[CERT-daily] Tageszusammenfassung - Mittwoch 17-12-2014

Wed Dec 17 18:27:54 CET 2014

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 16-12-2014 18:00 − Mittwoch 17-12-2014 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Schadcode nutzt Monate alte WordPress-Lücke aus ***
---------------------------------------------
Der Schädling namens SoakSoak hat hunderttausende Webseiten über das Plug-in Slider Revolution befallen und spioniert die Server aus. In einigen Fällen werden auch Besucher per Drive-By-Download infiziert.
---------------------------------------------
http://www.heise.de/security/meldung/Schadcode-nutzt-Monate-alte-WordPress-Luecke-aus-2498327.html


*** Firefox, IE11 zero-day bugs possibly targeted in SoakSoak WordPress malware attacks ***
---------------------------------------------
Attackers exploiting a bug in the Slider Revolution plugin to compromise WordPress websites with malware may also be targeting zero-day vulnerabilities in Firefox and Internet Explorer 11.
---------------------------------------------
http://www.scmagazine.com/firefox-ie11-zero-day-bugs-possibly-targeted-in-soaksoak-wordpress-malware-attacks/article/388681/


*** Some Memory Forensic with Forensic Suite (Volatility plugins), (Tue, Dec 16th) ***
---------------------------------------------
In previous diaries we have talked about memory forensics and how important it is. In this diary I will talk about a new volatility plugins called Forensic Suite written by Dave Lasalle. The suite has 14 plugins and they cover different area of memory forensics The Forensics Suite can be obtain from: http://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip . In this diary I will talk about some of the plugins Firefox history: To test this plugin first I browsed the...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19071&rss


*** URL flaw discovered for airline mobile boarding passes ***
---------------------------------------------
A URL flaw that impacts mobile boarding passes for airlines, such as Southwest and Delta, was discovered on Tuesday.
---------------------------------------------
http://www.scmagazine.com/url-flaw-discovered-for-airline-mobile-boarding-passes/article/388666/


*** Impact of Linux bug grinch spans servers, workstations, Android devices and more ***
---------------------------------------------
Alert Logic discovered the bug, which is susceptible to exploitation due to the default installation process used by Linux.
---------------------------------------------
http://www.scmagazine.com/impact-of-linux-bug-grinch-spans-servers-workstations-android-devices-and-more/article/388689/


*** Comparing OpenBSD with FreeBSD - securitywise ***
---------------------------------------------
OpenBSD and FreeBSD are both great OS that I admire and use. OpenBSD is considered more secure since it is its main goal, but FreeBSD can be tweaked to be pretty well hardened as well. Depending on the forums or to who we ask, we will have different opinions. But what are the facts? Which OS is more secure and why?
---------------------------------------------
http://networkfilter.blogspot.co.at/2014/12/security-openbsd-vs-freebsd.html


*** SSL Labs end of year 2014 updates ***
---------------------------------------------
>From the SSL/TLS perspective, 2014 was quite an eventful year. The best way to describe what we at SSL Labs did is we kept running to stay in the same place. What I mean by this is that we spent a lot of time reacting to high profile vulnerabilities: Hearbleed, the ChangeCipherSpec protocol issue in OpenSSL, POODLE (against SSL 3 in October and against TLS in December), and others. Ultimately, this has been a very successful year for us, with millions of assessments carried out.
---------------------------------------------
http://blog.ivanristic.com/2014/12/ssl-labs-end-of-year-updates.html


*** Top 5 malware attacks: 35 reused components ***
---------------------------------------------
CyActive identified the top five malware that returned the highest ROI for hackers with the least effort per dollar - achieved by recycling code and using the same methods from previous malware attack...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=2932


*** Protecting the underground electronic communications infrastructure ***
---------------------------------------------
ENISA has released a new report on the Protection of Underground Electronic Communications Infrastructure. This report - targeted at Member States (MS), public institutions, owners of underground comm...
---------------------------------------------
http://www.net-security.org/secworld.php?id=17763


