End-of-Day report
Timeframe: Monday 13-03-2023 18:00 - Tuesday 14-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
Cybercriminals exploit SVB collapse to steal money and data
The collapse of the Silicon Valley Bank (SVB) on March 10, 2023, has sent ripples of turbulence throughout the global financial system, but for hackers, scammers, and phishing campaigns, it's becoming an excellent opportunity.
https://www.bleepingcomputer.com/news/security/cybercriminals-exploit-svb-collapse-to-steal-money-and-data/
HUNT_RTF_CVE_2023_21716.yar
Detects RTF documents with an inflated fonttable. Hunting for CVE-2023-21716
https://github.com/SIFalcon/Detection/blob/main/Yara/Hunting/HUNT_RTF_CVE_2023_21716.yar
Kali Purple: The Linux distribution for security researchers goes defensive
Kali Linux is celebrating its birthday and has been released in the new version 2023.1. The new Kali Purple specialises in defensive security testing.
https://heise.de/-7544725
Fortinet Finds Zero-Day Exploit in Government Attacks After Devices Detect Integrity Breach
Fortinet says recently patched FortiOS vulnerability was exploited in sophisticated attacks targeting government entities.
https://www.securityweek.com/fortinet-finds-zero-day-exploit-in-government-attacks-after-devices-detect-integrity-breach/
Do not buy Amazon pallets or mystery boxes
On Facebook and Instagram, the fake Amazon shop "datinted.com" advertises "Amazon pallets". The pallets, so-called mystery boxes, supposedly contain various products such as headphones, drones and game consoles, all for less than 50 euros. Anyone who orders receives no goods and loses their money!
https://www.watchlist-internet.at/news/kaufen-sie-keine-amazon-paletten-oder-mystery-boxen/
Improved Office macro security leads to new attack methods via OneNote & Co.
Since Microsoft and Windows system administrators have been investing more in macro security, attacks via this vector have become harder. Cybercriminals are looking for new ways to deliver malware to users. OneNote occupies a prominent position as an entry point, but other file types and the Mark of the Web weakness in Windows have recently also been used more frequently for attacks.
https://www.borncity.com/blog/2023/03/14/verbesserte-office-makrosicherheit-fhrt-zu-neuen-angriffsmethoden-ber-onenote-co/
Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency
Cisco Talos has identified a new espionage-oriented threat actor, which we are naming "YoroTrooper", targeting a multitude of entities in Europe and Turkey.
https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/
ZTNA vs VPN: Secure Remote Work and Access
Explore the drivers behind switching from VPN to Zero Trust Network Access (ZTNA) for any device access from anywhere.
https://www.trendmicro.com/en_us/ciso/22/h/ztna-vs-vpn-secure-remote-work.html
Vulnerabilities
Siemens Security Advisories 2023-03-14
* SSA-847261 V1.1 (Last Update: 2023-03-14): Multiple SPP File Parsing Vulnerabilities in Tecnomatix Plant Simulation
* https://cert-portal.siemens.com/productcert/html/ssa-847261.html
* SSA-840800 V1.2 (Last Update: 2023-03-14): Code Injection Vulnerability in RUGGEDCOM ROS
* https://cert-portal.siemens.com/productcert/html/ssa-840800.html
* SSA-787941 V1.1 (Last Update: 2023-03-14): Denial of Service Vulnerability in RUGGEDCOM ROS V4
* https://cert-portal.siemens.com/productcert/html/ssa-787941.html
* SSA-772220 V2.2 (Last Update: 2023-03-14): OpenSSL Vulnerabilities in Industrial Products
* https://cert-portal.siemens.com/productcert/html/ssa-772220.html
* SSA-764417 V1.7 (Last Update: 2023-03-14): Weak Encryption Vulnerability in RUGGEDCOM ROS Devices
* https://cert-portal.siemens.com/productcert/html/ssa-764417.html
* SSA-726834 V1.0: Denial of Service Vulnerability in the RADIUS Client of SIPROTEC 5 Devices
* https://cert-portal.siemens.com/productcert/html/ssa-726834.html
* SSA-712929 V1.8 (Last Update: 2023-03-14): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products
* https://cert-portal.siemens.com/productcert/html/ssa-712929.html
* SSA-700053 V1.1 (Last Update: 2023-03-14): Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go
* https://cert-portal.siemens.com/productcert/html/ssa-700053.html
* SSA-697140 V1.2 (Last Update: 2023-03-14): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products
* https://cert-portal.siemens.com/productcert/html/ssa-697140.html
* SSA-565386 V1.0: Third-Party Component Vulnerabilities in SCALANCE W-700 IEEE 802.11ax devices before V2.0
* https://cert-portal.siemens.com/productcert/html/ssa-565386.html
* SSA-552702 V1.4 (Last Update: 2023-03-14): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products
* https://cert-portal.siemens.com/productcert/html/ssa-552702.html
* SSA-539476 V1.4 (Last Update: 2023-03-14): Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component strongSwan
* https://cert-portal.siemens.com/productcert/html/ssa-539476.html
* SSA-517377 V1.2 (Last Update: 2023-03-14): Multiple Vulnerabilities in the SRCS VPN Feature in SIMATIC CP Devices
* https://cert-portal.siemens.com/productcert/html/ssa-517377.html
* SSA-491245 V1.1 (Last Update: 2023-03-14): Multiple File Parsing Vulnerabilities in Solid Edge
