=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 03-02-2022 18:00 − Freitag 04-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Schwachstelle in GitOps-Tool: Argo CD über Path Traversal angreifbar ∗∗∗
---------------------------------------------
Angriffe mit manipulierten Helm-Charts ermöglichen Zugriff auf beliebige Verzeichnisse im Repository des Continuous-Delivery-Werkzeugs für Kubernetes.
---------------------------------------------
https://heise.de/-6349810
∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗
---------------------------------------------
- Volexity discovers XSS zero-day vulnerability against Zimbra
- Targeted sectors include European government and media
- Successful exploitation results in theft of email data from users
---------------------------------------------
https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi…
∗∗∗ Cybersecurity for Industrial Control Systems: Part 1 ∗∗∗
---------------------------------------------
In this two-part series, we look into various cybersecurity threats that affected industrial control systems endpoints. We also discuss several insights and recommendations to mitigate such threats.
---------------------------------------------
https://www.iiot-world.com/ics-security/cybersecurity/cybersecurity-for-ind…
∗∗∗ Vulnerabilities that aren’t. ETag headers ∗∗∗
---------------------------------------------
This time we’re looking at the ETag (Entity Tag) header. I take some of the blame for this one as I first added a dissector of the header to Nikto’s headers plugin back in 2008, then other scanners added it.
---------------------------------------------
https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-et…
∗∗∗ Target open-sources its web skimmer detector ∗∗∗
---------------------------------------------
Targets cybersecurity team has open-sourced the code of Merry Maker, the companys internal application that it has used since 2018 to detect if any of its own websites have been compromised with malicious code that can steal payment card details from buyers.
---------------------------------------------
https://therecord.media/target-open-sources-its-web-skimmer-detector/
∗∗∗ An ALPHV (BlackCat) representative discusses the group’s plans for a ransomware ‘meta-universe’ ∗∗∗
---------------------------------------------
Late last year, cybersecurity researchers began to notice a ransomware strain called ALPHV that stood out for being particularly sophisticated and coded in the Rust programming language—a first for ransomware used in real-world attacks.
---------------------------------------------
https://therecord.media/an-alphv-blackcat-representative-discusses-the-grou…
∗∗∗ Special Report: Die Tücken von Active Directory Certificate Services (AD CS) ∗∗∗
---------------------------------------------
Active Directory Certificate Services (ADCS) ist anfällig für Fehlkonfigurationen, mit denen eine komplette Kompromittierung des Netzes trivial möglich ist. Publiziert wurde das Problem im Sommer 2021, jetzt wird diese Methode bei APT-Angriffen benutzt. Kontrollieren Sie mit den bereitgestellten Tools ihr Setup. Stellen Sie mit den angeführten Präventiv-Maßnahmen höhere Sichtbarkeit her. Überprüfen Sie mit den vorgestellen Tools, ob eine Fehlkonfiguration bereits ausgenutzt wurde.
---------------------------------------------
https://cert.at/de/spezielles/2022/2/special-report-die-tucken-von-active-d…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apng2gif, ruby2.5, ruby2.7, and strongswan), Fedora (389-ds-base, glibc, java-latest-openjdk, keylime, mingw-python-pillow, perl-Image-ExifTool, python-pillow, rust-afterburn, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-skim, rust-thread_local, rust-tokei, strongswan, vim, xen, and zola), Mageia (cryptsetup and expat), openSUSE (containerd, docker, glibc, [...]
---------------------------------------------
https://lwn.net/Articles/883828/
∗∗∗ Mattermost security updates 6.3.3, 6.2.3, 6.1.3, 5.37.8 released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.3.3 (Extended Support Release), 6.2.3, 6.1.3, 5.37.8 (Extended Support Release) for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-6-3-3-6-2-3-6-1-3-5…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/04/cisa-adds-one-kno…
∗∗∗ CSV+ vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN67396225/
∗∗∗ K40508224: Perl vulnerability CVE-2020-10878 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K40508224
∗∗∗ K05295469: Expat vulnerability CVE-2019-15903 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K05295469
∗∗∗ Security Bulletin: Log4j Vulnerability ( CVE-2021-44228 ) in IBM Informix Dynamic Server in Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2…
∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring installed WebSphere Application Server (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo…
∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an…
∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (October 2021) affects IBM InfoSphere Information Server (CVE-2021-35578 CVE-2021-35564) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 02-02-2022 18:00 − Donnerstag 03-02-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Spam-Anrufe von Wiener Nummer: “This is the police” ∗∗∗
---------------------------------------------
Bei solchen Anrufen gilt es generell, sofort aufzulegen. Ist man sich unsicher, ob der Anruf echt war (im Falle eines englischsprachigen Tonbands ist er das jedenfalls nicht), kann man eigenständig die Polizei (133) anrufen. Die Polizei warnt, dass man nie eine "Polizei"-Telefonnummern zurückrufen soll, wenn das in solchen Anrufen gefordert wird.
Hat man bereits mit der Person gesprochen und Daten herausgegeben, soll man umgehend Anzeige bei der Polizei erstatten.
---------------------------------------------
https://futurezone.at/digital-life/spam-anrufe-wiener-nummer-federal-police…
∗∗∗ WooCommerce Skimmer Uses Fake Fonts and Favicon to Steal CC Details ∗∗∗
---------------------------------------------
Today’s investigation starts out much like many others, with our client reporting an antivirus warning appearing only on their checkout page, of course at the worst possible time right around the end of December. What first seemed to be a routine case of credit card theft turned out to be a much more interesting infection that leveraged both font, favicon and other less-commonly used files to pilfer credit card details.
---------------------------------------------
https://blog.sucuri.net/2022/02/woocommerce-skimmer-uses-fake-fonts-and-fav…
∗∗∗ A comprehensive guide on [NTLM] relaying anno 2022 ∗∗∗
---------------------------------------------
For years now, Internal Penetration Testing teams have been successful in obtaining a foothold or even compromising entire domains through a technique called NTLM relaying. [..] This blog post aims to be a comprehensive resource that will walk through the attack primitives that continue to work today. While most will be well known techniques, some techniques involving Active Directory Certificate Services might be lesser known.
---------------------------------------------
https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
∗∗∗ Tattoo-Giveaways auf Instagram führen in eine Abo-Falle ∗∗∗
---------------------------------------------
Kriminelle versenden Nachrichten von Fake-Accounts und behaupten, dass Instagram-User bei einem Gewinnspiel gewonnen hätten. Doch der angebliche Gewinn führt nicht zu einem neuen Tattoo, sondern in eine gut getarnte Abo-Falle.
