/22/8-tips-for-securing-networks-wh… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006 ∗∗∗ --------------------------------------------- Security risk: Moderately critical Vulnerability: Third-party libraries CVE IDs: CVE-2022-24775 Description: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. --------------------------------------------- https://www.drupal.org/sa-core-2022-006 ∗∗∗ Multiple Vulnerabilities in GARO Wallbox ∗∗∗ --------------------------------------------- 1. Without Authentication(CVE-2021-45878) 2. Hard Coded Credentials for Tomcat Manager(CVE-2021-45877) 3. Unauthenticated Command Injection(CVE-2021-45876) --------------------------------------------- https://github.com/delikely/advisory/tree/main/GARO ∗∗∗ Kritische Sicherheitslücken in mehr als 200 HP-Drucker-Modellen ∗∗∗ --------------------------------------------- Zahlreiche HP-Drucker haben Sicherheitslücken, durch die Angreifer Schadcode einschleusen und ausführen könnten. Firmware-Updates schaffen Abhilfe. --------------------------------------------- https://heise.de/-6605306 ∗∗∗ Sophos schließt Sicherheitslücken in Unified Threat Management-Firmware ∗∗∗ --------------------------------------------- Eine neue Firmware-Version schließt unter anderem Sicherheitslücken, durch die angemeldete Nutzer Schadcode hätten ausführen können. --------------------------------------------- https://heise.de/-6602749 ∗∗∗ Cyclops-Blink-Botnet: Asus-Router im Fokus, Firmware-Updates verfügbar ∗∗∗ --------------------------------------------- Die Cybergang Sandworm hat ihr Cyclops-Blink-Botnet inzwischen auf Asus-Router angesetzt. Firmware-Updates sollen dem Befall vorbeugen. --------------------------------------------- https://heise.de/-6604576 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and thunderbird), Fedora (abcm2ps, containerd, dotnet6.0, expat, ghc-cmark-gfm, moodle, openssl, and zabbix), Mageia (389-ds-base, apache, bind, chromium-browser-stable, nodejs-tar, python-django/python-asgiref, and stunnel), openSUSE (icingaweb2, lapack, SUSE:SLE-15-SP4:Update (security), and thunderbird), Oracle (openssl), Slackware (bind), SUSE (apache2, bind, glibc, kernel-firmware, lapack, net-snmp, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.13, linux-gcp, linux-hwe-5.13, linux-kvm, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-gcp-4.15, linux-kvm, linux-oracle, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/888859/ ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-23192) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Watson Knowledge Catalog in Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2124) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-21282, CVE-2022-21296, CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K31323265: OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31323265?utm_source=f5support&utm_mediu… ∗∗∗ PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-007/ ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-081-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2022
by Daily end-of-shift report 21 Mar '22

21 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-03-2022 18:00 − Montag 21-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Elden Ring: Hacker zerstören Spielstände ∗∗∗ --------------------------------------------- Invasionen feindlicher Spieler sind noch gefährlicher geworden, denn eine Sicherheitslücke kann Elden Ring zum Absturz zu bringen. --------------------------------------------- https://www.golem.de/news/elden-ring-hacker-zerstoeren-spielstaende-2203-16… ∗∗∗ Sicherheitsanalyse zum Industrieprotokoll OPC UA aktualisiert ∗∗∗ --------------------------------------------- Die Studie des BSI liefert eine Bewertung der spezifizierten und realisierten Sicherheitsfunktionen von OPC UA. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Willhaben-VerkäuferInnen aufgepasst: Kurierdienst von Willhaben ist Betrug ∗∗∗ --------------------------------------------- Auf willhaben.at inseriert? Dann nehmen Sie sich vor betrügerischen KäuferInnen in Acht! Betrügerische KäuferInnen schlagen Ihnen vor, die Zahlung und Übergabe der Ware über den „Kurierdienst PayLivery AG“ vorzunehmen. Der Link zur Webseite, auf der dieser „Kurierdienst“ beschrieben wird, wird gleich mitgesendet. Vorsicht: Diesen Kurierdienst gibt es gar nicht. Die Webseite willhaben-at.shop/help.html ist gefälscht und gehört nicht zu willhaben.at! --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-verkaeuferinnen-aufgepasst… ∗∗∗ Free decryptor released for TrickBot gangs Diavol ransomware ∗∗∗ --------------------------------------------- Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ New Phishing toolkit lets anyone create fake Chrome browser windows ∗∗∗ --------------------------------------------- A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-lets-an… ∗∗∗ Meet Exotic Lily, access broker for ransomware and other malware peddlers ∗∗∗ --------------------------------------------- Exotic Lily is the name given to a group of cybercriminals that specialized as an initial access broker, serving groups like Conti and Diavol ransomware. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-acc… ∗∗∗ APT35 Automates Initial Access Using ProxyShell ∗∗∗ --------------------------------------------- In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks [...] --------------------------------------------- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Western Digital EdgeRover geschlossen ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate für Western Digitals Datenverwaltungsanwendung EdgeRover sperrt Angreifer aus. --------------------------------------------- https://heise.de/-6594172 ∗∗∗ A Bug That Doesnt Want To Die (CVE-2021-34484) ∗∗∗ --------------------------------------------- In November we issued a micropatch for a local privilege escalation in User Profile Service. This vulnerability was found and reported to Microsoft by security researcher Abdelhamid Naceri and assigned CVE-2021-34484 when initially fixed. Abdelhamid subsequently noticed that Microsofts patch was incomplete and wrote a POC to bypass it. Based on that information, we were able to create a micropatch for what was then considered a 0day [...] --------------------------------------------- https://blog.0patch.com/2022/03/a-bug-that-doesnt-want-to-die-cve-2021.html ∗∗∗ Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day) ∗∗∗ --------------------------------------------- Update 3/21/2022: Microsofts fix for this issue turned out to be flawed. We ported our micropatches to all affected Windows versions and made them all FREE for everyone again. --------------------------------------------- https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, libgit2, libpano13, paramiko, usbredir, and wordpress), Fedora (expat, kernel, openexr, thunderbird, and wordpress), openSUSE (chromium, frr, and weechat), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), SUSE (frr), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/888686/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0332 ∗∗∗ MISP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0331 ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities fixed in IBM Maximo Application Suite Monitor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Answer Retrieval for Watson Discovery is vulnerable to phishing attacks due to Swagger UI (CVE number(s) 221508) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-answer-retrieval-for-… ∗∗∗ Security Bulletin: urllib upgrade CVE-2021-33503, CVE-2021-28363 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-urllib-upgrade-cve-2021-3… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Spectrum Protect 8.1.14.000 Server is vulnerable to bypass of security restrictions (CVE-2022-22394) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-8-1-… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-2369) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE related to the Libraries component affects IBM Control Center (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: Vulnerabilities in Java SE and Eclipse OpenJ9 affect IBM Control Center (CVE-2020-14803 & CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2022
by Daily end-of-shift report 18 Mar '22

18 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-03-2022 18:00 − Freitag 18-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Unix rootkit used to steal ATM banking data ∗∗∗ --------------------------------------------- Threat analysts following the activity of LightBasin, a financially motivated group of hackers, report the discovery of a previously unknown Unix rootkit that is used to steal ATM banking data and conduct fraudulent transactions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-unix-rootkit-used-to-ste… ∗∗∗ Open Source: NPM-Paket löscht Dateien aus Protest gegen Ukrainekrieg ∗∗∗ --------------------------------------------- Ein weitverbreitetes NPM-Paket löscht die Dateien von russischen Entwicklern und vervielfältigt Anti-Kriegsbotschaften. --------------------------------------------- https://www.golem.de/news/open-source-npm-paket-loescht-dateien-aus-protest… ∗∗∗ Scans for Movable Type Vulnerability (CVE-2021-20837), (Fri, Mar 18th) ∗∗∗ --------------------------------------------- Yesterday, our honeypots started seeing many requests scanning for the Movable Type API. Movable Type is a content management system comparable to WordPress or Drupal. --------------------------------------------- https://isc.sans.edu/diary/rss/28454 ∗∗∗ New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers ∗∗∗ --------------------------------------------- ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks. --------------------------------------------- https://thehackernews.com/2022/03/new-variant-of-russian-cyclops-blink.html ∗∗∗ Neue Phishing-Methode kombiniert Fax und Captchas ∗∗∗ --------------------------------------------- Um den Anti-Phishing-Filter auszutricksen, packt eine neue Angriffsmethode Links in Fax-PDFs und versteckt die gefälschte Webseite hinter einem Google-Captcha. --------------------------------------------- https://heise.de/-6587105 ∗∗∗ How to protect RDP ∗∗∗ --------------------------------------------- RDP is still a popular target for attackers, so how do you keep your remote desktops safe? --------------------------------------------- https://blog.malwarebytes.com/security-world/business-security-world/2022/0… ∗∗∗ Diese Betrugsmaschen sollten LinkedIn-NutzerInnen kennen ∗∗∗ --------------------------------------------- LinkedIn wird vor allem mit Professionalität verbunden. Das ist wohl auch ein Grund, wieso LinkedIn weniger mit Betrug in Zusammenhang gebracht wird. Das spielt Kriminellen in die Hände, die mit Fake-Profilen Schadsoftware verbreiten können, betrügerische Jobs anbieten oder mit Hilfe von Phishing-Mails versuchen an sensible Daten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/diese-betrugsmaschen-sollten-linkedi… ∗∗∗ Strengthening Cybersecurity of SATCOM Network Providers and Customers ∗∗∗ --------------------------------------------- CISA and FBI strongly encourage critical infrastructure organizations and, specifically, organizations that are SATCOM network providers or customers to review the joint CSA and implement the mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/17/strengthening-cyb… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-treq), Fedora (openvpn, pesign, rust-regex, and thunderbird), Oracle (expat), Red Hat (kpatch-patch-4_18_0-147_58_1), Slackware (bind and openssl), SUSE (python-lxml), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/888412/ ∗∗∗ CVE-2021-28372: How a Vulnerability in Third-Party Technology Is Leaving Many IP Cameras and Surveillance Systems Vulnerable ∗∗∗ --------------------------------------------- CVE-2021-28372, a vulnerability in third-party software commonly built into many IP cameras, highlights issues in IoT supply chain security. --------------------------------------------- https://unit42.paloaltonetworks.com/iot-supply-chain-cve-2021-28372/ ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect IBM Decision Optimization Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ may affect IBM ILOG CPLEX Optimization Studio (CVE-2022-21360, CVE-2022-21365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-4104, CVE-2021-29469, CVE-2021-44531, CVE-2021-44531, CVE-2022-21824, CVE-2021-29899, CVE-2021-27290 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: Information disclosure vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-CVE-2021-39046 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect IBM Decision Optimization Center (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ Runtime may affect IBM Decision Optimization Center (CVE-2022-21360, CVE-2022-21365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K08173228: Multiple Intel CPU vulnerabilities ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08173228 ∗∗∗ Synology-SA-22:04 OpenSSL ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_04 ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0329 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2022
by Daily end-of-shift report 17 Mar '22

