[CERT-daily] Daily summary - Thursday 7-07-2016

Daily end-of-shift report team at cert.at
Thu Jul 7 18:11:05 CEST 2016


=======================
= End-of-Shift report =
=======================

Timeframe:   Wednesday 06-07-2016 18:00 − Thursday 07-07-2016 18:00
Handler:     Robert Waldner
Co-Handler:  n/a



*** New Mac backdoor malware: Eleanor ***
---------------------------------------------
This new malware is only the second piece of true Mac malware spotted so far in 2016, with the first being the KeRanger ransomware.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/




*** CryptXXX ransomware updated, (Wed, Jul 6th) ***
---------------------------------------------
This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated. 
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21229&rss




*** [webapps] - OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities ***
---------------------------------------------
Several vulnerabilities were discovered between October 2015 and February 2016. The reported vulnerabilities are similar to those previously discovered by hyp3rlinx, although they concern different pages.
In brief, the flaws are of the following kinds: CSRF, XSS (reflected and stored), file upload and information disclosure. Most of the vulnerabilities require administrative access to the web application and may lead to personal information leakage or account takeover.
---------------------------------------------
https://www.exploit-db.com/exploits/40065




*** Realstatistics Malware Campaign Leads To Ransomware ***
---------------------------------------------
Our Incident Response Team (IRT) has been tracking a mass infection campaign over the last 2 weeks (codenamed 'Realstatistics'). This campaign has compromised thousands of websites built on the Joomla! and WordPress Content Management Systems (CMS). We have codenamed the campaign 'Realstatistics' after the domain used by the attackers.
---------------------------------------------
https://blog.sucuri.net/2016/07/joomla-wordpress-affected-by-realstatistics-infection-campaign-distributing-randsomware-malware.html




*** EMC Avamar Backup Restoration Flaw Lets Remote Authenticated Users Read and Delete Files on the Target System ***
---------------------------------------------
A vulnerability was reported in EMC Avamar. A remote authenticated user can exploit a flaw in the backup restoration component to read and delete files on the target system.
EMC Avamar Data Store and Avamar Virtual Edition are affected.
---------------------------------------------
http://www.securitytracker.com/id/1036235




*** Android's July security bulletin patches 20 critical flaws ***
---------------------------------------------
Google releases its Android security bulletin, providing updates for 89 critical- and high-severity vulnerabilities affecting software and hardware components including Mediaserver, OpenSSL, BoringSSL, Bluetooth, Qualcomm components, and numerous drivers.
---------------------------------------------
http://www.scmagazine.com/androids-july-security-bulletin-patches-20-critical-flaws/article/507919/




*** mimikittenz ***
---------------------------------------------
mimikittenz is a post-exploitation PowerShell tool that uses the Windows function ReadProcessMemory() to extract plain-text passwords from the memory of various target processes.
---------------------------------------------
https://github.com/putterpanda/mimikittenz




*** Acer Portal Android Application - MITM SSL Certificate Vulnerability (CVE-2016-5648) ***
---------------------------------------------
The Acer Portal Android application (version 3.9.3.2006 and below), installed by the manufacturer on all Acer branded Android devices, does not validate the SSL certificate it receives when connecting to the mobile application login server.
---------------------------------------------
http://www.securityfocus.com/archive/1/538851




*** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-26) ***
---------------------------------------------
A prenotification Security Advisory (APSB16-26) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, July 12, 2016.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1374




*** Insecure Unserialize in extension "Page path" (pagepath) ***
---------------------------------------------
It has been discovered that the extension "Page path" (pagepath) is susceptible to Insecure Unserialize.
---------------------------------------------
https://typo3.org/news/article/insecure-unserialize-in-extension-page-path-pagepath/




*** Cross-Site Scripting in extension "CCDebug" (cc_debug) ***
---------------------------------------------
It has been discovered that the extension "CCDebug" (cc_debug) is susceptible to Cross-Site Scripting.
---------------------------------------------
https://typo3.org/news/article/cross-site-scripting-in-extension-ccdebug-cc-debug/




*** ZDI-16-407: Eaton ELCSoft ELCSimulator Stack Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-407/




*** ZDI-16-406: Novell NetIQ Sentinel Server ReportViewServlet fileName Directory Traversal Information Disclosure Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to disclose arbitrary file contents on vulnerable installations of Novell NetIQ Sentinel Server. Authentication is required to exploit this vulnerability but it can be bypassed using a separate flaw within the LogonFormController.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-406/




*** Cisco Video Communication Server and Expressway Trusted Certificate Authentication Bypass Vulnerability ***
---------------------------------------------
A vulnerability in certificate management and validation for the Mobile and Remote Access (MRA) feature for Cisco Expressway Series and TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to bypass authentication and access internal HTTP system resources.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160706-vcs




*** Cisco AMP Threat Grid Unauthorized Clean IP Access Vulnerability ***
---------------------------------------------
A vulnerability in the virtual network stack of the Cisco AMP Threat Grid Appliance could allow an unauthenticated, remote attacker to access internal interfaces within the appliance.
The vulnerability is due to insufficient isolation between the sandbox and other internal components. An attacker could exploit this vulnerability by submitting a malware sample crafted to exploit this flaw. An exploit could allow the attacker to intercept interprocess calls and allow them to access, modify, and delete information from the system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160706-tg




*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Virtual Server Protection for VMware (CVE-2015-3195) ***
http://www.ibm.com/support/docview.wss?uid=swg21986312
---------------------------------------------
*** IBM Security Bulletin: IBM TRIRIGA Applications are vulnerable to a privilege escalation attack. (CVE-2016-2917) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984304
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Metrics Manager (CVE-2016-3427) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985522
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21984496
---------------------------------------------
*** IBM Security Bulletin: Multiple Samba vulnerability issues in IBM Storwize V7000 Unified ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005814
---------------------------------------------
*** IBM Security Bulletin: Multiple Samba vulnerability issues on IBM SONAS ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005813
---------------------------------------------
*** IBM Security Bulletin: Badlock Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2118) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005816
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2015-5252) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005810
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2015-7560) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005805
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in openldap2 affects IBM Flex System Chassis Management Module (CVE-2015-6908) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099421
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM UrbanCode Release (CVE-2015-5174) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000164
---------------------------------------------