---------------------------------------------
https://www.watchlist-internet.at/news/tattoo-giveaways-auf-instagram-fuehr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Vulnerabilities in Sante DICOM Viewer Pro ∗∗∗
---------------------------------------------
* J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
* DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
* DCM File ParsingOut-Of-Bounds Read Information Disclosure Vulnerability
* DCM File Parsing Use-After-Free Information Disclosure Vulnerability
* JP2 File Parsing Use-After-Free Remote Code Execution Vulnerability
* JP2 File Parsing Memory Corruption Remote Code Execution Vulnerability
* J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
---------------------------------------------
https://www.zerodayinitiative.com/advisories/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (librecad), Fedora (flatpak, flatpak-builder, and glibc), Mageia (chromium-browser-stable, connman, libtiff, and rust), openSUSE (lighttpd), Oracle (cryptsetup, nodejs:14, and rpm), Red Hat (varnish:6), SUSE (kernel and unbound), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-aws-5.13, linux-gcp, linux-gcp-5.11, linux-hwe-5.13, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-dell300x, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-gke, linux-gke-5.4, mysql-5.7, mysql-8.0, python-django, samba).
---------------------------------------------
https://lwn.net/Articles/883676/
∗∗∗ Sensormatic PowerManage ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01
∗∗∗ Airspan Networks Mimosa ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Authorization, Incorrect Authorization, Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Airspan Networks Mimosa network management software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-034-02
∗∗∗ Zwei Schwachstellen in AudioCodes Session Border Controller (SYSS-2021-068/-075) ∗∗∗
---------------------------------------------
In AudioCodes Session Border Controller (SBC) kann Telefonbetrug begangen werden. Auch wurde eine Rechteeskalation in der Web Management-Konsole gefunden.
---------------------------------------------
https://www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construct…
∗∗∗ InsydeH2O UEFI System Management Mode (SMM) Vulnerabilities ∗∗∗
---------------------------------------------
Mitigation Strategy for Customers (what you should do to protect yourself): Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
---------------------------------------------
http://support.lenovo.com/product_security/PS500463-INSYDEH2O-UEFI-SYSTEM-M…
∗∗∗ Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by JWT-Go vulnerability (CVE-2020-26160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Standard is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf…
∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-38960 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-…
∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Enterprise is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf…
∗∗∗ K67416037: Linux kernel vulnerability CVE-2021-23133 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K67416037?utm_source=f5support&utm_mediu…
∗∗∗ Weidmueller: Remote I/O fieldbus couplers (IP20) affected by INFRA:HALT vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2021-042/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 01-02-2022 18:00 − Mittwoch 02-02-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ VU#796611: InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM ∗∗∗
---------------------------------------------
The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM). UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code.
---------------------------------------------
https://kb.cert.org/vuls/id/796611
∗∗∗ CISA Releases Securing Industrial Control Systems: A Unified Initiative ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) has released its five-year industrial control systems (ICS) strategy: Securing Industrial Control Systems: A Unified Initiative. The strategy—developed in collaboration with industry and government partners—lays out CISA's plan to improve, unify, and focus the effort to secure ICS and protect critical infrastructure.
---------------------------------------------
https://us-cert.cisa.gov/ics/cisa-releases-securing-industrial-control-syst…
∗∗∗ Kasper: a tool for finding speculative-execution vulnerabilities ∗∗∗
---------------------------------------------
The Systems and Network Security Group at Vrije Universiteit Amsterdam hasannounced a tool calledKasper that is able to scan the kernel source and locatespeculative-execution vulnerabilities: Namely, it models an attacker capable of controlling data (e.g., via memory massaging or value injection a la LVI), accessing secrets (e.g., via out-of-bounds or use-after-free accesses), and leaking these secrets (e.g., via cache-based, MDS-based, or port contention-based covert channels).
---------------------------------------------
https://lwn.net/Articles/883448/
∗∗∗ Post E-Mail „Dein Paket wartet !“ ist fake! ∗∗∗
---------------------------------------------
Kriminelle versenden gehäuft E-Mails im Namen der Post mit dem Betreff „Dein Paket wartet !“. Eine Liefergebühr über 1,69 Euro sei ausständig. Achtung: Die E-Mails sind frei erfunden. Die Kriminellen wenden Spoofing an, um die Mail-Adresse echt aussehen zu lassen und verlinken auf eine nachgebaute Post-Website.
---------------------------------------------
https://www.watchlist-internet.at/news/post-e-mail-dein-paket-wartet-ist-fa…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (samba), Debian (apache2 and python-django), Fedora (kernel and phpMyAdmin), Mageia (kernel and kernel-linus), openSUSE (samba), Oracle (nginx:1.20 and samba), Red Hat (cryptsetup, java-1.8.0-ibm, kernel, nodejs:14, rpm, and vim), SUSE (kernel, python-Django, python-Django1, and samba), and Ubuntu (cron).
---------------------------------------------
https://lwn.net/Articles/883541/
∗∗∗ Google Releases Security Updates for Chrome ∗∗∗
---------------------------------------------
Google has released Chrome versions 98.0.4758.80/81/82 for Windows and 98.0.4758.80 for Mac and Linux. These versions address vulnerabilities that an attacker could exploit to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/02/google-releases-s…
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Sealevel SeaConnect ∗∗∗
---------------------------------------------
Cisco Talos recently discovered several vulnerabilities in Sealevel Systems Inc.’s SeaConnect internet-of-things edge device — many of which could allow an attacker to conduct a man-in-the-middle attack or execute remote code on the targeted device.
The SeaConnect 370W is a WiFi-connected edge device commonly used in industrial control system (ICS) environments that allow users to remotely monitor and control the status of real-world I/O processes. This device offers remote control via MQTT, Modbus TCP and a manufacturer-specific interface referred to as the "SeaMAX API."
---------------------------------------------
http://blog.talosintelligence.com/2022/02/vuln-spotlight-sea-level-connect.…
∗∗∗ Cisco Prime Service Catalog Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Umbrella Secure Web Gateway File Inspection Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Small Business RV Series Routers Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ FortiAuthenticator - Improper access control in HA service ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-20-217
∗∗∗ FortiMail - reflected cross-site scripting vulnerability in FortiGuard URI protection ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-185
∗∗∗ FortiExtender - Arbitrary command execution because of missing CLI input sanitization ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-148
∗∗∗ FortiWeb - OS command injection due to unsafe input validation function ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-166
∗∗∗ FortiWeb - Stack-based buffer overflow in command line interpreter ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-132
∗∗∗ FortiWeb - OS command injection due to direct input interpolation in API controllers ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-180
∗∗∗ FortiWeb - arbitrary file/directory deletion ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-158
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to leaking sensitive information due to CVE-2021-3712 in OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ K74013101: Binutils vulnerability CVE-2021-42574 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K74013101?utm_source=f5support&utm_mediu…
∗∗∗ K28622040: Python vulnerability CVE-2019-9948 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K28622040?utm_source=f5support&utm_mediu…
∗∗∗ Advantech ADAM-3600 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-032-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 31-01-2022 18:00 − Dienstag 01-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ BSI-Grundschutz-Kompendium 2022: Neue Bausteine, schlankere Struktur ∗∗∗
---------------------------------------------
Das IT-Grundschutzkompendium in der Edition 2022 wartet mit einigen neuen Bausteinen, aber auch mit strukturellen Änderungen auf.
