[CERT-daily] Tageszusammenfassung - 21.06.2023
Daily end-of-shift report
team at cert.at
Wed Jun 21 18:53:50 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 20-06-2023 18:00 − Mittwoch 21-06-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Sicherheitsupdates: Angreifer können Zyxel NAS ins Visier nehmen ∗∗∗
---------------------------------------------
Aktualisierte Firmware-Versionen für verschiedene NAS-Modelle von Zyxel schließen eine kritische Schwachstelle.
---------------------------------------------
https://heise.de/-9193271
∗∗∗ Zielgerichtete Angriffe auf iPhones: Neue Details zu Spyware ∗∗∗
---------------------------------------------
iPhone-Spyware kommt per iMessage und kann laut einer Analyse etwa Dateien manipulieren und den Standort tracken. Möglicherweise zählen auch Macs zu den Zielen.
---------------------------------------------
https://heise.de/-9193906
∗∗∗ VMware Aria: Angriffe auf kritische Sicherheitslücke – Update installieren! ∗∗∗
---------------------------------------------
VMware hat seine Sicherheitsmeldung zu einer kritischen Schwachstelle in der Monitoring-Software Aria Operations aktualisiert. Demnach wird sie angegriffen.
---------------------------------------------
https://heise.de/-9193354
∗∗∗ Hilfe, Kriminelle imitieren meine Telefonnummer für betrügerische Anrufe! ∗∗∗
---------------------------------------------
Dass Kriminelle auch gerne zum Telefon greifen, um Menschen zu betrügen, ist wohl allseits bekannt. Häufig setzen sie dabei allerdings auf „Spoofing“, wodurch bei den Angerufenen nicht die tatsächliche Nummer angezeigt wird, die hinter dem Scam-Anruf steckt. Immer häufiger wenden sich Personen an uns, deren Nummer simuliert und für Spam-Anrufe genutzt wird, weil sie ständig Rückrufe verärgerter Personen erhalten, [...]
---------------------------------------------
https://www.watchlist-internet.at/news/hilfe-kriminelle-imitieren-meine-telefonnummer-fuer-betruegerische-anrufe/
∗∗∗ Microsoft fixes Azure AD auth flaw enabling account takeover ∗∗∗
---------------------------------------------
Microsoft has addressed an Azure Active Directory (Azure AD) authentication flaw that could allow threat actors to escalate privileges and potentially fully take over the targets account.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-fixes-azure-ad-auth-flaw-enabling-account-takeover/
∗∗∗ New Condi malware builds DDoS botnet out of TP-Link AX21 routers ∗∗∗
---------------------------------------------
A new DDoS-as-a-Service botnet called "Condi" emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-condi-malware-builds-ddos-botnet-out-of-tp-link-ax21-routers/
∗∗∗ Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites ∗∗∗
---------------------------------------------
Two critical-severity authentication bypass vulnerabilities in WordPress plugins with tens of thousands of installations.
---------------------------------------------
https://www.securityweek.com/critical-wordpress-plugin-vulnerabilities-impact-thousands-of-sites/
∗∗∗ Enphase Ignores CISA Request to Fix Remotely Exploitable Flaws ∗∗∗
---------------------------------------------
Enphase Energy has ignored CISA requests to fix remotely exploitable vulnerabilities in Enphase products.
---------------------------------------------
https://www.securityweek.com/enphase-ignores-cisa-request-to-fix-remotely-exploitable-flaws/
∗∗∗ Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries ∗∗∗
---------------------------------------------
Backdoor leverages Microsoft Graph API for C&C communication.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/flea-backdoor-microsoft-graph-apt15
∗∗∗ Analysis of Ransomware With BAT File Extension Attacking MS-SQL Servers (Mallox) ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the Mallox ransomware with the BAT file extension being distributed to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files distributed with the BAT file extension that has been discovered so far are Remcos RAT and Mallox. The distributions include cases that use PowerShell and sqlps.
