End-of-Day report
Timeframe: Friday 18-11-2022 18:00 - Monday 21-11-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
New AxLocker ransomware encrypts files, then steals your Discord account
The new AXLocker ransomware family is not only encrypting victims' files and demanding a ransom payment but also stealing the Discord accounts of infected users.
https://www.bleepingcomputer.com/news/security/new-axlocker-ransomware-encrypts-files-then-steals-your-discord-account/
Apps with over 3 million installs leak Admin search API keys
Researchers discovered 1,550 mobile apps leaking Algolia API keys, risking the exposure of sensitive internal services and stored user information.
https://www.bleepingcomputer.com/news/security/apps-with-over-3-million-installs-leak-admin-search-api-keys/
Google releases 165 YARA rules to detect Cobalt Strike attacks
The Google Cloud Threat Intelligence team has open-sourced YARA Rules and a VirusTotal Collection of indicators of compromise (IOCs) to help defenders detect Cobalt Strike components in their networks.
https://www.bleepingcomputer.com/news/security/google-releases-165-yara-rules-to-detect-cobalt-strike-attacks/
McAfee Fake Antivirus Phishing Campaign is Back!, (Sat, Nov 19th)
Yesterday I received this email that my McAfee antivirus subscription is expired and that my computer is already infected with 5 viruses (how do they know?).
https://isc.sans.edu/diary/rss/29264
Vulnerable Code Snippets
YesWeHack present code snippets containing several different vulnerabilities to practice your code analysis. The code snippets are beginner friendly but suitable for all levels!
https://github.com/yeswehack/vulnerable-code-snippets
A Confused Deputy Vulnerability in AWS AppSync
We have identified a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync. This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts.
https://securitylabs.datadoghq.com/articles/appsync-vulnerability-disclosure/
5 free resources from the Cybersecurity and Infrastructure Security Agency (CISA)
To assist businesses in enhancing their security capabilities, CISA offers free cybersecurity products and services.
https://www.helpnetsecurity.com/2022/11/21/5-free-resources-cybersecurity-and-infrastructure-security-agency-cisa/
Fake SMS from Netflix threatens account suspension
A Netflix SMS is currently making the rounds. It says that you have not paid a bill and therefore threatens you with an account suspension. The SMS also contains a link. Do not click on the link; criminals steal your Netflix credentials.
https://www.watchlist-internet.at/news/gefaelschtes-sms-von-netflix-droht-mit-kontosperrung/
An AI Based Solution to Detecting the DoubleZero .NET Wiper
Unit 42 presents a machine learning model to predict maliciousness of .NET samples based on file structures, by analyzing the DoubleZero .NET wiper.
https://unit42.paloaltonetworks.com/doublezero-net-wiper/
Loss of reputation due to cyberattacks
The most feared damage from cyberattacks is financial damage as well as loss of reputation and customer trust. When implementing cybersecurity measures, however, the focus is on protecting business continuity, data and customers.
https://www.zdnet.de/88405082/reputationsverlust-durch-cyberangriffe/
Luna Moth: Success with callback phishing
The Luna Moth/Silent Ransom criminals captured hundreds of thousands of euros through callback phishing, as an analysis by Palo Alto Networks reveals.
https://www.zdnet.de/88405109/luna-moth-erfolg-mit-callback-phishing/
Vulnerabilities
Exploit released for actively abused ProxyNotShell Exchange bug
Proof-of-concept exploit code has been released online for two actively exploited and high-severity vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell.
https://www.bleepingcomputer.com/news/security/exploit-released-for-actively-abused-proxynotshell-exchange-bug/
New attacks use Windows security bypass zero-day to drop malware
New phishing attacks use a Windows zero-day vulnerability to drop the Qbot malware without displaying Mark of the Web security warnings.
https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-security-bypass-zero-day-to-drop-malware/
IBM Security Bulletins 2022-11-18
Power HMC, InfoSphere Information Server, IBM Operations Analytics, IBM i Access Client Solutions, IBM DataPower Gateway, IBM Tivoli, IBM Spectrum Protect Plus
https://www.ibm.com/blogs/psirt/
Security updates for Monday
Security updates have been issued by Debian (graphicsmagick and krb5), Fedora (dotnet6.0, js-jquery-ui, kubernetes, and xterm), Gentoo (php and postgresql), Mageia (php-pear-CAS, sysstat, varnish, vim, and x11-server), Red Hat (thunderbird), SUSE (389-ds, binutils, dpkg, firefox, frr, grub2, java-11-openjdk, java-17-openjdk, kernel, kubevirt stack, libpano, nodejs16, openjpeg, php7, php74, pixman, python-Twisted, python39, rubygem-loofah, sccache, sudo, thunderbird, tor, and tumbler), [...]
https://lwn.net/Articles/915623/
PoC Code Published for High-Severity macOS Sandbox Escape Vulnerability
A security researcher has published details and proof-of-concept (PoC) code for a macOS vulnerability that could be exploited to escape a sandbox and execute code within Terminal.
https://www.securityweek.com/poc-code-published-high-severity-macos-sandbox-escape-vulnerability
Typora fails to properly neutralize JavaScript code
https://jvn.jp/en/jp/JVN26044739/
MISP 2.4.165 released with many improvements, bugs fixed and security fixes.
https://www.misp-project.org/2022/11/21/MISP.2.4.165.released.html/
Miele: Vulnerability in ease2pay cloud service used by appWash
https://cert.vde.com/de/advisories/VDE-2022-052/