---------------------------------------------
https://heise.de/-6344956
∗∗∗ SMS der „Bawag“ mit „Ihr Konto wurde gesperrt!“ ist Fake ∗∗∗
---------------------------------------------
Vorsicht: Momentan kursiert ein betrügerisches SMS – angeblich von der Bawag. In der Nachricht werden Sie darüber informiert, dass Ihr Konto gesperrt wurde. Sie werden aufgefordert, auf einen Link zu klicken. Tun Sie das keinesfalls. Der Link führt auf eine gefälschte BAWAG-Login-Seite.
---------------------------------------------
https://www.watchlist-internet.at/news/sms-der-bawag-mit-ihr-konto-wurde-ge…
∗∗∗ Domain Escalation – Machine Accounts ∗∗∗
---------------------------------------------
The pass the hash technique is not new and it was usually used for lateral movement on the network in scenarios where the administrator password hash could not be cracked due to complexity or assessment time constraints. However, performing pass the hash with machine accounts instead of local administrators accounts is not very common even though it has been described in an article by Adam Chester years ago and could be used in scenarios where the host is part of an elevated group such as the domain admins.
---------------------------------------------
https://pentestlab.blog/2022/02/01/machine-accounts/
∗∗∗ Updates released for multiple vulnerabilities found in 42 Gears SureMDM products ∗∗∗
---------------------------------------------
42 Gears released an initial set of updates in November and more earlier this month.
---------------------------------------------
https://www.zdnet.com/article/multiple-vulnerabilities-found-in-42-gears-su…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-22-146: Esri ArcReader PMF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Esri ArcReader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-146/
∗∗∗ ZDI-22-148: ESET Endpoint Antivirus Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of ESET Endpoint Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-148/
∗∗∗ Rate - Critical - Unsupported - SA-CONTRIB-2022-010 ∗∗∗
---------------------------------------------
2022-01-31 a new maintainer has step forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [...]
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-010
∗∗∗ WordPress-Plug-in Essential Addons for Elementor als Schadcode-Schleuder ∗∗∗
---------------------------------------------
In der aktuellen Version von Essential Addons for Elementor haben die Entwickler eine Sicherheitslücke geschlossen.
---------------------------------------------
https://heise.de/-6344583
∗∗∗ VMSA-2022-0003 ∗∗∗
---------------------------------------------
VMware Cloud Foundation contains an information disclosure vulnerability due to the logging of plaintext credentials within some log files.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0003.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ipython), Fedora (kernel and usbview), Gentoo (webkit-gtk), Oracle (java-1.8.0-openjdk), Red Hat (kpatch-patch and samba), Scientific Linux (samba), Slackware (kernel), SUSE (kernel and samba), and Ubuntu (samba).
---------------------------------------------
https://lwn.net/Articles/883423/
∗∗∗ Ricon Mobile Industrial Cellular Router ∗∗∗
---------------------------------------------
This advisory contains mitigations for an OS Command Injection vulnerability in the Ricon Mobile Industrial Cellular Router mobile network router.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-032-01
∗∗∗ Advantech ADAM-3600 ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Use of Hard-coded Cryptographic Key vulnerability in Advantech ADAM-3600 remote terminal units.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-032-02
∗∗∗ January 31, 2022 TNS-2022-04 [R1] Nessus 10.1.0 Fixes One Third-Party Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2022-04
∗∗∗ K59563964: Apache Log4j Remote Code Execution vulnerability CVE-2022-23302 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K59563964
∗∗∗ K97120268: Apache Log4j SQL injection vulnerability CVE-2022-23305 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K97120268
∗∗∗ K00322972: Apache Log4j Chainsaw vulnerability CVE-2022-23307 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K00322972
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability (CVE-2021-4034) in Polkit affects IBM Netezza PDA OS Security ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Vulnerabilities in PostgreSQL, Node.js, and Data Tables from Spry Media may affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-postgr…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerabilities in Golang Go, MinIO, and Python may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-golang…
∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may impact IBM Spectrum Protect Plus (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring operands and Integration Server operands that use the JDBC connector may be vulnerable to remote code execution due to CVE-2021-44228 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM Security Verify Access fixed a security vulnerability in the product. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-acces…
∗∗∗ Security Bulletin: IBM TRIRIGA Indoor Maps, a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to arbitrary code execution due to Apache Log4j library vulnerability (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-indoor-maps-a…
∗∗∗ Security Bulletin: Cross-site scripting and session fixation vulnerability in IBM Financial Transaction Manager for SWIFT Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 28-01-2022 18:00 − Montag 31-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Log4Shell: Eine Bestandsaufnahme ∗∗∗
---------------------------------------------
Nach der Panik wegen der größten Sicherheitslücke aller Zeiten blieb der große Knall aus. Kommt der noch oder haben wir das Gröbste überstanden?
---------------------------------------------
https://heise.de/-6342536
∗∗∗ Unseriöse Umzugsfirmen: Vorsicht bei zu günstigen Angeboten ∗∗∗
---------------------------------------------
Sie ziehen gerade um und sind auf der Suche nach einer Umzugsfirma? Unser Tipp: Lassen Sie sich nicht von Billigangeboten täuschen! Festpreisangebote von „25 Euro pro Stunde für 2 Männer inklusive LKW“ sind vollkommen unrealistisch. Dabei handelt es sich um ein Lockangebot. Bei einer Beauftragung wird Ihnen schlussendlich der 3- bis 4-fache Preis verrechnet!
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-umzugsfirmen-vorsicht-bei…
∗∗∗ 277,000 routers exposed to Eternal Silence attacks via UPnP ∗∗∗
---------------------------------------------
A malicious campaign known as Eternal Silence is abusing Universal Plug and Play (UPnP) turns your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/277-000-routers-exposed-to-e…
∗∗∗ Be careful with RPMSG files, (Mon, Jan 31st) ∗∗∗
---------------------------------------------
Not many people are aware of ".rpmsg" files. The file extension means "restricted-permission message". They are used to deliver email messages between people and implement some controls applied at the recipient side. Such permissions are, by example, the right to forward or copy the original email.
---------------------------------------------
https://isc.sans.edu/diary/rss/28292
∗∗∗ Rip Raw - A tool to analyse the memory of compromised Linux systems ∗∗∗
---------------------------------------------
It is similar in purpose to Bulk Extractor, but particularly focused on extracting system Logs from memory dumps from Linux systems. This enables you to analyse systems without needing to generate a profile. This is not a replacement for tools such as Rekall and Volatility which use a profile to perform a more structured analysis of memory.
---------------------------------------------
https://github.com/cado-security/rip_raw
∗∗∗ TrendNET AC2600 RCE via WAN ∗∗∗
---------------------------------------------
This blog provides a walkthrough of how to gain RCE on the TrendNET AC2600 (model TEW-827DRU specifically) consumer router via the WAN interface. There is currently no publicly available patch for these issues; therefore only a subset of issues disclosed in TRA-2021–54 will be discussed in this post.