---------------------------------------------
https://asec.ahnlab.com/en/54704/
∗∗∗ AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice ∗∗∗
---------------------------------------------
While doing research on Microsoft SQL (MSSQL) Server, a GoSecure ethical hacker found an unorthodox design choice that ultimately led to a web application firewall (WAF) bypass.
---------------------------------------------
https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/
∗∗∗ MOVEIt Vulnerability: A Painful Reminder That Threat Actors Aren’t the Only Ones Responsible for a Data Breach ∗∗∗
---------------------------------------------
The MOVEIt data breach continues to impact a number of both private and government groups across the US and Europe by exposing confidential data. With breaches like this becoming increasingly common, it can be easy to blame advanced persistent threat (APT) groups and other malicious actors; however, there is a valuable lesson to learn from the MOVEit breach: it is essential to be proactive about these threats, Not doing so may lead to a breach. I’ve put together this blog post as a reminder that security organizations—and quite frankly, boards and executive leadership—should view internal security threats just as seriously as external ones when it comes time to protecting their organization’s sensitive information.
---------------------------------------------
https://www.safebreach.com/moveit-vulnerability-a-painful-reminder-that-threat-actors-arent-the-only-ones-responsible-for-a-data-breach/
∗∗∗ Gaps in Azure Service Fabric’s Security Call for User Vigilance ∗∗∗
---------------------------------------------
In this blog post, we discuss different configuration scenarios that may lead to security issues with Azure Service Fabric, a distributed platform for deploying, managing, and scaling microservices and container applications.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/gaps-in-azure-service-fabric-s-security-call-for-user-vigilance.html
∗∗∗ GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking ∗∗∗
---------------------------------------------
Millions of GitHub repositories are potentially vulnerable to RepoJacking. New research by Aqua Nautilus sheds light on the extent of RepoJacking, which if exploited may lead to code execution on organizations’ internal environments or on their customers’ environments. As part of our research, we found an enormous source of data that allowed us to sample a dataset and find some highly popular targets.
---------------------------------------------
https://blog.aquasec.com/github-dataset-research-reveals-millions-potentially-vulnerable-to-repojacking
=====================
= Vulnerabilities =
=====================
∗∗∗ Heap-based buffer over-read in Autodesk® Desktop Licensing Service ∗∗∗
---------------------------------------------
Autodesk® Desktop Licensing Installer has been affected by privilege escalation vulnerabilities. Exploitation of these vulnerabilities could lead to code execution due to weak permissions.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0011
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libfastjson, libx11, opensc, python-mechanize, and wordpress), SUSE (salt and terraform-provider-helm), and Ubuntu (firefox, libx11, pngcheck, python-werkzeug, ruby3.1, and vlc).
---------------------------------------------
https://lwn.net/Articles/935552/
∗∗∗ K000135122 : Linux kernel vulnerability CVE-2023-0461 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000135122
∗∗∗ Multiple vulnerabilities in Open JDK affecting Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005601
∗∗∗ IBM Storage Protect is vulnerable to a denial of service attack due to Google Gson (CVE-2022-25647) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005605
∗∗∗ Multiple vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server January 2023 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005623
∗∗∗ Python Cryptographic Authority cryptography is vulnerable to IBM X-Force ID: 239927 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005639
∗∗∗ There is a vulnerability in Apache Commons BCEL used by IBM Maximo Asset Management (CVE-2022-42920) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991671
∗∗∗ IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964694
∗∗∗ Multiple Vulnerabilities in IBM Java SDK affect Cloud Pak System (CVE-2023-21830, 2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005573
∗∗∗ Vulnerability in Apache Tomcat Server (CVE-2023-28709 ) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005499
∗∗∗ IBM Operational Decision Manager June 2023 - Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005851
∗∗∗ Operations Dashboard is vulnerable to multiple vulnerabilities in Golang ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005869
∗∗∗ SnakeYaml is vulnerable to CVE-2022-1471 used by IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005873
∗∗∗ A security vulnerability has been identified in FasterXML jackson-databind shipped with IBM Tivoli Netcool Impact (CVE-2021-46877) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005907
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list