Trojanized OneNote Document Leads to Formbook Malware.

Cybercriminals have long used Microsoft documents to pass along malware and they are always experimenting with new ways to deliver malicious packages. As defenders, Trustwave SpiderLabs’ researchers are always looking out for new or unusual file types, and through this ongoing research, we uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service. Formbook malware can steal data from various web browsers and from other applications. This malware also has keylogging functionality and can take screenshots.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/

SafeBreach Labs Researcher Discovers Multiple Zero-Day Vulnerabilities in Leading Endpoint Detection and Response (EDR) and Antivirus (AV) Solutions.

The vulnerabilities were used to develop an undetectable, next-generation wiper—dubbed the Aikido Wiper—with the potential to impact hundreds of millions of endpoints worldwide.

The SafeBreach Labs team is committed to conducting original research to uncover new threats and ensure our Hacker’s Playbook provides the most comprehensive collection of attacks. As part of my recent research, I uncovered multiple zero-day vulnerabilities that I was able to use to turn endpoint detection and response (EDR) and antivirus (AV) tools into next-generation wipers with the potential to impact hundreds of millions of endpoints all around the world.

https://www.safebreach.com/resources/blog/safebreach-labs-researcher-discovers-multiple-zero-day-vulnerabilities/

Sophos fixed a critical flaw in its Sophos Firewall version 19.5.

Sophos addressed several vulnerabilities affecting its Sophos Firewall version 19.5, including arbitrary code execution issues.

Sophos has released security patches to address seven vulnerabilities in Sophos Firewall version 19.5, including some arbitrary code execution bugs.

The most severe issue addressed by the security vendor is a critical code injection vulnerability tracked as CVE-2022-3236.

https://securityaffairs.co/wordpress/139362/security/sophos-firewall-critical-flaw.html

Desbordamiento de búfer en productos Fortinet

Fecha de publicación: 13/12/2022
Identificador: INCIBE-2022-1050
Importancia: 5 - Crítica

Recursos afectados:
FortiOS, versiones:
desde 7.2.0 hasta 7.2.2;
desde 7.0.0 hasta 7.0.8;
desde 6.4.0 hasta 6.4.10;
desde 6.2.0 hasta 6.2.11.
FortiOS-6K7K, versiones:
desde 7.0.0 hasta 7.0.7;
desde 6.4.0 hasta 6.4.9;
desde 6.2.0 hasta 6.2.11;
desde 6.0.0 hasta 6.0.14.

Descripción:
Fortinet ha reportado una vulnerabilidad crítica de desbordamiento de búfer en FortiOS SSL-VPN, que podría permitir a un atacante remoto, no autenticado, ejecutar código o comandos arbitrarios a través de solicitudes maliciosas.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/desbordamiento-bufer-productos-fortinet

Citrix Releases Security Updates for Citrix ADC, Citrix Gateway

Citrix has released security updates to address a critical vulnerability (CVE-2022-27518) in Citrix ADC and Citrix Gateway. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability has been exploited in the wild.

CISA encourages users and administrators to review Citrix security bulletin CTX457836 and Citrix’s blog post for more information and to apply the necessary updates. Additionally, CISA urges organizations to review NSA’s advisory APT5: Citrix ADC Threat Hunting Guidance for detection and mitigation guidance against tools employed by a malicious actor targeting vulnerable Citrix ADC systems.

https://www.cisa.gov/uscert/ncas/current-activity/2022/12/13/citrix-releases-security-updates-citrix-adc-citrix-gateway

VMSA-2022-0033

CVSSv3 Range: 5.9-9.3
Issue Date: 2022-12-13
CVE(s): CVE-2022-31705
Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705)

Impacted Products
VMware ESXi
VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Cloud Foundation

Introduction
A heap out-of-bounds write vulnerability in VMware ESXi, Workstation, and Fusion was privately reported to VMware. Updates and workarounds are available to remediate this vulnerability in affected VMware products.

https://www.vmware.com/security/advisories/VMSA-2022-0033.html

VMSA-2022-0031

CVSSv3 Range: 7.5-9.8
Issue Date: 2022-12-13
CVE(s): CVE-2022-31702, CVE-2022-31703

Synopsis:
VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities (CVE-2022-31702, CVE-2022-31703)

Impacted Products
VMware vRealize Network Insight (vRNI)

Introduction
Multiple vulnerabilities in VMware vRealize Network Insight (vRNI)were privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in affected VMware products.

https://www.vmware.com/security/advisories/VMSA-2022-0031.html

Microsoft Releases December 2022 Security Updates

https://msrc.microsoft.com/update-guide/releaseNote/2022-Dec

Apple Releases Security Updates for Multiple Products

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.

CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible:
iCloud for Windows 14.1
Safari 16.2
macOS Monterey 12.6.2
macOS Big Sur 11.7.2
tvOS 16.2
watchOS 9.2
iOS 15.7.2 and iPadOS 15.7.2
iOS 16.2 and iPadOS 16.2
macOS Ventura 13.1

https://www.cisa.gov/uscert/ncas/current-activity/2022/12/13/apple-releases-security-updates-multiple-products

VMSA-2022-0032

CVSSv3 Range: 5.3-7.2
Issue Date: 2022-12-13
CVE(s): CVE-2022-31700, CVE-2022-31701

Synopsis:
VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701).