---------------------------------------------
https://medium.com/tenable-techblog/trendnet-ac2600-rce-via-wan-8926b29908a4
∗∗∗ In eigener Sache: CERT.at sucht Verstärkung (Junior IT-Security Analyst:in, IT-Security Analyst:in, Python Entwickler:in) ∗∗∗
---------------------------------------------
Wir suchen derzeit:
- Berufsein- oder -umsteiger:in mit ausgeprägtem Interesse an IT-Security zur Unterstützung bei den täglich anfallenden Routineaufgaben
- IT/OT-Security Generalist:in oder Spezialist:in im Bereich Windows Security, mit Praxiserfahrung
- Python Entwickler:in zur Weiterentwicklung von bestehenden Open-Source-Projekten, insbesondere IntelMQ und Tuency
Details finden sich auf unserer Jobs-Seite.
---------------------------------------------
https://cert.at/de/blog/2022/1/in-eigener-sache-certat-sucht-verstarkung-ju…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#119678: Samba vfs_fruit module insecurely handles extended file attributes ∗∗∗
---------------------------------------------
The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/119678
∗∗∗ ABB: SECURITY - OPC Server for AC 800M - Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
ABB is aware that OPC Server for AC 800M contains a Remote Code Execution vulnerability. An authenticated remote user with low privileges who successfully exploited this vulnerability could insert and execute arbitrary code in the node running the AC800M OPC Server.
---------------------------------------------
https://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/B0A9E56BA54C9C3AC12587DB002…
∗∗∗ Lenovo Security Advisory: LEN-78122 - Intel Graphics Drivers Advisory Intel Graphics Drivers Advisory ∗∗∗
---------------------------------------------
Intel reported potential security vulnerabilities in some Intel Graphics Drivers that may allow escalation of privilege or denial of service.
---------------------------------------------
https://support.lenovo.com/at/en/product_security/ps500462-intel-graphics-d…
∗∗∗ OpenSSL Security Advisory [28 January 2022] - BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160) ∗∗∗
---------------------------------------------
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of theTLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.
---------------------------------------------
https://openssl.org/news/secadv/20220128.txt
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache-log4j1.2, expat, libraw, prosody, and python-nbxmpp), Fedora (chromium, hiredis, java-11-openjdk, java-latest-openjdk, lua, rust-afterburn, rust-ammonia, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-insta, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-ron, rust-ron0.6, rust-similar, rust-similar-asserts, rust-skim, rust-thread_local, rust-tokei, vim, wpa_supplicant, and zola), Gentoo [...]
---------------------------------------------
https://lwn.net/Articles/883322/
∗∗∗ SBA-ADV-20220127-01: Shibboleth Identity Provider OIDC OP Plugin Server-Side Request Forgery ∗∗∗
---------------------------------------------
Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the `request_uri` parameter. This allows unauthenticated attackers to interact with arbitrary third-party HTTP services.
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/65856734acca54052de34b5206…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology JetWave products ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner…
∗∗∗ K54450124: NSS vulnerability CVE-2021-43527 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K54450124
∗∗∗ K46015513: Polkit pkexec vulnerability CVE-2021-4034 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K46015513
∗∗∗ WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-002/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 27-01-2022 18:00 − Freitag 28-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Lets Encrypt: Was Admins heute tun müssen ∗∗∗
---------------------------------------------
Heute um 17 Uhr werden bei Lets Encrypt Zertifikate zurückgezogen. Wir beschreiben, wie Admins prüfen können, ob sie betroffen sind. Eine Anleitung von Hanno Böck
---------------------------------------------
https://www.golem.de/news/let-s-encrypt-was-admins-heute-tun-muessen-2201-1…
∗∗∗ Fake-Gewinnspiel führt in Abo-Falle: BetrügerInnen geben sich als Ö-Ticket aus! ∗∗∗
---------------------------------------------
Auf Facebook geben sich Kriminelle unter der Seite „Oeticket Österreich“ als Ö-Ticket aus und bewerben das „Gewinnspiel des Jahres“. Zu gewinnen gibt es 2 Tickets für ein Ed Sheeran Konzert. Doch Achtung: Mit dieser Masche versuchen die Kriminellen an Ihre Kreditkartendaten zu kommen und Sie in eine Abo-Falle zu locken.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-gewinnspiel-fuehrt-in-abo-falle…
∗∗∗ QNAP probt Zwangsupdate nach 3.600 DeadBolt-Ransomware-Infektionen ∗∗∗
---------------------------------------------
QNAP-Nutzer werden aktuell wohl Opfer der DeadBolt-Ransomware – ich hatte es nicht im Blog, aber binnen einer Woche waren es wohl über 3.600 Opfer. Der NAS-Hersteller greift nun zu drastischen Mitteln und versucht die Firmware betroffener Geräte zwangsweise zu aktualisieren.
---------------------------------------------
https://www.borncity.com/blog/2022/01/28/qnap-probt-zwangsupdate-nach-3-600…
∗∗∗ EU to create pan-European cyber incident coordination framework ∗∗∗
---------------------------------------------
The European Systemic Risk Board (ESRB) proposed a new systemic cyber incident coordination framework that would allow EU relevant authorities to better coordinate when having to respond to major cross-border cyber incidents impacting the Unions financial sector.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/eu-to-create-pan-european-cy…
∗∗∗ Doctor Web’s December 2021 review of virus activity on mobile devices ∗∗∗
---------------------------------------------
According to detection statistics from Dr.Web for Android anti-virus products, adware trojans remained the most active Android threat in December. Another common threat detected on protected devices was malware that downloaded other apps. At the same time, more threats have been found on Google Play, like fake apps from the Android.FakeApp malware family. These are used in various fraudulent schemes.
---------------------------------------------
https://news.drweb.com/show/?i=14408&lng=en&c=9
∗∗∗ Doctor Web’s December 2021 virus activity review ∗∗∗
---------------------------------------------
Our December analysis of Dr.Web’s statistics revealed a 34% increase in the total number of threats compared to the previous month. The number of unique threats decreased by 15%. Nonetheless, adware still made up the majority of detected threats. These threats manifested with different types of malware. A variety of malware, including backdoors, was most often distributed in mail traffic.
---------------------------------------------
https://news.drweb.com/show/?i=14410&lng=en&c=9
∗∗∗ Why are WordPress Websites Targeted by Hackers? ∗∗∗
---------------------------------------------
If you are wondering why your wordpress site keeps getting hacked, or why you’re being targeted by hackers, we’ve compiled some of the top reasons for you. WordPress is one of the most commonly used Content Management Systems across the modern web. Currently over 445 million websites are utilizing WordPress. With a make up of over 40% of sites on the web utilizing WordPress to some extent, it’s only expected for bad actors to take advantage of its popularity.
---------------------------------------------
https://blog.sucuri.net/2022/01/why-are-wordpress-sites-targeted-by-hackers…
∗∗∗ Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing ∗∗∗
---------------------------------------------
Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victims network to further propagate spam emails and widen the infection pool. The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take advantage of the target's bring-your-own-device (BYOD) policy and introduce their own rogue devices using the pilfered credentials.
