[CERT-daily] Tageszusammenfassung - 28.11.2022

Mon Nov 28 18:11:04 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 25-11-2022 18:00 − Montag 28-11-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Win32.Ransom.Conti / Crypto Logic Flaw ∗∗∗
---------------------------------------------
Conti ransomware FAILS to encrypt non PE files that have a ".exe" in the filename.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022110044


∗∗∗ Bring Your Own Key — A Placebo? ∗∗∗
---------------------------------------------
BYOK was envisioned to reduce the risk of using a cloud service provider processing sensitive data, yet there are several deficiencies.
---------------------------------------------
https://www.darkreading.com/cloud/bring-your-own-key-a-placebo-


∗∗∗ All You Need to Know About Emotet in 2022 ∗∗∗
---------------------------------------------
For 6 months, the infamous Emotet botnet has shown almost no activity, and now its distributing malicious spam. Lets dive into details and discuss all you need to know about the notorious malware to combat it.
---------------------------------------------
https://thehackernews.com/2022/11/all-you-need-to-know-about-emotet-in.html


∗∗∗ Hacking Smartwatches for Spear Phishing ∗∗∗
---------------------------------------------
In this article we explain how to hack into a SmartWatch and show a custom text message.
---------------------------------------------
https://cybervelia.com/?p=1380


∗∗∗ Exploiting an N-day vBulletin PHP Object Injection Vulnerability ∗∗∗
---------------------------------------------
vBulletin is one of the most popular proprietary forum solutions over the Internet. It is used by some major websites, and according to the BuildWith website, vBulletin currently ranks at the second place on the Forum Software Usage Distribution in the Top 1 Million Sites, with over 2.000 websites using it among the “top 1 million”.
---------------------------------------------
https://karmainsecurity.com/exploiting-an-nday-vbulletin-php-object-injection


∗∗∗ Poking a mobile hotspot ∗∗∗
---------------------------------------------
Ive been playing with an Orbic Speed, a relatively outdated device that only speaks LTE Cat 4, but the towers I can see from here are, uh, not well provisioned so throughput really isnt a concern (and refurbs are $18, so). As usual Im pretty terrible at just buying devices and using them for their intended purpose, and in this case it has the irritating behaviour that if theres a power cut and the battery runs out it doesnt boot again when power returns, so heres what Ive learned so far.
---------------------------------------------
https://mjg59.dreamwidth.org/61725.html


∗∗∗ Vorsicht vor gefälschtem FinanzOnline-E-Mail ∗∗∗
---------------------------------------------
„Sie erhalten einen Betrag“ lautet der Betreff eines betrügerischen E-Mail, das angeblich von FinanzOnline kommt. Sie werden informiert, dass Sie eine Rückerstattung von 578,99 Euro erhalten. Um das Geld zu bekommen, müssen Sie auf den Link im E-Mail klicken. Vorsicht: Dieser führt auf eine gefälschte FinanzOnline-Seite. Kriminelle stehlen Ihre Daten.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschtem-finanzonline-e-mail/


∗∗∗ Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware ∗∗∗
---------------------------------------------
The intrusion began when a user double clicked a LNK file, which then executed encoded Powershell commands to download an Emotet DLL onto the computer. Once executed, Emotet setup a Registry Run Key to maintain persistence on the beachhead host.
---------------------------------------------
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/


∗∗∗ LockBit Ransomware Being Mass-distributed With Similar Filenames ∗∗∗
---------------------------------------------
The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames.
---------------------------------------------
https://asec.ahnlab.com/en/42890/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, commons-configuration2, graphicsmagick, heimdal, inetutils, ini4j, jackson-databind, and varnish), Fedora (drupal7-i18n, grub2, kubernetes, and python-slixmpp), Mageia (botan, golang, kernel, kernel-linus, radare2/rizin, and xterm), Red Hat (krb5, varnish, and varnish:6), SUSE (busybox, chromium, erlang, exiv2, firefox, freerdp, ganglia-web, java-1_8_0-openj9, nodejs12, nodejs14, opera, pixman, python3, sudo, tiff, and xen), [...]
---------------------------------------------
https://lwn.net/Articles/916135/


∗∗∗ Cisco ISE Vulnerabilities Can Be Chained in One-Click Exploit ∗∗∗
---------------------------------------------
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow remote attackers to inject arbitrary commands, bypass existing security protections, or perform cross-site scripting (XSS) attacks.
---------------------------------------------
https://www.securityweek.com/cisco-ise-vulnerabilities-can-be-chained-one-click-exploit


∗∗∗ Google Projekt Zero legt Schwachstelle in Mali GPU offen, Millionen Android-Geräte betroffen ∗∗∗
---------------------------------------------
Google Sicherheitsforscher haben im Project Zero eine Schwachstelle (CVE-2022-33917) im Kerneltreiber der in vielen Android-Geräten mit ARM CPU verwendeten Mali GPU offen gelegt.
---------------------------------------------
https://www.borncity.com/blog/2022/11/27/google-projekt-zero-legt-schwachstelle-in-mali-gpu-offen-millionen-android-gerte-betroffen/


∗∗∗ Security Bulletin: IBM Maximo Mobile is vulnerable to Information Disclosure (CVE-2022-41732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-mobile-is-vulnerable-to-information-disclosure-cve-2022-41732/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect App Connect Professional. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-app-connect-professional-3/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to arbitrary code execution due to X-Force 237819 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-operands-may-be-vulnerable-to-arbitrary-code-execution-due-to-x-force-237819/


∗∗∗ MISP v2.4.166 ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.166

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily