End-of-Day report
Timeframe: Wednesday 11-01-2023 18:00 - Thursday 12-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
News
Accounts emptied: New phishing wave using Apple Pay
Criminals are using an elaborate trick to obtain credit card data. Anyone who observes the basics is, however, adequately protected.
https://futurezone.at/digital-life/apple-pay-phishing-welle-mail-kreditkarten-paylife-bawag-netflix-disney-spotify-pakete/402288839
Hack: Security vulnerability in SugarCRM servers is being actively exploited
Numerous SugarCRM servers in the USA and Germany have already been hacked. A hotfix has already been released.
https://www.golem.de/news/hack-sicherheitsluecke-in-sugarcrm-servern-wird-aktiv-ausgenutzt-2301-171152.html
Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability
Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers.
https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html
New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors
A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.
https://thehackernews.com/2023/01/new-analysis-reveals-raspberry-robin.html
IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours
A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access.
https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html
Prowler v3: AWS & Azure security assessments
Prowler is an open source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. Prowler v3 is now multi-cloud with Azure added as the second supported cloud provider.
https://isc.sans.edu/diary/rss/29430
Exfiltration Over a Blocked Port on a Next-Gen Firewall
[..] all successfully exfiltrated data packets were in small formats [..], smaller than the MTU (maximum transmit unit). This meant that these data types could only be exfiltrated in single packets, rather than multiple, to avoid exceeding the MTU size. When asked about this finding, the NG-FW vendor acknowledged that "to determine which application is being used, and whether the session aligned with the protocol's standard, the NG-FW must allow at least one packet to pass."
https://cymulate.com/blog/data-exfiltration-firewall/
Critical security vulnerability threatens end-of-life routers from Cisco
The network equipment vendor Cisco has released important security updates for, among others, various routers, IP phones and Webex.
https://heise.de/-7456480
AI-generated phishing attacks are becoming more convincing
It's time for you and your colleagues to become more skeptical about what you read. That's a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harass, and spread fake news. Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed.
https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-are-becoming-more-convincing
Threema Under Fire After Downplaying Security Research
The developers of the open source secure messaging app Threema have come under fire over their public response to a security analysis conducted by researchers at the Swiss university ETH Zurich.
https://www.securityweek.com/threema-under-fire-after-downplaying-security-research
SCCM Site Takeover via Automatic Client Push Installation
tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation.
https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-installation-f567ec80d5b1?source=rssf05f8696e3cc4
Dangerous misconfigurations of Active Directory service accounts
Identifying weaknesses in the AD configuration can turn out to be a nightmare, warns guest author Guido Grillenmeier of Semperis.
https://www.zdnet.de/88406475/gefaehrliche-fehlkonfigurationen-von-active-directory-dienstkonten/
Microsoft Exchange January 2023 Patchday follow-up: services not starting, etc.
On 10 January 2023 (Patchday), Microsoft released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. These security updates close two vulnerabilities (Elevation of Privilege and Spoofing) in this software, but they have known bugs and cause new problems during installation. Here is a brief overview of the current state of affairs.
https://www.borncity.com/blog/2023/01/12/microsoft-exchange-januar-2023-patchday-nachlese-dienste-starten-nicht-etc/
What is Red Teaming & How it Benefits Orgs
Running real-world attack simulations can help improve organizations' cybersecurity resilience.
https://www.trendmicro.com/en_us/research/23/a/what-is-red-teaming.html
Shodan Verified Vulns 2023-01-01
As of 2023-01-01, Shodan sees the following vulnerabilities in Austria: [...]
https://cert.at/de/aktuelles/2023/1/shodan-verified-vulns-2023-01-01
Vulnerabilities
Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001
Description: This module enables users to create private vocabularies. The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.
https://www.drupal.org/sa-contrib-2023-001
Security updates for Thursday
Security updates have been issued by Debian (emacs, libxstream-java, and netty), Fedora (mingw-binutils, pgadmin4, phoronix-test-suite, vim, and yarnpkg), Red Hat (.NET 6.0, dbus, expat, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, postgresql:10, sqlite, systemd, usbguard, and virt:rhel and virt-devel:rhel), and SUSE (net-snmp, openstack-barbican, openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, [...]
https://lwn.net/Articles/919785/
TP-Link SG105PE vulnerable to authentication bypass
https://jvn.jp/en/jp/JVN78481846/
WAGO: Unauthenticated Configuration Export in web-based management in multiple devices
https://cert.vde.com/de/advisories/VDE-2022-054/
Visual Studio Code Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21779
Security vulnerability in Apache CXF affects IBM InfoSphere Master Data Management
https://www.ibm.com/support/pages/node/6854685
Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway
https://www.ibm.com/support/pages/node/6854713
Vulnerabilities in IBM Java included with IBM Tivoli Monitoring.
https://www.ibm.com/support/pages/node/6854647
Vulnerabilities in IBM Java Runtime affect IBM WebSphere Application Servers used by IBM Master Data Management (CVE-2022-21496, CVE-2022-21434, CVE-2022-21443)
https://www.ibm.com/support/pages/node/6854595
The IBM® Engineering Lifecycle Engineering products using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676
https://www.ibm.com/support/pages/node/6851835
IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to PostgreSQL
https://www.ibm.com/support/pages/node/6854915
Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-41041)
https://www.ibm.com/support/pages/node/6854927
IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to arbitrary code execution due to [CVE-2022-25893]
https://www.ibm.com/support/pages/node/6854929
Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-41041)
https://www.ibm.com/support/pages/node/6854931