[CERT-daily] Tageszusammenfassung - 01.03.2023
Daily end-of-shift report
team at cert.at
Wed Mar 1 19:30:55 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 28-02-2023 18:00 − Mittwoch 01-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ TPM-2.0-Spezifikationen: Angreifer könnten Schadcode auf TPM schmuggeln ∗∗∗
---------------------------------------------
In die Spezifikation der TPM-2.0-Referenzbibliothek haben sich Fehler eingeschlichen. Angreifer könnten verwundbaren Implementierungen eigenen Code unterjubeln.
---------------------------------------------
https://heise.de/-7531171
∗∗∗ Finish him! Kostenloses Entschlüsselungstool besiegt MortalKombat-Ransomware ∗∗∗
---------------------------------------------
Kaum hat der Erpressungstrojaner MortalKombat das Licht der Welt erblickt, holen Sicherheitsforscher zum finalen Schlag aus.
---------------------------------------------
https://heise.de/-7531337
∗∗∗ Gefälschter PayLife-Login in Anzeigen bei Google-Suche! ∗∗∗
---------------------------------------------
PayLife-User:innen aufgepasst: Kriminelle schalten aktuell Werbung auf Google, welche auf eine gefälschte PayLife-Website führt. Ein kleiner Tippfehler reicht aus, um die betrügerische Werbung als erstes Ergebnis angezeigt zu bekommen. Wer die eigenen Login-Daten auf der Phishing-Seite eingibt, ermöglicht es den Kriminellen, Zahlungen zu tätigen. Das Geld ist verloren!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschter-paylife-login-in-anzeigen-bei-google-suche/
∗∗∗ The dangers from across browser-windows ∗∗∗
---------------------------------------------
Beim Durchsuchen des Webs versucht Ihr Browser, Sie bestmöglich zu schützen, aber manchmal scheitert er daran, wenn er nicht ordnungsgemäß von der Website angewiesen wird, die Sie besuchen. Einer der wichtigsten Sicherheitsmechanismen des Browsers ist die Same-Origin Policy [1][2][3] (SOP), die einschränkt, wie Skripte und Dokumente aus einer Ursprungsquelle mit Ressourcen und Dokumenten aus einer [...]
---------------------------------------------
https://certitude.consulting/blog/de/the-dangers-from-across-browser-windows/
∗∗∗ BlackLotus UEFI-Bootkit überwindet Secure Boot in Windows 11 ∗∗∗
---------------------------------------------
Sicherheitsforscher von ESET haben eine BlackLotus getaufte Malware in freier Wildbahn entdeckt, die sich des UEFI bemächtigt. BlackLotus dürfte die erste UEFI-Bootkit-Malware in freier Wildbahn sein, die Secure Boot unter Windows 11 (und wohl auch Windows 10) aushebeln kann.
---------------------------------------------
https://www.borncity.com/blog/2023/03/01/blacklotus-uefi-bootkit-berwindet-secure-boot-in-windows-11/
∗∗∗ CISA: ZK Java Framework RCE Flaw Under Active Exploit ∗∗∗
---------------------------------------------
The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.
---------------------------------------------
https://www.darkreading.com/risk/cisa-zk-java-framework-rce-flaw-under-active-exploit
∗∗∗ SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft ∗∗∗
---------------------------------------------
The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.
---------------------------------------------
https://sysdig.com/blog/cloud-breach-terraform-data-theft/
∗∗∗ DNS abuse: Advice for incident responders ∗∗∗
---------------------------------------------
What DNS abuse techniques are employed by cyber adversaries and which organizations can help incident responders and security teams detect, mitigate and prevent them? The DNS Abuse Techniques Matrix published by FIRST provides answers.
