End-of-Day report
Timeframe: Thursday 24-03-2022 18:00 - Friday 25-03-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
Phishing kits constantly evolve to evade security software
Modern phishing kits sold on cybercrime forums as off-the-shelf packages feature multiple and sophisticated detection avoidance and traffic filtering systems to ensure that internet security solutions won't mark them as a threat.
https://www.bleepingcomputer.com/news/security/phishing-kits-constantly-evolve-to-evade-security-software/
Malicious Microsoft Excel add-ins used to deliver RAT malware
Researchers report a new version of the JSSLoader remote access trojan being distributed via malicious Microsoft Excel add-ins.
https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/
Racing against the clock -- hitting a tiny kernel race window
This is a writeup of how I managed to hit the race on a normal Linux desktop kernel, with a hit rate somewhere around 30% if the proof of concept has been tuned for the specific machine.
https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting-tiny.html
XLSB Files: Because Binary is Stealthier Than XML, (Fri, Mar 25th)
In one of his last diaries, Brad mentioned an Excel sheet named with a .xlsb extension. Now, it was my turn to find one...
https://isc.sans.edu/diary/rss/28476
Linux malware threatens Windows
More and more malware is appearing that uses the Windows Subsystem for Linux (WSL) as an entry point. The danger is growing, security researchers warn.
https://heise.de/-6631700
Mining data from Cobalt Strike beacons
Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we've collected over 128,000 beacons from over 24,000 active Team Servers.
https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/
E-mails with accusations from the police are fake!
Have you also received an e-mail from the police or the Federal Criminal Police Office (Bundeskriminalamt) accusing you of child pornography, paedophilia and exhibitionism? The e-mail is fake and the accusations are fabricated. Do not reply, and it is best to delete the message.
https://www.watchlist-internet.at/news/e-mails-mit-anschuldigungen-der-polizei-sind-fake/
Crypto malware in patched wallets targeting Android and iOS devices
ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets.
https://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices/
Vulnerabilities
URL rendering trick enabled WhatsApp, Signal, iMessage phishing
A set of flaws affecting the world's leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, has allowed threat actors to create legitimate-looking phishing URLs for the past three years.
https://www.bleepingcomputer.com/news/security/url-rendering-trick-enabled-whatsapp-signal-imessage-phishing/
Western Digital closes root code-execution vulnerability in My Cloud network storage devices
There is an important security update for various NAS models from Western Digital.
https://heise.de/-6630582
Security updates for Friday
Security updates have been issued by Debian (tiff), Fedora (nicotine+ and openvpn), openSUSE (bind, libarchive, python3, and slirp4netns), Oracle (cyrus-sasl, httpd, httpd:2.4, and openssl), Red Hat (httpd and httpd:2.4), Scientific Linux (httpd), SUSE (bind, libarchive, python3, and slirp4netns), and Ubuntu (firefox).
https://lwn.net/Articles/889265/
ZDI-22-538: (0Day) Epic Games Launcher Link Following Denial-of-Service Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-538/
ZDI-22-537: (0Day) Epic Games Launcher Link Following Denial-of-Service Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-537/
ZDI-22-536: (0Day) Electronic Arts Origin Web Helper Service Link Following Privilege Escalation Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-536/
ZDI-22-541: (0Day) Array Networks MotionPro Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-541/
Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nimsh-cve-2022-22351-2/
Security Bulletin: IBM QRadar Network Security is affected by denial of service vulnerabilities in OpenSSL (CVE-2021-23840, CVE-2021-23841)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-security-is-affected-by-denial-of-service-vulnerabilities-in-openssl-cve-2021-23840-cve-2021-23841/
Security Bulletin: IBM QRadar Network Security is affected by an OpenSSL vulnerability (CVE-2021-3712)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-security-is-affected-by-an-openssl-vulnerability-cve-2021-3712/
Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-security-update-october-2021/
Atlassian Confluence: Vulnerability allows code execution
http://www.cert-bund.de/advisoryshort/CB-K22-0342