[CERT-daily] Tageszusammenfassung - Mittwoch 27-07-2016

Wed Jul 27 18:26:20 CEST 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 26-07-2016 18:00 − Mittwoch 27-07-2016 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Dridex Re-Mastered ***
---------------------------------------------
Well, its been quite an eventful time since last I posted. I have so much in the works that it is hard to tell where to begin. It seems that we are seeing new flavors of ransomware every week and botnets seem to come and go with a frequency weve not seen in a while. This week, though, I promised Dridex, so Dridex it is.
---------------------------------------------
http://www.scmagazine.com/dridex-re-mastered/article/511683/


*** Analyze of a Linux botnet client source code, (Wed, Jul 27th) ***
---------------------------------------------
I like to play active-defense. Every day, I extract attackers IP addresses from my SSH honeypots and performa quick Nmap scan against them. The goal is to gain more knowledge about the compromised hosts. Most of the time, hosts are located behind a residential broadband connection. But sometimes, you find more interesting stuff. When valid credentials are found, the classic scenario is the installation of a botnet client that will be controlled via IRC to launchmultiple attacks or scans.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21305&rss


*** Erpressungs-Trojaner: Malware-Entwickler spioniert bei der Konkurrenz - Opfer profitieren davon ***
---------------------------------------------
Auf Pastebin sind tausende Schlüssel zum Dechiffrieren von Daten aufgetaucht, die vom Verschlüsselungs-Trojaner Chimera gefangengenommen wurden.
---------------------------------------------
http://heise.de/-3279201


*** Kritische Lücke in Lastpass: Entwickler arbeiten an Lösung ***
---------------------------------------------
Tavis Ormandy hat eine kritische Sicherheitslücke im Passwort-Manager Lastpass gefunden und über Twitter gemeldet. Die Entwickler der Software arbeiten demnach bereits an einer Lösung.
---------------------------------------------
http://heise.de/-3279424


*** Black Hat 2016: Neuer Angriff schafft Zugriff auf Klartext-URLs trotz HTTPS ***
---------------------------------------------
Besonders in öffentlichen Netzwerken schützen verschlüsselte HTTPS-Verbindungen davor, dass Admins oder gar andere Nutzer im gleichen Netz den eigenen Datenverkehr belauschen. Dieser Schutz ist offenbar löchrig - und zwar auf fast allen Browsern und Betriebssystemen.
---------------------------------------------
http://www.golem.de/news/black-hat-2016-neuer-angriff-schafft-zugriff-auf-klartext-urls-trotz-https-1607-122366-rss.html


*** Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 16: Account Monitoring and Control ***
---------------------------------------------
This is Part 16 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here:  Part 1 - we looked at Inventory of Authorized and Unauthorized Devices. Part 2 - we looked at Inventory of Authorized and Unauthorized Software. Part 3 - we looked at Secure...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/free-and-commercial-tools-to-implement-the-center-for-internet-security-cis-security-controls-part-16-6-account-monitoring-and-control


*** From Locky with love - reading malicious attachments ***
---------------------------------------------
Read on to learn how the latest downloaders used to deliver Locky ransomware and show how to statically decipher their hidden URLs.Categories:  Malware Threat analysisTags: downloaderLocky(Read more...)
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/07/from-locky-with-love-reading-malicious-attachments/


*** httpoxy in Österreich ***
---------------------------------------------
Wir haben vorige Woche eine Warnung zu httpoxy veröffentlicht, dabei geht es um: CGI ist ein Standard, mit dem Webseiten dynamisch mit Hilfe von Scripten serverseitig erstellt werden können. Dazu werden die Informationen über den Client und zur Anfrage in Umgebungsvariablen an das Script übergeben. Enthält der HTTP-Request einen Header "Proxy:", dann wird der Inhalt dieses Headers in die Umgebungsvariable HTTP_PROXY...
---------------------------------------------
http://www.cert.at/services/blog/20160727173056-1764.html


*** Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access ***
---------------------------------------------
The Iris ID IrisAccess iCAM4000/7000 series suffer from a use of hard-coded credentials. When visiting the device interface with a browser on port 80, the application loads an applet JAR file ICAMClient.jar into users browser which serves additional admin features. In the JAR file there is an account rou with password iris4000 that has read and limited write privileges on the affected node. An attacker can access the device using these credentials starting a simple telnet session on port 23
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php


*** Iris ID IrisAccess ICU 7000-2 Remote Root Command Execution ***
---------------------------------------------
The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote command execution vulnerability. The vulnerability exist due to several POST parameters in the /html/SetSmarcardSettings.php script not being sanitized when using the exec() PHP function while updating the Smart Card Settings on the affected device. Calling the $CommandForExe variable which is set to call the /cgi-bin/setsmartcard CGI binary with the affected parameters as arguments allows the attacker to execute
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5346.php


*** Iris ID IrisAccess ICU 7000-2 Multiple XSS and CSRF Vulnerabilities ***
---------------------------------------------
The application is prone to multiple reflected cross-site scripting vulnerabilities due to a failure to properly sanitize user-supplied input to the HidChannelID and HidVerForPHP POST parameters in the SetSmarcardSettings.php script. Attackers can exploit this issue to execute arbitrary HTML and script code in a users browser session. The application also allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5345.php


*** F5 Security Advisory: MySQL vulnerability CVE-2016-2047 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53729441.html?ref=rss


*** Bugtraq: [security bulletin] HPSBST03603 rev.1 - HPE StoreVirtual Products running LeftHand OS using glibc, Remote Arbitrary Code Execution, Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539015


*** Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for two vulnerabilities in the Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-01


*** Siemens SIMATIC NET PC-Software Denial-of-Service Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a denial-of-service vulnerability in the Siemens SIMATIC NET PC-Software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-02


*** Siemens SINEMA Remote Connect Server Cross-site Scripting Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a cross-site scripting vulnerability in the Siemens SINEMA Remote Connect Server application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-03


*** Rockwell Automation FactoryTalk EnergyMetrix Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on June 21, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for authentication vulnerabilities in the Rockwell Automation FactoryTalk EnergyMetrix application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-173-03