---------------------------------------------
https://www.helpnetsecurity.com/2023/03/01/dns-abuse-advice-for-incident-responders/
∗∗∗ Google Cloud Platform allows data exfiltration without a (forensic) trace ∗∗∗
---------------------------------------------
Attackers can exfiltrate company data stored in Google Cloud Platform (GCP) storage buckets without leaving obvious forensic traces of the malicious activity in GCP’s storage access logs, Mitiga researchers have discovered. [...] In short, the main problem is that GCP’s basic storage logs – which are, by the way, not enabled by default – use the same description/event (objects.get) for [...]
---------------------------------------------
https://www.helpnetsecurity.com/2023/03/01/gcp-data-exfiltration/
∗∗∗ Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads ∗∗∗
---------------------------------------------
The Cisco AnyConnect client has received a fair amount of scrutiny from the security community over the years, with a particular focus on leveraging the vpnagent.exe service for privilege escalation. A while ago, we started to look at whether AnyConnect could be used to deliver payloads during red team engagements [...]
---------------------------------------------
https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-cisco-anyconnect-client-to-drop-and-run-payloads/
∗∗∗ The Level of Human Engagement Behind Automated Attacks ∗∗∗
---------------------------------------------
Even automated attacks are driven by humans, but the level of engagement we observed may surprise you! When the human or an organization behind an automated attack shows higher levels of innovation and sophistication in their attack tactics, the danger increases dramatically as they are no longer simply employing an opportunistic “spray and pray” strategy, but rather more highly evolved strategies that are closer to a so-called targeted attack.
---------------------------------------------
https://www.gosecure.net/blog/2023/02/28/the-level-of-human-engagement-behind-automated-attacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (multipath-tools and syslog-ng), Fedora (gnutls and guile-gnutls), Oracle (git, httpd, lua, openssl, php, python-setuptools, python3.9, sudo, tar, and vim), Red Hat (kpatch-patch), Scientific Linux (git), SUSE (compat-openssl098, glibc, openssl, postgresql13, python-Django, webkit2gtk3, and xterm), and Ubuntu (awstats, expat, firefox, gnutls28, lighttpd, php7.2, php7.4, php8.1, python-pip, and tar).
---------------------------------------------
https://lwn.net/Articles/924794/
∗∗∗ Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products ∗∗∗
---------------------------------------------
Several ThingWorx and Kepware products are affected by two vulnerabilities that can be exploited for DoS attacks and unauthenticated remote code execution. The post Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products appeared first on SecurityWeek.
---------------------------------------------
https://www.securityweek.com/critical-vulnerabilities-patched-in-thingworx-kepware-iiot-products/
∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-pi-epnm-xss-mZShH2J
∗∗∗ Cisco Webex App for Web Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-Yn8HHsMJ
∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP
∗∗∗ Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-proxy-dos-vY5dQhrV
∗∗∗ Cisco Unified Intelligence Center Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuic-infodisc-ssrf-84ZBmwVk
∗∗∗ TPM 2.0 Vulnerabilities ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500551-TPM-20-VULNERABILITIES
∗∗∗ Nuvoton TPM Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500550-NUVOTON-TPM-DENIAL-OF-SERVICE-VULNERABILITY
∗∗∗ Malicious IKEv2 packet by authenticated peer can cause libreswan to restart ∗∗∗
---------------------------------------------
https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 5.23.1: SC-202303.1-5 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-08
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 6.0.0: SC-202303.1-6 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-07
∗∗∗ IBM Planning Analytics and IBM Planning Analytics Workspace are affected by a security vulnerability in IBM WebSphere Application Server Liberty (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856457
∗∗∗ DataPower Operator vulnerable to Denial of Service (CVE-2022-41724) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958490
∗∗∗ Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services are impacted by multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958504
∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-22389, CVE-2022-25313, CVE-2022-25236, CVE-2022-25314, CVE-2022-25315, CVE-2022-25235 and CVE-2022-22390) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959019
∗∗∗ Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959033
∗∗∗ IBM Sterling Connect:Express for UNIX is affected by multiple vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958701
∗∗∗ IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957688
∗∗∗ IBM MQ is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages. (CVE-2022-43902) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957686
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list