Daily summary - 16.12.2021

End-of-Day report

Timeframe: Wednesday 15-12-2021 18:00 - Thursday 16-12-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer


Large-scale phishing study shows who bites the bait more often

A large-scale phishing study involving 14,733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices.


Emotet starts dropping Cobalt Strike again for faster attacks

Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks.


Hive ransomware enters big league with hundreds breached in four months

The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June.


A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works.


PseudoManuscrypt: a mass-scale spyware attack campaign

Kaspersky ICS CERT experts identified malware whose loader has some similarities to the Manuscrypt malware, which is part of the Lazarus APT group's arsenal.


'DarkWatchman' RAT Shows Evolution in Fileless Malware

The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access.


How the "Contact Forms" campaign tricks people, (Thu, Dec 16th)

"Contact Forms" is a campaign that uses a web site's contact form to email malicious links disguised as some sort of legal complaint.


Log4j vulnerability: First attacks with ransomware and by state actors

The attack attempts seen so far were probably mostly tests. But now it is getting serious. Cybercriminals and intelligence services are deliberately using the vulnerability for their own purposes.


When is a Scrape a Breach?

A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car. It's not clear if the car was locked or not. Is this a data breach?


Warning: giesswein-outdoor.de is a fake shop!

The website giesswein-outdoor.de looks very reputable at first glance. In fact, however, it is a fake shop that imitates the Austrian company Giesswein.


The dirty dozen of Latin America: From Amavaldo to Zumanek

The grand finale of our series dedicated to demystifying Latin American banking trojans.


Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware

New ransomware used in mid-November attack, ConnectWise was likely infection vector.


Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions

Check Point Research (CPR) spots a botnet variant that has stolen nearly half a million dollars' worth of cryptocurrency through a technique called 'crypto clipping'. The new variant, named Twizt and a descendant of Phorpiex, steals cryptocurrency during transactions by automatically substituting the intended wallet address with the threat actor's wallet address.


Lenovo laptops vulnerable to bug allowing admin privileges

Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges.


Security updates for Thursday

Security updates have been issued by Debian (apache-log4j2 and mediawiki), Fedora (libmysofa, libolm, and vim), Oracle (httpd), Red Hat (go-toolset:rhel8), and Ubuntu (apache-log4j2 and mumble).


IBM Security Bulletins


SSA-714170: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to SPPA-T3000


TYPO3-PSA-2021-004: Statement on Recent log4j/log4shell Vulnerabilities (CVE-2021-44228)


TYPO3-PSA-2021-003: Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters


MediaWiki: Multiple vulnerabilities