[CERT-daily] Tageszusammenfassung - 17.01.2023

Daily end-of-shift report team at cert.at
Tue Jan 17 18:09:35 CET 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 16-01-2023 18:00 − Dienstag 17-01-2023 18:00
Handler:     Stephan Richter
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Finding that one GPO Setting in a Pool of Hundreds of GPOs, (Tue, Jan 17th) ∗∗∗
---------------------------------------------
I had a call recently from a client, they were looking for which Group Policy in their AD had a specific setting in it.
---------------------------------------------
https://isc.sans.edu/diary/rss/29442


∗∗∗ The misadventures of an SPF record ∗∗∗
---------------------------------------------
I ran a scan against the three million most visited domains and discovered that the Ukrainian MoD, MIT,  University, University of Miami, along with 1000+ other domains had mistakenly used the “+all” SPF mechanism at the end of their respective SPF records - effectively meaning any public IP address can send SPF authenticated emails on their behalf.
---------------------------------------------
https://caniphish.com/phishing-resources/blog/scanning-spf-records


∗∗∗ Windows: Verschwundene Start-Menüs und Taskbars sorgen für Verwirrung ∗∗∗
---------------------------------------------
Update 16.01.2023 07:44 Uhr: Microsoft hat inzwischen einen Support-Artikel in der Techcommunity herausgegeben, der PowerShell-Skripte und Anleitungen zur automatischen Ausführung für IT-Verantwortliche enthält, die zumindest einen Teil von gelöschten Verknüpfungen wiederherstellen können sollen.
---------------------------------------------
https://www.heise.de/news/Windows-Verschwundene-Start-Menues-und-Taskbars-sorgen-fuer-Verwirrung-7459051.html


∗∗∗ Beware of DDosia, a botnet created to facilitate DDoS attacks ∗∗∗
---------------------------------------------
The DDosia project is a successor of the Bobik botnet linked to the pro-Russian hacker group called NoName(057)16, as revealed in a recent analysis by Avast researcher Martin Chlumecky.
---------------------------------------------
https://blog.avast.com/ddosia-project


∗∗∗ The prevalence of RCE exploits and what you should know about RCEs ∗∗∗
---------------------------------------------
Recent headlines have indicated that some major companies were affected by Remote Code Execution (RCE) vulnerabilities, just in the month of October. RCE flaws are largely exploited in the wild, and organizations are continually releasing patches to mitigate the problem.
---------------------------------------------
https://www.tripwire.com/state-of-security/prevalence-rce-exploits-and-what-you-should-know-about-rces


∗∗∗ Attackers Can Abuse GitHub Codespaces for Malware Delivery ∗∗∗
---------------------------------------------
A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports.
---------------------------------------------
https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-delivery


∗∗∗ Gefälschtes Post-SMS im Umlauf ∗∗∗
---------------------------------------------
Kriminelle versenden per SMS gefälschte Paket-Benachrichtigungen. Darin steht, dass Ihr Paket im Sortierzentrum angekommen ist und Sie noch Importkosten zahlen müssen. Klicken Sie nicht auf den Link. Sie werden auf eine gefälschte Post-Seite geführt, wo Kriminelle Ihre Daten stehlen.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-post-sms-im-umlauf/


∗∗∗ Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks ∗∗∗
---------------------------------------------
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Microsoft resolves four SSRF vulnerabilities in Azure cloud services ∗∗∗
---------------------------------------------
Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security.
---------------------------------------------
https://msrc-blog.microsoft.com/2023/01/17/microsoft-resolves-four-ssrf-vulnerabilities-in-azure-cloud-services/


∗∗∗ Attacken auf kritische Lücke in ManageEngine-Produkte von Zoho bald möglich ∗∗∗
---------------------------------------------
Angreifer könnten ManageEngine-Produkte wie Access Manager Plus und Password Manager Pro mit Schadcode attackieren.
---------------------------------------------
https://heise.de/-7461118


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor).
---------------------------------------------
https://lwn.net/Articles/920217/


∗∗∗ Schwere Sicherheitslücke in InRouter-Firmware von InHand Networks bedroht Roboter, Stromzähler, med. Geräte etc. ∗∗∗
---------------------------------------------
Sicherheitsforscher sind auf eine schwere Sicherheitslücke Schwachstelle CVE-2023-22598 in der InRouter-Firmware des Herstellers InHand Networks GmbH gestoßen.
---------------------------------------------
https://www.borncity.com/blog/2023/01/17/schwere-sicherheitslcken-inrouter-firmware-von-inhand-networks-bedroht-roboter-stromzhler-med-gerte-etc/


∗∗∗ LDAP-Schwachstellen: Domain Controller mit Januar 2023-Updates patchen ∗∗∗
---------------------------------------------
Noch ein kleiner Nachtrag zum Januar 2023-Patchday (10. Januar 2023). Administratoren sollten sich darum kümmern, dass ihre als Domain Controller fungierenden Windows Server auf dem aktuellen Patchstand sind. Denn mit den Januar 2023-Updates wurden zwei gravierende Schwachstellen im Lightweight Directory Access Protocol (LDAP) geschlossen.
---------------------------------------------
https://www.borncity.com/blog/2023/01/17/ldap-schwachstellen-domain-controller-mit-januar-2023-updates-patchen/


∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.7 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/


∗∗∗ Security Vulnerabilities fixed in Firefox 109 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/


∗∗∗ A vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2021-28167) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855731


∗∗∗ There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-22939, CVE-2021-22931, CVE-2020-7598) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855777


∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855831


∗∗∗ AIX is vulnerable to a buffer overflow due to X11 (CVE-2022-47990) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855827


∗∗∗ IBM Robotic Process Automation is vulnerable to Cross-Site Scripting. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855835

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list