Tageszusammenfassung - 28.11.2022

End-of-Day report

Timeframe: Freitag 25-11-2022 18:00 - Montag 28-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer


Win32.Ransom.Conti / Crypto Logic Flaw

Conti ransomware FAILS to encrypt non PE files that have a ".exe" in the filename.


Bring Your Own Key - A Placebo?

BYOK was envisioned to reduce the risk of using a cloud service provider processing sensitive data, yet there are several deficiencies.


All You Need to Know About Emotet in 2022

For 6 months, the infamous Emotet botnet has shown almost no activity, and now its distributing malicious spam. Lets dive into details and discuss all you need to know about the notorious malware to combat it.


Hacking Smartwatches for Spear Phishing

In this article we explain how to hack into a SmartWatch and show a custom text message.


Exploiting an N-day vBulletin PHP Object Injection Vulnerability

vBulletin is one of the most popular proprietary forum solutions over the Internet. It is used by some major websites, and according to the BuildWith website, vBulletin currently ranks at the second place on the Forum Software Usage Distribution in the Top 1 Million Sites, with over 2.000 websites using it among the -top 1 million-.


Poking a mobile hotspot

Ive been playing with an Orbic Speed, a relatively outdated device that only speaks LTE Cat 4, but the towers I can see from here are, uh, not well provisioned so throughput really isnt a concern (and refurbs are $18, so). As usual Im pretty terrible at just buying devices and using them for their intended purpose, and in this case it has the irritating behaviour that if theres a power cut and the battery runs out it doesnt boot again when power returns, so heres what Ive learned so far.


Vorsicht vor gefälschtem FinanzOnline-E-Mail

-Sie erhalten einen Betrag- lautet der Betreff eines betrügerischen E-Mail, das angeblich von FinanzOnline kommt. Sie werden informiert, dass Sie eine Rückerstattung von 578,99 Euro erhalten. Um das Geld zu bekommen, müssen Sie auf den Link im E-Mail klicken. Vorsicht: Dieser führt auf eine gefälschte FinanzOnline-Seite. Kriminelle stehlen Ihre Daten.


Emotet Strikes Again - LNK File Leads to Domain Wide Ransomware

The intrusion began when a user double clicked a LNK file, which then executed encoded Powershell commands to download an Emotet DLL onto the computer. Once executed, Emotet setup a Registry Run Key to maintain persistence on the beachhead host.


LockBit Ransomware Being Mass-distributed With Similar Filenames

The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames.



Security updates for Monday

Security updates have been issued by Debian (chromium, commons-configuration2, graphicsmagick, heimdal, inetutils, ini4j, jackson-databind, and varnish), Fedora (drupal7-i18n, grub2, kubernetes, and python-slixmpp), Mageia (botan, golang, kernel, kernel-linus, radare2/rizin, and xterm), Red Hat (krb5, varnish, and varnish:6), SUSE (busybox, chromium, erlang, exiv2, firefox, freerdp, ganglia-web, java-1_8_0-openj9, nodejs12, nodejs14, opera, pixman, python3, sudo, tiff, and xen), [...]


Cisco ISE Vulnerabilities Can Be Chained in One-Click Exploit

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow remote attackers to inject arbitrary commands, bypass existing security protections, or perform cross-site scripting (XSS) attacks.


Google Projekt Zero legt Schwachstelle in Mali GPU offen, Millionen Android-Geräte betroffen

Google Sicherheitsforscher haben im Project Zero eine Schwachstelle (CVE-2022-33917) im Kerneltreiber der in vielen Android-Geräten mit ARM CPU verwendeten Mali GPU offen gelegt.


Security Bulletin: IBM Maximo Mobile is vulnerable to Information Disclosure (CVE-2022-41732)


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect App Connect Professional.


Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to arbitrary code execution due to X-Force 237819


MISP v2.4.166