[CERT-daily] Tageszusammenfassung - Montag 9-03-2015

Mon Mar 9 18:22:46 CET 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 06-03-2015 18:00 − Montag 09-03-2015 18:00
Handler:     Stephan Richter
Co-Handler:  Alexander Riepl


*** Attackers concealing malicious macros in XML files ***
---------------------------------------------
XML files are harmless text files right? Wrong! The group behind the malicious Microsoft Office document campaigns have started to utilize Microsoft Office XML formats to hide malicious macros. This week, our spam traps were flooded with spam with XML...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-malicious-macros-in-XML-files/


*** Samba Remote Code Execution Vulnerability - CVE-2015-0240 ***
---------------------------------------------
The Samba team reported CVE-2015-0240 last February 23, 2015. This vulnerability is very difficult to exploit and we are not aware of successful exploitation. However, it is quite interesting from the point for view of detection. There are two important facts: The vulnerability resides in the Netlogon Remote Protocol implementation of Samba which is a...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/samba-remote-code-execution-vulnerability-cve-2015-0240/


*** How Malware Generates Mutex Names to Evade Detection, (Mon, Mar 9th) ***
---------------------------------------------
Malicious software sometimes uses mutex objects to avoid infecting the system more than once, as well as to coordinate communications among its multiple components on the host. Incident responders can look for known mutex names to spot the presence of malware on the system. To evade detection, some malware avoids using a hardcoded name for its mutex, as is the case with the specimen discussed in this note. Static Mutex Names as Indicators of Compromise For background details about mutex...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19429&rss


*** New crypto ransomware in town : CryptoFortress ***
---------------------------------------------
This post has been heavily edited to  fix my mistake.
---------------------------------------------
http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html


*** Seagate Confirms NAS Zero Day, Won't Patch Until May ***
---------------------------------------------
Seagate confirmed a publicly disclosed vulnerability in one of its network attached storage products, but said it wont have a patch available until May.
---------------------------------------------
http://threatpost.com/seagate-confirms-nas-zero-day-wont-patch-until-may/111513


*** OpenSSL Audit ***
---------------------------------------------
IntroductionThe reputation built by NCC Group, including iSEC Partners, Matasano Security, Intrepidus Group and NGS Secure, has led compani ...
---------------------------------------------
https://www.nccgroup.com/en/blog/2015/03/openssl-audit/


*** l+f: Vernetzte Wetterstation funkte WLAN-Passwort zum Hersteller ***
---------------------------------------------
Die Netatmo-Wetterstationen schickten nicht nur ihre Messwerte ins Netz, sondern auch SSID und WLAN-Passwort des Nutzers.
---------------------------------------------
http://heise.de/-2571218


*** Update - Notizen zu FREAK ***
---------------------------------------------
In den letzten Tagen gab es wieder einmal große mediale Aufmerksamkeit für eine Schwachstelle in OpenSSL und anderen Crypto-Libraries. Der Eintrag für die zugehörige CVE-ID CVE-2015-0204 besteht seit November letzten Jahres, aktualisierte Versionen von OpenSSL wurden heuer im Jänner veröffentlicht. | Update 2015-03-09 | Ergänzung: Auflistungen betroffener Bibliotheken/Anbieter finden sich auf...
---------------------------------------------
http://www.cert.at/services/blog/20150306175713-1442.html


*** Mono TLS vulnerabilities ***
---------------------------------------------
Topic: Mono TLS vulnerabilities Risk: Medium Text:Hi A TLS impersonation attack was discovered in Monos TLS stack by researchers at Inria. During checks on our TLS stack, w...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030042


*** IBM Security Bulletin: Multiple Vulnerabilities in the IBM Java SDK affect IBM Notes and Domino (Oracle January 2015 Critical Patch Update) ***
---------------------------------------------
2015-03-09T11:05:28-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21698222


*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204) ***
---------------------------------------------
2015-03-09T11:04:47-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21698574


*** IBM Security Bulletin: Vulnerability in SSLv3 Affects Power Hardware Management Console (CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568) ***
---------------------------------------------
2015-03-09T11:01:43-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1020593


*** IBM Security Bulletin: Vulnerability in SSLv3 enabled in IBM Host On-Demand affects Rational Functional Tester (CVE-2014-3566) ***
---------------------------------------------
2015-03-09T11:01:10-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21697348


*** IBM Security Bulletin: Fixes available for Security Vulnerabilities in IBM WebSphere Portal (CVE-2014-6214; CVE-2015-0139; CVE-2015-0177) ***
---------------------------------------------
2015-03-09T11:10:19-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21697213


*** HPSBUX03235 SSRT101750 rev.3 - HP-UX Running BIND, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04550240


*** Vulnerabilities in WordPress Pluins ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7826
https://wpvulndb.com/vulnerabilities/7827
https://wpvulndb.com/vulnerabilities/7828
https://wpvulndb.com/vulnerabilities/7829
https://wpvulndb.com/vulnerabilities/7830
https://wpvulndb.com/vulnerabilities/7831
https://wpvulndb.com/vulnerabilities/7832
https://wpvulndb.com/vulnerabilities/7833
https://wpvulndb.com/vulnerabilities/7834
https://wpvulndb.com/vulnerabilities/7835
https://wpvulndb.com/vulnerabilities/7836
https://wpvulndb.com/vulnerabilities/7837