Threat actor uses HP iLO rootkit to wipe servers.
An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations.
Named iLOBleed, the rootkit was discovered by Tehran-based security firm Amnpardaz and detailed in a report released on Tuesday.
https://therecord.media/threat-actor-uses-hp-ilo-rootkit-to-wipe-servers/
How to implant malware in a hidden area of SSDs with the Flex Capacity feature
Researchers devised a series of attacks against SSDs that could allow malware to be implanted in a location that is not monitored by security solutions.
https://securityaffairs.co/wordpress/126170/hacking/ssds-flex-capacity-feature-attacks.html
Multiple vulnerabilities in the Netgear Nighthawk RAX43 router
Publication date: 03/01/2022
Severity: 5 - Critical
Affected resources:
Nighthawk RAX43, firmware version 1.0.3.96 and earlier.
Description:
Researchers Evan Grant and Jimi Sebree have detected several vulnerabilities in Netgear's Nighthawk RAX43 router which, taken together, amount to a critical severity rating.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-router-netgear-nighthawk-rax43
Multiple vulnerabilities in Trendnet AC2600 TEW-827DRU
Publication date: 03/01/2022
Severity: 5 - Critical
Affected resources:
Trendnet AC2600 TEW-827DRU firmware.
Description:
Jimi Sebree, a researcher with Tenable's Zero Day Research team, has reported 17 vulnerabilities through which an attacker could bypass authentication, reuse old tokens, achieve remote code execution, access unencrypted information, change the device configuration, install modified firmware, cause a denial of service, change the administrator password, perform command injection, take control of the device, and access usernames and passwords in plain text.
Solution:
Apply the patches supplied by the vendor once they are available. Tenable was not aware of any available patches as of the publication date of its advisory.
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-trendnet-ac2600-tew-827dru
VMSA-2022-0001
CVSSv3 Range: 7.7
Issue Date: 2022-01-04
CVE(s): CVE-2021-22045
Synopsis:
VMware Workstation, Fusion and ESXi updates address a heap-overflow vulnerability (CVE-2021-22045)
Impacted Products
VMware ESXi
VMware Workstation
VMware Fusion
VMware Cloud Foundation
https://www.vmware.com/security/advisories/VMSA-2022-0001.html
An Apple HomeKit bug can send iOS devices into a death spiral.
https://www.theverge.com/2022/1/3/22865145/apple-ios-vulnerability-homekit-devices-bug-crash
Apple’s slow response puts users at risk, said security researcher Trevor Spiniolas.
Log4j flaw attack levels remain high, Microsoft warns.
Organizations might not realize their environments are already compromised.
Microsoft has warned Windows and Azure customers to remain vigilant after observing state-sponsored and cyber-criminal attackers probing systems for the Log4j 'Log4Shell' flaw through December.
Disclosed by the Apache Software Foundation on December 9, Log4Shell will likely take years to remediate because of how widely the error-logging software component is used in applications and services.
Microsoft warns that customers might not be aware of how widespread the Log4j issue is in their environment.
https://www.zdnet.com/article/log4j-flaw-attacks-are-causing-lots-of-problems-microsoft-warns/
Experts warn against storing passwords in Chrome after hackers target remote workers.
https://nypost.com/2022/01/02/experts-warn-against-storing-passwords-in-chrome/
Hackers are preying on people working from home for passwords stored in web browsers, experts claim.
Implant.ARM.iLOBleed.a.
HP servers provide a management module called iLO (a.k.a. Integrated Lights-Out), which turns on as soon as the power cable is connected, loading a full-blown proprietary operating system. This module has full access to all the firmware, hardware, software, and operating system installed on the server. In addition to managing the server hardware, it allows the admin to remotely turn the server on and off, gain access to the server’s console, and even install an operating system on it.
There are numerous aspects of iLO that make it an ideal utopia for malware and APT groups: extremely high privileges (above any level of access in the operating system), very low-level access to the hardware, being totally out of sight of admins and security tools, and the general lack of knowledge and tools for inspecting iLO and/or protecting it.
https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/
Android security bulletin for January 2022
Publication date: 05/01/2022
Severity: 4 - High
Affected resources:
Android Open Source Project (AOSP):
Versions 9, 10, 11 and 12.
Description:
The January 2022 monthly Android bulletin fixes fourteen high-severity vulnerabilities: eleven affect the system and three affect kernel components. They could allow an attacker to install packages without the user's consent, disclose information, or escalate privileges on the system.
https://www.incibe.es/protege-tu-empresa/avisos-seguridad/boletin-seguridad-android-enero-2022
Emergency Windows Server update fixes Remote Desktop issues.
https://www.bleepingcomputer.com/news/microsoft/emergency-windows-server-update-fixes-remote-desktop-issues/
Microsoft has released an emergency out-of-band update to address a Windows Server bug leading to Remote Desktop connection and performance issues.
Careful! Uber flaw allows anyone to send an email from uber.com.
On New Year’s Eve, Seif Elsallamy (@0x21SAFE on Twitter), a bug bounty hunter and security researcher, pointed out a phish-worthy security flaw he found on Uber’s email system. The flaw allowed anyone to send emails on behalf of Uber, meaning they would end with “@uber.com”.
https://blog.malwarebytes.com/social-engineering/2022/01/careful-uber-flaw-allows-anyone-to-send-an-email-from-uber-com/
Uber didn’t think that this is much of a problem, even though several researchers already raised the grave possibility of phishing.
WordPress 5.8.3 security update
Publication date: 07/01/2022
Severity: 4 - High
Affected resources:
WordPress, versions 3.7 through 5.8.
Description:
Four vulnerabilities affecting WordPress have been published, of the stored XSS, object injection and SQL injection types.
Solution:
Update to version 5.8 from WordPress.org or from the dashboard (Updates > Update Now).
https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-583-wordpress
Unauthenticated RCE in H2 Database Console is similar to Log4Shell
JFrog researchers discovered a critical vulnerability in the H2 open-source Java SQL database that is related to the Log4Shell (Log4j) vulnerability. The flaw, tracked as CVE-2021-42392, could allow attackers to execute code remotely on vulnerable systems; the good news is that, unlike the Log4j issue, it should not be as widespread.
https://securityaffairs.co/wordpress/126460/security/unauthenticated-rce-h2-database.html
JNDI vulnerability in the H2 database console (unauthenticated RCE)
Created by Vicente Motos on January 08, 2022
https://www.hackplayers.com/2022/01/vulnerabilidad-jndi-en-la-consola-de-.html
USN-5219-1: Linux kernel vulnerability
11 JANUARY 2022
The system could be made to crash or run programs as an administrator.
Releases: Ubuntu 21.10, Ubuntu 21.04, Ubuntu 20.04 LTS
Details:
It was discovered that the eBPF implementation in the Linux kernel did not properly validate the memory size of certain ring buffer operation arguments. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
https://ubuntu.com/security/notices/USN-5219-1
DLA-2876-1 vim -- LTS security update
Date Reported: 10 Jan 2022
Affected Packages: vim
Description:
vim is vulnerable to Heap-based Buffer Overflow ...
CVE-2022-0158
https://www.debian.org/lts/security/2022/dla-2876
https://security-tracker.debian.org/tracker/CVE-2022-0158
Forwarded from Una al día
Banking malware exploits Microsoft signature verification
https://unaaldia.hispasec.com/2022/01/malware-bancario-explota-la-verificacion-de-firma-de-microsoft.html
A new campaign of the Zloader banking malware exploits a vulnerability in Microsoft's digital signature verification.
Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed
https://www.zdnet.com/article/microsoft-january-2022-patch-tuesday-six-zero-days-over-90-vulnerabilities-fixed/
This month's round of security fixes includes patches for publicly-known remote code execution bugs.
Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/mozilla-releases-security-updates-firefox-firefox-esr-and
Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.