End-of-Day report
Timeframe: Monday 09-01-2023 18:00 - Tuesday 10-01-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Interview: Sönke Huster on vulnerabilities in the WLAN stack of the Linux kernel
Sönke Huster has found security vulnerabilities in the WLAN stack of the Linux kernel that in theory allow an attack merely because Wi-Fi is switched on.
https://heise.de/-7447684
Meeting client Zoom vulnerable on Android, macOS and Windows
After successful attacks on Zoom Rooms, attackers could for instance obtain root privileges on macOS. Security updates are available.
https://heise.de/-7453606
Source code editor Visual Studio Code: fake extensions are easy to disguise
Security researchers published an extension disguised as Prettier in the marketplace; it reached a good 1000 downloads within 48 hours.
https://heise.de/-7453534
Patchday: SAP addresses four critical vulnerabilities
SAP is delivering updates that fix security vulnerabilities, some of them critical, in the vendor's products. IT managers should install them promptly.
https://heise.de/-7454402
Heads up! Xdr33, A Variant Of CIA's HIVE Attack Kit Emerges
On Oct 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via an F5 vulnerability with zero VT detection; our system observes that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, and this caught our attention.
https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/
New year, old tricks: Hunting for CircleCI configuration files, (Mon, Jan 9th)
I have written before about attackers looking for exposed configuration files. Configuration files often include credentials or other sensitive information. Today, I noticed some scans for a file called "/.circleci/config.yml". Given the recent breach at CircleCI, I dug in a bit deeper.
https://isc.sans.edu/diary/rss/29416
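As an added illustration (not code from the ISC diary), the following script runs the kind of hunt the diary describes over constructed web-server access-log lines in combined log format: it flags every request for a sensitive configuration path and, more importantly, separates mere probes (404/403) from real exposures, where the server answered 2xx and the file, with whatever secrets it holds, has actually left the building. The path list is an assumption apart from /.circleci/config.yml, which the diary names; the IPs and user agents in the sample are made up.

```python
"""Spot scans for exposed configuration files in web-server access logs.

Added example, not from the ISC diary. Runs over constructed sample lines
in Apache/nginx combined log format.
"""
import re
from collections import defaultdict

# Paths that leak credentials or pipeline secrets when served verbatim.
# /.circleci/config.yml is the path the diary saw; the rest are assumed
# common scanner targets.
SENSITIVE_PATHS = (
    "/.circleci/config.yml",
    "/.env",
    "/.git/config",
    "/.aws/credentials",
)

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so "/.env?x=1" still matches "/.env".
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_sensitive(path):
    """Exact match, or the file nested under a sub-directory (e.g. /app/.env)."""
    return any(path == p or path.endswith(p) for p in SENSITIVE_PATHS)


def analyze(lines):
    """Return (probes, exposures).

    probes:    {client_ip: set(paths)} for every request for a sensitive path.
    exposures: [(client_ip, path)] where the server answered 2xx, i.e. the
               file was really served; treat every secret in it as burned.
    """
    probes = defaultdict(set)
    exposures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        probes[rec["ip"]].add(rec["path"])
        if 200 <= rec["status"] < 300:
            exposures.append((rec["ip"], rec["path"]))
    return dict(probes), exposures


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jan/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jan/2023:10:01:03 +0000] "GET /.circleci/config.yml HTTP/1.1" 404 162 "-" "python-requests/2.28"
203.0.113.10 - - [09/Jan/2023:10:01:04 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.28"
198.51.100.7 - - [09/Jan/2023:11:30:00 +0000] "GET /app/.circleci/config.yml HTTP/1.1" 200 2048 "-" "curl/7.85"
198.51.100.7 - - [09/Jan/2023:11:30:01 +0000] "GET /.git/config?x=1 HTTP/1.1" 403 199 "-" "curl/7.85"
192.0.2.5 - - [09/Jan/2023:12:00:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    probes, exposures = analyze(SAMPLE_LOG)
    for ip, paths in probes.items():
        print(f"probe from {ip}: {sorted(paths)}")
    for ip, path in exposures:
        print(f"EXPOSED: {path} served with 2xx to {ip}; rotate every secret it contains")
```

A 404 for /.circleci/config.yml is noise worth counting; a 200 is an incident, because a CI configuration file frequently carries deploy keys, registry tokens or cloud credentials in plain text, and the CircleCI breach is exactly why those tokens should be rotated rather than merely blocked.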
ChatGPT-Written Malware
I don't know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild. Within a few weeks of ChatGPT going live, participants in cybercrime forums, some with little or no coding experience, were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks.
https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html
Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL
The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector entails the use of vulnerable container images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week.
https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html
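The article only says "misconfigured"; the classic PostgreSQL misconfiguration that makes a reachable server passwordless is a pg_hba.conf rule using the `trust` method for a wide address range. The following audit script is an added example (not from the Microsoft report) that assumes exactly that: it parses constructed pg_hba.conf content, ranks weak rules, and shows a hardened file beside the weak one. The severity scale is this script's own, not PostgreSQL's.

```python
"""Audit pg_hba.conf for rules that let unauthenticated clients in.

Added example, not code from the Microsoft report on Kinsing. The
configs below are constructed; the risk levels are this script's own.
"""
import ipaddress

OPEN_KEYWORDS = {"all"}                 # matches any client address
LOCAL_KEYWORDS = {"samehost", "samenet"}


def _parse_address(fields):
    """Return (address, fields_consumed) from the address part of a host rule.

    Accepts CIDR ("10.0.0.0/8"), keywords ("all", "samehost", "samenet")
    and the legacy two-field "ip netmask" form.
    """
    addr = fields[0]
    if addr in OPEN_KEYWORDS | LOCAL_KEYWORDS or "/" in addr:
        return addr, 1
    net = ipaddress.ip_network(f"{addr}/{fields[1]}", strict=False)
    return str(net), 2


def parse_hba(text):
    """Parse active pg_hba.conf rules into dicts; comments and blanks skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        rule = {"line": lineno, "type": f[0], "database": f[1], "user": f[2]}
        if f[0] == "local":                     # Unix-socket rule: no address column
            rule["address"], rule["method"] = None, f[3]
        else:
            rule["address"], used = _parse_address(f[3:])
            rule["method"] = f[3 + used]
        rules.append(rule)
    return rules


def _world_reachable(address):
    if address in OPEN_KEYWORDS:
        return True
    if address in LOCAL_KEYWORDS:
        return False
    return ipaddress.ip_network(address, strict=False).prefixlen == 0


def classify(rule):
    """Severity for a weak rule, or None if the rule is acceptable."""
    method, addr = rule["method"], rule["address"]
    if method == "trust":
        if rule["type"] == "local":
            return "medium"     # any OS user on the host becomes any DB role
        if _world_reachable(addr):
            return "critical"   # Kinsing-style: whole internet, no password
        if addr in LOCAL_KEYWORDS or not ipaddress.ip_network(addr, strict=False).is_loopback:
            return "high"       # passwordless for a whole network segment
        return "medium"
    if method == "password":
        return "low"            # cleartext on the wire unless hostssl is enforced
    return None


def audit(text):
    """Return [(line, severity, type, address, method)] for weak rules, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for r in parse_hba(text):
        sev = classify(r)
        if sev:
            findings.append((r["line"], sev, r["type"], r["address"], r["method"]))
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


# Constructed weak config: the server is reachable without any password.
WEAK_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   0.0.0.0/0       trust   # passwordless from anywhere
host    all       all   ::/0            trust
host    app       app   10.0.0.0 255.0.0.0  trust
host    all       all   10.0.0.0/8      password
"""

# Constructed hardened equivalent: TLS-only, SCRAM, explicit networks.
HARDENED_HBA = """\
local   all       all                   peer
hostssl all       all   127.0.0.1/32    scram-sha-256
hostssl app       app   10.0.0.0/8      scram-sha-256
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        print(f"{name}: {audit(cfg) or 'no weak rules'}")
```

Inside Kubernetes the same check belongs in an admission or CI step: a PostgreSQL pod that is exposed through a Service or NodePort and ships a `trust` rule for 0.0.0.0/0 is the initial-access foothold the article describes, and `listen_addresses` plus a NetworkPolicy limiting clients to the application namespace is the complement to the hardened file above.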
The Dark Side of Gmail
Behind one of Gmail's lesser-known features lies a potential threat to website and platform managers.
https://osintmatter.com/the-dark-side-of-gmail/
Crypto-inspired Magecart skimmer surfaces via digital crime haven
One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services.
https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven
Malware-based attacks on ATMs - A summary
Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics.
https://blog.nviso.eu/2023/01/10/malware-based-attacks-on-atms-a-summary/
Vulnerabilities
Securepoint UTM: hotfix closes critical security vulnerability
Securepoint UTM contains a critical security vulnerability. The company has provided a hotfix that closes the hole.
https://heise.de/-7453560
UEFI vulnerabilities threaten ARM devices such as Microsoft Surface
Supply-chain attacks possible: attackers could bypass the Secure Boot protection mechanism on Lenovo ThinkPads and Microsoft Surface devices.
https://heise.de/-7454141
Eleven Vulnerabilities Patched in Royal Elementor Addons
On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day.
https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons/
Security updates for Tuesday
Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk).
https://lwn.net/Articles/919543/
2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider
The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities.
https://www.securityweek.com/2023-ics-patch-tuesday-debuts-12-security-advisories-siemens-schneider
CISA Releases Two Industrial Control Systems Advisories
CISA released two Industrial Control Systems (ICS) advisories on January 10, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations:
ICSA-23-010-01 Black Box KVM
ICSA-22-298-07 Delta Electronics InfraSuite Device Master (Update A)
https://us-cert.cisa.gov/ncas/current-activity/2023/01/10/cisa-releases-two-industrial-control-systems-advisories
Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered
Cisco Talos recently discovered three vulnerabilities in Asus router software. The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers.
https://blog.talosintelligence.com/vulnerability-spotlight-asus-router-access-information-disclosure-denial-of-service-vulnerabilities-discovered/
IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813)
CICS Transaction Gateway, IBM Answer Retrieval for Watson Discovery, IBM Business Automation Workflow, IBM Cloud Object Storage Systems, IBM Master Data Management, IBM Maximo Application Suite, IBM Sterling Partner Engagement Manager, IBM WebSphere Application Server, TADDM
https://www.ibm.com/support/pages/bulletin/
Siemens Security Advisories (7 new, 15 updated)
SSA-997779 V1.0: File Parsing Vulnerability in Solid Edge before V2023 MP1
SSA-936212 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Solid Edge
SSA-712929 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products
SSA-710008 V1.2 (Last Update: 2023-01-10): Multiple Web Vulnerabilities in SCALANCE Products
SSA-697140 V1.1 (Last Update: 2023-01-10): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products
SSA-593272 V1.9 (Last Update: 2023-01-10): SegmentSmack in Interniche IP-Stack based Industrial Devices
SSA-592007 V1.9 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Products
SSA-552702 V1.3 (Last Update: 2023-01-10): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products
SSA-547714 V1.1 (Last Update: 2023-01-10): Argument Injection Vulnerability in SIMATIC WinCC OA Ultralight Client
SSA-496604 V1.0: Cross-Site Scripting Vulnerability in Mendix SAML Module
SSA-482757 V1.0: Missing Immutable Root of Trust in S7-1500 CPU devices
SSA-480230 V2.5 (Last Update: 2023-01-10): Denial of Service Vulnerability in Webserver of Industrial Products
SSA-478960 V1.2 (Last Update: 2023-01-10): Missing CSRF Protection in the Web Server Login Page of Industrial Controllers
SSA-476715 V1.0: Two Vulnerabilities in Automation License Manager
SSA-473245 V2.5 (Last Update: 2023-01-10): Denial-of-Service Vulnerability in Profinet Devices
SSA-446448 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack
SSA-431678 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerability in SIMATIC S7 CPU Families
SSA-382653 V1.1 (Last Update: 2023-01-10): Multiple Denial of Service Vulnerabilities in Industrial Products
SSA-349422 V1.8 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Real-Time (IRT) Devices
SSA-332410 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 1
SSA-210822 V1.1 (Last Update: 2023-01-10): Improper Access Control Vulnerability in Mendix Workflow Commons Module
SSA-113131 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerabilities in SIMATIC S7-400 CPUs
https://new.siemens.com/global/en/products/services/cert.html?d=2023-01#SecurityPublications