*** The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire ***
---------------------------------------------
In this paper, we discuss an attacker model that accounts for the hijacking of network ownership information stored in Regional Internet Registry (RIR) databases. We show that such threats emerge from abandoned Internet resources (e.g., IP address blocks, AS numbers). When DNS names expire, attackers gain the opportunity to take resource ownership by re-registering domain names that are referenced by corresponding RIR database objects.
---------------------------------------------
http://arxiv.org/abs/1412.5052


*** How the FBI Unmasked Tor Users ***
---------------------------------------------
Kevin Poulson has a good article up on Wired about how the FBI used a Metasploit variant to identify Tor users....
---------------------------------------------
https://www.schneier.com/blog/archives/2014/12/how_the_fbi_unm.html


*** Fast Flux Networks Working and Detection, Part 1 ***
---------------------------------------------
Introduction In this series of articles, we will learn about a not-so-new type of attack, but one of the most difficult attacks to control. Yes, we will lean about the demon Fast Flux!! In this article, we will learn about what exactly Fast Flux is, types of Fast Flux, and [...]The post Fast Flux Networks Working and Detection, Part 1 appeared first on InfoSec Institute.
---------------------------------------------
http://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/


*** What's New in Exploit Kits in 2014 ***
---------------------------------------------
Around this time in 2013, the most commonly used exploit kit - the Blackhole Exploit Kit - was shut down after its creator, Paunch, was arrested by law enforcement. Since then, a variety of exploit kits has emerged and have been used by cybercriminals. The emergence of so many replacements has also meant that there...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/N44vwrIcGrM/


*** Researchers warn of new OphionLocker ransomware ***
---------------------------------------------
OphionLocker doesnt diverge much from previous ransomware schemes, although it does generate a unique hardware ID based on the first hard drives serial number, the motherboards serial number and other information.
---------------------------------------------
www.scmagazine.com/ophionlocker-discovered-in-the-wild-update-provided-on-torrentlocker/article/388699/


*** Certified pre-pw0ned Android Smartphones: Coolpad Firmware Backdoor, (Wed, Dec 17th) ***
---------------------------------------------
Researchers at Palo Alto found that many ROM images used for Android smart phones manufactured by Coolpad contain a backdoor, giving an attacker full control of the device. Palo Alto named the backdoor Coolreaper. With Android, it is very common for manufacturers to install additional applications. But these applications are installed on top of the Android operating system. In this case, Coolpad integrated additional functionality into the firmware of the device. This backdoor was then used by
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19075&rss


*** BSI-Sicherheitsbericht: Erfolgreiche Cyber-Attacke auf deutsches Stahlwerk ***
---------------------------------------------
Bei einem bislang unbekannten Angriff beschädigten die Angreifer einen Hochofen schwer. Doch neben den gezielten Angriffen auf Industrieanlagen bilanziert das BSI auch eine steigende Gefahr für Endanwender.
---------------------------------------------
http://www.heise.de/security/meldung/BSI-Sicherheitsbericht-Erfolgreiche-Cyber-Attacke-auf-deutsches-Stahlwerk-2498990.html


*** Meet FlashFlood, the lightweight script that causes websites to falter ***
---------------------------------------------
Bringing big database-driven sites to their knees just got a little easier.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/ir5Zy4m-thY/


*** iCloud-Daten: Forensik-Software verspricht umfangreichen Zugriff ***
---------------------------------------------
Die vermutlich auch für den iCloud-Promi-Hack genutzte Forensik-Software "Phone Breaker" erweitert die Möglichkeiten, bei Apples Cloud-Dienst gespeicherte Nutzerdaten auszulesen. Unterstützung zum Fremdzugriff auf iCloud Drive soll folgen.
---------------------------------------------
http://www.heise.de/security/meldung/iCloud-Daten-Forensik-Software-verspricht-umfangreichen-Zugriff-2499262.html


*** Cisco ISB8320-E High-Definition IP-Only DVR Remote Unauthenticated Access Vulnerability ***
---------------------------------------------
CVE-2014-8006
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8006


*** Symantec Web Gateway OS Authenticated Command Injection ***
---------------------------------------------
Revisions None Severity CVSS2Base ScoreImpactExploitabilityCVSS2 VectorSymantec Web Gateway Operating System Command Injection - Low...
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2014&suid=20141216_00


*** IBM Business Process Manager cross-site scripting ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98418

*** IBM WebSphere Process Server, IBM WebSphere Enterprise Service Bus, IBM Business Process Manager information disclosure ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/98488

*** IBM Business Process Manager security bypass ***
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/95724


*** HP Security Bulletins ***
---------------------------------------------
[security bulletin] HPSBMU03221 rev.1 - HP Connect-IT running SSLv3, Remote Disclosure of Information
---------------------------------------------
http://www.securityfocus.com/archive/1/534259

[security bulletin] HPSBMU03217 rev.1 - HP Vertica Analytics Platform running Bash Shell, Remote Code Execution
---------------------------------------------
http://www.securityfocus.com/archive/1/534262

[security bulletin] HPSBOV03226 rev.1 - HP TCP/IP Services for OpenVMS, BIND 9 Resolver, Multiple Remote Vulnerabilities
---------------------------------------------
http://www.securityfocus.com/archive/1/534261

[security bulletin] HPSBOV03225 rev.1 - HP OpenVMS running POP, Remote Denial of Service (DoS)
---------------------------------------------
http://www.securityfocus.com/archive/1/534260


*** Patches for Novell Products ***
---------------------------------------------
https://download.novell.com/Download?buildid=3dJODsdcDKE~
https://download.novell.com/Download?buildid=STisn28FRWs~
https://download.novell.com/Download?buildid=q4S96klvwhE~
https://download.novell.com/Download?buildid=Mh8CRo1Ljh8~
https://download.novell.com/Download?buildid=nlOmW2y333Q~
https://download.novell.com/Download?buildid=anuuh6CDWX8~


*** DSA-3105 heirloom-mailx - security update ***
---------------------------------------------
Two security vulnerabilities were discovered in Heirloom mailx, animplementation of the mail command:
---------------------------------------------
https://www.debian.org/security/2014/dsa-3105


*** DSA-3104 bsd-mailx - security update ***
---------------------------------------------
It was discovered that bsd-mailx, an implementation of the mailcommand, had an undocumented feature which treats syntactically validemail addresses as shell commands to execute.
---------------------------------------------
https://www.debian.org/security/2014/dsa-3104


*** SSA-134508 (Last Update 2014-12-16): Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC in TIA Portal ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-134508.pdf


*** iWifi For Chat 1.1 Denial Of Service ***
---------------------------------------------
Topic: iWifi For Chat 1.1 Denial Of Service Risk: Medium Text:Document Title: iWifi for Chat v1.1 iOS - Denial of Service Vulnerability References (Source): == http://w...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120110


*** iUSB 1.2 Arbitrary Code Execution ***
---------------------------------------------
Topic: iUSB 1.2 Arbitrary Code Execution Risk: High Text:Document Title: iUSB v1.2 iOS - Arbitrary Code Execution Vulnerability References (Source): == http://www....
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120109


*** Bugtraq: [REVIVE-SA-2014-002] Revive Adserver 3.0.6 and 3.1.0 fix multiple vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534264


*** Security Advisory-Multiple Vulnerabilities in Huawei eSpace Desktop Product ***
---------------------------------------------
Dec 17, 2014 16:09
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-406589.htm


*** Schneider Electric ProClima Command Injection Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for command injection vulnerabilities in Schneider Electrics ProClima software package.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-14-350-01


*** Bird Feeder <= 1.2.3 CSRF & XSS ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7727


*** DB Backup <= 4.5 - Path Traversal File Access ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7726