Cyber Security Weekly Briefing, 11 – 18 November

Telefónica Tech, 18 November 2022

Security updates for 35 Cisco vulnerabilities

Cisco has released a security update that addresses 35 vulnerabilities in Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD) and Firepower Management Center (FMC). Eight of the 35 vulnerabilities are of high criticality, the highest being CVE-2022-20946 and CVE-2022-20947 (both with a CVSS score of 8.6), which affect Cisco ASA and Cisco FTD products.

An unauthenticated attacker could exploit them to cause a denial-of-service (DoS) condition. Also noteworthy is CVE-2022-20927 (CVSS 7.7), which affects the same products and could likewise be used to cause a DoS condition.

Of the remaining bugs, 15 cross-site scripting (XSS) vulnerabilities in the Cisco FMC interface stand out. According to Cisco’s bulletin, there are no known active exploits against any of the newly patched vulnerabilities.


* * *

Large-scale Fangxiao campaign impersonating hundreds of companies

The Cyjax team has published research into a sophisticated large-scale campaign in which malicious actors allegedly created and used more than 42,000 web domains.

According to the researchers, the Fangxiao group was behind the campaign, whose modus operandi consisted of sending links via WhatsApp that redirected the user to a domain controlled by the attackers, where known companies were impersonated. More than 400 impersonated companies in the banking, retail, energy, travel, etc. sectors have been detected so far.

After completing an initial survey under the pretext of winning prizes, users are redirected again to other domains that are constantly changing, ending in the download of an application with the Triada trojan. In other cases, the fraudulent scheme redirects users to Amazon’s website via an affiliate link that results in a commission to whoever controls the final redirection.

Cases have also been detected where users are referred to a micro-payment SMS scam. Cyjax indicates that the campaign is aimed at users all over the world.


* * *

Mozilla fixes multiple vulnerabilities

Mozilla has released Firefox 107, which fixes a total of 19 vulnerabilities, nine of which Mozilla has categorised as high impact.

Most of these are memory-management bugs that could lead to program crashes; the remainder include bugs that could lead to information disclosure or to the suppression of browser notifications, which could be abused to carry out phishing attacks.

One example is CVE-2022-45407, in which loading a legitimate font file could trigger a crash, a flaw Mozilla classifies as a “potentially exploitable crash”. Another of the fixed vulnerabilities, CVE-2022-45404, is described as a “full screen notification bypass”.

It should be noted that these bugs have also been fixed in Mozilla Thunderbird with version 102.5.


* * *

New details on the latest Emotet campaign

Following the detection of new Emotet infections at the beginning of November, numerous researchers have analysed in detail the latest campaign carried out between 2 and 11 November.

As initially reported by Cryptolaemus researchers, one of the most notable changes in this email campaign compared to previous ones is that the malicious actors (TA542) instruct victims to copy the malicious Excel attachment to the Templates folder, where macro protection is not enabled.

In addition, new features have been detected in the Emotet binary, and Emotet has resumed delivering other malware families: it has been observed spreading new variants of the IcedID loader and Bumblebee.

According to the research published by Proofpoint, this campaign has attempted to deliver hundreds of thousands of emails every day with different lures and written in several languages, which has placed victims in Spain, Mexico, Greece, Brazil, the United States, the United Kingdom, Japan, Germany, Italy and France, among others.

Although no activity has been detected since the 11th, researchers consider it very likely that TA542 will soon distribute Emotet again, as its network is once more fully operational.


* * *

Qbot changes to misuse Windows 10 control panel

The security researcher known on Twitter as “proxylife” (@pr0xylife) has uncovered a phishing campaign involving the Qbot malware, also known as Qakbot, which has moved from exploiting a vulnerability in the Windows 7 calculator to exploiting a bug in the ‘control.exe’ executable of the Windows 10 control panel.

Qbot creates a malicious DLL with the same name and in the same folder as the legitimate DLL, so that Windows loads the malicious copy and the trojan is downloaded onto the victim’s computer.

This also helps it evade antivirus software, which will not flag as malicious a program launched from the Windows 10 control panel.

Once installed on the target computer, Qbot steals emails for use in further phishing campaigns and can also be used to download other malware, such as Brute Ratel or Cobalt Strike.
