We strongly advise against using the new Outlook for data protection and security reasons.
Microsoft is currently advertising its new Outlook, which is provided free of charge by Microsoft and is intended to replace "Mail for Windows", especially in Windows 11. By using this new Outlook version, the access data from the mail accounts set up, here the RPTU account including password, as well as all mails from a mailbox, are transferred to Microsoft servers. This is very questionable in terms of data protection and security. Microsoft is thus able to analyze and evaluate the email content, attachments and contact data. We strongly advise against using the new Outlook! Data protection authorities have already taken action and also advise against using the new Outlook.
If you have any questions, please contact the RZ Service Center: https://rz.rptu.de/support
Sources:
https://www.heise.de/news/Microsoft-krallt-sich-Zugangsdaten-Achtung-vorm-neuen-Outlook-9357691.html
https://www.tlfdi.de/fileadmin/tlfdi/presse/Pressemitteilungen_2023/231117_PM_Outlook.pdf
PATCH FOR security vulnerability
The fix for the curl HIGH vulnerability has been released. https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/
[The explainer on the SOCKS5 vulnerability is absolutely worth reading! "To learn how this flaw was reported and we worked on the issue before it was made public" -> Not only for this, but also to show how to properly deal with such scenarios when it hits you and how such "bugs" can arise].
------------------------------
cURL: Info on "worst security vulnerability in a long time" coming on October 11
The founder of the cURL project announces the publication of information on a serious vulnerability in the web request tools for next Wednesday.
The cURL tool collection is used by many projects for HTTP calls, API calls and for downloads on the command line. Now the founder of the project is announcing a security update for October 11, which is apparently quite something.
When cURL creator Daniel Stenberg uses the phrase "buckle up" to describe a security vulnerability, it doesn't bode well. The Swede's announcement on X is very clear: bug CVE-2023-38545 is the "worst security problem that has been found in cURL for a long time". Stenberg, a vehement critic of the CVE and CVSS methodology, uses his announcement to take a swipe at the US vulnerability database. The NVD will probably suffer a "complete nervous breakdown" due to the severity of the problem.
More at cURL: Info on "worst security vulnerability in a long time" coming on October 11 | heise online
Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl security flaw in a long time.
The new version and details about the two CVEs will be published around 06:00 UTC on the release day.
- CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)
- CVE-2023-38546: severity LOW (affects libcurl only, not the tool)
There is no API nor ABI change in the coming curl release.
I cannot disclose any information about which version range that is affected, as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time. The "last several years" of versions is as specific as I can get.
We have notified the distros mailing list allowing the member distributions to prepare patches. (No one else gets details about these problems before October 11 without a support contract and a good reason).
Now you know. Plan accordingly.
Patch now! Exploits for glibc vulnerability publicly available
After the bug in the Linux library glibc became known last Tuesday, reliably working exploits have now emerged.
A vulnerability in the Linux core library glibc allows attackers with a local account to escalate privileges to the "root" administrator account. Several IT security researchers have now published working exploits that attackers can use to gain root privileges. IT managers with Linux systems should patch quickly.
Shortly after the disclosure of the privilege escalation vulnerability with the CVE number CVE-2023-4911 in glibc, the first proof of concept (PoC) exploits were released in addition to updates for all major distributions. While these were initially quite slow and limited to a few systems, an IT researcher has now succeeded in writing a reliable exploit that users can adapt to their own systems.
Root made easy
Dutchman Peter Geissler published a Python script on his website that opens a root shell on unpatched systems. The highlight of this exploit: With minor modifications, pentesters can adapt the script so that it also runs on their Linux version. At least as long as the bug fixes have not yet been implemented there.
The security gap in glibc was made public last Tuesday by the security company Qualys and was promptly patched by all major distributions. All glibc versions since 2.34 are affected by the "Looney Tunables" security vulnerability. Updated versions of the major Linux distributions bear the version numbers
- 2.35-0ubuntu3.4 for Ubuntu 22.04,
- 2.37-0ubuntu2.1 for Ubuntu 23.04,
- 2.31-13+deb11u7 for Debian 11,
- 2.36-9+deb12u3 for Debian 12,
- 2.28-225.el8_8.6 for RHEL 8,
- 2.34-60.el9_2.7 for RHEL 9 and
- 2.38-4.1 for openSUSE Tumbleweed; other SUSE versions are not affected.
Purists who compile their glibc themselves must currently rely on development version 2.39, which is not scheduled for release until next February. The version 2.38 offered for download on the glibc website at the time of reporting is still vulnerable.
Admins sometimes tend to laugh at exploits for local privilege elevation (LPE), as these do not allow a direct attack from a distance. However, in conjunction with another vulnerability, such as the current Confluence leak that allows code execution, attackers can use an LPE to take over the entire computer. Cybercriminals are therefore likely to exploit the vulnerability soon to take over Linux systems and then install ransomware, for example.
UPDATE 06.10.2023 13:49
Version number of the patched version for Debian 11 "Bullseye" corrected to 2.31-13+deb11u7; patch status for SuSE added.
Found on Patch now! Exploits for glibc vulnerability publicly available | heise online
Unpatched vulnerabilities in the Exim mail transfer agent
The SMTP service of the free mail server Exim contains a critical vulnerability that could allow attackers to execute arbitrary code. Updates are on the way.
Description
The open source Mail Transfer Agent (MTA) Exim has several serious unpatched vulnerabilities. Particularly critical is a buffer overflow vulnerability in the SMTP implementation, CVE-2023-42115, which may allow a remote, unauthenticated attacker to execute code with the privileges of the service account used to run Exim. It therefore achieves a CVSS rating of 9.8 ("critical"). As a result of the code execution, attackers could be able to leak sensitive data, including transport-encrypted emails, among other things.
The vulnerabilities were reported to the manufacturer in June 2022 and published by the Zero Day Initiative on 27.9.2023 after the time window granted for the development of patches had expired, without patches being available. It is currently unknown whether and how Exim version 4.97, which is currently under development, will close the vulnerabilities.
Recommendation
As a short-term measure, the ZDI recommends restricting the exchange via the Exim SMTP service, i.e. limiting the accessibility for delivering mail servers or switching off the receipt of emails as a precaution.
Further information can be found at Critical vulnerability in the Exim mail server | heise online and BSI - Federal Office for Information Security - Version 1.0: Unpatched vulnerabilities in the Exim mail transfer agent
Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data
Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data.
The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages.
The repository, named "robust-models-transfer," is no longer accessible. Prior to its takedown, it featured source code and machine learning models pertaining to a 2020 research paper titled "Do Adversarially Robust ImageNet Models Transfer Better?"
"The exposure came as the result of an overly permissive SAS token - an Azure feature that allows users to share data in a manner that is both hard to track and hard to revoke," Wiz said in a report. The issue was reported to Microsoft on June 22, 2023.
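The two properties that made the token described above dangerous, broad permissions and a distant expiry, are visible in the query string of any SAS URL. The following audit function is an added example (not from Wiz or Microsoft) that flags those properties on a constructed weak token and passes a constructed read-only, short-lived, IP-restricted one; the storage account, container and signature values are made up.

```python
"""Audit an Azure Storage SAS URL for the properties that make a token hard to
contain: account- or container-wide scope, write/delete rights, a far-off
expiry and no network restriction. Added example with constructed sample URLs."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Letters of the 'sp' (signed permissions) parameter that allow modification.
MUTATING_PERMISSIONS = {
    "a": "add", "c": "create", "w": "write", "d": "delete",
    "x": "delete version", "y": "permanent delete",
}

# Date the issue was reported to Microsoft, per the article; used as "now".
REPORT_DATE = datetime(2023, 6, 22, tzinfo=timezone.utc)

# Constructed sample URLs: container-wide, full permissions, expiry in 2051 ...
WEAK_SAS_URL = (
    "https://exampleaccount.blob.core.windows.net/example-container"
    "?sv=2020-08-04&sr=c&sp=racwdl&se=2051-10-06T00:00:00Z&sig=CONSTRUCTED"
)
# ... versus one blob, read-only, two-day lifetime, pinned to one source IP.
HARDENED_SAS_URL = (
    "https://exampleaccount.blob.core.windows.net/example-container/weights.tar.gz"
    "?sv=2020-08-04&sr=b&sp=r&st=2023-06-20T00:00:00Z&se=2023-06-22T00:00:00Z"
    "&sip=203.0.113.10&spr=https&sig=CONSTRUCTED"
)


def _parse_expiry(value):
    """Parse the 'se' value (ISO 8601, usually with a trailing Z) to an aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def audit_sas_url(url, now=None, max_lifetime=timedelta(days=7)):
    """Return a list of findings; an empty list means the token is narrowly scoped."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []

    if "sig" not in params or "sv" not in params:
        return ["not a SAS URL (missing sv/sig parameters)"]

    # Scope: an account SAS (ss/srt) covers every service it names; a service
    # SAS on a container (sr=c) covers every blob inside it.
    if "ss" in params or "srt" in params:
        findings.append("account-level SAS: scope is the whole storage account, not one object")
    elif params.get("sr") == "c":
        findings.append("container-level SAS: every blob in the container is covered")

    granted = set(params.get("sp", ""))
    mutating = sorted(MUTATING_PERMISSIONS[p] for p in granted & MUTATING_PERMISSIONS.keys())
    if mutating:
        findings.append("grants mutating permissions: " + ", ".join(mutating))
    if "l" in granted:
        findings.append("grants list permission: the container contents can be enumerated")

    # Lifetime: a token that outlives the project cannot be revoked by waiting.
    if "se" not in params:
        findings.append("no expiry (se) set")
    else:
        expiry = _parse_expiry(params["se"])
        if expiry > now + max_lifetime:
            days = (expiry - now).days
            findings.append(f"expiry {params['se']} is {days} days out; max allowed {max_lifetime.days}")

    # Network and transport restrictions narrow who can replay a leaked token.
    if "sip" not in params:
        findings.append("no IP range restriction (sip)")
    if params.get("spr", "https") != "https":
        findings.append("token usable over plain HTTP (spr)")
    return findings


if __name__ == "__main__":
    for label, url in (("weak", WEAK_SAS_URL), ("hardened", HARDENED_SAS_URL)):
        print(label, audit_sas_url(url, now=REPORT_DATE) or ["no findings"])
```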
Full article can be found here Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data (thehackernews.com)
--- shorter English version see below ---
NSO Group attack: Emergency updates for iPhone, iPad, Mac and Apple Watch
On Thursday evening, Apple released further updates for its current operating systems. Included are fixes for an active exploit.
Update quickly: iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2 and watchOS 9.6.2 have been available for download since Thursday evening. All four updates for iPhone, iPad, Mac and Apple Watch contain only a simple statement in the release notes: "This update provides important security fixes and is recommended for all users."
Caution: zero-click attack
What this actually means can be found on Apple's official support page on the subject of security updates: A total of two errors are listed there for which, according to Apple, there are already exploits in the wild: "Apple is aware of a report that this issue may have been actively exploited."
According to the research organization Citizen Lab at the University of Toronto, which is known for uncovering digital espionage attacks on activists, journalists or politicians, the loopholes are used by the controversial security company NSO Group, which has already been sued by Apple. The researchers refer to the exploit chain as "BLASTPASS". It is said to have led to an infection without user interaction - a so-called zero-click attack. Citizen Lab has not yet disclosed which victims have been attacked so far.
At least two exploited vulnerabilities
According to the security researchers, the attack was carried out via PassKit attachments with malicious images that were sent to the victim from the attacker's iMessage account. Further technical details are to be provided later. According to Apple, iOS 16.6 and iPadOS 16.6 and presumably earlier versions are particularly vulnerable. There are gaps in the image processing routine ImageIO (CVE-2023-41064), which can be used to execute unwanted code via a manipulated image (Apple does not specify which rights are used for this).
The wallet app for managing credit cards and transport tickets is also affected (CVE-2023-41061), which could be infected with a manipulated attachment. This also leads to the execution of arbitrary code. Both bugs have been fixed through improved memory handling (ImageIO) and "improved logic" (Wallet).
Mac and Apple Watch
The bug in ImageIO is also present in macOS; version 13.5.2 fixes it. However, the Wallet bug is missing here. In watchOS 9.6.2, only the Wallet problem has been fixed; there does not appear to be any possibility of an attack via ImageIO.
Interestingly, the updates are not Apple's new "rapid security measures" in the form of the so-called Rapid Security Response (RSR). Instead, all four updates are distributed regularly via the software update and require complete reboots.
Found on NSO Group attack: Emergency updates for iPhone, iPad, Mac and Apple Watch | heise online
Please carry out the updates and stay safe!
Best regards,
Your information security management team
------------------------------------------
On behalf of the Chief Information Security Officer and the RHRZ, a message on heise should urgently draw attention to the fact that Apple products must be updated immediately!
There are several critical security vulnerabilities for which Apple has pushed updates for its current operating systems on Thursday evening. Included are fixes for an active exploit.
Quick update: iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2 and watchOS 9.6.2 have been available for download since Thursday evening. All four updates for iPhone, iPad, Mac, and Apple Watch contain only one simple statement in the release notes: "This update provides important security fixes and is recommended for all users."
Caution: Zero-click attack
What is meant by this can be found on Apple's official support page on the subject of security updates: There are a total of two bugs listed, for which, according to Apple, there are already exploits in the wild: "Apple is aware of a report that this problem may have been actively exploited."
According to the research organization Citizen Lab at the University of Toronto, which is known for uncovering digital espionage attacks on activists, journalists or politicians, the vulnerabilities are used by the controversial security company NSO Group, which had already been sued by Apple. The researchers refer to the exploit chain as "BLASTPASS". It is said to have led to an infection without user interaction - as a so-called zero-click attack. Citizen Lab has not yet announced which victims have been attacked so far.
At least two exploited vulnerabilities
According to the security researchers, the attack was carried out via PassKit attachments with malicious images sent to the victim from an iMessage account of the attacker. Further technical details are to be submitted later.
According to Apple, iOS 16.6 and iPadOS 16.6 are particularly vulnerable, as are probably earlier versions. There are vulnerabilities in the image processing routine ImageIO (CVE-2023-41064), which can be used to execute unwanted code via a manipulated image (Apple does not specify the rights with which this is done).
Furthermore, the Wallet app for managing credit cards and transport tickets is affected (CVE-2023-41061); it could be infected with a manipulated attachment. This also leads to the execution of arbitrary code. Both bugs have been fixed by improved memory handling (ImageIO) and "improved logic" (Wallet) respectively.
Mac and Apple Watch
The bug in ImageIO is also present in macOS; version 13.5.2 fixes it. However, the Wallet bug is missing here. In watchOS 9.6.2, only the Wallet problem has been fixed; there seems to be no possibility of attack via ImageIO.
Interestingly, the updates are not Apple's new "rapid security measures" in the form of the so-called Rapid Security Response (RSR). Instead, all four updates are regularly distributed through Software Update and require full reboots.
For more detailed information, see NSO Group attack: Emergency updates for iPhone, iPad, Mac and Apple Watch | heise online
Please carry out the updates and stay safe!
Kind regards,
Your Information Security Management Team
Web browser: High-risk vulnerabilities in Google Chrome closed
Google is patching four security vulnerabilities classified as high-risk with updated versions of Chrome.
Google's developers have given the Chrome web browser its weekly update. It contains bug fixes for four security vulnerabilities classified as high-risk. Anyone using Chrome should therefore ensure that they use the new version as soon as possible.
The company has not yet decided on the amount of bug bounties awarded. In the version announcement, however, Google's developers explain that memory access outside the intended limits was possible in the FedCM component. According to the bug description, attackers can compromise the renderer process with manipulated HTML pages and read memory outside the specified limits (CVE-2023-4761, no CVSS value, risk "high").
Four high-risk vulnerabilities
In addition, malicious actors can abuse a type-confusion vulnerability in the JavaScript engine V8 with crafted websites in order to inject malicious code (CVE-2023-4762, no CVSS value, high). With this type of vulnerability, the actual data types do not match those assumed in the program code, which can lead to memory access outside the allocated areas.
In addition, due to a use-after-free vulnerability in Chrome's network code, attackers may be able to trigger memory scrambling on the heap and abuse it for code smuggling (CVE-2023-4763, no CVSS value, high). In the BFCache component of Chrome, malicious actors can exploit a vulnerability to spoof the contents of the address bar called Omnibox on manipulated websites (CVE-2023-4764, no CVSS score, high).
The current, secured browser versions are 116.0.5845.172 for Android, 116.0.5845.177 for iOS, 116.0.5845.179 for Linux and macOS and 116.0.5845.179/.180 for Windows. Google's programmers add that the extended stable versions have also been updated to 116.0.5845.179 for macOS and 116.0.5845.180 for Windows.
Browser version check
You can find out whether the browser is up to date by calling up the version dialog. This can be found in the settings menu, which opens by clicking on the icon with the three stacked dots to the right of the browser's address bar. It can be started via "Help" - "About Google Chrome".
Found on web browser: High-risk vulnerabilities in Google Chrome closed | heise online
VMware Tools: Vulnerability allows attackers to perform unauthorized actions in guests
VMware warns of a security vulnerability in VMware Tools. It enables a man-in-the-middle attack on guest systems.
There is a vulnerability in VMware Tools that gives attackers in a man-in-the-middle position between vCenter Server and a virtual machine unauthorized access and allows them to perform unauthorized actions. Updates are available to fix the vulnerability.
The VMware tools are designed to enable better management and seamless user interaction with guest operating systems. They significantly improve performance and are therefore likely to be installed by default by most users.
Bypassing the verification of security tokens
The vulnerability consists of a possible circumvention of the verification of so-called SAML tokens. These transmit authentication information, for example. Malicious actors can bypass the SAML token check from a man-in-the-middle position between the vCenter Server and the virtual machine and thus perform operations in the guest with VMware Tools. These are potentially comprehensive, as the VMware Tools provide drivers for graphics output, keyboard, mouse, disk and network access, for example. The developers therefore classify the vulnerability as a serious threat (CVE-2023-20900, CVSS 7.5, risk "high").
VMware does not mention any temporary countermeasures. In the security message, however, they list the bug-fixed versions of VMware Tools. Version 12.3.0 corrects the error under Linux and Windows for the affected branches 10.3.x, 11.x.x and 12.x.x. Under Linux, version 10.3.26 is also available for older releases. The version with error correction depends on the version of the Linux distribution and the "distributor".
The software packages with the corrections can be found on the current download page for Windows and on the page for Linux. For Linux, only the 10.3.26 version is available there, newer packages usually come from the distribution as the open-vm-tools package.
Only on Wednesday of this week, VMware had to close a critical vulnerability in VMware Aria Operations for Networks. It allows attackers access without prior login.
Developer of Notepad++ apparently ignores security vulnerabilities
Several security vulnerabilities jeopardize the text editor Notepad++. Despite information on the gaps and possible fixes, a security update is still pending.
Anyone using Notepad++ under Windows makes their system vulnerable to attack. Security researchers reported four vulnerabilities to the developer at the end of April 2023 - but not much has happened since then. In the worst-case scenario, malicious code can get onto computers after successful attacks.
The vulnerabilities were discovered by security researchers from the GitHub Security Lab. In an article, they describe information about the vulnerabilities and how the contact with the responsible party went. Although several new versions of the text editor have been released since the vulnerabilities were reported around four months ago, according to the researchers, the security problems still exist - including the current version v8.5.6.
The loopholes
When converting from UTF-16 to UTF-8, errors can occur that trigger a buffer overflow (CVE-2023-40031, "high"). Attackers can use this to push malicious code onto systems and execute it. The researchers are not currently explaining what a specific attack might look like. In any case, a victim must open a prepared file.
The three remaining vulnerabilities (CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) are classified as "medium". What happens after a successful attack is currently unclear. The researchers assume that information can be leaked via the vulnerabilities.
When will the security patch be released?
The researchers state that communication with the developer is proceeding slowly. According to their own statements, they have already communicated information on closing the vulnerabilities in their first messages. An answer to a request from heise Security to the developer is still pending.
Found on Developer of Notepad++ apparently ignores security vulnerabilities | heise online
High-risk security vulnerabilities in 7-Zip allow code smuggling
The new version of the archive tool 7-Zip closes high-risk security gaps. There is no integrated update mechanism. Manual work is necessary.
The 7-Zip archive tool closes two security loopholes with updated installation packages, which attackers can use to plant malicious code on victims. Opening carefully prepared files is sufficient for this. Users should therefore install the available update as soon as possible.
Version 23.00 of 7-Zip, which was released at the end of May, already closes the security gaps. Version 23.01 from June is now up to date and available on the 7-Zip download page.
The Zero Day Initiative has found and reported the vulnerabilities. On the one hand, the parser for SquashFS file images can write outside the allocated memory areas because it does not sufficiently check transferred data. Attackers can exploit the vulnerability by tricking victims into opening manipulated files (CVE-2023-40481, CVSS 7.8, risk "high").
On the other hand, an integer underflow can occur when processing 7-Zip archives, as the code does not sufficiently check and filter values before use. This error can also be triggered by prepared archives (CVE-2023-31102, CVSS 7.8, high).
The changelog for version 23.00 of 7-Zip does not mention the correction of security vulnerabilities. Since version 23.01 is now available, you should update to this version immediately.
RECOMMENDATION: update manually!
7-Zip has no integrated update mechanism, neither to initiate a manual update nor an automatic version. Therefore, 7-Zip users must download and execute the installation package themselves in order to update the software to the corrected version. On Linux, however, the software management of the distribution used helps with the update search and installation.
Only recently, vulnerabilities were discovered in the WinRAR archive program. Here too, attackers could have used manipulated files to infect victims with malicious code.
Found on Update now! High-risk vulnerabilities in 7-Zip enable code smuggling | heise online
WinRAR gap more far-reaching than expected
A security vulnerability in WinRAR became known at the weekend. This affects other software. There are also other leaks in it that have already been abused.
The effects of a critical security vulnerability in the popular archive software WinRAR go further than initially thought. Programs other than WinRAR are also suspected to be affected. IT security researchers have also discovered another vulnerability in the software, which has been abused by cybercriminals since April of this year.
Last weekend, it became known that a critical vulnerability in WinRAR could be abused by attackers to smuggle in arbitrary program code (CVE-2023-40477, CVSS 7.8, risk "high"). The problem was based on an inadequate check of data in so-called recovery volumes for RAR archives, which allowed write access outside the intended storage areas. Even opening carefully prepared archives is enough to smuggle malicious code onto vulnerable computers.
Gap probably also in other programs
The update to WinRAR 6.23, which closes the security gap, was distributed on August 2. However, the fact that the unrar.dll and unrar64.dll libraries from Rarlabs were probably also vulnerable and included with other software has so far gone largely unnoticed. An update for the popular file manager Total Commander, for example, explicitly corrects the error: "Critical vulnerability in unrar.dll (from RARLAB) fixed, also available as a separate download", the developers write in the changelog. In the forum, however, the programmer Ghisler specifies that nobody knows exactly whether unrar.dll is vulnerable.
Andreas Marx from AV-Test contacted heise Security and wrote to us that he "found over 400 programs that use 'unrar.dll' or 'unrar64.dll' (with a last update before August 1, 2023) in our clean file database". Antivirus software often also uses publicly available libraries and could be vulnerable - after all, the manufacturers may use the automatic update mechanisms to distribute bug-fixed versions. The Windows-internal ZIP tool will soon also receive support for RAR archives with the libarchive code base. However, the publicly available Rarlab-unrar code is based on C++, while libarchive presumably uses its own C implementation. In case of doubt, Microsoft would still have time to address the potential vulnerability before the release.
Zero-day gap
Meanwhile, the IT security researchers at GroupIB write in a blog entry about a malware called "DarkMe", which they investigated on July 10 of this year. This exploited a vulnerability in the processing of ZIP formats in WinRAR to smuggle malicious code onto victims' computers and execute it. The vulnerability makes it possible to disguise file extensions so that supposed images are listed as .jpg or documents as .txt in the prepared archives (CVE-2023-38831, no CVSS classification yet). Behind this, however, was malware that was unknowingly launched by victims by double-clicking.
Manipulated ZIP files containing the malware DarkMe, GuLoader or Remcos RAT were distributed by cybercriminals in trading forums and allowed money to be extracted from the brokers who executed the malicious code. Currently, 130 traders' devices are still infected. The attacks have been taking place since April 2023. WinRAR 6.23 also closes this vulnerability.
Recommendation
If this has not yet been done, WinRAR users should update to the latest version of the software. In addition, other programs that include and use vulnerable unrar libraries are likely to offer updates in the near future.
Found on WinRAR gap more far-reaching than expected | heise online
Windows update preview: Possible boot abort due to unsupported CPU
Microsoft is investigating reports that the boot process may abort with the error message "UNSUPPORTED_PROCESSOR" after installing the recently released Windows Update Previews. The update may then uninstall itself automatically in order to restore Windows to a bootable state.
The update preview fixes some errors that affect system security. For example, the package provides protection against the Downfall Intel CPU vulnerability and corrects problems in the context of hard disk encryption with Bitlocker.
Some messages received
In the Windows Release Health notes, the developers write that they have received several messages stating that users have seen a blue screen with the error message "UNSUPPORTED_PROCESSOR" after installing the update previews from the end of August during the startup process.
Recommendation
To ensure that Windows starts as expected, the update can be uninstalled automatically. On the one hand, this is good news, as the computer remains usable. On the other hand, protective measures that users assume are now active are then missing. If anyone encounters this problem, Microsoft's developers ask them to report it via the integrated feedback hub, which opens by pressing the Windows and F keys simultaneously.
The developers are currently investigating whether the cause of the error lies with Microsoft. Since Windows 11 no longer officially supports many older processors, but the operating system can still be installed on them with tricks, the idea that a check should prevent such installations is obvious. However, as Windows 10 installations are also affected by the problem, this can actually be ruled out. Hopefully, Microsoft will be able to fix the problem by the official patch day in mid-September.
-----------------------------------------------------------------------------------
Found on Windows Update Preview: Possible boot abort due to unsupported CPU | heise online
Please also note the English version of this security warning from 24.08.2023.
How Microsoft covered up a data breach
Microsoft has combated attacks by suspected Chinese hackers. The attackers, known as Storm-0558, were targeting the data of customers of Microsoft cloud services. This could be the end of the story, but it is only just beginning. What is initially astonishing is that neither the German Federal Office for Information Security (BSI) nor other European specialist authorities have so far provided an assessment of the relevance and significance of the incident or given any indication of who might have been affected. The trade journal "c't" has now put an end to the silence with a look behind the scenes.
Background - What happened?
It can be summarized briefly: With a captured key, attackers were able to access all data in Microsoft's cloud services such as Outlook, Office 365, OneDrive or Teams at will and for weeks. This key is the crown jewel of a cloud provider, and Microsoft not only had the key stolen, but it was also inadequately stored, as it now turns out.
But it gets even worse: the stolen key originates from the end customer sector and should therefore not have been suitable for opening enterprise applications. The hackers were primarily spying on governments and authorities. The key has now been blocked, but it is not known what the hackers read or manipulated in the Microsoft cloud. Perhaps they planted backdoors there. That remains unclear. Microsoft is keeping a low profile, as are the governments concerned, and the disaster is being hushed up everywhere: move along, there's nothing to see here.
Found on How Microsoft is covering up a data disaster: Chinese hackers in the cloud (faz.net)
Windows Update: New Windows updates cause UNSUPPORTED_PROCESSOR blue screens
Microsoft says the August 2023 preview updates released this week for Windows 11 and Windows 10 systems are causing blue screens with errors mentioning an unsupported processor issue. The updates in question are tagged as KB5029351 (Windows 11) and KB5029331 (Windows 10), and they come with Search app fixes and introduce a new Backup app, respectively.
The complete list of affected platforms includes Windows 10 21H2/22H2 and Windows 11 22H2.
"Microsoft has received reports of an issue in which users are receiving an 'UNSUPPORTED_PROCESSOR' error message on a blue screen after installing updates released on August 2," Redmond said.
The company also added that the problematic cumulative updates "might automatically uninstall to allow Windows to start up as expected." Some customers who experienced this issue reported [1, 2] have already confirmed that the buggy optional updates were automatically rolled back after several reboots. Microsoft is investigating the newly acknowledged known issue to find out whether it stems from a Microsoft-related cause.
The company also urged users encountering these BSOD errors to file a report using the Feedback Hub. To do that, you will have to go through the following steps:
- Launch Feedback Hub by opening the Start menu and typing "Feedback hub", or pressing the Windows key + F
- Fill in the "Summarize your feedback" and "Explain in more detail" boxes, then click Next.
- Under the "Choose a category" section, click the "Problem" button, and select "Install and Update" category. Then select "Downloading, installing, and configuring Windows Update" subcategory. Click Next.
- Under the "Find similar feedback" section, select the "Make new bug" radio button and click Next.
- Under the "Add more details" section, supply any relevant detail (Note this is not critical to addressing your issue).
- Expand the "Recreate my problem" box and press "Start recording". Reproduce the issue on your device.
- Press "Stop recording" once finished. Click the "Submit" button.
This week, Microsoft also introduced a new Windows 11 policy that gives administrators better control over how monthly non-security preview updates are delivered to enterprise devices.
Once enabled, users can choose between having optional updates installed automatically or selecting manually which ones they want to receive.
-----------------------------------------------------------------------------------------------------
Found here New Windows updates cause UNSUPPORTED_PROCESSOR blue screens (bleepingcomputer.com)
Please also read the German version of this warning dated 25.08.2023.
Citrix: Updates close critical zero-day vulnerability in NetScaler ADC and Gateway
The US cyber security agency CISA warns that attackers can take control of affected devices through the vulnerability. Citrix does not give any details on the vulnerabilities in its security bulletin beyond their nature:
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467.
Citrix: Critical vulnerability is already under attack
The critical vulnerability, which is already being exploited in the wild, affects NetScaler ADC and NetScaler Gateway (formerly Citrix ADC and Citrix Gateway), Citrix explains, and allows malicious code to be executed without prior login. The appliance must be configured as a gateway (VPN Virtual Server, ICA Proxy, CVPN or RDP Proxy) or as an AAA Virtual Server (CVE-2023-3519, CVSS 9.8, risk "critical").
In addition, attackers could trick potential victims on the same network as an NSIP (NetScaler IP) into following a manipulated link and thereby abuse a reflected cross-site scripting (XSS) vulnerability (CVE-2023-3466, CVSS 8.3, high). Logged-in users with access to the management interface on the NSIP or SNIP can also escalate their privileges to root or administrator (CVE-2023-3467, CVSS 8.0, high).
Citrix does not describe any temporary workarounds but strongly recommends that IT managers install the updated software versions as soon as possible. The fixes are contained in NetScaler ADC and NetScaler Gateway 13.1-49.13 and 13.0-91.13 and later, and in NetScaler ADC 13.1-FIPS 13.1-37.159, 12.1-FIPS 12.1-55.297 and 12.1-NDcPP 12.1-55.297 and later. The company emphasizes that NetScaler ADC and Gateway 12.1 have reached end of life and advises customers to upgrade those appliances to versions that are still supported in order to close the vulnerabilities.
Just last week, Citrix had to close critical security gaps in its Secure Access Clients. The new zero-day vulnerability, which is already being exploited, shows that administrators should install updates for Citrix software as soon as they become available.
Recommendation
Read more at Citrix: Updates close critical zero-day vulnerability in Netscaler ADC and Gateway | heise online
IT managers should update quickly: Citrix has released updates for previously attacked vulnerabilities in Netscaler ADC and Gateway.
Detect traces of attacks on Netscaler ADC and Gateway
Prior to the availability of updates, the Citrix vulnerabilities had already been exploited in the wild. It therefore makes sense to check for traces of attacks.
On Wednesday of this week, Citrix released updates that patch zero-day vulnerabilities in Netscaler ADC and Gateway, formerly Citrix ADC and Gateway. The vulnerability was exploited before patches were available. IT managers should therefore check whether their systems have already been attacked.
In 2019, cyber criminals often used the vulnerability known as "Shitrix" to install a backdoor immediately after intrusion. That backdoor remained active even after the patches had been installed and enabled later access. This was the approach taken by the perpetrators in the cyber extortion attack on Düsseldorf University Hospital, for example.
Citrix vulnerability: Highly dangerous
The CVE-2023-3519 vulnerability is a so-called unauthenticated remote code execution vulnerability in a service reachable from the Internet. This is the highest risk category, as attackers can use a corresponding exploit to attack and take over many vulnerable systems within a very short time.
A guide has now been published on deyda.net that can be used to check your own Citrix systems for signs of intrusion. According to the guide, attacks can only be detected through changed file timestamps. These timestamps normally change only with NetScaler updates, so administrators need to know the time of the last update; it can be read from the date of the unpacked installation packages, for example.
The guide also provides some further indicators of compromise (IOCs) that IT managers should check as soon as possible. The authors also provide tips on how administrators should proceed if the suspicion of compromise is confirmed.
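As an added illustration of the timestamp check described above (this is neither the deyda.net guide's procedure verbatim nor Citrix tooling), the following Python snippet walks a directory tree and reports files whose modification time or inode change time is later than the last known update. It keeps the two timestamps apart on purpose: an attacker can backdate a file's mtime with `touch`, but the ctime is maintained by the kernel and cannot be set from user space, so a file whose mtime predates the update while its ctime postdates it deserves a closer look. The root directory and reference time are parameters you supply; NetScaler appliances do not normally ship a Python interpreter, so run this against a copied filesystem, or use the equivalent `find <dir> -type f -newermt "<date>"` on the appliance itself.

```python
import os
import sys
from datetime import datetime, timezone


def _epoch(ts: str) -> float:
    """Convert 'YYYY-MM-DD HH:MM' (interpreted as UTC) into a POSIX timestamp."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp()


def scan_since(root: str, last_update: str) -> dict:
    """Classify every regular file under root relative to the last-update time.

    Returns a dict with three sorted lists of paths:
      mtime_newer : modification time after the update (new or edited files)
      ctime_newer : inode change time after the update (created, chmod'ed, renamed, ...)
      backdated   : mtime before the update but ctime after it, i.e. the mtime was
                    probably reset to look old (possible timestomping)
    """
    since = _epoch(last_update)
    hits = {"mtime_newer": [], "ctime_newer": [], "backdated": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: do not follow symlinks an attacker may have planted
            except OSError:
                continue                 # vanished or unreadable; nothing to classify
            # NOTE: on Windows st_ctime is the creation time, not the inode change time.
            if st.st_mtime > since:
                hits["mtime_newer"].append(path)
            if st.st_ctime > since:
                hits["ctime_newer"].append(path)
            if st.st_mtime <= since < st.st_ctime:
                hits["backdated"].append(path)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    # Usage: python scan_since.py <root> "YYYY-MM-DD HH:MM"
    if len(sys.argv) == 3:
        for bucket, paths in scan_since(sys.argv[1], sys.argv[2]).items():
            print(f"== {bucket} ({len(paths)})")
            for p in paths:
                print("  ", p)
```

Anything in `backdated` is the most interesting bucket: a legitimate firmware update does not leave files whose mtime is older than the update but whose inode was touched afterwards. Expect noise from log rotation and configuration saves in `mtime_newer`, so compare against the directories the guide names rather than the whole filesystem.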
Further information at Citrix Zero Days: Detecting traces of attacks on Netscaler ADC and Gateway | heise online.
Microsoft security vulnerability (CVE-2023-36884, CVSS 8.3) in Office
Dear colleagues,
As you may know, Microsoft has identified a vulnerability rated as high (CVE-2023-36884, CVSS 8.3) in Office. It is already being actively exploited to inject malicious code and gain access to systems.
Action plan
Until a security patch is provided by Microsoft, Microsoft recommends making certain changes to the registry to prevent exploitation of the vulnerability.
We have made a change in our central Active Directory group policy that sets the registry values recommended by Microsoft. The affected registry key is:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION, under which each application name is created as a DWORD value set to 1.
The applications are:
- Excel.exe
- Graph.exe
- MSAccess.exe
- MsPub.exe
- PowerPoint.exe
- Visio.exe
- WinProj.exe
- WinWord.exe
- Wordpad.exe
This measure is intended to prevent the vulnerability from being exploited.
Warning and recommendation
Please note that at this stage we are unable to assess whether this change could have any undesirable effects.
In the meantime, we strongly recommend being careful with unknown or unexpected Office documents and not opening files from unknown senders.
If you have any questions, please contact the RHRZ AD team or the RHRZ hotline and support team.
More frequent cyber attacks on administrations and doctors' surgeries
Public administrations, universities and doctors' surgeries are being targeted more frequently by criminals, said BKA chief Münch. Such attacks could have massive economic and social consequences.
Cyber criminals are increasingly targeting public administrations, universities and doctors' surgeries in Germany, warned BKA chief Holger Münch. "The threat from cybercrime has been increasing for years and is causing massive economic and social damage in some cases," Münch told the Funke Mediengruppe newspapers.
Such attacks could have massive consequences: administrations, for example, could be unable to work for weeks. What's more, in many cases systems are encrypted and sensitive data is siphoned off.
Comparatively low hurdles for cyber criminals
According to Münch, if the technical hurdles are also low, this is "quickly attractive to criminals and subsequently lucrative".
Prosecution, on the other hand, is much more difficult: it takes a long time and is further complicated by the fact that the perpetrators are usually abroad.
Prosecution also records successes
However, the law enforcement authorities have also been successful recently, for example against illegal online marketplaces such as "Hydra Market" or the money laundering service "ChipMixer".
"In total, we confiscated over one hundred million euros in these two cases and thus took away the criminal scene's money, customers and tools," said Münch.
Found on BKA President warns of cyber attacks in Germany | tagesschau.de
Kernel vulnerability allows privilege escalation under Linux
A vulnerability in the memory management subsystem of the Linux kernel allows attackers to potentially gain elevated privileges.
More information can be found at Stackrot: Kernel vulnerability allows privilege escalation on Linux - Golem.de.
Version check
Administrators are advised to check the respective kernel version of their Linux systems and, if necessary, update to a version protected against the exploitation of CVE-2023-3269.
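To make the version check above concrete, here is an added Python helper (not from Golem.de or the kernel project) that parses a `uname -r` string and compares it against the upstream versions in which CVE-2023-3269 was fixed. The thresholds are assumptions taken from the July 2023 stable release notes; verify them against your distribution's advisory, because distribution kernels backport fixes without changing the upstream version number, so a bare version comparison can report false positives on Debian, Ubuntu, RHEL or SUSE kernels.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Assumed from the upstream stable release notes (verify against your distro advisory):
FIRST_AFFECTED = (6, 1, 0)          # maple-tree VMA management arrived in 6.1
FIRST_FIXED_MAINLINE = (6, 5, 0)    # fix merged for 6.5-rc1
FIXED_STABLE = {                    # first fixed release per still-maintained stable series
    (6, 1): (6, 1, 37),
    (6, 3): (6, 3, 11),
    (6, 4): (6, 4, 1),
}


def parse_release(release: str) -> Optional[Version]:
    """Parse the upstream part of a `uname -r` string.

    '6.1.36-1-amd64' -> (6, 1, 36); '6.5.0-rc1' -> (6, 5, 0); returns None if the
    string does not start with a version number.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def stackrot_status(release: str) -> str:
    """Classify a kernel release for CVE-2023-3269 purely by upstream version number.

    Returns one of 'not_affected', 'fixed', 'vulnerable' or 'unsupported_series'
    (the last one for series such as 6.2.x that went end-of-life before the fix).
    """
    v = parse_release(release)
    if v is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    if v < FIRST_AFFECTED:
        return "not_affected"
    if v >= FIRST_FIXED_MAINLINE:
        return "fixed"
    fixed = FIXED_STABLE.get(v[:2])
    if fixed is None:
        return "unsupported_series"
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(rel, "->", stackrot_status(rel))
```

Treat `unsupported_series` as "upgrade to a maintained series": no fix will ever be published for it. For distribution kernels, the authoritative check is the distribution's own changelog or `rpm -q --changelog` / `apt changelog` entry that names the CVE, not the upstream number.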
Firefox 115 and Thunderbird 102.13 seal security leaks
The Mozilla Foundation has released Firefox 115, Firefox ESR 115 and Thunderbird 102.13. The new versions close numerous security gaps.
More information can be found at Firefox 115 and Thunderbird 102.13 seal security leaks | heise online.
Version check
As some of the closed gaps are classified as high risk, Firefox users should make sure they are running the latest version; otherwise they risk picking up malware when visiting a manipulated website.
iOS 16.5.1 & Co: Apple fixes zero-day vulnerabilities in all systems
The serious vulnerabilities were apparently exploited to infiltrate surveillance tools on Apple hardware. Patches are also available for older hardware.
Apple is on a major update spree: fresh versions of the respective operating systems are available for iPhones, iPads, Macs and Apple Watches, including older devices, and they fix serious security vulnerabilities. The company recommends that all users install them, stating that the vulnerabilities "may be actively exploited for attacks".
Serious bugs in kernel and WebKit
The bugs in the kernel and the WebKit browser engine, which allow malicious code to be injected and devices to be completely taken over, were discovered and reported by security researchers from Kaspersky, among others. The sophisticated TriangleDB spyware, new details of which were published on Wednesday, was apparently installed through them. The attacks using the kernel vulnerability targeted iOS versions older than 15.7, Apple explains.
iOS 16.5.1 and iPadOS 16.5.1 are available for newer iPhones (from iPhone 8) and iPads. Apple has released iOS 15.7.7 and iPadOS 15.7.7 at the same time; the updates are intended for hardware that cannot be updated to iOS 16 - including the iPhone 6s and iPhone 7 model series, which are now eight and seven years old respectively. There are also patched versions of the operating system for MacBooks and desktop Macs in the form of macOS 13.4.1 Ventura, macOS 12.6.7 Monterey and macOS 11.7.8 Big Sur. The watchOS kernel also receives the bug fix, both with watchOS version 9.5.2 and with watchOS 8.8.1. The latter also covers the Apple Watch Series 3, which is no longer sold by Apple.
Found on iOS 16.5.1 & Co: Apple fixes zero-day vulnerabilities in all systems | heise online
Call: Updates already available, install as soon as possible!
Microsoft: Problems with Outlook
Microsoft confirms the strange behavior of Outlook and is working on a patch for the problem. In the meantime, there is a workaround.
Microsoft is currently working on a known Outlook problem that causes the email client to freeze or crash for some users. To users it also looks as if the program wants to synchronize an offline Outlook data file (OST) after startup. According to Microsoft, however, this is not the case: no corresponding entries are created that could be associated with it.
In some cases, Outlook simply reopens as soon as it is closed via the button in the title bar. On systems with airplane mode enabled, Outlook sometimes does not start at all; instead the message appears: "Microsoft Outlook cannot be started. The Outlook window cannot be opened. The folder set cannot be opened. The attempt to log in to Microsoft Exchange has failed."
Workaround possible
Microsoft is currently working on a patch. According to the manufacturer, the problem occurs because the program has trouble recognizing the default state of the cache. In the meantime there are workarounds, but they require editing the registry or some configuration work. For example, customers can set the registry value RestUpdatesForCalendar to 1 under the key
"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\Calendar".
Kaiserslautern University of Applied Sciences - Cyber attack!
Further information can be found at hs-kl-offline.de or:
Dear students and staff of Kaiserslautern University of Applied Sciences,
Unfortunately, our IT infrastructure has been affected by a hacker attack. Therefore, the entire IT infrastructure of the university is currently unavailable. This also includes e-mail communication and all accesses for which you need your university login (also from home).
Therefore, the central service facilities, such as the library, the computer pools, the student secretariat, etc. will remain closed for the time being.
Please understand that we are unable to publish any further information at this time!
We will keep you up to date on this page.
Yours sincerely,
Your university management
Attackers gain access - Microsoft Patchday!
As attackers are currently gaining system rights under Windows, Microsoft is closing several critical malicious code gaps in Windows, among other things. Attacks are already underway and more could be imminent.
Important security updates have been released for Microsoft Office, Edge, Teams and Windows, among others. In many cases, attackers could execute malicious code on computers and compromise them completely. Several vulnerabilities are publicly known, and attackers are already exploiting a vulnerability in Windows.
Further information on heise at Microsoft Patchday: Attackers gain system rights under Windows | heise online
Patch now!
IMPORTANT INFORMATION:
Malware "Emotet" returns - OneNote email attachment!
The sophisticated Emotet malware is active again. It is finding its way into the email inboxes of potential victims in the form of malicious OneNote files.
The cyber gang behind the sophisticated malware is known for taking long breaks in between. Since the beginning of the month, however, the cyber criminals have been on the hunt for victims again. Around two weeks ago, IT security researchers at Cofense observed that Emotet was becoming active again. The emails appear to be replies to existing email threads, as has often been the case with Emotet. They mostly deal with finance and invoices.
At first, the malicious emails carried unencrypted ZIP attachments: the ZIP files required no password to unpack and contained Office documents with malicious macros, which recipients nonetheless had to "enable content" for before the macros could run. Once launched, the macros downloaded the Emotet malware as a .dll file.
To get around such hurdles, Emotet's operators now rely on OneNote attachments. The OneNote file is simple but effective social engineering: it shows a fake notice that the document is protected and a "View" button. When victims double-click the button, the click passes through to an embedded script underneath, which is launched.
This script is heavily obfuscated and downloads the Emotet malware from the network, again as a .dll file, which is then launched with regsvr32.exe. Once running, the malware contacts its command-and-control servers and waits for instructions.
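The chain described above (OneNote launching an embedded script, the script downloading a DLL, regsvr32.exe loading it) is visible in process-creation telemetry. The following added Python example, which is not part of the heise or Cofense reporting, implements two detections over such events: OneNote spawning a script interpreter, and regsvr32.exe registering a DLL from a user-writable directory, with the second alert flagged as higher confidence when OneNote appears in the process ancestry. The event fields, the list of script hosts, the path fragments and the sample events are all my constructions (modelled on what a Sysmon event ID 1 record carries), not data from the campaign.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
import ntpath

# Interpreters the embedded "View" button script can be handed to (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "mshta.exe"}
# Lower-cased fragments of directories a standard user can write to (assumed list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record: the fields any EDR/Sysmon log provides."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    onenote_in_ancestry: bool


def _exe(path: str) -> str:
    return ntpath.basename(path).lower()


def _ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Executable names from the parent upwards, as far as we hold events for."""
    names, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        names.append(_exe(ev.image))
    return names


def _dll_args(cmdline: str) -> List[str]:
    """Lower-cased arguments ending in .dll; quoted arguments may contain spaces."""
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return [t.lower() for t in tokens if t.lower().endswith(".dll")]


def detect(events: List[ProcEvent]) -> List[Alert]:
    by_pid = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        via_onenote = "onenote.exe" in _ancestry(e.pid, by_pid)
        # Stage 1: OneNote itself spawning a script interpreter.
        if parent is not None and _exe(parent.image) == "onenote.exe" \
                and _exe(e.image) in SCRIPT_HOSTS:
            alerts.append(Alert("onenote_spawns_script_host", e.pid, via_onenote))
        # Stage 2: regsvr32 registering a DLL that lives in a user-writable directory.
        if _exe(e.image) == "regsvr32.exe" and any(
                frag in dll for dll in _dll_args(e.cmdline) for frag in USER_WRITABLE):
            alerts.append(Alert("regsvr32_dll_from_user_path", e.pid, via_onenote))
    return alerts


# Constructed sample telemetry (not real logs): the chain from the text, plus a benign
# installer registering a vendor DLL from System32 that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
              r'"ONENOTE.EXE" "C:\Users\alice\Downloads\Invoice_2023.one"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\view.wsf"'),
    ProcEvent(400, 300, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\vx3k.dll"'),
    ProcEvent(500, 1, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i setup.msi"),
    ProcEvent(600, 500, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\vendor.dll"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The ancestry walk is what turns a noisy rule (regsvr32 with a DLL under a user profile is not rare on developer machines) into a usable one: the combination with an Office application in the parent chain is what the page's description of the attack actually implies. Extend `SCRIPT_HOSTS` and `USER_WRITABLE` to match your environment.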
Microsoft has already recognized the "OneNote gap", through which malware can be infiltrated more easily than with Office macros, for example. The company is now working on better protection against phishing using OneNote file attachments.
Emotet has been threatening users on the internet since 2018. The Trojan has numerous malicious functions. Once the malware has been launched, it can, for example, download further Trojans, embed itself deep in the network and install backdoors. To persuade victims to run the malware, the masterminds behind it usually use well-crafted fraudulent emails. They use spearphishing, for example, to obtain internal information that makes the emails more credible.
At the beginning of 2021, law enforcement officers struck a major blow against the infrastructure behind Emotet. After that, the malware initially went quiet, but it keeps reappearing on the scene at irregular intervals.
IMPORTANT INFORMATION:
SECURITY VULNERABILITY IN OUTLOOK
The German Federal Office for Information Security (BSI) warns of a serious vulnerability in Outlook (BSI message CSW no. 2023-214328-1032; CVE-2023-23397, CVSS score 9.8).
According to the warning, attackers can use a manipulated email to obtain the credentials of the targeted person. The attack takes place while the email is being processed by the client; no action by the recipient is necessary, which makes this vulnerability particularly dangerous.
All Outlook versions for Windows are affected. Further information can be found in the blog post on the manufacturer's website [MSRC2023b].
Microsoft has already released a patch for this vulnerability, which must be installed immediately. As part of our service agreements, we are now carrying out the necessary updates as quickly as possible on the systems we support, insofar as this is possible centrally.
However, the vulnerability primarily affects client systems and the MS Office software installed on them, which should normally update itself automatically. To be on the safe side, we recommend that you also trigger the Office updates manually on your workstations. Instructions can be found under Instructions-manually-triggering-MS-Office-Updates.pdf (computer-manufaktur.de). Please inform your users accordingly.
For other systems that are not managed by us, we recommend that you ensure that the relevant updates are installed as quickly as possible.
As always, we will be happy to answer any questions you may have.
Further information can be found under Active exploitation of a vulnerability in Microsoft Outlook (bund.de).
The most frequently leaked passwords in 2022 "1Qay2wsx3edc"
The city of Potsdam was hit by a brute-force attack, in which a program systematically tries known passwords and word-number combinations. It is time for public sector employees to look for secure passwords. The Hasso Plattner Institute (HPI) has compiled a list of how not to do it.
"123456" is the most popular password among Germans, or at least it is the most frequently compromised. The Hasso Plattner Institute (HPI) has compiled a list of the ten most frequently leaked passwords in 2022.
This list is based on the HPI Identity Leak Checker database, in which the HPI regularly records email accounts that have been published somewhere on the Internet together with a password. This year, the Leak Checker administrators have added around 300 data leaks to the portal. Users can enter their e-mail address on the Leak Checker website and check whether it appears in a leak. There is a separate contact point for companies.
HPI has ranked the passwords that appear most frequently. Different versions of the digit sequence from "1" to "9" are very popular. Third place went to "1Qay2wsx3edc", which is nothing more than the first three columns of a German keyboard typed top to bottom (on a US layout the same walk yields "1Qaz2wsx3edc"). In sixth place comes "qwerty" and in seventh place the classic "fuck". Both "password" and its German spelling "passwort" (fifth and ninth place) also made it into the ranking.
"The theft and trade in personal data has long been a billion-dollar business," warns Professor Christoph Meinel, Managing Director of the Hasso Plattner Institute. "The lax use of passwords is dangerous," emphasizes the professor. With the ranking, the HPI wants to contribute to clarifying the topic of password security.
Source: "Behördenspiegel - January 2023"
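Keyboard walks like "1Qay2wsx3edc" or "qwerty" look random to a length-and-character-class policy but are among the first patterns a cracking wordlist covers. As an added example (not HPI's checker and not part of the RPTU guidelines), the following Python code models the physical key positions of the US QWERTY and German QWERTZ layouts and measures what fraction of a password consists of runs of physically adjacent keys; the layouts are approximations (only letters and digits, rows treated as aligned columns) and the 60 % threshold is an assumption you can tune.

```python
from typing import Dict, List, Tuple

# Rows of keys; the column index approximates the key's horizontal position.
# Only letters and digits are modelled; any other character breaks a walk.
QWERTY = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
QWERTZ = ("1234567890", "qwertzuiop", "asdfghjkl", "yxcvbnm")  # German layout: y and z swapped

Layout = Tuple[str, ...]
Coord = Tuple[int, int]


def _coords(layout: Layout) -> Dict[str, Coord]:
    return {ch: (r, c) for r, row in enumerate(layout) for c, ch in enumerate(row)}


def _adjacent(a: Coord, b: Coord) -> bool:
    """Neighbours are at most one row and one column apart and not the same key."""
    if a is None or b is None or a == b:
        return False
    return max(abs(a[0] - b[0]), abs(a[1] - b[1])) == 1


def walk_runs(password: str, layout: Layout = QWERTY, min_len: int = 3) -> List[str]:
    """Substrings of the (lower-cased) password that are runs of at least min_len
    physically adjacent keys, e.g. '1qaz' (a column) or 'qwert' (a row)."""
    pos = _coords(layout)
    chars = password.lower()
    runs: List[str] = []
    start = 0
    for i in range(1, len(chars) + 1):
        if i == len(chars) or not _adjacent(pos.get(chars[i - 1]), pos.get(chars[i])):
            if i - start >= min_len:
                runs.append(chars[start:i])
            start = i
    return runs


def walk_coverage(password: str, layout: Layout = QWERTY) -> float:
    """Fraction of the password's characters that belong to a keyboard walk."""
    if not password:
        return 0.0
    return sum(len(run) for run in walk_runs(password, layout)) / len(password)


def is_keyboard_walk(password: str, threshold: float = 0.6) -> bool:
    """True when, on either layout, at least `threshold` of the password is walks."""
    return max(walk_coverage(password, QWERTY), walk_coverage(password, QWERTZ)) >= threshold


if __name__ == "__main__":
    for candidate in ("1Qay2wsx3edc", "qwerty", "123456", "correct horse battery staple"):
        print(f"{candidate!r}: QWERTZ runs {walk_runs(candidate, QWERTZ)}, "
              f"walk? {is_keyboard_walk(candidate)}")
```

Checking both layouts matters for a German user base: "1Qay2wsx3edc" is a perfect column walk only on QWERTZ, while a QWERTY-only check would leave the "y" unexplained and under-score it. A check like this belongs next to, not instead of, a breached-password list such as the HPI Leak Checker.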
If you need help choosing a secure, suitable password to protect your RPTU account, please read the guidelines at:
Knowledge Base - What guidelines do I need to follow for my password? (uni-kl.de)
Grades and certificates freely accessible: we tested the IT security of universities and colleges
Universities are increasingly being attacked by criminal hackers. It's not just private data that is at risk, the entire operation can be paralyzed. But how do universities react to attacks? We put it to the test.
Read the article at Cybersecurity at universities and colleges is abysmal (riffreporter.de)
TODAY: Safer Internet Day 07.02.2023
Here's a little information security tip to increase awareness and sensitization:
Today is Safer Internet Day (SID)! Never heard of it? Okay, here's some information: SID is a global day of action for more online security. It takes place for the twentieth time (always in February) and focuses on a new topic every year as part of the international motto "Together for a better internet". In Germany, Safer Internet Day is coordinated by the EU initiative klicksafe and will be held in 2023 under the motto #OnlineAmLimit. This year, the focus is particularly on children and young people and the topic of "balanced media consumption".
If you need more information on this topic, you can browse and research various providers online. You will also find, for example, a little help on preventing cybercrime and suggestions on how to take action in the event of an attack.
Here is a small selection:
https://www.heise.de/news/Safer-Internet-Day-2023-Wann-ist-digitaler-Medienkonsum-zuviel-7483429.html
https://www.heise.de/ratgeber/Safer-Internet-Day-FAQ-Internetsicherheit-fuer-Kinder-und-Jugendliche-7333482.html
https://www.saferinternetday.org/
https://www.klicksafe.de/sid23
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2019/safer-internet-day-040219.html
Best regards and stay safe - SEC_RITY is not complete without U !!!
Vanessa Anefeld
Information Security Officer (ISB)
https://rptu.de/informationssicherheit
An HTML version with the complete contents can be found at:
https://rundmail.rptu.de/archive/item/63e24b5517156
IT security is a complex topic that is developing so quickly that even experts with a background in information technology find it difficult to keep up. The arrival of complex cloud infrastructure providers, the Industrial Internet of Things (IIOT), artificial intelligence and a massive increase in the networking of hardware, software and processes, coupled with data protection requirements, makes IT security an issue that can quickly consume a company's resources.
But what is the right level or the right amount of employee time, money and capacity that companies should make available in order to avoid being driven to ruin by a cyber attack tomorrow, while at the same time not burning every euro earned on IT security?
There is no universal answer to this question. However, a good approach is to focus on widespread and practically relevant threats. By way of introduction, the current IT threat situation is roughly described below.
Phishing
Phishing (a coinage derived from "fishing") is a form of social engineering and has caused the most damage to companies for years. Attackers use phishing to deceive users and trick them into disclosing sensitive information. The sophistication of phishing attacks has increased significantly in recent years: the content of phishing messages is now difficult to distinguish from genuine messages, and attackers also use modern communication services (Instagram, WhatsApp, etc.) to appear even more authentic.
Interfaces
Hardly any company can do without interfaces between the internal company network and mobile devices (laptops, tablets, smartphones, etc.). Even before the COVID-19 pandemic, around 39 percent of employees had the option of working from home, and field work is hardly possible without access to internal data. Such interfaces inevitably open up entry points for attackers; if they are not properly secured, the consequences can be serious. To make matters worse, a compromised employee device also threatens the internal network, which is a particular problem with BYOD ("Bring Your Own Device"). Both the interfaces and the end devices must therefore be secured.
Cloud security
The use of cloud solutions is steadily increasing. Almost 69% of companies were already using hybrid cloud solutions in 2019, and around 94% of digital workloads were expected to run in the cloud by 2021. This trend is understandable: the list of advantages includes, among many other points, core aspects such as scalability, flexibility and cost reduction. Unfortunately, the list of disadvantages and potential risks is also very long, and data protection requirements have to be taken into account as well. An unstructured move to the cloud can therefore end up costing more than it benefits.
Where can you find more information and keep up to date with security problems, especially acute attack scenarios?
- In addition to the BSI website described above, the Alliance for Cyber Security also provides information on current threats.
- The Initiative Wirtschaftsschutz provides information from federal security authorities and business and security associations on threat scenarios as well as practical recommendations for action to counter these threats.
- The Federal Office for the Protection of the Constitution provides information about current cyberattack campaigns against German commercial enterprises and explains state-controlled cyberattacks in its Cyber Brief.
Several cyber attacks have caused damage. In addition to a university and a hospital, an Austrian news agency has also been affected.
Over the past few days, there have been several cyber attacks on the IT systems of a university, a hospital and a news agency. Operations are continuing in each case, but in some cases with restrictions. The IT departments of the institutions are still investigating the incidents.
University of Duisburg-Essen
The University of Duisburg-Essen is currently offline following a cyber attack last weekend. According to the press office of the North Rhine-Westphalian university, the IT staff had to shut down the entire IT system in order to assess the damage. In addition to the MS Office suite, university employees currently also have to do without e-mail and telephony.
Those responsible are not yet able to estimate when the services will be available again. Students will continue to be taught in person, but will have to be patient with administrative questions relating to their studies.
The university is informing those affected about the progress of the restoration on its website. According to an initial analysis by the IT department, the attackers infiltrated the university network at the weekend and encrypted all the data they were able to get hold of. The university management responded to the inevitable ransom demand with a criminal complaint.
News agency APA
The Austrian news agency APA also received an unwanted visit to its network on Saturday. After detecting the attack, the "leading information service provider in Austria" managed to isolate the affected systems. This prevented any negative impact on its core business - the production and distribution of news.
The investigating authorities are also involved here. Forensic experts and security specialists are dealing with the incident.
Lippe Hospital
Lippe Hospital confirmed a similar incident at the beginning of last week. According to the hospital, there was a partial IT system failure following a massive hacker attack. All three locations in Detmold, Lemgo and Bad Salzuflen were affected. Internally, some IT systems are available again or processes have been reverted to their former analog form, for example for ordering meals. The care of patients in the hospital and of emergency patients remains guaranteed at all times.
Following the attack, the hospital's IT department is still working on reinstalling all systems. The hospital's sites can therefore only be reached by telephone and fax until further notice, as the facility reports on a status page.
In all three cases, there is still no (public) indication of who is responsible. However, the procedure and the confirmed effects point to one of the currently operating ransomware gangs.
Source: Cyber attacks: IT paralyzed at university, press agency and hospital | heise online
Ransomware: Lippe Hospital decrypts data after "intensive negotiations"
Following a massive cyberattack, Lippe Hospital has negotiated with the blackmailers and obtained the necessary data to decrypt the systems.
See also: Ransomware: Lippe Hospital decrypts data after "intensive negotiations" | heise online
Reports of cyber-attacks have emerged again and again in the recent past, particularly in the university and college environment. There are certainly some people here who would like to know more details about security incidents: How does something like this happen? What are the possible consequences? What measures need to be taken?
The IT security officer at Münster University of Applied Sciences has now given a presentation on the security incident in June 2022.
Here is the press release:
https://www.fh-muenster.de/hochschule/aktuelles/pressemitteilungen.php?madid=8960
And a link to the presentation as a video:
Exchange is currently only available to a limited extent - security problem
Due to a zero-day vulnerability in the Exchange mail system, we have blocked external access until further notice. See also: https://www.heise.de/news/Exchange-Server-Zero-Day-Bisheriger-Workaround-unzureichend-7283072.html
The Exchange mail system can therefore only be accessed internally or via VPN.
This will remain the case until Microsoft provides an update to close the gap.
If you have any questions, please contact hotline[at]rhrk.uni-kl.de
VPN setup instructions: https://www.rhrk.uni-kl.de/vpn/einrichtung
Users have been informed of the situation and the immediate measures via a separate circular email.
We have been informed that fraudsters are once again circulating adapted phishing e-mails, deliberately targeting RPTU with fake e-mails with fraudulent intent. To ensure that you all have the most relaxed and stress-free summer days possible, we ask you to be mindful and, despite the heat, to be careful when communicating by e-mail. Examples of what such an e-mail might look like can be found below.
Please forward suspicious e-mails by sending the phishing e-mails as an attachment (e.g. in Outlook: drag & drop the suspicious e-mail into a new e-mail) to the following address: antivirus[at]rhrk.uni-kl.de. Only in this way can the header information be evaluated and, if necessary, further measures such as the blocking of linked websites be taken by the RHRK.
Further information on the topic "How to recognize phishing e-mails" can be found on the website of the Federal Office for Information Security (BSI): https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Spam-Phishing-Co/Passwortdiebstahl-durch-Phishing/Wie-erkenne-ich-Phishing-in-E-Mails-und-auf-Webseiten/wie-erkenne-ich-phishing-in-e-mails-und-auf-webseiten_node.html
Do you still feel unsure whether you are acting correctly when dealing with phishing e-mails? Contact the ISB and ask about the "E-Mail & Phishing 2022" awareness and sensitization measure specially adapted to RPTU (currently offered in German only). In just under half an hour, the ISB and another expert from the data center will provide you with tailor-made training, after which you will know how to recognize phishing and what the dangers and defensive measures are, so that you can get through your day-to-day work more easily and safely again. After successful participation, you will receive a certificate of attendance. Dates on request from the Information Security Officer Ms. Vanessa Anefeld - see contact details below.
I wish you as little or no harassment from fraudsters as possible, but instead a great summer!
The ISB will be available again for further questions and problems from September 2022.
Kind regards,
Vanessa Anefeld - ISB / CISO
As communicated in the circular mail of 02.06.2022, there is a massive security vulnerability in Microsoft Office. Information such as a description and recommended security measures can still be found on the website of the Information Security Officers (ISB) at https://www.uni-kl.de/informationssicherheit/sicherheitswarnungen.
Good news: a protective measure has been implemented for all devices located in the central directory service of the RHRK (Active Directory/AD) and rolled out via group policy, so that these devices are now protected by the recommended workaround. It may only be necessary to restart (reboot) your device.
For all other devices that are not in an AD, the workaround must be implemented manually.
If you have any questions, users can contact their local IT support or RHRK support as well as the ISB, Ms. Anefeld.
An HTML version with the complete contents can be found at: https://rundmail.uni-kl.de/archive/item/6299ee6264235
Security level 3/Orange: The IT threat situation is business-critical. Massive impairment of regular operations.
Zero-day vulnerability in Microsoft Office allows malicious code to be smuggled in - see also: Zero-day gap in Microsoft Office enables code smuggling | heise online
Security researchers have discovered a Word document that downloads and executes malicious code from the Internet when opened. According to current knowledge, Office 2013, 2016, 2019, 2021, Office Pro Plus and Office 365 are affected. The vulnerability is exploited with a prepared Word file: using Word's remote template feature, the document fetches an HTML file from the Internet, and that file can invoke the Microsoft Support Diagnostic Tool (MSDT) via the ms-msdt URL protocol handler and execute PowerShell code. This allows attackers to install programs and to view, change or delete files.
The vulnerability has since been classified as critical (level 3 of 4) by both Microsoft (https://www.heise.de/news/Zero-Day-Luecke-Erste-Cybergangs-greifen-MSDT-Sicherheitsluecke-an-7128265.html) and the German Federal Office for Information Security (BSI). Detailed information: Follina vulnerability: Malicious code is infiltrated via Microsoft Office (bund.de)
Microsoft only published a security advisory on the problem today (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190), and it only describes the issue; it does not contain a fix.
There is still no official patch or update, but there is a workaround: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ The BSI likewise describes deactivating the MSDT URL protocol handler as the only protective measure until a security patch is made available.
Further information also here: Zero-day gap in MS Office: Microsoft gives recommendations | heise online
Please handle the information carefully. If you have any questions or problems, please contact your local IT support or RHRK support.
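Added example, not code from Microsoft, heise or the BSI and not RHRK tooling: a Python check for the two halves of the chain described above. It unpacks a .docx and lists every relationship that points to an http(s) URL, flags documents whose remote template or OLE object would be fetched silently on opening (plain hyperlinks are external too, but need a click and are ignored), and tests whether a fetched HTML template calls the ms-msdt: handler that the workaround removes. The .docx and the HTML snippets it inspects are constructed test data; the relationship type names are those of the OOXML package format.

```python
"""Follina (CVE-2022-30190) delivery-chain check for .docx files.

Added example for this page; the document and HTML below are constructed
test data, not samples from the wild.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship kinds that make Word fetch and process remote content on open
FETCH_ON_OPEN = {"attachedTemplate", "oleObject"}
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_references(docx_bytes: bytes) -> list:
    """Every (part, relationship kind, target) pointing to an http(s) URL.

    All *.rels parts are read, so the result does not depend on where the
    reference was planted (document.xml.rels, settings.xml.rels, ...).
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if re.match(r"https?://", target, re.IGNORECASE):
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((part, kind, target))
    return found


def looks_like_follina(docx_bytes: bytes) -> bool:
    """True if a template or OLE object is fetched over HTTP(S) when the file opens."""
    return any(kind in FETCH_ON_OPEN for _, kind, _ in external_references(docx_bytes))


def references_msdt_handler(html: str) -> bool:
    """True if fetched template content tries to invoke the ms-msdt: protocol handler.

    Percent-encoding is undone first so 'ms%2Dmsdt%3A' is not missed.
    """
    return MSDT_SCHEME.search(unquote(html)) is not None


def build_sample_docx(template_target=None) -> bytes:
    """Constructed minimal .docx: one hyperlink, optionally a remote attached template."""
    rels = [f'<Relationship Id="rId1" Type="{REL_BASE}styles" Target="styles.xml"/>',
            f'<Relationship Id="rId2" Type="{REL_BASE}hyperlink" '
            f'Target="https://www.bsi.bund.de/" TargetMode="External"/>']
    if template_target:
        rels.append(f'<Relationship Id="rId3" Type="{REL_BASE}attachedTemplate" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels_xml = (f'<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed address: TEST-NET-3, not a real host.
    doc = build_sample_docx("http://203.0.113.5/template.html")
    for part, kind, target in external_references(doc):
        print(f"{part}: {kind} -> {target}")
    print("fetches remote content on open:", looks_like_follina(doc))
    print("template calls ms-msdt:", references_msdt_handler(
        '<script>location.href = "ms-msdt:/id placeholder";</script>'))
```

The workaround referenced above is Microsoft's two-step registry change, run from an elevated prompt: `reg export HKEY_CLASSES_ROOT\ms-msdt msdt-backup.reg` to keep a copy, then `reg delete HKEY_CLASSES_ROOT\ms-msdt /f`; `reg import msdt-backup.reg` restores the handler once a patch is installed. Deleting the handler does not stop the document from fetching the template; it only stops the fetched page from reaching MSDT, which is why both checks above are worth running on suspicious attachments.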
A Russian hacker group known as the "Conti Gang" has been active with the "Conti" ransomware since 2020. What is striking and particularly dangerous is that it is partly unclear exactly how the software gets into companies. Furthermore, the criminal group offers its extortion attacks as a service (ransomware-as-a-service). It has been reported that common tactics such as man-in-the-middle attacks were also used, for example to manipulate account transactions in order to divert funds. Apparently, all Microsoft Windows versions are affected.
Further information and possible protective measures can be found via a web search for "Conti Ransomware Gang".
https://www-user.rhrk.uni-kl.de/~rundmail/2022/alle_4_14.html
With Easter just around the corner, scammers and phishing e-mails are booming again. To ensure that you all have as relaxed and stress-free a time as possible, we ask you to be careful when communicating by e-mail, even over the Easter holidays. There are currently a lot of fake e-mails circulating with fraudulent intent: for example, you may be urged to purchase "gift vouchers" or to click on links that install malware.
Please report suspicious emails by sending the phishing emails as an attachment (e.g. in Outlook: drag & drop the suspicious email into a new email) to the following address: antivirus[at]rhrk.uni-kl.de. This is the only way to analyze the header information and block the linked pages within the university network. Please note that the blocking initiated by the RHRK only applies within the university network, but not in your home network, i.e. not if you are working from home!
Further information on the topic "How to recognize phishing e-mails" can be found on the website of the Federal Office for Information Security (BSI): https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Spam-Phishing-Co/Passwortdiebstahl-durch-Phishing/Wie-erkenne-ich-Phishing-in-E-Mails-und-auf-Webseiten/wie-erkenne-ich-phishing-in-e-mails-und-auf-webseiten_node.html
Unknown persons have carried out a cyber attack on Aschaffenburg University of Applied Sciences (TH Aschaffenburg), as the university has just announced on its website. The Internet connection was cut yesterday after IT security found evidence of the attack. The origin of the attack is unknown.
Further information can be found on the internet, including on the TH Aschaffenburg homepage.
TH Aschaffenburg is not the first university to be hit by hackers. Back in November 2021, there was a cyber attack on Nuremberg Institute of Technology; it took three weeks to restore its IT. Before that, there had been hacker attacks on Düsseldorf University Hospital, TU Berlin and the University of Giessen.
In the last few days, some RPTU employees have received e-mails whose senders purport to be known persons at RPTU (e.g. from the university management). The recipients are asked to contact the sender. No specific reason is given; it is merely implied that the matter is important (e.g. "please treat discreetly").
At least in the current e-mails, the justification given is that contact can only be made by e-mail (e.g. "I'm on my way to a meeting").
According to the information available, fraudsters use this method to get the person contacted to reply to the e-mail. In the next step, the fraudster replies with something like "I am at a conference at the moment and have to settle an invoice, please help me (time pressure), click here or send me an (Amazon) voucher" and, if the potential victim falls for it, scams money in this way. Please be careful and attentive.
If you receive such an e-mail, DO NOT RESPOND to it:
- Ask yourself whether it is realistic to receive this request from the alleged sender.
- If possible, check whether the actual reply address is an e-mail address at RPTU, i.e. ends in ".uni-kl.de".
- If in doubt, contact the sender by writing a NEW e-mail using an e-mail address you know at RPTU.
In general, you can send e-mails that seem suspicious to antivirus[at]rhrk.uni-kl.de. An RHRK employee will then look at the e-mail. Please send these e-mails as attachments, as we will then receive the e-mail in full, including the "header", which is important for the evaluation.
https://www-user.rhrk.uni-kl.de/~rundmail/2021/alle_12_13.html
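Added example, not RHRK tooling: the reply-address check from the list above, done on the message headers rather than by eye. effective_reply_address() reports where a reply will actually go (a Reply-To header takes precedence over the visible From), and check_reply_path() flags the patterns behind these mails: a visible sender outside the university domains, a Reply-To that silently redirects replies to an external address, and a display name that shows an internal address different from the real one. The internal domains uni-kl.de and rptu.de are taken from the addresses in this notice (an assumption; adjust INTERNAL_DOMAINS to the real list), and the three messages are constructed test data.

```python
"""Reply-path check for 'please contact me discreetly' mails.

Added example for this page; the messages below are constructed test data
and INTERNAL_DOMAINS is an assumption based on the addresses in the notice.
"""
from email import message_from_string, policy

INTERNAL_DOMAINS = ("uni-kl.de", "rptu.de")  # assumption: internal mail domains


def is_internal_address(addr: str) -> bool:
    """True for an internal domain or a subdomain of one (e.g. rhrk.uni-kl.de)."""
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def _addresses(msg, header):
    hdr = msg[header]
    return list(hdr.addresses) if hdr is not None else []


def effective_reply_address(raw: str) -> str:
    """Where a reply really goes: Reply-To wins over From when it is present."""
    msg = message_from_string(raw, policy=policy.default)
    for header in ("Reply-To", "From"):
        addrs = _addresses(msg, header)
        if addrs:
            return addrs[0].addr_spec.lower()
    return ""


def check_reply_path(raw: str) -> list:
    """Human-readable findings; an empty list means the headers look consistent."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    froms = _addresses(msg, "From")
    replies = _addresses(msg, "Reply-To")
    for a in froms:
        if not is_internal_address(a.addr_spec):
            findings.append(f"visible sender {a.addr_spec} is not an internal address")
        shown = a.display_name.lower()
        # Display name that itself looks like an address but for another domain
        if "@" in shown and shown.rsplit("@", 1)[-1].strip() != a.domain.lower():
            findings.append(f"display name shows {shown!r} but the real address is {a.addr_spec}")
    for r in replies:
        if not is_internal_address(r.addr_spec):
            findings.append(f"replies go to external address {r.addr_spec}")
        elif froms and r.domain.lower() != froms[0].domain.lower():
            findings.append(f"Reply-To domain {r.domain} differs from From domain {froms[0].domain}")
    return findings


# Constructed test messages (not real mails); only the headers matter here.
MAIL_EXTERNAL_SENDER = """\
From: "praesidium@uni-kl.de" <praesidium.rptu@mail.example.com>
To: employee@uni-kl.de
Subject: please treat discreetly
Date: Mon, 13 Dec 2021 09:14:00 +0100

I'm on my way to a meeting and can only be reached by e-mail. Please get back to me.
"""

MAIL_HIDDEN_REPLY_TO = """\
From: "A. Muster" <a.muster@uni-kl.de>
Reply-To: "A. Muster" <a.muster.office@example.net>
To: employee@uni-kl.de
Subject: Are you available?
Date: Mon, 13 Dec 2021 09:20:00 +0100

Quick question, please reply as soon as possible.
"""

MAIL_LEGIT = """\
From: "A. Muster" <a.muster@rhrk.uni-kl.de>
To: employee@uni-kl.de
Subject: Minutes of today's meeting
Date: Mon, 13 Dec 2021 10:00:00 +0100

Attached are the minutes.
"""

if __name__ == "__main__":
    for label, raw in (("external sender", MAIL_EXTERNAL_SENDER),
                       ("hidden reply-to", MAIL_HIDDEN_REPLY_TO),
                       ("legit", MAIL_LEGIT)):
        print(f"{label}: reply goes to {effective_reply_address(raw)}; {check_reply_path(raw)}")
```

This is exactly why the RHRK asks for the mail as an attachment: forwarding inline keeps only the body, while the attached original still carries From, Reply-To and the Received chain that checks like this one need.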
The Federal Office for Information Security (BSI) warns of a vulnerability with security level red / 4 / critical!
www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf
Affected is the Java logging library Apache Log4j, specifically CVE-2021-44228 [MIT2021] in Log4j versions 2.0 to 2.14.1, which may allow attackers to execute their own program code on the target system and thus compromise the server.
Please check to what extent your applications, processes and IT systems are affected by this and take the necessary measures recommended by the BSI immediately. It is to be expected that this vulnerability will be exploited, especially with the upcoming holidays.
Further information and help with implementing the measures can be obtained most quickly via the BSI link above (click on the heading "Security warning"), which takes you directly there.
Helpful links - in particular on whether the problem (still) exists - can be found at DFN-CERT:
Critical vulnerability in Apache Log4j affects Java applications (CVE-2021-44228) - DFN-CERT
and at the Karlsruhe Institute of Technology KIT:
https://www.cert.kit.edu/p/cve-2021-44228
Note: Please visit these pages regularly to follow the latest developments.
"Since the vectors through which this vulnerability can be exploited are very broad and full mitigations will take time to play out in large environments, we recommend that defenders watch for signs of subsequent exploitation rather than relying entirely on prevention."