[CERT-daily] Tageszusammenfassung - 12.01.2023
Daily end-of-shift report
team at cert.at
Thu Jan 12 18:47:04 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 11-01-2023 18:00 − Donnerstag 12-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Konten leergeräumt: Neue Phishing-Welle mit Apple Pay ∗∗∗
---------------------------------------------
Mit einem ausgeklügelten Trick versuchen Kriminelle an Kreditkartendaten zu kommen. Wer Grundlegendes beachtet, ist allerdings ausreichend geschützt.
---------------------------------------------
https://futurezone.at/digital-life/apple-pay-phishing-welle-mail-kreditkarten-paylife-bawag-netflix-disney-spotify-pakete/402288839
∗∗∗ Hack: Sicherheitslücke in SugarCRM-Servern wird aktiv ausgenutzt ∗∗∗
---------------------------------------------
Etliche SugarCRM-Server in den USA und Deutschland wurden schon gehackt. Ein Hotfix wurde bereits veröffentlicht.
---------------------------------------------
https://www.golem.de/news/hack-sicherheitsluecke-in-sugarcrm-servern-wird-aktiv-ausgenutzt-2301-171152.html
∗∗∗ Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability ∗∗∗
---------------------------------------------
Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers.
---------------------------------------------
https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html
∗∗∗ New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors ∗∗∗
---------------------------------------------
A new analysis of Raspberry Robins attack infrastructure has revealed that its possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.
---------------------------------------------
https://thehackernews.com/2023/01/new-analysis-reveals-raspberry-robin.html
∗∗∗ IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours ∗∗∗
---------------------------------------------
A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access.
---------------------------------------------
https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html
∗∗∗ Prowler v3: AWS & Azure security assessments ∗∗∗
---------------------------------------------
Prowler is an open source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. Prowler v3 is now multi-cloud with Azure added as the second supported cloud provider.
---------------------------------------------
https://isc.sans.edu/diary/rss/29430
∗∗∗ Exfiltration Over a Blocked Port on a Next-Gen Firewall ∗∗∗
---------------------------------------------
[..] all successfully exfiltrated data packets were in small formats [..], smaller than the MTU (maximum transmit unit). This meant that these data types could only be exfiltrated in single packets, rather than multiple, to avoid exceeding the MTU size. When asked about this finding, the NG-FW vendor acknowledged that "to determine which application is being used, and whether the session aligned with the protocol’s standard, the NG-FW must allow at least one packet to pass."
---------------------------------------------
https://cymulate.com/blog/data-exfiltration-firewall/
∗∗∗ Kritische Sicherheitslücke bedroht End-of-Life-Router von Cisco ∗∗∗
---------------------------------------------
Der Netzwerkausrüster Cisco hat wichtige Sicherheitsupdates für etwa verschiedene Router, IP-Telefone und Webex veröffentlicht.
---------------------------------------------
https://heise.de/-7456480
∗∗∗ AI-generated phishing attacks are becoming more convincing ∗∗∗
---------------------------------------------
Its time for you and your colleagues to become more skeptical about what you read. Thats a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harrass, and spread fake news. Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed.
---------------------------------------------
https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-are-becoming-more-convincing
∗∗∗ Threema Under Fire After Downplaying Security Research ∗∗∗
---------------------------------------------
The developers of the open source secure messaging app Threema have come under fire over their public response to a security analysis conducted by researchers at the Swiss university ETH Zurich.
---------------------------------------------
https://www.securityweek.com/threema-under-fire-after-downplaying-security-research
∗∗∗ SCCM Site Takeover via Automatic Client Push Installation ∗∗∗
---------------------------------------------
tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation.
---------------------------------------------
https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-installation-f567ec80d5b1?source=rss----f05f8696e3cc---4
∗∗∗ Gefährliche Fehlkonfigurationen von Active Directory-Dienstkonten ∗∗∗
---------------------------------------------
Das Identifizieren von Schwachstellen in der AD-Konfiguration kann sich als Albtraum erweisen, warnt Gastautor Guido Grillenmeier von Semperis.
---------------------------------------------
https://www.zdnet.de/88406475/gefaehrliche-fehlkonfigurationen-von-active-directory-dienstkonten/
∗∗∗ Microsoft Exchange Januar 2023 Patchday-Nachlese: Dienste starten nicht etc. ∗∗∗
---------------------------------------------
Zum 10. Januar 2023 (Patchday) hat Microsoft Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software, haben aber bekannte Fehler und verursachen neue neue Probleme bei der Installation. Hier ein kurzer Überblick über den Sachstand.
---------------------------------------------
https://www.borncity.com/blog/2023/01/12/microsoft-exchange-januar-2023-patchday-nachlese-dienste-starten-nicht-etc/
∗∗∗ What is Red Teaming & How it Benefits Orgs ∗∗∗
---------------------------------------------
Running real-world attack simulations can help improve organizations cybersecurity resilience
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/what-is-red-teaming.html
∗∗∗ Shodan Verified Vulns 2023-01-01 ∗∗∗
---------------------------------------------
Mit Stand 2023-01-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2023/1/shodan-verified-vulns-2023-01-01
=====================
= Vulnerabilities =
=====================
∗∗∗ Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001 ∗∗∗
---------------------------------------------
Description: This module enables users to create private vocabularies. The module doesnt enforce permissions appropriately for the taxonomy overview page and overview form.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-001
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (emacs, libxstream-java, and netty), Fedora (mingw-binutils, pgadmin4, phoronix-test-suite, vim, and yarnpkg), Red Hat (.NET 6.0, dbus, expat, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, postgresql:10, sqlite, systemd, usbguard, and virt:rhel and virt-devel:rhel), and SUSE (net-snmp, openstack-barbican, openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, [...]
---------------------------------------------
https://lwn.net/Articles/919785/
∗∗∗ TP-Link SG105PE vulnerable to authentication bypass ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN78481846/
∗∗∗ WAGO: Unauthenticated Configuration Export in web-based management in multiple devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-054/
∗∗∗ Visual Studio Code Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21779
∗∗∗ Security vulnerability in Apache CXF affects IBM InfoSphere Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854685
∗∗∗ Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854713
∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854647
∗∗∗ Vulnerabilities in IBM Java Runtime affect IBM WebSphere Application Servers used by IBM Master Data Management (CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854595
∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering products using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851835
∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to PostgreSQL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854915
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-41041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854927
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to arbitrary code execution due to [CVE-2022-25893] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854929
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-41041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854931
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list