[CERT-daily] Daily summary - 16.12.2021

Daily end-of-shift report team at cert.at
Thu Dec 16 18:25:44 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Wednesday 15-12-2021 18:00 - Thursday 16-12-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Large-scale phishing study shows who bites the bait more often ∗∗∗
---------------------------------------------
A large-scale phishing study involving 14,733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/large-scale-phishing-study-shows-who-bites-the-bait-more-often/


∗∗∗ Emotet starts dropping Cobalt Strike again for faster attacks ∗∗∗
---------------------------------------------
Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobalt-strike-again-for-faster-attacks/


∗∗∗ Hive ransomware enters big league with hundreds breached in four months ∗∗∗
---------------------------------------------
The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hive-ransomware-enters-big-league-with-hundreds-breached-in-four-months/


∗∗∗ A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution ∗∗∗
---------------------------------------------
Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html


∗∗∗ PseudoManuscrypt: a mass-scale spyware attack campaign ∗∗∗
---------------------------------------------
Kaspersky ICS CERT experts identified malware whose loader has some similarities to the Manuscrypt malware, which is part of the Lazarus APT group’s arsenal.
---------------------------------------------
https://securelist.com/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/105286/


∗∗∗ 'DarkWatchman' RAT Shows Evolution in Fileless Malware ∗∗∗
---------------------------------------------
The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access.
---------------------------------------------
https://threatpost.com/darkwatchman-rat-evolution-fileless-malware/177091/


∗∗∗ How the "Contact Forms" campaign tricks people, (Thu, Dec 16th) ∗∗∗
---------------------------------------------
"Contact Forms" is a campaign that uses a web site's contact form to email malicious links disguised as some sort of legal complaint.
---------------------------------------------
https://isc.sans.edu/diary/rss/28142


∗∗∗ Log4j vulnerability: First attacks with ransomware and by state actors ∗∗∗
---------------------------------------------
The attack attempts seen so far were probably mostly tests. Now it is getting serious: cybercriminals and intelligence services are deliberately exploiting the vulnerability for their own purposes.
---------------------------------------------
https://heise.de/-6296549


∗∗∗ When is a Scrape a Breach? ∗∗∗
---------------------------------------------
A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car. It's not clear if the car was locked or not. Is this a data breach?
---------------------------------------------
https://www.troyhunt.com/when-is-a-scrape-a-breach/


∗∗∗ Warning: giesswein-outdoor.de is a fake shop! ∗∗∗
---------------------------------------------
At first glance, the website giesswein-outdoor.de looks very reputable. In reality, however, it is a fake shop imitating the Austrian company Giesswein.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-giesswein-outdoorde-ist-ein-fake-shop/


∗∗∗ The dirty dozen of Latin America: From Amavaldo to Zumanek ∗∗∗
---------------------------------------------
The grand finale of our series dedicated to demystifying Latin American banking trojans.
---------------------------------------------
https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/


∗∗∗ Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware ∗∗∗
---------------------------------------------
New ransomware was used in a mid-November attack; ConnectWise was the likely infection vector.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware


∗∗∗ Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions ∗∗∗
---------------------------------------------
Check Point Research (CPR) spots a botnet variant that has stolen nearly half a million dollars’ worth of cryptocurrency through a technique called “crypto clipping”. The new variant, named Twizt and a descendant of Phorpiex, steals cryptocurrency during transactions by automatically substituting the intended wallet address with the threat actor’s wallet address.
---------------------------------------------
https://blog.checkpoint.com/2021/12/16/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Lenovo laptops vulnerable to bug allowing admin privileges ∗∗∗
---------------------------------------------
Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lenovo-laptops-vulnerable-to-bug-allowing-admin-privileges/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache-log4j2 and mediawiki), Fedora (libmysofa, libolm, and vim), Oracle (httpd), Red Hat (go-toolset:rhel8), and Ubuntu (apache-log4j2 and mumble).
---------------------------------------------
https://lwn.net/Articles/878844/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ SSA-714170: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to SPPA-T3000 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-714170.txt


∗∗∗ TYPO3-PSA-2021-004: Statement on Recent log4j/log4shell Vulnerabilities (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-psa-2021-004


∗∗∗ TYPO3-PSA-2021-003: Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-psa-2021-003


∗∗∗ MediaWiki: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1290

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily