[CERT-daily] Tageszusammenfassung - Donnerstag 2-03-2017

Thu Mar 2 18:08:51 CET 2017

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 01-03-2017 18:00 − Donnerstag 02-03-2017 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Kaspersky Releases Decryptor for the Dharma Ransomware ***
---------------------------------------------
Kaspersky has tested a set of Dharma master decryption keys posted to BleepingComputer and has confirmed they are legitimate. These keys have been included in their RakhniDecryptor, which I have tested against a Dharma infection. The decryptor worked flawlessly! [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/


*** The Story of an Expired WHOIS Server ***
---------------------------------------------
We write quite often about SEO spam injections on compromised websites, but this is the first time we have seen this blackhat tactic spreading into the WHOIS results for a domain name. If you are not familiar with "WHOIS", it is a protocol used to check who owns a specific domain name. These simple text records are publicly available and usually contain contact details for the website owner, i.e. their name, address, and phone number (unless the website owner purchased a WHOIS...
---------------------------------------------
https://blog.sucuri.net/2017/03/story-expired-whois-server.html


*** Infected Apps in Google Play Store (its not what you think), (Thu, Mar 2nd) ***
---------------------------------------------
Xavier pointed me towards a new issue posted on Palo Altos Unit 42 blog - the folks at PA found apps in the Google Play store infected with hidden-iframe type malware. 132 apps (so far) are affected, with the most popular one seeing roughly 10,000 downloads. But were not at the end of the trail of breadcrumbs yet .. these apps were traced back to just 7 developers, who arent in the same company, but all have a connection to Indonesia (the smoking gun here was the code signing certificate). But...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22139&rss


*** Researcher Breaks reCAPTCHA Using Googles Speech Recognition API ***
---------------------------------------------
A researcher has discovered what he calls a "logic vulnerability" that allowed him to create a Python script that is fully capable of bypassing Googles reCAPTCHA fields using another Google service, the Speech Recognition API. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researcher-breaks-recaptcha-using-googles-speech-recognition-api/


*** Crypt0L0cker Ransomware is Back with Campaigns Targeting Europe ***
---------------------------------------------
Crypt0L0cker, otherwise known as TorrentLocker, has started to make resurgence as it performs targeted campaigns at European countries. These attacks are also now using Italys PEC system to digitaly sign SPAM emails in order to make them look more official. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/crypt0l0cker-ransomware-is-back-with-campaigns-targeting-europe/


*** Security Advisory - Buffer Overflow Vulnerability in the Boot Loaders of Huawei Mobile Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170302-01-smartphone-en


*** DSA-3799 imagemagick - security update ***
---------------------------------------------
This update fixes several vulnerabilities in imagemagick: Variousmemory handling problems and cases of missing or incomplete inputsanitising may result in denial of service or the execution of arbitrarycode if malformed TIFF, WPG, IPL, MPC or PSB files are processed.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3799


*** AES - Critical - Unsupported - SA-CONTRIB-2017-027 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2017-027Project: AES encryption (third-party module)Version: 7.x, 8.xDate: 2017-March-01DescriptionThis module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm.The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be possible. The maintainer has opted not to fix these weaknesses. See solution...
---------------------------------------------
https://www.drupal.org/node/2857028


*** Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2017-025Project:  Remember Me  (third-party module)Version: 7.xDate: 2017-March-01Description Remember me is a module that allows users to check "Remember me" when logging in. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466CVE identifier(s) issuedA CVE identifier will...
---------------------------------------------
https://www.drupal.org/node/2857015


*** Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2017-028Project:  breakpoint panels  (third-party module)Version: 7.xDate: 2017-March-01Description Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that modules UI. Unchecking any of these will hide it from that breakpoint. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by...
---------------------------------------------
https://www.drupal.org/node/2857073


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to missing authentication checks (CVE-2016-9729) ***
http://www.ibm.com/support/docview.wss?uid=swg21999545
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to SQL injection (CVE-2016-9728) ***
http://www.ibm.com/support/docview.wss?uid=swg21999543
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to cross site scripting (CVE-2016-9723, CVE-2017-1133) ***
http://www.ibm.com/support/docview.wss?uid=swg21999534
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to cross-site request forgery (CVE-2016-9730) ***
http://www.ibm.com/support/docview.wss?uid=swg21999549
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to XML Entity Injection (CVE-2016-9724) ***
http://www.ibm.com/support/docview.wss?uid=swg21999537
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to OS command injection (CVE-2016-9726, CVE-2016-9727) ***
http://www.ibm.com/support/docview.wss?uid=swg21999542
---------------------------------------------
*** IBM Security Bulletin: Malicious File Download vulnerability in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) CVE-2016-9693 ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998655
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2016-7053, CVE-2016-7054, CVE-2016-7055) ***
http://www.ibm.com/support/docview.wss?uid=swg21998755
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere MQ administration command could cause denial of service (CVE-2016-8971) ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998663
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in dependent component shipped in IBM Development Package for Apache Spark (CVE-2016-4970) ***
http://www.ibm.com/support/docview.wss?uid=swg21999185
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Sterling Connect:Express for UNIX (CVE-2016-7055, CVE-2017-3731 and CVE-2017-3732) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21999470
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark ***
http://www.ibm.com/support/docview.wss?uid=swg21999561
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio ***
http://www-01.ibm.com/support/docview.wss?uid=swg21999668
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow a local attacker to obtain sensitive information using HTTP Header Injection (CVE-2017-1124) ***
http://www.ibm.com/support/docview.wss?uid=swg21998053
---------------------------------------------
*** IBM Security Bulletin: Mozilla NSS as used in IBM QRadar SIEM is vulnerable to arbitrary code execution (CVE-2016-2834) ***
http://www.ibm.com/support/docview.wss?uid=swg21999532
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to a denial of service (CVE-2016-9740) ***
http://www.ibm.com/support/docview.wss?uid=swg21999556
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to information exposure (CVE-2016-9720) ***
http://www.ibm.com/support/docview.wss?uid=swg21999533
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar Incident Forensics is vulnerable to overly permissive CORS access policies (CVE-2016-9725) ***
http://www.ibm.com/support/docview.wss?uid=swg21999539
---------------------------------------------