---------------------------------------------
https://thehackernews.com/2022/01/hackers-using-device-registration-trick.h…
∗∗∗ How to avoid an open source security nightmare ∗∗∗
---------------------------------------------
Just as it would be a mistake to say that all closed source projects are bug-free, its a mistake to say that all open source projects are security risks. Different projects have different focuses; some of them are much more concerned with the security of their releases.
---------------------------------------------
https://www.zdnet.com/article/how-to-avoid-an-open-source-security-nightmar…
∗∗∗ Weekly Threat Report 28th January 2022 ∗∗∗
---------------------------------------------
Read about the Mirai-based malware exploiting poor security, CISA updates and New Scanning Made Easy trial service from the NCSC
---------------------------------------------
https://www.ncsc.gov.uk/report/weekly-threat-report-28th-january-2022
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates available in Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1 ∗∗∗
---------------------------------------------
Foxit has released Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1, which address potential security and stability issues. CVE-2018-1285, CVE-2021-40420, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741, CVE-2022-22150
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html
∗∗∗ VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046) ∗∗∗
---------------------------------------------
2022-01-27: VMSA-2022-0028.10 - Revised advisory with updates to multiple products, including vCenter Server.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (graphicsmagick), Fedora (grafana), Mageia (aom and roundcubemail), openSUSE (log4j and qemu), Oracle (parfait:0.5), Red Hat (java-1.7.1-ibm and java-1.8.0-openjdk), Slackware (expat), SUSE (containerd, docker, log4j, and strongswan), and Ubuntu (cpio, shadow, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/883047/
∗∗∗ Denial of Service in Rexroth ActiveMover using Profinet protocol ∗∗∗
---------------------------------------------
BOSCH-SA-637429: The ActiveMover with Profinet communication module (Rexroth no. 3842 559 445) sold by Bosch Rexroth contains communication technology from Hilscher (PROFINET IO Device V3) in which a vulnerability with high severity has been discovered. A Denial of Service vulnerability may lead to unexpected loss of cyclic communication or interruption of acyclic communication.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-637429.html
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 26-01-2022 18:00 − Donnerstag 27-01-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CVE-2020-0696 - Microsoft Outlook Security Feature Bypass Vulnerability ∗∗∗
---------------------------------------------
How are the email security systems bypassed with vulnerability on ''Microsoft Outlook for Mac''? Improper hyperlink translation in ''Microsoft Outlook for Mac'' leads to the complete bypassing of email security systems and sending the malicious link to the victim as clickable. [..] The below investigation was performed with trial accounts provided by multiple vendors and reported responsibly to Microsoft, which has taken action to remedy the problem.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2020-06…
∗∗∗ Update-Reigen: macOS 12.2, watchOS 8.4 und tvOS 15.3 beheben Fehler ∗∗∗
---------------------------------------------
Apple hat neben iOS und iPadOS 15.3 auch alle anderen Betriebssysteme aktualisiert. Zudem gibts ein HomePod-OS-Update.
---------------------------------------------
https://heise.de/-6340079
∗∗∗ Hackers Using New Evasive Technique to Deliver AsyncRAT Malware ∗∗∗
---------------------------------------------
[..] Opening the decoy file redirects the message recipient to a web page prompting the user to save an ISO file. But unlike other attacks that route the victim to a phishing domain set up explicitly for downloading the next-stage malware, the latest RAT campaign cleverly uses JavaScript to locally create the ISO file from a Base64-encoded string and mimic the download process.
---------------------------------------------
https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.ht…
∗∗∗ Configuring Linux auditd for Threat Detection ∗∗∗
---------------------------------------------
The topics I look to cover in this article are
- Quick intro to the Linux Audit System
- Tips when writing audit rules
- Designing a configuration for security monitoring
- What to record with auditd
- Tips on managing noise
---------------------------------------------
https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505
∗∗∗ Financially Motivated Mobile Scamware Exceeds 100M Installations ∗∗∗
---------------------------------------------
In the pursuit of identifying and taking down similar financially motivated scams, zLabs researchers have discovered another premium service abuse campaign with upwards of 105 million victims globally, which we have named Dark Herring. [..] At the time of publishing, the scam services and phishing sites are no longer active, and Google has removed all the malicious applications from Google Play.
---------------------------------------------
https://blog.zimperium.com/dark-herring-android-scamware-exceeds-100m-insta…
∗∗∗ Jetzt handeln! Erpressungstrojaner DeadBolt hat es auf Qnap NAS abgesehen ∗∗∗
---------------------------------------------
Der Hersteller von Netzwerkspeichern (NAS) Qnap warnt abermals vor Ransomware-Attacken und gibt wichtige Tipps zur Absicherung.
---------------------------------------------
https://heise.de/-6340174
∗∗∗ Betrug mit nachgebautem Käuferschutz auf ebay-kleinanzeigen.de ∗∗∗
---------------------------------------------
eBay-kleinanzeigen.de stellt eine beliebte Kleinanzeigen-Plattform dar. Wie bei einigen anderen bekannten Marktplätzen wird auch hier eine sichere Bezahlmethode direkt auf der Plattform angeboten. Kriminelle nützen dies aus, indem sie die Kommunikation von offizieller Website und App beispielsweise auf WhatsApp verlagern. Später verweisen sie auf nachgebaute Websites und zweigen Zahlungen direkt in die eigenen Taschen ab!
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-mit-nachgebautem-kaeuferschut…
∗∗∗ The January 2022 Security Update Review ∗∗∗
---------------------------------------------
The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
---------------------------------------------
https://www.thezdi.com/blog/2022/1/11/the-january-2022-security-update-revi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014 ∗∗∗
---------------------------------------------
Project: Private Taxonomy Terms
Security risk: Critical
Description: This module enables users to create private vocabularies.The module doesnt sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-014
∗∗∗ Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011 ∗∗∗
---------------------------------------------
Project: Navbar
Security risk: Moderately critical
Description: This module provides a very simple, mobile-friendly navigation toolbar.The module doesnt sufficiently check for user-provided input.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-011
∗∗∗ Xerox Versalink Denial Of Service ∗∗∗
---------------------------------------------
A specifically crafted TIFF payload may be submitted to the printers job queue (in person or over the network) by unauthenticated/unprivileged users or network or internet attackers by means of a JavaScript payload. The device will panic upon attempting to read the submitted file and a physical reboot will be required. Upon reboot, the device will attempt to resume the last-printed job, triggering the panic once more. The process repeats ad-infinitum.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022010119
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (polkit), Debian (uriparser), Fedora (cryptsetup, flatpak, flatpak-builder, and polkit), Gentoo (polkit), Mageia (virtualbox), Red Hat (httpd24-httpd, httpd:2.4, and parfait:0.5), SUSE (clamav, log4j, python-numpy, and strongswan), and Ubuntu (vim).
---------------------------------------------
https://lwn.net/Articles/882882/
∗∗∗ Synology-SA-22:02 Samba ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_02
*** Drupal: Bugs in unsupporteten Sub-Projekten ***
---------------------------------------------
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. [..] If you use this project, you should uninstall it.
- Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022 https://www.drupal.org/sa-contrib-2022-022
- Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021 https://www.drupal.org/sa-contrib-2022-021
- Remote Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-020 https://www.drupal.org/sa-contrib-2022-020
- Vendor Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-019 https://www.drupal.org/sa-contrib-2022-019
- Cog - Critical - Unsupported - SA-CONTRIB-2022-018 https://www.drupal.org/sa-contrib-2022-018
- Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017 https://www.drupal.org/sa-contrib-2022-017
- Vocabulary Permissions Per Role - Critical - Unsupported - SA-CONTRIB-2022-016 https://www.drupal.org/sa-contrib-2022-016
- Exif - Critical - Unsupported - SA-CONTRIB-2022-015 https://www.drupal.org/sa-contrib-2022-015
- Business Responsive Theme - Critical - Unsupported - SA-CONTRIB-2022-013 https://www.drupal.org/sa-contrib-2022-013
- Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012 https://www.drupal.org/sa-contrib-2022-012
- Rate - Critical - Unsupported - SA-CONTRIB-2022-010 https://www.drupal.org/sa-contrib-2022-010
- Expire reset password link - Critical - Unsupported - SA-CONTRIB-2022-009 https://www.drupal.org/sa-contrib-2022-009
- Admin Toolbar Search - Critical - Unsupported - SA-CONTRIB-2022-008 https://www.drupal.org/sa-contrib-2022-008
- Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007 https://www.drupal.org/sa-contrib-2022-007
- Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005 https://www.drupal.org/sa-contrib-2022-005
- Taxonomy Access Control Lite - Critical - Unsupported - SA-CONTRIB-2022-006 https://www.drupal.org/sa-contrib-2022-006
---------------------------------------------
https://www.drupal.org/security/contrib
∗∗∗ Security Bulletin:IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletinibm-db2-on-openshift-and-i…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-22960, CVE-2021-22959 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service…
∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-mana…
∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 25-01-2022 18:00 − Mittwoch 26-01-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ALPN: Ein Prozent der Lets-Encrypt-Zertifikate wird zurückgezogen ∗∗∗
---------------------------------------------
Lets Encrypt teilt mit, dass es Probleme bei der ALPN-Validierungsmethode gab und damit ausgestellte Zertifikate zurückgezogen werden.
---------------------------------------------
https://www.golem.de/news/alpn-ein-prozent-der-let-s-encrypt-zertifikate-wi…
∗∗∗ Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW, (Wed, Jan 26th) ∗∗∗
---------------------------------------------
Integrated Lights-Out (iLO) is a low-level server management system intended for out-of-band configuration, which is embedded by Hewlett-Packard Enterprise on some of their servers. Besides its use for maintenance, it is often used by administrators for an emergency access to the server when everything "above it" (hypervisor or OS) fails and/or is unreachable. Since these kinds of platforms/interfaces are quite sensitive from the security standpoint, access to them should always be limited to relevant administrator groups only and their firmware should always be kept up to date.
---------------------------------------------
https://isc.sans.edu/diary/rss/28276
∗∗∗ German govt warns of APT27 hackers backdooring business networks ∗∗∗
---------------------------------------------
"It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)." The BfV also published indicators of compromise (IOCs) and YARA rules to help targeted German organizations to check for HyperBro infections and connections to APT27 command-and-control (C2) servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-h…
∗∗∗ Sysdig-Report: Container-Deployments weisen mehrheitlich Schwachstellen auf ∗∗∗
---------------------------------------------
Sysdig beobachtet einen anhaltenden Shift Left bei Container Security, viele Schwachstellen bleiben aber ungepatcht und Rechte-Konfigurationen unzureichend.
---------------------------------------------
https://heise.de/-6336816
∗∗∗ Root-Zugriff unter Linux durch Polkit-Lücke ∗∗∗
---------------------------------------------
Sicherheitsforscher haben eine Schwachstelle in Polkit entdeckt, die Rechteausweitung ermöglicht. Für die viele Distributionen sind bereits Patches verfügbar.
---------------------------------------------
https://heise.de/-6338569
∗∗∗ Fake-Shops geben sich als Shops für Warenhausauflösungen aus ∗∗∗
---------------------------------------------
Derzeit stoßen wir vermehrt auf Fake-Shops, die behaupten auf Warenhausauflösungen spezialisiert zu sein oder Überbestände von Amazon oder von Kaufhäusern zu verkaufen. Damit begründen Sie auch ihre günstigen Preise für Marken-Produkte wie KitchenAid, Weber oder DeLonghi. Doch wer genau hinsieht, erkennt, dass es sich um Fake-Shops handelt.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-geben-sich-als-shops-fuer…
∗∗∗ Vidar Exploiting Social Media Platform (Mastodon) ∗∗∗
---------------------------------------------
The ASEC analysis team has recently discovered that Vidar is exploiting a social media platform named Mastodon to create C&C server addresses. Vidar is an info-stealer malware installed through spam emails and PUP, sometimes being disguised as a KMSAuto authenticator tool. It has been consistently distributed since the past, and there was a recent case of it being installed through other types of malware such as Stop ransomware.
---------------------------------------------
https://asec.ahnlab.com/en/30875/
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in TransmitMail ∗∗∗
---------------------------------------------
TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below.
- Directory traversal vulnerability due to the improper validation of external input values (CWE-22) - CVE-2022-22146
- Cross-site scripting (CWE-79) - CVE-2022-21193
---------------------------------------------
https://jvn.jp/en/jp/JVN70100915/
∗∗∗ Security Update - Fix available for a privilege escalation vulnerability ∗∗∗
---------------------------------------------
This notification is in regard to an elevation of privilege vulnerability (CVE-2022-23863) that was recently identified and fixed in Desktop Central and Desktop Central MSP. [...] A privilege escalation vulnerability that may allow an authenticated user to change passwords of a more privileged account.
---------------------------------------------
https://pitstop.manageengine.com/portal/en/community/topic/security-update-…
∗∗∗ Denial of service & User Enumeration in WAGO 750-8xxx PLC ∗∗∗
---------------------------------------------
The Wago PLC models 750-8xxx are prone to multiple security vulnerabilities. These include a Denial-of-Service (DoS) of the connection to the Codesys service and the enumeration of usernames via a timing sidechannel. By exploiting these vulnerabilities, the remote usage of the Codesys services can be prevented and existing usernames on the device can be identified. [..] WAGO's customers should upgrade the firmware to the latest version available.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/denial-of-service-user-e…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (httpd), Debian (libxfont, lrzsz, nss, openjdk-17, policykit-1, webkit2gtk, and wpewebkit), Mageia (polkit), openSUSE (expat, json-c, kernel, polkit, qemu, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), Oracle (httpd:2.4, java-11-openjdk, and polkit), Red Hat (httpd:2.4, OpenShift Container Platform 3.11.570, polkit, and Red Hat OpenStack Platform 16.1 (etcd)), Scientific Linux (polkit), Slackware (polkit), SUSE (aide, expat, firefox, json-c, kernel, polkit, qemu, rust, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), and Ubuntu (policykit-1 and xorg-server).