17 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-03-2022 18:00 − Donnerstag 17-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ SolarWinds warns of attacks targeting Web Help Desk instances ∗∗∗ --------------------------------------------- SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-attacks-… ∗∗∗ Microsoft creates tool to scan MikroTik routers for TrickBot infections ∗∗∗ --------------------------------------------- The TrickBot trojan has just added one more trick up its sleeve, now using vulnerable IoT (internet of things) devices like modem routers as proxies for its C2 (command and control) server communication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-creates-tool-to-sc… ∗∗∗ CISA: US-Behörde warnt vor 15 aktiv ausgenutzten Sicherheitslücken ∗∗∗ --------------------------------------------- Die US-Sicherheitsbehörde CISA warnt Unternehmen und Behörden vor 15 älteren Sicherheitslücken, die aktiv für Angriffe ausgenutzt werden. --------------------------------------------- https://www.golem.de/news/cisa-us-behoerde-warnt-vor-15-aktiv-ausgenutzten-… ∗∗∗ DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly ∗∗∗ --------------------------------------------- The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. "The worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows privilege escalation," Avast researcher Martin Chlumecký said in a report published Wednesday. --------------------------------------------- https://thehackernews.com/2022/03/dirtymoe-botnet-gains-new-exploits-in.html ∗∗∗ LokiLocker ransomware family spotted with built-in wiper ∗∗∗ --------------------------------------------- BlackBerry says extortionists erase documents if ransom unpaid BlackBerry security researchers have identified a ransomware family targeting English-speaking victims that is capable of erasing all non-system files from infected Windows PCs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/03/16/blackberry_l… ∗∗∗ Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks ∗∗∗ --------------------------------------------- What do you do when you’ve found an arbitrary file delete as NT AUTHORITY\SYSTEM? Probably just sigh and call it a DoS. Well, no more. In this article, we’ll show you some great techniques for getting much more out of your arbitrary file deletes, arbitrary folder deletes, and other seemingly low-impact filesystem-based exploit primitives. --------------------------------------------- https://www.thezdi.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-esc… ∗∗∗ From BlackMatter to BlackCat: Analyzing two attacks from one affiliate ∗∗∗ --------------------------------------------- While researching a BlackCat ransomware attack from December 2021, we observed a domain (and respective IP addresses) used to maintain persistent access to the network. This domain had also been used in a BlackMatter attack in September 2021. Further analysis revealed more commonalities, such as tools, file names and techniques that were common to both ransomware variants. --------------------------------------------- http://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-anal… ===================== = Vulnerabilities = ===================== ∗∗∗ New Vulnerability in CRI-O Engine Lets Attackers Escape Kubernetes Containers ∗∗∗ --------------------------------------------- A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called cr8escape could be exploited by an attacker to break out of containers and obtain root access to the host. "Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data, and lateral movement across pods," [..] --------------------------------------------- https://thehackernews.com/2022/03/new-vulnerability-in-cri-o-engine-lets.ht… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flac, openssl, and openssl1.0), Fedora (nbd, pesign, and rust-regex), openSUSE (ansible, java-1_8_0-openjdk, libreoffice, and stunnel), Oracle (expat, glibc, and virt:ol and virt-devel:rhel), Red Hat (expat, redhat-ds:11.3, and virt:av and virt-devel:av), SUSE (atftp, java-1_8_0-openjdk, libreoffice, python3, and stunnel), and Ubuntu (apache2, bind9, firefox, fuse, and man-db). --------------------------------------------- https://lwn.net/Articles/888288/ ∗∗∗ Red Hat Virtualization: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Virtualization ausnutzen, um Dateien zu manipulieren. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0328 ∗∗∗ ISC Releases Security Advisories for BIND ∗∗∗ --------------------------------------------- Original release date: March 17, 2022The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/17/isc-releases-secu… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js vm2 module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Netcool/OMNIbus Probe DSL Factory Framework is vulnerable to arbitrary code execution (CVE-2022-23302, CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of IBM Websphere Liberty (CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2022-0235) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A security vulnerability in log4j v1.2 affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2022
by Daily end-of-shift report 16 Mar '22

16 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-03-2022 18:00 − Mittwoch 16-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Android trojan persists on the Google Play Store since January ∗∗∗ --------------------------------------------- Security researchers tracking the mobile app ecosystem have noticed a recent spike in trojan infiltration on the Google Play Store, with one of the apps having over 500,000 installs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-trojan-persists-on-t… ∗∗∗ Qakbot infection with Cobalt Strike and VNC activity, (Wed, Mar 16th) ∗∗∗ --------------------------------------------- On Monday 2022-03-14, I infected a vulnerable Windows host with Qakbot (Qbot) malware. Today's diary provides a quick review of the infection activity. --------------------------------------------- https://isc.sans.edu/diary/rss/28448 ∗∗∗ The Attack of the Chameleon Phishing Page ∗∗∗ --------------------------------------------- Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input to trick its victims into giving away their email credentials. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-… ∗∗∗ Werbe-SMS „Bewerbung erhalten“ führt zu Investment-Betrug ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle SMS, in denen von einer angeblichen Bewerbung durch die EmpfängerInnen die Rede ist. Wie die Kriminellen an Namen und Telefonnummer der Betroffenen gelangen, ist unklar. Klar hingegen ist, dass der enthaltene Link auf eine betrügerische Investment-Werbung führt. --------------------------------------------- https://www.watchlist-internet.at/news/werbe-sms-bewerbung-erhalten-fuehrt-… ∗∗∗ Gh0stCringe RAT Being Distributed to Vulnerable Database Servers ∗∗∗ --------------------------------------------- This blog will explain the RAT malware named Gh0stCringe. Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT. --------------------------------------------- https://asec.ahnlab.com/en/32572/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched RCE Bug in dompdf Project Affects HTML to PDF Converters ∗∗∗ --------------------------------------------- Researchers have disclosed an unpatched security vulnerability in "dompdf," a PHP-based HTML to PDF converter, that, if successfully exploited, could lead to remote code execution in certain configurations. --------------------------------------------- https://thehackernews.com/2022/03/unpatched-rce-bug-in-dompdf-project.html ∗∗∗ 7 RCE and DoS vulnerabilities Found in ClickHouse DBMS ∗∗∗ --------------------------------------------- The vulnerabilities require authentication, but can be triggered by any user with read permissions. This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials. --------------------------------------------- https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-db… ∗∗∗ Sicherheitslücke: Präparierte TLS-Zertifikate können OpenSSL-Systeme gefährden ∗∗∗ --------------------------------------------- Angreifer könnten Clients und Server mit präparierten TLS-Zertifikaten auf Basis von elliptischen Kurven lahmlegen. --------------------------------------------- https://heise.de/-6550820 ∗∗∗ Sicherheitsupdates: Angreifer könnten Schadcode durch pfSense-Firewall schieben ∗∗∗ --------------------------------------------- Mehrere Schwachstellen gefährden Systeme mit der Firewall-Distribution pfSense. --------------------------------------------- https://heise.de/-6577971 ∗∗∗ Sicherheitsupdates: Schadcode-Schlupflöcher in Dell-BIOS ∗∗∗ --------------------------------------------- Angreifer könnten Dell-Computer attackieren und im schlimmsten Fall die volle Kontrolle über Geräte erlangen. --------------------------------------------- https://heise.de/-6550647 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl and python-scrapy), openSUSE (chrony, expat, java-1_8_0-openj9, libqt5-qtbase, openssl-1_0_0, php7, and rust, rust1.58, rust1.59), Oracle (389-ds:1.4, httpd:2.4, libarchive, libxml2, and vim), Red Hat (389-ds:1.4, glibc, httpd:2.4, kpatch-patch, libarchive, libxml2, vim, and virt:rhel and virt-devel:rhel), SUSE (chrony, compat-openssl098, expat, libqt5-qtbase, openssl, openssl-1_0_0, openssl-1_1, openssl1, php7, rust, rust1.58, rust1.59, [...] --------------------------------------------- https://lwn.net/Articles/888093/ ∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-005 ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js follow-redirects module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Network Automation (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform upgrade from Log4j 2.17 to 2.17.1 to protect from infinite recursion in lookup evaluation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-fetch module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2021-33198 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Improper Restriction of XML External Entity Reference in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-506619-bt.html ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/16/google-releases-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2022
by Daily end-of-shift report 15 Mar '22

15 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-03-2022 18:00 − Dienstag 15-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Massive phishing campaign uses 500+ domains leading to fake login pages ∗∗∗ --------------------------------------------- Large-scale phishing activity using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, shows infrastructure overlaps linked to the TrickBot botnet. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-phishing-campaign-us… ∗∗∗ Sicherheitslücke in Druckern: Über 300 Jahre alter Algorithmus knackt RSA-Keys ∗∗∗ --------------------------------------------- Drucker von Canon und Fujifilm erzeugen schwache RSA-Schlüssel, die sich mit dem Faktorisierungsalgorithmus von Fermat angreifen lassen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-in-druckern-ueber-300-jahre-alt… ∗∗∗ New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel ∗∗∗ --------------------------------------------- Since the Log4J vulnerability was exposed, we see more and more malware jumped on the wagon, Elknot, Gafgyt, Mirai are all too familiar, on February 9, 2022, 360Netlab's honeypot system captured an unknown ELF file propagating through the Log4J vulnerability. What stands out is that the network traffic generated by this sample triggered a DNS Tunnel alert in our system, We decided to take a close look, and indeed, it is a new botnet family, which we named B1txor20 based on its propagation using the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. --------------------------------------------- https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ ∗∗∗ Clean Binaries with Suspicious Behaviour, (Tue, Mar 15th) ∗∗∗ --------------------------------------------- EDR or "Endpoint Detection & Response" is a key element of many networks today. An agent is installed on all endpoints to track suspicious/malicious activity and (try to) block it. Behavioral monitoring is also a key element in modern SIEM infrastructure: To see a word.exe running is definitively not malicious, same with a Powershell script being launched. But if you monitor parent/child relations, to see a Powershell script launched from a Word process, that is suspicious! --------------------------------------------- https://isc.sans.edu/diary/rss/28444 ∗∗∗ A Simple Guide to Getting CVEs Published ∗∗∗ --------------------------------------------- This guide will, hopefully, let you skip the headaches and guesswork that we endured learning this process when you try to get a CVE published. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-simple-gu… ∗∗∗ Can an HTTPS Website be Hacked? ∗∗∗ --------------------------------------------- It should be no shock by now that a professional can break through anything. These days, zero-days are a dime a dozen, so it’s important to ensure your site is hardened and protected as much as possible. While an SSL certificate can certainly be an important factor, it’s only one slice of the pie. In this article, we’ll be elaborating on the myths of SSL, the kinds of hacks that still have the potential to occur, and how you can improve an HTTPS site beyond installing an SSL certificate. --------------------------------------------- https://blog.sucuri.net/2022/03/can-an-https-website-be-hacked.html ∗∗∗ Ukraine-Krieg: BSI warnt vor Kasperskys Sicherheits- und Antiviren-Software ∗∗∗ --------------------------------------------- Wer Antiviren-Software des russischen Herstellers einsetzt, sollte auf alternative Produkte ausweichen, heißt es der offizellen BSI-Warnung. --------------------------------------------- https://heise.de/-6549515 ∗∗∗ Vorsicht vor Anrufe und E-Mails von „Besser-Gefunden“ ∗∗∗ --------------------------------------------- Momentan werden Unternehmen telefonisch von „Besser-Gefunden“ kontaktiert. Die Person am Telefon erklärt Ihnen, dass Ihr Unternehmen einen Vertrag für die Schaltung von kostenpflichtigen Anzeigen im Firmenverzeichnis von „Besser-Gefunden“ abgeschlossen hat und die Gebühren bald fällig werden. Dieser Vertrag verlängert sich automatisch, wenn er nicht sofort schriftlich storniert wird. Vorsicht: Dabei handelt es sich um eine betrügerische Masche zur Kundengewinnung! Legen Sie auf und unterschreiben Sie nichts. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-anrufe-und-e-mails-von-… ∗∗∗ Updated: Kubernetes Hardening Guide ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have updated their joint Cybersecurity Technical Report (CTR): Kubernetes Hardening Guide, originally released in August 2021, based on valuable feedback and inputs from the cybersecurity community. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/15/updated-kubernete… ∗∗∗ Investigating an engineering workstation – Part 1 ∗∗∗ --------------------------------------------- In this series of blog posts we will deal with the investigation of an engineering workstation running Windows 10 with the Siemens TIA Portal Version 15.1 installed. In this first part we will cover some selected classic Windows-based evidence sources, and how they behave with regards to the execution of the TIA Portal and interaction with it. --------------------------------------------- https://blog.nviso.eu/2022/03/15/investigating-an-engineering-workstation-p… ∗∗∗ Threat Advisory: CaddyWiper ∗∗∗ --------------------------------------------- Overview Cybersecurity company ESET disclosed another Ukraine-focused wiper dubbed "CaddyWiper" on March 14. [..] Analysis: The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Our analysis didn't show any indications of persistency, self-propagation or exploitation code. Before starting any file destruction, it checks to ensure that the machine is not a domain controller. If the machine is a domain controller, it stops execution. --------------------------------------------- http://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html ∗∗∗ OpenSSL security releases may require Node.js security releases ∗∗∗ --------------------------------------------- The Node.js project may be releasing new versions across all of its supportedrelease lines late this week to incorporate upstream patches from OpenSSL. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/mar-2022-security-releases ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Updates Everything: MacOS 12.3, XCode 13.3, tvOS 15.4, watchOS 8.5, iPadOS 15.4 and more, (Mon, Mar 14th) ∗∗∗ --------------------------------------------- Apple today released one of its massive "surprise" updates for all of its operating systems. This includes updates for Safari as well as stand-alone security updates for older operating systems like macOS Big Sur and Catalina. As so often, this also includes feature updates for the respective operating systems. --------------------------------------------- https://isc.sans.edu/diary/rss/28438 ∗∗∗ Sicherheitsupdate für IBM Spectrum Protect: Fremdzugriff auf Datenbanken möglich ∗∗∗ --------------------------------------------- Es gibt Sicherheitsupdates für IBMs Backup-Lösung Spectrum Protect. Angreifer könnten unter anderem auf eigentlich verschlüsselte Informationen zugreifen. --------------------------------------------- https://heise.de/-6548621 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (spip), Fedora (chromium), Mageia (chromium-browser-stable, kernel, kernel-linus, and ruby), openSUSE (firefox, flac, java-11-openjdk, protobuf, tomcat, and xstream), Oracle (thunderbird), Red Hat (kpatch-patch and thunderbird), Scientific Linux (thunderbird), Slackware (httpd), SUSE (firefox, flac, glib2, glibc, java-11-openjdk, libcaca, SDL2, squid, sssd, tomcat, xstream, and zsh), and Ubuntu (zsh). --------------------------------------------- https://lwn.net/Articles/887914/ ∗∗∗ Belden Security Bulletin – Industrial IT BSECV-2021-16 ∗∗∗ --------------------------------------------- CVEs: CVE-2020-24588, CVE-2020-26144, CVE-2020-26146 and CVE-2020-26147. FragAttacks 2 (fragmentation and aggregation attacks) is a collection of security vulnerabilities that affect Wi-Fi devices. An adversary that is within range of a victim's Wi-Fi network can exploit these vulnerabilities to steal user information or attack devices. Affected products: Hirschmann OpenBAT, WLC, BAT450 --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14146&mediaformat… ∗∗∗ Dirty Pipe Linux Flaw Affects a Wide Range of QNAP NAS Devices ∗∗∗ --------------------------------------------- https://thehackernews.com/2022/03/dirty-pipe-linux-flaw-affects-wide.html ∗∗∗ Security Bulletin: CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2341-deferred-fr… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: A Vulnerability In Apache Commons IO Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Workstations Central Administration Console (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Mobilefirst is affected by a log4j vulnerability (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mobilefirst-is-affected-b… ∗∗∗ Security Bulletin: Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-1-2-reached-… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j affects IBM Tivoli Composite Application Manager for Application Diagnostics (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect Operations Center (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ ABB OPC Server for AC 800M ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-074-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2022
by Daily end-of-shift report 14 Mar '22

14 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-03-2022 18:00 − Montag 14-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Android malware Escobar steals your Google Authenticator MFA codes ∗∗∗ --------------------------------------------- The Aberebot banking trojan appears to have returned, as its author is actively promoting a new version of the tool on dark web markets and forums. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-escobar-stea… ∗∗∗ Curl on Windows, (Mon, Mar 14th) ∗∗∗ --------------------------------------------- It's about 2 years ago that Xavier wrote a diary entry ("Keep an Eye on Command-Line Browsers") mentioning that curl was now build into Windows. [...] So with this particular malicious script, it's rather easy to detect (especially if you are in a network environment without Linux machines): search for curl UAS. If you are in a corporate environment, there's something else to know about curl on Windows. --------------------------------------------- https://isc.sans.edu/diary/rss/28436 ∗∗∗ New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access ∗∗∗ --------------------------------------------- Tracked as CVE-2022-25636 (CVSS score: 7.8), the vulnerability impacts Linux kernel versions 5.4 through 5.6.10 and is a result of a heap out-of-bounds write in the netfilter subcomponent in the kernel. [..] "This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat said in an advisory published on February 22, 2022. Similar alerts have been released by Debian, Oracle Linux, SUSE, and Ubuntu. --------------------------------------------- https://thehackernews.com/2022/03/new-linux-bug-in-netfilter-firewall.html ∗∗∗ Reverse Engineering a Netgear Nday ∗∗∗ --------------------------------------------- This post will detail how I went about developing a proof of concept for a Netgear Nday vulnerability. --------------------------------------------- https://nstarke.github.io/netgear/nday/2022/03/13/reverse-engineering-a-net… ∗∗∗ Making Sense of the Dirty Pipe