[CERT-daily] Tageszusammenfassung - 14.04.2023

Fri Apr 14 18:36:47 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 13-04-2023 18:00 − Freitag 14-04-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ VoIP-Software von 3CX: Erste Analyse-Ergebnisse ∗∗∗
---------------------------------------------
3CX hat erste Ergebnisse der IT-Sicherheitsspezialisten von Mandiant bezüglich des Einbruchs und Lieferkettenangriffs auf die VoIP-Software herausgegeben.
---------------------------------------------
https://heise.de/-8962595


∗∗∗ Netzwerkausrüster Juniper verteilt viele Sicherheits-Aktualisierungen ∗∗∗
---------------------------------------------
In diversen Produkten des Netzwerkausrüsters Juniper klaffen Sicherheitslücken, die der Hersteller mit Updates schließt. Sie sollten zügig installiert werden.
---------------------------------------------
https://heise.de/-8951334


∗∗∗ Jetzt patchen! QueueJumper-Lücke gefährdet hunderttausende Windows-Systeme ∗∗∗
---------------------------------------------
Sicherheitsforscher haben nach weltweiten Scans über 400.000 potenziell angreifbare Windows-Systeme entdeckt. Sicherheitspatches sind verfügbar.
---------------------------------------------
https://heise.de/-8961420


∗∗∗ Passwortschutz umgehbar: Drupal-Modul Protected Pages verwundbar ∗∗∗
---------------------------------------------
Angreifer könnten auf eigentlich durch Passwörter abgeschottete Drupal-Websites zugreifen. Ein Sicherheitsupdate ist verfügbar.
---------------------------------------------
https://heise.de/-8959518


∗∗∗ Cloudflare: Botnetzwerke setzen auf gehackte VPS statt auf IoT ∗∗∗
---------------------------------------------
Laut Cloudflare setzen Botnetze auf gehackte Virtual Private Server (VPS), beispielsweise von Start-ups, die deutlich mehr Leistung für DDoS-Angriffe bieten.
---------------------------------------------
https://www.golem.de/news/cloudflare-botnetzwerke-setzen-auf-gehackte-vps-statt-auf-iot-2304-173418.html


∗∗∗ HTTP: Whats Left of it and the OCSP Problem, (Thu, Apr 13th) ∗∗∗
---------------------------------------------
It has been well documented that most "web" traffic these days uses TLS, either as traditional HTTPS or the more modern QUIC protocol. So it is always interesting to see what traffic remains as HTTP.
---------------------------------------------
https://isc.sans.edu/diary/rss/29744


∗∗∗ How to Set Up a Content Security Policy (CSP) in 3 Steps ∗∗∗
---------------------------------------------
What is a Content Security Policy (CSP)? A Content Security Policy (CSP) is a security feature used to help protect websites and web apps from clickjacking, cross-site scripting (XSS), and other malicious code injection attacks. At the most basic level, a CSP is a set of rules that restricts or green lights what content loads onto your website. It is a widely-supported security standard recommended to anyone who operates a website.
---------------------------------------------
https://blog.sucuri.net/2023/04/how-to-set-up-a-content-security-policy-csp-in-3-steps.html


∗∗∗ RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed the tactics of a "rising" cybercriminal gang called "Read The Manual" (RTM) Locker that functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit.
---------------------------------------------
https://thehackernews.com/2023/04/rtm-locker-emerging-cybercrime-group.html


∗∗∗ Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation ∗∗∗
---------------------------------------------
The Android vulnerability CVE-2023-20963, reportedly exploited as a zero-day by a Chinese app against millions of devices, was added to CISA’s KEV catalog.
---------------------------------------------
https://www.securityweek.com/google-cisa-warn-of-android-flaw-after-reports-of-chinese-app-zero-day-exploitation/


∗∗∗ Automating Qakbot decode at scale ∗∗∗
---------------------------------------------
This is a technical post covering methodology to extract configuration data from recent Qakbot samples. I will provide background on Qakbot, walk through decode themes in an easy to visualize manner. I will then share a Velociraptor artifact to detect and automate the decode process at scale.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/04/14/automating-qakbot-decode/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ CISA Releases Sixteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released sixteen Industrial Control Systems (ICS) advisories on April 13, 2023. * B. Braun Battery Pack SP with Wi-Fi * 13x Siemens * Datakit CrossCAD-WARE * Mitsubishi Electric GOC35 Series
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/13/cisa-releases-sixteen-industrial-control-systems-advisories


∗∗∗ Advisory SA23P002: Several Issues in B&R VC4 Visualization ∗∗∗
---------------------------------------------
An unauthenticated network-based attacker who successfully exploits these vulnerabilities could bypass the authentication mechanism of the VC4 visualization, read stack memory or execute code on an affected device.
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/1681046878970-en-original-1.0.pdf


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (haproxy and openvswitch), Fedora (bzip3, libyang, mingw-glib2, thunderbird, xorg-x11-server, and xorg-x11-server-Xwayland), and Ubuntu (apport, ghostscript, linux-bluefield, node-thenify, and python-flask-cors).
---------------------------------------------
https://lwn.net/Articles/929107/


∗∗∗ Cross-Site Scripting in Timesheet Tracking for Jira (SYSS-2022-050) ∗∗∗
---------------------------------------------
Über Cross-Site Scripting-Schwachstellen im Plug-in "Timesheet Tracking for Jira" kann Schadcode eingebaut werden, der von allen Besuchern ausgeführt wird.
---------------------------------------------
https://www.syss.de/pentest-blog/cross-site-scripting-in-timesheet-tracking-for-jira-syss-2022-050


∗∗∗ CPE2023-001 – Regarding vulnerabilities for Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers – 14 April 2023 ∗∗∗
---------------------------------------------
Several vulnerabilities have been identified for certain Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily