- Daily - CERT.at

Tageszusammenfassung - 21.07.2017
by Daily end-of-shift report 21 Jul '17

21 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-07-2017 18:00 − Freitag 21-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 14 Warning Signs that Your Computer is Malware-Infected ∗∗∗ --------------------------------------------- Malware attacks affect us all. The increasing number of Internet users worldwide creates an equal (or larger) number of opportunities for cyber criminals to take advantage of our systems. As we become more dependent on the online environment, we can clearly see a massive growth in malware and cyber criminal activities all across the globe. --------------------------------------------- https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-ma… ∗∗∗ Practical Android Phone Forensics ∗∗∗ --------------------------------------------- Introduction Today’s world is Android World. Almost 90% of devices are running on Android, and each one of us is using Android in some or the other way. There are various devices which run on Android, but Android is widely used on Smart Phones. Also, if you check the Global Smart Phone Market Share Android [...] --------------------------------------------- http://resources.infosecinstitute.com/practical-android-phone-forensics/ ∗∗∗ BKA will mächtigeren Staatstrojaner angeblich noch 2017 einsatzbereit haben ∗∗∗ --------------------------------------------- Laut einem geleakten Dokument ist man beim Bundeskriminalamt optimistisch, noch 2017 einen Staatstrojaner einsatzbereit zu haben, der deutlich mächtiger ist als sein Vorgänger. Damit sollen auch Smartphones gehackt werden, nachdem das nun erlaubt wurde. --------------------------------------------- https://heise.de/-3779770 ∗∗∗ Companies unprepared to measure incident response ∗∗∗ --------------------------------------------- Companies struggle to keep up with and respond to cyberattacks due to lack of resources, according to Demisto. For example, more than 40 percent of respondents said their organizations are not prepared to measure incident response, and only 14.5 percent of respondents are measuring MTTR (Mean Time to Respond). While organizations are hit with an average of nearly 350 incidents per week, 30 percent of respondents reported they have no playbooks, runbooks or other documentation [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/07/21/measure-incident-response/ ∗∗∗ Smartphone mit Sicherheitslücken verkauft: Klage gegen Media Markt ∗∗∗ --------------------------------------------- Deutsche Verbraucherschützer gehen gegen Händler vor, es handelt sich um einen Präzedenzfall --------------------------------------------- http://derstandard.at/2000061599440 ∗∗∗ Cyber-Angriffe auf die Wirtschaft – jedes zweite Unternehmen betroffen ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Cyber-Angri… ===================== = Advisories = ===================== ∗∗∗ DFN-CERT-2017-1269: Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1269/ ∗∗∗ DFN-CERT-2017-1263: GitLab: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen und die Manipulation von Dateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1263/ ∗∗∗ DFN-CERT-2017-1270: Red Hat 3scale API Management Platform: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1270/ ∗∗∗ IBM Security Bulletin: WebSphere Application Server may have insecure file permissions (CVE-2017-1382) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004785 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in Admin Console for WebSphere Application Server (CVE-2017-1380) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004786 ∗∗∗ IBM Security Bulletin: API Connect is affected by SSH vulnerability (CVE-1999-1085) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005718 ∗∗∗ IBM Security Bulletin: Vulnerabilitiy in OpenSSL affect IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010137 ∗∗∗ IBM Security Bulletin: Cross-site Scripting vulnerabilities affect IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006052 ∗∗∗ IBM Security Bulletin:IBM Emptoris Supplier Lifecycle Management is affected by a Cross Site Scripting vulnerability (CVE-2016-6118) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005824 ∗∗∗ IBM Security Bulletin: Reflected XSS in IBM Worklight OAuth Server Web Api ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000316 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005076 ∗∗∗ SSA-275839 (Last Update 2017-07-21): Denial-of-Service Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839… ∗∗∗ SSA-293562 (Last Update 2017-07-21): Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-293562… ∗∗∗ SSA-731239 (Last Update 2017-07-21): Vulnerabilities in SIMATIC S7-300 and S7-400 CPUs ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-731239… ∗∗∗ libxml2 vulnerability CVE-2015-8710 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45439210 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2017
by Daily end-of-shift report 20 Jul '17

20 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-07-2017 18:00 − Donnerstag 20-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vault 7 Data Leak: Analyzing the CIA files ∗∗∗ --------------------------------------------- Digging the Vault 7 dumps In a first post on the Vault7 dump, we analyzed the information contained in files leaked by Wikileaks and allegedly originating from a network of the U.S. Central Intelligence Agency (CIA). At the time, we analyzed the following CIA projects: The Year Zero that revealed CIA hacking exploits for hardware and software. The Dark Matter dump […]The post Vault 7 Data Leak: Analyzing the CIA files appeared first on InfoSec Resources. --------------------------------------------- http://resources.infosecinstitute.com/vault-7-data-leak-analyzing-cia-files… ∗∗∗ DDoS Tools availability Online, a worrisome trend ∗∗∗ --------------------------------------------- Experts warn of an increased availability of DDoS tools online, many wannabe hackers download and use them without awareness on consequences. As cyber crime reaches new levels with new malware & viruses being realized online on a daily basis it also becomes apparent that the increase in DDoS tools that require no apparent skills to […]The post DDoS Tools availability Online, a worrisome trend appeared first on Security Affairs. --------------------------------------------- http://securityaffairs.co/wordpress/61188/hacking/ddos-tools-online.html ∗∗∗ EU Court to Rule On Right to Be Forgotten Outside Europe ∗∗∗ --------------------------------------------- The European Unions top court is set to decide whether the blocs "right to be forgotten" policy stretches beyond Europes borders, a test of how far national laws can -- or should -- stretch when regulating cyberspace. From a report: The case stems from France, where the highest administrative court on Wednesday asked the EUs Court of Justice to weigh in on a dispute between Alphabets Google and Frances privacy regulator over how broadly to apply the right (Editors note: the link could --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/RSt2wRvb9ho/eu-court-to-rul… ∗∗∗ No one still thinks iOS is invulnerable to malware, right? Well, knock it off ∗∗∗ --------------------------------------------- As platforms popularity continues to rise, so does its allure to miscreants The comforting notion that iOS devices are immune to malicious code attacks has taken a knock following the release of a new study by mobile security firm Skycure.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/ios_securit… ∗∗∗ IETF: Streit über TLS-Überwachung führt zum Eklat ∗∗∗ --------------------------------------------- Für die einen ist es passives Monitoring im Rechenzentrum. Für die anderen ist der Nachschlüssel für Netzadministratoren ein Einstieg in die Massenüberwachung und der GAU für das neue TLS-Protokoll. --------------------------------------------- https://heise.de/-3777578 ∗∗∗ Google Play Protect schützt vor Malware-Apps ∗∗∗ --------------------------------------------- Google rollt einen neuen Sicherheitsmechanismus für Android-Smartphones aus, der installierte Apps laufend überprüft. Google Play Protect funktioniert auch mit Anwendungen, die nicht aus dem Play Store stammen. --------------------------------------------- https://heise.de/-3778162 ∗∗∗ Bugfix- und Sicherheitsupdates für watchOS und tvOS ∗∗∗ --------------------------------------------- Das Apple-Watch-Betriebssystem erreicht Version 3.2.3 und das Apple-TV-4-OS Version 10.2.2. Es gibt Fehlerbehebungen und sicherheitsrelevante Fixes. --------------------------------------------- https://heise.de/-3777843 ∗∗∗ Assessing the habits and tactics of organized credit card fraud gangs ∗∗∗ --------------------------------------------- By analyzing hundreds of criminal forums, Digital Shadows discovered a new trend in the form of remote learning ‘schools’. Available to Russian speakers only, these six-week courses comprise 20 lectures with five expert instructors. The course includes webinars, detailed notes and course material. An advertisement for the WWH online course In exchange for $745 (plus $200 for course fees), aspiring cyber criminals have the potential to make $12k a month, based on a standard 40-hour --------------------------------------------- https://www.helpnetsecurity.com/2017/07/20/organized-credit-card-fraud-gang… ===================== = Advisories = ===================== ∗∗∗ Apple Sicherheitsupdates für Mac OS X und macOS Sierra ∗∗∗ --------------------------------------------- Das Betriebssystem Mac OS X ist der Standard auf Apple Laptops und Desktop-Geräten.Das von Apple entwickelte Betriebssystem macOS Sierra ist der namentliche Nachfolger von Mac OS X ab Version 10.12 für Macintosh-Systeme (Desktop und Server).Apple veröffentlicht macOS Sierra 10.12.6 und schließt damit Sicherheitslücken, durch die ein nicht angemeldeter Angreifer aus dem Internet intendierte Sicherheitsmaßnahmen umgehen, Daten auf Ihrem Rechner ausspähen oder --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_… ∗∗∗ Sicherheitsupdate auf Apple iOS 10.3.3 ∗∗∗ --------------------------------------------- iOS ist das Standardbetriebssystem auf Apple-Geräten wie iPhone, iPod touch und iPad. Es wurde auf Basis des Betriebssystems MAC OS X entwickelt.In verschiedenen von Apple iOS bis einschließlich Version 10.3.2 intern verwendeten Komponenten existieren mehrere, zum Teil schwerwiegende Sicherheitslücken. Ein Angreifer aus dem Internet kann diese insgesamt 47 Sicherheitslücken für das Ausführen beliebigen Programmcodes, auch mit erweiterten Privilegien, das --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_… ∗∗∗ Apple veröffentlicht Sicherheitsupdates für den Safari Webbrowser ∗∗∗ --------------------------------------------- Der Webbrowser Safari wurde von Apple für MAC OS X entwickelt.Apple schließt mit der neuen Safari Version für OS X Yosemite, OS X El Capitan und macOS Sierra mehrere Sicherheitslücken, durch die ein Angreifer aus dem Internet unter anderem beliebigen Programmcode auf Ihrem System ausführen, Informationen ausspähen sowie falsche Informationen darstellen kann. Insbesondere durch die Ausführung beliebigen Programmcodes kann ihr System nachhaltig geschädigt --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_… ∗∗∗ Vuln: Genivia gSOAP CVE-2017-9765 Stack Based Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/99868 ∗∗∗ Cisco ASR 5000 Series Aggregation Services Routers GGSN Gateway Redirect Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Administrative Interface Access Control Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Static Credentials Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Authenticated Command Injection and Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Command Injection and Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Collaboration Provisioning Tool Web Portal Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco ASR 5000 Series Aggregation Services Routers Access Control List Security Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1253: Apple iCloud: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1253/ ∗∗∗ IBM Security Bulletin: Vulnerability in IBM SDK, Java Technology Edition Quarterly CPU – Apr 2017 – Includes Oracle Apr 2017 CPU affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005616 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2017
by Daily end-of-shift report 19 Jul '17

19 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-07-2017 18:00 − Mittwoch 19-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk ∗∗∗ --------------------------------------------- Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of the Internet-of-Thing devices that eventually left millions of devices vulnerable to hacking. The vulnerability (CVE-2017-9765), discovered by researchers at the IoT-focused security firm Senrio, resides in the software development --------------------------------------------- https://thehackernews.com/2017/07/gsoap-iot-device-hacking.html ∗∗∗ Sicherheitslücke in allen Node.js-Versionen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke macht viele Node.js-Anwendungen anfällig für Denial-of-Service-Attacken. Die Entwickler haben korrigierte Versionen von Node.js 4, 6, 7 und 8 bereitgestellt und raten dringend zum Update. --------------------------------------------- https://heise.de/-3775843 ∗∗∗ Adware the series, the final: Tools section ∗∗∗ --------------------------------------------- The final episode of our adware series talks specifically about the tools that we use in identifying adware and the places where it lurks on a system.Categories: PUPTags: adwareFileASSASSINfrstPieter Arntzprocess explorerResource Monitorrootkitthe more you knowtoolstrojan(Read more...)The post Adware the series, the final: Tools section appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/puppum/2017/07/adware-the-series-the-final-to… ===================== = Advisories = ===================== ∗∗∗ DSA-3914 imagemagick - security update ∗∗∗ --------------------------------------------- This updates fixes several vulnerabilities in imagemagick: Variousmemory handling problems and cases of missing or incomplete inputsanitising may result in denial of service, memory disclosure or theexecution of arbitrary code if malformed RLE, SVG, PSD, PDB, DPX, MAT,TGA, VST, CIN, DIB, MPC, EPT, JNG, DJVU, JPEG, ICO, PALM or MNGfiles are processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3914 ∗∗∗ WP Statistics 12.0.9 - Authenticated Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8866 ∗∗∗ DFN-CERT-2016-1068: Apache Commons FileUpload, Apache Tomcat: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1068/ ∗∗∗ DFN-CERT-2017-1240: Apache Software Foundation HTTP-Server: Eine Schwachstelle ermöglicht das Ausspähen von Informationen und einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1240/ ∗∗∗ DFN-CERT-2017-1245: Wireshark: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1245/ ∗∗∗ DFN-CERT-2017-1249: Symfony: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1249/ ∗∗∗ IBM Security Bulletin: IBM Cisco MDS Series Switches DCNM is affected by unauthenticated, remote attacker vulnerability (CVE-2017-6639, CVE-2017-6640). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010329 ∗∗∗ IBM Security Bulletin: IBM TRIRIGA Application Platform Reports Privilege Escalation (CVE-2017-1373) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004677 ∗∗∗ Oracle Critical Patch Update Advisory - July 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html ∗∗∗ Solaris Third Party Bulletin - July 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/bulletinjul2017-3814622.h… ∗∗∗ Oracle Linux Bulletin - July 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2017-3832… ∗∗∗ Oracle VM Server for x86 Bulletin - July 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2017-383236… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2017
by Daily end-of-shift report 18 Jul '17

18 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Montag 17-07-2017 18:00 − Dienstag 18-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: ===================== = News = ===================== ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung ∗∗∗ --------------------------------------------- Für unser "Daily Business" suchen wir derzeit 1 Berufsein- oder -umsteiger/in mit ausgeprägtem Interesse an IT-Security, welche/r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich hier: https://www.cert.at/about/jobs/jobs.html --------------------------------------------- https://www.cert.at/services/blog/20170718152748-2072.html ∗∗∗ Exploit Derived From ETERNALSYNERGY Upgraded to Target Newer Windows Versions ∗∗∗ --------------------------------------------- Thai security researcher Worawit Wang has put together an exploit based on ETERNALENERGY that can also target newer versions of the Windows operating system. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-derived-from-eternal… ∗∗∗ Economic losses from cyber attack ‘akin to natural disaster’ ∗∗∗ --------------------------------------------- Not just a disaster for your data, a major attack could cost the global economy up to $120bn, according to new study. --------------------------------------------- https://www.htbridge.com/blog/economic-losses-from-cyber-attack-akin-to-nat… ∗∗∗ Linux Users Urged to Update as a New Threat Exploits SambaCry ∗∗∗ --------------------------------------------- A seven-year old vulnerability in Samba—an open-source implementation of the SMB protocol used by Windows for file and printer sharing—was patched last May but continues to be exploited. According to a security advisory released by the company, the vulnerability allows a malicious actor to upload a shared library to a writable share, causing the server to load and execute it. If leveraged successfully, an attacker could open a command shell in a vulnerable device and take control of --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/lri-dU9kM1o/ ===================== = Advisories = ===================== ∗∗∗ Cisco WebEx Browser Extension Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.The --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Bitdefender Remote Stack Buffer Overflow via 7z PPMD ∗∗∗ --------------------------------------------- submitted by /u/landave [link] [comments] --------------------------------------------- https://www.reddit.com/r/netsec/comments/6o0gji/bitdefender_remote_stack_bu… ∗∗∗ Bitdefender Remote Stack Buffer Overflow via 7z PPMD ∗∗∗ --------------------------------------------- https://www.reddit.com/r/netsec/comments/6o0gji/bitdefender_remote_stack_bu… ∗∗∗ DFN-CERT-2017-1230/">XML::LibXML: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1230/ ∗∗∗ [webapps] Barracuda Load Balancer Firmware <= 6.0.1.006 - Remote Command Injection (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/42333/?rss ∗∗∗ [webapps] Sophos Web Appliance 4.3.0.2 - trafficType Remote Command Injection (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/42332/?rss ∗∗∗ [remote] Belkin NetCam F7D7601 - Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/42331/?rss ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is affected by a user password being stored in plain text vulnerability (CVE-2017-1309) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005437 ∗∗∗ IBM Security Bulletin: BigFix Family WebUI Component Has Security Vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005246 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Sterling Connect:Direct for UNIX (CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005893 ∗∗∗ IBM Security Bulletin: Vulnerabilities in zlib affect IBM Sterling Connect:Direct for UNIX (CVE-2016-9840, CVE-2016-9841, CVE-2016-9843) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005891 ∗∗∗ IBM Security Bulletin: The BigFix Platform versions 9.1 and 9.2 have security vulnerabilities that have been addressed via patch releases ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006014 ∗∗∗ IBM Security Bulletin: Detailed error messages in IBM Emptoris Contract Management are vulnerable to attacks (CVE-2016-6018) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005664 ∗∗∗ IBM Tivoli Enterprise Portal Server Bugs Let Remote Users Execute Arbitrary Commands and Modify SQL Queries and Let Local Users Gain Elevated Privileges ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038913 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.07.2017
by Daily end-of-shift report 17 Jul '17

17 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-07-2017 18:00 − Montag 17-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Week in Ransomware - July 14th 2017 - NemucodAES, LeakerLocker, and More ∗∗∗ --------------------------------------------- It has been a slow week in terms of new releases, which is always a good thing. Still lots of small crapware being released that will never have much wide distribution. We also have some good news, which is the release of a NemucodAES decryptor by Emsisoft. This allows victims of this ransomware to get their files back for free. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-… ∗∗∗ We Tested More than 50 Free Security Tools so You can Use Them for Your Online Protection ∗∗∗ --------------------------------------------- The idea that we should create a gargantuan list of cyber security tools started to spring in our minds around the beginning of this year. We started from a simple idea: It should be useful. We need it. You need it. It will come in handy in the future, to have all those tools in […] --------------------------------------------- https://heimdalsecurity.com/blog/free-cyber-security-tools-list/ ∗∗∗ Popular Chrome Extension Sold To New Dev Who Immediately Turns It Into Adware ∗∗∗ --------------------------------------------- An anonymous reader writes: A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware. The latest case is the Particle for YouTube Chrome extension, a simple tool that allows users to change the UI and behavior of some of YouTubes standard features. Because Google was planning major changes to YouTubes UI, the extensions original author decided to retire it and create a new one. This is when the a mysterious company --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/StqZHG6JsVY/popular-chrome-… ∗∗∗ Petya From The Wire: Detection using IDPS ∗∗∗ --------------------------------------------- Most malware that traverses a network do so with specific indicators, some of which look like legitimate network traffic and others that are completely unique to the malware. A single IDPS signature can have high confidence of detecting an infection... --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Petya-From-The-Wire--Detecti… ∗∗∗ Gandi.net: Angreifer klaut interne Login-Daten und leitet Domains auf Malware um ∗∗∗ --------------------------------------------- Ein Angreifer hat die Login-Daten des französischen Registrars Gandi.net für einen seiner technischen Provider erlangt und 751 DNS-Einträge manipuliert, damit sie auf eine schädliche Website umleiten. --------------------------------------------- https://heise.de/-3772259 ∗∗∗ DDoS-Angriffe: Hacker flooden liebsten am Wochenende und abends ∗∗∗ --------------------------------------------- In seinem aktuellen DDoS-Report katalogisiert die deutsche Sicherheitsfirma Link11 die Distributed-Denial-of-Service-Angriffe auf Unternehmen der DACH-Region. Der Bericht legt nahe, dass solche Angriffe nach wie vor viel Schaden in Unternehmen anrichten. --------------------------------------------- https://heise.de/-3773640 ∗∗∗ Jetzt patchen: FreeRADIUS stopft Sicherheitslücken ∗∗∗ --------------------------------------------- Wer den beliebten Open-Source-RADIUS-Server FreeRADIUS verwendet, sollte Updates einspielen. Über Sicherheitslücken können Angreifer aus der Ferne Schadcode zur Ausführung bringen. --------------------------------------------- https://heise.de/-3773875 ∗∗∗ Keeping up with the Petyas: Demystifying the malware family ∗∗∗ --------------------------------------------- Last June 27, there was a huge outbreak of a Petya-esque malware with WannaCry-style infector in the Ukraine. Since there is still confusion about how exactly this malware is linked to the original Petya, we have prepared this small guide on the background of the Petya family.Categories: CybercrimeMalwareTags: Anti-RansomwareEternalPetyaGoldeneye ransomwaregreen petyajanusMischa ransomwareNotPetyaPetrwrappetya originsPetya ransomwareransomwarered petya(Read more...)The post Keeping up with the --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas… ===================== = Advisories = ===================== ∗∗∗ DSA-3911 evince - security update ∗∗∗ --------------------------------------------- Felix Wilhelm discovered that the Evince document viewer made insecureuse of tar when opening tar comic book archives (CBT). Opening amalicious CBT archive could result in the execution of arbitrary code.This update disables the CBT format entirely. --------------------------------------------- https://www.debian.org/security/2017/dsa-3911 ∗∗∗ DSA-3910 knot - security update ∗∗∗ --------------------------------------------- Clément Berthaux from Synaktiv discovered a signature forgery vulnerability inknot, an authoritative-only DNS server. This vulnerability allows an attackerto bypass TSIG authentication by sending crafted DNS packets to a server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3910 ∗∗∗ DSA-3909 samba - security update ∗∗∗ --------------------------------------------- Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutualauthentication bypass vulnerability in samba, the SMB/CIFS file, print, andlogin server. Also known as Orpheus Lyre, this vulnerability is located inSamba Kerberos Key Distribution Center (KDC-REP) component and could be used byan attacker on the network path to impersonate a server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3909 ∗∗∗ WordPress Download Manager <= 2.9.49 - Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8856 ∗∗∗ WP-Members <= 3.1.7 - Authenticated Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8858 ∗∗∗ WordPress Download Manager <= 2.9.50 - Open Redirect ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8857 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2017
by Daily end-of-shift report 14 Jul '17

14 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-07-2017 18:00 − Freitag 14-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Hackers Are Using Automated Scans to Target Unfinished WordPress Installs ∗∗∗ --------------------------------------------- Experts from security firm Wordfence say they have observed a wave of web attacks that took aim at unfinished WordPress installations. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-using-automated-… ∗∗∗ Experts Warn Too Often AWS S3 Buckets Are Misconfigured, Leak Data ∗∗∗ --------------------------------------------- An analysis of Amazon Web Services storage containers reveals troubling trend of misconfigured S3 buckets that leak data. --------------------------------------------- http://threatpost.com/experts-warn-too-often-aws-s3-buckets-are-misconfigur… ∗∗∗ Reverse Engineering Hardware of Embedded Devices: From China to the World ∗∗∗ --------------------------------------------- This article covers some basic hardware reverse engineering techniques on PCB-level, which are applicable to any electronic embedded device to showcase how to analyze a previously unknown (to the researcher or public white-hat community) hardware device. --------------------------------------------- http://blog.sec-consult.com/2017/07/reverse-engineering-hardware.html ∗∗∗ Code Injection in Signed PHP Archives (Phar) ∗∗∗ --------------------------------------------- PHP contains an interesting but rarely used feature called Phar, which stands for PHp ARchive, that allows developers to package entire applications as a single executable file. It also boasts some additional security benefits by signing archives with a digital signature, disallowing the modification of the archives on production machines. --------------------------------------------- https://blog.sucuri.net/2017/07/code-injection-in-phar-signed-php-archives.… ∗∗∗ Peng!!! Comic HACKT Linux ∗∗∗ --------------------------------------------- Der unter Linux weit verbreitete Dokumenten-Betrachter Evince weist eine kritische Lücke auf, die sich ausnutzen lässt, um das System mit Schad-Software zu infizieren. Der Fehler lässt sich durch Comic-Books auslösen; Updates werden bereits ausgeliefert. --------------------------------------------- https://heise.de/-3771980 ∗∗∗ Thieves Used Infrared to Pull Data from ATM ‘Insert Skimmers’ ∗∗∗ --------------------------------------------- A greater number of ATM skimming incidents now involve so-called "insert skimmers," wafer-thin fraud devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. New evidence suggests that at least some of these insert skimmers -- which record card data and store it on a tiny embedded flash drive are -- equipped with technology allowing it to transmit stolen card data wirelessly via infrared, the same technology built into a television remote control. --------------------------------------------- https://krebsonsecurity.com/2017/07/thieves-used-infrared-to-pull-data-from… ∗∗∗ Gefälschte Rechnung verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Mit einer gefälschten Rechnung fordern Kriminelle Empfänger/innen dazu auf, einen Dateianhang zu öffnen. Er beinhalt angeblich eine "vollständige Kostenaufstellung". Diese ist in Wahrheit Schadsoftware. Rechnungsempfänger/innen dürfen sie nicht öffnen, andernfalls drohen ihnen erhebliche Nachteile. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-rechnu… ===================== = Advisories = ===================== ∗∗∗ Siemens SiPass integrated ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper authentication, improper privilege management, channel accessible by non-endpoint, and storing passwords in a recoverable format vulnerabilities in the Siemens SiPass integrated access control system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-194-01 ∗∗∗ GE Communicator ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a heap-based buffer overflow vulnerability in the GE Communicator. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-194-02 ∗∗∗ Vulnerabilities in Dasan Networks GPON ONT WiFi Router H64X Series ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070101 https://cxsecurity.com/issue/WLB-2017070102 https://cxsecurity.com/issue/WLB-2017070103 https://cxsecurity.com/issue/WLB-2017070104 ∗∗∗ DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2892404 ∗∗∗ Search 404 - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-053 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2888094 ∗∗∗ DFN-CERT-2017-1218: Evince: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1218/ ∗∗∗ DFN-CERT-2017-1221: GLPi: Mehrere Schwachstellen ermöglichen SQL-Injektionen und das Löschen beliebiger Dateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1221/ ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Flex System FC5022 16Gb SAN Scalable Switch and IBM Flex System EN4023 10Gb Scalable Switch (CVE-2016-2108) ∗∗∗ --------------------------------------------- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099625 ∗∗∗ Critical Patch Update - July 2017- Pre-Release Announcement ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html ∗∗∗ Apache mod_auth_digest Uninitialized Memory Error Lets Remote Users Obtain Potentially Sensitive Information and Deny Service ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038906 ∗∗∗ EMC ViPR SRM Default Accounts Let Remote Users Access the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038905 ∗∗∗ Pulse Connect Secure Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038880 ∗∗∗ SSA-589378 (Last Update 2017-07-13): Vulnerabilities in Android App SIMATIC Sm@rtClient ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-589378… ∗∗∗ SSA-874235 (Last Update 2017-07-13): Intel Vulnerability in Siemens Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2017
by Daily end-of-shift report 13 Jul '17

13 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-07-2017 18:00 − Donnerstag 13-07-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Learning Pentesting with Metasploitable3: Exploiting WebDAV ∗∗∗ --------------------------------------------- Introduction: In the third part of this series, we discussed how to exploit Metasploitable3 using a vulnerability in Elasticsearch 1.1.1. As mentioned in one of the .. --------------------------------------------- http://resources.infosecinstitute.com/learning-pentesting-metasploitable3-e… ∗∗∗ Evolution of Conditional Spam Targeting Drupal Sites ∗∗∗ --------------------------------------------- Last year we took a look at how attackers were infecting Drupal installations to spread their spam and keep their campaigns going by just including a malicious file in each visitor’s session. If your Drupal site has been compromised, .. --------------------------------------------- https://blog.sucuri.net/2017/07/drupal-conditional-spam-evolved.html ∗∗∗ New Ransomware Threatens to Send Your Internet History & Private Pics to All Your Friends ∗∗∗ --------------------------------------------- After WannaCry and Petya ransomware outbreaks, a scary (but rather creative) new strain of ransomware is spreading via bogus apps on the Google Play Store, this time targeting Android mobile users. Dubbed LeakerLocker, the Android .. --------------------------------------------- https://thehackernews.com/2017/07/leakerlocker-android-ransomware.html ∗∗∗ The Rodeo: Scammer bauen falschen Tor-Browser für falschen Darknet-Marktplatz ∗∗∗ --------------------------------------------- Dieser angebliche Darknet-Marktplatz entpuppt sich als wilder Ritt: Die gekauften Waren kommen nie an und die ausgegebenen Bitcoins sind futsch. --------------------------------------------- https://heise.de/-3770979 ∗∗∗ 250 Euro Spar-Gutschein zu gewinnen? ∗∗∗ --------------------------------------------- WhatsApp-Nutzer/innen erhalten die Nachricht, dass sie einen 250 Euro Gutschein von Spar gewinnen können. Dafür sollen sie drei Fragen beantworten und das Gewinnspiel über WhatsApp teilen. Dafür gibt es den Gutschein .. --------------------------------------------- https://www.watchlist-internet.at/handy-abzocke/250-euro-spar-gutschein-zu-… ===================== = Advisories = ===================== ∗∗∗ SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software ∗∗∗ --------------------------------------------- The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1212/">Apache Software Foundation Struts: Zwei Schwachstelle ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1212/ ∗∗∗ DFN-CERT-2017-1214/">McAfee Advanced Threat Defence (ATD): Mehrere Schwachstellen ermöglichen u.a. Erlangen von Administratorrechten ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1214/ ∗∗∗ Die Leier des Orpheus: Samba, Microsoft und andere fixen kritische Kerberos-Lücke ∗∗∗ --------------------------------------------- Durch einen simplen Fehler bei der Nutzung von Kerberos können sich Angreifer im Netz Zugriffsrechte auf Dienste wie Dateifreigaben erschleichen. Betroffen sind sowohl Windows- als auch Linux-Server beziehungsweise deren Clients. --------------------------------------------- https://heise.de/-3770761 ∗∗∗ SAP schließt Sicherheitslücken in Point-of-Sale-Software ∗∗∗ --------------------------------------------- SAP hat zehn Sicherheitsupdates veröffentlicht. Bei zwei davon schätzt die Firma die damit verbundene Gefahr als "hoch" ein. --------------------------------------------- https://heise.de/-3770849 ∗∗∗ Juniper Junos Default Credentials in SRX Series Integrated User Firewall Lets Remote Users Access the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038904 ∗∗∗ Juniper Junos SNMP Processing Bug Lets Remote Users Deny Service and Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038903 ∗∗∗ Juniper Junos Configuration Error Lets Remote Users Bypass Authentication and Access the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038902 ∗∗∗ BIG-IP PEM vulnerability CVE-2017-6144 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K81601350 ∗∗∗ iControl REST vulnerability CVE-2017-6145 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22317030 ∗∗∗ TMM SSL/TLS profile vulnerability CVE-2017-6141 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21154730 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2017
by Daily end-of-shift report 12 Jul '17

