[CERT-daily] Tageszusammenfassung - 24.10.2022

Mon Oct 24 18:43:33 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 21-10-2022 18:00 − Montag 24-10-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Thousands of GitHub repositories deliver fake PoC exploits with malware ∗∗∗
---------------------------------------------
Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/


∗∗∗ Typosquat campaign mimics 27 brands to push Windows, Android malware ∗∗∗
---------------------------------------------
A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/


∗∗∗ Kriminalität: Eltern durch Whatsapp-Betrug um Tausende Euro gebracht ∗∗∗
---------------------------------------------
Die Polizei warnt vor Trickbetrügern, die mit einer angeblichen Notlage des Kindes Eltern um ihr Geld bringen.
---------------------------------------------
https://www.golem.de/news/kriminalitaet-eltern-durch-whatsapp-betrug-um-tausende-euro-gebracht-2210-169155.html


∗∗∗ Securing IoT devices against attacks that target critical infrastructure ∗∗∗
---------------------------------------------
South Staffordshire PLC, a company that supplies water to over one million customers in the United Kingdom, notified its customers in August of being a target of a criminal cyberattack. This incident highlights the sophisticated threats that critical industries face today.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/10/21/securing-iot-devices-against-attacks-that-target-critical-infrastructure/


∗∗∗ rtfdumps Find Option, (Sat, Oct 22nd) ∗∗∗
---------------------------------------------
Due to the nature of the RTF language, malicious RTF files can be very obfuscated. To the point that my tool rtfdump.py and Philippe's tool rtfobj don't find embedded objects.
---------------------------------------------
https://isc.sans.edu/diary/rss/29174


∗∗∗ C2 Communications Through outlook.com, (Mon, Oct 24th) ∗∗∗
---------------------------------------------
Most malware implements communication with their C2 server over HTTP(S). Why? Just because it works! But they are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), ... Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails.
---------------------------------------------
https://isc.sans.edu/diary/rss/29180


∗∗∗ SCuBA M365 Security Baseline Assessment Tool ∗∗∗
---------------------------------------------
Developed by CISA, this assessment tool verifies that an M365 tenant’s configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents.
---------------------------------------------
https://github.com/cisagov/ScubaGear


∗∗∗ Cisco ISE: Angreifer könnten Kontrolle übernehmen ∗∗∗
---------------------------------------------
Cisco warnt, dass Angreifer Dateien in der Identity Services Engine lesen und löschen könnten. Die Übernahme der Kontrolle über die Geräte könnte möglich sein.
---------------------------------------------
https://heise.de/-7317442


∗∗∗ Gebrauchtwagen-Kauf: Abwicklung über Treuhandunternehmen ist Betrug ∗∗∗
---------------------------------------------
Sie sind gerade auf der Suche nach einem Gebrauchtwagen? Bedenken Sie: Nicht jedes Inserat ist seriös. Auch Kriminelle nutzen gängige Verkaufsplattformen, um betrügerische Lockangebote zu platzieren. Ein betrügerisches Angebot erkennen Sie an der Kommunikation und der Forderung, Geld an ein Treuhandkonto zu überweisen.
---------------------------------------------
https://www.watchlist-internet.at/news/gebrauchtwagen-kauf-abwicklung-ueber-treuhandunternehmen-ist-betrug/


∗∗∗ So funktioniert Domain Shadowing ∗∗∗
---------------------------------------------
Cyberkriminelle nutzen schwer auffindbare Shadow Domains für verschiedene illegale Aktivitäten, einschließlich Phishing und Botnet-Operationen.
---------------------------------------------
https://www.zdnet.de/88404347/so-funktioniert-domain-shadowing/


∗∗∗ AA22-294A: #StopRansomware: Daixin Team ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa22-294a


∗∗∗ Treasure trove. Alive and well point-of-sale malware ∗∗∗
---------------------------------------------
Analysis of months-long MajikPOS and Treasure Hunter campaign that infected dozens of terminals.
---------------------------------------------
https://blog.group-ib.com/majikpos_treasurehunter_malware


∗∗∗ Attacking Very Weak RC4-Like Ciphers the Hard Way ∗∗∗
---------------------------------------------
RC4 is a popular encryption algorithm. The way it works is that a “Key Scheduling Algorithm” (KSA) takes your key and generates a 256-byte array, and then a “Pseudo-Random Generation Algorithm” (PRGA) uses that byte array to output an endless stream of bytes (the “key stream”), which look like random noise unless you know what the original byte array was.
---------------------------------------------
https://research.checkpoint.com/2022/attacking-very-weak-rc4-like-ciphers-the-hard-way/


∗∗∗ Uncovering Security Blind Spots in CNC Machines ∗∗∗
---------------------------------------------
Industry 4.0 has given rise to smart factories that have markedly improved machining processes, but it has also opened the doors for cybercriminals looking to abuse networked industrial equipment such as CNC machines. Our research investigates potential cyberthreats to CNC machines and how manufacturers can mitigate the associated risks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/j/uncovering-security-blind-spots-in-cnc-machines.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ IBM Security Bulletins 2022-10-21 and 2022-10-22 ∗∗∗
---------------------------------------------
IBM Cloud Pak for Watson, API Connect, IBM Cloud Pak for Multicloud Management, IBM MQ Appliance, IBM Voice Gateway, Infrastructure Automation, IBM Security Identity Manager.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bluez, kernel, and lava), Fedora (ckeditor, drupal7, moby-engine, php-Smarty, and wavpack), Mageia (bind, e2fsprogs, epiphany, freerdp, kernel, kernel-linus, libconfuse, libosip2, ntfs-3g, perl-Image-ExifTool, and poppler), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-container, and thunderbird), Scientific Linux (firefox, java-1.8.0-openjdk, and java-11-openjdk), SUSE (bluez, firefox, kernel, libxml2, and Ubuntu (linux-gcp).
---------------------------------------------
https://lwn.net/Articles/912178/


∗∗∗ Missing Authentication in ZKTeco ZEM/ZMM Web Interface ∗∗∗
---------------------------------------------
The ZKTeco time attendance device does not require authentication to use theweb interface, exposing the database of employees and their credentials.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-003/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily