[CERT-daily] Tageszusammenfassung - Freitag 5-05-2017

Fri May 5 18:25:09 CEST 2017

=======================
= End-of-Shift report =
=======================

Timeframe:   Donnerstag 04-05-2017 18:00 − Freitag 05-05-2017 18:00
Handler:     Robert Waldner
Co-Handler:  Petr Sikuta


*** Bondnet botnet goes after vulnerable Windows servers ***
---------------------------------------------
A botnet consisting of some 2,000 compromised servers has been mining cryptocurrency for its master for several months now, "earning" him around $1,000 per day. GuardiCore researchers first spotted it in December 2016, and have been mapping it out and following its evolution since then. The've dubbed it Bondnet, after the handle its herder uses online [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/05/04/compromised-windows-servers/


*** Unpatched WordPress Password Reset Vulnerability Lingers ***
---------------------------------------------
A zero day vulnerability exists in WordPress Core that in some instances, could allow an attacker to reset a users password and in turn, gain access to their account.
---------------------------------------------
http://threatpost.com/unpatched-wordpress-password-reset-vulnerability-lingers/125421/


*** 1 Million Gmail Users Impacted by Google Docs Phishing Attack ***
---------------------------------------------
Researchers said good social engineering and users' trust in the convenience afforded by the OAUTH mechanism guaranteed Wednesday's Google Docs phishing attacks would spread quickly.
---------------------------------------------
http://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishing-attack/125436/


*** New Mac Malware Manages to Spy on Encrypted Browser Traffic ***
---------------------------------------------
This blog was written by Douglas McKee. There's a new cyberattack targeted at Mac OS users'a malware program called OSX/Dok. Discovered late last week primarily in Europe, the program is capable of spying on encrypted browser traffic to steal sensitive information. You heard correctly: it can eavesdrop on all of your web browsing. How does [...]
---------------------------------------------
https://securingtomorrow.mcafee.com/business/new-mac-malware-manages-spy-encrypted-browser-traffic/


*** Dridex and Locky Return Via PDF Attachments in Latest Campaigns ***
---------------------------------------------
Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new large campaigns. While the PDF downloader described in this post is responsible for spreading both Dridex and Locky, for the purposes of this blog, we will be discussing the PDF downloader and the Dridex [...]
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2017/05/dridex_and_lockyret.html


*** Intel ME-Firmware: Hersteller kündigen Patches für Intel-Exploit an ***
---------------------------------------------
Bald sollen die ersten Updates für die Schwachstelle in der Management Engine von Intel-Systemen erscheinen. Derweil gibt es Unklarheit über Details zu der Sicherheitslücke.
---------------------------------------------
https://www.golem.de/news/intel-me-firmware-hersteller-kuendigen-patches-fuer-intel-exploit-an-1705-127648-rss.html


*** Carbanak Attackers Devise Clever New Persistence Trick ***
---------------------------------------------
Hackers behind the Carbanak criminal gang have devised a clever way to gain persistence on targeted systems to more effectively pull off financially motivated crimes.
---------------------------------------------
http://threatpost.com/carbanak-attackers-devise-clever-new-persistence-trick/125457/


*** [SANS ISC] HTTP Headers' the Achilles' heel of many applications ***
---------------------------------------------
When browsing a target web application, a pentester is looking for all "entry" or "injection" points present in the pages. Everybody knows that a static website with pure HTML code is less juicy compared to a [...]
---------------------------------------------
https://blog.rootshell.be/2017/05/05/sans-isc-http-headers-achilles-heel-many-applications/


*** Snake malware ported from Windows to Mac ***
---------------------------------------------
Snake, also known as Turla and Uroburos, is backdoor malware that has been around and infecting Windows systems since at least 2008. It is thought to be Russian governmental malware and on Windows is highly-sophisticated. It was even seen infecting Linux systems in 2014. Now, it appears to have been ported to Mac.Categories: MacThreat analysisTags: Adobe Flash PlayerApplemacMac TrojanmalwareSnaketrojanTurlaUroburos [...]
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/


*** More Android phones than ever are covertly listening for inaudible sounds in ads ***
---------------------------------------------
Your Android phone may be listening to ultrasonic ad beacons without your knowledge.
---------------------------------------------
https://arstechnica.com/security/2017/05/theres-a-spike-in-android-apps-that-covertly-listen-for-inaudible-sounds-in-ads/


*** DFN-CERT-2017-0790: LibreSSL : Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0790/


*** Linux kernel vulnerability CVE-2017-7308 ***
---------------------------------------------
Linux kernel vulnerability CVE-2017-7308. Security Advisory. Security Advisory Description. The packet_set_ring function ...
---------------------------------------------
https://support.f5.com/csp/article/K82224417


*** Apache Tomcat vulnerability CVE-2017-5647 ***
---------------------------------------------
Apache Tomcat vulnerability CVE-2017-5647. Security Advisory. Security Advisory Description. A bug in the handling of ...
---------------------------------------------
https://support.f5.com/csp/article/K49000195


*** Hikvision Cameras ***
---------------------------------------------
This advisory contains mitigation details for use of improper authentication and password in configuration file vulnerabilities in Hikvision's cameras.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01


*** Dahua Technology Co., Ltd Digital Video Recorders and IP Cameras ***
---------------------------------------------
This advisory contains mitigation details for use of password hash instead of password for authentication and password in configuration file vulnerabilities in Dahua Technology Co., Ltd digital video recorders and IP cameras.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-124-02


*** Advantech WebAccess ***
---------------------------------------------
This advisory contains mitigation details for an absolute path traversal vulnerability in Advantech's WebAccess.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-124-03


*** Rockwell Automation ControlLogix 5580 and CompactLogix 5380 ***
---------------------------------------------
This advisory was originally posted to the NCCIC Portal on April 4, 2017, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for use a resource exhaustion vulnerability in Rockwell Automations ControlLogix 5580 and CompactLogix 5380.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-05


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in bind affects SmartCloud Entry (CVE-2016-9147) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1025133
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in memcached affects SmartCloud Entry (CVE-2016-8704, CVE-2016-8705) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1025081
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One - Algo Risk Application (CVE-2016-8745) ***
http://www.ibm.com/support/docview.wss?uid=swg22000781
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities affect IBM Rational Quality Manager and IBM Rational Team Concert with potential for security attacks ***
http://www.ibm.com/support/docview.wss?uid=swg22002429
---------------------------------------------
*** IBM Security Bulletin: Cross Site Scripting (XSS) vulnerability affects Cognos Analytics ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999791
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Net-SNMP affects IBM Tivoli Composite Application Manager for Transactions (CVE-2015-5621) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000624
---------------------------------------------