End-of-Day report
Timeframe: Friday 21-10-2022 18:00 - Monday 24-10-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Thousands of GitHub repositories deliver fake PoC exploits with malware
Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware.
https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/
Typosquat campaign mimics 27 brands to push Windows, Android malware
A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware.
https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/
Crime: Parents cheated out of thousands of euros by WhatsApp scam
The police are warning about con artists who rob parents of their money by claiming that their child is in an emergency.
https://www.golem.de/news/kriminalitaet-eltern-durch-whatsapp-betrug-um-tausende-euro-gebracht-2210-169155.html
Securing IoT devices against attacks that target critical infrastructure
South Staffordshire PLC, a company that supplies water to over one million customers in the United Kingdom, notified its customers in August of being a target of a criminal cyberattack. This incident highlights the sophisticated threats that critical industries face today.
https://www.microsoft.com/en-us/security/blog/2022/10/21/securing-iot-devices-against-attacks-that-target-critical-infrastructure/
rtfdump's Find Option, (Sat, Oct 22nd)
Due to the nature of the RTF language, malicious RTF files can be very obfuscated, to the point that my tool rtfdump.py and Philippe's tool rtfobj don't find embedded objects.
https://isc.sans.edu/diary/rss/29174
C2 Communications Through outlook.com, (Mon, Oct 24th)
Most malware implements communication with its C2 server over HTTP(S). Why? Just because it works! But there are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), ... Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails.
https://isc.sans.edu/diary/rss/29180
SCuBA M365 Security Baseline Assessment Tool
Developed by CISA, this assessment tool verifies that an M365 tenant's configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents.
https://github.com/cisagov/ScubaGear
Cisco ISE: Attackers could take control
Cisco warns that attackers could read and delete files in the Identity Services Engine. Taking control of the devices could be possible.
https://heise.de/-7317442
Used-car purchase: Settlement via an escrow company is fraud
Are you currently looking for a used car? Keep in mind: not every listing is legitimate. Criminals also use common sales platforms to place fraudulent bait offers. You can recognise a fraudulent offer by the communication and by the demand to transfer money to an escrow account.
https://www.watchlist-internet.at/news/gebrauchtwagen-kauf-abwicklung-ueber-treuhandunternehmen-ist-betrug/
How domain shadowing works
Cybercriminals use hard-to-detect shadow domains for various illegal activities, including phishing and botnet operations.
https://www.zdnet.de/88404347/so-funktioniert-domain-shadowing/
AA22-294A: #StopRansomware: Daixin Team
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the "Daixin Team," a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.
https://us-cert.cisa.gov/ncas/alerts/aa22-294a
Treasure trove: Alive and well point-of-sale malware
Analysis of months-long MajikPOS and Treasure Hunter campaign that infected dozens of terminals.
https://blog.group-ib.com/majikpos_treasurehunter_malware
Attacking Very Weak RC4-Like Ciphers the Hard Way
RC4 is a popular encryption algorithm. The way it works is that a "Key Scheduling Algorithm" (KSA) takes your key and generates a 256-byte array, and then a "Pseudo-Random Generation Algorithm" (PRGA) uses that byte array to output an endless stream of bytes (the "key stream"), which look like random noise unless you know what the original byte array was.
https://research.checkpoint.com/2022/attacking-very-weak-rc4-like-ciphers-the-hard-way/
Uncovering Security Blind Spots in CNC Machines
Industry 4.0 has given rise to smart factories that have markedly improved machining processes, but it has also opened the doors for cybercriminals looking to abuse networked industrial equipment such as CNC machines. Our research investigates potential cyberthreats to CNC machines and how manufacturers can mitigate the associated risks.
https://www.trendmicro.com/en_us/research/22/j/uncovering-security-blind-spots-in-cnc-machines.html
Vulnerabilities
IBM Security Bulletins 2022-10-21 and 2022-10-22
IBM Cloud Pak for Watson, API Connect, IBM Cloud Pak for Multicloud Management, IBM MQ Appliance, IBM Voice Gateway, Infrastructure Automation, IBM Security Identity Manager.
https://www.ibm.com/blogs/psirt/
Security updates for Monday
Security updates have been issued by Debian (bluez, kernel, and lava), Fedora (ckeditor, drupal7, moby-engine, php-Smarty, and wavpack), Mageia (bind, e2fsprogs, epiphany, freerdp, kernel, kernel-linus, libconfuse, libosip2, ntfs-3g, perl-Image-ExifTool, and poppler), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-container, and thunderbird), Scientific Linux (firefox, java-1.8.0-openjdk, and java-11-openjdk), SUSE (bluez, firefox, kernel, and libxml2), and Ubuntu (linux-gcp).
https://lwn.net/Articles/912178/
Missing Authentication in ZKTeco ZEM/ZMM Web Interface
The ZKTeco time attendance device does not require authentication to use the web interface, exposing the database of employees and their credentials.
https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-003/