End-of-Day report
Timeframe: Tuesday 31-01-2023 18:00 - Wednesday 01-02-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Patch now! Tens of thousands of Qnap NAS devices exposed to the internet are vulnerable
Attackers could exploit a critical security vulnerability in Qnap network storage devices directly over the internet.
https://heise.de/-7477826
Microsoft Defender for Endpoint now also isolates Linux machines
Because Linux devices can also serve as an entry point for cyber attackers, Microsoft's security software will in future isolate them from the corporate network as well when required.
https://heise.de/-7477878
Discussion about a vulnerability in KeePass
A vulnerability allows the KeePass configuration to be changed if users have certain rights. With those rights, however, they can do much more.
https://heise.de/-7478396
New Vinted sellers beware: do not release any payments!
On the second-hand platform vinted.at there is currently an increase in a scam targeting new sellers. The first interested parties get in touch quickly and ask for a telephone number. This is followed by SMS messages in Vinted's name demanding confirmation of credit card details in order to receive the payment. Warning: the SMS messages do not come from vinted.at but from criminals, and the supposed confirmations lead to debits [...]
https://www.watchlist-internet.at/news/neue-vinted-verkaeuferinnen-aufgepasst-keine-zahlungen-freigeben/
Hackers use new IceBreaker malware to breach gaming companies
Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker.
https://www.bleepingcomputer.com/news/security/hackers-use-new-icebreaker-malware-to-breach-gaming-companies/
DShield Honeypot Setup with pfSense, (Tue, Jan 31st)
Setting up a DShield honeypot is well guided by the installation script [1]. After several minutes of following the instructions and adding some custom details, the honeypot is up and running. What's needed after that is to expose the honeypot to the internet. I recently decided to update my home router and thought it was a great opportunity to dig into using pfSense [2].
https://isc.sans.edu/diary/rss/29490
Detecting (Malicious) OneNote Files, (Wed, Feb 1st)
We are starting to see malicious OneNote documents (cfr. Xavier's diary entry "A First Malicious OneNote Document").
https://isc.sans.edu/diary/rss/29494
Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076)
Cisco has released patches for a high-severity vulnerability (CVE-2023-20076) found in some of its industrial routers, gateways and enterprise wireless access points, which may allow attackers to insert malicious code that can't be deleted by simply rebooting the device or updating its firmware. "In this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system."
https://www.helpnetsecurity.com/2023/02/01/cve-2023-20076/
Google sponsored ads malvertising targets password manager
Our researchers found a more direct way to go after your password by using Google sponsored ads campaigns.
https://www.malwarebytes.com/blog/threat-intelligence/2023/01/google-sponsored-ads-malvertising-targets-password-manager
Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched.
https://www.securityweek.com/unpatched-econolite-traffic-controller-vulnerabilities-allow-remote-hacking/
Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware
Microsoft warns that phishing, fake software updates and unpatched vulnerabilities are being exploited for ransomware attacks.
https://www.zdnet.com/article/microsoft-we-are-tracking-these-100-active-ransomware-gangs-using-50-types-of-malware/
Password Nightmare Explained
This blog post belongs to a series in which we examine various influences on password strategies. The first post in the series analyzed the macrosocial influence of a country on its citizens' passwords. The second post was focused on the analysis of the influence of a community on password choice. In this last post, we aim to increase the strength of our readers' passwords by influencing their password strategies using knowledge and insights from our research.
https://www.gosecure.net/blog/2023/01/31/password-nightmare-explained/
Vulnerabilities
Vulnerability in Driver Distributor where passwords are stored in a recoverable format
Driver Distributor provided by FUJIFILM Business Innovation Corp. contains a vulnerability where passwords are stored in a recoverable format.
https://jvn.jp/en/jp/JVN22830348/
Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software
Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations.
https://thehackernews.com/2023/02/additional-supply-chain-vulnerabilities.html
Antivirus: Trend Micro Apex One vulnerability allows file uploads until the server dies
Attackers could abuse a high-risk security vulnerability in the Trend Micro Apex One server to flood the server with files and thereby bring it down.
https://heise.de/-7477479
Security updates for Wednesday
Security updates have been issued by Debian (fig2dev and libstb), Fedora (seamonkey), SUSE (ctags, python-setuptools, samba, tmux, and xterm), and Ubuntu (advancecomp, apache2, python-django, slurm-llnl, and vim).
https://lwn.net/Articles/921848/
CVE-2023-22374: F5 BIG-IP Format String Vulnerability
Rapid7 found an additional vulnerability in the appliance-mode REST interface. We reported it to F5 and are now disclosing it in accordance with our vulnerability disclosure policy.
https://www.rapid7.com/blog/post/2023/02/01/cve-2023-22374-f5-big-ip-format-string-vulnerability/
IBM Security Bulletins 2023-02-01
App Connect Professional is affected by JsonErrorReportValve in Apache Tomcat.
A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-23477)
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-23477)
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-23477)
A vulnerability in the IBM Java Runtime affects IBM Rational ClearQuest (CVE-2022-21626)
A vulnerability may affect the IBM Elastic Storage System GUI (CVE-2022-43869)
HTTP header injection vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-34165)
IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to json5 (CVE-2022-46175)
IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons [CVE-2022-42889 and CVE-2022-33980]
IBM Cloud Pak for Multicloud Management is vulnerable to denial of service attacks due to snakeYAML
IBM Cloud Pak for Multicloud Management is vulnerable to denial of service due to protobuf-java core and lite
IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of FasterXML Jackson (CVE-2022-42003)
IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go
IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS
IBM Infosphere Information Server is vulnerable to cross-site scripting (CVE-2023-23475)
IBM Spectrum Scale GUI is vulnerable to Format string attack (CVE-2022-43869)
IBM Sterling B2B Integrator is vulnerable to denial of service due to Netty (CVE-2021-37136, CVE-2021-37137)
IBM Sterling Connect:Direct File Agent is vulnerable to a denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626)
IBM Sterling Connect:Direct File Agent is vulnerable to a memory exploit due to Eclipse Openj9 (CVE-2022-3676)
IBM Sterling External Authentication Server vulnerable to denial of service due to Apache Xerces2 (CVE-2022-23437)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow in GNU glibc (CVE-2021-3999)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-27664)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in protobuf (CVE-2022-1941)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary command execution in OpenSSL (CVE-2022-2068)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in GNU gzip (CVE-2022-1271)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to issues in OpenSSL (CVE-2022-1434, CVE-2022-1343, CVE-2022-1292, CVE-2022-1473)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to query parameter smuggling in Golang Go (CVE-2022-2880)
IBM WebSphere Application Server Liberty used by IBM Cloud Pak for Watson AIOps is vulnerable to HTTP header injection (CVE-2022-34165)
Multiple vulnerabilities in IBM Java SDK affects App Connect Professional.
Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061)
Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-2068, CVE-2022-2097)
https://www.ibm.com/support/pages/bulletin/
Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhis-1afe7781-en
Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhis-1556afc2-en
Multiple Vulnerabilities Patched in Quick Restaurant Menu Plugin
https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-quick-restaurant-menu-plugin/
SA45653 - Cross-site Request Forgery in Login Form
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Cross-site-Request-Forgery-in-Login-Form