Vulnerability (CVE-2022-0847) ∗∗∗ --------------------------------------------- [..] the flaw could allow anyone with read access on a system to write arbitrary data into arbitrary files. In this blog post, we analyze the vulnerability details in-depth and demonstrate how the exploit works to successfully escalate privileges. --------------------------------------------- https://redhuntlabs.com/blog/the-dirty-pipe-vulnerability.html ∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗ --------------------------------------------- Following responsible disclosure on September 9, 2021, fixes have been released to address the issues in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm. But Composer, Pip, and Pipenv, all three of which are affected by the untrusted search path flaw, have opted not to address the bug. --------------------------------------------- https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html ∗∗∗ Shodan: Introducing the InternetDB API ∗∗∗ --------------------------------------------- The major differences between the InternetDB API and the main Shodan API are: - No API key required - Much higher rate limit - Weekly updates - Minimal port/ service information - Non-commercial use only --------------------------------------------- https://blog.shodan.io/introducing-the-internetdb-api/ ∗∗∗ Diskrepanz zwischen erwarteten und tatsächlichen Cyberattacken im Ukraine-Krieg ∗∗∗ --------------------------------------------- c’t: Ukrainische Behörden haben Freiwillige in aller Welt aufgerufen, sich an Cyberattacken gegen Russland zu beteiligen. Halten Sie es für sinnvoll, dabei mitzumachen? Dr. Sven Herpig: Nein. Natürlich könnten Freiwillige irgendwelche Ziele in Russland ärgern, aber das wird weit weg sein von kriegsentscheidend. Gleichzeitig ist es aus drei Gründen ziemlich gefährlich. --------------------------------------------- https://heise.de/-6540223 ∗∗∗ Gefälschte Otto-Shops werben auf Facebook ∗∗∗ --------------------------------------------- ottot.shop, otto.us.com und ghrh.shop sind betrügerische Online-Shops. Diese Shops imitieren das deutsche Handelsunternehmen „OTTO“ und bieten Produkte zu sehr günstigen Preisen an. Aber: Ware, die dort bestellt und bezahlt wird, wird nicht geliefert. Geschädigte können versuchen ihr Geld über den Käuferschutz von PayPal zurückzubekommen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-otto-shops-werben-auf-fa… ===================== = Vulnerabilities = ===================== ∗∗∗ Veeam Backup & Replication - CVE-2022-26500 | CVE-2022-26501 ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. CVSS v3 score: 9.8 --------------------------------------------- https://www.veeam.com/kb4288 ∗∗∗ High-Severity Vulnerabilities Patched in Omron PLC Programming Software ∗∗∗ --------------------------------------------- Several high-severity vulnerabilities that can be exploited for remote code execution were patched recently in the CX-Programmer software of Japanese electronics giant Omron. An advisory released earlier this month by Japan’s JPCERT/CC revealed that the product is affected by five use-after-free and out-of-bounds vulnerabilities, all with a CVSS score of 7.8. --------------------------------------------- https://www.securityweek.com/high-severity-vulnerabilities-patched-omron-pl… ∗∗∗ Riverbed spinoff Aternity ships emergency software patch ∗∗∗ --------------------------------------------- Riverbed’s performance monitoring spinoff Aternity has published seven security advisories describing now-patched vulnerabilities in its AppInternals monitoring agent software. The most serious of the bugs gave attackers remote code execution with system-level privilege. [..] Riverbed has shipped AppInternals Agent versions 11.8.8 and 12.14.0, which include patches for the bugs. --------------------------------------------- https://www.itnews.com.au/news/riverbed-spinoff-aternity-ships-emergency-so… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, haproxy, libphp-adodb, nbd, and vim), Fedora (chromium, cobbler, firefox, gnutls, linux-firmware, radare2, thunderbird, and usbguard), Mageia (gnutls), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, and kernel), SUSE (firefox, tomcat, and webkit2gtk3), and Ubuntu (libxml2 and nbd). --------------------------------------------- https://lwn.net/Articles/887807/ ∗∗∗ Dell BIOS: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- CVE Liste: CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, CVE-2022-24421 Ein lokaler Angreifer kann mehrere Schwachstellen in Dell BIOS und Dell Computer ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0308 ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- CVE Liste: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943 Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache HTTP Server ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0306 ∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-no… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus is vulnerable to PostgreSQL Man-in-the-Middle and Slowloris Denial of Service attacks (CVE-2021-23222, CVE-2022-22354) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Analytical Decision Management (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects SPSS Collaboration and Deployment Services (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Big SQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-no… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to arbitrary code execution because of Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: Vulnerabilities in the Linux Kernel, Samba, Sudo, Python, and tcmu-runner affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-li… ∗∗∗ Security Bulletin: IBM Spectrum Copy Data Management is vulnerable to Slowloris, HTTP header injection, XSS, and CSRF (CVE-2022-22354, CVE-2022-22344, CVE-2021-39055, CVE-2021-39051) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-copy-data-ma… ∗∗∗ Security Bulletin: Vulnerabilities in Celery, Golang Go, and Python affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-celery… ∗∗∗ Security Bulletin: Vulnerability in Flask and Python affects IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2021-33026, CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-flask-an… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Polkit, PostgreSQL, OpenSSL, OpenSSH, and jQuery affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and IBM WebSphere Application Server Liberty affect IBM Operations Center and Client Management Service (CVE-2021-35578, CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Polkit, Node.js, OpenSSH, and Golang Go affect IBM Spectrum Protect Plus (CVE-2021-4034, CVE-2022-21681, CVE-2022-21680, CVE-2022-0235, CVE-2021-41617, CVE-2021-44716, CVE-2021-44717, 218243) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit… ∗∗∗ Security Bulletin: Reverse Tabnabbing and Cross-Site Request Forgery vulnerabilities in IBM Spectrum Protect Operations Center (CVE-2020-22348, CVE-2020-22346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-reverse-tabnabbing-and-cr… ∗∗∗ K63603485: Linux kernel vulnerability CVE-2022-0847 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63603485 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2022
by Daily end-of-shift report 11 Mar '22

11 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-03-2022 18:00 − Freitag 11-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Raccoon Stealer Crawls Into Telegram ∗∗∗ --------------------------------------------- The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware. --------------------------------------------- https://threatpost.com/raccoon-stealer-telegram/178881/ ∗∗∗ Keep an Eye on WebSockets, (Fri, Mar 11th) ∗∗∗ --------------------------------------------- It has been a while that I did not spot WebSockets used by malware. Yesterday I discovered an interesting piece of Powershell. Very small and almost undetected according to its Virustotal score (2/54)[1]. A quick reminder for those that don't know what a "WebSocket" is. --------------------------------------------- https://isc.sans.edu/diary/rss/28430 ∗∗∗ Bypassing MFA: A Pentest Case Study ∗∗∗ --------------------------------------------- When a company implements multifactor authentication, the organization is usually confident that it’s using the best system possible. However, not all MFA is built the same and there are times when the MFA solution being implemented is not delivering the protection required. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/bypassing-m… ∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in popular package managers that, if potentially exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines. Its, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers. --------------------------------------------- https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html ∗∗∗ Whats up with in-the-wild exploits? Plus, what were doing about it. ∗∗∗ --------------------------------------------- If you are a regular reader of our Chrome release blog, you may have noticed that phrases like exploit for CVE-1234-567 exists in the wild have been appearing more often recently. In this post well explore why there seems to be such an increase in exploits, and clarify some misconceptions in the process. Well then share how Chrome is continuing to make it harder for attackers to achieve their goals. --------------------------------------------- http://security.googleblog.com/2022/03/whats-up-with-in-wild-exploits-plus.… ∗∗∗ WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities ∗∗∗ --------------------------------------------- Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues. The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. --------------------------------------------- https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixe… ∗∗∗ Cobalt Strike: Memory Dumps – Part 6 ∗∗∗ --------------------------------------------- This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. --------------------------------------------- https://blog.nviso.eu/2022/03/11/cobalt-strike-memory-dumps-part-6/ ∗∗∗ Infostealer Being Distributed via YouTube ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user to turn off the anti-malware program. The team has introduced another case of distribution disguised as a game hack or crack via YouTube in a previous ASEC blog post. --------------------------------------------- https://asec.ahnlab.com/en/32499/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-503: MyBB Admin Control Panel Code Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of MyBB. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-503/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat vulnerabilities and, firefox, and subversion). --------------------------------------------- https://lwn.net/Articles/887635/ ∗∗∗ Mattermost security updates 6.4.2, 6.3.5, 6.2.5, 5.37.9 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.4.2, 6.3.5 (Extended Support Release), 6.2.5, 5.37.9 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-4-2-6-3-5-6-2-5-5… ∗∗∗ Siemens Solid Edge, JT2Go, and Teamcenter Visualization ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-22-041-07 Siemens Solid Edge, JT2Go, and Teamcenter Visualization that was published February 10, 2022, on the ICS webpage at www.cisa.gov/uscert. This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Heap-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge, JT2Go, and Teamcenter Visualization software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-041-07 ∗∗∗ Mehrere Schwachstellen in PONTON X/P Messenger (SYSS-2021-077/-078/-079/-080) ∗∗∗ --------------------------------------------- Der PONTON X/P Messenger der PONTON GmbH ist in den Versionen 3.8.0 und 3.10.0 unter eingeschränkten Voraussetzungen anfällig für mehrere Schwachstellen. --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-ponton-x/p-messe… ∗∗∗ CERT-EU warnt vor SMBv3-Schwachstelle CVE-2022-24508, Fix durch Windows März 2022-Updates ∗∗∗ --------------------------------------------- Mit den Sicherheitsupdates vom 8. März 2022 für Windows hat Microsoft eine Reihe Schwachstellen geschlossen. Darunter ist auch eine als wichtig eingestufte Remote Code Execution-Schwachstelle (REC) im Windows SMBv3 Client/Server. CERT-EU warnt in einer aktuellen Mitteilung vor dieser SMBv3-Schwachstelle CVE-2022-24508 [...] --------------------------------------------- https://www.borncity.com/blog/2022/03/11/cert-eu-warnt-vor-smbv3-schwachste… ∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 10 March 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. Related CVEs are: CVE-2022-24672, CVE-2022-24673 and CVE-2022-24674. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0299 ∗∗∗ phpMyAdmin: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0304 ∗∗∗ McAfee Total Protection: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0302 ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has a vulnerability (CVE-2021-39022), related to hazardous input. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: A Python Issue Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-python-issue-affects-ib… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to an attacker obtaining sensitive information (CVE-2021-35550, CVE-2021-35603) and denial of service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-38893 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Cloud Pak for Automation Workflow Process Service (CVE-2021-38893 CVE-2021-38966) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2022
by Daily end-of-shift report 10 Mar '22