* https://cert-portal.siemens.com/productcert/html/ssa-491245.html
* SSA-482757 V1.2 (Last Update: 2023-03-14): Missing Immutable Root of Trust in S7-1500 CPU devices
* https://cert-portal.siemens.com/productcert/html/ssa-482757.html
* SSA-476715 V1.1 (Last Update: 2023-03-14): Two Vulnerabilities in Automation License Manager
* https://cert-portal.siemens.com/productcert/html/ssa-476715.html
* SSB-439005 V5.1 (Last Update: 2023-03-14): Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP
* https://cert-portal.siemens.com/productcert/html/ssb-439005.html
* SSA-419740 V1.0: Multiple Third-Party Component Vulnerabilities in RUGGEDCOM and SCALANCE Products before V7.2
* https://cert-portal.siemens.com/productcert/html/ssa-419740.html
* SSA-413565 V1.1 (Last Update: 2023-03-14): Multiple Vulnerabilities in SCALANCE Products
* https://cert-portal.siemens.com/productcert/html/ssa-413565.html
* SSA-324955 V2.0 (Last Update: 2023-03-14): SAD DNS Attack in Linux Based Products
* https://cert-portal.siemens.com/productcert/html/ssa-324955.html
* SSA-321292 V1.4 (Last Update: 2023-03-14): Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products
* https://cert-portal.siemens.com/productcert/html/ssa-321292.html
* SSA-320629 V1.0: Security Vulnerabilities Fixed in RUGGEDCOM CROSSBOW V5.3
* https://cert-portal.siemens.com/productcert/html/ssa-320629.html
* SSA-260625 V1.0: Security Vulnerabilities Fixed in RUGGEDCOM CROSSBOW V5.2
* https://cert-portal.siemens.com/productcert/html/ssa-260625.html
* SSA-256353 V1.3 (Last Update: 2023-03-14): Third-Party Component Vulnerabilities in RUGGEDCOM ROS
* https://cert-portal.siemens.com/productcert/html/ssa-256353.html
* SSA-250085 V1.2 (Last Update: 2023-03-14): Multiple Vulnerabilities in SINEC NMS and SINEMA Server
* https://cert-portal.siemens.com/productcert/html/ssa-250085.html
* SSA-244969 V1.9 (Last Update: 2023-03-14): OpenSSL Vulnerability in Industrial Products
* https://cert-portal.siemens.com/productcert/html/ssa-244969.html
* SSA-223771 V1.2 (Last Update: 2023-03-14): SISCO Stack Vulnerability in SIPROTEC 5 Devices
* https://cert-portal.siemens.com/productcert/html/ssa-223771.html
* SSA-203374 V1.0: Multiple OpenSSL Vulnerabilities in SCALANCE W1750D Devices
* https://cert-portal.siemens.com/productcert/html/ssa-203374.html
* SSA-941426 V1.4 (Last Update: 2023-03-14): Multiple LLDP Vulnerabilities in Industrial Products
* https://cert-portal.siemens.com/productcert/html/ssa-941426.html
* SSA-851884 V1.0: Authentication Bypass Vulnerability in Mendix SAML Module
* https://cert-portal.siemens.com/productcert/html/ssa-851884.html
https://new.siemens.com/global/en/products/services/cert.html?d=2023-03#SecurityPublications
Dolibarr: unauthenticated contacts database theft
Our pentester discovered a critical vulnerability exploitable by an unauthenticated attacker. It provides access to a competitor's entire customer file, prospects, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved. Very easy to exploit, it affects Dolibarr 16.x versions.
https://www.dsecbypass.com/en/dolibarr-pre-auth-contact-database-dump/
PaperCut MF/NG vulnerability bulletin (March 2023)
We have received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. We do not have any evidence of these vulnerabilities being used against customers at this point.
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
Schneider Electric Security Advisories 2023-03-14
3 new, 15 updated
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
Patch day: SAP closes 19 security vulnerabilities, some of them critical
For the March patch day, SAP has published security notes on 19 vulnerabilities. The vendor rates five of them as critical. Updates are available.
https://heise.de/-7544782
Security updates for Tuesday
Security updates have been issued by Debian (redis), Fedora (cairo, freetype, harfbuzz, and qt6-qtwebengine), Red Hat (kpatch-patch), SUSE (chromium, java-1_8_0-openj9, and nodejs18), and Ubuntu (chromium-browser, libxstream-java, php-twig, twig, protobuf, and python-werkzeug).
https://lwn.net/Articles/926083/
Android App "Wolt Delivery: Food and more" uses a hard-coded API key for an external service
https://jvn.jp/en/jp/JVN64453490/
TXONE SECURITY BULLETIN: TXOne StellarOne Improper Access Control Privilege Escalation Vulnerability
https://success.trendmicro.com/dcx/s/solution/000292486?language=en_US
PHOENIX CONTACT: Multiple vulnerabilities in ENERGY AXC PU
https://cert.vde.com/de/advisories/VDE-2023-003/
Lenovo System Update Elevation of Privileges Vulnerability
http://support.lenovo.com/product_security/PS500553-LENOVO-SYSTEM-UPDATE-ELEVATION-OF-PRIVILEGES-VULNERABILITY
Lenovo XClarity Controller (XCC) Vulnerabilities
http://support.lenovo.com/product_security/PS500552-LENOVO-XCLARITY-CONTROLLER-XCC-VULNERABILITIES
A security vulnerability has been identified in IBM HTTP Server, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2023-26281)
https://www.ibm.com/support/pages/node/6963268
Multiple Vulnerabilities in IBM® Runtime Environment Java™ Technology Edition affects WebSphere eXtreme Scale
https://www.ibm.com/support/pages/node/6963278
Multiple vulnerabilities in Curl affect PowerSC
https://www.ibm.com/support/pages/node/6963308