---------------------------------------------
https://lwn.net/Articles/882724/
∗∗∗ Security Advisory - Laser Command Injection Vulnerability on Huawei Terminals ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220126-…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-24122 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-41079 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30639 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Jan 2022 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Automationis vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-automat…
∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi…
∗∗∗ Security Bulletin: IBM Observability by Instana and IBM Observability with Instana – Server and Agents are vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-observability-by-inst…
∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4…
∗∗∗ Security Bulletin: Tivoli Network Manager IP Edition is vulnerable to a denial of service vulnerability (CVE-2021-30468) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-network-manager-ip…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-17527 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-13935 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30640 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-33037 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ GE Gas Power ToolBoxST ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-025-01
∗∗∗ Injection of arbitrary HTML code in Bosch Video Security Android App ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-844050-bt.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 24-01-2022 18:00 − Dienstag 25-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Responsible Disclosure: Vom Finden und Melden von Sicherheitslücken ∗∗∗
---------------------------------------------
Im Auftrag eines ISP habe ich mehrere Sicherheitslücken in einem Cisco-Router gefunden. Hier erkläre ich, wie ich vorgegangen bin. Ein Erfahrungsbericht von Marco Wiorek
---------------------------------------------
https://www.golem.de/news/responsible-disclosure-vom-finden-und-melden-von-…
∗∗∗ Analyse: Linux- und ESXi-Varianten der LockBit-Ransomware ∗∗∗
---------------------------------------------
Die Forscher von Trend Micro Research haben das Thema LockBit-Ransomware in einer Analyse aufgegriffen. Denn diese Ransomware bedroht inzwischen nicht mehr nur Windows-Systeme. Es gibt bereits Samples, die auch Linux- und VMware ESXi-Instanzen befallen können.
---------------------------------------------
https://www.borncity.com/blog/2022/01/25/analyse-linux-und-esxi-varianten-d…
∗∗∗ Vollzugriff durch Hintertür in WordPress-Erweiterungen ∗∗∗
---------------------------------------------
Bei einem Servereinbruch landete Hintertür-Schadcode in Plugins und Themes von AccessPress. Angreifer könnten dadurch WordPress-Instanzen übernehmen.
---------------------------------------------
https://heise.de/-6337344
∗∗∗ Jetzt patchen! Attacken auf Fernzugrifflösung SMA 100 von Sonicwall ∗∗∗
---------------------------------------------
Sicherheitsforscher warnen davor, dass Angreifer derzeit Sonicwall Secure Mobile Access im Visier haben. Dagegen lässt sich etwas tun.
---------------------------------------------
https://heise.de/-6337222
∗∗∗ Verkaufen auf willhaben, ebay & Co: Zahlung und Versand nicht über „Kurierdienst Post“ oder „ebay Selling“ abwickeln ∗∗∗
---------------------------------------------
Auf ebay, willhaben, Shpock und Co. treiben momentan vermehrt betrügerische KäuferInnen ihr Unwesen. Diese können aber rasch entlarvt werden: Betrügerische KäuferInnen wollen die Zahlung und Versendung Ihres Produktes über spezielle Dienstleistungen abwickeln. Dabei handelt es sich um angebliche Kurierdienste der Post oder ebay. Diese sind aber Fake!
---------------------------------------------
https://www.watchlist-internet.at/news/verkaufen-auf-willhaben-ebay-co-zahl…
∗∗∗ BRATA Android Trojan Updated with ‘Kill Switch’ that Wipes Devices ∗∗∗
---------------------------------------------
Researchers identify three new versions of the banking trojan that include various new features, including GPS tracking and novel obfuscation techniques.
---------------------------------------------
https://threatpost.com/brata-android-trojan-kill-switch-wipes/177921/
∗∗∗ TrickBot Malware Using New Techniques to Evade Web Injection Attacks ∗∗∗
---------------------------------------------
The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products.
---------------------------------------------
https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html
∗∗∗ Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks ∗∗∗
---------------------------------------------
A previously undocumented cyber-espionage malware aimed at Apples macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET attributed the intrusion to an actor with "strong technical capabilities," [...]
---------------------------------------------
https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.h…
∗∗∗ Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies ∗∗∗
---------------------------------------------
We observed a new surge of Agent Tesla and Dridex malware samples dropped by malicious Excel add-ins (XLL files). We focus here on Agent Tesla.The post Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies appeared first on Unit42.
---------------------------------------------
https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent…
∗∗∗ Microsoft warns about this phishing attack that wants to read your emails ∗∗∗
---------------------------------------------
Attackers have targeted hundreds of organisations, says Microsoft security.
---------------------------------------------
https://www.zdnet.com/article/microsoft-warns-about-this-phishing-attack-th…
∗∗∗ Introducing Scanning Made Easy ∗∗∗
---------------------------------------------
A joint effort between the i100 and the NCSC, Scanning Made Easy (SME) will be a collection of NMAP Scripting Engine scripts, designed to help system owners and administrators find systems with specific vulnerabilities. In this blog post I want to give you an idea of the motivation behind the project, and its capabilities.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/introducing-scanning-made-easy
=====================
= Vulnerabilities =
=====================
∗∗∗ PHOENIX CONTACT: FL SWITCH 2xxx series incorrect privilege assignment ∗∗∗
---------------------------------------------
CVE ID: CVE-2022-22509; CVSS 3.1: 8.8 In Phoenix Contact FL SWITCH Series 2xxx an incorrect privilege assignment allows an unprivileged user to enable full access to the device configuration. Solution: Upgrade to firmware 3.10 or higher
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-001/
∗∗∗ Kritische Sicherheitslücke in Unisys Messaging Integration Services ∗∗∗
---------------------------------------------
Unbefugte Nutzer könnten aufgrund fehlerhafter Passwort-Prüfungen in den Messaging Integration Services (NTSI) von Unisys Zugang zu Servern erhalten.
---------------------------------------------
https://heise.de/-6337226
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan).
---------------------------------------------
https://lwn.net/Articles/882552/
∗∗∗ PrinterLogic Patches Code Execution Flaws in Printer Management Suite ∗∗∗
---------------------------------------------
PrinterLogic has released security updates to address a total of nine vulnerabilities in Web Stack and Virtual Appliance, including three security defects that carry "high severity" ratings.
---------------------------------------------
https://www.securityweek.com/printerlogic-patches-code-execution-flaws-prin…
∗∗∗ Trend Micro Worry Free Business Security Critical Patch 2380 und der freie Disk-Speicher ∗∗∗
---------------------------------------------
Der Sicherheitsanbieter Trend Micro hat ein kritisches Update 2380 für seine Worry Free Business Security (WFBS) freigegeben. Der Patch soll ein Sicherheitsproblem in einer Komponente beseitigen, die die Virenschutzlösung angreifbar macht. Was aber nicht verraten wird: Um diesen kritischen Patch zu installieren, müssen mindestens 13 Gigabyte Festplattenspeicher auf dem Systemlaufwerk vorhanden sein.
