[CERT-daily] Tageszusammenfassung - Donnerstag 5-11-2015

Thu Nov 5 18:16:40 CET 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 04-11-2015 18:00 − Donnerstag 05-11-2015 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** A Technical Look At Dyreza ***
---------------------------------------------
Inside the core of Dyreza - a look at its malicious functions and their implementation.Categories:  Malware AnalysisTags: dyrezamalware(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2015/11/a-technical-look-at-dyreza/


*** Malicious spam with links to CryptoWall 3.0 - Subject: Domain [name] Suspension Notice, (Thu, Nov 5th) ***
---------------------------------------------
Introduction Since Monday 2015-10-26, weve noticed a particular campaign sending malicious spam (malspam) with links to download CryptoWall 3.0 ransomware. This campaign has been impersonating domain registrars. Conrad Longmore blogged about it last week [1], and Techhelplist.com has a good write-up on the campaign [2]. Several other sources have also discussed this wave of malspam [3, 4, 5, 6, 7, 8 to name a few]. For this diary, well take a closer look at the emails and associated CryptoWall
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20333&rss


*** CryptoWall 4.0 Released with a New Look and Several New Features ***
---------------------------------------------
The fourth member of the CryptoWall family of ransomware, CryptoWall 4.0, has just been released, complete with new features and a brand new look. We recently reported that CryptoWall 3.0 has allegedly caused over $325 million in annual damages. CryptoWall first emerged in April 2014. Its first major upgrade was dubbed CryptoWall 2.0, and first emerged in October...
---------------------------------------------
http://securityaffairs.co/wordpress/41718/cyber-crime/cryptowall-4-0-released.html


*** SSL-Zertifikate: Microsoft will sich schon nächstes Jahr von SHA-1 trennen ***
---------------------------------------------
Die Firma überlegt ob der neuen Qualität von Angriffen auf den Hash-Algorithmus, diesen schon Mitte 2016 auf die verbotene Liste zu setzen. Google und Mozilla gehen ähnliche Wege.
---------------------------------------------
http://heise.de/-2880134


*** Mabouia: The first ransomware in the world targeting MAC OS X ***
---------------------------------------------
Rafael Salema Marques, a Brazilian researcher, published a PoC about the existence of Mabouia ransomware, the first ransomware that targets MAC OS X. Imagine this scenario: You received a ransom warning on your computer stating that all your personal files had been locked. In order to unlock the files, you would have to pay $500.
---------------------------------------------
http://securityaffairs.co/wordpress/41755/cyber-crime/mabouia-ransomware-mac-os-x.html


*** Meet the Android rooting adware that cannot be removed ***
---------------------------------------------
Researchers have identified a new strain of malicious adware that is impossible for affected Android device owners to uninstall.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/Prm6r3X3tzk/


*** No C&C server needed: Russia menaced by offline ransomware ***
---------------------------------------------
Harder to take down, nyet? Miscreants have cooked up a new strain of ransomware that works offline and so might be more resistant to law enforcement takedown efforts as a result.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/11/05/offline_ransomware_menaces_russia/


*** Thousands of legitimate iOS apps discovered containing ad library backdoors ***
---------------------------------------------
More than 2,000 iOS apps stocked in Apples legitimate App Store reportedly contained backdoored versions of an ad library, which could have allowed for surveillance without users knowledge.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/nxOb5Ac0sYo/


*** The Omnipresence of Ubiquiti Networks Devices on the Public Web ***
---------------------------------------------
There are ongoing in the wild attacks against Ubiquiti Networks devices. Attackers are using default credentials to gain access to the affected devices via SSH. The devices are infected by a botnet client that is able to infect other devices.Further information about these attacks is available at:Krebs on Security: http://krebsonsecurity.com/2015/06/crooks-use-hacked-routers-to-aid-cyberheists/Imperva/Incapsula Research: https://www.incapsula.com/blog/ddos-botnet-soho-router.htmlCARISIRT
---------------------------------------------
http://blog.sec-consult.com/2015/11/the-omnipresence-of-ubiquiti-networks.html


*** vBulletin Exploits in the Wild ***
---------------------------------------------
The vBulletin team patched a serious object injection vulnerability yesterday, that can lead to full command execution on any site running on an out-of-date vBulletin version. The patch supports the latest versions, from 5.1.4 to 5.1.9. The vulnerability is serious and easy to exploit; it was used to hack and deface the main vBulletin.com website. As aRead More The post vBulletin Exploits in the Wild appeared first on Sucuri Blog.
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/NNlPrHaDARs/vbulletin-exploits-in-the-wild.html


*** TalkTalk, Script Kids & The Quest for "OG" ***
---------------------------------------------
So youve got two-step authentication set up to harden the security of your email account (you do, right?). But when was the last time you took a good look at the security of your inboxs recovery email address? That may well be the weakest link in your email security chain, as evidenced by the following tale of a IT professional who saw two of his linked email accounts recently hijacked in a bid to steal his Twitter identity.Earlier this week, I heard from Chris Blake, a longtime KrebsOnSecurity...
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/im8m6Imwfsk/


*** Connecting the Dots in Cyber Threat Campaigns, Part 2: Passive DNS ***
---------------------------------------------
This is the second part of our series on "connecting the dots", where we investigate ways to link attacks together to gain a better understanding of how they are related. In Part 1, we looked...
---------------------------------------------
http://feedproxy.google.com/~r/PaloAltoNetworks/~3/7x_ynKHJKns/


*** Xen Project 4.5.2 Maintenance Release Available ***
---------------------------------------------
I am pleased to announce the release of Xen 4.5.2. Xen Project Maintenance releases are released roughly every 4 months, in line with our Maintenance Release Policy. We recommend that all users of the 4.5 stable series update to this point release.
---------------------------------------------
https://blog.xenproject.org/2015/11/05/xen-project-4-5-2-maintenance-release-available/


*** Open-Xchange Input Validation Flaw in Printing Dialogs Lets Remote Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1034018


*** Bugtraq: [KIS-2015-10] Piwik <= 2.14.3 (DisplayTopKeywords) PHP Object Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536839


*** Bugtraq: [KIS-2015-09] Piwik <= 2.14.3 (viewDataTable) Autoloaded File Inclusion Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/536838


*** MIT Kerberos Multiple Bugs Let Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1034084


*** [2015-11-05] Insecure default configuration in Ubiquiti Networks products ***
---------------------------------------------
Ubiquiti Networks products have remote administration enabled by default (WAN port). Additionally these products use the same certificates and private keys for administration via HTTPS.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20151105-0_Ubiquiti_Networks_Insecure_Default_Configuration_v10.txt


*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a guest VM to compromise ...
---------------------------------------------
http://support.citrix.com/article/CTX202404


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ is affected by multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 5, 6 & 7 ***
http://www.ibm.com/support/docview.wss?uid=swg21968485
---------------------------------------------
*** IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to Denial of Service Attack. (CVE-2014-0230) ***
http://www.ibm.com/support/docview.wss?uid=swg21970036
---------------------------------------------
*** IBM Security Bulletin: Openstack Nova vulnerability affects IBM Cloud Manager with OpenStack (CVE-2015-2687) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022691
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM DB2 LUW (CVE-2015-0204) ***
http://www.ibm.com/support/docview.wss?uid=swg21968869
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21969911
---------------------------------------------
*** PowerHA SystemMirror privilege escalation vulnerability (CVE-2015-5005) ***
http://www.ibm.com/support/
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow an authenticated user to change work orders that the user should not have access to change (CVE-2015-7395 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21969072
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in the Linux Kernel affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022785
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Python affect PowerKVM (CVE-2013-5123, CVE-2014-8991) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022786
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSLP affects PowerKVM (CVE-2015-5177) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022876
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Python-httplib2 affects PowerKVM (CVE-2013-2037) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022877
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in lcms affects PowerKVM (CVE-2015-4276) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022834
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Libcrypt++ affects PowerKVM (CVE-2015-2141) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022879
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in lighttpd affects PowerKVM (CVE-2015-3200) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022837
---------------------------------------------
*** IBM Security Bulletin:Vulnerabilities in wpa_supplicant may affect PowerKVM (CVE-2015-1863 and CVE-2015-4142) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022832
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libXfont affect PowerKVM (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022787
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Mozilla NSS affects PowerKVM (CVE-2015-2730) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022790
---------------------------------------------
*** IBM Security Bulletin: Information disclosure vulnerability could expose user personal data in IBM WebSphere Commerce (CVE-2015-5015) ***
http://www.ibm.com/support/docview.wss?uid=swg21969174
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager is affected by a vulnerability from FSM's use of strongswan: (CVE-2015-4171) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022817
---------------------------------------------
*** IBM Security Bulletin: IBM Netezza Host Management is vulnerable to a BIND 9 utility issue (CVE-2015-5722) ***
http://www.ibm.com/support/docview.wss?uid=swg21966952
---------------------------------------------