[CERT-daily] Tageszusammenfassung - Montag 19-09-2016

Mon Sep 19 18:17:05 CEST 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 16-09-2016 18:00 − Montag 19-09-2016 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** The Week in Ransomware - September 16 2016 - Stampado, Locky, Atom, and More ***
---------------------------------------------
Thankfully, it was a slow week this week when it comes to ransomware. For this week we had 3 new variants of existing ransomware, 2 new ransomware infections, and an updated decryptor. [...]
---------------------------------------------
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-16-2016-stampado-locky-atom-and-more/


*** Windows Events log for IR/Forensics ,Part 1, (Sun, Sep 18th) ***
---------------------------------------------
In the time of incidents, Windows Event logs provide a plenty of useful information for the Incident responder.As you know Windows can generate thousands of events in few minutes ,in this diary I will talk about some of the most useful events and in the next diary I would discuss how to use PowerShell to search for them . Here is of the most useful events for Forensics/Incident response:     Event ID   Description   Log Name     4624   Successful Logon   Security     4625   Failed Login...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21493&rss


*** Mozilla will patch zero-day Firefox bug to fiddle man-in-the-middle diddle ***
---------------------------------------------
Researcher revealed Tor flaw after initially being ignored Mozilla will patch a flaw in its Firefox browser that could allow well-resourced attackers to launch man-in-the-middle impersonation attacks that also affects the Tor anonymity network.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/09/18/mozilla_tor_flaws/


*** Untangling the Ripper ATM Malware ***
---------------------------------------------
Last August , security researchers released a blog discussing a new ATM malware family called Ripper which they believe was involved in the recent ATM attacks in Thailand. Large numbers of ATMs were also temporarily shut down as a precautionary measure.During our analysis we noticed some additional details that where not called out, or which appear to contradict this earlier analysis. We highlight these differences in this blog post. We have also included technical indicators such as code...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ddt8SN3uzhs/


*** Periscope ATM Skimmers ***
---------------------------------------------
"Periscope skimmers" are the most sophisticated kind of ATM skimmers. They are entirely inside the ATM, meaning theyre impossible to notice.Theyre been found in the US.
---------------------------------------------
https://www.schneier.com/blog/archives/2016/09/periscope_atm_s.html


*** 324,000 payment cards breached, CVVs included, source still unknown! ***
---------------------------------------------
When you decide to add debugging logs to your payment application, the PCI DSS rules about what you are allowed to store DO NOT CHANGE!
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/NpR-rDlVOj0/


*** Does it Matter If You Cover Your Webcam?, (Mon, Sep 19th) ***
---------------------------------------------
During security conferences, laptops with tape covering the webcam has certainly been a common sight. But recently, covering webcams has become somewhat of a main-stream phenomenon, after Mark Zuckerberg was sighted with a covered webcam [1], and even the FBI director suggests people covering their cameras [2]. Laptops are often used in private spaces, and an attacker, with access to the camera, is expected to be able to spy on the user of the laptop. Attacks like this have happened, and even...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21497&rss


*** Reverse Engineering Cisco ASA for EXTRABACON Offsets ***
---------------------------------------------
[...] One of the zero-day vulnerabilities released was a remote code execution in the Cisco Adaptive Security Appliance (ASA) device. The Equation Groups exploit for this was named EXTRABACON. [...] At RiskSense we had spare ASAs lying around in our red team lab, and my colleague Zachary Harding was extremely interested in exploiting this vulnerability. I told him if he got the ASAs properly configured for remote debugging I would help in the exploitation process.
---------------------------------------------
https://zerosum0x0.blogspot.cz/2016/09/reverse-engineering-cisco-asa-for.html


*** BENIGNCERTAIN-like flaw affects various Cisco networking devices ***
---------------------------------------------
The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products - and they found one. CVE-2016-6415 arises from insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. The IKE protocol is used in the Internet Protocol Security (IPsec) protocol suite to negotiate cryptographic...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/19/beningcertain-cisco-networking-devices/


*** IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products ***
---------------------------------------------
A vulnerability in IKEv1 packet processing code in Cisco IOS, Cisco IOS XE and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept...
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1


*** iPrint Appliance 2.1 Hot Patch 2 ***
---------------------------------------------
Abstract: iPrint Appliance 2.1 Hot Patch 2 is the first patch set for the iPrint Appliance version 2.1. Document ID: 5254950Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:iPrint-2.1.0.68.HP.zip (755.2 MB)Products:iPrint Appliance 2.1Superceded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=AJTQmn_Q1yk~


*** iPrint Appliance 2.0 Hot Patch 2 ***
---------------------------------------------
Abstract: Hot Patch 2 includes bug fixes, security fixes and a consolidation of previously released patches, including iPrint Appliance 2.0 Patch 2. Document ID: 5254970Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:iPrint-2.0.0.533.HP.zip (881.14 MB)Products:iPrint Appliance 2Superceded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=C1Xh-X9MGcc~


*** Forthcoming OpenSSL releases ***
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0a, 1.0.2i, 1.0.1u. These releases will be made available on 22nd September 2016 at approximately 0800 UTC. They will fix several security defects: one classfied as severity "high", one as "moderate", and the rest "low".
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.html


*** IBM Security Bulletin: Spice-server vulnerabilities affect IBM SmartCloud Entry (CVE-2016-0749 CVE-2016-2150 ) ***
---------------------------------------------
SmartCloud Entry is vulerable to Spice-server vulnerabilities. Attackers could exploit them to cause improper bounds checking by smartcard interaction or bypass security restrictions CVE(s): CVE-2016-0749, CVE-2016-2150 Affected product(s) and affected version(s): IBM SmartCloud Entry 3.2 through Appliance fix pack 21 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www.ibm.com/support/docview.wss?uid=isg3T1024006X-Force...
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1024006


*** IBM Security Bulletin: Vulnerability in openssl affects IBM System Networking Switch products (CVE-2016-2108) ***
---------------------------------------------
IBM System Networking Switch products have addressed the following vulnerability in openssl. CVE(s): CVE-2016-2108 Affected product(s) and affected version(s): Product Affected Version IBM Flex System Fabric EN4093R 10Gb Scalable Switch 7.8.14.0 IBM Flex System Fabric CN4093 10Gb Converged Scalable Switch 7.8.14.0 IBM Flex System Fabric SI4093 System Interconnect Module 7.8.14.0 IBM Flex System EN2092 1Gb...
---------------------------------------------
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099464


*** BINOM3 Electric Power Quality Meter Vulnerabilities ***
---------------------------------------------
Topic: BINOM3 Electric Power Quality Meter Vulnerabilities Risk: Medium Text:*Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities* *About* The meters are designed...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090122


*** MyBB 1.8.6 Improper validation of data passed to eval ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090124


*** MyBB 1.8.6 CSRF Weak Hashing, Plaintext Passwords ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090126


*** MyBB 1.8.6 SQL Injection ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090125