Daily summary - 24.10.2022

End-of-Day report

Timeframe: Friday 21-10-2022 18:00 - Monday 24-10-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Thousands of GitHub repositories deliver fake PoC exploits with malware

Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware.

https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/


Typosquat campaign mimics 27 brands to push Windows, Android malware

A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware.

https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/


Crime: Parents cheated out of thousands of euros by WhatsApp scam

Police are warning about con artists who use a supposed emergency involving the victim's child to swindle parents out of their money.

https://www.golem.de/news/kriminalitaet-eltern-durch-whatsapp-betrug-um-tausende-euro-gebracht-2210-169155.html


Securing IoT devices against attacks that target critical infrastructure

South Staffordshire PLC, a company that supplies water to over one million customers in the United Kingdom, notified its customers in August of being a target of a criminal cyberattack. This incident highlights the sophisticated threats that critical industries face today.

https://www.microsoft.com/en-us/security/blog/2022/10/21/securing-iot-devices-against-attacks-that-target-critical-infrastructure/


rtfdump's Find Option, (Sat, Oct 22nd)

Due to the nature of the RTF language, malicious RTF files can be very obfuscated, to the point that my tool rtfdump.py and Philippe's tool rtfobj don't find embedded objects.

https://isc.sans.edu/diary/rss/29174


C2 Communications Through outlook.com, (Mon, Oct 24th)

Most malware implements communication with their C2 server over HTTP(S). Why? Just because it works! But there are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), ... Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails.

https://isc.sans.edu/diary/rss/29180


SCuBA M365 Security Baseline Assessment Tool

Developed by CISA, this assessment tool verifies that an M365 tenant's configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents.

https://github.com/cisagov/ScubaGear


Cisco ISE: Attackers could take control

Cisco warns that attackers could read and delete files in the Identity Services Engine. Taking control of the devices could be possible.

https://heise.de/-7317442


Used-car purchase: Settlement via an escrow company is fraud

Are you currently looking for a used car? Keep in mind: not every listing is legitimate. Criminals also use common sales platforms to place fraudulent bait offers. You can recognize a fraudulent offer by the communication and by the demand to transfer money to an escrow account.

https://www.watchlist-internet.at/news/gebrauchtwagen-kauf-abwicklung-ueber-treuhandunternehmen-ist-betrug/


How domain shadowing works

Cybercriminals use hard-to-find shadow domains for various illegal activities, including phishing and botnet operations.

https://www.zdnet.de/88404347/so-funktioniert-domain-shadowing/


AA22-294A: #StopRansomware: Daixin Team

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the "Daixin Team," a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.

https://us-cert.cisa.gov/ncas/alerts/aa22-294a


Treasure trove. Alive and well point-of-sale malware

Analysis of months-long MajikPOS and Treasure Hunter campaign that infected dozens of terminals.

https://blog.group-ib.com/majikpos_treasurehunter_malware


Attacking Very Weak RC4-Like Ciphers the Hard Way

RC4 is a popular encryption algorithm. The way it works is that a "Key Scheduling Algorithm" (KSA) takes your key and generates a 256-byte array, and then a "Pseudo-Random Generation Algorithm" (PRGA) uses that byte array to output an endless stream of bytes (the "key stream"), which look like random noise unless you know what the original byte array was.

https://research.checkpoint.com/2022/attacking-very-weak-rc4-like-ciphers-the-hard-way/


Uncovering Security Blind Spots in CNC Machines

Industry 4.0 has given rise to smart factories that have markedly improved machining processes, but it has also opened the doors for cybercriminals looking to abuse networked industrial equipment such as CNC machines. Our research investigates potential cyberthreats to CNC machines and how manufacturers can mitigate the associated risks.

https://www.trendmicro.com/en_us/research/22/j/uncovering-security-blind-spots-in-cnc-machines.html

Vulnerabilities

IBM Security Bulletins 2022-10-21 and 2022-10-22

IBM Cloud Pak for Watson, API Connect, IBM Cloud Pak for Multicloud Management, IBM MQ Appliance, IBM Voice Gateway, Infrastructure Automation, IBM Security Identity Manager.

https://www.ibm.com/blogs/psirt/


Security updates for Monday

Security updates have been issued by Debian (bluez, kernel, and lava), Fedora (ckeditor, drupal7, moby-engine, php-Smarty, and wavpack), Mageia (bind, e2fsprogs, epiphany, freerdp, kernel, kernel-linus, libconfuse, libosip2, ntfs-3g, perl-Image-ExifTool, and poppler), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-container, and thunderbird), Scientific Linux (firefox, java-1.8.0-openjdk, and java-11-openjdk), SUSE (bluez, firefox, kernel, and libxml2), and Ubuntu (linux-gcp).

https://lwn.net/Articles/912178/


Missing Authentication in ZKTeco ZEM/ZMM Web Interface

The ZKTeco time attendance device does not require authentication to use the web interface, exposing the database of employees and their credentials.

https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-003/