[CERT-daily] Tageszusammenfassung - 02.02.2023

Thu Feb 2 18:17:51 CET 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 01-02-2023 18:00 − Donnerstag 02-02-2023 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ New DDoS-as-a-Service platform used in recent attacks on hospitals ∗∗∗
---------------------------------------------
A new DDoS-as-a-Service (DDoSaaS) platform named Passion was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platform-used-in-recent-attacks-on-hospitals/


∗∗∗ New Nevada Ransomware targets Windows and VMware ESXi systems ∗∗∗
---------------------------------------------
A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/


∗∗∗ LockBit ransomware goes Green, uses new Conti-based encryptor ∗∗∗
---------------------------------------------
The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-green-uses-new-conti-based-encryptor/


∗∗∗ Password-stealing “vulnerability” reported in KeePass – bug or feature? ∗∗∗
---------------------------------------------
Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway?
---------------------------------------------
https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability-reported-in-keypass-bug-or-feature/


∗∗∗ Rotating Packet Captures with pfSense, (Wed, Feb 1st) ∗∗∗
---------------------------------------------
Having a new pfSense firewall in place gives some opportunities to do a bit more with the device. Maintaining some full packet captures was an item on my "to do" list. The last 24 hours is usually sufficient for me since I'm usually looking at alerts within the same day. I decided to do rotating packet captures based on file size. This allows me to capture packets, saving files of a specific size and keeping a specified number of files.
---------------------------------------------
https://isc.sans.edu/diary/rss/29500


∗∗∗ What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits ∗∗∗
---------------------------------------------
We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/b/what-socs-need-to-know-about-water-dybbuk.html


∗∗∗ OpenSSH 9.2 released ∗∗∗
---------------------------------------------
OpenSSH9.2 has been released. It includes a number of security fixes,including one for a pre-authenticationdouble-free vulnerability that the project does not believe is exploitable.
---------------------------------------------
https://lwn.net/Articles/922006/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Vulnerability Causing Deletion of All Users in CrushFTP Admin Area ∗∗∗
---------------------------------------------
During a recent penetration test, Trustwave SpiderLabs researchers discovered a weak input validation vulnerability in the CrushFTP application which caused the deletion of all users.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerability-causing-deletion-of-all-users-in-crushftp-admin-area/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django).
---------------------------------------------
https://lwn.net/Articles/921957/


∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0001 ∗∗∗
---------------------------------------------
CVE identifiers: CVE-2023-23517, CVE-2023-23518,CVE-2022-42826.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0001.html


∗∗∗ Jira Service Management Server and Data Center Advisory (CVE-2023-22501) ∗∗∗
---------------------------------------------
This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability: 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0
---------------------------------------------
https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html


∗∗∗ Drupal Releases Security Update to Address a Vulnerability in Apigee Edge ∗∗∗
---------------------------------------------
Drupal released a security update to address a vulnerability affecting the Apigee Edge module for Drupal 9.x. An attacker could exploit this vulnerability to bypass access authorization or disclose sensitive information. CISA encourages users and administrators to review Drupal’s security advisory SA-CONTRIB-2023-005 and apply the necessary update.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/drupal-releases-security-update-address-vulnerability-apigee-edge


∗∗∗ Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-pi-xss-PU6dnfD9?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Prime%20Infrastructure%20Reflected%20Cross-Site%20Scripting%20Vulnerability&vs_k=1


∗∗∗ Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20RV340,%20RV340W,%20RV345,%20and%20RV345P%20Dual%20WAN%20Gigabit%20VPN%20Routers%20Arbitrary%20File%20Upload%20Vulnerability&vs_k=1


∗∗∗ Cisco Identity Services Engine Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-os-injection-pxhKsDM?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Identity%20Services%20Engine%20Privilege%20Escalation%20Vulnerabilities&vs_k=1


∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IOx%20Application%20Hosting%20Environment%20Command%20Injection%20Vulnerability&vs_k=1


∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server October 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6912697


∗∗∗ IBM API Connect is impacted by an external service interaction vulnerability (CVE-2022-34350) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6921243


∗∗∗ IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6921285


∗∗∗ IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952181


∗∗∗ IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. (CVE-2022-42436) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6909467

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily