[CERT-daily] Tageszusammenfassung - Mittwoch 10-02-2016

Wed Feb 10 18:20:10 CET 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 09-02-2016 18:00 − Mittwoch 10-02-2016 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Fast Flux Bot Nets and Fluxer - Part 1 ***
---------------------------------------------
This time well start a two-parter on fast flux bot nets including the concept of domain generation algorithms.
---------------------------------------------
http://www.scmagazine.com/fast-flux-bot-nets-and-fluxer--part-1/article/473047/


*** DMA Locker Strikes Back ***
---------------------------------------------
A few days ago we published a post about a new ransomware - DMA Locker (read more here). At that time, it was using a pretty simple way of storing keys. Having the original sample was enough to recover files. Unfortunately, the latest version (discovered February 8th) comes with several improvements and RSA key. Let's...
---------------------------------------------
https://blog.malwarebytes.org/news/2016/02/dma-locker-strikes-back/


*** Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months ***
---------------------------------------------
Regen your keys ASAP Web hosting biz Linode broke the security in its customers virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/linode_ssh_security/


*** Skimmers Hijack ATM Network Cables ***
---------------------------------------------
If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.
---------------------------------------------
http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/


*** Patchday: Microsoft stopft 6 kritische Lücken, lässt alte Internet-Explorer-Versionen im Regen stehen ***
---------------------------------------------
Es ist wieder einmal Zeit zum Updaten für Microsoft-Anwender. Wer noch ältere Versionen des Internet Explorer im Einsatz hat, muss jetzt schleunigst handeln.
---------------------------------------------
http://heise.de/-3098499


*** The history of Cryptowall: a large scale cryptographic ransomware threat ***
---------------------------------------------
This tracker focusses on tracking the development changes in the CryptoWall ransomware, it does not attempt to track every single CryptoWall sample that exists. It simply exists to track the family in a more higher level fashion, a few samples will be listed next to specific versions just for reference rather than bulk collection. The timeline below shows the development track of CryptoWall when new versions were first seen. Below the timeline you will find an overview.
---------------------------------------------
https://www.cryptowalltracker.org/


*** Sparkle-Installer: Gatekeeper-Sicherung für Macs lässt sich umgehen ***
---------------------------------------------
Viele App-Entwickler für Mac nutzen das Sparkle-Framwork für praktische Auto-Updates - und machen damit zahlreiche Mac-Programme angreifbar. Betroffen sind nicht nur VLC und uTorrent.
---------------------------------------------
http://www.golem.de/news/man-in-the-middle-angriff-sparkle-installer-macht-viele-mac-apps-angreifbar-1602-119038-rss.html


*** Cracking Damn Insecure and Vulnerable App (DIVA) - part 5: ***
---------------------------------------------
In the first four articles, we have discussed solutions for the first eleven challenges in DIVA. In this last article of this series, we will discuss the remaining two challenges that are related to native code. In case if you missed the previous articles in this series, here are the links. http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable-apps-diva-part-1/ http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable-app-diva-part-2/
---------------------------------------------
http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable-app-diva-part-5/


*** Hijacking forgotten & misconfigured subdomains ***
---------------------------------------------
Its been a while since my last blog post, so I decided to release a new tool. I think that we need more articles about "DNS hacking", I hope that you will learn something new here.
---------------------------------------------
http://www.xexexe.cz/2016/02/hijacking-forgotten-misconfigured.html


*** Network forensic analysis tool NetworkMiner 2.0 released ***
---------------------------------------------
NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. ...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19421


*** MSRT February 2016 ***
---------------------------------------------
The February release of the Microsoft Malicious Software Removal Tool (MSRT) includes updated detections for the following malware families: Bladabindi Gamarue Sality Kelihos Diplugem The updates include detections for the latest variants from these malware families. There were no new malware families added to the MSRT this month. The MSRT works in tandem with real-time...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/02/09/msrt-february-2016/


*** MS16-FEB - Microsoft Security Bulletin Summary for February 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-FEB