Impacted Products
VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
VMware Cloud Foundation (Cloud Foundation)

Introduction
Multiple vulnerabilities were privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

https://www.vmware.com/security/advisories/VMSA-2022-0032.html

Actualización de seguridad de SAP de diciembre de 2022

Fecha de publicación: 14/12/2022
Identificador: INCIBE-2022-1055
Importancia: 5 - Crítica

Recursos afectados:
SAP Business Client, versiones 6.5, 7.0 y 7.70;
SAP BusinessObjects Business Intelligence Platform, versiones 420 y 430;
SAP NetWeaver Process Integration, versión 7.50;
SAP Commerce, versiones 1905, 2005, 2105, 2011 y 2205;
SAP NetWeaver Process Integration, versión 7.50;
SAPBASIS, versiones 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790 y 791;
SAP Business Planning y Consolidation, versiones SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300 y CPMBPC 810;
SAP BusinessObjects Business Intelligence Platform (Program Objects) versiones 420 y 430;
SAP Commerce Webservices 2.0 (Swagger UI), versiones 1905, 2005, 2105, 2011 y 2205;
SAPUI5, versiones 754, 755, 756, 757 y CLIENT RUNTIME, versiones –600, 700, 800, 900 y 1000;
El resto de productos afectados se pueden consultar en SAP Security Patch Day – Diciembre 2022.

Descripción:
SAP ha publicado varias actualizaciones de seguridad en diferentes productos en su comunicado mensual.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-diciembre-2022

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Múltiples vulnerabilidades que afectan a productos de TIBCO

Fecha de publicación: 14/12/2022
Identificador: INCIBE-2022-1054
Importancia: 5 - Crítica

Recursos afectados:
TIBCO JasperReports Server, versiones 8.0.2 y anteriores.
Servidor TIBCO JasperReports, versión 8.1.0.
TIBCO JasperReports Server - Community Edition, versiones 8.1.0 y anteriores.
TIBCO JasperReports Server - Developer Edition, versiones 8.1.0 y anteriores.
TIBCO JasperReports Server para AWS Marketplace, versiones 8.0.2 y anteriores.
TIBCO JasperReports Server para AWS Marketplace, versión 8.1.0.
TIBCO JasperReports Server para Microsoft Azure, versiones 8.0.2 y anteriores.
TIBCO JasperReports Server para Microsoft Azure, versión 8.1.0.

Descripción:
TIBCO ha detectado 3 vulnerabilidades: 2 de severidad crítica y 1 de severidad alta que podrían permitir a un atacante con privilegios de administrador y acceso a la red, ejecutar código de forma remota o un ataque XSS en el sistema afectado.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-afectan-productos-tibco

Akamai WAF bypassed via Spring Boot to trigger RCE.

Akamai issued an update to resolve the flaw several months ago

A researcher has disclosed a technique that bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).

[...]
Akamai response
When approached for comment, Akamai told The Daily Swig that the bypass was only possible as the researchers used an old version of the Akamai WAF protection engine.

A patch was issued on July 25, 2022. As a result, customers running the latest engine version are not at risk of exploitation.
[...]

https://portswigger.net/daily-swig/akamai-waf-bypassed-via-spring-boot-to-trigger-rce

VMSA-2021-0025.6

CVSSv3 Range: 7.1
Issue Date: 2021-11-10
Updated On: 2022-12-15
CVE(s): CVE-2021-22048

Synopsis:
VMware vCenter Server updates address a privilege escalation vulnerability (CVE-2021-22048)

https://www.vmware.com/security/advisories/VMSA-2021-0025.html

VMSA-2022-0034

CVSSv3 Range: 4.4-7.2
Issue Date: 2022-12-15
Updated On: 2022-12-15 (Initial Advisory)
CVE(s): CVE-2022-31707, CVE-2022-31708

Synopsis:
VMware vRealize Operations (vROps) updates address privilege escalation vulnerabilities (CVE-2022-31707, CVE-2022-31708)

Impacted Products
VMware vRealize Operations (vROps)

Introduction
Multiple vulnerabilities in VMware vRealize Operations (vROps) were privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in affected VMware products.

https://www.vmware.com/security/advisories/VMSA-2022-0034.html

Samba Releases Security Updates
Original release date: December 16, 2022

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following Samba security announcements and apply the necessary updates.
CVE-2022-38023
CVE-2022-37966
CVE-2022-37967
CVE-2022-45141

https://www.cisa.gov/uscert/ncas/current-activity/2022/12/16/samba-releases-security-updates

Múltiples vulnerabilidades en productos Netgear

Fecha de publicación: 19/12/2022
Identificador: INICBE-2022-1060
Importancia: 5 - Crítica

Recursos afectados:
Routers NETGEAR Nighthawk WiFi6, versiones anteriores a la v1.0.9.90.

Descripción:
Se han detectado 3 vulnerabilidades que podrían permitir a un atacante ejecutar comandos arbitrarios en el dispositivo sin autenticación.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-productos-netgear-22

Cisco lanza 29 parches de seguridad: 5 críticos y 17 altos en la última semana

https://unaaldia.hispasec.com/2022/12/cisco-lanza-29-parches-de-seguridad-5-criticos-y-17-altos-en-la-ultima-semana.html?utm_source=rss&utm_medium=rss&utm_campaign=cisco-lanza-29-parches-de-seguridad-5-criticos-y-17-altos-en-la-ultima-semana

#CCNNovedades Ya están disponibles las ponencias y talleres de las #XVIJornadasCCNCERT y #IVJornadasCiberdefensaESPDEFCERT 📽️Lista de reproducción: https://t.co/htEfnIgBlT https://t.co/4Dd2XjBaJ7

New STEPPY#KAVACH Attack Campaign Likely Targeting Indian Government: Technical Insights and Detection Using Securonix.

The Securonix Threat Research team has recently identified a new malicious attack campaign related to a malicious threat actor (MTA) tracked by Securonix as STEPPY#KAVACH targeting victims likely associated with the Indian government.

https://www.securonix.com/blog/new-steppykavach-attack-campaign/