[CERT-daily] Tageszusammenfassung - Dienstag 6-09-2016

Tue Sep 6 18:12:29 CEST 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Montag 05-09-2016 18:00 − Dienstag 06-09-2016 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops ***
---------------------------------------------
Whaling attackers fall for poison PDF invoices HITB Florian Lukavsky hacks criminals profiting from out of control multi-billion dollar CEO wire transfer scams and they hate him for it.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/09/06/hacker_hacks_ceo_wire_transfer_scammers_sends_win_10_creds_to_cops/


*** House of Keys: 9 Months later... 40% Worse ***
---------------------------------------------
In November 2015 SEC Consult released the results of our study on hardcoded cryptographic secrets in embedded systems. Its time to summarize what has happened since.To accomplish the mammoth task of informing about 50 different vendors and various ISPs we teamed up with CERT/CC (VU#566724). We would really like to report that our efforts were successful, but as it turns out the number of devices on the web using known private keys for HTTPS server certificates has gone up by 40% in the last...
---------------------------------------------
http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html


*** Too many Cisco ASA boxes still open to an EXTRABACON attack ***
---------------------------------------------
Among the Equation Group exploits leaked by the Shadow Brokers, the one named EXTRABACON that targets Cisco ASA devices got the most attention from security researchers and attackers. It has been demonstrated that the original exploit can be easily modified to work on more recent versions of the Cisco ASA SSL VPN appliances, and researchers armed with honeypots noted that exploitation attempts started soon after the leak. You would think that news like this would...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/06/cisco-asa-still-open-extrabacon/


*** Digital Forensics According to the FORZA Model and Diamond Model for Intrusion Analysis ***
---------------------------------------------
The Bridge on the River Forza  We can teach these barbarians a lesson in Western methods and efficiency that will put them to shame. -Colonel Nicholson (The Bridge on the River Kwai, 1957)  Efficiency. Something we look to implement in everything we do, whether that be through the elimination of waste through Six Sigma, or other frameworks and methodologies, efficiency is what we strive for. When performing digital forensics, efficiency and rigor in our approach to ensure no stone left...
---------------------------------------------
https://feeds.feedblitz.com/~/192237180/0/alienvault-blogs~Digital-Forensics-According-to-the-FORZA-Model-and-Diamond-Model-for-Intrusion-Analysis


*** How False Positives can ruin your day - and how to stop them ***
---------------------------------------------
False positives can seriously ruin your day, and can cost enterprises serious money. Highlighted by a recent example, we share some key tips on how to mitigate false alerts.
---------------------------------------------
https://www.htbridge.com/blog/how-false-positives-can-ruin-your-day-and-how-to-stop-them.html


*** A week in security (Aug 28 - Sep 03) ***
---------------------------------------------
A compilation of notable security news and blog posts from August 28th to September 3rd. This week, we talked about browser-based fingerprinting; what was going on with the Mac app, Transmission; and a tech support scam that banked on an iPad error popping up on Windows systems.Categories:  Security world Week in securityTags: recapweekly blog roundup(Read more...)
---------------------------------------------
https://blog.malwarebytes.com/security-world/2016/09/a-week-in-security-aug-28-sep-03/


*** [2016-09-06] Private key for browser-trusted certificate embedded in multiple Aruba Networks / Alcatel-Lucent products ***
---------------------------------------------
A browser-trusted certificate including its private key is embedded in the firmware of several Aruba Networks/Alcatel-Lucent products. The certificate is used for providing user access to a captive portal via HTTPS as well as EAP connections for WPA2-Enterprise clients. An attacker can use this vulnerability to impersonate a captive portal or Wi-Fi AP and gain access to sensitive information.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160906-0_Aruba_Networks_Browser_trusted_cert_private_key_embedded_v10.txt


*** SSA-630413 (Last Update 2016-09-05): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-630413.pdf


*** ArcServe UDP - Unquoted Service Path Privilege Escalation ***
---------------------------------------------
Topic: ArcServe UDP - Unquoted Service Path Privilege Escalation Risk: High Text:Title: ArcServe UDP - Unquoted Service Path Privilege Escalation CWE Class: CWE-427: Uncontrolled Search Path Element Date: 0...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090024


*** ArcServe UDP - Download Manager/Setup - DLL Hijacking ***
---------------------------------------------
Topic: ArcServe UDP - Download Manager/Setup - DLL Hijacking Risk: Medium Text:Title: ArcServe UDP - Download Manager/Setup - DLL Hijacking CWE Class: CWE-427: Uncontrolled Search Path Element Date: 04/09...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090030


*** ArcServe UDP - HTTP Installation MiTM ***
---------------------------------------------
Topic: ArcServe UDP - HTTP Installation MiTM Risk: Low Text:Title: ArcServe UDP - MiTM CWE Class: CWE-300: Channel Accessible by Non-Endpoint (Man-in-the-Middle) | CWE-319: Cleartext T...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090029


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Network Security Services (NSS) affects the IBM FlashSystem model V9000 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009104
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Network Security Services (NSS) affect the IBM FlashSystem models 840 and 900 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009103
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Network Security Services (NSS) affects the IBM FlashSystem model V840 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009102
---------------------------------------------
*** IBM Security Bulletin: BigInsights is affected by a vulnerability in DB2 (CVE-2014-0919, CVE-2016-0211) ***
http://www.ibm.com/support/docview.wss?uid=swg21987604
---------------------------------------------
*** IBM Security Bulletin: IBM Forms Viewer may be affected by an Apache Xerces-C XML Parser library vulnerability (CVE-2016-0729) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988714
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2016-2107) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009106
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem models 840 and 900 (CVE-2016-2107) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009105
---------------------------------------------