*** Deception: Shine Bright Like a Diamond ***
---------------------------------------------
***German Summary: Projektpläne, Designs, Kundendaten: Die Kronjuwelen eines jeden Unternehmens gehören vor Cyberkriminellen unter allen Umständen versteckt - oder? Werfen Sie den Ködern aus, denn jetzt täuschen die Guten! Deception ("Täuschung") lautet der neue Cyber-Security-Ansatz, der nach Schätzungen des renommierten Marktforschungsunternehmens Gartner bereits 2018 in rund 10 % aller Unternehmen zum Einsatz kommen wird. Virtuelle Fallen...
---------------------------------------------
http://blog.sec-consult.com/2016/02/deception-shine-bright-like-diamond.html


*** Tollgrade SmartGrid Sensor Management System Software Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in Tollgrade Communications, Inc.'s SmartGrid LightHouse Sensor Management System (SMS) Software EMS.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-040-01


*** Bugtraq: Safebreach adsivory: Node.js HTTP Response Splitting (CVE-2016-2216) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537490


*** Bugtraq: ESA-2016-010 EMC Documentum xCP Security Update for Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537489


*** Bugtraq: dotDefender Firewall CSRF ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537491


*** [2016-02-10] Yeager CMS multiple vulnerabilities ***
---------------------------------------------
Yeager CMS suffers from multiple critical security issues including multiple SQL injections, arbitrary file upload, server-side request forgery and non-permanent cross-site scripting vulnerabilities. Unauthenticated attackers are able to compromise Yeager CMS in both application and database levels.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160210-0_Yeager_CMS_Multiple_Vulnerabilities_v10.txt


*** DFN-CERT-2016-0237: Horde Application Framework: Zwei Schwachstellen ermöglichen einen Cross-Site-Scripting-Angriff ***
---------------------------------------------
09.02.2016
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0237/


*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
---------------------------------------------
*** Cisco Prime Collaboration Provisioning Local Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160209-pcp
---------------------------------------------
*** Cisco Application Policy Infrastructure Controller Enterprise Module Web Framework Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160208-apic
---------------------------------------------
*** Cisco Video Communications Server Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160208-vcs
---------------------------------------------
*** Cisco Unified Products Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160208-ucm
---------------------------------------------
*** Cisco Unified Communications Manager Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-201600208-ucm
---------------------------------------------


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect Liberty for Java for IBM Bluemix January 2016 CPU (CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448) ***
http://www.ibm.com/support/docview.wss?uid=swg21976217
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Security SiteProtector System (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976042
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Manager (FSM) (CVE-2016-0777, CVE-2016-0778) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023319
---------------------------------------------
*** IBM Security Bulletin: IBM Pure Power Integrated Manager (PPIM) is affected by vulnerabilities in ntp (CVE-2014-9750, CVE-2014-9751) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023291
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Pure Power Integrated Manager (PPIM) (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023292
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects Watson Explorer (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974808
---------------------------------------------
*** IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2015-8380, CVE-2015-8382, CVE-2015-8391) ***
http://www.ibm.com/support/docview.wss?uid=swg21976124
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803) ***
http://www.ibm.com/support/docview.wss?uid=swg21971058
---------------------------------------------
*** IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-1819) ***
http://www.ibm.com/support/docview.wss?uid=swg21976393
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2014-8121) ***
http://www.ibm.com/support/docview.wss?uid=swg21976290
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Mobile (CVE-2015-2730) ***
http://www.ibm.com/support/docview.wss?uid=swg21976295
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by an OpenSSH vulnerability (CVE-2008-5161) ***
http://www.ibm.com/support/docview.wss?uid=swg21976082
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by multiple NTP vulnerabilities ***
http://www.ibm.com/support/docview.wss?uid=swg21975967
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM MQ Light (CVE-2015-3197) ***
http://www.ibm.com/support/docview.wss?uid=swg21976345
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVS-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21975832
---------------------------------------------
*** IBM Security Bulletin: A Security Vulnerability has been identified in Apache Solr shipped with IBM Operations Analytics - Log Analysis ***
http://www.ibm.com/support/docview.wss?uid=swg21975544
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in cURL and libcURL affect IBM Security Access Manager (CVE-2014-3613, CVE-2014-8150) ***
http://www.ibm.com/support/docview.wss?uid=swg21974736
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM MQ Light (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976341
---------------------------------------------