10 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-03-2022 18:00 − Donnerstag 10-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Nearly 30% of critical WordPress plugin bugs dont get a patch ∗∗∗ --------------------------------------------- Patchstack, a leader in WordPress security and threat intelligence, has released a whitepaper to present the state of WordPress security in 2021, and the report paints a dire picture. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nearly-30-percent-of-critica… ∗∗∗ What Security Controls Do I Need for My Kubernetes Cluster? ∗∗∗ --------------------------------------------- This Tech Tip offers some security controls to embed in your organizations CI/CD pipeline to protect Kubernetes clusters and corporate networks. --------------------------------------------- https://www.darkreading.com/dr-tech/what-security-controls-do-i-need-for-my… ∗∗∗ Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads ∗∗∗ --------------------------------------------- The ever-shifting, ever-more-powerful malware is now hijacking email threads to download malicious DLLs that inject password-stealing code into webpages, among other foul things. --------------------------------------------- https://threatpost.com/qakbot-botnet-sprouts-fangs-injects-malware-into-ema… ∗∗∗ Credentials Leaks on VirusTotal, (Thu, Mar 10th) ∗∗∗ --------------------------------------------- A few weeks ago, researchers published some information about stolen credentials that were posted on Virustotal[1]. Im keeping an eye on VT for my customers and searching for data related to them. For example, I looking for their domain name(s) inside files posted on VT. I may confirm what researchers said, there are a lot of passwords leaks shared on VTI but yesterday, there was a peak of files uploaded on this platform. --------------------------------------------- https://isc.sans.edu/diary/rss/28426 ∗∗∗ Demystifying E-Commerce Website Security ∗∗∗ --------------------------------------------- Here we’ll be discussing the main aspects that are important to an E-Commerce website, the kinds of vulnerabilities that can impact your business, and how to take better preventative measures. --------------------------------------------- https://blog.sucuri.net/2022/03/demystifying-e-commerce-website-security.ht… ∗∗∗ Pre-announcement of 4 BIND security issues scheduled for disclosure 16 March 2022 ∗∗∗ --------------------------------------------- As part of our policy of pre-notification of upcoming security releases, we are writing to inform you that the March 2022 BIND maintenance releases that will be released on Wednesday, 16 March, will contain a patches for a security vulnerabilities affecting the BIND 9.11.x, 9.16.x and 9.18.x release branches. Further details about those vulnerabilities will be publicly disclosed at the time the releases are published. --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2022-March/001211.html ∗∗∗ Getting Critical: Making Sense of the EU Cybersecurity Framework for Cloud Providers ∗∗∗ --------------------------------------------- In this chapter, we review how the EU cybersecurity regulatory framework impacts providers of cloud computing services. We examine the evolving regulatory treatment of cloud services as an enabler of the EUs digital economy and question whether all cloud services should be treated as critical infrastructure. Further, we look at how the safeguarding and incident notification obligations under the General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NISD) --------------------------------------------- https://arxiv.org/abs/2203.04887 ∗∗∗ The Conti Leaks: Insight into a Ransomware Unicorn ∗∗∗ --------------------------------------------- In late February 2022, the internal chat logs of the Conti ransomware group were disclosed. This blog dissects the internal chat logs that illuminate how Conti’s organizational infrastructure is run, details key figureheads, tooling as well as bitcoin transactions. --------------------------------------------- https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/ ∗∗∗ Spectre V2 ist auch bei ARM und Intel zurück: Angriff auf Branch History Buffer ∗∗∗ --------------------------------------------- Bisherige Schutzmechanismen von Intel-Prozessoren und ARM-Kernen gegen Seitenkanalangriffe vom Typ Spectre V2 reichen nicht aus. --------------------------------------------- https://heise.de/-6545263 ∗∗∗ „Ihr ID-Betriebssystem wird gesperrt“ – Apple E-Mail ist Fake! ∗∗∗ --------------------------------------------- Im betrügerischen E-Mail, das angeblich von Apple versendet wird, werden Sie aufgefordert Ihre Apple ID zu überprüfen. Doch Vorsicht – es handelt sich um Phishing! Hier sind Kriminelle auf Ihre Daten aus! Am besten ignorieren Sie das E-Mail. --------------------------------------------- https://www.watchlist-internet.at/news/ihr-id-betriebssystem-wird-gesperrt-… ∗∗∗ Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools ∗∗∗ --------------------------------------------- Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised. --------------------------------------------- http://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ [webapps] Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated) ∗∗∗ --------------------------------------------- # note : this is blind RCE so don't expect to see results on the site # this exploit is tested against Zabbix 5.0.17 only --------------------------------------------- https://www.exploit-db.com/exploits/50816 ∗∗∗ XSA-396 ∗∗∗ --------------------------------------------- CVEs: CVE-2022-23036 CVE-2022-23037 CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends --------------------------------------------- https://xenbits.xen.org/xsa/advisory-396.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and kernel), Fedora (cyrus-sasl, mingw-protobuf, and thunderbird), Mageia (kernel-linus), openSUSE (firefox, kernel, and libcaca), Oracle (.NET 6.0, kernel, kernel-container, and ruby:2.5), Slackware (mozilla-thunderbird), and SUSE (firefox, mariadb, and tomcat). --------------------------------------------- https://lwn.net/Articles/887484/ ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- - SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028 - Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0298 ∗∗∗ CVE-2022-0022 PAN-OS: Use of a Weak Cryptographic Algorithm for Stored Password Hashes (Severity: MEDIUM) ∗∗∗ --------------------------------------------- Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. [..] Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0022 ∗∗∗ UNIVERGE WA Series vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN72801744/ ∗∗∗ [remote] Siemens S7-1200 - Unauthenticated Start/Stop Command ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/50820 ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights CVE-2021-23450 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption is vulnerable to cross-site scripting (CVE-2020-7676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM DataPower Gateway permits reflected JSON injection (CVE-2021-38910) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-per… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, OmniFind Text Search Server for DB2 for i is vulnerable to arbitrary code execution (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily