[CERT-daily] Tageszusammenfassung - 11.05.2023

Daily end-of-shift report team at cert.at
Thu May 11 18:25:10 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 10-05-2023 18:00 − Donnerstag 11-05-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Interview: Hacker Witold Waligóra über Seitenkanalangriffe ∗∗∗
---------------------------------------------
Wir haben beim Hacker Witold Waligóra nachgehakt, was man mit Seitenkanalattacken erreichen kann und wie man sich dagegen schützt.
---------------------------------------------
https://heise.de/-8983428


∗∗∗ Smishing: Vorsicht vor betrügerischer Reisepass-SMS! ∗∗∗
---------------------------------------------
Haben Sie ein SMS bekommen, in dem behauptet wird Ihr Reisepass wäre fertig? Klicken Sie nicht auf den Link "oesterreich.at-anmelden.net", es handelt sich um einen Betrugsversuch!
---------------------------------------------
https://www.watchlist-internet.at/news/smishing-vorsicht-vor-betruegerischen-sms/


∗∗∗ Fake in-browser Windows updates push Aurora info-stealer malware ∗∗∗
---------------------------------------------
A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-in-browser-windows-updates-push-aurora-info-stealer-malware/


∗∗∗ RapperBot DDoS malware adds cryptojacking as new revenue stream ∗∗∗
---------------------------------------------
New samples of the RapperBot botnet malware have added cryptojacking capabilites to mine for cryptocurrency on compromised Intel x64 machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rapperbot-ddos-malware-adds-cryptojacking-as-new-revenue-stream/


∗∗∗ Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs ∗∗∗
---------------------------------------------
Two years ago, a popular ransomware-as-a-service groups source code got leaked. Now other ransomware groups are using it for their own purposes.
---------------------------------------------
https://www.darkreading.com/cloud/multiple-ransomware-groups-adapt-babuk-code-to-target-esxi-vms


∗∗∗ New ransomware trends in 2023 ∗∗∗
---------------------------------------------
On the eve of the global Anti-Ransomware Day, Kaspersky researchers share an overview of the key trends observed among ransomware groups.
---------------------------------------------
https://securelist.com/new-ransomware-trends-in-2023/109660/


∗∗∗ Analysis of CLR SqlShell Used to Attack MS-SQL Servers ∗∗∗
---------------------------------------------
This blog post will analyze the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
---------------------------------------------
https://asec.ahnlab.com/en/52479/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Experts share details of five flaws that can be chained to hack Netgear RAX30 Routers ∗∗∗
---------------------------------------------
Researchers disclosed the details of five vulnerabilities that can be chained to take over some Netgear router models.
---------------------------------------------
https://securityaffairs.com/146111/hacking/netgear-router-exploit-2.html


∗∗∗ Zyxel Chained Remote Code Execution ∗∗∗
---------------------------------------------
This module exploits multiple vulnerabilities in the `zhttpd` binary (/bin/zhttpd) and `zcmd` binary (/bin/zcmd). It is present on more than 40 Zyxel routers and CPE devices. The remote code execution vulnerability can be exploited by chaining the local file disclosure vulnerability in the zhttpd binary that allows an unauthenticated attacker to read the entire configuration of the router [..]
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023050030


∗∗∗ Multiple vulnerabilities in Danfoss EM100 ∗∗∗
---------------------------------------------
Multiple injection-related vulnerabilities exist in a set of Danfoss products, among which the EM100. These vulnerabilities should be considered serious and could lead to the full compromise of your system. It is advised to phase out the EM100, as its vendor Danfoss confirms the EM100 to be End of Life and that it will not be releasing a patch for this product. [..] If this is not possible, ensure it is not connected to the public Internet.
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2023-00021/


∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023) ∗∗∗
---------------------------------------------
Last week, there were 58 vulnerabilities disclosed in 43 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] Review those vulnerabilities in this report now to ensure your site is not affected.
---------------------------------------------
https://www.wordfence.com/blog/2023/05/wordfence-intelligence-weekly-wordpress-vulnerability-report-may-1-2023-to-may-7-2023/


∗∗∗ CISA Releases Fifteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-131-01 Siemens Solid Edge 
* ICSA-23-131-02 Siemens SCALANCE W1750D 
* ICSA-23-131-03 Siemens Siveillance 
* ICSA-23-131-04 Siemens SIMATIC Cloud Connect 7 
* ICSA-23-131-05 Siemens SINEC NMS Third-Party 
* ICSA-23-131-06 Siemens SCALANCE LPE9403 
* ICSA-23-131-07 Sierra Wireless AirVantage 
* ICSA-23-131-08 Teltonika Remote Management System and RUT Model Routers 
* ICSA-23-131-09 Rockwell Automation Kinetix 5500 EtherNetIP Servo Drive 
* ICSA-23-131-10 Rockwell Automation Arena Simulation Software 
* ICSA-23-131-11 BirdDog Cameras & Encoders 
* ICSA-23-131-12 SDG PnPSCADA 
* ICSA-23-131-13 PTC Vuforia Studio 
* ICSA-23-131-14 Rockwell PanelView 800 
* ICSA-23-131-15 Rockwell ThinManager 
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-releases-fifteen-industrial-control-systems-advisories


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and nvidia-graphics-drivers-legacy-390xx), Fedora (firefox, java-11-openjdk, LibRaw, moodle, python-django3, and vtk), Slackware (mozilla), SUSE (buildah, cloud-init, container-suseconnect, firefox, golang-github-prometheus-prometheus, kernel, and ntp), and Ubuntu (heat, linux-azure-fde-5.15, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-raspi, linux-raspi-5.4, linux-raspi2, neutron, openvswitch, and sqlparse).
---------------------------------------------
https://lwn.net/Articles/931638/


∗∗∗ ThinkPad Dock Firmware Update Tool Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500562-THINKPAD-DOCK-DRIVER-ELEVATION-OF-PRIVILEGE-VULNERABILITY


∗∗∗ CVE-2023-0008 PAN-OS: Local File Disclosure Vulnerability in the PAN-OS Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0008


∗∗∗ CVE-2023-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0007


∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-43930, CVE-2014-3577, CVE-2022-43927, CVE-2022-43929) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989465


∗∗∗ IBM Content Manager Enterprise Edition is affected by a vulnerability in Eclipse Openj9 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6987029


∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856659


∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856661


∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856663


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI - IBM\u00ae Java SDK CVE-2023-30441 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989589


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989591


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989593


∗∗∗ Vega Vulnerabilities affect IBM Decision Optimization in IBM Cloud Pak for Data (CVE-2023-26486, CVE-2023-26487) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989625


∗∗∗ IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989451


∗∗∗ Multiple Security Vulnerabilities have been fixed in IBM Security Verify Access ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989653


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989657

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list