[CERT-daily] Daily summary - Friday 15-07-2016

Daily end-of-shift report team at cert.at
Fri Jul 15 18:18:57 CEST 2016


=======================
= End-of-Shift report =
=======================

Timeframe:   Thursday 14-07-2016 18:00 - Friday 15-07-2016 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter




*** Ransomware: Locky now works offline too ***
---------------------------------------------
A new version of the Locky ransomware can now also encrypt computers that have no internet connection. The offline variant does have one small advantage for the victims.
---------------------------------------------
http://www.golem.de/news/erpressungstrojaner-locky-kann-jetzt-auch-offline-1607-122125-rss.html




*** Untangling Kovter's persistence methods ***
---------------------------------------------
Kovter is a click-fraud malware famous for the unconventional tricks it uses for persistence. It hides malicious modules in PowerShell scripts as well as in registry keys to make detection and analysis difficult. In this post we will take a deep dive into the techniques used by its latest samples to see all the elements and...
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/




*** Security Best Practices for Azure App Service Web Apps, Part 5 ***
---------------------------------------------
Microsoft's Azure App Service is a fully managed platform as a service for developers that provides features and frameworks to quickly and easily build apps for any platform and any device. Despite the ease of using Azure, developers need to keep security in mind because Azure will not take care of every aspect of security. In our first...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/azure-app-service-web-apps-security-best-practices-part-5/




*** Reverse engineering DUBNIUM - Stage 2 payload analysis ***
---------------------------------------------
Recently, we blogged about the basic functionality and features of the DUBNIUM advanced persistent threat (APT) activity group Stage 1 binary and Adobe Flash exploit used during the December 2015 incident (Part 1, Part 2). In this blog, we will go through the overall infection chain structure and the Stage 2 executable details. Stage 2 executables...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/




*** Oracle Critical Patch Update Pre-Release Announcement - July 2016 ***
---------------------------------------------
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2016, which will be released on Tuesday, July 19, 2016.
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html




*** Spyware: Maxthon browser sends critical data to China ***
---------------------------------------------
Researchers have discovered that the alternative browser Maxthon sends security-relevant user data to a server in Beijing. The data would be very well suited for targeted attacks. And it is only poorly protected against third parties.
---------------------------------------------
http://www.golem.de/news/spaehsoftware-maxthon-browser-sendet-sensible-daten-nach-china-1607-122138-rss.html




*** Control systems of power plants unprotected on the internet ***
---------------------------------------------
Journalists have found over 100 systems - controllers of power plants, private homes and industrial facilities - that are reachable on the internet without any protection, including in Austria.
---------------------------------------------
http://futurezone.at/digital-life/steueranlagen-von-kraftwerken-ungeschuetzt-im-netz/209.994.668




*** Neutrino EK picks up momentum in recent attacks ***
---------------------------------------------
The Neutrino developers have made some changes to the landing page source code as well as integrated a new exploit. The malware campaigns that once were Angler's continue to point to Neutrino, including a large malvertising attack on top adult sites we detected a few days ago.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2016/07/neutrino-ek-picks-up-momentum-in-recent-attacks/




*** Debian Security Advisory DSA-3618-1 - php5 security update ***
---------------------------------------------
CVE ID: CVE-2016-5768 CVE-2016-5769 CVE-2016-5770 CVE-2016-5771 CVE-2016-5772 CVE-2016-5773 Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.23, which includes additional bug fixes.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2016/msg00196.html




*** DFN-CERT-2016-1140: FortiManager, FortiAnalyzer: A vulnerability enables a cross-site scripting attack ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-1140/




*** F5 Security Advisories ***
---------------------------------------------
*** sol53084033: OpenSSL vulnerability CVE-2016-2178 ***
An attacker could trigger an exploit using a timing side-channel attack to discover a DSA private key.
https://support.f5.com/kb/en-us/solutions/public/k/53/sol53084033.html?ref=rss
---------------------------------------------
*** sol04054286: Linux kernel TCP vulnerability CVE-2016-2070 ***
Successful exploitation of this vulnerability leads to a denial-of-service (DoS) attack, due to a divide-by-zero error which causes the system to stop responding. Product/Versions known to be vulnerable: ARX 6.2.0 - 6.4.0, Traffix SDC 5.0.0, 4.0.0 - 4.4.0
https://support.f5.com/kb/en-us/solutions/public/k/04/sol04054286.html?ref=rss
---------------------------------------------
*** sol05125306: glibc vulnerability CVE-2016-1234 ***
This vulnerability may allow a context-dependent attacker to cause a denial of service (DoS) via a long name. Product/Versions known to be vulnerable: Traffix SDC 5.0.0, 4.0.0 - 4.4.0
https://support.f5.com/kb/en-us/solutions/public/k/05/sol05125306.html?ref=rss
---------------------------------------------
*** sol23873366: OpenSSL vulnerability CVE-2016-2177 ***
This vulnerability may allow remote attackers to cause a denial-of-service (DoS) attack.
https://support.f5.com/kb/en-us/solutions/public/k/23/sol23873366.html?ref=rss
---------------------------------------------




*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Meeting Server Persistent Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-ms
---------------------------------------------
*** Cisco WebEx Meetings Server Administrator Interface Reflected Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-wms1
---------------------------------------------
*** Cisco WebEx Meetings Server Reflected Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-wms3
---------------------------------------------
*** Cisco WebEx Meetings Server Administrator Interface SQL Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-wms
---------------------------------------------
*** Cisco WebEx Meetings Server Command Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160714-wms4
---------------------------------------------




*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: XML External Entities Injection Vulnerability in IBM Traveler (CVE-2016-3039) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985858
---------------------------------------------
*** IBM Security Bulletin: Multiple security vulnerabilities have been identified in IBM JRE and WebSphere Application Server shipped with IBM Tivoli Service Automation Manager (CVE-2016-3426, CVE-2016-3427) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000148
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) - IBM Java SDK updates April 2016 ***
http://www-01.ibm.com/support/docview.wss?uid=swg21985875
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2015-0254) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21984732
---------------------------------------------
*** IBM Security Bulletin: A cross-site scripting vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager Version 9 (CVE-2015-7417) ***
http://www.ibm.com/support/docview.wss?uid=swg21987056
---------------------------------------------




*** ICS-CERT Advisories ***
---------------------------------------------
*** Schneider Electric Pelco Digital Sentry Video Management System Vulnerability ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-196-01
---------------------------------------------
*** Moxa MGate Authentication Bypass Vulnerability ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-196-02
---------------------------------------------
*** Schneider Electric SoMachine HVAC Unsafe ActiveX Control Vulnerability ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-196-03
---------------------------------------------
*** Philips Xper-IM Connect Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSMA-16-196-01
---------------------------------------------
*** Advantech WebAccess ActiveX Vulnerabilities (Update A) ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-173-01
---------------------------------------------

