End-of-Day report
Timeframe: Wednesday 15-12-2021 18:00 - Thursday 16-12-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
Large-scale phishing study shows who bites the bait more often
A large-scale phishing study involving 14,733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices.
https://www.bleepingcomputer.com/news/security/large-scale-phishing-study-shows-who-bites-the-bait-more-often/
Emotet starts dropping Cobalt Strike again for faster attacks
Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks.
https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobalt-strike-again-for-faster-attacks/
Hive ransomware enters big league with hundreds breached in four months
The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June.
https://www.bleepingcomputer.com/news/security/hive-ransomware-enters-big-league-with-hundreds-breached-in-four-months/
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works.
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
PseudoManuscrypt: a mass-scale spyware attack campaign
Kaspersky ICS CERT experts identified malware whose loader has some similarities to the Manuscrypt malware, which is part of the Lazarus APT group's arsenal.
https://securelist.com/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/105286/
'DarkWatchman' RAT Shows Evolution in Fileless Malware
The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access.
https://threatpost.com/darkwatchman-rat-evolution-fileless-malware/177091/
How the "Contact Forms" campaign tricks people, (Thu, Dec 16th)
"Contact Forms" is a campaign that uses a web site's contact form to email malicious links disguised as some sort of legal complaint.
https://isc.sans.edu/diary/rss/28142
Log4j vulnerability: first attacks with ransomware and by state actors
The attack attempts so far were probably mostly tests. But now it is getting serious. Cybercriminals and intelligence services are deliberately exploiting the vulnerability for their own purposes.
https://heise.de/-6296549
When is a Scrape a Breach?
A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car. It's not clear if the car was locked or not. Is this a data breach?
https://www.troyhunt.com/when-is-a-scrape-a-breach/
Warning: giesswein-outdoor.de is a fake shop!
At first glance, the website giesswein-outdoor.de looks very reputable. In fact, however, it is a fake shop that imitates the Austrian company Giesswein.
https://www.watchlist-internet.at/news/achtung-giesswein-outdoorde-ist-ein-fake-shop/
The dirty dozen of Latin America: From Amavaldo to Zumanek
The grand finale of our series dedicated to demystifying Latin American banking trojans.
https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/
Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware
New ransomware used in mid-November attack, ConnectWise was likely infection vector.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware
Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions
Check Point Research (CPR) spots a botnet variant that has stolen nearly half a million dollars' worth of cryptocurrency through a technique called 'crypto clipping'. The new variant, named Twizt and a descendant of Phorpiex, steals cryptocurrency during transactions by automatically substituting the intended wallet address with the threat actor's wallet address.
https://blog.checkpoint.com/2021/12/16/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/
Vulnerabilities
Lenovo laptops vulnerable to bug allowing admin privileges
Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges.
https://www.bleepingcomputer.com/news/security/lenovo-laptops-vulnerable-to-bug-allowing-admin-privileges/
Security updates for Thursday
Security updates have been issued by Debian (apache-log4j2 and mediawiki), Fedora (libmysofa, libolm, and vim), Oracle (httpd), Red Hat (go-toolset:rhel8), and Ubuntu (apache-log4j2 and mumble).
https://lwn.net/Articles/878844/
IBM Security Bulletins
https://www.ibm.com/blogs/psirt/
SSA-714170: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to SPPA-T3000
https://cert-portal.siemens.com/productcert/txt/ssa-714170.txt
TYPO3-PSA-2021-004: Statement on Recent log4j/log4shell Vulnerabilities (CVE-2021-44228)
https://typo3.org/security/advisory/typo3-psa-2021-004
TYPO3-PSA-2021-003: Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters
https://typo3.org/security/advisory/typo3-psa-2021-003
MediaWiki: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K21-1290