Tageszusammenfassung - 10.01.2023

End-of-Day report

Timeframe: Montag 09-01-2023 18:00 - Dienstag 10-01-2023 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Interview: Sönke Huster über Lücken im WLAN-Stack des Linux-Kernels

Sönke Huster hat Sicherheitslücken im WLAN-Stack des Linux-Kernels gefunden, die einen Angriff theoretisch ermöglichen, nur weil das WLAN eingeschaltet ist.

https://heise.de/-7447684


Meeting-Client Zoom unter Android, macOS und Windows angreifbar

Nach erfolgreichen Attacken auf Zoom Rooms könnten sich Angreifer etwa unter macOS Root-Rechte verschaffen. Sicherheitsupdates sind verfügbar.

https://heise.de/-7453606


Sourcecode-Editor Visual Studio Code: Fake Extensions lassen sich leicht tarnen

Sicherheitsforscher haben eine als Prettier getarnte Erweiterung im Marktplatz veröffentlicht, die es auf gut 1000 Downloads innerhalb von 48 Stunden brachte.

https://heise.de/-7453534


Patchday: SAP behandelt vier kritische Schwachstellen

SAP liefert Updates zum Beheben von teils kritischen Sicherheitslücken in den Produkten des Herstellers. IT-Verantwortliche sollten sie rasch installieren.

https://heise.de/-7454402


Heads up! Xdr33, A Variant Of CIA-s HIVE Attack Kit Emerges

On Oct 21, 2022, 360Netlabs honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via F5 vulnerability with zero VT detection, our system observces that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, this caught our attention.

https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/


New year, old tricks: Hunting for CircleCI configuration files, (Mon, Jan 9th)

I have written before about attackers looking for exposed configuration files. Configuration files often include credentials or other sensitive information. Today, I noticed some scans for a files called "/.circleci/config.yml". Given the recent breach at CircleCI, I dug in a bit deeper.

https://isc.sans.edu/diary/rss/29416


ChatGPT-Written Malware

I don-t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.-within a few weeks of ChatGPT going live, participants in cybercrime forums-­some with little or no coding experience­-were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks.

https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html


Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL

The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week.

https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html


The Dark Side of Gmail

Behind one of Gmail-s lesser-known features lies a potential threat to websites and platforms managers.

https://osintmatter.com/the-dark-side-of-gmail/


Crypto-inspired Magecart skimmer surfaces via digital crime haven

One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services.

https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven


Malware-based attacks on ATMs - A summary

Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics.

https://blog.nviso.eu/2023/01/10/malware-based-attacks-on-atms-a-summary/

Vulnerabilities

Securepoint UTM: Hotfix schließt kritische Sicherheitslücke

In den Securepoint UTM klafft eine kritische Sicherheitslücke. Das Unternehmen hat einen Hotfix bereitgestellt, der die Schwachstelle abdichtet.

https://heise.de/-7453560


UEFI-Sicherheitslücken bedrohen ARM-Geräte wie Microsoft Surface

Supply-Chain-Attacken möglich: Angreifer könnten auf Lenovo ThinkPads und Microsoft Surface den Schutzmechanismus Secure Boot umgehen.

https://heise.de/-7454141


Eleven Vulnerabilities Patched in Royal Elementor Addons

On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day.

https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons/


Security updates for Tuesday

Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk).

https://lwn.net/Articles/919543/


2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider

The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities.

https://www.securityweek.com/2023-ics-patch-tuesday-debuts-12-security-advisories-siemens-schneider


CISA Releases Two Industrial Control Systems Advisories

CISA released two Industrial Control Systems (ICS) advisories on January 10, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-010-01 Black Box KVM ICSA-22-298-07 Delta Electronics InfraSuite Device Master (Update A)

https://us-cert.cisa.gov/ncas/current-activity/2023/01/10/cisa-releases-two-industrial-control-systems-advisories


Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered

Cisco Talos recently discovered three vulnerabilities in Asus router software. The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers.

https://blog.talosintelligence.com/vulnerability-spotlight-asus-router-access-information-disclosure-denial-of-service-vulnerabilities-discovered/


IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813)

CICS Transaction Gateway, IBM Answer Retrieval for Watson Discovery, IBM Business Automation Workflow, IBM Cloud Object Storage Systems, IBM Master Data Management, IBM Maximo Application Suite, IBM Sterling Partner Engagement Manager, IBM WebSphere Application Server, TADDM

https://www.ibm.com/support/pages/bulletin/


Siemens Security Advisories (7 new, 15 updated)

SSA-997779 V1.0: File Parsing Vulnerability in Solid Edge before V2023 MP1 SSA-936212 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Solid Edge SSA-712929 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products SSA-710008 V1.2 (Last Update: 2023-01-10): Multiple Web Vulnerabilities in SCALANCE Products SSA-697140 V1.1 (Last Update: 2023-01-10): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products SSA-593272 V1.9 (Last Update: 2023-01-10): SegmentSmack in Interniche IP-Stack based Industrial Devices SSA-592007 V1.9 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Products SSA-552702 V1.3 (Last Update: 2023-01-10): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products SSA-547714 V1.1 (Last Update: 2023-01-10): Argument Injection Vulnerability in SIMATIC WinCC OA Ultralight Client SSA-496604 V1.0: Cross-Site Scripting Vulnerability in Mendix SAML Module SSA-482757 V1.0: Missing Immutable Root of Trust in S7-1500 CPU devices SSA-480230 V2.5 (Last Update: 2023-01-10): Denial of Service Vulnerability in Webserver of Industrial Products SSA-478960 V1.2 (Last Update: 2023-01-10): Missing CSRF Protection in the Web Server Login Page of Industrial Controllers SSA-476715 V1.0: Two Vulnerabilities in Automation License Manager SSA-473245 V2.5 (Last Update: 2023-01-10): Denial-of-Service Vulnerability in Profinet Devices SSA-446448 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack SSA-431678 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerability in SIMATIC S7 CPU Families SSA-382653 V1.1 (Last Update: 2023-01-10): Multiple Denial of Service Vulnerabilities in Industrial Products SSA-349422 V1.8 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Real-Time (IRT) Devices SSA-332410 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 1 SSA-210822 V1.1 (Last Update: 2023-01-10): Improper Access Control Vulnerability in Mendix Workflow Commons Module SSA-113131 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerabilities in SIMATIC S7-400 CPUs

https://new.siemens.com/global/en/products/services/cert.html?d=2023-01#SecurityPublications