[CERT-daily] Tageszusammenfassung - 22.02.2023

Daily end-of-shift report team at cert.at
Wed Feb 22 20:26:20 CET 2023 

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 21-02-2023 18:00 − Mittwoch 22-02-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Warnung vor Angriffen auf IBM Aspera Faspex und Mitel MiVoice ∗∗∗
---------------------------------------------
Die US-IT-Sicherheitsbehörde CISA warnt davor, dass Cyberkriminelle Sicherheitslücken in IBM Aspera Faspex und Mitel MiVoice angreifen. Updates stehen bereit.
---------------------------------------------
https://heise.de/-7523870


∗∗∗ Jetzt patchen! Exploit-Code für kritische Fortinet FortiNAC-Lücke in Umlauf ∗∗∗
---------------------------------------------
Da Exploit-Code veröffentlicht wurde, könnten Angreifer Fortinets Netzwerk-Zugangskontrolllösung FortiNAC ins Visier nehmen.
---------------------------------------------
https://heise.de/-7523427


∗∗∗ Fake Give-Aways und Geschenkaktionen im Namen von ‚MrBeast‘! ∗∗∗
---------------------------------------------
Wer sich regelmäßig YouTube-Videos ansieht, kommt kaum an MrBeast vorbei. Der Youtuber mit über 134 Millionen Abonnent:innen ist für seine Give-Away-Videos bekannt, bei denen er Tausende oder gar Millionen von Dollar verschenkt. Diesen Ruf machen sich auch Kriminelle zunutze, indem sie betrügerische Gewinnversprechen und Geschenkaktionen im Namen von MrBeast verbreiten.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-give-aways-und-geschenkaktionen-im-namen-von-mrbeast/


∗∗∗ Hydrochasma hackers target medical research labs, shipping firms ∗∗∗
---------------------------------------------
A previously unknown threat actor named Hydrochasma has been targeting shipping and medical laboratories involved in COVID-19 vaccine development and treatments.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hydrochasma-hackers-target-medical-research-labs-shipping-firms/


∗∗∗ WhatsApp ignoriert seit Jahren ein Sicherheitsproblem, das alle betrifft ∗∗∗
---------------------------------------------
Fremde können das eigene Profil übernehmen und sich für euch ausgeben - ganz ohne Hacking oder Phishing.
---------------------------------------------
https://futurezone.at/apps/whatsapp-sicherheit-problem-konto-telefonnummer-recycelt-fremde-account/402337845


∗∗∗ Attackers Abuse Cron Jobs to Reinfect Websites ∗∗∗
---------------------------------------------
Malicious cron jobs are nothing new; we’ve seen attackers use them quite frequently to reinfect websites. However, in recent months we’ve noticed a distinctive new wave of these infections that appears to be closely related to this article about a backdoor that we’ve been tracking.
---------------------------------------------
https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websites.html


∗∗∗ Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks ∗∗∗
---------------------------------------------
An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc.
---------------------------------------------
https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.html


∗∗∗ Lets build a Chrome extension that steals everything ∗∗∗
---------------------------------------------
Manifest v3 may have taken some of the juice out of browser extensions, but I think there is still plenty left in the tank. To prove it, let’s build a Chrome extension that steals as much data as possible.
---------------------------------------------
https://mattfrisbie.substack.com/p/spy-chrome-extension


∗∗∗ How NPM Packages Were Used to Spread Phishing Links ∗∗∗
---------------------------------------------
[...] On Monday, 20th of February, Checkmarx Labs discovered an anomaly in the NPM ecosystem when we cross-referenced new information with our databases. Clusters of packages had been published in large quantities to the NPM package manager. Further investigation revealed that the packages were part of a trending new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns.
---------------------------------------------
https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-links/


∗∗∗ Android voice chat app with 5m installs leaked user chats ∗∗∗
---------------------------------------------
The voice chat app under discussion is OyeTalk, which is available for Android and iOS devices and is operated from Pakistan.
---------------------------------------------
https://www.hackread.com/android-voice-chat-app-data-leak/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Sicherheitsupdates: VMware dichtet kritisches Sicherheitsleck ab ∗∗∗
---------------------------------------------
VMware schließt mit Updates für Carbon Black App Control und vRealize sowie Cloud Foundation eine kritische und eine hochriskante Schwachstelle.
---------------------------------------------
https://heise.de/-7523335


∗∗∗ Foxit PDF-Updates dichten hochriskante Schwachstellen ab ∗∗∗
---------------------------------------------
In der PDF-Software Foxit klafften Sicherheitslücken, durch die Angreifer etwa mit manipulierten PDF-Dateien Schadcode einschleusen und ausführen hätten können.
---------------------------------------------
https://heise.de/-7523313


∗∗∗ Multiple vulnerabilities in Nokia BTS Airscale ASIKA [PDF] ∗∗∗
---------------------------------------------
Synacktiv performed an audit on the base transceiver station Nokia Airscale ASIKA, running the firmware version btsmed_5G19B_GNB_0007_001836_000863, and discovered multiple vulnerabilities.
---------------------------------------------
https://www.synacktiv.com/sites/default/files/2023-02/Synacktiv-Nokia-BTS-AirScale-Asika-Multiple-Vulnerabilities.pdf


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amanda, apr-util, and tiff), Fedora (apptainer, git, gssntlmssp, OpenImageIO, openssl, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (firefox and thunderbird), Red Hat (python3), SUSE (gnutls, php7, and python-Django), and Ubuntu (chromium-browser, libxpm, and mariadb-10.3, mariadb-10.6).
---------------------------------------------
https://lwn.net/Articles/924070/


∗∗∗ Synology-SA-23:01 ClamAV ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to possibly execute arbitrary code or local users to obtain sensitive information via a susceptible version of Antivirus Essential, Synology Mail Server, and Synology MailPlus Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_01


∗∗∗ IBM Security Bulletins 2023-02-22 ∗∗∗
---------------------------------------------
* A vulnerability in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * A vulnerability in the GUI affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * BM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578) * IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708] * IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231) * Vulnerabilities in jsonwebtoken affects IBM Watson Assistant for IBM Cloud Pak for Data * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Plus (CVE-2019-11777) * Vulnerability in Log4j affects IBM Integrated Analytics System [CVE-2022-23305]
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Cisco Nexus 9000 Series Fabric Switches in ACI Mode Link Layer Discovery Protocol Memory Leak Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-lldp-dos-ySCNZOpX


∗∗∗ Cisco FXOS Software and UCS Manager Software Configuration Backup Static Key Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsm-bkpsky-H8FCQgsA


∗∗∗ Cisco NX-OS Software SSH X.509v3 Certificate Authentication with Unsupported Remote Authorization Method Privilege Escalation Issues ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-x509v3-unsupportedconfig-ScRtAbUk


∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cli-cmdinject-euQVK9u


∗∗∗ Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS Fabric Interconnects Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxfp-cmdinj-XXBZjtR


∗∗∗ Cisco Nexus 9300-FX3 Series Fabric Extender for UCS Fabric Interconnects Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-elyfex-dos-gfvcByx


∗∗∗ Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-csrfv-DMx6KSwV


∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 6.0.0: SC-202302.2 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-06


∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 5.23.1: SC-202302.3 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-05

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list