---------------------------------------------
https://www.borncity.com/blog/2022/01/25/trend-micro-worry-free-business-se…
∗∗∗ XSA-395 ∗∗∗
---------------------------------------------
Insufficient cleanup of passed-through device IRQs
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-395.html
∗∗∗ XSA-394 ∗∗∗
---------------------------------------------
A PV guest could DoS Xen while unmapping a grant
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-394.html
∗∗∗ XSA-393 ∗∗∗
---------------------------------------------
arm: guest_physmap_remove_page not removing the p2m mappings
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-393.html
∗∗∗ GNU libc: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0097
∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0096
∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0094
∗∗∗ Mattermost security updates 6.3.1, 6.2.2, 6.1.2, 5.37.7 released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-6-3-1-6-2-2-6-1-2-5…
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud October 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Studio Client (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Copy Data Management (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 21-01-2022 18:00 − Montag 24-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Erfolgreicher Angriff auf Nutzerkonten bei Thalia ∗∗∗
---------------------------------------------
Um Schaden von den Kunden abzuwenden, wurden die Kennwörter der betroffenen Konten von Thalia geändert. Die entsprechenden Kunden wurden per E-Mail darüber informiert. Der Buchhändler ruft in der E-Mail auch dazu auf, das Thalia-Kennwort bei anderen Diensten zu ändern, falls dieses auch bei anderen Anbietern mit dem gleichen Benutzernamen verwendet wird.
---------------------------------------------
https://www.golem.de/news/sicherheit-erfolgreicher-angriff-auf-nutzerkonten…
∗∗∗ Backup-Software: Dell EMC AppSync kompromittierbar ∗∗∗
---------------------------------------------
Durch mehrere Sicherheitslücken in der Backup-Software EMC AppSync von Dell hätten Angreifer in betroffene Systeme eindringen und sie manipulieren können.
---------------------------------------------
https://heise.de/-6334745
∗∗∗ SonicWall explains why firewalls were caught in reboot loops ∗∗∗
---------------------------------------------
In a weekend update, SonicWall said the widespread reboot loops that impacted next-gen firewalls worldwide were caused by signature updates published on Thursday evening not being correctly processed.
---------------------------------------------
https://www.bleepingcomputer.com/news/technology/sonicwall-explains-why-fir…
∗∗∗ Mixed VBA & Excel4 Macro In a Targeted Excel Sheet, (Sat, Jan 22nd) ∗∗∗
---------------------------------------------
Yesterday, Nick, one of our readers, shared with us a very interesting Excel sheet and asked us to check if it was malicious. Guess what? Of course, it was and he accepted to be mentioned in a diary. Thanks to him! This time, we also have the context and how the file was used. It was delivered to the victim and this person was called beforehand to make it more confident with the file. A perfect example of social engineering attack.
---------------------------------------------
https://isc.sans.edu/diary/rss/28264
∗∗∗ Microsoft is now disabling Excel 4.0 macros by default ∗∗∗
---------------------------------------------
Microsoft says that all Excel 4.0 (XLM) macros will now be disabled by default. [...] Sometimes good news in the security world comes later than expected. After three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros, Microsoft is making it the default.
---------------------------------------------
https://blog.malwarebytes.com/reports/2022/01/microsoft-is-now-disabling-ex…
∗∗∗ Emotet Now Using Unconventional IP Address Formats to Evade Detection ∗∗∗
---------------------------------------------
Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted "to the dotted decimal quad representation to initiate the request from the remote servers, [...]
---------------------------------------------
https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html
∗∗∗ GoWard A robust and rapidly-deployable Red Team proxy ∗∗∗
---------------------------------------------
Generally, Red Teams and adversarys redirect their traffic through proxies to protect their backend infrastructure. GoWard proxies HTTP C2 traffic to specified Red Team servers based on the HTTP header of the traffic. GoWards intent is to help obfuscate Red Team traffic and provide some level of resiliency against Blue Team investigation and mitigation.
---------------------------------------------
https://github.com/chdav/GoWard
∗∗∗ Crime Shop Sells Hacked Logins to Other Crime Shops ∗∗∗
---------------------------------------------
Up for the "Most Meta Cybercrime Offering" award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites.
---------------------------------------------
https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other…
∗∗∗ Dark Souls servers taken offline over hacking fears ∗∗∗
---------------------------------------------
We look at trouble in Dark Souls land after PvP servers were turned off to combat what looked like a nasty exploit. [...] It all begins with a popular streamer playing a Souls game in PvP mode. [...] You’ll also hear the incredibly confused streamer in the background, talking about seeing “powershell.exe” on their screen. This is, it has to be said, not a good sign.
---------------------------------------------
https://blog.malwarebytes.com/hacking-2/2022/01/dark-souls-servers-taken-of…
∗∗∗ Cobalt Strike, a Defender’s Guide – Part 2 ∗∗∗
---------------------------------------------
Our previous article on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this post, we will focus on the network traffic it produced, and [...]
---------------------------------------------
https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
=====================
= Vulnerabilities =
=====================
∗∗∗ High-Severity Rust Programming Bug Could Lead to File, Directory Deletion ∗∗∗
---------------------------------------------
The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner. "An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldnt otherwise access or delete, [...]
---------------------------------------------
https://thehackernews.com/2022/01/high-severity-rust-programming-bug.html
∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ CVE-2021-45467: CWP CentOS Web Panel – preauth RCE ∗∗∗
---------------------------------------------
CentOS Web Panel or commonly known as CWP is a popular web hosting management software, used by over 200,000 unique servers, that can be found on Shodan or Census. The vulnerability chain that we used to exploit a full preauth remote command execution as root uses file inclusion (CVE-2021-45467) and file write (CVE-2021-45466) vulnerabilities. In this post we hope to cover our vulnerability research journey, and how we approached this particular target.
---------------------------------------------
https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-pre…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, golang-1.7, golang-1.8, pillow, qtsvg-opensource-src, util-linux, and wordpress), Fedora (expat, harfbuzz, kernel, qt5-qtsvg, vim, webkit2gtk3, and zabbix), Mageia (glibc, kernel, and kernel-linus), openSUSE (bind, chromium, and zxing-cpp), Oracle (kernel), Red Hat (java-11-openjdk and kpatch-patch), Scientific Linux (java-11-openjdk), SUSE (bind, clamav, zsh, and zxing-cpp), and Ubuntu (aide, dbus, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/882396/
∗∗∗ phpMyAdmin: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0089
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM Netcool Agile Service Manager is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netcool-agile-service…
∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent…
∗∗∗ Security Bulletin: Sensitive information in logs vulnerability affects IBM Sterling Gentran:Server for Windows (CVE-2021-39032) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-sensitive-information-in-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli…
∗∗∗ Security Bulletin: Log4j vulnerability CVE-2021-44228 affects IBM Cloud Pak for Data System 1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily