Tageszusammenfassung - 22.03.2022

End-of-Day report

Timeframe: Montag 21-03-2022 18:00 - Dienstag 22-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner


Serpent malware campaign abuses Chocolatey Windows package manager

Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new Serpent backdoor malware on systems of French government agencies and large construction firms.


Conti Ransomware V. 3, Including Decryptor, Leaked

The latest is a fresher version of the ransomware pro-Ukraine researcher ContiLeaks already released, but it-s reportedly clunkier code. Pro-Ukraine security researcher @ContiLeaks yesterday uploaded a fresher version of Conti ransomware than they had previously released - specifically, the source code for Conti Ransomware V3.0 - to VirusTotal.


CryptoRom Crypto Scam Abusing iPhone Features to Target Mobile Users

Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been deceiving unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips.


Microsoft und Okta: Hacker-Gruppe Lapsus$ hat offenbar erneut zugeschlagen

Derzeit untersuchen Microsoft bei Azure DevOps und der Zugriffsmanagement-Dienstleister Okta unberechtigte Server-Zugriffe.


Ausgesperrt? Vorsicht vor unseriösen Schlüsseldiensten

Sie haben sich ausgesperrt und benötigen einen Schlüsseldienst, um wieder in Ihre Wohnung zu kommen? Bleiben Sie ruhig, recherchieren Sie sorgfältig und überprüfen Sie das Unternehmen genau! Bedenken Sie: Die ersten Google-Suchergebnisse sind nicht immer die besten. Im Gegenteil: Wie Erfahrungen und Analysen zeigen, sind viele beworbene Schlüsseldienste unseriös!


Sandworm: A tale of disruption told anew

[..] BlackEnergy, TeleBots, GreyEnergy, Industroyer, NotPetya, Exaramel, and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases, except the last four, the cybersecurity community discovered enough code similarities, shared command and control infrastructure, malware execution chains and other hints to attribute all the malware samples to one overarching group - Sandworm. Who is Sandworm?


FBI and FinCEN Release Advisory on AvosLocker Ransomware

The Federal Bureau of Investigation (FBI) and the Department of the Treasury-s Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware.


Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS

In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis.


Facestealer-Trojaner aus der Google Play Store-App Craftsart Cartoon Photo Tools klaut Facebook-Zugangsdaten

Sicherheitsforscher von Pradeo haben eine Android-App Craftsart Cartoon Photo Tools im Google Play Store entdeckt. Diese ist mit dem bekannten Facestealer-Trojaner verseucht und 100.000 Leute haben die App auf ihre Geräte gezogen.


Cobalt Strike: Overview - Part 7

This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods.


Detecting shadow credentials

This article is about my journey into tracing changes to the msDS-KeyCredentialLink attribute to verify if their origin is legitimate or a potential attack (aka. Shadow Credentials).


8 Tips for Securing Networks When Time Is Scarce

In light of increased cyber risk surrounding the Russia-Ukraine conflict, we-ve put together 8 tips that defenders can take right now to prepare.



Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Security risk: Moderately critical Vulnerability: Third-party libraries CVE IDs: CVE-2022-24775 Description: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.


Multiple Vulnerabilities in GARO Wallbox

1. Without Authentication(CVE-2021-45878) 2. Hard Coded Credentials for Tomcat Manager(CVE-2021-45877) 3. Unauthenticated Command Injection(CVE-2021-45876)


Kritische Sicherheitslücken in mehr als 200 HP-Drucker-Modellen

Zahlreiche HP-Drucker haben Sicherheitslücken, durch die Angreifer Schadcode einschleusen und ausführen könnten. Firmware-Updates schaffen Abhilfe.


Sophos schließt Sicherheitslücken in Unified Threat Management-Firmware

Eine neue Firmware-Version schließt unter anderem Sicherheitslücken, durch die angemeldete Nutzer Schadcode hätten ausführen können.


Cyclops-Blink-Botnet: Asus-Router im Fokus, Firmware-Updates verfügbar

Die Cybergang Sandworm hat ihr Cyclops-Blink-Botnet inzwischen auf Asus-Router angesetzt. Firmware-Updates sollen dem Befall vorbeugen.


Security updates for Tuesday

Security updates have been issued by Debian (apache2 and thunderbird), Fedora (abcm2ps, containerd, dotnet6.0, expat, ghc-cmark-gfm, moodle, openssl, and zabbix), Mageia (389-ds-base, apache, bind, chromium-browser-stable, nodejs-tar, python-django/python-asgiref, and stunnel), openSUSE (icingaweb2, lapack, SUSE:SLE-15-SP4:Update (security), and thunderbird), Oracle (openssl), Slackware (bind), SUSE (apache2, bind, glibc, kernel-firmware, lapack, net-snmp, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.13, linux-gcp, linux-hwe-5.13, linux-kvm, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-gcp-4.15, linux-kvm, linux-oracle, linux-snapdragon).


Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-23192)


Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty through could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID:


Security Bulletin: Apache Log4j vulnerability impacts IBM Watson Knowledge Catalog in Cloud Pak for Data (CVE-2021-44228)


Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2124)


Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0


Security Bulletin: Vulnerability in Apache Log4j affects DB2 Recovery Expert for Linux, Unix and Windows


Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0


Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-21282, CVE-2022-21296, CVE-2022-21299)


K31323265: OpenSSL vulnerability CVE-2022-0778


PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager


Delta Electronics DIAEnergie