[CERT-daily] Tageszusammenfassung - Montag 29-05-2017

Mon May 29 18:17:01 CEST 2017

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 26-05-2017 18:00 − Montag 29-05-2017 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw ***
---------------------------------------------
Microsoft quietly patched a critical vulnerability found by Googles Project Zero team in the Malware Protection Engine.
---------------------------------------------
http://threatpost.com/microsoft-quietly-patches-another-critical-malware-protection-engine-flaw/125951/


*** Crysis ransomware master keys posted to Pastebin ***
---------------------------------------------
Why would someone release the keys to victims? Who knows, but as the poster who uploaded them says, Enjoy!
---------------------------------------------
https://nakedsecurity.sophos.com/2017/05/26/crysis-ransomware-master-keys-posted-to-pastebin/


*** File2pcap - A new tool for your toolkit!, (Fri, May 26th) ***
---------------------------------------------
One of our readers, Gebhard, submitted a pointer to a tool today, released byTalos, that I wasnt familiar with. However, when I realized it could generate packets, I had to try it out. Its called File2pcap. The concept of the tool is that instead of having to download a file and capture the traffic in order to write detection content, the tool would simulate the download and generate the traffic that you would see. You get a nice pcap in the end.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22456&rss


*** CyberChef a Must Have Tool in your Tool bag!, (Sun, May 28th) ***
---------------------------------------------
This multipurpose and feature rich tool has been available for a while now and is updated regularly. What I find the most interesting is the number of features that are available this tool. CyberChef is fully portable and can be downloaded locally as an simple HTML self-contained page that can run in any browsers or if you prefer, you can download the package from Github and compile it yourself[2] but why bother. Since the code is updated regularly, I find the first option more practical. It [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22458&rss


*** Analysis of Competing Hypotheses (ACH part 1), (Sun, May 28th) ***
---------------------------------------------
In threat intelligence, by definition, an analyst will most of the times have to perform assessments in an environment of incomplete information, and/or with information that is being produced with the purpose of misleading the analyst. One of the well-known methodologies is the Analysis of Competing Hypotheses (ACH) [1], developed by Richards J. Heuer, Jr., a former CIA veteran. ACH is an analytic process that identifies a set of alternative hypotheses, and assesses whether data available are [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22460&rss


*** Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience ***
---------------------------------------------
[Primary authors: Dan Simon and Nir Ben Zvi] The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run. These defaults were...
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2017/05/29/guidance-on-disabling-system-services-on-windows-server-2016-with-desktop-experience/


*** Network Time Protocol updated to spook-harden user comms ***
---------------------------------------------
Network time lords decide we dont need IP address swaps The Internet Engineering Task Force has taken another small step in protecting everybodys privacy - this time, in making the Network Time Protocol a bit less spaffy.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/05/29/network_time_protocol_updated_to_spookharden_user_comms/


*** CFP Time ***
---------------------------------------------
We decided to create a website for a clearer view of what conferences are happening all around the world. The project is still in beta and after seeing how the community takes it, we might take it one step further.
---------------------------------------------
https://cfptime.org/cfps/about


*** Dirty COW and why lying is bad even if you are the Linux kernel ***
---------------------------------------------
[...] There have been plenty of articles and blog posts about the exploit, but none of them give a satisfactory explanation on exactly how Dirty COW works under the hood from the kernel's perspective. The following analysis is based on this attack POC, although the idea applies to all other similar attacks.
---------------------------------------------
https://chao-tic.github.io/blog/2017/05/24/dirty-cow


*** DFN-CERT-2017-0928: Microsoft Malware Protection Engine: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0928/


*** DFN-CERT-2017-0913: WebKitGTK+: Mehrere Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes und einen Cross-Site-Scripting-Angriff ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0913/
https://webkitgtk.org/security/WSA-2017-0004.html


*** DFN-CERT-2017-0925: FortiOS: Mehrere Schwachstellen ermöglichen u.a. das Erlangen von Administratorrechten ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0925/


*** Security Advisory - Multiple Vulnerabilities in MTK Platform ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170527-01-smartphone-en


*** Bugtraq: Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Key and Token ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540636


*** Bugtraq: [security bulletin] HPESBHF03730 rev.1 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540635


*** Bugtraq: [security bulletin] HPESBHF03754 rev.1 - HPE ML10 Gen 9 Server using Intel Xeon E3-1200 v5 Processor, Remote Access Restriction Bypass ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540634


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM PowerVC is affected by vulnerability in OpenStack Nova (CVE-2017-7214) ***
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022011
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in Red Hat Enterprise Linux (RHEL) Server shipped with PurePower Integrated Manager (PPIM) (CVE-2017-6462 CVE-2017-6463 CVE-2017-6464) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025209
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDKs affect IBM Virtualization Engine TS7700 - January 2017 ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010245
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM Virtual Fabric 10Gb Switch Module ***
http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5099590
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099589
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5099586
---------------------------------------------