[CERT-daily] Tageszusammenfassung - Montag 11-11-2013

Mon Nov 11 18:01:48 CET 2013

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 08-11-2013 18:00 − Montag 11-11-2013 18:00
Handler:     Matthias Fraidl
Co-Handler:  n/a

*** New IE Zero-Day found in Watering Hole Attack ***
---------------------------------------------
FireEye Labs has identified a new IE zero-day exploit hosted on a breached website based in the U.S. It´s a brand new IE zero-day that compromises anyone visiting a malicious website; classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.
---------------------------------------------
http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html


FOLLOW-UP:
*** Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method ***
---------------------------------------------
Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic Web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy.
---------------------------------------------
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html


*** No Patch Tuesday update for Microsoft zero-day vulnerability ***
---------------------------------------------
Microsoft is preparing eight fixes for next weeks upcoming Nov. 12 Patch Tuesday, but an update to a recently discovered zero-day vulnerability is not one of them.
---------------------------------------------
http://www.scmagazine.com/no-patch-tuesday-update-for-microsoft-zero-day-vulnerability/article/320227/


*** Case Study: Analyzing a WordPress Attack - Dissecting the webr00t cgi shell - Part I ***
---------------------------------------------
November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe request hit one of our honeypots.
---------------------------------------------
http://blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html


*** CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest ***
---------------------------------------------
The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks there is more to the emergence of this thread than initially discovered.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-emergence-connected-to-blackhole-exploit-kit-arrest/


*** October 2013 virus activity overview ***
---------------------------------------------
November 5, 2013 Mid-autumn 2013 was marked by an upsurge in the number of encryption Trojans: hundreds of users whose systems were compromised by encoders contacted Doctor Webs support service in October. Also discovered were new malicious programs for Android, which has long been targeted by intruders. Viruses Statistics collected in October by Dr.Web CureIt! indicate that the downloader Trojan.LoadMoney.1 tops the list of detected threats.
---------------------------------------------
http://news.drweb.com/show/?i=4052&lng=en&c=9


*** Supertrojaner BadBIOS: Unwahrscheinlich, aber möglich ***
---------------------------------------------
Der Sicherheitsforscher Dragos Ruiu behauptet, auf seinen Rechnern wüte ein im BIOS verankerter Supertrojaner, der auch ohne Netzanschluss kommuniziert. Es mehren sich skeptische Stimmen -  technisch unmöglich ist Malware wie BadBIOS jedoch nicht.
---------------------------------------------
http://www.heise.de/security/meldung/Supertrojaner-BadBIOS-Unwahrscheinlich-aber-moeglich-2043114.html


*** Hintergrund: ENISA-Empfehlungen zu Krypto-Verfahren ***
---------------------------------------------
Die oberste, europäische Sicherheitsbehörde, die ENISA gibt Empfehlungen zu Algorithmen und Schlüssellängen.
---------------------------------------------
http://www.heise.de/security/artikel/ENISA-Empfehlungen-zu-Krypto-Verfahren-2043356.html


*** Learn to Pentest SAP with Metasploit As ERP Attacks Go Mainstream ***
---------------------------------------------
This month, a security researcher disclosed that a version of the old banking Trojan 'Trojan.ibank' has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime. 
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2013/11/11/learn-to-pentest-sap-with-metasploit-as-erp-attacks-go-mainstream


*** Erweiterungen für Googles Webbrowser Chrome nur noch aus offiziellem Store ***
---------------------------------------------
Google will Windows-Anwender besser vor Malware schützen. Chrome-Versionen für andere Plattformen sind von der Maßnahme nicht betroffen.
---------------------------------------------
http://www.heise.de/security/meldung/Erweiterungen-fuer-Googles-Webbrowser-Chrome-nur-noch-aus-offiziellem-Store-2043614.html


*** Horde Groupware Web Mail Edition 5.1.2 - CSRF Vulnerability ***
---------------------------------------------
http://www.exploit-db.com/exploits/29519


*** Debian Security Advisory DSA-2793 libav ***
---------------------------------------------
http://www.debian.org/security/2013/dsa-2793


*** Redaxo 4.5 CMS Vulnerabilities ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110070


*** Bugtraq: Belkin WiFi NetCam video stream backdoor with unchangeable admin/admin credentials ***
---------------------------------------------
http://www.securityfocus.com/archive/1/529722


*** D-Link Router 2760N Multiple XSS ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2013110075


*** Security Bulletin: IBM WebSphere Portal vulnerable to URL Manipulation CVE-2013-5454 PM99205 ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_websphere_portal_vulnerable_to_url_manipulation_cve_2013_5454_pm99205?lang=en_us


*** Security Bulletin: Multiple vulnerabilities in Security AppScan Enterprise (CVE-2013-5453, CVE-2013-5450) ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_multiple_vulnerabilities_in_security_appscan_enterprise_cve_2013_5453_cve_2013_5450?lang=en_us