12 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-07-2017 18:00 − Mittwoch 12-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ NTLM Relay Attacks Still Causing Problems in 2017 ∗∗∗ --------------------------------------------- Microsofts July 2017 Patch Tuesday includes a fix for an issue with the NT LAN Manager (NTLM) Authentication Protocol that can be exploited to allow attackers to create admin accounts on a local networks domain controller (DC). [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ntlm-relay-attacks-still-cau… ∗∗∗ HTTPS: Private Schlüssel auf dem Webserver ∗∗∗ --------------------------------------------- Zu einem Zertifikat für verschlüsselte HTTPS-Verbindungen gehört ein privater Schlüssel. Doch was, wenn der Schlüssel auf dem Webserver landet - und dann nicht mehr privat ist? Wir fanden zahlreiche Webseiten, die ihren privaten Schlüssel zum Herunterladen anbieten. (SSL, Technologie) --------------------------------------------- https://www.golem.de/news/https-private-schluessel-auf-dem-webserver-1707-1… ∗∗∗ Telegram-Controlled Hacking Tool Targets SQL Injection at Scale ∗∗∗ --------------------------------------------- The Katyusha Scanner can find SQL injection bugs at scale, and is managed via the Telegram messenger on any smartphone. --------------------------------------------- http://threatpost.com/telegram-controlled-hacking-tool-targets-sql-injectio… ∗∗∗ July 2017 security update release ∗∗∗ --------------------------------------------- Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend they turn on automatic updates as a best practice. More information about this month’s security updates can be found on the Security Update Guide. MSRC team --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/07/11/july-2017-security-upda… ∗∗∗ Who Controls The Internet? ∗∗∗ --------------------------------------------- The title of the paper Who controls the Internet? Analyzing global threats using property traversal graphs is enough to ensnare any Internet researcher. The control plane for a number of attacks, as the paper points out, is the DNS due to the role it plays in mapping names to resources. MX records in the DNS control [...] --------------------------------------------- http://dyn.com/blog/who-controls-the-internet/ ∗∗∗ Julys Microsoft Patch Tuesday, (Tue, Jul 11th) ∗∗∗ --------------------------------------------- TodaysMicrosoft Patch Tuesdayfixes critical and important flaws that, if exploited, could give an attacker a range of possibilities - from privilege escalation to remote code execution (RCE) - on different Windows OS and Microsoft Office versions. --------------------------------------------- https://isc.sans.edu/diary/rss/22602 ∗∗∗ Backup Scripts, the FIM of the Poor, (Wed, Jul 12th) ∗∗∗ --------------------------------------------- File Integrity Management or FIM is an interesting security control that can help to detect unusual changes in a file system. By example, on a server, they are directories that do not change often. --------------------------------------------- https://isc.sans.edu/diary/rss/22606 ∗∗∗ Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers ∗∗∗ --------------------------------------------- Customer-premises equipment (CPE)—specifically small office/home office (SOHO) routers—has become ubiquitous. CPE routers are notorious for their web interface vulnerabilities, old versions of software components with known vulnerabilities, default and hard-coded credentials, and other security issues. --------------------------------------------- http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=502613 ∗∗∗ What will it take to improve the ICS patch process? ∗∗∗ --------------------------------------------- While regular patching is indisputably good advice for IT networks, one of the main takeaways from the Petya and WannaCry attacks is that a lot of companies don’t do it. And with even more NSA exploits like EternalBlue scheduled to be released by The Shadow Brokers (TSB), it’s certainly not going to get any better. Patching IT systems is hard enough, but it’s even more difficult to patch industrial control systems (ICS), commonly found in [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/07/12/ics-patch-process/ ===================== = Advisories = ===================== ∗∗∗ Security Update for Windows Kernel (3186973) ∗∗∗ --------------------------------------------- V1.0 (September 13, 2016): Bulletin published. V2.0 (July 11, 2017): Revised Windows Affected Software and Vulnerability Severity Ratings table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3305. Microsoft recommends that customers running Windows 10 Version 1703 should install update 4025342 to be protected from this vulnerability. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-111 ∗∗∗ [2017-07-12] Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products ∗∗∗ --------------------------------------------- The AGFEO ES 5xx/6xx SmartHome product lines are prone to multiple critical vulnerabilities. It is possible to read the whole user database by an active debug web service in order to reveal all passwords even from the administrative account. Furthermore, many debug services are active which enable an attacker to reconfigure the whole device without such administrative permissions. A hardcoded cryptographic key pair is embedded in the firmware which is used for HTTPS communication. Those keys [...] --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… ∗∗∗ Fuji Electric V-Server ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-02 ∗∗∗ ABB VSN300 WiFi Logger Card ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-03 ∗∗∗ OSIsoft PI Coresight ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-04 ∗∗∗ Schweitzer Engineering Laboratories, Inc. SEL-3620 and SEL-3622 ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-06 ∗∗∗ OSIsoft PI ProcessBook and PI ActiveView ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-05 ∗∗∗ NetIQ Privileged Account Manager 3.1 Patch Update 3 (3.1.0.3) ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=MtsbTyzebZw~ ∗∗∗ DFN-CERT-2017-1206/">FreeBSD, Heimdal: Eine Schwachstelle ermöglicht die vollständige Kompromittierung des Dienstes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1206/ ∗∗∗ Security Advisory - Directory Traversal Vulnerability in Push Module of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-… ∗∗∗ Security Advisory - Escalation of Privilege Vulnerability in Intel AMT, Intel ISM and Intel SMT ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Push Module of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-… ∗∗∗ IBM Security Bulletin: Daeja ViewONE arbitrary files can be accessed ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003806 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004602 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Functional Tester (CVE-2017-3511, CVE-2017-3514, CVE-2017-3539) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005085 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in zlib affects IBM Common Inventory Technology (CIT) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005841 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities addressed in the IBM Emptoris Sourcing product (CVE-2017-1447, CVE-2017-1449, CVE-2017-1450, CVE-2017-1444) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005834 ∗∗∗ IBM Security Bulletin: Vulnerability in account lockout affects IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x (CVE-2016-8964) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21995024 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-50… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities addressed in IBM Emptoris Strategic Supply Management (CVE-2016-6019, CVE-2016-8951, CVE-2016-8952 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005839 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM WebSphere MQ (CVE-2016-3485 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22001630 ∗∗∗ JSA10806 - 2017-07 Security Bulletin: Junos OS: SRX Series: Cluster configuration synch failures occur if the root user account is locked out (CVE-2017-10604) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10806&actp=RSS ∗∗∗ JSA10775 - 2017-07 Security Bulletin: OpenSSL Security Advisory [26 Jan 2017] ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10775&actp=RSS ∗∗∗ JSA10779 - 2017-07 Security Bulletin: Junos: RPD crash due to malformed BGP OPEN message (CVE-2017-2314) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10779&actp=RSS ∗∗∗ JSA10782 - 2017-07 Security Bulletin: ScreenOS: Multiple XSS vulnerabilities in ScreenOS Firewall ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10782&actp=RSS ∗∗∗ JSA10787 - 2017-07 Security Bulletin: Junos: VM to host privilege escalation in platforms with Junos OS running in a virtualized environment. (CVE-2017-2341) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10787&actp=RSS ∗∗∗ JSA10789 - 2017-07 Security Bulletin: Junos: SRX Series denial of service vulnerability in flowd due to crafted DHCP packet (CVE-2017-10605) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10789&actp=RSS ∗∗∗ JSA10790 - 2017-07 Security Bulletin: SRX Series: MACsec failure to report errors (CVE-2017-2342) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10790&actp=RSS ∗∗∗ JSA10791 - 2017-07 Security Bulletin: SRX Series: Hardcoded credentials in Integrated UserFW feature. (CVE-2017-2343) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10791&actp=RSS ∗∗∗ JSA10792 - 2017-07 Security Bulletin: Junos: Buffer overflow in sockets library (CVE-2017-2344) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10792&actp=RSS ∗∗∗ JSA10793 - 2017-07 Security Bulletin: Junos: snmpd denial of service upon receipt of crafted SNMP packet (CVE-2017-2345) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10793&actp=RSS ∗∗∗ JSA10794 - 2017-07 Security Bulletin: MS-MPC or MS-MIC crash when passing large fragmented traffic through an ALG (CVE-2017-2346) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10794&actp=RSS ∗∗∗ JSA10797 - 2017-07 Security Bulletin: Junos OS: Incorrect argument handling in sendmsg() affects Junos OS (CVE-2016-1887) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10797&actp=RSS ∗∗∗ HPE Performance Center Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038868 ∗∗∗ HPE LoadRunner Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038867 ∗∗∗ Linux kernel vulnerability CVE-2017-1000365 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15412203 ∗∗∗ Linux kernel vulnerability CVE-2016-8399 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23030550 ∗∗∗ IPv6 fragmentation vulnerability CVE-2016-10142 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K57211290 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2017
by Daily end-of-shift report 11 Jul '17

11 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Montag 10-07-2017 18:00 − Dienstag 11-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Security Bulletins posted for Adobe Flash Player and Adobe Connect ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-21) and Adobe Connect (APSB17-22). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. This posting is provided “AS IS” with no [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1474 ∗∗∗ Exploiting Windows Authentication Protocols: Introduction ∗∗∗ --------------------------------------------- SMB relay attack Exploiting the weak Windows authentication protocols is on the top of the list for any adversary, because it mostly relies on a design flaw in the protocol itself, moreover, it is easy and could allow the adversary to get access to remote systems with almost no alert from most systems such as [...] --------------------------------------------- http://resources.infosecinstitute.com/exploiting-windows-authentication-pro… ∗∗∗ A Computational Complexity Attack against Racoon and ISAKMP Fragmentation ∗∗∗ --------------------------------------------- Trustwave recently reported a remotely exploitable computational complexity vulnerability in the racoon isakmp daemon that is part of the ipsec-tools open-source project (http://ipsec-tools.sourceforge.net/). The vulnerability is present in the handling of fragmented packets. A computational complexity attack seeks to cause [...] --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/A-Computational-Complexity-A… ∗∗∗ Verschlüsselung knackbar: Hoffnung für (manche) NotPetya-Opfer ∗∗∗ --------------------------------------------- Die Entwickler des Verschlüsselungstrojaners NotPetya haben entscheidende Fehler bei der Umsetzung ihrer Verschlüsselung gemacht. Unter bestimmten Umständen lässt sich diese knacken. Automatische Tools wird es aber wohl erst einmal nicht geben. --------------------------------------------- https://heise.de/-3768889 ∗∗∗ SambaCry bedroht HPE-NonStop-Server ∗∗∗ --------------------------------------------- Das NonStopOS von Hewlett Packards NonStop-Serversystemen ist anfällig für Angriffe über die SambaCry-Lücke. Die Firma empfiehlt, entsprechende Workarounds umzusetzen, bis Patches bereit stehen. --------------------------------------------- https://heise.de/-3769117 ∗∗∗ Learning PowerShell: The basics ∗∗∗ --------------------------------------------- Get acquainted with some of the basic principles of Powershell and get prepared for some basic usage of this versatile tool that is available on all modern Windows systems. --------------------------------------------- https://blog.malwarebytes.com/101/how-tos/2017/07/learning-powershell-the-b… ∗∗∗ SAP Security Patch Day – July 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...] --------------------------------------------- https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/ ===================== = Advisories = ===================== ∗∗∗ Schneider Electric Pelco Sarix/Spectra Cameras Root Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070080 ∗∗∗ Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070076 ∗∗∗ DFN-CERT-2017-1193: Sophos UTM: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1193/ ∗∗∗ HPESBNS03755 rev.1 - HPE NonStop Server using Samba, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004729 ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance invalid requests cause denial of service to SDR and CLUSSDR channels (CVE-2017-1285) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22003856 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Cast Iron ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005610 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Emptoris Spend Analysis product (CVE-2017-1445, CVE-2017-1446) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005787 ∗∗∗ IBM Security Bulletin:Multiple vulnerabilities in the IBM Emptoris Services Procurement product ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005550 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM Emptoris Sourcing product ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005549 ∗∗∗ IBM Security Bulletin: Apache PDFBox affects IBM Emptoris Contract Management (CVE-2016-2175) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005591 ∗∗∗ SQL Injection in extension "Content Rating Extbase" (content_rating_extbase) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/sql-injection-in-extension-content-rating-ex… ∗∗∗ Remote Code Execution in extension "PHPMailer" (bb_phpmailer) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/remote-code-execution-in-extension-phpmailer… ∗∗∗ Remote Code Execution in extension "AH Sendmail" (ah_sendmail) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/remote-code-execution-in-extension-ah-sendma… ∗∗∗ Remote Code Execution in extension "Maag Sendmail" (maag_sendmail) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/remote-code-execution-in-extension-maag-send… ∗∗∗ SQL Injection in extension "Faceted Search" (ke_search) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/sql-injection-in-extension-faceted-search-ke… ∗∗∗ Linux kernel vulnerability CVE-2017-1000364 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51931024 ∗∗∗ Linux kernel vulnerability CVE-2017-1000366 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20486351 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.07.2017
by Daily end-of-shift report 10 Jul '17

10 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-07-2017 18:00 − Montag 10-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ A VBScript with Obfuscated Base64 Data, (Sat, Jul 8th) ∗∗∗ --------------------------------------------- A few months ago, I posted a diary to explain how to search for (malicious) PE files in Base64 data[1]. Base64 is indeed a common way to distribute binary content in an ASCII form. There are plenty of scripts based on this technique. On my Macbook, Im using width:800px [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22590 ∗∗∗ Adversary hunting with SOF-ELK, (Sun, Jul 9th) ∗∗∗ --------------------------------------------- As we recently celebrated Independence Day in the U.S., Im reminded that we honor what was, of course, an armed conflict. Todays realities, when we think about conflict, are quite different than the days of lining troops up across the field from each other, loading muskets, and flinging balls of lead into the fray. We live in a world of asymmetrical battles, often conflicts that arent always obvious in purpose and intent, and likely fought on multiple fronts. For one of the best reads on the [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22592 ∗∗∗ 94 .ch & .li domain names hijacked and used for drive-by ∗∗∗ --------------------------------------------- A Swiss domain holder called us today telling us that the .ch zone points to the wrong name servers for his domain. The NS entries were ns1.dnshost[.]ga and ns2.dnshost[.]ga. We contacted the registrar and soon realized that this is not the [...] --------------------------------------------- https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-an… ∗∗∗ BSI warnt Unternehmen gezielt vor akutem Risiko durch CEO Fraud ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/CEO_Fraud_1… ∗∗∗ Attack on Critical Infrastructure Leverages Template Injection ∗∗∗ --------------------------------------------- Contributors: Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall Executive SummaryAttackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro [...] --------------------------------------------- http://blog.talosintelligence.com/2017/07/template-injection.html ===================== = Advisories = ===================== ∗∗∗ Microsoft .NET Privilege Escalation ∗∗∗ --------------------------------------------- Topic: Microsoft .NET Privilege Escalation Risk: Medium Text:Hi @ll, all versions of .NET Framework support to load a COM object as code profiler, enabled via two or three environment ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070067 ∗∗∗ DSA-3905 xorg-server - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3905 ∗∗∗ Petya Malware Variant (Update C) ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01C ∗∗∗ iManager 3.0.3 Patch 2 (3.0.3.2) ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=KhPP8lJyDik~ ∗∗∗ DFN-CERT-2017-1188: SQLite: Eine Schwachstelle ermöglicht u.a. das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1188/ ∗∗∗ DFN-CERT-2017-1187: Apache Software Foundation Struts: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1187/ ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server for Bluemix April 2017 CPU ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004278 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Performance Tester. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004418 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Service Tester. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004419 ∗∗∗ EMC Data Protection Advisor Input Validation Flaws Let Remote Authenticated Users Obtain Potentially Sensitive Information and Inject SQL Commands ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038841 ∗∗∗ EMC Secure Remote Services (ESRS) Policy Manager Undocumented Account With Default Password Lets Remote Users Access the Target System ∗∗∗ --------------------------------------------- -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2017
by Daily end-of-shift report 07 Jul '17

07 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-07-2017 18:00 − Freitag 07-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ CIA Malware Can Steal SSH Credentials, Session Traffic ∗∗∗ --------------------------------------------- WikiLeaks dumped today the documentation of two CIA hacking tools codenamed BothanSpy and Gyrfalcon, both designed to steal SSH credentials from Windows and Linux systems, respectively. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security /cia-malware-can-steal-ssh-credentials-session-traffic/ ∗∗∗ ZIP Bombs Can Protect Websites From Getting Hacked ∗∗∗ --------------------------------------------- Webmasters can use so-called ZIP bombs to crash a hackers vulnerability and port scanner and prevent him from gaining access to their website. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security /zip-bombs-can-protect-websites-from-getting-hacked/ ∗∗∗ IT und Energiewende: Stromnetzbetreiber fordern das ganz große Lastmanagement ∗∗∗ --------------------------------------------- Silizium statt Kupfer und Stahl: Die Energiewende und die Elektromobilität erfordern einen Ausbau des Stromnetzes. Doch die Netzbetreiber setzen lieber auf Digitalisierung und "Flexibilisierung". Stromlieferanten wollen sich gegen die Bevormundung wehren. (Smart Grid, GreenIT) --------------------------------------------- https://www.golem.de/news /it-und-energiewende-stromnetzbetreiber-fordern-das-ganz-grosse-last management-1707-128779-rss.html ∗∗∗ Decryption Key to Original Petya Ransomware Released ∗∗∗ --------------------------------------------- The key to decrypt the original Petya ransomware has been reportedly released by the ransomware’s author. --------------------------------------------- http://threatpost.com /decryption-key-to-original-petya-ransomware-released/126705/ ∗∗∗ Someones phishing US nuke power stations. So far, no kaboom ∗∗∗ --------------------------------------------- Stuxnet, this aint Dont panic, but attackers are trying to phish their way into machines in various US power facilities, including nuclear power station operators. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/071/07 /someones_phishing_us_nuke_power_stations_so_far_no_kaboom/ ∗∗∗ Lets not help attackers by spreading fear, uncertainty and doubt ∗∗∗ --------------------------------------------- Spreading FUD in the wake of cyber-attacks is never a good idea. But its even worse when this might be one of the attackers implicit goals. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/07 /lets-not-help-attackers-spreading-fear-uncertainty-and-doubt/ ∗∗∗ Hacker-Sammlung gefunden: 500 Mio. E-Mail-Adressen und Passwörter betroffen ∗∗∗ --------------------------------------------- Das Bundeskriminalamt hat in einer Underground-Economy-Plattform im Internet eine Sammlung von ca. 500.000.000 ausgespähten Zugangsdaten gefunden. Die Daten bestehen aus Email-Adressen mit dazugehörigen Passwörtern. Vermutlich stammen die Daten von verschiedenen Hacking-Angriffen und wurden über einen längeren Zeitraum zusammengetragen. Die aktuellsten ausgespähten Zugangsdaten sind wahrscheinlich aus Dezember 2016. --------------------------------------------- https://www.bka.de/SharedDocs/Kurzmeldungen/DE/Kurzmeldungen /170705_HackerSammlung.html ∗∗∗ Abgesicherte PHP-Versionen erschienen ∗∗∗ --------------------------------------------- Trotz der Möglichkeit von Angreifern Schadcode ausführen zu können, gilt der Bedrohungsgrad nicht als kritisch. --------------------------------------------- https://heise.de/-3766935 ∗∗∗ Android-Mega-Patch: Google schließt haufenweise kritische Lücken ∗∗∗ --------------------------------------------- Unter anderem werden Lücken in WLAN-Chipsets von Broadcom geschlossen, die Angreifern das Ausführen von Code mittels manipulierter Wifi-Pakete erlauben. Auch für Android 4.4 (KitKat) sind Patches dabei. --------------------------------------------- https://heise.de/-3767103 ∗∗∗ New Ransomware Variant "Nyetya" Compromises Systems Worldwide ∗∗∗ --------------------------------------------- Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.Update 2017-07-06 12:30 EDT: Updated to explain the modified DoublePulsar backdoor.Since the SamSam attacks that targeted US healthcare entities in March 2016, Talos has been concerned about the proliferation of malware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware took advantage of a vulnerability in [...] --------------------------------------------- http://blog.talosintelligence.com/2017/06 /worldwide-ransomware-variant.html ===================== = Advisories = ===================== ∗∗∗ Schneider Electric Wonderware ArchestrA Logger ∗∗∗ --------------------------------------------- This advisory contains mitigation details for stack-based buffer overflow, uncontrolled resource consumption, and null pointer deference vulnerabilities in Schneider Electric’s Wonderware ArchestrA Logger. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-187-04 ∗∗∗ Schneider Electric Ampla MES ∗∗∗ --------------------------------------------- This advisory contains mitigation details for cleartext transmission of sensitive information and inadequate encryption strength vulnerabilities in Schneider Electric’s Ampla MES. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Credential Disclosure ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070056 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Support Tunnel Hijack ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070060 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Username / Session ID Leak ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070059 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Early Boot Root Shell ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070058 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Grub Password Complexity ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070057 ∗∗∗ Bugtraq: KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/540812 ∗∗∗ Bugtraq: [SYSS-2017-011] Office 365: Insufficient Session Expiration (CWE-613) ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/540814 ∗∗∗ iManager 2.7 Support Pack 7 - Patch 10 Hotfix 2 ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=WeEb4PchpTU~ ∗∗∗ eDirectory 8.8 SP8 Patch 10 ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=VYtYu65T21Y~ ∗∗∗ IBM Security Bulletin: IBM MQ Java/JMS application can incorrectly flow password in plain text. (CVE-2017-1337) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003853 ∗∗∗ IBM Security Bulletin: IBM MQ Passwords specified by MQ java or JMS applications can appear in WebSphere Application Server trace. (CVE-2017-1284) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003851 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server and Tivoli Netcool Performance Manager October 2016 and January 2017 CPU (multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005615 ∗∗∗ IBM Security Bulletin: Vulnerabilities in tcpdump affect AIX ∗∗∗ --------------------------------------------- http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc ∗∗∗ PHP Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038837 ∗∗∗ systemd vulnerability CVE-2017-9445 ∗∗∗ ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 6-07-2017
by Daily end-of-shift report 06 Jul '17

06 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 05-07-2017 18:00 − Donnerstag 06-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Decryptor Released for the Mole02 CryptoMix Ransomware Variant *** --------------------------------------------- It is always great to be able to announce a free decryptor for victims who have had their files encrypted by a ransomware. This is the case today, where a decryptor for the Mole02 cryptomix variant was released. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-m… *** Evolution of Conditional Spam Targeting Drupal Sites *** --------------------------------------------- Last year we took a look at how attackers were infecting Drupal installations to spread their spam and keep their campaigns going by just including a malicious file in each visitor's session. It's quite common for attackers to evolve their techniques and add new variations of hidden backdoors to make it harder to get rid of the infection. These evasion and reinfection techniques can also make it difficult to modify the malicious code, which is what has exactly happened in this case, [...] --------------------------------------------- https://blog.sucuri.net/2017/07/drupal-conditional-spam-evolved.html *** New BTCWare Ransomware Decrypter Released for the Master Variant *** --------------------------------------------- Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the author of the eponymous ransomware has leaked the private key for his latest version. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-btcware-ransomware-decry… *** Sicherheitsupdates: Cisco kämpft gegen statische und unverschlüsselte Zugangsdaten *** --------------------------------------------- Der Netzwerkausrüster stopft zum Teil kritische Sicherheitslücken in seinem Elastic Services Controller und seinem Ultra Services Framework. --------------------------------------------- https://heise.de/-3765238 *** M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013 *** --------------------------------------------- Servers and infrastructure belonging to Intellect Service, the company behind the M.E.Doc accounting software, were grossly mismanaged, being left without updates since 2013, and getting backdoored on three separate occasions during the past three months. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoo… *** The MeDoc Connection *** --------------------------------------------- The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was [...] --------------------------------------------- http://blog.talosintelligence.com/2017/07/the-medoc-connection.html *** Fritzbox-Lücke erlaubt delikate Einblicke ins lokale Netz *** --------------------------------------------- Durch ein Informationsleck können Webseiten offenbar viele Details über das Heimnetz eines Fritzbox-Nutzers erfahren. Zu den abfischbaren Daten zählen die Netzwerknamen aller Clients, IP- und Mac-Adresssen und die eindeutige ID der Fritzbox. --------------------------------------------- https://heise.de/-3764885 *** FIRST announces release of Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure *** --------------------------------------------- The Forum of Incident Response and Security Teams announces the release of a set of guidelines and norms for vulnerability disclosure that affects multiple parties. --------------------------------------------- https://www.first.org/newsroom/releases/20170706 *** APWG Global Phishing Survey 2016: Trends and Domain Name Use *** --------------------------------------------- This report comprehensively examines a large data set of more than 250,000 phishing attacks detected in 2015 and 2016. By quantifying this cybercrime activity and understanding the patterns that lurk therein, we have learned more about what phishers have been doing, and how they have accomplished their schemes. --------------------------------------------- https://apwg.org/resources/apwg-reports/domain-use-and-trends https://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf *** Gefälschte Anwaltsschreiben verbreiten Schadsoftware *** --------------------------------------------- In gefälschten Anwaltsschreiben behaupten Kriminelle, dass Adressat/innen Schulden bei einem Unternehmen haben. Weiterführende Informationen zu der offenen Geldforderung sollen sich im Dateianhang der Nachricht finden. In Wahrheit verbirgt er Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-anwalt… *** BadGPO - Using Group Policy Objects for Persistence and Lateral Movement *** --------------------------------------------- [...] Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post exploitation scenario of an already compromised domain. --------------------------------------------- http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_052_Willi_… *** ZDI-17-452: (0Day) Advantech WebOP Designer Project File Heap Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebOP Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-452/ *** Android Security Bulletin July 2017 *** --------------------------------------------- https://source.android.com/security/bulletin/2017-07-01.html *** BlackBerry powered by Android Security Bulletin July 2017 *** --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… *** Petya Malware Variant (Update B) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-181-01A Petya Ransomware Variant that was published July 3, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk [...] --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01B *** rsyslog: remote syslog PRI vulnerability CVE-2014-3634 *** --------------------------------------------- rsyslog: remote syslog PRI vulnerability CVE-2014-3634. Security Advisory. Security Advisory Description. rsyslog before ... --------------------------------------------- https://support.f5.com/csp/article/K42903299 *** DFN-CERT-2017-1171: LibTIFF: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1171/ *** Security Advisories for Drupal Third-Party Modules *** --------------------------------------------- *** SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055 *** https://www.drupal.org/node/2890357 --------------------------------------------- *** DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057 *** https://www.drupal.org/node/2892404 --------------------------------------------- *** OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056 *** https://www.drupal.org/node/2892400 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A Security vulnerability in IBM Java SDK affects IBM Tivoli System Automation for Multiplatforms (CVE-2017-1289). *** http://www.ibm.com/support/docview.wss?uid=swg22005058 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002336 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22002335 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand *** http://www-01.ibm.com/support/docview.wss?uid=swg22000488 --------------------------------------------- *** Siemens Security Advisories *** --------------------------------------------- *** SSA-804859 (Last Update 2017-07-06): Denial of Service Vulnerability in SIMATIC Logon *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-804859… --------------------------------------------- *** SSA-874235 (Last Update 2017-07-06): Intel Vulnerability in Siemens Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235… --------------------------------------------- *** SSA-275839 (Last Update 2017-07-06): Denial-of-Service Vulnerability in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839… --------------------------------------------- *** SSA-931064 (Last Update 2017-07-06): Authentication Bypass in SIMATIC Logon *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-931064… --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Nexus Series Switches Telnet CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Nexus Series Switches CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco FireSIGHT System Software Arbitrary Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wide Area Application Services Central Manager Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wide Area Application Services Core Dump Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework Staging Server Arbitrary Command Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework AutoVNF Log File User Credential Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework UAS Unauthenticated Access Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco StarOS Border Gateway Protocol Process Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Network Privilege Escalation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Identity Services Engine Guest Portal Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XR Software Multicast Source Discovery Protocol Session Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XR Software Incorrect Permissions Privilege Escalation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Elastic Services Controller Unauthorized Access Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Elastic Services Controller Arbitrary Command Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Network Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco StarOS CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 5-07-2017
by Daily end-of-shift report 05 Jul '17

05 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 04-07-2017 18:00 − Mittwoch 05-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** #NoPetya-Attacke hinterließ Sicherheitslücke *** --------------------------------------------- Der weltweite Cyberangriff in der vergangenen Woche hat schwerwiegendere Folgen als bislang bekannt. --------------------------------------------- https://futurezone.at/digital-life/nopetya-attacke-hinterliess-sicherheitsl… *** Cyber-Attacke NotPetya: Angebliche Angreifer wollen 250.000 Euro für Datenrettung *** --------------------------------------------- Die mutmaßlichen Entwickler der Schadsoftware NotPetya wollen gegen 100 Bitcoin (fast 250.000 Euro) einen Schlüssel herausgeben, mit dem die Daten zu retten sein sollen. Ob sie Wort halten, ist unklar. Beobachter vermuten andere Motive hinter der Wendung. --------------------------------------------- https://heise.de/-3764208 *** Ukrainian Police Seize Servers From Where NotPetya Outbreak First Spread *** --------------------------------------------- Ukrainian Police announced today it seized the servers from where the NotPetya ransomware outbreak first started to spread. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ukrainian-police-seize-serve… *** The day a mysterious cyber-attack crippled Ukraine *** --------------------------------------------- On the morning of Tuesday, 27 June, Oleh Derevianko, the head of Kiev-based cybersecurity firm Information Security Systems Partners (ISSP), was at Bessarabska market, a popular food market in the heart of downtown. Derevianko was picking up a few things before heading out for the 300km drive to his parents' village. Wednesday was constitution day in Ukraine, a national holiday, and he'd be using the mid-week break to spend a couple days with his kids. --------------------------------------------- http://www.bbc.com/future/story/20170704-the-day-a-mysterious-cyber-attack-… *** NotPetya Group Moves All Their Bitcoin, Posts Proposition on the Dark Web *** --------------------------------------------- The person or group behind the NotPetya ransomware has made its first move since the outbreak that took place eight days ago. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/notpetya-group-moves-all-the… *** Doctor Web: M.E.Doc backdoor lets cybercriminals access computers *** --------------------------------------------- July 4, 2017 Doctor Web security researchers examined the update module M.E.Doc and discovered that it is involved in the distribution of at least one other malicious program. You may recall that independent researchers named specifically this M.E.Doc update module as the source of the recent outbreak of the encryption worm Trojan.Encoder.12544, also known as NePetya, Petya.A, ExPetya and WannaCry-2. M.E.Doc is tax accounting software that is popular in Ukraine. --------------------------------------------- http://news.drweb.com/show/?i=11363&lng=en&c=9 *** Qubes OS im Test: Linux sicher und nutzerfreundlich? *** --------------------------------------------- Anwendungen und Einsatzbereiche voneinander per Virtualisierung trennen, gleichzeitig eine für den regulären Nutzer einfach zu bedienende Desktop-Oberfläche bieten: Das Qubes-OS-Projekt hat sich einiges vorgenommen. --------------------------------------------- https://heise.de/-3764500 *** Österreich im Bereich Cybersicherheit auf Platz 30 *** --------------------------------------------- Große Industriestaaten schneiden bei der Cybersicherheit einer UN-Studie zufolge teils schlechter ab als einige deutlich ärmere Staaten. --------------------------------------------- https://futurezone.at/digital-life/oesterreich-im-bereich-cybersicherheit-a… *** Introducing Linux Support for FakeNet-NG: FLARE's Next GenerationDynamic Network Analysis Tool *** --------------------------------------------- Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware analysis and reverse engineering. Since FakeNet-NG's release, FLARE has added support for additional protocols. FakeNet-NG now has out-of-the-box support for DNS, HTTP (including BITS), FTP, TFTP, [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-faken… *** The Hardware Forensic Database *** --------------------------------------------- The Hardware Forensic Database (or HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools. --------------------------------------------- http://hfdb.io/ *** Kundendaten: Datenleck bei der Deutschen Post *** --------------------------------------------- Eine Datenbank mit 200.000 Umzugsmitteilungen der Post lag ungeschützt im Netz. Tausende andere Firmen aus aller Welt haben exakt den gleichen Fehler gemacht. --------------------------------------------- https://www.golem.de/news/kundendaten-datenleck-bei-der-deutschen-post-1707… *** Vulnerability Spotlight: Dell Precision Optimizer and Invincea Vulnerabilities *** --------------------------------------------- Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application service software, Invincea-X and Invincea Dell Protected Workspace. These packages are pre-installed on certain Dell systems. Vulnerabilities present in these applications could allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user. --------------------------------------------- http://blog.talosintelligence.com/2017/06/vulnerability-spotlight-dell-prec… *** Security Advisory - DoS Vulnerability in TLS of Some Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170705-… *** rt-sa-2017-011 *** --------------------------------------------- Remote Command Execution in PDNS Manager --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2017-011.txt *** DFN-CERT-2017-1159: Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1159/ *** IBM Security Bulletin: Incorrect saved channel status enquiry could cause denial of service for IBM MQ (CVE-2017-1236) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003510 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005108 *** IBM Security Bulletin: RabbitMQ vulnerability affect IBM Cloud Manager with OpenStack (CVE-2015-8786) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025403

1 0

Tageszusammenfassung - Dienstag 4-07-2017
by Daily end-of-shift report 04 Jul '17

04 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 03-07-2017 18:00 − Dienstag 04-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Yet more reasons to disagree with experts on nPetya *** --------------------------------------------- In WW II, they looked at planes returning from bombing missions that were shot full of holes. Their natural conclusion was to add more armor to the sections that were damaged, to protect them in the future. But wait, said the statisticians. The original damage is likely spread evenly across the plane. Damage on returning planes indicates where they could damage and still return. The undamaged areas are where they were hit and couldnt return. Thus, its the undamaged areas you need to [...] --------------------------------------------- http://blog.erratasec.com/2017/07/yet-more-reasons-to-disagree-with.html *** Analysis of TeleBots cunning backdoor *** --------------------------------------------- On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors' intention was to cause damage, so they did all that they could to make data decryption very unlikely. --------------------------------------------- https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-back… *** GnuPG crypto library cracked, look for patches *** --------------------------------------------- Boffins bust libgcrypt via side-channel Linux users need to check out their distributions to see if a nasty bug in libgcrypt20 has been patched. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/07/04/gnupg_crypt… *** Cryptology ePrint Archive: Report 2017/627 *** --------------------------------------------- Sliding right into disaster: Left-to-right sliding windows leak Abstract: It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery [...] --------------------------------------------- https://eprint.iacr.org/2017/627 *** ERCIM News 110 published - Special theme "Blockchain Engineering" *** --------------------------------------------- The ERCIM News No. 110 has just been published at with a special theme on "Blockchain Engineering". SBA Research contributes two articles in this issue. The first article is by Aljosha Judmayer, Alexei Zamyatin, Nicholas Stifter and Edgar Weippl on [...] --------------------------------------------- https://www.sba-research.org/2017/07/03/ercim-news-110-published-special-th… *** Joomla! 3.7.3 Release *** --------------------------------------------- Security Issues Fixed Core - Information Disclosure (affecting Joomla 1.7.3-3.7.2) Core - XSS Vulnerability (affecting Joomla 1.7.3-3.7.2) Core - XSS Vulnerability (affecting Joomla 1.5.0-3.6.5) --------------------------------------------- https://www.joomla.org/announcements/release-news/5709-joomla-3-7-3-release… *** Petya Malware Variant (Update A) *** --------------------------------------------- This updated alert is a follow-up to the original alert titled ICS-ALERT-17-181-01 Petya Ransomware Variant that was published June 30, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01A *** RSA Archer eGRC Multiple Flaws Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Open Redirect Attacks and Let Remote Authenticated Users Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1038815 *** DFN-CERT-2017-1145: Apache Subversion: Eine Schwachstelle ermöglicht die Manipulation von Daten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1145/ *** SSA-563539 (Last Update: 2017-07-04): Vulnerabilities in OZW672 and OZW772 *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-563539… *** SSA-323211 (Last Update: 2017-07-04): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Devices *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211… *** SSA-452237 (Last Update: 2017-07-04): Vulnerabilities in Reyrolle *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-452237… *** IBM Security Bulletin: Weak Cipher available in IBM API Connect (CVE-2015-2808) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003868 *** IBM Security Bulletin: Multiple vulnerabilities in Open Source zlib affects IBM Netezza Platform Software clients (CVE-2016-9840, CVE-2016-9841 and CVE-2016-9843). *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001026

1 0

Tageszusammenfassung - Montag 3-07-2017
by Daily end-of-shift report 03 Jul '17

03 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 30-06-2017 18:00 − Montag 03-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** From Pass-the-Hash to Pass-the-Ticket with No Pain *** --------------------------------------------- We are all grateful to the Microsoft which gave us the possibility to use the "Pass the Hash" technique! In short: if we have the NTLM hashes of the user password, we can authenticate against the remote system without knowing the real password, just using the hashes. Things were (finally) changing, starting from Windows 7, [...] --------------------------------------------- http://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/ *** SQL Injection Vulnerability in WP Statistics *** --------------------------------------------- As part of a vulnerability research project for our Sucuri Firewall, we have been auditing popular open source projects looking for security issues. While working on the WordPress plugin WP Statistics, we discovered a SQL Injection vulnerability. This plugin is currently installed on 300,000+ websites. Are You at Risk? This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right [...] --------------------------------------------- https://blog.sucuri.net/2017/06/sql-injection-vulnerability-wp-statistics.h… *** OutlawCountry Is CIAs Malware for Hacking Linux Systems *** --------------------------------------------- WikiLeaks dumped today a manual describing a new CIA malware strain. Called OutlawCountry, this is malware designed for Linux operating systems. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/outlawcountry-is-cias-malwar… *** So You Think You Can Spot a Skimmer? *** --------------------------------------------- This week marks the 50th anniversary of the automated teller machine -- better known to most people as the ATM or cash machine. Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think youre good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge. --------------------------------------------- https://krebsonsecurity.com/2017/06/so-you-think-you-can-spot-a-skimmer/ *** PE Section Name Descriptions, (Sun, Jul 2nd) *** --------------------------------------------- PE files (.exe, .dll, ...) have sections: a section with code, one with data, ... Each section has a name, and different compilers use different section names. Section names can help us identify the compiler and the type of PE file we are analyzing. --------------------------------------------- https://isc.sans.edu/diary/rss/22576 *** TLS security: Past, present and future *** --------------------------------------------- The Transport Layer Security (TLS) protocol as it stands today has evolved from the Secure Sockets Layer (SSL) protocol from Netscape Communications and the Private Communication Technology (PCT) protocol from Microsoft that were developed in the 1990s, mainly to secure credit card transactions over the Internet. It soon became clear that a unified standard was required, and an IETF TLS WG was tasked. As a result, TLS 1.0 was specified in 1999, TLS 1.1 in [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/07/03/tls-security/ *** Achtung, Fake: Nein, Billa verlost keinen 250-Euro-Gutschein auf Whatsapp *** --------------------------------------------- Der Kettenbrief verbreitet sich momentan rasant - Verlinkung auf mysteriöse Seite --------------------------------------------- http://derstandard.at/2000060650645 *** WSUSpendu? What for? *** --------------------------------------------- At BlackHat USA 2015, the WSUSpect attack scenario has been released. Approximately at the same time, some french engineers have been wondering if it would be possible to use a compromised WSUS server to extend the compromise to its clients, similarly to this WSUSpect attack. After letting this topic rest for almost two years, weve been able, at Alsid and ANSSI, to demonstrate this attack. --------------------------------------------- https://github.com/AlsidOfficial/WSUSpendu *** SB17-184: Vulnerability Summary for the Week of June 26, 2017 *** --------------------------------------------- Original release date: July 03, 2017 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit [...] --------------------------------------------- https://www.us-cert.gov/ncas/bulletins/SB17-184 *** DSA-3901 libgcrypt20 - security update *** --------------------------------------------- Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon GrootBruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal andYuval Yarom discovered that Libgcrypt is prone to a local side-channelattack allowing full key recovery for RSA-1024. --------------------------------------------- https://www.debian.org/security/2017/dsa-3901 *** Bugtraq: [CVE-2017-9313] Webmin 1.840 Multiple XSS Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/540794 *** Microsoft Dynamics CRM Input Validation Flaw in SyncFilterPage.aspx Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1038813 *** FortiWLM upgrade user account hard-coded credentials *** --------------------------------------------- FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller. Having the upgrade account credentials would allow an attacker to transfer files to any attached or previously attached controllers as an admin user, thus raising potential further security issues. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-115 *** F5 Security Advisories *** --------------------------------------------- *** BIND vulnerability CVE-2017-3142 *** https://support.f5.com/csp/article/K59448931 --------------------------------------------- *** BIND vulnerability CVE-2017-3143 *** https://support.f5.com/csp/article/K02230327 --------------------------------------------- *** GnuTLS vulnerability CVE-2017-7507 *** https://support.f5.com/csp/article/K37830055 --------------------------------------------- *** Novell Patches *** --------------------------------------------- *** Sentinel 8.1 (Sentinel 8.1.0.0) Build 3732 *** https://download.novell.com/Download?buildid=SISjocZzgJM~ --------------------------------------------- *** eDirectory 9.0.3 Patch 1 (9.0.3.1) *** https://download.novell.com/Download?buildid=_f8Eq87R-gs~ --------------------------------------------- *** eDirectory 8.8 SP8 Patch 10 HotFix 1 *** https://download.novell.com/Download?buildid=z1R5CZBTHBM~ --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Improper Authentication vulnerability affects IBM Security Guardium (CVE-2017-1264) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004425 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium is affected by XML External Entity vulnerability (CVE-2017-1254) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004463 --------------------------------------------- *** IBM Security Bulletin: OS Command Injection vulnerability affects IBM Security Guardium (CVE-2017-1253 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004426 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow a local user to obtain sensitive information due to inappropriate data retention of attachments(CVE-2017-1176) *** http://www-01.ibm.com/support/docview.wss?uid=swg22005210 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL injection(CVE-2017-1175) *** http://www-01.ibm.com/support/docview.wss?uid=swg22005212 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting(CVE-2017-1208) *** http://www-01.ibm.com/support/docview.wss?uid=swg22005243 --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder that is shipped with Jazz Reporting Service *** http://www-01.ibm.com/support/docview.wss?uid=swg22001007 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology *** http://www.ibm.com/support/docview.wss?uid=swg21999760 --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Team Concert *** http://www.ibm.com/support/docview.wss?uid=swg22004611 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in NTP and OpenSSL affect IBM Netezza Firmware Diagnostics *** http://www-01.ibm.com/support/docview.wss?uid=swg21997020 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect SmartCloud Entry *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025357 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus *** http://www.ibm.com/support/docview.wss?uid=swg22005345 --------------------------------------------- *** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Information Disclosure vulnerability *** http://www.ibm.com/support/docview.wss?uid=swg22005382 --------------------------------------------- *** IBM Security Bulletin: IBM Integration Bus and WebSphere Message Broker are affected by Unquoted Search Path or Element (CWE-428) Vulnerability on Windows *** http://www.ibm.com/support/docview.wss?uid=swg22005383 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus *** http://www.ibm.com/support/docview.wss?uid=swg22005335 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Open Source Botan affects IBM Netezza Platform Software clients (CVE-2016-2849). *** http://www-01.ibm.com/support/docview.wss?uid=swg22001108 --------------------------------------------- *** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Open Source Tomcat vulnerability *** http://www.ibm.com/support/docview.wss?uid=swg22005331 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 30-06-2017
by Daily end-of-shift report 30 Jun '17

30 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 29-06-2017 18:00 − Freitag 30-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Eternal Champion Exploit Analysis *** --------------------------------------------- Recently, a group named the ShadowBrokers published several remote server exploits targeting various protocols on older versions of Windows. In this post we are going to look at the EternalChampion exploit in detail to see what vulnerabilities it exploited, how it exploited them, and how the latest mitigations in Windows 10 break the exploit as-written.... --------------------------------------------- https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit… *** Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone *** --------------------------------------------- A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-… *** Sicherheitsupdates angekündigt: Ciscos IOS-System ist für Schadcode anfällig *** --------------------------------------------- Bisher können Betroffene die Bedrohung durch neu entdeckte Schwachstellen in Ciscos IOS und IOS EX nur über Workarounds eindämmen. Sicherheitspatches sollen folgen. --------------------------------------------- https://heise.de/-3759927 *** e-Government in Deutschland: Kritische Schwachstellen in zentraler Transportkomponente *** --------------------------------------------- You can find the English version of this post here containing further technical details.Die "OSCI-Transport" Java-Bibliothek ist eine Kernkomponente im deutschen e-Government. Schwachstellen in dieser Komponente erlauben es einem Angreifer, bestimmte zwischen Behörden ausgetauschte Informationen zu entschlüsseln oder zu manipulieren bzw. sogar Daten von Behördenrechnern auszulesen.OSCI-Transport ist ein Protokoll, das dazu dient Daten zwischen Behörden sicher [...] --------------------------------------------- http://blog.sec-consult.com/2017/06/e-government-in-deutschland-schwachstel… *** Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation *** --------------------------------------------- On May 12, there was a major outbreak of WannaCrypt ransomware. WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers. Using ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven't... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-ana… *** Eternal Blues: A free EternalBlue vulnerability scanner *** --------------------------------------------- It is to be hoped that after the WannaCry and NotPetya outbreaks, companies will finally make sure to install - on all their systems - the Windows update that patches SMB vulnerabilities leveraged by the EternalBlue and EternalRomance exploits. These exploits are currently available to practically any hacker who might want to use them, and protecting systems against them should be a must for every organization. But while bigger ones might have an IT department [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/06/30/eternal-blues-eternalblue-vulner… *** Cyber Europe 2016: Key lessons from a simulated cyber crisis *** --------------------------------------------- Today marks the end of the latest cyber crisis exercise organised by ENISA, with the release of the after action report and closure video of Cyber Europe 2016. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/cyber-europe-2016-key-lessons-f… *** TeleBots are back: supply-chain attacks against Ukraine *** --------------------------------------------- The latest Petya-like outbreak has gathered a lot of attention from the media. However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine. This blogpost reveals many details about the Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya) outbreak and related information about previously unpublished attacks. --------------------------------------------- https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attack… *** How Malicious Websites Infect You in Unexpected Ways *** --------------------------------------------- You probably spend most of your time on a PC browsing, whether that is Facebook, news or just blogs or pages that appeal to your particular interest. If a malicious hacker wants to break into your computer and scramble the kilobytes that make up your digital life, his starting point will be to create a [...] --------------------------------------------- https://heimdalsecurity.com/blog/malicious-websites/ *** SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software *** --------------------------------------------- The Simple Network Management Protocol(SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Schneider Electric U.motion Builder *** --------------------------------------------- This advisory contains mitigation details for SQL injection, path traversal, improper authentication, use of hard-coded password, improper access control, denial of service, and information disclosure vulnerabilities in Schneider Electric's U.motion Builder. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-180-02 *** BIND TSIG Authentication Bugs Let Remote Users Bypass Authentication to Transfer or Modify Zone Conetnt *** --------------------------------------------- http://www.securitytracker.com/id/1038809 *** SSA-545214 (Last Update 2017-06-29): Vulnerability in ViewPort for Web Office Portal *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-545214… *** SSA-874235 (Last Update 2017-06-29): Intel Vulnerability in Siemens Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235… *** 2017-06-16 (updated 2017-06-30): Cyber Security Notification - CrashOverride/Industroyer Malware *** --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&Lang… *** [2017-06-30] Multiple critical vulnerabilities in OSCI-Transport library 1.2 for German e-Government *** --------------------------------------------- The OSCI-transport library 1.2, a core component of Germanys e-government infrastructure, is affected by XXE, padding oracle and signature wrapping. These vulnerabilities could be used to read local files from OSCI-systems, decrypt certain parts of a message or, under specific circumstances, even to forge messages. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin:OpenSource ICU4C Vulnernabilties in IBM eDiscovery Analyzer *** https://www-01.ibm.com/support/docview.wss?uid=swg21996949 --------------------------------------------- *** IBM Security Bulletin:Cross-site scripting vulnerability in WebSphere Application Server admin console in IBM Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg21998348 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer *** https://www-01.ibm.com/support/docview.wss?uid=swg21996957 --------------------------------------------- *** IBM Security Bulletin: WebSphere Application Server vulnerability with malformed SOAP requests in IBM Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg21998347 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections *** https://www-01.ibm.com/support/docview.wss?uid=swg21999097 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Microsoft SharePoint *** https://www-01.ibm.com/support/docview.wss?uid=swg21999099 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for File Systems *** https://www-01.ibm.com/support/docview.wss?uid=swg21999105 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg21999106 --------------------------------------------- *** IBM Security Bulletin: Open Source Apache PDFBox Vulnerability in IBM eDiscovery Analyzer *** https://www-01.ibm.com/support/docview.wss?uid=swg21991027 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections *** https://www-01.ibm.com/support/docview.wss?uid=swg21999098 --------------------------------------------- *** IBM Security Bulletin: zlib vulnerability may affect IBM SDK, Java Technology Edition *** http://www-01.ibm.com/support/docview.wss?uid=swg22004465 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Intel Ethernet Controller XL710 affects IBM MQ Appliance *** http://www-01.ibm.com/support/docview.wss?uid=swg22002763 --------------------------------------------- *** IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Security Guardium (CVE-2017-1256) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004461 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in openssl, gnutl, mysql, kernel, glibc, ntp shipped with SmartCloud Entry Appliance *** http://www.ibm.com/support/docview.wss?uid=isg3T1025342 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect Content Collector for IBM Connections *** https://www-01.ibm.com/support/docview.wss?uid=swg22001465 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM eDiscovery Analyzer *** https://www-01.ibm.com/support/docview.wss?uid=swg22001458 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Microsoft SharePoint *** https://www-01.ibm.com/support/docview.wss?uid=swg22001455 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for File Systems *** https://www-01.ibm.com/support/docview.wss?uid=swg22001463 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg22001460 --------------------------------------------- *** IBM Security Bulletin: WebSphere Application Server vulnerability in IBM Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg21998346 --------------------------------------------- *** IBM Security Bulletin: SQL Injection vulnerability affects IBM Security Guardium (CVE-2017-1269) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004462 --------------------------------------------- *** IBM Security Bulletin: Missing Authentication for Critical Function affects IBM Security Guardium (CVE-2017-1258) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004309 --------------------------------------------- *** IBM Security Bulletin: IBM InfoSphere Guardium is affected by Cleartext Transmission of Sensitive Information vulnerability (CVE-2016-0238 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg21989124 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM HTTP Server affects Netezza Performance Portal (CVE-2015-8743) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003173 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 29-06-2017
by Daily end-of-shift report 29 Jun '17

29 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 28-06-2017 18:00 − Donnerstag 29-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Petya/NotPetya: Kein Erpressungstrojaner sondern ein "Wiper" *** --------------------------------------------- Nach eingehenden Analysen des Schädlings NotPetya sind sich die meisten Experten einig: Der Schädling hatte es nicht auf Geld abgesehen sondern auf Randale, sprich: auf möglichst großen Datenverlust bei den Opfern. --------------------------------------------- https://heise.de/-3759293 *** Update on Petya malware attacks *** --------------------------------------------- As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware… *** Websites Grabbing User-Form Data Before Its Submitted *** --------------------------------------------- Websites are sending information prematurely:...we discovered NaviStones code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.This is important because it goes [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/websites_grabbi.html *** Microsoft Announces "Controlled Folder Access" to Fend Off Crypto-Ransomware *** --------------------------------------------- This fall, Microsoft plans to release a new Windows Defender feature called Controlled Folder Access, which blocks and blacklists unauthorized apps from making changes to files located inside specially-designated folders. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-control… *** DFN-CERT-2017-1124: Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen u.a. verschiedene Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1124/ *** Symantec Management Console XSS/XXE Issues *** --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Kaspersky Anti-Virus for Linux File Server Multiple Flaws Let Remote Users Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks, Remote Authenticated Users View Files on the Target System, and Local Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1038798 *** Bugtraq: ESA-2017-062: VASA Provider Virtual Appliance Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/540783 *** 2017-06-16 (updated 2017-06-27): Cyber Security Notification - CrashOverride/Industroyer Malware *** --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&Lang… *** SMTP - Moderatley Critical - Information Disclosure - SA-CONTRIB-2017-055 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-055Project: SMTP Authentication Support (third-party module)Version: 7.x, 8.xDate: 2017-June-28Security risk: 10/25 ( Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescriptionThis SMTP module enables you to send mail using a third party (non-system) mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged [...] --------------------------------------------- https://www.drupal.org/node/2890357 *** Services - Critical - SQL Injection - SA-CONTRIB-2017-054 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-054Project: Services (third-party module)Version: 7.xDate: 2017-June-28Security risk: 19/25 ( Critical) AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: SQL InjectionDescriptionThis module provides a standardized solution for building APIs so that external clients can communicate with Drupal.The module doesnt sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it.This vulnerability is [...] --------------------------------------------- https://www.drupal.org/node/2890353 *** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2 and v5.0.2. (CVE-2017-3539, CVE-2016-9840, CVE-2016-9841,CVE-2016-9842, CVE-2016-9843) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005365 *** IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2017-1217) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004348 *** IBM Security Bulletin: Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX (CVE-2017-3514, CVE-2017-3512, CVE-2017-3511, CVE-2017-3509, CVE-2017-3544, CVE-2017-3533, CVE-2017-3539, CVE-2017-1289, CVE-2016-9840, CVE-2016-9841, *** --------------------------------------------- http://aix.software.ibm.com/aix/efixes/security/java_apr2017_advisory.asc

1 0

Tageszusammenfassung - Mittwoch 28-06-2017
by Daily end-of-shift report 28 Jun '17

28 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 27-06-2017 18:00 − Mittwoch 28-06-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Newport XPS-Cx, XPS-Qx *** --------------------------------------------- This advisory contains mitigation details for an improper authentication vulnerability in the Newport XPS-Cx and XPS-Qx controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-178-01 *** Schroedinger’s Pet(ya) *** --------------------------------------------- Earlier today (June 27th), we received reports about a new wave of ransomware attacks spreading around the world, primarily targeting businesses in Ukraine, Russia and Western Europe. Our investigation is ongoing and our findings are far from final at this time. Despite rampant public speculation, the following is what we can confirm from our independent analysis. --------------------------------------------- http://securelist.com/schroedingers-petya/78870/ *** Microsoft bringing EMET back as a built-in part of Windows 10 *** --------------------------------------------- The built-in exploit mitigations are getting stronger and easier to configure. --------------------------------------------- https://arstechnica.com/?p=1124813 *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security issues have been identified within Citrix XenServer. These issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. The issues .. --------------------------------------------- https://support.citrix.com/article/CTX224740 *** New ransomware, old techniques: Petya adds worm capabilities *** --------------------------------------------- On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-tech… *** DFN-CERT-2017-1114/">systemd: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff und die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1114/ *** DFN-CERT-2017-1112/">Microsoft Azure Active Directory (AD) Connect: Eine Schwachstelle ermöglicht eine Privilegieneskalation *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1112/ *** DSA-3900 openvpn - security update *** --------------------------------------------- Several issues were discovered in openvpn, a virtual private network application. --------------------------------------------- https://www.debian.org/security/2017/dsa-3900 *** Security Advisory - DoS Vulnerability of isub Service in Some Huawei Smartphones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170628-… *** HPESBGN03763 rev.1 - HPE SiteScope, Disclosure of Sensitive Information, Bypass Security Restriction, Remote Arbitrary Code Execution *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE SiteScope. The vulnerabilities could be exploited to allow disclosure of sensitive information, bypass security restriction, and remote arbitrary code execution. --------------------------------------------- http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=hpesbgn03763en_us *** Linux-Kernel-Security: Torvalds bezeichnet Grsecurity als "Müll" *** --------------------------------------------- Mit seinem wie üblich wenig diplomatischen Feingefühl machte Kernel-Chefhacker Linus Torvalds auf der Kernel-Mailingliste deutlich, was er von dem auf Sicherheit fokussierten .. --------------------------------------------- https://www.golem.de/news/linux-kernel-security-torvalds-bezeichnet-grsecur… *** Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS *** --------------------------------------------- Last month we shared statistics on some popular reflection attacks. Back then the average SSDP attack size was ~12 Gbps and largest SSDP reflection we recorded was:30 Mpps (millions of packets per second)80 .. --------------------------------------------- https://blog.cloudflare.com/ssdp-100gbps/

1 0

Tageszusammenfassung - Dienstag 27-06-2017
by Daily end-of-shift report 27 Jun '17

27 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 26-06-2017 18:00 − Dienstag 27-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Petya Ransomware Outbreak *** --------------------------------------------- Heute hat es in mehreren Firmen in Europa IT-Ausfälle durch Ransomware gegeben. Dabei dürfte die Ransomware auch ein "lateral movement" innerhalb einer Organisation durchführen, und so eine breitflächige Infektion und damit Verschlüsselung erreichen. Die Faktenlage zu den genauen Vektoren, sowohl für die initiale Infektion, als auch für die Weiterverbreitung innerhalb des lokalen Netzes, ist noch sehr dünn und [...] --------------------------------------------- http://www.cert.at/services/blog/20170627170903-2046.html *** Second Global Ransomware Outbreak Under Way *** --------------------------------------------- A massive ransomware outbreak is spreading globally and being compared to WannaCry. --------------------------------------------- http://threatpost.com/second-global-ransomware-outbreak-under-way/126549/ *** E-Mails über angebliche Verkehrsstrafen *** --------------------------------------------- E-Mails über angebliche Verkehrsstrafen – ACHTUNG: dahinter verbirgt sich Schadsoftware --------------------------------------------- http://www.bmi.gv.at/cms/BK/betrug/files/2762017_E_Mails_ber_angebliche_Ver… *** How Spora ransomware tries to fool antivirus *** --------------------------------------------- Spora ransomware is back and its trying to confuse antivirus products and email filters. --------------------------------------------- http://feedproxy.google.com/~r/nakedsecurity/~3/fpIDs0aHpNY/ *** $1 Million Ransomware Payment Has Spurred New DDoS-for-Bitcoin Attacks *** --------------------------------------------- The $1 million ransom payment paid last week by South Korean web hosting company Nayana has sparked new extortion attempts on South Korean companies. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/-1-million-ransomware-paymen… *** How Not to Encrypt a File - Courtesy of Microsoft *** --------------------------------------------- A client recently sent me a crypto spec which involved some, how do I say, suboptimal use of crypto primitives. They're .Net users so I decided to search for a nice msdn crypto reference to set them straight. Instead I found the likely culprit behind their confusion. --------------------------------------------- https://medium.com/@bob_parks1/how-not-to-encrypt-a-file-courtesy-of-micros… *** New Shifr RaaS Lets Any Dummy Enter the Ransomware Business *** --------------------------------------------- Several security researchers have spotted a new Ransomware-as-a-Service (RaaS) portal over the weekend that lets anyone generate their own ransomware executable just by filling in three form fields and pressing a button. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-shifr-raas-lets-any-dumm… *** What's new in Windows Defender ATP Fall Creators Update *** --------------------------------------------- When we introduced Windows Defender Advanced Threat Protection (Windows Defender ATP), our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer a set of new prevention capabilities designed to stop... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-de… *** Micro Focus GroupWise Mobility Service 2014 R2 Support Pack 2 Hot Patch 2 *** --------------------------------------------- Abstract: Micro Focus GroupWise Mobility Service 2014 R2 Support Pack 2 HP2 has been released. Please see the details section below for installation instructions and the change log section for bug fixes since the last release. NOTE: Please do not continue using older versions of GMS SSLCheck. It has been superceded by GroupWise Mobility Service SSLCheck 1.1 found here: http://download.novell.com/Download?buildid=9naDJkniVtg~Document ID: 5311890Security Alert: YesDistribution Type: [...] --------------------------------------------- https://download.novell.com/Download?buildid=SIbPzOKmofQ~ *** SSA-874235 (Last Update 2017-06-26): Intel Vulnerability in Siemens Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM PureApplication System *** http://www-01.ibm.com/support/docview.wss?uid=swg22005209 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK Java Technology Edition Version 6, 7, 8 and IBM Runtime Environment Java Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation *** http://www.ibm.com/support/docview.wss?uid=swg22003154 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM PureApplication System (CVE-2017-3731) *** http://www.ibm.com/support/docview.wss?uid=swg22005135 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilites in IBM Java Runtime Affect Optim Data Growth, Test Data Management and Application Retirement *** http://www-01.ibm.com/support/docview.wss?uid=swg22003285 --------------------------------------------- *** IBM Security Bulletin: Security vulnerability in SWF files shipped with IBM Cúram Social Program Management (CVE-2017-1106) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004580 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 26-06-2017
by Daily end-of-shift report 26 Jun '17

26 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 23-06-2017 18:00 − Montag 26-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Erneut kritische Lücke in Windows Defender & Co *** --------------------------------------------- Alle AV-Produkte aus dem Hause Microsoft wiesen einen kritischen Fehler auf, der es erlaubte, Windows-Systeme zu kapern. Dazu genügte es, wenn die AV-Software etwa eine Datei in einer E-Mail oder auf der Festplatte auf Schadcode untersucht. --------------------------------------------- https://heise.de/-3756013 *** Brutal Kangaroo: CIA-Werkzeug infiziert Rechner per USB-Stick *** --------------------------------------------- WikiLeaks hat geheime CIA-Dokumente veröffentlicht, in denen eine Werkzeug-Suite beschrieben ist, mit der sich via USB-Stick Informationen von Rechnern abgreifen lassen, die nicht mit dem Internet verbunden sind. --------------------------------------------- https://heise.de/-3754923 *** Aktuelle Intel-Prozessoren von "Albtraum"-Bug geplagt *** --------------------------------------------- Debian-Projekt spürt Fehler auf, der zu Datenverlust unter allen Betriebssystemen führen kann --------------------------------------------- http://derstandard.at/2000059819966 *** Cyber-Angriffe auf private E-Mail-Postfächer von Funktionsträgern *** --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) beobachtet derzeit professionelle Cyber-Angriffe auf private E-Mail-Postfächer von Funktionsträgern aus Wirtschaft und Verwaltung. Bei dieser Angriffskampagne werden täuschend echt erscheinende Spearphishing-Mails an ausgewähltes Spitzenpersonal gesandt. Die Angreifer geben beispielsweise vor, Auffälligkeiten bei der Nutzung des Postfachs [...] --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Spearphishi… *** Traveling with a Laptop / Surviving a Laptop Ban: How to Let Go of "Precious", (Mon, May 29th) *** --------------------------------------------- For a few months now, passengers on flights from certain countries are no longer allowed to carry laptops and other larger electronic devices into the cabin. Many news media reported over the last weeks that this policy may be expanded to flight from Europe, or to all flights entering the US. But even if you get to keep your laptop with you during your flight, it is difficult to keep it at your site when you travel. So regardless if this ban materializes or not (right now it looks like it will [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22462 *** Malware: Der unvollständige Ransomware-Schutz von Windows 10 S *** --------------------------------------------- Windows 10 S soll vor Ransomware schützen - sagt Microsoft. Einem Sicherheitsforscher gelang es trotzdem, innerhalb weniger Stunden Zugriff auf Systemprozesse zu bekommen. --------------------------------------------- https://www.golem.de/news/malware-der-unvollstaendige-ransomware-schutz-von… *** Look, But Dont Touch: One Key to Better ICS Security *** --------------------------------------------- Better visibility is essential to improving the cybersecurity of industrial control systems and critical infrastructure, but the OT-IT cultural divide must be united. --------------------------------------------- https://www.darkreading.com/vulnerabilities---threats/look-but-dont-touch-o… *** Blocks and Chains now available *** --------------------------------------------- Our book has just been published: Blocks and Chains: Introduction to Bitcoin, Cryptocurrencies, and Their Consensus Mechanisms. Aljosha Judmayer, Nicholas Stifter, Katharina Krombholz, and Egar Weippl --------------------------------------------- https://www.sba-research.org/2017/06/24/blocks-and-chains-now-available/ *** DFN-CERT-2017-1100: Microsoft Malware Protection Engine: Eine Schwachstelle ermöglicht die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1100/ *** Security Advisories Relating to Symantec Products - Symantec Messaging Gateway Multiple Vulnerabilities *** --------------------------------------------- Symantec has released an update to address three issues that were discovered in the Symantec Messaging Gateway (SMG). --------------------------------------------- https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s… *** Vuln: Multiple Pivotal Products CVE-2017-4974 SQL Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/99254 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: API security restrictions can be bypassed in IBM API Connect (CVE-2017-1328) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003867 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Cross Site Scripting. (CVE-2017-1234) *** http://www.ibm.com/support/docview.wss?uid=swg22004948 --------------------------------------------- *** IBM Security Bulletin: Docker and Python as used in IBM QRadar SIEM is vulnerable to various CVEs. *** http://www.ibm.com/support/docview.wss?uid=swg22004947 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Global Mailbox in IBM Sterling B2B Integrator (CVE-2015-5262, CVE-2014-3577) *** http://www-01.ibm.com/support/docview.wss?uid=swg22005149 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM has weak password requirements. (CVE-2016-9738) *** http://www.ibm.com/support/docview.wss?uid=swg22004926 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is missing HSTS header. (CVE-2016-9972) *** http://www.ibm.com/support/docview.wss?uid=swg22004925 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (Multiple CVEs) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003998 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator *** http://www.ibm.com/support/docview.wss?uid=swg22004713 --------------------------------------------- *** IBM Security Bulletin: Vulnerability affects WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000300 --------------------------------------------- *** IBM Security Bulletin: October 2015 Java Platform Standard Edition Vulnerabilities in Multiple N Series Products *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009992 --------------------------------------------- *** IBM Security Bulletin: July 2014 Java Runtime Environment (JRE) Vulnerabilities in Multiple N series Products *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009972 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 23-06-2017
by Daily end-of-shift report 23 Jun '17

23 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 22-06-2017 18:00 − Freitag 23-06-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Getting ready for the European Cyber Security Month 2017 *** --------------------------------------------- 100 days left for the launch of the European Cyber Security Month, the EU annual advocacy campaign which takes place in October supported by ENISA and EC DG CONNECT with the participation of many partners from all over Europe. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/getting-ready-for-the-european-… *** Microsoft Says Fireball Threat ‘Overblown’ *** --------------------------------------------- Check Point has toned down its initial estimates on the number of Fireball malware infections from 250 million machines and 20 percent of corporate networks to 40 million computers. --------------------------------------------- http://threatpost.com/microsoft-says-fireball-threat-overblown/126472/ *** DSA-3894 graphite2 - security update *** --------------------------------------------- Multiple vulnerabilities have been found in the Graphite font rendering engine which might result in denial of service or the execution of arbitrary code if a malformed font file is processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3894 *** ZDI-17-441: Apple Safari Node Use-After-Free Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-441/ *** DSA-3896 apache2 - security update *** --------------------------------------------- Several vulnerabilities have been found in the Apache HTTPD server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3896 *** Smart burglars will ride the surf of inter-connected hackability *** --------------------------------------------- Let’s invent a dustbin that throws itself away Something for the Weekend, Sir? What the world needs now is an intelligent dustbin. It would be the pinnacle of achievement for the Internet of Things sector. --------------------------------------------- www.theregister.co.uk/2017/06/23/smart_burglars_will_ride_the_surf_of_inter… *** Mutmaßlich russische Hacker stahlen Daten britischer Politiker *** --------------------------------------------- http://derstandard.at/2000059699661 *** Deutsches Sicherheitsamt warnt vor Cyber-Attacken auf Verwaltung *** --------------------------------------------- Ähnlich wie auf US-Demokraten und französische Partei von Präsident Macron --------------------------------------------- http://derstandard.at/2000059699049 *** Node.js: Hälfte der NPM-Pakete durch schwache Passwörter verwundbar *** --------------------------------------------- Der NPM-Dienst hat vor zwei Wochen Passwörter von Entwicklern zurückgezogen. Jetzt ist klar warum: Ein Hacker konnte schwache Passwörter sammeln und hätte damit wohl die Hälfte des .. --------------------------------------------- https://www.golem.de/news/node-js-haelfte-der-npm-pakete-durch-schwache-pas… *** Microsoft weist Vorwürfe von Antivirenhersteller zurück *** --------------------------------------------- Microsoft betont in einem Blogpost die Bedeutung der Zusammenarbeit mit Antivirenherstellern im Rahmen der Microsoft Virus Initiative. Die Veröffentlichung kann als direkte Reaktion auf die Beschwerde von Kaspersky bei Kartellwächtern verstanden werden. --------------------------------------------- https://heise.de/-3754148 *** Video: So kaperten Hacker ein Stromkraftwerk *** --------------------------------------------- 2015 haben Hacker den Strom für über 200.000 Personen in der Ukraine ausfallen lassen. Ein Video zeigt, wie sie die Steuer-PCs übernommen haben. --------------------------------------------- https://futurezone.at/digital-life/video-so-kaperten-hacker-ein-stromkraftw… *** FBI: Extortion, CEO Fraud Among Top Online Fraud Complaints in 2016 *** --------------------------------------------- Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year, according to new figures from the FBIs Internet Crime Complaint Center (IC3). The IC3 report released .. --------------------------------------------- https://krebsonsecurity.com/2017/06/fbi-extortion-ceo-fraud-among-top-onlin…

1 0

Tageszusammenfassung - Donnerstag 22-06-2017
by Daily end-of-shift report 22 Jun '17

22 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 21-06-2017 18:00 − Donnerstag 22-06-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Cisco WebEx Network Recording Player Multiple Buffer Overflow Vulnerabilities *** --------------------------------------------- Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious ARF file via email or URL and convincing the user to launch the file. Exploitation of these vulnerabilities could cause an .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Multiple vulnerabilities in Cisco Prime Infrastructure *** --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Multiple vulnerabilities in Cisco Identity Services *** --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Multiple vulnerabilities in Cisco IOS XR *** --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Cisco Firepower Management Center Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Kritischer Bug in Kompressions-Bibliothek RAR gefährdet AV-Software *** --------------------------------------------- Fehler beim Auspacken von Archiven sind kritisch, weil sie sich besonders einfach ausnutzen lassen – etwa wenn die Antiviren-Software nach Schadcode sucht. Umso bitterer ist es, wenn die sich fünf Jahre nach ihrer Entdeckung noch ausnutzen lassen. --------------------------------------------- https://heise.de/-3751528 *** Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003 *** --------------------------------------------- https://www.drupal.org/SA-CORE-2017-003 *** TeslaWare Plays Russian Roulette with your Files *** --------------------------------------------- I was told about a new ransomware called TeslaWare that is being promoted on a black hat criminal site. After a quick search, I was able to find a sample that was compiled yesterday .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/teslaware-plays-russian-roul… *** Locky Ransomware Returns, but Targets Only Windows XP & Vista *** --------------------------------------------- The Locky ransomware is back, spreading via a massive wave of spam emails distributed by the Necurs botnet, but the campaign appears to be a half-baked effort because the ransomware is not able to encrypt files on modern Windows OS versions, locking .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but… *** NSA-Backed OpenC2.org Aims to Defend Systems at Machine Speed *** --------------------------------------------- Security experts, vendors, business and the NSA are developing a standardized language that rather than autonomously understands threats, acts on them. --------------------------------------------- http://threatpost.com/nsa-backed-openc2-org-aims-to-defend-systems-at-machi… *** Web Application Pentest Guide Part-I *** --------------------------------------------- In this article, we are going to pentest a web application which was developed by HP for scanner evaluation purpose. We will be demonstrating the complete process .. --------------------------------------------- http://resources.infosecinstitute.com/web-application-pentest-guide-part/ *** Windows-Trojaner nutzt NSA-Hintertür um verdeckt Kryptowährungen zu schürfen *** --------------------------------------------- Die DOUBLEPULSAR-Hintertür der NSA wird momentan missbraucht, um ungeschützte Windows-Rechner mit einem Trojaner zu infizieren, der heimlich die Kryptowährung Monero (XMR) schürft. --------------------------------------------- https://heise.de/-3751247 *** [2017-06-22] Multiple vulnerabilities in Cisco Prime Infrastructure *** --------------------------------------------- Multiple security vulnerabilities in Cisco Prime Infrastructure < 3.1.6 could allow local low-privileged user to read arbitrary files such as wireless access point configurations, read the hashed passwords of all the users including the administrator from database and infect other users with JavaScript trojan. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Understanding the true size of “Fireball” *** --------------------------------------------- ... when recent reports of the “Fireball” cybersecurity threat operation were presented as a new discovery, our teams knew .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/22/understanding-the-true-… *** IBM Security Bulletin: Multiple vulnerabilities in EBICS client in IBM Sterling B2B Integrator (CVE-2017-1132, CVE-2017-1347, CVE-2017-1348) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004199 *** IBM Security Bulletin: HTTP verb tampering vulnerability affects IBM Sterling B2B Integrator (CVE-2017-1131) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004270 *** Why So Many Top Hackers Hail from Russia *** --------------------------------------------- Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information .. --------------------------------------------- https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russi… *** DSA-3892 tomcat7 - security update *** --------------------------------------------- Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet andJSP engine, static error pages used the original requests HTTP methodto serve content, instead of systematically using .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3892 *** DSA-3891 tomcat8 - security update *** --------------------------------------------- Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet andJSP engine, static error pages used the original requests HTTP methodto serve content, instead of systematically .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3891

1 0

Tageszusammenfassung - Mittwoch 21-06-2017
by Daily end-of-shift report 21 Jun '17

21 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 20-06-2017 18:00 − Mittwoch 21-06-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Partnering with the AV ecosystem to protect our Windows 10 customers *** --------------------------------------------- On Friday May 12th, and for several days afterwards, more than a quarter-million computers around the world fell victim to the ransomware known .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/20/partnering-with-the-av-… *** Unwanted “Shorte St” Ads in Unpatched Newspaper Theme *** --------------------------------------------- Unwanted ads are one of the most common problems that site owners ask us to solve. Recently, we’ve noticed quite a few requests to remove intrusive “shorte st” ads that they never installed on their sites themselves. My colleague Denis Sinegubko of UnmaskParasites .. --------------------------------------------- https://blog.sucuri.net/2017/06/unwanted-shorte-st-ads-in-unpatched-newspap… *** Hacker exposed bank loophole to buy luxury cars and a face tattoo *** --------------------------------------------- ♪ Im gonna wait... til the midnight hour, when theres no one else around A UK hacker who stole £100,000 from his bank after spotting a loophole in its systems has been jailed for 16 months. --------------------------------------------- www.theregister.co.uk/2017/06/20/face_tattoo_bank_hacker/ *** More Android apps from dangerous Ztorg family sneak into Google Play *** --------------------------------------------- Almost 100 such apps, with >1 million downloads, found so far (but not by Google). --------------------------------------------- https://arstechnica.com/security/2017/06/more-android-apps-from-dangerous-z… *** Minimalist Alina PoS Variant Starts Using SSL *** --------------------------------------------- More than four years ago, we published a series of blogs discussing in-depth analysis of Alina Point of Sale (PoS) malware. And for the past four years, it is interesting to see .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Minimalist-Alina-PoS-Variant… *** Nach Leak: Studio zahlte "Orange Is the New Black"-Erpresser *** --------------------------------------------- Hacker hatten etwa 50.000 US-Dollar gefordert --------------------------------------------- http://derstandard.at/2000059577414 *** Wannacry: Honda stoppt Autobau wegen Ransomware *** --------------------------------------------- Autowerk im japanischen Sayana setzt vorübergehend Produktion aus --------------------------------------------- http://derstandard.at/2000059583968 *** Decline in Rig Exploit Kit *** --------------------------------------------- Unit 42 investigates recent developments in the EITest & psuedo-Darkleech campaigns contributing to the decline of Rig exploit kits. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2017/06/unit42-decline-rig-expl…

1 0

Tageszusammenfassung - Dienstag 20-06-2017
by Daily end-of-shift report 20 Jun '17

20 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 19-06-2017 18:00 − Dienstag 20-06-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Apache HTTPD Bugs Let Remote Users Deny Service and Bypass Authentication in Certain Cases *** --------------------------------------------- Fix Available: Yes Vendor Confirmed: Yes Version(s): 2.2.0 - 2.2.32, 2.4.0 - 2.4.25 Description: Several vulnerabilities were reported in Apache HTTPD. A remote user can cause the target service to crash. A remote user can bypass authentication. --------------------------------------------- http://www.securitytracker.com/id/1038711 *** Bugtraq: [security bulletin] HPESBGN03758 rev.2 - HPE UCMDB, Remote Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/540745 *** McAfee Labs Threats Report Explores Malware Evasion Techniques, Digital Steganography, Password-Stealer Fareit *** --------------------------------------------- We got a little carried away in the McAfee Labs Threats Report: June 2017, published today. This quarter's report has expanded to a rather hefty 83 pages! It contains three highly educational topics, in addition to the usual set of threats statistics: We broadly examine evasion techniques and how malware authors use them to accomplish... --------------------------------------------- https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-labs-threats-report-… *** Glibc Stack/Heap Memory Allocation Error Lets Local Users Gain Elevated Privileges *** --------------------------------------------- A local user can supply specially crafted LD_LIBRARY_PATH values to trigger a stack memory allocation flaw in certain cases and execute arbitrary code on the target system with elevated privileges. The stack guard-page memory gap can be "jumped" in cases where heap memory and stack memory are adjacent. --------------------------------------------- http://www.securitytracker.com/id/1038712 *** [2017-06-20] Multiple Reflected Cross Site Scripting (XSS) issues in Ubiquiti Networks products *** --------------------------------------------- Multiple Ubiquiti Networks products with firmware XM v6.0, SW v1.3.3 and AF24 v3.2 are affected by a POST-request based cross site scripting vulnerability. Malicious JavaScript code can be executed in the browser of the user and cookies can be stolen. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** DFN-CERT-2017-1052/">Exim: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes *** --------------------------------------------- Betroffene Software: Exim <= 4.89 In Exim existiert eine Schwachstelle, weil durch die Mehrfachverwendung von '-p' als Befehlszeilenargument Speicher reserviert werden kann, der nicht wieder freigegeben wird. Ein lokaler, nicht authentisierter Angreifer kann dies nur in Verbindung mit einer anderen Schwachstelle ausnutzen, um beliebigen Programmcode zur Ausführung zu bringen und möglicherweise auch eine Rechteerweiterung auf Root-Privilegien durchzuführen. Debian stellt für die stabile Distribution Stretch und die alte stabile Distribution Jessie jeweils Backport-Sicherheitsupdates bereit. CVE-2017-1000369 --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1052/ *** Oracle Security Alert for CVE-2017-3629 *** --------------------------------------------- This Security Alert addresses CVE-2017-3629 and two other vulnerabilities affecting Oracle Solaris. These are local privilege escalation vulnerabilities that may only be exploited over a network with a valid username and password. Together, these vulnerabilities may allow privilege escalation to root. --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-375… *** Vuln: SAP Business Objects DS Open Redirection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/99143 *** Xen Security Advisories *** --------------------------------------------- XSA-216: blkif responses leak backend stack data XSA-217: page transfer may allow PV guest to elevate privilege XSA-218: Races in the grant table unmap code XSA-219: x86: insufficient reference counts during shadow emulation XSA-220: x86: PKRU and BND* leakage between vCPU-s XSA-221: NULL pointer deref in event channel poll XSA-222: stale P2M mappings due to insufficient error checking XSA-223: ARM guest disabling interrupt may crash Xen XSA-224: grant table operations mishandle reference --------------------------------------------- https://lists.xen.org/archives/html/xen-announce/2017-06/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i. *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1022142 --------------------------------------------- *** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2017-1304) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010230 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere MQ Internet Pass-Thru *** http://www.ibm.com/support/docview.wss?uid=swg22001701 --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Security Directory Suite (CVE-2016-0378, CVE-2016-5983 and CVE-2016-5986) *** http://www.ibm.com/support/docview.wss?uid=swg22002049 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 19-06-2017
by Daily end-of-shift report 19 Jun '17

19 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 16-06-2017 18:00 − Montag 19-06-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Bugtraq: ESA-2017-041: EMC VNX1 and VNX2 Family Multiple Vulnerabilities in VNX Control Station *** --------------------------------------------- http://www.securityfocus.com/archive/1/540738 *** VU#768399: HPE SiteScope contains multiple vulnerabilities *** --------------------------------------------- HPEs SiteScope is vulnerable to several cryptographic issues, insufficiently protected credentials, and missing authentication. Description HPEs SiteScope is vulnerable to several vulnerabilities. --------------------------------------------- http://www.kb.cert.org/vuls/id/768399 *** Analysis of the Shadow Brokers release and mitigation with Windows 10 virtualization-based security *** --------------------------------------------- On April 14, a group calling themselves the Shadow Brokers caught the attention of the security community by releasing a set of weaponized exploits. Shortly thereafter, one of these exploits .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-… *** DSA-3884 gnutls28 - security update *** --------------------------------------------- Hubert Kario discovered that GnuTLS, a library implementing the TLS and SSL protocols, does not properly decode a status response TLS extension,allowing a remote attacker to cause an application using the GnuTLS library to crash (denial of service). --------------------------------------------- https://www.debian.org/security/2017/dsa-3884 *** In eigener Sache: Umstellung der Tageszusammenfassungen *** --------------------------------------------- In eigener Sache: Umstellung der Tageszusammenfassungen19. Juni 2017In der Woche vom 3.-7. 7. 2017 werden wir das Format unserer Tageszusammenfassungen anpassen. Inhaltlich bleibt alles wie gewohnt, wir werden aber der besseren Übersichtlichkeit halber den Inhalt in mehrere Sektionen unterteilen. Damit sollte es .. --------------------------------------------- http://www.cert.at/services/blog/20170619121641-2037.html *** D-Link DSL-2640U - Unauthenticated DNS Change *** --------------------------------------------- The vulnerability exist in the web interface, which is accessible without authentication. Once modified, systems use foreign DNS servers, which are usually set up by cybercriminals. Users with .. --------------------------------------------- https://www.exploit-db.com/exploits/42195/ *** -Link DSL-2640B - Unauthenticated Remote DNS Change *** --------------------------------------------- The vulnerability exist in the web interface, which is accessible without authentication. Once modified, systems use foreign DNS servers, which are usually set up by cybercriminals. Users with .. --------------------------------------------- https://www.exploit-db.com/exploits/42197/ *** IBM Security Bulletin: IBM MQ Trace enablement could cause denial of service (CVE-2017-1117) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22001468 *** IoT Malware Activity Already More Than Doubled 2016 Numbers *** --------------------------------------------- The number of new malware samples in the wild this year targeting connected internet-of-things (IoT) devices has already more than doubled last year’s total. --------------------------------------------- http://threatpost.com/iot-malware-activity-already-more-than-doubled-2016-n…

1 0

Tageszusammenfassung - Freitag 16-06-2017
by Daily end-of-shift report 16 Jun '17

16 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 14-06-2017 18:00 − Freitag 16-06-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a *** Former Major Player Neutrino Exploit Kit Has Gone Dark *** --------------------------------------------- The Neutrino exploit kit, a former leader of the exploit kit market, appears to have shut down, with the last activity recorded at the start of April, well over two months ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/former-major-player-neutrino… *** SAP Security Patch Day - June 2017 *** --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. --------------------------------------------- https://blogs.sap.com/2017/06/13/sap-security-patch-day-june2017/ *** Entschlüsselungstool für Erpressungstrojaner Jaff veröffentlicht *** --------------------------------------------- Ein Sicherheitsforscher von Kaspersky hat eine Schwachstelle im Code der Ransomware Jaff entdeckt. Nun können Betroffene ihre Daten mit einem kostenlosen Tool entschlüsseln. --------------------------------------------- https://heise.de/-3744042 *** New cyber security information service launched today by ENISA *** --------------------------------------------- ENISA launched today its new cyber security information service "Cyber Security Info Notes" with the aim to provide timely key information and recommendations on cyber security topics and incidents. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/new-cyber-security-information-… *** Wikileaks Unveils Cherry Blossom - Wireless Hacking System Used by CIA *** --------------------------------------------- WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a framework - which is being used by the CIA for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices. --------------------------------------------- https://thehackernews.com/2017/06/cia-wireless-router-hacking-tool.html *** Samsung-Domain abgelaufen: Millionen Smartphones waren laut Experten für Hacker offen *** --------------------------------------------- Laut Sicherheitsforscher hätten Hacker Malware einschleusen können - Samsung dementiert --------------------------------------------- http://derstandard.at/2000059348103 *** Developer Creates Rootkit That Hides in PHP Server Modules *** --------------------------------------------- A Dutch web developer has created a rootkit that hides inside a PHP module and can be used to take over web servers via a rarely used attack vector: Apache modules. --------------------------------------------- https://www.bleepingcomputer.com/news/security/developer-creates-rootkit-th… *** Kein Patch für Denial-of-Service-Lücke in Windows Server *** --------------------------------------------- Im Windows Internet Name Service (WINS) von Windows Server klafft eine Denial-of-Service-Lücke, die Microsoft nicht patchen wird - der Aufwand sei zu groß. Wer den Dienst noch nutzt, soll stattdessen auf DNS ausweichen. --------------------------------------------- https://heise.de/-3744148 *** Cyber Security Notification - MicroSCADA Pro SYS600 and CRASHOVERRIDE *** --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A0857&Lang… *** Bugtraq: ESA-2017-043: EMC ESRS Virtual Edition Authentication Bypass Vulnerability *** --------------------------------------------- ESA-2017-043: EMC ESRS Virtual Edition Authentication Bypass Vulnerability --------------------------------------------- http://www.securityfocus.com/archive/1/540721 *** DFN-CERT-2017-1030 ISC BIND: Zwei Schwachstellen ermöglichen u.a. das Eskalieren von Privilegien *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1030/ *** Siemens *** --------------------------------------------- *** Siemens devices using the PROFINET Discovery and Configuration Protocol (Update A) *** https://ics-cert.us-cert.gov/advisories/ICSA-17-129-01A --------------------------------------------- *** Siemens devices using the PROFINET Discovery and Configuration Protocol (Update A) *** https://ics-cert.us-cert.gov/advisories/ICSA-17-129-02A --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010301 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in ntp affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025390 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in curl affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025395 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025389 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024890 --------------------------------------------- *** IBM Security Bulletin: Vulnerability CVE-2017-7494 in Samba affects IBM i *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1022134 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-7494) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010317 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology *** http://www.ibm.com/support/docview.wss?uid=swg22004599 --------------------------------------------- *** IBM Security Bulletin: IBM MQ and IBM MQ Appliance Open Source zlib is vulnerable to a denial of service (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001520 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 14-06-2017
by Daily end-of-shift report 14 Jun '17

14 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 13-06-2017 18:00 − Mittwoch 14-06-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Internet hygiene still stinks despite botnet and ransomware flood *** --------------------------------------------- Millions of must-be-firewalled services sitting wide open Network security has improved little over the last 12 months - millions of vulnerable devices are still exposed on the open internet, leaving them defenceless to the next big malware attack. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/06/14/rapid7_devi… *** June 2017 security update release *** --------------------------------------------- Microsoft releases additional updates for older platforms to protect against potential nation-state activity Today, as part of our regular Update Tuesday schedule, we have taken action to provide additional critical security updates to address vulnerabilities that are at heighted risk of exploitation due to past nation-state activity and disclosures. Some of the releases today are... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/06/13/june-2017-security-upda… *** When Your Plugins Turn Against You *** --------------------------------------------- Every day we face countless cases of sites getting compromised and infected by an attacker. From there, the sites can be used for various operations like spam campaigns, malware spreading or simply to damage your SEO ranking among other events. The threat may not always come from outside though. There are occasions where we are indirectly the ones responsible for the infection and may never find out until we get blacklisted by a search engine, or alerted of malicious code from our users. --------------------------------------------- https://blog.sucuri.net/2017/06/when-your-plugins-turn-against-you.html *** MSRT June 2017: Removing sneaky Xiazai *** --------------------------------------------- In the June release of the Microsoft Software Removal Tool (MSRT), we're adding Xiazai, a widespread family of browser modifiers that we have blocked and removed from millions of computers since 2015. Xiazai is a software bundler that can sneak in additional changes. Xiazai does not install itself or make autostart registry entries, but the... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/13/msrt-june-2017-removing… *** ZDI-17-396: Trend Micro Maximum Security tmusa Time-Of-Check/Time-Of-Use Privilege Escalation Vulnerability *** --------------------------------------------- This vulnerability allows local attackers to escalate privilege on vulnerable installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/FQzTY0SrpbU/ *** ZDI-17-395: Trend Micro Maximum Security tmusa Kernel Driver Untrusted Pointer Dereference Denial of Service Vulnerability *** --------------------------------------------- This vulnerability allows local attackers to deny service on vulnerable installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/hoecBsyhda4/ *** Nmap 7.50 released: New NSE scripts, 300+ fingerprints, new Npcap *** --------------------------------------------- Nmap 7.50 is the first big release since last December and has hundreds of improvements. One of the things the developers have worked on recently is the Npcap packet capturing driver and library for Windows. It is a replacement for WinPcap, which is no longer maintained. Npcap uses newer APIs for better performance and compatibility, including Windows 10 support. Developers also added loopback packet capture and injection, raw wireless sniffing, and extra security features ... --------------------------------------------- https://www.helpnetsecurity.com/2017/06/14/nmap-7-50-released/ *** Patchday: Microsoft sichert XP und Vista ab, warnt vor neuem WannaCry *** --------------------------------------------- In einem bisher nicht dagewesenen Schritt hat Microsoft am Patchday Updates für Windows-Versionen ausgeliefert, die nicht mehr unterstützt werden. Die Firma entschloss sich dazu, da sie weitere WannaCry-ähnliche Attacken befürchtet. --------------------------------------------- https://heise.de/-3743004 *** Gefälschte Netflix-Nachricht: Problem with your Membership *** --------------------------------------------- In einer gefälschten Netflix-Nachricht behaupten Kriminelle, dass es Probleme mit den Kreditkartendaten von Kund/innen gäbe. Aus diesem Grund sollen sie auf einer Website ihre Zahlungsmethode erneuern. Kund/inenn, die der Aufforderung nachkommen, übermitteln ihre Bankdaten an Kriminelle und werden Opfer eines Datendiebstahls. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-netflix-nachricht-pr… *** Mozilla Firefox Multiple Bugs Let Remote Users Spoof URLs, Obtain Potentially Sensitive Information, and Execute Arbitrary Code and Let Local Users Gain Elevated Privileges *** --------------------------------------------- A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system. A local user can obtain elevated privileges on the target system. A local user can modify files on the target system. A remote user can obtain files on the target system. A remote user can spoof the address bar. Solution: The vendor has issued a fix (ESR 52.2; 54.0). --------------------------------------------- http://www.securitytracker.com/id/1038689 *** Wegen Sicherheitsproblemen: Kein SMB1 in Windows-Neuinstallationen *** --------------------------------------------- Microsoft plant den nächsten Schritt zur Abschaffung des SMB1-Protokolls. Nach den Updates im Herbst soll das über 30 Jahre alte Protokoll in Neuinstallationen von Windows standardmäßig deaktiviert sein. --------------------------------------------- https://heise.de/-3743127 *** Security Advisory - Permission Control Vulnerability in Smart Phones *** --------------------------------------------- Some Huawei Smart phones have a permission control vulnerability. Due to improper authorization on specific processes, an attacker with the root privilege of a mobile Android system can exploit this vulnerability to obtain some information of the user. CVE-2017-8216 --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170614-… *** DDoS-Drohungen *** --------------------------------------------- Seit gestern werden weltweit E-Mails mit einem Erpressungsversuch und einer angedrohten Denial of Service-Attacke verschickt. Diese E-Mails stammen von einer Gruppe, die sich HACKER TEAM - Meridian Collective nennt ... Es kann davon ausgegangen werden, dass - wie in der Vergangenheit - diesen Drohungen keinerlei tatsächliche Angriffe folgen werden. Den Forderungen sollte daher nicht nachgekommen werden. --------------------------------------------- https://www.dfn-cert.de/aktuell/ddos-drohungen.html *** FIRST Releases Framework for Product Security Incident Response Teams *** --------------------------------------------- The leading association of incident response and security teams released a draft of the Product Security Incident Response Teams (PSIRT) Services Framework for public input. This is a formal list of services a PSIRT may consider implementing to address the needs of their constituency. Public input is welcomed until August 31, 2017 via psirt-comments(a)first.org. --------------------------------------------- https://www.first.org/newsroom/releases/20170614 *** HIDDEN COBRA - North Korea's DDoS Botnet Infrastructure *** --------------------------------------------- ... DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea's distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders ... --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA17-164A *** EMC *** --------------------------------------------- *** Vuln: EMC RSA BSAFE Cert-C CVE-2017-4981 Denial of Service Vulnerability *** http://www.securityfocus.com/bid/99044 --------------------------------------------- *** Vuln: EMC Secure Remote Services Virtual Edition CVE-2017-4986 Authentication Bypass Vulnerability *** http://www.securityfocus.com/bid/99036 --------------------------------------------- *** Vuln: EMC VNX1/VNX2 OE for File CVE-2017-4984 Remote Code Execution Vulnerability *** http://www.securityfocus.com/bid/99039 --------------------------------------------- *** Vuln: EMC VNX1/VNX2 OE for File CVE-2017-4985 Local Privilege Escalation Vulnerability *** http://www.securityfocus.com/bid/99037 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Algo One Counterparty Credit Risk (CVE-2016-8745) *** http://www.ibm.com/support/docview.wss?uid=swg22000795 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director. *** http://www.ibm.com/support/docview.wss?uid=isg3T1025202 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Express. *** http://www.ibm.com/support/docview.wss?uid=swg22002268 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 13-06-2017
by Daily end-of-shift report 13 Jun '17

13 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 12-06-2017 18:00 − Dienstag 13-06-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Security Bulletins posted *** --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-17), Adobe Shockwave Player (APSB17-18), Adobe Captivate (APSB17-19) and Adobe Digital Editions (APSB17-20). Adobe recommends users update their product installations to the latest versions... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1469 *** SAP Security Patch Day - June2017 *** --------------------------------------------- On 13th of June 2017, SAP Security Patch Day saw the release of 18 security notes. Additionally, there were 3 updates to previously released security notes. --------------------------------------------- https://blogs.sap.com/2017/06/13/sap-security-patch-day-june2017/ *** Analyzing Xavier: An Information-Stealing Ad Library on Android *** --------------------------------------------- We have recently discovered a Trojan Android ad library called Xavier that steals and leaks a user's information silently. Xavier's impact has been widespread, with more than 800 applications embedding the ad library's SDK having been downloaded millions of times from Google Play. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Vlm6uUCaCKU/ *** [2017-06-13] Access Restriction Bypass in Atlassian Confluence *** --------------------------------------------- An attacker can manually subscribe to pages of Atlassian Confluence which he is not able to view and he then receive any further comments made on the restricted page. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** FIN7 Hitting Restaurants with Fileless Malware *** --------------------------------------------- A campaign attributed to the FIN7 attackers targets restaurants with phishing emails and infected RTF Word documents that carry out fileless malware attacks. --------------------------------------------- http://threatpost.com/fin7-hitting-restaurants-with-fileless-malware/126213/ *** More Bypassing of Malware Anti-Analysis Techniques *** --------------------------------------------- For last few articles, we have seen how malware employs some anti-analysis techniques and how we can bypass those techniques. Now, let's raise the bar a bit more and look out for more advanced anti-analysis techniques. In this article, we will look at how we can reach the Original Entry Point of a packed Exe ... --------------------------------------------- http://resources.infosecinstitute.com/bypassing-malware-anti-analysis-techn… *** Learning Pentesting with Metasploitable3 - Part 2 *** --------------------------------------------- Introduction: This is the second part in this series of articles on Learning Pentesting with Metasploitable3. We have prepared our lab setup in our previous article. This article shows the Information Gathering techniques that are typically used during Penetration Testing by using Metasploitable3 VM. This phase is crucial during a penetration test as we will ... --------------------------------------------- http://resources.infosecinstitute.com/learning-pentesting-metasploitable3-p… *** Multiple (0day) vulnerabilities in Schneider Electric U.motion Builder *** --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-383/ http://www.zerodayinitiative.com/advisories/ZDI-17-384/ http://www.zerodayinitiative.com/advisories/ZDI-17-385/ http://www.zerodayinitiative.com/advisories/ZDI-17-386/ http://www.zerodayinitiative.com/advisories/ZDI-17-387/ http://www.zerodayinitiative.com/advisories/ZDI-17-388/ http://www.zerodayinitiative.com/advisories/ZDI-17-389/ http://www.zerodayinitiative.com/advisories/ZDI-17-390/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM API Connect is affected by an information disclosure vulnerability (CVE-2017-1379). *** http://www.ibm.com/support/docview.wss?uid=swg22004714 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-2619) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010155 --------------------------------------------- *** IBM Security Bulletin: Weak default password lockout policy in IBM BigFix Compliance Analytics (CVE-2017-1197) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004170 --------------------------------------------- *** IBM Security Bulletin: IBM Spectrum Scale Object Protocols functionality is affected by security vulnerabilities in OpenStack (CVE-2015-1852 and CVE-2015-7546) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010157 --------------------------------------------- *** IBM Security Bulletin: A Cross-site scripting vulnerability in IBM Websphere Application Server, affects IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-8934) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996989 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Cloud Orchestrator (CVE-2016-5986) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000200 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 12-06-2017
by Daily end-of-shift report 12 Jun '17

12 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 09-06-2017 18:00 − Montag 12-06-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Banking trojan executes when targets hover over link in PowerPoint doc *** --------------------------------------------- Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file. The method - which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit - is notable because it didn't rely on macros, visual basic scripts, or JavaScript to deliver its payload. --------------------------------------------- https://arstechnica.com/security/2017/06/malicious-powerpoint-files-can-inf… *** RSA Identity Management and Governance Input Validation Flaws Let Remote and Remote Authenticated Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1038648 *** FIRST announces availability of new Common Vulnerability Scoring System (CVSS) release *** --------------------------------------------- Third version aims to make the system more applicable to modern concerns --------------------------------------------- https://www.first.org/newsroom/releases/20150610 *** [remote] Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution *** --------------------------------------------- https://www.exploit-db.com/exploits/42158/?rss *** DFN-CERT-2017-0993/">libgcrypt: Eine Schwachstelle ermöglicht das Ausspähen von Informationen *** --------------------------------------------- Ein entfernter, nicht authentisierter Angreifer, der den EdDSA-Sitzungsschlüssel während eines Signaturprozesses in einer Seitenkanalattacke abgreifen kann, kann daraus den 'Long Term Secret Key' rekonstruieren und nachfolgend die Sicherheitsvorkehrung der Sitzungsverschlüsselung umgehen, um Informationen aus Sitzungen auszuspähen. Der Hersteller stellt libgcrypt 1.7.7 als Sicherheitsupdate bereit. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0993/ *** Bugtraq: [security bulletin] HPESBUX03759 rev.1 - HP-UX CIFS Sever using Samba, Multiple Remote Vulnerabilities *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE HP-UX CIFS server using Samba. The vulnerabilities can be exploited remotely to allow authentication bypass, code execution, and unauthorized access. References: CVE-2017-7494 --------------------------------------------- http://www.securityfocus.com/archive/1/540701 *** Bugtraq: [SECURITY] [DSA 3877-1] tor security update *** --------------------------------------------- Package : tor CVE ID : CVE-2017-0376 Debian Bug : 864424 It has been discovered that Tor, a connection-based low-latency anonymous communication system, contain a flaw in the hidden service code when receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. A remote attacker can take advantage of this flaw to cause a hidden service to crash with an assertion failure (TROVE-2017-005). --------------------------------------------- http://www.securityfocus.com/archive/1/540705 *** Bugtraq: [security bulletin] HPESBHF03730 rev.2 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE Aruba ClearPass Policy Manager. The vulnerabilities could be remotely exploited to allow access restriction bypass, arbitrary command execution, cross site scripting (XSS), escalation of privilege and disclosure of information. References: CVE-2017-5824, CVE-2017-5825, CVE-2017-5826, CVE-2017-582, CVE-2017-5828, CVE-2017-5829, CVE-2017-5647 --------------------------------------------- http://www.securityfocus.com/archive/1/540704 *** Security Advisory - Memory Double Free Vulnerability in Touch Panel Driver of Some Huawei Smart Phones *** --------------------------------------------- The Touch Panel (TP) driver of some Huawei smart phones has a memory double free vulnerability. An attacker with the root privilege of the Android system tricks a user into installing a malicious application, and the application can start multiple threads and try to free specific memory, which could triggers double free and causes a system crash or arbitrary code execution. (Vulnerability ID: HWPSIRT-2017-04111) CVE-2017-8141. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-… *** Security Advisory - Multiple Vulnerabilities in UMA Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-… *** Linux Muldrop.14: Cryptomining-Malware befällt ungeschützte Raspberry Pi *** --------------------------------------------- Eine neue Malware befällt ausschließlich Raspberry Pi und nutzt die Geräte, um Cryptowährungen zu minen. Nutzer können sich relativ leicht dagegen schützen. (Security, Malware) --------------------------------------------- https://www.golem.de/news/linux-muldrop-14-cryptomining-malware-befaellt-un… *** Vuln: VMware Horizon View Client CVE-2017-4918 Command Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98984 *** DFN-CERT-2017-1012/">Sophos UTM: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe *** --------------------------------------------- Mehrere Schwachstellen in den Komponenten BIND, Kernel, NTP, OpenSSL und OpenVPN ermöglichen einem entfernten, in vielen Fällen nicht authentisierten Angreifer verschiedene Denial-of-Service (DoS)-Angriffe auf Sophos UTM. Sophos veröffentlicht die Sophos UTM Software in Version 9.501 als Maintenance Release zur Behebung der genannten Schwachstellen. Darüber hinaus werden verschiedene weitere Programmfehler aus den Bereichen AWS, Basesystem, Confd, Email, Network, Reporting, RESTD, Sandboxd, WAF, Web, WebAdmin und WiFi behoben. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1012/ *** Pwn2Own: Safari sandbox part 1 - Mount yourself a root shell *** --------------------------------------------- Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year's Pwn2Own competition. --------------------------------------------- https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc *** Industroyer: Fortgeschrittene Malware soll Energieversorgung der Ukraine gekappt haben *** --------------------------------------------- Sicherheitsforscher haben nach eigenen Angaben eine Art zweites Stuxnet entdeckt: Einen Trojaner, der auf die Steuerung von Umspannwerken zugeschnitten ist. Er soll für Angriffe auf den ukrainischen Stromversorger Ukrenergo verantwortlich sein. --------------------------------------------- https://heise.de/-3740606 *** CSIRT maturity evaluation process - How is CSIRT maturity assessed? *** --------------------------------------------- ENISA has published a new practical guide for CSIRTs so that they are better prepared to protect their constituencies and improve teams maturity. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/csirt-maturity-evaluation-proce… *** Vuln: D-Link DIR-615 Wireless N 300 Router CVE-2017-9542 Authentication Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98992 *** Healthcare Industry Cybersecurity Report *** --------------------------------------------- New US government report: "Report on Improving Cybersecurity in the Health Care Industry." Its pretty scathing, but nothing in it will surprise regular readers of this blog.Its worth reading the executive summary, and then skimming the recommendations. Recommendations are in six areas.The Task Force identified six high-level imperatives by which to organize its recommendations and action items. The imperatives are:Define and streamline leadership, governance, and expectations for --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/healthcare_indu.html *** Behind the CARBANAK Backdoor *** --------------------------------------------- In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK (aka Anunak). Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution. With these details, we will then draw some conclusions about the operators of CARBANAK. For some additional background on the CARBANAK backdoor, see the papers by Kaspersky and Group-IB and Fox-It. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-bac… *** Erste SambaCry-Angriffe: Trojaner schürft Kryptowährung auf Linux-Servern *** --------------------------------------------- Sicherheitsforscher haben einen Trojaner entdeckt, der durch die vor kurzem entdeckte Samba-Lücke in Linux-Server einbricht und dann mit deren Hardware Kryptogeld erzeugt. --------------------------------------------- https://heise.de/-3740976 *** OSX/MacRansom; analyzing the latest ransomware to target macs *** --------------------------------------------- Looks like somebody on the dark web is offering Ransomware as a Service...that's designed to infect Macs! --------------------------------------------- https://objective-see.com/blog/blog_0x1E.html *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology *** http://www.ibm.com/support/docview.wss?uid=swg22004534 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Insight *** http://www-01.ibm.com/support/docview.wss?uid=swg22003367 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Reporting for Development Intelligence *** http://www-01.ibm.com/support/docview.wss?uid=swg22003366 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Management Module (IMM) for System x & BladeCenter *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module (IMM) for System x & BladeCenter *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Quality Manager *** http://www.ibm.com/support/docview.wss?uid=swg22004428 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow a remote authenticated attacker to execute arbitrary commands on the system as administrator (CVE-2016-9984) *** http://www.ibm.com/support/docview.wss?uid=swg21998608 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-5597 CVE-2016-5546 CVE-2016-5548 CVE-2016-5549 CVE-2016-5547 CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg21998779 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-9736, CVE-2016-8934, CVE-2016-8919) *** http://www.ibm.com/support/docview.wss?uid=swg21999544 --------------------------------------------- *** IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0636) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010085 --------------------------------------------- *** IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0603) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010086 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 9-06-2017
by Daily end-of-shift report 09 Jun '17

09 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 08-06-2017 18:00 − Freitag 09-06-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Is WannaCry Really Ransomware? *** --------------------------------------------- This post summarizes the significant efforts of a McAfee threat research team that has been relentless in its efforts to gain a deeper understanding of the WannaCry ransomware. We would like to specifically acknowledge Christiaan Beek, Lynda .. --------------------------------------------- https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-really-… *** Phishing Leveraging the Sucuri Brand *** --------------------------------------------- We are always on guard for phishing emails and websites that might try to compromise our customers or employees, so that we can be on top of the issue and warn as many people as possible. Targeted .. --------------------------------------------- https://blog.sucuri.net/2017/06/phishing-leveraging-sucuri-brand.html *** Windows 10 Creators Update provides next-gen ransomware protection *** --------------------------------------------- Multiple high-profile incidents have demonstrated that ransomware can have catastrophic effects on all of us. From personally losing access to your own digital property, to being .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-upd… *** Mouse Over, Macro: Spam Run in Europe Uses Hover Action to Deliver Banking Trojan *** --------------------------------------------- We found another unique method being used to deliver malware—abusing the action that happens when simply hovering the mouse’s pointer over a hyperlinked picture or text in a PowerPoint .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/mouseover-otlard… *** Hacker stehlen "Cyberpunk 2077"-Daten und erpressen Hersteller CD Projekt *** --------------------------------------------- "The Wicher 3"-Entwickler gab Diebstahl in einer Stellungnahme bekannt --------------------------------------------- http://derstandard.at/2000059016376 *** In eigener Sache: Umstellung auf wöchentliches Wartungsfenster *** --------------------------------------------- Um die Administration zu erleichtern, werden wir ab 22. 6. 2017 auf ein wöchentliches Wartungsfenster umstellen: dieses wird jeweils am Donnerstag von 19-22h sein. Falls also .. --------------------------------------------- http://www.cert.at/services/blog/20170609114214-2029.html *** Android-Trojaner Dvmap kompromittiert Systeme wie kein anderer *** --------------------------------------------- Sicherheitsforscher warnen vor einem Schädling in Google Play, der Android-Geräte mit bisher unbekannten Methoden komplett in seine Gewalt bringen kann. --------------------------------------------- https://heise.de/-3739451 *** Steirische WK richtet Hotline für Firmen gegen Cyberangriffe ein *** --------------------------------------------- Pilotversuch startet in der Steiermark – Mehr als jedes fünfte Unternehmen bereits Opfer von Angriffen aus dem Netz --------------------------------------------- http://derstandard.at/2000059028695 *** SSA-023589 (Last Update 2017-06-09): SMBv1 Vulnerabilities in Advanced Therapy Products from Siemens Healthineers *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-023589… *** Microsoft: OpenBSD kommt für die Azure-Cloud *** --------------------------------------------- Das Unix-Betriebssystem OpenBSD gilt als besonders sicher und stabil. Microsoft erkennt dessen Potential und macht es für Azure verfügbar. Dazu kooperiert das Unternehmen mit .. --------------------------------------------- https://www.golem.de/news/microsoft-openbsd-kommt-fuer-die-azure-cloud-1706… *** DomainTools 101: DNS Shadow Hack-Attacked *** --------------------------------------------- In this article we will dive into the attack vector known as domain shadowing, and how it can land an .. --------------------------------------------- https://blog.domaintools.com/2017/06/domaintools-101-dns-shadow-hack-attack…

1 0

Tageszusammenfassung - Donnerstag 8-06-2017
by Daily end-of-shift report 08 Jun '17

08 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 07-06-2017 18:00 − Donnerstag 08-06-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz *** Deceptive Advertisements: What they do and where they come from *** --------------------------------------------- About a week ago, a reader asked for help with a nasty typo squatting incident: The site, yotube.com, at the time redirected to fake tech support sites. These sites typically pop up a message alerting the user of a made-up problem and offer a phone number for tech support. Investigating the site, I found ads, all of which can be characterized as deceptive. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22494 *** SSTIC 2017 Wrap-Up Day #1 *** --------------------------------------------- I’m in Rennes, France to attend my very first edition of the SSTIC conference. SSTIC is an event organised in France, by and for French people. The acronym means “Symposium sur la sécurité des technologies de l’information et des communications“. The event has a good reputation about its content but is also known to have a very strong policy to sell tickets. --------------------------------------------- https://blog.rootshell.be/2017/06/08/sstic-2017-wrap-day-1/ *** Summer STEM for Kids *** --------------------------------------------- Its summertime and your little hackers need something to keep them busy! Let look at some of the options for kids to try out. Ive tried out each of these programs and have had good luck with them. Please post in comments any site you have been successful with your kids in teaching them STEM or IT Security. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22496 *** Sicherheitsupdates: VMware vSphere Data Protection angreifbar *** --------------------------------------------- In einer Komponente von vSphere klaffen zwei als kritisch eingestufte Lücken, über die Angreifer beliebige Befehle ausführen und Log-in-Daten abziehen können. --------------------------------------------- https://heise.de/-3737673 *** Foscam: IoT-Hersteller ignoriert Sicherheitslücken monatelang *** --------------------------------------------- Die IoT-Apokalypse hört nicht auf: Erneut wurden zahlreiche Schwachstellen in einer IP-Kamera dokumentiert. Der Hersteller reagiert mehrere Monate lang nicht auf die Warnungen. --------------------------------------------- https://www.golem.de/news/foscam-iot-hersteller-ignoriert-sicherheitsluecke… *** A new Linux Malware targets Raspberry Pi devices to mine Cryptocurrency *** --------------------------------------------- Security researchers at Dr. Web discovered two new Linux Malware, one of them mines for cryptocurrency using Raspberry Pi Devices. Malware researchers at the Russian antivirus maker Dr.Web have discovered a new Linux trojan, tracked as Kinux.MulDrop.14, that is infecting Raspberry Pi devices with the purpose of mining cryptocurrency. --------------------------------------------- http://securityaffairs.co/wordpress/59842/malware/linux-malware-raspberry-p… *** The Reigning King of IP Camera Botnets and its Challengers *** --------------------------------------------- Early this month we discussed a new Internet of Things (IoT) botnet called Persirai (detected by Trend Micro as ELF_PERSIRAI.A), which targets over 1000 Internet Protocol (IP) camera models. Currently, through Shodan and our own research, we see that 64% of tracked IP cameras with custom http servers are infected with Persirai. But, because these cameras are such common targets, there is some competition between malware. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XMVX_tvNlNw/ *** Versehentlich aktiviertes Debugging-Tool gefährdet Cisco Data Center Network Manager *** --------------------------------------------- Sicherheitsupdates schließen zum Teil als kritisch eingestufte Lücken in Cisco AnyConnect, DCNM und TelePresence. --------------------------------------------- https://heise.de/-3737633 *** Cisco Prime Data Center Network Manager Debug Remote Code Execution Vulnerability *** --------------------------------------------- A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to access sensitive information or execute arbitrary code with root privileges on an affected system. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Cisco Context Service SDK Arbitrary Code Execution Vulnerability *** --------------------------------------------- A vulnerability in the update process for the dynamic JAR file of the Cisco Context Service software development kit (SDK) could allow an unauthenticated, remote attacker to execute arbitrary code on the affected device with the privileges of the web server.The vulnerability is due to insufficient validation of the update JAR files signature. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…

1 0

Tageszusammenfassung - Mittwoch 7-06-2017
by Daily end-of-shift report 07 Jun '17

07 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 06-06-2017 18:00 − Mittwoch 07-06-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz *** Rockwell Automation PanelView Plus 6 700-1500 *** --------------------------------------------- This advisory contains mitigation details for a missing authorization vulnerability in Rockwell Automation's PanelView Plus 6 700-1500. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-157-01 *** Digital Canal Structural Wind Analysis *** --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Digital Canal Structural's Wind Analysis. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-157-02 *** Curiosity Kills Security When it Comes to Phishing *** --------------------------------------------- The results of an academic experiment reveal that recipients of Facebook messages are much more likely to click on suspicious links. --------------------------------------------- http://threatpost.com/curiosity-kills-security-when-it-comes-to-phishing/12… *** Privileges and Credentials: Phished at the Request of Counsel *** --------------------------------------------- Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-… *** Russische Hacker erteilen Befehle über Britney Spears Instagram *** --------------------------------------------- Adresse von Kontrollserver wurde in Nutzerkommentar zu Foto des Popstars versteckt. --------------------------------------------- http://derstandard.at/2000058853606 *** VMware-Admins aufgepasst: Es gibt wichtige Updates für ESXi *** --------------------------------------------- Wer Version 6.0 des ESXi-Hypervisors von VMware einsetzt, sollte Zeit zum Patchen einplanen. Einige Bugs und Sicherheitslücken wollen ausgebügelt werden. --------------------------------------------- https://heise.de/-3736872 *** [2017-06-07] Various WiMAX CPEs Authentication Bypass *** --------------------------------------------- Various WiMAX routers by GreenPacket, Huawei, MADA, MitraStar, ZTE and ZyXEL are affected by an authentication bypass vulnerability that allows an attacker to take over the web interface. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Ghosts from the past: Authentication bypass and OEM backdoors in WiMAX routers *** --------------------------------------------- SEC Consult has found a vulnerability in several WiMAX routers, distributed by WiMAX ISPs to subscribers. The vulnerability allows an attacker to change the password of the admin user. --------------------------------------------- http://blog.sec-consult.com/2017/06/ghosts-from-past-authentication-bypass.… *** PLATINUM continues to evolve, find ways to maintain invisibility *** --------------------------------------------- Back in April 2016, we released the paper PLATINUM: Targeted attacks in South and Southeast Asia, where we detailed the tactics, techniques, and procedures of the PLATINUM activity group. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-e… *** VMSA-2017-0010 *** --------------------------------------------- vSphere Data Protection (VDP) updates address multiple security issues. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0010.html

1 0

Tageszusammenfassung - Dienstag 6-06-2017
by Daily end-of-shift report 06 Jun '17

06 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 02-06-2017 18:00 − Dienstag 06-06-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Hack Brief: Dangerous ‘Fireball’ Adware Infects a Quarter Billion PCs *** --------------------------------------------- A widespread adware infection hides the ability to inflict far worse than spammy browser tweaks. --------------------------------------------- https://www.wired.com/2017/06/hack-brief-dangerous-fireball-adware-infects-… *** FakeGlobe and Cerber Ransomware: Sneaking under the radar while WeCry *** --------------------------------------------- Recently, we observed a constant influx of spam that distributes two ransomware families, perhaps trying to sneak in while everyone is focused with the recent WannaCry malware. Based on data .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/FakeGlobe-and-Cerber-Ransomw… *** Wie Hacker mit ihren Smartphones beim Glücksspiel betrügen *** --------------------------------------------- Russische Mafia konnte Automaten durch Reverse Engineering durchschauen und per Vibrationsalarm richtigen Moment zum Drücken festlegen --------------------------------------------- http://derstandard.at/2000052237768 *** DSA-3873 perl - security update *** --------------------------------------------- The cPanel Security Team reported a time of check to time of use(TOCTTOU) race condition flaw in File::Path, a core module from Perl to create or remove directory trees. An attacker can take .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3873 *** 53 Percent of Enterprise Flash Installs are Outdated *** --------------------------------------------- More than half of enterprises are exposing themselves to unnecessary risk by running out-of-date versions of Flash. --------------------------------------------- http://threatpost.com/53-percent-of-enterprise-flash-installs-are-outdated/… *** 40,000 Subdomains Tied to RIG Exploit Kit Shut Down *** --------------------------------------------- GoDaddy, along with researchers from RSA Security and other companies, shut down tens of thousands of illegal established subdomains tied to the RIG Exploit Kit. --------------------------------------------- http://threatpost.com/40000-subdomains-tied-to-rig-exploit-kit-shut-down/12… *** Passwortmanager: Kundendaten von Onelogin gehackt *** --------------------------------------------- Ein Passwortmanager soll Nutzern helfen, sichere Passwörter zu generieren und sicher zu speichern. Bei dem Betreiber Onelogin wurden jedoch zahlreiche Informationen von Nutzern durch .. --------------------------------------------- https://www.golem.de/news/passwortmanger-kundendaten-von-onelogin-gehackt-1… *** Security Advisory 2017-03: Security Update for all OTRS Versions *** --------------------------------------------- https://www.otrs.com/security-advisory-2017-03-security-update-otrs-version… *** Security Advisory 2017-02: Security Update for all OTRS Versions *** --------------------------------------------- https://www.otrs.com/security-advisory-2017-02-security-update-otrs-version… *** Erpressungstrojaner WannaCry: Mängel im Code steigern Chancen für Opfer *** --------------------------------------------- Sicherheitsforscher haben sich den Code der Ransomware angeschaut und diverse Schnitzer gefunden. Mit etwas Glück können Opfer wieder Zugriff auf ihre Dateien bekommen. --------------------------------------------- https://heise.de/-3734698 *** Patchday: Fehlerbereinigte Android-Versionen für Nexus, Pixel & Co. veröffentlicht *** --------------------------------------------- Google hat mehrere Sicherheitslücken in Android gestopft – darunter auch kritische. Wer ein Google-Gerät besitzt, sollte es zügig aktualisieren. Auch Besitzer von Geräten anderer Hersteller sollten prüfen, ob es eine Aktualisierung gibt. --------------------------------------------- https://heise.de/-3735188

1 0

Tageszusammenfassung - Freitag 2-06-2017
by Daily end-of-shift report 02 Jun '17

02 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 01-06-2017 18:00 − Freitag 02-06-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Phoenix Broadband Technologies LLC PowerAgent SC3 Site Controller *** --------------------------------------------- This advisory contains mitigation details for a use of hard-coded password vulnerability in the Phoenix Broadband Technologies LLC PowerAgent SC3 Site Controller. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-152-01 *** Passwords at the Border *** --------------------------------------------- The password-manager 1Password has just implemented a travel mode that tries to protect users while crossing borders. It doesnt make much sense. To enable it, you have to create a list of passwords you feel safe traveling with, and then you can turn on the mode .. --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/passwords_at_th.html *** Financial malware more than twice as prevalent as ransomware *** --------------------------------------------- Three Trojans dominated the financial threat landscape in 2016 and attackers increased their focus on corporate .. --------------------------------------------- https://www.symantec.com/connect/blogs/financial-malware-more-twice-prevale… *** CIA Malware Can Switch Clean Files With Malware When You Download Them via SMB *** --------------------------------------------- After taking last week off, WikiLeaks came back today and released documentation on another .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cia-malware-can-switch-clean… *** DSA-3872 nss - security update *** --------------------------------------------- Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service or information disclosure. --------------------------------------------- https://www.debian.org/security/2017/dsa-3872 *** DSA-3871 zookeeper - security update *** --------------------------------------------- It was discovered that Zookeeper, a service for maintaining configuration information, didn't restrict access to the computationally expensive wchp/wchc commands which could result in denial of service by elevated CPU consumption. --------------------------------------------- https://www.debian.org/security/2017/dsa-3871 *** Riverbed SteelHead VCX 9.6.0a Arbitrary File Read *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2017060017 *** Weak DevOps cryptographic policies increase financial services cyber risk *** --------------------------------------------- Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications. This is a particular issue for financial services organizations, which have .. --------------------------------------------- https://www.helpnetsecurity.com/2017/06/02/weak-devops-cryptographic-polici… *** Phishing Campaigns Follow Trends *** --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22482 *** WannaCry and Vulnerabilities *** --------------------------------------------- There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which .. --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/wannacry_and_vu.html *** Hadoop Servers Expose Over 5 Petabytes of Data *** --------------------------------------------- Improperly configured HDFS-based servers, mostly Hadoop installs, are exposing over five petabytes of information, according to John Matherly, founder of Shodan, a .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hadoop-servers-expose-over-5… *** IBM Security Bulletin: Vulnerability in Samba affects IBM Netezza Host Management *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003112 *** Check-Point-Bericht: Gefährliche Backdoor in jedem zehnten deutschen Unternehmensnetz *** --------------------------------------------- Die Fireball getaufte Adware ist mit über 250 Millionen Installationen nicht nur sehr verbreitet, sondern auch sehr gefährlich: Laut Check Point kann sie beliebigen Code auf dem System ausführen und so auch Malware nachladen. --------------------------------------------- https://heise.de/-3732893

1 0

Tageszusammenfassung - Donnerstag 1-06-2017
by Daily end-of-shift report 01 Jun '17

01 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 31-05-2017 18:00 − Donnerstag 01-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Aufgepasst: Googles AMP wird zur Tarnung von Phishing-Angriffen missbraucht *** --------------------------------------------- Russische Hacker benutzen Googles AMP-Dienst, um böse URLs als Google-Dienste zu tarnen. Es ist nur eine Frage der Zeit, bis das Schule macht. --------------------------------------------- https://heise.de/-3731578 *** Cisco, Netgear Readying Patches for Samba Vulnerability *** --------------------------------------------- Cisco is prepping fixes for two of its products affected by last weeks Samba vulnerability. Netgear has also pushed out a fix for NAS devices that were affected. --------------------------------------------- http://threatpost.com/cisco-netgear-readying-patches-for-samba-vulnerabilit… *** Sharing Private Data with Webcast Invitations, (Thu, Jun 1st) *** --------------------------------------------- Last week, at a customer, we received a forwarded emailin a shared mailbox. It was somebody from another department that shared an invitation for a webcast that could be interesting for you, guys!. This time, no phishing attempt, no malware, just a regular email sent from a well-known security vendor. A colleague was interested in the webcast and clicked on the registration link. He was redirected to a page and was surprised to see all the fields already prefilled with the personal details of [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22478&rss *** Motorcycle Gang Busted For Hacking and Stealing Over 150 Jeep Wranglers *** --------------------------------------------- An anonymous reader writes: "The FBI has arrested members of a motorcycle gang accused to have hacked and stolen over 150 Jeep Wranglers from Southern California, which they later crossed the border into Mexico to have stripped down for parts," reports Bleeping Computer. What stands apart is how the gang operated. This involved gang members getting the Jeep Wrangler VIN (Vehicle Identification Number), accessing a proprietary Jeep database, and getting two codes needed to create a [...] --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/xYKBhycly0Q/motorcycle-gang… *** An Elegant Way to Ruin Your Company's Day - Introduction to Public AWS EBS Snapshots *** --------------------------------------------- TL;DR Creating public (unencrypted) EBS Snapshots might not be a great idea. Even if you are going to share them "just for a second". A lot can be fished out of these snapshots: ssh keys, tls/ssl certificates, aws credentials, private source code and internal (extremely) valuable HR/Accounting/IT documents. --------------------------------------------- https://www.nvteh.com/news/problems-with-public-ebs-snapshots *** Credit Card Breach at Kmart Stores. Again. *** --------------------------------------------- For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in comment: They were all used at Kmart locations. Ask to respond to rumors about a card breach, [...] --------------------------------------------- https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-agai… *** NCSC releases factsheet Indicators of Compromise *** --------------------------------------------- In order to observe malicious digital activities within an organisation, Indicators of Compromise (IoCs) are a valuable asset. With IoCs, organisations can gain quick insights at central points in the network into malicious digital activities. When your organisation observes these activities, it is important to know what you can do to trace back which system is infected. Obtain as much contextual information with an IoC as possible, so that you get a clear picture of what is happening and how --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/ncsc-releases-factsheet-ind… *** WannaCry Development Errors Enable File Recovery *** --------------------------------------------- Researchers at Kaspersky Lab have found a number of programming errors in the WannaCry ransomware code that put file recovery within reach of sysadmins. --------------------------------------------- http://threatpost.com/wannacry-development-errors-enable-file-recovery/1260… *** OneLogin suffers data breach, again *** --------------------------------------------- OneLogin, a popular single sign-on service that allows users to access thousands of popular cloud-based apps with just one password, has suffered what seems to be a serious data breach. According to a short blog post by the company's Chief Information Security Officer Alvaro Hoyos, they discovered the breach when, on Wednesday, they detected unauthorized access to OneLogin data in their US data region. --------------------------------------------- https://www.helpnetsecurity.com/2017/06/01/onelogin-data-breach/ *** [webapps] OV3 Online Administration 3.0 - Remote Code Execution *** --------------------------------------------- OV3 Online Administration 3.0 - Remote Code Execution --------------------------------------------- https://www.exploit-db.com/exploits/42096/?rss *** Indicators Associated With WannaCry Ransomware (Update H) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01G Indicators Associated With WannaCry Ransomware that was published May 30, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01H *** Security Advisory - Multiple Security Vulnerabilities in HedEx product *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… *** DFN-CERT-2017-0945: Red Hat CloudForms Management Engine: Zwei Schwachstellen ermöglichen u.a. das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0945/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier (CVE-2016-9977) *** http://www.ibm.com/support/docview.wss?uid=swg22003981 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in expat, nss, bind , policycoreutils, sudo shipped with SmartCloud Entry Appliance *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025119 --------------------------------------------- *** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2016-6816, CVE-2016-6817, CVE-2016-8735 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009962 --------------------------------------------- *** IBM Security Bulletin: IBM Spectrum Protect (formerly Tivoli Storage Manager) Windows Client password exposure (CVE-2016-8939) *** http://www.ibm.com/support/docview.wss?uid=swg22003738 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22003673 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004078 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Storage FlashCopy Manager VMware (CVE-2016-6303, CVE-2016-2182, CVE-2016-2177, CVE-2016-2183, CVE-2016-6309, CVE-2016-7052, CVE-2016-2178, CVE-2016-6306) *** http://www.ibm.com/support/docview.wss?uid=swg22000589 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit library affects IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004075 --------------------------------------------- *** IBM Security Bulletin: Multiple Security vulnerabilities in WebSphere Application Server Community Edition *** http://www-01.ibm.com/support/docview.wss?uid=swg22002267 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010243 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004074 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004077 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows *** http://www-01.ibm.com/support/docview.wss?uid=swg22002135 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM RackSwitch Products *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset Analyzer *** http://www-01.ibm.com/support/docview.wss?uid=swg22003418 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2017-3731, CVE-2016-7055) *** http://www.ibm.com/support/docview.wss?uid=swg22003793 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libX11 affect IBM BladeCenter Advanced Management Module (AMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BladeCenter Advanced Management Module (AMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL/libcurl affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects MegaRAID Storage Manager (CVE-2016-8610) *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in dosfstools affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: IBM Development Package for Apache Spark update of IBM SDK Java Technology Edition *** http://www-01.ibm.com/support/docview.wss?uid=swg22003200 --------------------------------------------- *** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q2 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. *** http://www.ibm.com/support/docview.wss?uid=swg22004036 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 31-05-2017
by Daily end-of-shift report 31 May '17

31 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 30-05-2017 18:00 − Mittwoch 31-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Personal Security Guide - WiFi Network *** --------------------------------------------- This is the third part in our series on personal security that offers methods to strengthen your overall security posture. By taking a holistic approach to security, you are protecting your website against attack vectors due to poor security practices in various aspects of your digital life. This post shares some insight on how to secure your network. When we talk about a network, we mean the way you connect to the internet. --------------------------------------------- https://blog.sucuri.net/2017/05/personal-security-guide-network-connection.… *** Kritische Infrastruktur: Meldepflicht für IT-Vorfälle deutlich erweitert *** --------------------------------------------- Die Meldepflicht für IT-Sicherheitsvorfälle ist auf weitere Branchen ausgedehnt worden. Damit steigt die Gesamtzahl auf mehr als 1.600 Einrichtungen in ganz Deutschland. --------------------------------------------- https://www.golem.de/news/kritische-infrastruktur-meldepflicht-fuer-it-vorf… *** HospitalGown: Appthority Discovers Backend Exposure of 43TB of Enterprise Data *** --------------------------------------------- [...] It's understandable that in mobile security we focus on the device, the apps it runs, and the networks it connects to. But what happens to the data from there? Cloud computing and storage are ubiquitous, advertising networks are the default revenue model for many apps, and analytics frameworks are driving design and implementation decisions. We can't ignore where the data goes. Like any other component of the larger system, these backend servers can introduce additional risk, [...] --------------------------------------------- https://www.appthority.com/mobile-threat-center/blog/hospitalgown-appthorit… http://info.appthority.com/hubfs/website-LEARN-content/Appthority%20Q2-17%2… *** XData Ransomware Master Decryption Keys Released. Kaspersky Releases Decryptor. *** --------------------------------------------- In what has become a welcome trend, today another ransomware master decryption key was released on BleepingComputer.com. This time the key that was released is for the XData Ransomware that was targeting the Ukraine around May 19th 2017. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/xdata-ransomware-master-decr… *** Indicators Associated With WannaCry Ransomware (Update G) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01F Indicators Associated With WannaCry Ransomware that was published May 25, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01G *** WannaCry: Two Weeks and 16 Million Averted Ransoms Later *** --------------------------------------------- [...] What WannaCry does has been extensively documented by others, as seen in reports by BAE Systems, MalwareBytes, Endgame, and Talos. Rather than focusing on the technical functionality of the malware, this article will open a window into our recent experience with managing, mitigating, and tracking the propagation and evolution of the WannaCry outbreak, and the true extent of its reach. --------------------------------------------- https://blog.kryptoslogic.com/malware/2017/05/29/two-weeks-later.html *** Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st) *** --------------------------------------------- Introduction In my previous diary, I did a very brief introduction on what the ACH method is [1], so that now all readers, also those who had never seen it before, can have a common basic understanding of it. One more thing I have not mentioned yet is how the scores are calculated. There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22470&rss *** [webapps] Trend Micro Deep Security version 6.5 - XML External Entity Injection / Local Privilege Escalation / Remote Code Execution *** --------------------------------------------- https://www.exploit-db.com/exploits/42089/?rss *** Vulnerability in Samba Affecting Cisco Products: May 2017 *** --------------------------------------------- On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated attacker to execute arbitrary code remotely on a targeted system.This vulnerability has been assigned CVE ID CVE-2017-7494This advisory is available at the following link:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/… On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Huawei Security Advisories *** --------------------------------------------- *** Security Advisory - Command Injection Vulnerability in the GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Command Injection Vulnerability in the NetEco *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Buffer Overflow Vulnerability in The GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Four Command Injection Vulnerabilities in The FusionSphere OpenStack *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Authentication Bypass Vulnerability in the Backup Function of GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Two Buffer Overflow Vulnerabilities in the GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Two Privilege Escalation Vulnerabilities in the GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in tcpdump affect AIX *** http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager appliances *** http://www.ibm.com/support/docview.wss?uid=swg22003237 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct FTP+ *** http://www-01.ibm.com/support/docview.wss?uid=swg22003752 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java affect IBM OS Images for Red Hat Linux Systems, AIX-based, and Windows-based deployments. *** http://www.ibm.com/support/docview.wss?uid=swg22004048 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affects IBM BigFix Compliance Analytics. *** http://www-01.ibm.com/support/docview.wss?uid=swg22002991 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web *** http://www.ibm.com/support/docview.wss?uid=swg22003236 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilites in IBM Java Runtime affect Tivoli Storage Manager (IBM Spectrum Protect) for Virtual Environments: Data Protection for VMware and FlashCopy Manager (IBM Spectrum Protect Snapshot) for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22000212 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances may be affected by a kernel vulnerability known as the Dirty COW bug (CVE-2016-5195) *** http://www.ibm.com/support/docview.wss?uid=swg21997991 --------------------------------------------- *** IBM Security Bulletin: MQ Explorer directory created with owner '555' on Linux x86-64 vulnerability affects IBM MQ (CVE-2016-6089) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003509 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22003620 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22003480 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 30-05-2017
by Daily end-of-shift report 30 May '17

30 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 29-05-2017 18:00 − Dienstag 30-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Chrome Bug Allows Sites to Record Audio and Video Without a Visual Indicator *** --------------------------------------------- Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/chrome-bug-allows-sites-to-r… *** 5 incident response practices that keep enterprises from adapting to new threats *** --------------------------------------------- Security analysts within enterprises are living a nightmare that never ends. 24 hours a day, their organizations are being attacked by outside (and sometimes inside) perpetrators - hackers, hacktivists, competitors, disgruntled employees, etc. Attacks range in scope and sophistication, but are always there, haunting the security teams tasked with guarding against them. To cope with this never-ending, ever-changing slew of threats, most organizations rely on established best practices to [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/30/incident-response-practices/ *** Darauf sollen Unternehmer bei der IT-Sicherheit achten *** --------------------------------------------- Nahezu jeden Tag werden Cyberangriffe auf Unternehmen publik. Der Schaden ist oft erheblich. Wer ein paar einfache Tipps beachtet, kann das Risiko deutlich reduzieren. --------------------------------------------- https://futurezone.at/b2b/darauf-sollen-unternehmer-bei-der-it-sicherheit-a… *** Erpressungstrojaner Jaff: Vorsicht vor Mails mit PDF-Anhang *** --------------------------------------------- Derzeit landen vermehrt E-Mails mit einem manipulierten PDF-Dokument in Posteingängen. Wer das Dokument unter Windows öffnet, kann sich die Ransomware Jaff einfangen. Diese verschlüsselt Daten und versieht sie mit der Dateiendung .wlc. --------------------------------------------- https://heise.de/-3728073 *** FreeRADIUS: Anmelde-Server dank Sicherheitslücke viel zu gutgläubig *** --------------------------------------------- Bei der Wiederaufnahme von TLS-Verbindungen überprüft der Anmelde-Server FreeRADIUS unter Umständen nicht, ob der Nutzer sich jemals richtig angemeldet hat. Für eine Software, die Anmeldungen prüfen soll, ist das fatal. --------------------------------------------- https://heise.de/-3728535 *** SANS Securing the Human Security Awareness Report 2017 *** --------------------------------------------- [...] The report highlights what successful programs do right to change behavior and what lagging programs can do to improve and move beyond compliance. --------------------------------------------- https://securingthehuman.sans.org/resources/security-awareness-report-2017 https://securingthehuman.sans.org/media/resources/STH-SecurityAwarenessRepo… *** The Most Common Social Engineering Attacks *** --------------------------------------------- Many years ago, one of the world's most popular hacker Kevin Mitnick explained in his book "The Art of Deception" the power of social engineering techniques, today we are aware that social engineering can be combined with hacking to power insidious attacks. Let's consider for example social media and mobile platforms; they are considered powerful attack [...] --------------------------------------------- http://resources.infosecinstitute.com/common-social-engineering-attacks/ *** Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution *** --------------------------------------------- The version of Serviio installed on the remote Windows/Linux host is affected by an unauthenticated password modification vulnerability due to improper access control enforcement of the Configuration REST API. A remote attacker can exploit this, via a specially crafted request, to change the login password for the mediabrowser protected page. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php *** IBM Security Bulletin: Security vulnerabilities in IBM Java Runtime affect IBM RLKS Administration and Reporting Tool Admin *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001029 *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Standards Processing Engine and IBM Transformation Extender Advanced (CVE-2016-5597) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003602

1 0

Tageszusammenfassung - Montag 29-05-2017
by Daily end-of-shift report 29 May '17

29 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 26-05-2017 18:00 − Montag 29-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw *** --------------------------------------------- Microsoft quietly patched a critical vulnerability found by Googles Project Zero team in the Malware Protection Engine. --------------------------------------------- http://threatpost.com/microsoft-quietly-patches-another-critical-malware-pr… *** Crysis ransomware master keys posted to Pastebin *** --------------------------------------------- Why would someone release the keys to victims? Who knows, but as the poster who uploaded them says, Enjoy! --------------------------------------------- https://nakedsecurity.sophos.com/2017/05/26/crysis-ransomware-master-keys-p… *** File2pcap - A new tool for your toolkit!, (Fri, May 26th) *** --------------------------------------------- One of our readers, Gebhard, submitted a pointer to a tool today, released byTalos, that I wasnt familiar with. However, when I realized it could generate packets, I had to try it out. Its called File2pcap. The concept of the tool is that instead of having to download a file and capture the traffic in order to write detection content, the tool would simulate the download and generate the traffic that you would see. You get a nice pcap in the end. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22456&rss *** CyberChef a Must Have Tool in your Tool bag!, (Sun, May 28th) *** --------------------------------------------- This multipurpose and feature rich tool has been available for a while now and is updated regularly. What I find the most interesting is the number of features that are available this tool. CyberChef is fully portable and can be downloaded locally as an simple HTML self-contained page that can run in any browsers or if you prefer, you can download the package from Github and compile it yourself[2] but why bother. Since the code is updated regularly, I find the first option more practical. It [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22458&rss *** Analysis of Competing Hypotheses (ACH part 1), (Sun, May 28th) *** --------------------------------------------- In threat intelligence, by definition, an analyst will most of the times have to perform assessments in an environment of incomplete information, and/or with information that is being produced with the purpose of misleading the analyst. One of the well-known methodologies is the Analysis of Competing Hypotheses (ACH) [1], developed by Richards J. Heuer, Jr., a former CIA veteran. ACH is an analytic process that identifies a set of alternative hypotheses, and assesses whether data available are [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22460&rss *** Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience *** --------------------------------------------- [Primary authors: Dan Simon and Nir Ben Zvi] The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run. These defaults were... --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2017/05/29/guidance-on-disabli… *** Network Time Protocol updated to spook-harden user comms *** --------------------------------------------- Network time lords decide we dont need IP address swaps The Internet Engineering Task Force has taken another small step in protecting everybodys privacy - this time, in making the Network Time Protocol a bit less spaffy. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/29/network_tim… *** CFP Time *** --------------------------------------------- We decided to create a website for a clearer view of what conferences are happening all around the world. The project is still in beta and after seeing how the community takes it, we might take it one step further. --------------------------------------------- https://cfptime.org/cfps/about *** Dirty COW and why lying is bad even if you are the Linux kernel *** --------------------------------------------- [...] There have been plenty of articles and blog posts about the exploit, but none of them give a satisfactory explanation on exactly how Dirty COW works under the hood from the kernel's perspective. The following analysis is based on this attack POC, although the idea applies to all other similar attacks. --------------------------------------------- https://chao-tic.github.io/blog/2017/05/24/dirty-cow *** DFN-CERT-2017-0928: Microsoft Malware Protection Engine: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0928/ *** DFN-CERT-2017-0913: WebKitGTK+: Mehrere Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes und einen Cross-Site-Scripting-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0913/ https://webkitgtk.org/security/WSA-2017-0004.html *** DFN-CERT-2017-0925: FortiOS: Mehrere Schwachstellen ermöglichen u.a. das Erlangen von Administratorrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0925/ *** Security Advisory - Multiple Vulnerabilities in MTK Platform *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170527-… *** Bugtraq: Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Key and Token *** --------------------------------------------- http://www.securityfocus.com/archive/1/540636 *** Bugtraq: [security bulletin] HPESBHF03730 rev.1 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/540635 *** Bugtraq: [security bulletin] HPESBHF03754 rev.1 - HPE ML10 Gen 9 Server using Intel Xeon E3-1200 v5 Processor, Remote Access Restriction Bypass *** --------------------------------------------- http://www.securityfocus.com/archive/1/540634 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is affected by vulnerability in OpenStack Nova (CVE-2017-7214) *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1022011 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in Red Hat Enterprise Linux (RHEL) Server shipped with PurePower Integrated Manager (PPIM) (CVE-2017-6462 CVE-2017-6463 CVE-2017-6464) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025209 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDKs affect IBM Virtualization Engine TS7700 - January 2017 *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010245 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM Virtual Fabric 10Gb Switch Module *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 26-05-2017
by Daily end-of-shift report 26 May '17

26 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 24-05-2017 18:00 − Freitag 26-05-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Reflections on reflection (attacks) *** --------------------------------------------- Recently Akamai published an article about CLDAP reflection attacks. This got us thinking. We saw attacks from Conectionless LDAP servers back in November 2016 but totally ignored them because our systems were automatically dropping the attack .. --------------------------------------------- https://blog.cloudflare.com/reflections-on-reflections/ *** Cloak & Dagger *** --------------------------------------------- Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks .. --------------------------------------------- http://cloak-and-dagger.org/ *** Trump’s Dumps: ‘Making Dumps Great Again’ *** --------------------------------------------- Its not uncommon for crooks who peddle stolen credit cards to seize on iconic American figures of wealth and power in the digital advertisements for these shops that run continuously on various .. --------------------------------------------- https://krebsonsecurity.com/2017/05/trumps-dumps-making-dumps-great-again/ *** Österreichs Unternehmen sind bei IT-Sicherheit Nachzügler *** --------------------------------------------- Investitionen in die Sicherheit als Chance verstehen --------------------------------------------- http://derstandard.at/2000058280565 *** 83% of Security Pros Waste Time Fixing Co-Workers Non-Security Problems *** --------------------------------------------- Security personnel in many organizations waste time every week helping co-workers with general IT problems, rather than doing their own work, which in the long run, .. --------------------------------------------- https://www.bleepingcomputer.com/news/technology/83-percent-of-security-pro… *** Schwere Sicherheitslücke in Samba gefunden *** --------------------------------------------- Exploits bereits im Netz – Updates sollten rasch eingespielt werden --------------------------------------------- http://derstandard.at/2000058287863 *** DSA-3863 imagemagick - security update *** --------------------------------------------- This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3863 *** DSA-3862 puppet - security update *** --------------------------------------------- It was discovered that unrestricted YAML deserialisation of data sent from agents to the server in the Puppet configuration management .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3862 *** Manipulierte Webseiten legen Windows lahm *** --------------------------------------------- Problem mit Dateinamen verlangsamt System bis zum Stillstand – Windows 7, 8 und Vista betroffen --------------------------------------------- http://derstandard.at/2000058292526 *** Tanze (aktualisierten) Samba mit mir *** --------------------------------------------- Die Erinnerung an CVE-2017-0144, und die Auswirkungen von WannaCry, ist bei uns allen noch frisch im Gedächtnis verankert, und damit keine Langeweile aufkommt, hat Samba nun ein Advisory bezüglich einer kritischen Schwachstelle veröffentlicht: All versions of Samba .. --------------------------------------------- http://www.cert.at/services/blog/20170526134531-2020.html *** FileZilla FTP Client Adds Support for Master Password That Encrypts Your Logins *** --------------------------------------------- Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password .. --------------------------------------------- https://www.bleepingcomputer.com/news/software/filezilla-ftp-client-adds-su…

1 0

Tageszusammenfassung - Mittwoch 24-05-2017
by Daily end-of-shift report 24 May '17

24 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 23-05-2017 18:00 − Mittwoch 24-05-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** FIRST releases version 1.1 of the CSIRT Services Framework *** --------------------------------------------- The leading association of incident response and security teams released a new version of its CSIRT Services Framework. This is a formal list of services a Computer Security Incident Response Team (CSIRT) may consider implementing to address the needs of their constituency. --------------------------------------------- https://www.first.org/newsroom/releases/20170524 *** B. Braun Medical SpaceCom Open Redirect Vulnerability *** --------------------------------------------- This advisory was originally posted to the NCCIC Portal on March 23, 2017, and is being released to the ICS-CERT web site. This advisory contains mitigation details for an open redirect vulnerability in B. Braun Medical's SpaceCom module, which is integrated into the SpaceStation docking station. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-082-02 *** Trend Micro ServerProtect for Linux Multiple Bugs Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks and Let Local Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1038548 *** OpenVPN Access Server Input Validation Flaw Lets Remote Users Conduct Session Fixation Attacks to Hijack a Target Users Session *** --------------------------------------------- A remote user can create a specially crafted URL containing the '%0A' character that, when loaded by the target user prior to authentication, will inject headers and set the session cookie to a specified value. After the target user authenticates to the target OpenVPN Access Server, the remote user can hijack the target user's session. --------------------------------------------- http://www.securitytracker.com/id/1038547 *** DFN-CERT-2017-0901/">Puppet, Puppet Enterprise: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes *** --------------------------------------------- Betroffene Software Puppet < 4.10.1 Puppet Enterprise < 2016.4.5 Puppet Enterprise < 2017.2.1 --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0901/ *** [Announce] Samba 4.6.4, 4.5.10 and 4.4.14 Available for Download *** --------------------------------------------- CVE-2017-7494: All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. --------------------------------------------- https://lists.samba.org/archive/samba-announce/2017/000406.html *** Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones *** --------------------------------------------- There is Factory Reset Protection (FRP) bypass security vulnerability in some Huawei smart phones. When re-configuring the mobile phone using the factory reset protection (FRP) function, an attacker can perform some operations to update the Google account. As a result, the FRP function is bypassed. (Vulnerability ID: HWPSIRT-2017-02036). This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-2710. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170524-… *** Jaff ransomware gets a makeover *** --------------------------------------------- With all the recent news about WannaCry ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now. --------------------------------------------- https://isc.sans.edu/diary/Jaff+ransomware+gets+a+makeover/22446 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Security Guardium Data Redaction. . *** http://www-01.ibm.com/support/docview.wss?uid=swg22003466 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management generates error messages that could reveal sensitive information that could be used in further attacks against the system (CVE-2017-1292) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003414 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to HTTP response splitting attacks (CVE-2017-1291) *** http://www.ibm.com/support/docview.wss?uid=swg22003413 --------------------------------------------- *** IBM Security Bulletin: Fix Available for IBM iNotes Cross-Site Scripting Vulnerability (CVE-2017-1325) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003497 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Notes *** http://www-01.ibm.com/support/docview.wss?uid=swg22000602 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Domino *** http://www-01.ibm.com/support/docview.wss?uid=swg22000516 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 23-05-2017
by Daily end-of-shift report 23 May '17

23 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 22-05-2017 18:00 − Dienstag 23-05-2017 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** EU security think tank ENISA looks for IoT security, cant find any *** --------------------------------------------- Proposes baseline security spec, plus stickers to prove thing-makers have complied European network and infosec agency ENISA has taken a look at Internet of Things security, and doesnt much like what it sees. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/23/enisa_propo… *** Biometrie: Iris-Scanner des Galaxy S8 kann einfach manipuliert werden *** --------------------------------------------- Schon wieder zeigt sich: Biometrische Merkmale sind praktisch zum Entsperren von Geräten - sicher sind sie hingegen nicht. Ein Hacker hat gezeigt, dass sich der Irisscanner des Galaxy S8 von Samsung mit einem einfachen Foto und einer Kontaktlinse austricksen lässt. --------------------------------------------- https://www.golem.de/news/biometrie-iris-scanner-des-galaxy-s8-kann-einfach… *** Preloading in Internet Explorer 11 sends complete browsing history to Microsoft *** --------------------------------------------- Your entire browsing history will periodically be sent to Microsoft. The data sent includes all addresses you visit and when you visited them (derived from that is also how long you spent on each page), and the address of the page that referred you to each page. --------------------------------------------- https://ctrl.blog/entry/ie11-flip-out-privacy *** Windows 10 UAC Bypass Uses "Apps & Features" Utility *** --------------------------------------------- Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10-uac-bypass-uses-a… *** Hackers can use subtitles to take over millions of devices running VLC, Kodi, Popcorn Time and Stremio *** --------------------------------------------- Check Point researchers revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/23/subtitle-hack/ *** [2017-05-23] Arbitrary File Upload & Stored XSS in InvoicePlane *** --------------------------------------------- Multiple high risk vulnerabilities, such as arbitrary file upload and stored cross site-scripting, within the InvoicePlane software allow an attacker to compromise the affected server. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** BIG-IP Azure cloud vulnerability CVE-2017-6131 *** --------------------------------------------- BIG-IP Azure cloud vulnerability CVE-2017-6131. Security Advisory. Security Advisory Description. In some circumstances ... --------------------------------------------- https://support.f5.com/csp/article/K61757346 *** Cisco Integrated Management Controller Remote Code Execution Vulnerability *** --------------------------------------------- A vulnerability in the web-based GUI of Cisco Integrated Management Controller (CIMC) could allow an unauthenticated, remote attacker to perform unauthorized remote command execution on the affected device.The vulnerability exists because the affected software does not sufficiently sanitize specific values that are received as part of a user-supplied HTTP request. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. Successful exploitation... --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Cisco Integrated Management Controller Privilege Escalation Vulnerability *** --------------------------------------------- A vulnerability in the web-based GUI of Cisco Integrated Management Controller (CIMC) could allow an authenticated, remote attacker to elevate the privileges of user accounts on the affected device.The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected device. Successful exploitation could allow an authenticated attacker to elevate the privileges of user accounts configured on the device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in xorg-x11-libX11 affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect MegaRAID Storage Manager *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in tcpdump affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Web Experience Factory *** http://www.ibm.com/support/docview.wss?uid=swg22003695 --------------------------------------------- *** IBM Security Bulletin: Directory Traversal vulnerabilities impact IBM Network Advisor. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009700 --------------------------------------------- *** IBM Security Bulletin: Rational DOORS Web Access is affected by Apache Tomcat vulnerability (CVE-2016-6816) *** http://www.ibm.com/support/docview.wss?uid=swg22003660 --------------------------------------------- *** IBM Security Bulletin: Open Source cURL Libcurl, used by BigFix Platform, has security vulnerabilities (CVE-2016-8617 CVE-2016-8624 CVE-2016-8621) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001818 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager (CVE-2016-5597, CVE-2016-5554) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002446 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web (CVE-2016-5597, CVE-2016-5554) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002445 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 22-05-2017
by Daily end-of-shift report 22 May '17

22 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 19-05-2017 18:00 − Montag 22-05-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Terror Exploit Kit Evolves Into Larger Threat *** --------------------------------------------- The Terror exploit kit has matured into a greater threat and carefully crafts attacks based on a users browser environment. --------------------------------------------- http://threatpost.com/terror-exploit-kit-evolves-into-larger-threat/125816/ *** DSA-3859 dropbear - security update *** --------------------------------------------- https://www.debian.org/security/2017/dsa-3859 *** DSA-3858 openjdk-7 - security update *** --------------------------------------------- Several vulnerabilities have been discovered in OpenJDK, animplementation of the Oracle Java platform, resulting in privilege escalation, denial of service, newline injection in SMTP or use of insecure cryptography. --------------------------------------------- https://www.debian.org/security/2017/dsa-3858 *** WannaCry: Fast nur Windows-7-PCs infiziert *** --------------------------------------------- Mehr als 98 Prozent aller mit WannaCry infizierten PCs laufen nach Zahlen von Kaspersky Lab unter Windows 7. --------------------------------------------- https://heise.de/-3719145 *** Nordkorea unterhält offenbar Spezialeinheit für Cyberangriffe auf Banken *** --------------------------------------------- Soll angeblich hauptsächlich Devisen beschaffen --------------------------------------------- http://derstandard.at/2000058034871 *** Netgear fixes router by adding phone-home features that record your IP and MAC address *** --------------------------------------------- Yeah, that'll be secure for sure Netgear NightHawk R7000 users who ran last weeks firmware upgrade need to check their settings, because the company added a remote data collection feature to the units. --------------------------------------------- www.theregister.co.uk/2017/05/21/netgear_updates_router_with_phone_home_fea… *** "Athena": Mächtiges CIA-Tool knackt alle Windows-Versionen seit XP *** --------------------------------------------- Wikileaks publiziert Dokumente - Umfassende Überwachungsmöglichkeiten, Malware kann auch Daten löschen --------------------------------------------- http://derstandard.at/2000058071298 *** IT threat evolution Q1 2017. Statistics *** --------------------------------------------- According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world. File antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects. --------------------------------------------- http://securelist.com/analysis/quarterly-malware-reports/78475/it-threat-ev… *** Operation "Porto": 159 Dealer im Darknet ausgeforscht *** --------------------------------------------- Ermittlungsverfahren gegen 697 Personen - 35 kg Suchtgift sowie 4.500 Tabletten sichergestellt --------------------------------------------- http://derstandard.at/2000058084813 *** Achtung, Abzocke: Microsoft warnt erneut vor betrügerischen Anrufen *** --------------------------------------------- Mit angeblichen Support-Anrufen von Unternehmen wie Microsoft oder Dell versuchen Betrüger, PC-Besitzer abzuzocken. Trotz einiger Erfolge der Ermittler bleibt das Problem virulent. --------------------------------------------- https://heise.de/-3720168 *** The Problem with OCSP Stapling and Must Staple and why Certificate Revocation is still broken *** --------------------------------------------- Today the OCSP servers from Let's Encrypt were offline for a while. This has caused far more trouble than it should have, because in theory we have all the technologies available to handle such an incident. However due to failures in how they are implemented they don't really work. --------------------------------------------- https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must… *** Was die Datenschutzverordnung bringt: Sammelklagen, Beauftragte *** --------------------------------------------- Nutzer können ab Mai 2018 ihre Rechte leichter durchsetzen, sagt IT-Anwalt Lukas Feiler --------------------------------------------- http://derstandard.at/2000058102109 *** Yahoo schmeisst ImageMagick nach Sicherheitslücke aus eigenem Webmail-Code *** --------------------------------------------- Durch die Schwachstelle konnten Angreifer Speicherinhalte der Yahoo-Server auslesen und so die E-Mail-Anhänge anderer Nutzer ausspionieren. Yahoo schloss die Lücke innerhalb eines selbstverordneten 90-Tage-Ultimatums. --------------------------------------------- https://heise.de/-3720803

1 0

Tageszusammenfassung - Freitag 19-05-2017
by Daily end-of-shift report 19 May '17

19 May '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 18-05-2017 18:00 − Freitag 19-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** How did the WannaCry Ransomworm spread? *** --------------------------------------------- Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. How did it all happen? --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomwor… *** Who's responsible for fixing SS7 security issues? *** --------------------------------------------- The WannaCry ransomware onslaught has overshadowed some of the other notable happenings this month, including the spectacular Google-themed phishing/spamming attack, and the news that attackers have managed to exploit vulnerabilities in the SS7 protocol suite to bypass German banks' two-factor authentication and drain their customers' bank accounts. According to the reports, the attackers were able to pull this scheme off by gaining access to the network of a foreign mobile network [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/19/ss7-security-issues/ *** Number of HTTPS phishing sites triples *** --------------------------------------------- When, in January 2017, Mozilla and Google made Firefox and Chrome flag HTTP login pages as insecure, the intent was to make phishing pages easier to recognize, as well as push more website owners towards deploying HTTPS. But while the latter aim was achieved, and the number of phishing sites making use of HTTPS has increased noticeably, the move also had one unintended consequence: the number of phishing sites with HTTPS has increased, too. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/19/number-https-phishing-sites-trip… *** Hintergrund: Chrome blockt ab sofort Zertifikate mit Common Name *** --------------------------------------------- Wenn der seit Jahren etablierte, hauseigene Dienst plötzlich den HTTPS-Zugang verwehrt, liegt das vermutlich an einer Neuerung der aktuellen Chrome-Version: Google erzwingt den Einsatz der RFC-konformen "Subject Alt Names" und viele Admins müssen deshalb jetzt Hand anlegen. --------------------------------------------- https://heise.de/-3717594 *** Bypassing Application Whitelisting with BGInfo *** --------------------------------------------- TL;DR: BGinfo.exe older than version 4.22 can be used to bypass application whitelisting using vbscript inside a bgi file. This can run directly from a webdav server. --------------------------------------------- https://msitpros.com/?p=3831 *** "Four Keys to Effective ICS Incident Response" *** --------------------------------------------- While incident response in Information Technology (IT) and Operational Technology (OT) or Industrial Control Systems (ICS) may appear to be very similar, incident response in an ICS environment has different considerations and priorities. Many organizations leverage their existing IT incident response capabilities in an OT environment which may not be ideal for successful incident response [...] --------------------------------------------- http://ics.sans.org/blog/2017/05/19/four-keys-to-effective-ics-incident-res… *** ETERNALBLUE vs Internet Security Suites and nextgen protections *** --------------------------------------------- Due to the recent #wannacry ransomware events, we initiated a quick test in our lab. Most vendors claim to protect against the WannaDecrypt ransomware, and some even claims they protect against ETERNALBLUE exploit (MS17-010). Unfortunately, our tests shows otherwise. Warning: We only tested the exploit and the backdoor, but not the payload (Wannacry)! --------------------------------------------- https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nex… *** Forensik-Tool soll gelöschte Notizen aus iCloud auslesen können *** --------------------------------------------- Der Softwareanbieter Elcomsoft hat seine App "Phone Breaker" um eine Funktion erweitert, die den Umstand ausnutzt, dass Apple offenbar auch vom Nutzer eigentlich vernichtete Notizen länger aufbewahrt. --------------------------------------------- https://heise.de/-3718361 *** MS17-010 (Ransomware WannaCry) Impact to Cisco Products *** --------------------------------------------- The Cisco PSIRT Team is continuing to investigate the impact of this vulnerability on Cisco products that have not reached end of software maintenance support and that do not support automated or manual updates of the Microsoft patch for these vulnerabilities. Investigation is expected to be completed by Friday, May 19th. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco… *** HPESBGN03748 rev.1 - HPE Cloud Optimizer, Remote Disclosure of Information *** --------------------------------------------- A potential security vulnerability has been identified in HPE Cloud Optimizer. The vulnerability could be remotely exploited resulting in disclosure of information. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn037… *** Bugtraq: Nextcloud/Owncloud - Reflected Cross Site Scripting in error pages *** --------------------------------------------- http://www.securityfocus.com/archive/1/540569 *** DSA-3855 jbig2dec - security update *** --------------------------------------------- Multiple security issues have been found in the JBIG2 decoder library,which may lead to denial of service, disclosure of sensitive informationfrom process memory or the execution of arbitrary code if a malformedimage file (usually embedded in a PDF document) is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-3855 *** Indicators Associated With WannaCry Ransomware (Update C) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01B Indicators Associated With WannaCry Ransomware that was published May 17, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01C *** McAfee Network Data Loss Prevention Multiple Bugs Let Remote Users Conduct Session Hijacking and Cross-Site Scripting Attacks and Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1038523 *** VMSA-2017-0009 *** --------------------------------------------- VMware Workstation update addresses multiple security issues --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0009.html *** DFN-CERT-2017-0885: Red Hat JBoss Enterprise Application Platform, RESTEasy: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0885/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2125, CVE-2016-2126) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010052 --------------------------------------------- *** IBM Security Bulletin: IBM Cisco Switches and Directors vulnerable to Sweet32 Birthday attacks (CVE-2016-2183 CVE-2016-6329). *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010239 --------------------------------------------- *** IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability *** http://www-01.ibm.com/support/docview.wss?uid=swg22002356 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Network Security Services (NSS) component affect SAN Volume Controller, Storwize family and FlashSystem V9000 products. *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010118 --------------------------------------------- *** IBM Security Bulletin: Open redirect vulnerability in IBM Business Process Manager (CVE-2017-1159) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000253 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affect IBM SONAS (CVE-2017-3731) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010136 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 18-05-2017
by Daily end-of-shift report 18 May '17

18 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 17-05-2017 18:00 − Donnerstag 18-05-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Bootstrap - Critical - Information Disclosure - SA-CONTRIB-2017-048 *** --------------------------------------------- This theme enables you to bridge the gap between the Bootstrap Framework and Drupal. The theme does not sufficiently exclude the submitted password value when an incorrect value .. --------------------------------------------- https://www.drupal.org/node/2879177 *** 4022345 - Identifying and correcting failure of Windows Update client to receive updates - Version: 1.3 *** --------------------------------------------- Microsoft is releasing this security advisory to provide information related to an uncommon deployment scenario in which the Windows Update Client may not properly scan for, or download, updates. This scenario may affect customers who installed .. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/4022345 *** iPrint Appliance 2.0 Patch 5 *** --------------------------------------------- iPrint Appliance 2.0 Patch 5 includes bug fixes, security fixes and a consolidation of previously released patches and hot patches for the iPrint Appliance 2.0. --------------------------------------------- https://download.novell.com/Download?buildid=nKiTte1j9yM~ *** iPrint Appliance 2.1 Patch 3 *** --------------------------------------------- iPrint Appliance 2.1 Patch 3 is a cumulative patch including fixes from all the previous 2.1 patches and hot fixes. --------------------------------------------- https://download.novell.com/Download?buildid=4QmSWkUlwrA~ *** Indicators Associated With WannaCry Ransomware (Update B) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01A Indicators Associated With WannaCry Ransomware that was published May 16, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01B *** My Little CVE Bot *** --------------------------------------------- The massive spread of the WannaCry ransomware last Friday was another good proof that many organisations still fail to patch their systems. Everybody admits that patching is a boring task. They are many constraints that make this process very difficult to implement .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22432 *** Handbrake-Trojaner: Quellcode des Mac-Entwicklerstudios Panic entwendet *** --------------------------------------------- Die auf Mac-Nutzer abzielene Malware “Proton” hat ein erstes prominentes Opfer gefordert: Unbekannte klauten den Quelltext zu mehreren Apps des Entwicklerstudios Panic. Kundendaten sind nicht betroffen, betont das Unternehmen. --------------------------------------------- https://heise.de/-3716479 *** Why the most successful Retefe spam campaign never paid off *** --------------------------------------------- Switzerland is one of the main targets of the Retefe banking trojan since its first appearance in November 2013. At .. --------------------------------------------- https://securityblog.switch.ch/2017/05/18/why-the-most-successful-retefe-sp… *** SSB-412479 (Last Update 2017-05-17): Customer Information on WannaCry Malware for Siemens Healthineers Imaging and Diagnostics Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-412479… *** [2017-05-18] Multiple critical vulnerabilities in Western Digital TV Media Player *** --------------------------------------------- Multiple critical vulnerabilities, such as unauthenticated arbitrary file upload or local file inclusion, within the WDTV Media Player devices allow an attacker to take over the device over the network. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Security Alert: BlueDoom Worm Caught Spreading through EternalBlue, Integrates Batch of Leaked NSA Exploits *** --------------------------------------------- Unfortunately for users who haven’t patched their systems yet after the WannaCry ransomware campaign, there has been an increase in attempts to abuse the EternalBlue exploit in the past few .. --------------------------------------------- https://heimdalsecurity.com/blog/bluedoom-worm-eternablue-nsa-exploits/ *** ATM Black Box attacks: 27 arrested all over Europe *** --------------------------------------------- The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM Black Box attacks across .. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/18/black-box-attacks/ *** 22 Cisco Security Advisories 2017-05-17 *** --------------------------------------------- 1 Critical, 3 High, 18 Medium --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x

1 0

Tageszusammenfassung - Mittwoch 17-05-2017
by Daily end-of-shift report 17 May '17

17 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 16-05-2017 18:00 − Mittwoch 17-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Jetzt patchen: Gerfährliche Sicherheitslücke in Joomla *** --------------------------------------------- Das Joomla-Team schließt mit Version 3.7.1 eine SQL-Injection-Lücke, die fatale Folgen haben kann. Joomla-Admins sollten zügig reagieren. --------------------------------------------- https://heise.de/-3716175 *** WordPress-Update 4.7.5 schließt sechs Sicherheitslücken *** --------------------------------------------- Zwar werden keine der Lücken als kritisch eingestuft, Admins sollten sich aber trotzdem um die XSS- und CSRF-Lücken kümmern. --------------------------------------------- https://heise.de/-3716055 *** Extending Microsoft Edge Bounty Program *** --------------------------------------------- Over the past 10 months, we've paid out more than $200,000 USD in bounties to researchers reporting vulnerabilities through the Microsoft Edge Bounty Program. Partnering with the research community has helped improve Microsoft Edge security, and to continue this collaboration, today we're extending the end date of the Edge on Windows Insider Preview (WIP) bounty... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/05/16/extending-microsoft-edg… *** BSI veröffentlicht Mindeststandard für Mobile Device Management *** --------------------------------------------- Der Mindeststandard definiert in 40 technischen und organisatorischen Regeln die Anforderungen an MDM-Systeme des Bundes sowie deren Betrieb. Er definiert, welche Richtlinien ein System umsetzen können muss, lässt aber Spielraum bei deren Ausgestaltung. --------------------------------------------- https://heise.de/-3715500 *** Basic Best Practices for Securing LDAP and Active Directory with Red Hat *** --------------------------------------------- In the enterprise, its very popular to manage Windows client PCs through Red Hat servers. This sort of configuration is especially common in healthcare and the financial services industries. Red Hat Enterprise Linux (RHEL) has good software for working with Windows Active Directory. Red Hat Enterprise Linux can also manage clients with multiple platforms, such as Windows, OS X, Android, and other Linux distributions with OpenLDAP, an opensource implementation of the Lightweight Directory Access [...] --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/basic-best-practices-f… *** Gefälschtes easybank-Schreiben: Konto gesperrt *** --------------------------------------------- Kriminelle versenden eine gefälschte easybank-Nachricht. Darin heißt es, dass Unbekannte auf das Konto zugegriffen haben. Deshalb sollen Kund/innen eine Website aufrufen, persönliche Bankdaten bekannt geben und ihr Konto bestätigen. Wer die verlangten Informationen Preis gibt, übermittelt sie an Verbrecher/innen. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschtes-easybank-schreiben-… *** Why Phishing Attacks Succeed *** --------------------------------------------- The first time I received a "secure" email message from my bank, I was a bit suspicious of what I was actually seeing. It looked too much like a phishing attempt for my comfort. The message in my inbox was from my banker's email address, not from Chase 1 directly. It also included an attached HTML page and instructions to "open the attached page in an browser for instructions on how to proceed." --------------------------------------------- https://ttmm.io/tech/why-phishing-attacks-succeed/ *** How Big Fuzzing helps find holes in open source projects *** --------------------------------------------- Googles beta project, OSS-Fuzz, has found 264 vulnerabilities in 47 open-source projects - so is it an idea whose time has come? --------------------------------------------- https://nakedsecurity.sophos.com/2017/05/17/how-big-fuzzing-helps-find-hole… *** Security Advisory - DoS Vulnerability in Some Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170517-… *** SSB-412479 (Last Update 2017-05-16): Customer Information on WannaCry Malware for Siemens Healthineers Imaging and Diagnostics Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-421479… *** Indicators Associated With WannaCry Ransomware (Update A) *** --------------------------------------------- This updated alert is a follow-up to the original alert titled ICS-ALERT-17-135-01 Indicators Associated With WannaCry Ransomware that was published May 15, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01A *** FortiOS stored XSS vulnerability in the policy global-label parameter *** --------------------------------------------- FortiOS is subject to a Cross-Site Scripting vulnerability, due to an improperly sanitized parameter in a hidden CLI configuration setting named global-label . This can however only be exploited by an administrator with write privileges. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-057 *** NTP vulnerability CVE-2017-6463 *** --------------------------------------------- NTP vulnerability CVE-2017-6463. Security Advisory. Security Advisory Description. NTP before 4.2.8p10 and 4.3.x before ... --------------------------------------------- https://support.f5.com/csp/article/K02951273 *** Linux kernel vulnerability CVE-2017-8106 *** --------------------------------------------- Linux kernel vulnerability CVE-2017-8106. Security Advisory. Security Advisory Description. The handle_invept function ... --------------------------------------------- https://support.f5.com/csp/article/K34886212 *** Schneider Electric VAMPSET *** --------------------------------------------- This advisory contains mitigation details for a memory corruption vulnerability in Schneider Electric's VAMPSET. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-04 *** Detcon SiteWatch Gateway *** --------------------------------------------- This advisory contains mitigation details for authentication bypass and plaintext storage of a password vulnerabilities in Detcon's SiteWatch Gateway. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-01 *** Hanwha Techwin SRN-4000 *** --------------------------------------------- This advisory contains mitigation details for an unauthenticated access vulnerability in Hanwha Techwin's SRN-4000. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-03 *** Schneider Electric SoMachine HVAC *** --------------------------------------------- This advisory contains mitigation details for buffer overflow and DLL hijack vulnerabilities in Schneider Electric's SoMachine HVAC. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-136-02 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg21999513 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affects IBM Algo One Algo Risk Application and Core (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22000818 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility *** http://www-01.ibm.com/support/docview.wss?uid=swg22003157 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring *** http://www.ibm.com/support/docview.wss?uid=swg22002865 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer and WebSphere Integration Developer *** http://www-01.ibm.com/support/docview.wss?uid=swg22002555 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One Core (CVE-2016-8745) *** http://www.ibm.com/support/docview.wss?uid=swg22001932 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSH affects IBM Security Network Protection (CVE-2015-8325) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999248 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime IBM affect IBM Decision Optimization Center and IBM ILOG ODM Enterprise *** http://www-01.ibm.com/support/docview.wss?uid=swg22003304 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio *** http://www-01.ibm.com/support/docview.wss?uid=swg22003305 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GNU C library (glibc) affect IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg22001907 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network Protection (CVE-2016-8610, and CVE-2017-3731) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999162 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in NTP affect IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg21999246 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 16-05-2017
by Daily end-of-shift report 16 May '17

16 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 15-05-2017 18:00 − Dienstag 16-05-2017 18:00 Handler: Petr Sikuta Co-Handler: Stephan Richter *** WannaCry? Do your own data analysis., (Tue, May 16th) *** --------------------------------------------- In God we trust. All others must bring data ~Bob Rudis With endless amounts of data, technical detail, and insights on WannaCrypt/WannaCry, and even more FUD, speculation, and even downright trolling, herein is a proposal for you to do your own data-driven security analysis. My favorite book to help you scratch that itch? Data Driven Security: Analysis, Visualization and Dashboards, by Jay Jacobs Bob Rudis. A few quick samples, using WannaCry data and R, the open source programming language and [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22424&rss *** Digital signature service DocuSign hacked and email addresses stolen *** --------------------------------------------- Digital signature service DocuSign said Monday that an unnamed third-party had got access to email addresses of its users after hacking into its systems.The hackers gained temporary access to a peripheral sub-system for communicating service-related announcements to users through email, the company said. It confirmed after what it described as a complete forensic analysis that only email addresses were accessed, and not other details such as names, physical addresses, passwords, social security [...] --------------------------------------------- http://www.cio.com/article/3196854/security/digital-signature-service-docus… *** Apple-Updates schließen unangenehme Sicherheitslücken in iCloud, iTunes und iOS *** --------------------------------------------- Patchday bei Apple: Das BSI warnt vor mehreren Sicherheitslücken in iTunes und iCloud auf Windows, sowie dem Mobilbetriebssystem iOS, die es Angreifern ermöglichen, Code auszuführen. Anwender sollten sicherstellen, dass die Updates installiert wurden --------------------------------------------- https://heise.de/-3715077 *** Chrome Browser Hack Opens Door to Credential Theft *** --------------------------------------------- Researchers at DefenseCode claim a vulnerability in Google's Chrome browser allows hackers to steal credentials and launch SMB relay attacks. --------------------------------------------- http://threatpost.com/chrome-browser-hack-opens-door-to-credential-theft/12… *** Cisco Snort++ Protocol Decoder Denial of Service Vulnerabilities *** --------------------------------------------- Two vulnerabilities in the protocol decoders of Snort++ (Snort 3) could allow an unauthenticated, remote attacker to create a Denial of Service (DoS) condition.The vulnerabilities are due to lack of validation in the protocol decoders. An attacker could exploit these vulnerabilities by crafting a malicious packet and sending it through the targeted device. A successful exploit could allow the attacker to cause a DoS condition if the Snort process restarts and traffic inspection is bypassed or [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Indicators Associated With WannaCry Ransomware *** --------------------------------------------- This alert is a follow-up to US-CERT alert TA17-132A Indicators Associated With WannaCry Ransomware, which was originally posted to the US-CERT web site on May 12, 2017. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01 *** Novell Messenger 3.0.3 P3 *** --------------------------------------------- Abstract: Novell Messenger 3.0.3 P3 has been released. This release only includes fixes for the Linux platform. Please view the Change Log for modifications made to the program. There have also been changes to update security issues with the product. Please see the Security Fix section for details. NOTE: This version is not designed to work with eDir 9. If you require eDir 9 support, contact Micro Focus Technical Support. Document ID: 5296730Security Alert: YesDistribution Type: --------------------------------------------- https://download.novell.com/Download?buildid=U3MFbmzMet0~ *** IDM 4.6 RACF Driver 4.0.3.1 *** --------------------------------------------- Abstract: IDM 4.6 Bi-Directional RACF Driver Version 4.0.3.1. This patch is for the Identity Manager 4.6 RACF Driver. Field patch for IDMLOAD.XMT, SAMPLIB.XMT, RACFEXEC.XMTDocument ID: 5297291Security Alert: YesDistribution Type: Field Test FileEntitlement Required: YesFiles:idm46racf-patch1.tar.gz (2.66 MB)Products:Identity Manager 4.5Identity Manager 4.6Superceded Patches:IDM 4.0.2 RACF Driver Version 4.0.0.11 Patch 3 --------------------------------------------- https://download.novell.com/Download?buildid=LSTFMkrcRo0~ *** Apple Security Updates *** --------------------------------------------- *** macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite *** https://support.apple.com/kb/HT207797 --------------------------------------------- *** iOS 10.3.2 *** https://support.apple.com/kb/HT207798 --------------------------------------------- *** watchOS 3.2.2 *** https://support.apple.com/kb/HT207800 --------------------------------------------- *** tvOS 10.2.1 *** https://support.apple.com/kb/HT207801 --------------------------------------------- *** iCloud for Windows 6.2.1 *** https://support.apple.com/kb/HT207803 --------------------------------------------- *** Safari 10.1.1 *** https://support.apple.com/kb/HT207804 --------------------------------------------- *** iTunes 12.6.1 for Windows *** https://support.apple.com/kb/HT207805 --------------------------------------------- *** IBM Security Bulletin *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM SPSS Statistics (CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22002966 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU Jan 2017 Includes Oracle Jan 2017 CPU affect Content Collector for SAP Applications *** https://www-01.ibm.com/support/docview.wss?uid=swg22001462 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010199 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in the zlib component affect IBM SPSS Statistics (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) *** http://www.ibm.com/support/docview.wss?uid=swg22003212 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025160 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Informix Dynamic Server and Informix Open Admin Tool *** http://www.ibm.com/support/docview.wss?uid=swg22002897 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in Expat affects HTTP Server shipped with Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-4472, CVE-2016-0718) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000234 --------------------------------------------- *** IBM Security Bulletin: Apache Commons FileUpload Vulnerabilities IBM WebSphere MQ (CVE-2016-3092) *** http://www.ibm.com/support/docview.wss?uid=swg22001563 --------------------------------------------- *** IBM Security Bulletin: Vulnerability CVE-2017-2619 in Samba affects IBM i *** http://www.ibm.com/support/docview.wss?uid=nas8N1022009 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by a missing secure attribute in the encrypted session (SSL) cookie (CVE-2017-1319) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002871 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by a cross-site scripting vulnerability (CVE-2017-1320) *** http://www.ibm.com/support/docview.wss?uid=swg22002877 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GnuTLS and OpenSSL affect IBM Flex System Manager (FSM) (CVE-2016-8610) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024887 --------------------------------------------- *** IBM Security Bulletin: A Vulnerability in IBM Java SDK affects IBM Streams (CVE-2016-5546, CVE-2017-3253, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-5552, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002804 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 15-05-2017
by Daily end-of-shift report 15 May '17

15 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 12-05-2017 18:00 − Montag 15-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Ransomware: Experten warnen vor Zahlung der Wanna-Crypt-Erpressersumme *** --------------------------------------------- Experten raten davon ab, im Falle einer Infektion mit Wanna Crypt die geforderten Bitcoins zu zahlen, denn offenbar sind die Angreifer vom Erfolg ihrer Operation überrascht. Ein kostenloses Werkzeug zum Wiederherstellen der Daten ist bislang auch nicht verfügbar. --------------------------------------------- https://www.golem.de/news/ransomware-experten-warnen-vor-zahlung-der-wanna-… *** WannaCry & Co.: So schützen Sie sich *** --------------------------------------------- Nach WannaCry ist vor dem nächsten Erpressungstrojaner. Was Gefährdete jetzt tun sollten, wie Sie sich vor Nachahmern schützen können und welche Optionen bleiben, wenn der Verschlüsselungstrojaner schon zugeschlagen hat. --------------------------------------------- https://heise.de/-3714596 *** Customer Guidance for WannaCrypt attacks *** --------------------------------------------- Microsoft solution available to protect additional products Today many of our customers around the world and the critical systems they depend on were victims of malicious "WannaCrypt" software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-w… *** Security Alert: Uiwix Ransomware Is Here and It Can Be Worse Than Wannacry *** --------------------------------------------- WannaCry distribution may have dropped, but the ransomware pandemic is not over. As we feared in yesterday's alert, another ransomware variant, known as Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have huge potential of infection, [...] --------------------------------------------- https://heimdalsecurity.com/blog/security-alert-uiwix-ransomware/ *** Microsoft posts PowerShell script that spawns pseudo security bulletins *** --------------------------------------------- A Microsoft manager this week offered IT administrators a way to replicate -- in a fashion -- the security bulletins the company discarded last month."If you want a report summarizing todays #MSRC security bulletins, heres a script that uses the MSRC Portal API," John Lambert, general manager of the Microsoft Threat Intelligence Center, said in a Tuesday message on Twitter.Lamberts tweet linked to code depository GitHub, where he posted a PowerShell script that polled data using a new [...] --------------------------------------------- http://www.cio.com/article/3196254/windows/microsoft-posts-powershell-scrip… *** WannaCry/WannaCrypt Ransomware Summary, (Mon, May 15th) *** --------------------------------------------- The ransomware was first noticed on Fridayand spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 ETERNALBLUE exploit to spread. ETERNALBLUE became public about a month ago in April when it was published as part of the Shadowbroker archive of NSA hacking tools [shadow]. A month prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March Patch Tuesday release. The patch was released [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22420&rss *** Ein paar Gedanken zu WannaCry *** --------------------------------------------- Wir haben heute unsere offizielle Warnung bezüglich der WannaCry Ransomware veröffentlicht. Ich will in diesem Blogbeitrag ein bisschen Kontext liefern, und etwas strategischer denken. --------------------------------------------- http://www.cert.at/services/blog/20170514232126-2007.html *** DSA-3852 squirrelmail - security update *** --------------------------------------------- Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, awebmail application, incorrectly handled a user-supplied value. Thiswould allow a logged-in user to run arbitrary commands on the server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3852 *** EMC Isilon OneFS NFS Export Upgrade *** --------------------------------------------- Topic: EMC Isilon OneFS NFS Export Upgrade Risk: Medium Text:ESA-2017-027: EMC Isilon OneFS NFS Export Upgrade Vulnerability EMC Identifier: ESA-2017-027 CVE Identifier: CVE-2017-49... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017050087 *** Security Advisory - WannaCry ransomware Vulnerabilities in Microsoft Windows Systems *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170513-… *** Security Notice - Statement on "WannaCry ransomware" attacks *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170513-01-… *** DRD Agent - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-047 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-047Project: DRD agent (third-party module)Version: 6.x, 7.x, 8.xDate: 2017-May-10Security risk: 19/25 ( Critical) AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Cross Site Request Forgery, Open RedirectDescriptionThe Drupal Remote Dashboard (DRD) module enables you to manage and monitor any remote Drupal site and, this module, the DRD Agent is the remote module which responds to requests from authorised DRD sites.The module doesnt [...] --------------------------------------------- https://www.drupal.org/node/2877392 *** DSA-3854 bind9 - security update *** --------------------------------------------- Several vulnerabilities were discovered in BIND, a DNS serverimplementation. The Common Vulnerabilities and Exposures projectidentifies the following problems: --------------------------------------------- https://www.debian.org/security/2017/dsa-3854 *** FortiPortal Multiple Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities impacting FortiPortal were disclosed to Fortinet with details as follows:CVE-2017-7337: Improper Access Control allows a user to potentially view firewall policies and objects from a VDOM s/he is not authorized to, enumerate other customer ADOMs and view other customers dataCVE-2017-7338: Application returns password hashes, and passwords for associated FortiAnalyzer devices via the UICVE-2017-7339: Persistent XSS via the Name and Description fields in the pop-up to add [...] --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-114 *** DFN-CERT-2017-0842: Moodle: Mehrere Schwachstellen ermöglichen u.a. einen Cross-Site-Request-Forgery-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0842/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Samba vulnerability issue on IBM SONAS (CVE-2016-2125, CVE-2016-2126 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010051 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009957 --------------------------------------------- *** IBM Security Bulletin: Tomcat apache vulnerability affects IBM Storwize V7000 Unified *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009993 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Storwize V7000 Unified (CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009995 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM SONAS (CVE-2016-5597 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009963 --------------------------------------------- *** IBM Security Bulletin: Open Source Apache Struts Vulnerabilities affect IBM Enterprise Records *** https://www-01.ibm.com/support/docview.wss?uid=swg22000471 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Struts v2 affect IBM Enterprise Records *** https://www-01.ibm.com/support/docview.wss?uid=swg22000469 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by an XML External Entity vulnerability (CVE-2016-2908) *** http://www.ibm.com/support/docview.wss?uid=swg22001175 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 12-05-2017
by Daily end-of-shift report 12 May '17

12 May '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 11-05-2017 18:00 − Freitag 12-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter *** Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak *** --------------------------------------------- A ransomware outbreak is wreaking havoc all over the world, but especially in Spain, where Telefonica - one of the countrys biggest telecommunications companies - has fallen victim, and its IT staff is desperately telling employees to shut down computers and VPN connections in order to limit the ransomwares reach. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-t… *** NHS hit by ransomware attack, hospitals across country shutting down *** --------------------------------------------- GP told of National hack of the computer health care system Updated Multiple NHS hospitals have shut down systems and are telling patients not to come in due to what is being described as a massive nationwide cyber attack. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/12/nhs_hospita… *** Jaff argh snakes: 5m emails/hour ransomware floods inboxes *** --------------------------------------------- Locky-style nasty will squeeze you for two whole bitcoins The Necurs botnet has been harnessed to fling a new strain of ransomware dubbed "Jaff". --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/12/jaff_ransom… *** When Bad Guys are Pwning Bad Guys..., (Fri, May 12th) *** --------------------------------------------- A few months ago, I wrote a diary about webshells[1] and the numerous interesting features they offer. Theyre plenty of web shells available, there are easy to find and install. They are usually delivered as one big obfuscated (read: Base64, ROT13 encoded and gzip'd) PHP file that can be simply dropped on a compromised computer. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22410 *** Sicherheitslücke: Fehlerhaft konfiguriertes Git-Verzeichnis bei Redcoon *** --------------------------------------------- Was haben der Online-Händler Redcoon und die Volksverschlüsselung gemeinsam? Ein unsicher konfiguriertes Git-Repository. Immer wieder machen Webseitenbetreiber denselben Fehler. (Security, API) --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-fehlerhaft-konfiguriertes-git-v… *** HP Releases Driver Update to Remove Accidental Keylogger *** --------------------------------------------- HP has issued an update to remove a keylogging mechanism found in the audio drivers included with some of its high-end laptops. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/hardware/hp-releases-driver-update-to… *** Phoenix Contact GmbH mGuard *** --------------------------------------------- This advisory contains mitigation details for resource exhaustion and improper authentication vulnerabilities in Phoenix Contact GmbH's mGuard network device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-131-01 *** Satel Iberia SenNet Data Logger and Electricity Meters *** --------------------------------------------- This advisory contains mitigation details for a command injection vulnerability in Satel Iberia's SenNet Data Logger and Electricity Meters. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02 *** HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution *** --------------------------------------------- HPESBHF03743 rev.1 - A potential security vulnerability has been identified in HPE Intelligent Management Center (iMC) PLAT. The vulnerability could be exploited remotely to allow execution of code. --------------------------------------------- http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf0374… *** DSA-3849 kde4libs - security update *** --------------------------------------------- Several vulnerabilities were discovered in kde4libs, the core librariesfor all KDE 4 applications. The Common Vulnerabilities and Exposuresproject identifies the following problems: --------------------------------------------- https://www.debian.org/security/2017/dsa-3849 *** PostgreSQL 2017-05-11 Security Update Release *** --------------------------------------------- Three security vulnerabilities have been closed by this release: CVE-2017-7484: selectivity estimators bypass SELECT privilege checks, CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable, CVE-2017-7486: pg_user_mappings view discloses foreign server passwords --------------------------------------------- https://www.postgresql.org/about/news/1746/ *** IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services potential Cross Site Scripting vulnerabilities (CVE-2017-1160) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001575 *** IBM Security Bulletin: Vulnerability in the OpenSSL library affects IBM Tealeaf Customer Experience PCA (CVE-2017-3730). *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22000513 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Financial Transaction Manager for Corporate Payment Services *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001540 *** IBM Security Bulletin: Information disclosure vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-9735) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003064 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003204

1 0

Tageszusammenfassung - Donnerstag 11-05-2017
by Daily end-of-shift report 11 May '17

11 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 10-05-2017 18:00 − Donnerstag 11-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Alexander Riepl *** Cisco WebEx Meetings Server Information Disclosure Vulnerability *** --------------------------------------------- A vulnerability in Cisco WebEx Meetings Server could allow unauthenticated, remote attackers to gain information that could allow them to access scheduled customer meetings. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Google Wont Patch A Critical Android Flaw Before 'Android O' Release *** --------------------------------------------- Millions of Android smartphones are at serious risk of "screen hijack" vulnerability that allows hackers to steal your passwords, bank details, as well as helps ransomware apps extort money from victims. The worse thing is that Google says it wont be patched until the release of Android O version .. --------------------------------------------- http://thehackernews.com/2017/05/android-permissions-vulnerability.html *** Microsoft Bans SHA-1 Certificates in Edge and Internet Explorer *** --------------------------------------------- Starting yesterday, via updates delivered in the May 2017 Patch Tuesday, Microsoft browsers such as Edge and Internet Explorer, have begun flagging websites as insecure if they use SSL/TLS certificates signed with the SHA-1 algorithm. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-bans-sha-1-certifi… *** Most companies falsely believe their Active Directory is secure *** --------------------------------------------- A majority of companies falsely believe their Active Directory (AD) is secure, according to a new survey conducted jointly by Skyport Systems and Redmond Magazine. The response from more than 300 IT professionals located in North America revealed that AD security is in fact underperforming at those companies participating in the survey, leaving organizations open to attack from outside hackers and insider threats. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/11/active-directory-insecurity/ *** Bugtraq: ESA-2017-017: RSA Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/540552 *** HP-Notebooks: Audio-Treiber belauscht Tastatur *** --------------------------------------------- Bei der Sicherheits-Analyse von HP-Business-Notebooks stießen Sicherheitsforscher auf ein merkwürdiges Keylogging. Dabei schreibt der Audio-Treiber alle Tastatureingaben einschließlich der Passwörter des Anwenders in eine öffentlich lesbare Datei. --------------------------------------------- https://heise.de/-3710250 *** Chainsaw of Custody: Manipulating forensic evidence the easy way *** --------------------------------------------- When it comes to computer forensics, or for that matter forensics in general, one of the main challenges is to ensure that evidence that is collected is not tampered with. To achieve this, computer forensic experts adhere to a strict protocol and use many specialized .. --------------------------------------------- http://blog.sec-consult.com/2017/05/chainsaw-of-custody-manipulating.html *** DFN-CERT-2017-0825/">NVIDIA GPU-Treiber: Mehrere Schwachstellen ermöglichen u.a. das Eskalieren von Privilegien *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0825/ *** Edge Security Flaw Allows Theft of Facebook and Twitter Credentials *** --------------------------------------------- Argentinian security researcher Manuel Caballero has discovered another vulnerability in Microsofts Edge browser that can be exploited to bypass a security protection feature and steal data such as passwords from other sites, or cookie files that contain sensitive information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/edge-security-flaw-allows-th… *** Analyzing the doublepulsar kernel dll injection technique *** --------------------------------------------- Like many in the security industry, we have been busy the last few days investigating the implications of the Shadow Brokers leak with regard to attack detection. Whilst there is a lot of interesting content, one particular component that attracted our attention initially was the DOUBLEPULSAR payload. This is because it .. --------------------------------------------- https://www.countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-… *** Asus-Router können beim Vorbeisurfen im Netz gekapert werden *** --------------------------------------------- Eine ganze Reihe Router der RT-Serie von Asus beinhalten eine CSRF-Lücke und weitere Schwachstellen, die es unter Umständen möglich machen, die Einstellungen des Gerätes aus dem Web zu ändern. Updates stehen bereit. --------------------------------------------- https://heise.de/-3712001 *** OpenVPN 2.4.1: Quarkslab and Cryptography Engineering LCC audit overview *** --------------------------------------------- OpenVPN 2.4.1 was simultaneously reviewed by Quarkslab (funded by OSTIF) and Cryptography Engineering LCC (funded by Private Internet Access). The reports have been published on OSTIFs and PIAs web pages [..] This page lists the findings in their respective reports and shows how the issues were resolved. --------------------------------------------- https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineer…

1 0

Tageszusammenfassung - Mittwoch 10-05-2017
by Daily end-of-shift report 10 May '17

10 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 09-05-2017 18:00 − Mittwoch 10-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Alexander Riepl *** EPS Processing Zero-Days Exploited by Multiple Threat Actors *** --------------------------------------------- In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-day… *** Persirai: Mehr als 100.000 IP-Kameras für neues IoT-Botnetz verwundbar *** --------------------------------------------- Derzeit entsteht ein neues IoT-Botnetz, das bislang aber noch keine Angriffe durchgeführt hat. Die Malware zur Infektion nutzt eine im März veröffentlichte Sicherheitslücke aus. --------------------------------------------- https://www.golem.de/news/persirai-mehr-als-100-000-ip-kameras-fuer-neues-i… *** Git Shell Bypass By Abusing Less (CVE-2017-8386) *** --------------------------------------------- The git-shell is a restricted shell maintained by the git developers and is meant to be used as the upstream peer in a git remote session over a ssh tunnel. The basic idea behind this shell is to restrict the allowed commands in a ssh session to the ones required by git which are as follows .. --------------------------------------------- https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-83… *** [2017-05-10] Insecure Handling Of URI Schemes in Microsoft OneDrive iOS App *** --------------------------------------------- Due to the lack of URI scheme validation, any external URI scheme can be invoked by the Microsoft OneDrive iOS application with out any user interaction. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Patchday: Internet Explorer, Office und Windows im Visier von Hackern *** --------------------------------------------- Nach dem Notfall-Patch für Windows stellt Microsoft zum gewohnten Termin weitere als kritisch eingestufte Sicherheitsupdates bereit. Angreifer nutzen derzeit diverse Lücken aktiv aus. --------------------------------------------- https://heise.de/-3709022 *** Cisco: Kritische Sicherheitslücke in mehreren Switches behoben *** --------------------------------------------- Dank CIA-Tools auf Wikileaks ein Leichtes: Über einen Fehler in IOS-Switches konnte Schadcode selbst von Amateuren direkt auf dem Gerät ausgeführt werden. Damit ist jetzt Schluss, denn Cisco hat diesen Fehler offenbar behoben. --------------------------------------------- https://www.golem.de/news/cisco-kritische-sicherheitsluecke-in-mehreren-swi… *** Feature, not bug: DNSAdmin to DC compromise in one line *** --------------------------------------------- In addition to implementing their own DNS server, Microsoft has also implemented their own management protocol for that server, to allow for easy management and integration with Active Directory domains [...] We will shallowly delve into the protocol's implementation and detail a cute feature (certainly not a bug!) which allows us, under some circumstances, to run code as SYSTEM on domain controllers, without being a domain admin. --------------------------------------------- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-… *** Identifying Sources of Leaks with the Gmail "+" Feature *** --------------------------------------------- For years, Google is offering two nice features with his gmail.com platform to gain more power of your email address. You can play with the "+" (plus) sign or "." (dot) to create more email addresses linked to your primary one. Let's take an example with John who's the owner .. --------------------------------------------- https://blog.rootshell.be/2017/05/10/identifying-sources-leaks-gmail-featur… *** IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities (CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021999 --------------------------------------------- *** IBM Security Bulletin: Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009964 --------------------------------------------- *** IBM Security Bulletin: Multiple Apache Tomcat vulnerabilities affect IBM SONAS. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009960 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerabilities *** http://www-01.ibm.com/support/docview.wss?uid=swg22002522 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 9-05-2017
by Daily end-of-shift report 09 May '17

09 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 08-05-2017 18:00 − Dienstag 09-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** SAP Security Patch Day - May 2017 *** --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...] --------------------------------------------- https://blogs.sap.com/2017/05/09/sap-security-patch-day-may-2017/ *** Project Zero: Microsofts Antivirensoftware gefährdet Windows-Nutzer *** --------------------------------------------- Googles Project Zero hat eine schwerwiegende Sicherheitslücke in der Anti-Viren-Engine von Microsoft entdeckt. Schuld daran ist die simulierte Ausführung von Javascript-Code ohne Sandbox. --------------------------------------------- https://www.golem.de/news/project-zero-microsofts-antivirensoftware-gefaehr… *** Defeating Magento security mechanisms: Attacks used in the real world *** --------------------------------------------- DefenseCode recently discovered and reported multiple stored cross-site scripting and cross-site request forgery vulnerabilities in Magento 1 and 2 which will be addressed in one of the future patches. In light of these findings, this article describes examples of several attacks used in the real world that combine common vulnerabilities with faulty security mechanisms in Magento, leading to an unfavourable outcome. Examples will be aimed at Magento 2, but most of them can be applied [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/09/defeating-magento-security/ *** Zeit für eine AMTshandlung? *** --------------------------------------------- Letzte Woche veröffentlichte Intel ein Advisory über eine Schwachstelle in "Intel Active Management Technology", kurz AMT. Besagte Schwachstelle erlaubt einem Angreifer, auf einem Rechner mit aktiviertem AMT, die Zugriffskontrollen für eben jenes auszuhebeln, und so administrativen Zugriff zu erlangen - [...] --------------------------------------------- http://www.cert.at/services/blog/20170508175554-1982.html *** [2017-05-09] Multiple vulnerabilities in I, Librarian PDF manager *** --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Bugtraq: ESA-2017-035: EMC Mainframe Enablers ResourcePak Base privilege management vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/540531 *** Security Update for Microsoft Malware Protection Engine *** --------------------------------------------- The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/4022344 *** Security Bulletin posted for Adobe Flash Player and Adobe Experience Manager Forms *** --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-15) and Adobe Experience Manager Forms (APSB17-16). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1465 *** Vuln: Trend Micro Threat Discovery Appliance CVE-2016-8591 Command Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98343 *** Vuln: Trend Micro Threat Discovery Appliance CVE-2016-8592 Command Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98345 *** Cisco IOS and IOS XE Software Simple Network Management Protocol Subsystem Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition.The vulnerability is due to a race condition that could occur when the affected software processes an SNMP read request that contains certain criteria for a specific object ID (OID) and an active crypto session is disconnected on an affected device. An attacker who can authenticate [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** F5 Security Advisories *** --------------------------------------------- *** NTP vulnerability CVE-2017-6451 *** https://support.f5.com/csp/article/K32262483 --------------------------------------------- *** NTP vulnerability CVE-2017-6462 *** https://support.f5.com/csp/article/K07082049 --------------------------------------------- *** NTP vulnerability CVE-2017-6458 *** https://support.f5.com/csp/article/K99254031 --------------------------------------------- *** NTP vulnerability CVE-2017-6460 *** https://support.f5.com/csp/article/K31310492 --------------------------------------------- *** NTP vulnerability CVE-2017-6464 *** https://support.f5.com/csp/article/K96670746 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition *** https://www.ibm.com/support/docview.wss?uid=swg22002169 --------------------------------------------- *** IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2017-1095) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001006 --------------------------------------------- *** IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2017-1094) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001002 --------------------------------------------- *** IBM Security Bulletin: There are multiple vulnerabilities in IBM Java Runtime and Apache Tomcat that affect IBM Cognos Business Viewpoint *** http://www.ibm.com/support/docview.wss?uid=swg22003122 --------------------------------------------- *** IBM Security Bulletin: Secure properties can be shown in plain text in IBM UrbanCode Deploy (CVE-2016-9007) *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000236 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Business Developer *** http://www.ibm.com/support/docview.wss?uid=swg22002667 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software *** http://www-01.ibm.com/support/docview.wss?uid=swg22003145 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the SQLite component of the Response Time agent affects IBM Performance Management products (CVE-2016-6153) *** http://www.ibm.com/support/docview.wss?uid=swg22000836 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 8-05-2017
by Daily end-of-shift report 08 May '17

08 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 05-05-2017 18:00 − Montag 08-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Intels ME-Sicherheitslücke: Tipps und Links *** --------------------------------------------- Praxistipps zu der am 1. Mai von Intel gemeldeten Sicherheitslücke in der Firmware der Management Engine vieler Desktop-PCs, Server und Notebooks. --------------------------------------------- https://heise.de/-3704563 *** Researchers Disclose Intel AMT Flaw Research *** --------------------------------------------- Security firm Embedi releases further details on the Intel AMT flaw, revealing how it can be exploited and how potentially dangerous it can be. --------------------------------------------- http://threatpost.com/researchers-disclose-intel-amt-flaw-research/125503/ *** Dell patches AMT-vulnerable systems *** --------------------------------------------- BIOS fixes for most boxen landed Friday Dell, which last week was scrambling to work out which of its systems are affected by the Intel AMT vulnerability, has caught up with peers HP Inc, Lenovo and Fujitsu. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/07/dell_patche… *** Hacker-Wettbewerb: Cyber Security Challenge startet *** --------------------------------------------- Zahlreiche Teilnehmer der vergangenen Jahre haben über den Hacker-Wettbewerb Jobs in der Security-Branche gefunden. Heuer wird erstmals auch eine Starter Challenge angeboten. --------------------------------------------- https://futurezone.at/digital-life/hacker-wettbewerb-cyber-security-challen… *** Emsisoft Releases a Decryptor for the Amnesia Ransomware *** --------------------------------------------- On Satruday, Emsisofts CTO and malware researcher Fabian Wosar released a decryptor for the Amnesia Ransomware. This ransomware was first spotted in early May and has had one other variant released. It was named Amnesia based on the extension appended to encrypted files by the first variant. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decrypto… *** Exploring a P2P Transient Botnet - From Discovery to Enumeration, (Mon, May 8th) *** --------------------------------------------- [This is a guest diary by Renato Marinho of Morphus Labs. If you are interested in writing a guest diary: please send suggestions to us via our contact page] 1. Introduction We recently deployed a high interaction honeypotsexpecting it to be compromised by a specific malware. But in the first few days, instead of getting infected by the expected malware, it received a variety of attacks ranging from SSH port forwarding to Viagra and Cialis SPAM to XORDDoS failed deployment attempts. By the [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22392&rss *** Phishingversuch bei willhaben-Kunden *** --------------------------------------------- Nutzer/innen von willhaben erhalten eine WhatsApp-Nachricht, die angeblich von der Kleinanzeigenplattform stammt. --------------------------------------------- https://www.watchlist-internet.at/phishing/phishingversuch-bei-willhaben-ku… *** In eigener Sache: CERT.at sucht Verstärkung *** --------------------------------------------- Für unser "Daily Business" suchen wir derzeit 1 Berufsein- oder -umsteiger/in mit ausgeprägtem Interesse an IT-Security, welche/r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich [...] --------------------------------------------- http://www.cert.at/services/blog/20170508172334-1993.html *** DFN-CERT-2017-0796: Nextcloud: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0796/ *** Vuln: Panda Mobile Security for iOS CVE-2017-8060 TLS Certificate Validation Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98327 *** HPESBGN03740 rev.1 - HPE Network Automation, Multiple Remote Vulnerabilities *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE Network Automation. The vulnerabilities could be remotely exploited to allow SQL injection, code execution, information disclosure, authentication bypass, elevated privilege execution, and invalid session management. --------------------------------------------- http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn0374… *** BlackBerry powered by Android Security Bulletin - May 2017 *** --------------------------------------------- BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes; see BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory is in response to the Android Security Bulletin (May 2017) and addresses issues in that bulletin that affect [...] --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… *** Bugtraq: CA20170504-01: Security Notice for CA Client Automation OS Installation Management *** --------------------------------------------- http://www.securityfocus.com/archive/1/540524 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Explorer for z/OS V3.0.1 (CVE-2016-5548 and CVE-2016-5549) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002413 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-5597, CVE-2016-5542) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21994526 *** Siemens Security Advisories *** --------------------------------------------- *** SSA-701708 (Last Update 2017-05-08): Local Privilege Escalation in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701708… --------------------------------------------- *** SSA-156872 (Last Update 2017-05-08): Vulnerability in SIMATIC WinCC and SIMATIC WinCC Runtime Professional *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-156872… --------------------------------------------- *** SSA-275839 (Last Update 2017-05-08): Denial-of-Service Vulnerability in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839… --------------------------------------------- *** SSA-293562 (Last Update 2017-05-08): Vulnerabilities in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-293562… --------------------------------------------- *** SSA-731239 (Last Update 2017-05-08): Vulnerabilities in SIMATIC S7-300 and S7-400 CPUs *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-731239… --------------------------------------------- *** F5 Security Advisories *** --------------------------------------------- *** BIG-IP APM redirect vulnerability CVE-2017-0302 *** https://support.f5.com/csp/article/K87141725 --------------------------------------------- *** Insufficient validation of ICMP error messages CVE-2004-0790 (11.x - 13.x) *** https://support.f5.com/csp/article/K23440942 --------------------------------------------- *** BIG-IP management vulnerability CVE-2017-9250 *** https://support.f5.com/csp/article/K55792317 --------------------------------------------- *** iControl REST vulnerability CVE-2016-9251 *** https://support.f5.com/csp/article/K41107914 --------------------------------------------- *** Linux kernel vulnerability CVE-2017-2647 *** https://support.f5.com/csp/article/K32115847 --------------------------------------------- *** Websocket profile vulnerability CVE-2016-9253 *** https://support.f5.com/csp/article/K51351360 --------------------------------------------- *** TMM vulnerability CVE-2017-6137 *** https://support.f5.com/csp/article/K82851041 --------------------------------------------- *** BIG-IP APM XSS vulnerability CVE-2016-9257 *** https://support.f5.com/csp/article/K43523962 --------------------------------------------- *** Multiple Oracle MySQL vulnerabilities *** https://support.f5.com/csp/article/K77508618 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 5-05-2017
by Daily end-of-shift report 05 May '17

05 May '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 04-05-2017 18:00 − Freitag 05-05-2017 18:00 Handler: Robert Waldner Co-Handler: Petr Sikuta *** Bondnet botnet goes after vulnerable Windows servers *** --------------------------------------------- A botnet consisting of some 2,000 compromised servers has been mining cryptocurrency for its master for several months now, "earning" him around $1,000 per day. GuardiCore researchers first spotted it in December 2016, and have been mapping it out and following its evolution since then. The've dubbed it Bondnet, after the handle its herder uses online [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/04/compromised-windows-servers/ *** Unpatched WordPress Password Reset Vulnerability Lingers *** --------------------------------------------- A zero day vulnerability exists in WordPress Core that in some instances, could allow an attacker to reset a users password and in turn, gain access to their account. --------------------------------------------- http://threatpost.com/unpatched-wordpress-password-reset-vulnerability-ling… *** 1 Million Gmail Users Impacted by Google Docs Phishing Attack *** --------------------------------------------- Researchers said good social engineering and users' trust in the convenience afforded by the OAUTH mechanism guaranteed Wednesday's Google Docs phishing attacks would spread quickly. --------------------------------------------- http://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishin… *** New Mac Malware Manages to Spy on Encrypted Browser Traffic *** --------------------------------------------- This blog was written by Douglas McKee. There's a new cyberattack targeted at Mac OS users'a malware program called OSX/Dok. Discovered late last week primarily in Europe, the program is capable of spying on encrypted browser traffic to steal sensitive information. You heard correctly: it can eavesdrop on all of your web browsing. How does [...] --------------------------------------------- https://securingtomorrow.mcafee.com/business/new-mac-malware-manages-spy-en… *** Dridex and Locky Return Via PDF Attachments in Latest Campaigns *** --------------------------------------------- Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new large campaigns. While the PDF downloader described in this post is responsible for spreading both Dridex and Locky, for the purposes of this blog, we will be discussing the PDF downloader and the Dridex [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/05/dridex_and_lockyret.html *** Intel ME-Firmware: Hersteller kündigen Patches für Intel-Exploit an *** --------------------------------------------- Bald sollen die ersten Updates für die Schwachstelle in der Management Engine von Intel-Systemen erscheinen. Derweil gibt es Unklarheit über Details zu der Sicherheitslücke. --------------------------------------------- https://www.golem.de/news/intel-me-firmware-hersteller-kuendigen-patches-fu… *** Carbanak Attackers Devise Clever New Persistence Trick *** --------------------------------------------- Hackers behind the Carbanak criminal gang have devised a clever way to gain persistence on targeted systems to more effectively pull off financially motivated crimes. --------------------------------------------- http://threatpost.com/carbanak-attackers-devise-clever-new-persistence-tric… *** [SANS ISC] HTTP Headers' the Achilles' heel of many applications *** --------------------------------------------- When browsing a target web application, a pentester is looking for all "entry" or "injection" points present in the pages. Everybody knows that a static website with pure HTML code is less juicy compared to a [...] --------------------------------------------- https://blog.rootshell.be/2017/05/05/sans-isc-http-headers-achilles-heel-ma… *** Snake malware ported from Windows to Mac *** --------------------------------------------- Snake, also known as Turla and Uroburos, is backdoor malware that has been around and infecting Windows systems since at least 2008. It is thought to be Russian governmental malware and on Windows is highly-sophisticated. It was even seen infecting Linux systems in 2014. Now, it appears to have been ported to Mac.Categories: MacThreat analysisTags: Adobe Flash PlayerApplemacMac TrojanmalwareSnaketrojanTurlaUroburos [...] --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-… *** More Android phones than ever are covertly listening for inaudible sounds in ads *** --------------------------------------------- Your Android phone may be listening to ultrasonic ad beacons without your knowledge. --------------------------------------------- https://arstechnica.com/security/2017/05/theres-a-spike-in-android-apps-tha… *** DFN-CERT-2017-0790: LibreSSL : Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0790/ *** Linux kernel vulnerability CVE-2017-7308 *** --------------------------------------------- Linux kernel vulnerability CVE-2017-7308. Security Advisory. Security Advisory Description. The packet_set_ring function ... --------------------------------------------- https://support.f5.com/csp/article/K82224417 *** Apache Tomcat vulnerability CVE-2017-5647 *** --------------------------------------------- Apache Tomcat vulnerability CVE-2017-5647. Security Advisory. Security Advisory Description. A bug in the handling of ... --------------------------------------------- https://support.f5.com/csp/article/K49000195 *** Hikvision Cameras *** --------------------------------------------- This advisory contains mitigation details for use of improper authentication and password in configuration file vulnerabilities in Hikvision's cameras. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01 *** Dahua Technology Co., Ltd Digital Video Recorders and IP Cameras *** --------------------------------------------- This advisory contains mitigation details for use of password hash instead of password for authentication and password in configuration file vulnerabilities in Dahua Technology Co., Ltd digital video recorders and IP cameras. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-124-02 *** Advantech WebAccess *** --------------------------------------------- This advisory contains mitigation details for an absolute path traversal vulnerability in Advantech's WebAccess. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-124-03 *** Rockwell Automation ControlLogix 5580 and CompactLogix 5380 *** --------------------------------------------- This advisory was originally posted to the NCCIC Portal on April 4, 2017, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for use a resource exhaustion vulnerability in Rockwell Automations ControlLogix 5580 and CompactLogix 5380. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-094-05 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in bind affects SmartCloud Entry (CVE-2016-9147) *** http://www.ibm.com/support/docview.wss?uid=isg3T1025133 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in memcached affects SmartCloud Entry (CVE-2016-8704, CVE-2016-8705) *** http://www.ibm.com/support/docview.wss?uid=isg3T1025081 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One - Algo Risk Application (CVE-2016-8745) *** http://www.ibm.com/support/docview.wss?uid=swg22000781 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities affect IBM Rational Quality Manager and IBM Rational Team Concert with potential for security attacks *** http://www.ibm.com/support/docview.wss?uid=swg22002429 --------------------------------------------- *** IBM Security Bulletin: Cross Site Scripting (XSS) vulnerability affects Cognos Analytics *** https://www-01.ibm.com/support/docview.wss?uid=swg21999791 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Net-SNMP affects IBM Tivoli Composite Application Manager for Transactions (CVE-2015-5621) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000624 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 4-05-2017
by Daily end-of-shift report 04 May '17

04 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 03-05-2017 18:00 − Donnerstag 04-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Petr Sikuta Co-Handler: Robert Waldner *** Researcher: "Baseless Assumptions" Exist About Intel AMT Vulnerability *** --------------------------------------------- Embedi, which is behind the Intel AMT vulnerability revealed Monday, seeks to clarify "baseless assumptions" being made about the flaw. --------------------------------------------- http://threatpost.com/researcher-baseless-assumptions-exist-about-intel-amt… *** Intel-ME-Sicherheitslücke: Erste Produktliste, noch keine Updates *** --------------------------------------------- Zu der am 1. Mai von Intel gemeldeten Sicherheitslücke in der Management Engine (ME) gibt es einige neue Informationen, aber noch keine Updates. --------------------------------------------- https://heise.de/-3703356 *** WordPress 4.6 Unauthenticated Remote Code Execution (RCE) PoC Exploit *** --------------------------------------------- This advisory reveals details of exploitation of the PHPMailer vulnerability (CVE-2016-10033) in WordPress Core which (contrary to what was believed and announced by WordPress security team) was affected by the vulnerability. --------------------------------------------- https://cxsecurity.com/issue/WLB-2017050014 *** Kazuar: Multiplatform Espionage Backdoor with API Access *** --------------------------------------------- Unit 42 researchers have uncovered Kazuar, a backdoor Trojan used in an espionage campaign.The post Kazuar: Multiplatform Espionage Backdoor with API Access appeared first on Palo Alto Networks Blog. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatf… *** A set of tutorials about code injection for Windows. *** --------------------------------------------- Injectopi is a set of tutorials that Ive decided to write down in order to learn about various injection techniques in the Windows environment. --------------------------------------------- https://github.com/peperunas/injectopi *** Master-Fingerabdruck: Forscher können fast alle Smartphones entsperren *** --------------------------------------------- Mithilfe von Maschinenlernen Trefferquote von 65 Prozent erreicht - Aktuelle Scanner zu niedrig aufgelöst --------------------------------------------- http://derstandard.at/2000056971421 *** Checker ATM Security: Sicherheitslücke ermöglicht Übernahme von Geldautomaten *** --------------------------------------------- Eine Sicherheitslücke in einer Sicherheitslösung für Geldautomaten konnte von Angreifern ausgenutzt werden, um illegal Geld auszuzahlen. Der Hersteller beschwichtigt und hat einen Patch bereitgestellt. --------------------------------------------- https://www.golem.de/news/checker-atm-security-sicherheitsluecke-ermoeglich… *** DFN-CERT-2017-0775/">LibTIFF: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- Mehrere Schwachstellen in LibTIFF ermöglichen einem entfernten, nicht authentisierten Angreifer die Ausführung beliebigen Programmcodes, die Durchführung verschiedener Denial-of-Service (DoS)-Angriffe und das Ausspähen von Informationen mit Hilfe speziell präparierter Bilddateien. Betroffene Plattformen Debian Linux 8.7 Jessie Debian Linux 9.0 Stretch --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0775/ *** USB-Sticks: IBM liefert Installationsmedien mit Malware aus *** --------------------------------------------- Vom USB-Stick auf das Betriebssystem: Eine Schadsoftware verteilt sich von IBM-Produkten selbstständig. Betroffen sind die mitgelieferten Sticks mehrerer Storwize-Geräte. IBM rät, den USB-Stick zu formatieren oder gleich zu zerstören. --------------------------------------------- https://www.golem.de/news/usb-sticks-ibm-liefert-installationsmedien-mit-ma… *** Cisco Security Advisories *** --------------------------------------------- *** Cisco CVR100W Wireless-N VPN Router Universal Plug-and-Play Buffer Overflow Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XR Software Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Aironet 1800, 2800, and 3800 Series Access Points Plug-and-Play Arbitrary Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wide Area Application Services SMART-SSL Accelerator Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Firepower Threat Defense and Cisco ASA with FirePOWER Module Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Finesse for Cisco Unified Contact Center Enterprise Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco CVR100W Wireless-N VPN Router Remote Management Security Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Unity Connection ImageID Parameter Unauthorized Access Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco TelePresence ICMP Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco CallManager Express Unauthorized Access Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability has been discovered in 40-GbE network interface modules for the IBM QRadar Network Security XGS 7100 appliance (CVE-2016-8106) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002624 --------------------------------------------- *** IBM Security Bulletin: A vulnerability has been discovered in 40-GbE network interface modules for the IBM Security Network Protection XGS 7100 appliance (CVE-2016-8106) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002507 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2017-5638) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001731 --------------------------------------------- *** IBM Security Bulletin: Potential security vulnerability in WebSphere Application Server Administrative Console (CVE-2017-1137) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998469 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM B2B Advanced Communications *** http://www.ibm.com/support/docview.wss?uid=swg22002517 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Security Network Controller (CVE-2016-7055) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002309 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Security Network Active Bypass (CVE-2016-7055) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002310 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSource ICU4C may affect IBM Streams (CVE-2016-6293, CVE-2016-7415) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002225 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in SQLite affects IBM Tivoli Composite Application Manager for Transactions (CVE-2016-6153 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996590 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the BigFix Platform (CVE-2016-2177 CVE-2016-6304 CVE-2016-6305 CVE-2016-2182 CVE-2016-6306 CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002870 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 3-05-2017
by Daily end-of-shift report 03 May '17

03 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 02-05-2017 18:00 − Mittwoch 03-05-2017 18:00 Handler: Olaf Schwarz Co-Handler: Petr Sikuta Co-Handler: Stephan Richter *** Malware Hunter - Shodans new tool to find Malware C&C Servers *** --------------------------------------------- Rapidly growing, insecure internet-connected devices are becoming albatross around the necks of individuals and organizations with malware authors routinely hacking them to form botnets that can be further used as weapons in DDoS and other cyber attacks. But now finding malicious servers, hosted by attackers, that control botnet of infected machines gets a bit easier. Thanks to Shodan and [...] --------------------------------------------- https://thehackernews.com/2017/05/shodan-malware-hunter.html *** Disambiguate "Zero-Day" Before Considering Countermeasures *** --------------------------------------------- "Zero-day" is the all-powerful boogieman of the information security industry. Too many of us invoke it when discussing scary threats against which we feel powerless. We need to define and disambiguate this term before attempting to determine whether we've accounted for the associated threats when designing security programs. Avoid Zero-Day Confusion I've seen "zero-day" used to describe two related, but independent concepts. First,... Read more --------------------------------------------- https://zeltser.com/zero-day-terminology/ *** Outlook Forms and Shells *** --------------------------------------------- I set out to try and find another way to get a shell through Outlook, in the case of us having valid credentials[...] Fortunately for us, Outlook has a massive attack surface and provides several other interesting automation features. One of these is Outlook Forms. --------------------------------------------- https://sensepost.com/blog/2017/outlook-forms-and-shells/ *** Compromising Industrial Robots: The Fallacy of Industrial Routers in the Industry 4.0 Ecosystem *** --------------------------------------------- The increased connectivity of computer and robot systems in the industry 4.0. ecosystem, is, and will be exposing robots to cyber attacks in the future. Indeed, industrial robots - originally conceived to be isolated - have evolved, and are now exposed to corporate networks and the internet.While this provides synergy effects and higher efficiency in production, the security posture is not on par. In our latest report Rogue Robots: Testing the Limits of an Industrial Robot's [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/6F0kroJASMA/ *** Steps to Stronger Passwords *** --------------------------------------------- A journey of password The utilization of passwords is known to be old. Sentries would challenge those wishing to enter a territory or moving toward it to supply a secret word, and would just enable a man or gathering to pass if they knew the secret key. In present day times, username and passwords are [...] --------------------------------------------- http://resources.infosecinstitute.com/steps-make-stronger-passwords/ *** Deutsche Bankkonten über UMTS-Sicherheitslücken ausgeräumt *** --------------------------------------------- Kriminelle Hacker haben Konten von deutschen Bankkunden über Sicherheitslücken im Mobilfunknetz ausgeräumt, die seit Jahren bekannt sind. Eigentlich wollten die Provider schon 2014 entsprechende Gegenmaßnahmen ergreifen. --------------------------------------------- https://heise.de/-3702194 *** Diskurs|Digital - Einblicke in gelebte Partizipation *** --------------------------------------------- May 23, 2017 - 6:00 pm - 8:00 pm SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/diskursdigital-einblicke-in-gelebte-par… *** Linuxwochen gastieren wieder in Wien *** --------------------------------------------- Sowohl technische als auch netzpolitische Vorträge - Von Open Source bis Softwarepatenten --------------------------------------------- http://derstandard.at/2000056925982 *** DFN-CERT-2017-0755: Intel Active Management Technology (AMT), Intel Small Business Technology (SBT), Intel Standard Manageability (ISM): Eine Schwachstelle ermöglicht die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0755/ *** Android Security Bulletin—May 2017 *** --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update. The Google device firmware images have also been released to the Google Developer site. Security patch levels of May 05, 2017 or later address all of these issues. Refer to the Pixel and Nexus update schedule to learn how to check a device's security patch level. --------------------------------------------- https://source.android.com/security/bulletin/2017-05-01 *** Schneider Electric Wonderware Historian Client *** --------------------------------------------- This advisory contains mitigation details for an improper XML parser configuration vulnerability in Schneider Electric's Wonderware Historian Client. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-122-01 *** CyberVision Kaa IoT Platform *** --------------------------------------------- This advisory contains mitigation details for a code injection vulnerability in CyberVision's Kaa IoT Platform. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-122-02 *** Advantech B+B SmartWorx MESR901 *** --------------------------------------------- This advisory contains mitigation details for a use of client-side authentication vulnerability in the Advantech B+B SmartWorx MESR901 Modbus gateway. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-122-03 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Open Redirect Vulnerability in IBM WebSphere Portal (CVE-2017-1156) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000153 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Identity Governance (CVE-2016-8610 CVE-2017-3731) *** http://www.ibm.com/support/docview.wss?uid=swg22002387 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM JAVA Runtime affect AppScan Source (CVE-2016-5547 CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22002633 --------------------------------------------- *** IBM Security Bulletin: A Vulnerability in IBM Java SDK affects IBM Streams (CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=swg22002189 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus *** http://www.ibm.com/support/docview.wss?uid=swg22002242 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Open Source openSSL affect IBM Security Identity Governance Appliance *** http://www.ibm.com/support/docview.wss?uid=swg22002397 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Composite Application Manager for Transactions *** http://www-01.ibm.com/support/docview.wss?uid=swg22002374 --------------------------------------------- *** IBM Security Bulletin: Privilege escalation vulnerability affects IBM DB2 LUW (CVE-2017-1134) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002573 --------------------------------------------- *** IBM Security Bulletin: Cross Site Scripting vulnerability in IBM Marketing Platform (CVE-2016-0255) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001950 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 2-05-2017
by Daily end-of-shift report 02 May '17

02 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 28-04-2017 18:00 − Dienstag 02-05-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Exploiting .NET Managed DCOM *** --------------------------------------------- Posted by James Forshaw, Project ZeroOne of the more interesting classes of security vulnerabilities are those affecting interoperability technology. This is because these vulnerabilities typically affect any application using the technology, regardless of what the application actually does. Also in many cases they’re difficult .. --------------------------------------------- http://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.h… *** 2017 Verizon DBIR: Sex Sells, But the Basics Get It Done *** --------------------------------------------- This year’s Verizon Data Breach Investigations Report has been published, and as with its prior nine incarnations, the report is .. --------------------------------------------- https://www.beyondtrust.com/blog/2017-verizon-dbir-sex-sells-basics-get-don… *** DSA-3838 ghostscript - security update *** --------------------------------------------- Several vulnerabilities were discovered in Ghostscript, the GPLPostScript/PDF interpreter, which may lead to the execution of arbitrary code or denial of service if a specially crafted Postscript file is processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3838 *** 7 Reasons Why IoT Hacks Will Keep Happening *** --------------------------------------------- Hacks happen almost on a daily basis, if not every minute of every day. In fact, some say that .. --------------------------------------------- https://safeandsavvy.f-secure.com/2017/04/28/7-reasons-why-iot-device-hacks… *** DSA-3839 freetype - security update *** --------------------------------------------- Several vulnerabilities were discovered in Freetype. Opening malformed fonts may result in denial of service or the execution of arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3839 *** Forschern gelingt Autohack für 20 Euro *** --------------------------------------------- Billige Gadgets kopieren Entsperrsignal des Schlüssels – immer noch viele Autos betroffen --------------------------------------------- http://derstandard.at/2000056487404 *** Orange is the new Black: Hacker leaken Staffel 5 *** --------------------------------------------- Laut den Hackern ist dies nur der Vorgeschmack. Sie drohen damit weitere Filme und Serien zu veröffentlichen, die offiziell erst in Monaten erscheinen. --------------------------------------------- https://futurezone.at/digital-life/orange-is-the-new-black-hacker-leaken-st… *** "Dok": Neue Mac-Malware spioniert Browser aus *** --------------------------------------------- Kann gesamte Browser-Kommunikation belauschen – derzeit vor allem europäische User im Visier --------------------------------------------- http://derstandard.at/2000056812916 *** Carbanak Continues To Evolve: Quietly Creeping into Remote Hosts *** --------------------------------------------- Introduction I recently engaged in an investigation involving two new Carbanak campaigns targeting the hospitality .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Carbanak-Continues-To-E… *** Intels remote AMT vulnerablity *** --------------------------------------------- Intel just announced a vulnerability in their Active Management Technology stack. Heres what we know so far.Background Intel chipsets for some years have included a Management Engine, a small microprocessor that runs independently of the main CPU and operating .. --------------------------------------------- http://mjg59.dreamwidth.org/48429.html *** IBM Warns Customers That Some of Its USB Flash Drives May Contain Malware *** --------------------------------------------- IBM has issued a security alert last week, warning customers that some USB flash drives shipped with IBM Storwize products may contain malicious code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ibm-warns-customers-that-som… *** Sicherheitsupdates: Jenkins vielfältig angreifbar *** --------------------------------------------- Unter gewissen Voraussetzungen könnten Angreifer sich höhere Rechte erschleichen oder sogar Schadcode ausführen. --------------------------------------------- https://heise.de/-3700838 *** Spam and phishing in Q1 2017 *** --------------------------------------------- Although the beginning of Q1 2017 was marked by a decline in the amount of spam in overall global email traffic, in March the situation became more stable, and the average share of .. --------------------------------------------- http://securelist.com/analysis/quarterly-spam-reports/78221/spam-and-phishi… *** Cerber Version 6 Shows How Far the Ransomware Has Come (and How Far it’ll Go) *** --------------------------------------------- Cerber set itself apart from other file-encrypting malware when its developers commoditized the malware, adopting a business model where fellow cybercriminals can buy the ransomware as a service. The developers earn through commissions—as much as 40%—for every .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-ransomwar… *** New Shodan Tool Can Find Malware Command and Control (C&C) Servers *** --------------------------------------------- Shodan and Recorded Future have launched today a search engine for discovering malware command-and-control (C&C) servers. Named Malware Hunter, this new tool is integrated into .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-shodan-tool-can-find-mal… *** Security Scoring and Grading for Containers and Images *** --------------------------------------------- We have just rolled out an update to the interface of the Red Hat Container Catalog that helps provide the answer to the question of whether or not a particular container image we provide .. --------------------------------------------- https://access.redhat.com/blogs/product-security/posts/container-security-s… *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security issues have been identified within Citrix XenServer. These issues could, if exploited, allow a malicious .. --------------------------------------------- https://support.citrix.com/article/CTX223291

1 0

Tageszusammenfassung - Freitag 28-04-2017
by Daily end-of-shift report 28 Apr '17

28 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 27-04-2017 18:00 − Freitag 28-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** GE Multilin SR Protective Relays *** --------------------------------------------- This advisory contains mitigation details for a weak cryptography for passwords vulnerability in GEs Multilin SR protective relays. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-117-01 *** Chrome to Mark More HTTP Pages ‘Not Secure’ *** --------------------------------------------- Starting with Chrome 62, Google will start marking any HTTP page where users may enter data, .. --------------------------------------------- http://threatpost.com/chrome-to-mark-more-http-pages-not-secure/125255/ *** Russian-controlled telecom hijacks financial services’ Internet traffic *** --------------------------------------------- Visa, MasterCard, and Symantec among dozens affected by "suspicious" BGP mishap. --------------------------------------------- https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks… *** DSA-3836 weechat - security update *** --------------------------------------------- It was discovered that weechat, a fast and light chat client, is proneto a buffer overflow vulnerability in the IRC plugin, allowing a remote attacker to cause a denial-of-service by sending a specially crafted filename via DCC. --------------------------------------------- https://www.debian.org/security/2017/dsa-3836 *** DSA-3837 libreoffice - security update *** --------------------------------------------- It was discovered that a buffer overflow in processing Windows Metafiles may result in denial of service or the execution of arbitrary code if a malformed document is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-3837 *** New MacOS Malware, Signed With Legit Apple ID, Found Spying On HTTPS Traffic *** --------------------------------------------- Many people believe that they are much less likely to be bothered by malware if they use a Mac computer, but is it really true? Unfortunately, No. According to the McAfee Labs, malware attacks on Apples Mac computers were up 744% in 2016, and its researchers .. --------------------------------------------- https://thehackernews.com/2017/04/apple-mac-malware.html *** Http 81 Botnet: the Comparison against MIRAI and New Findings *** --------------------------------------------- OverviewIn our previous blog, we introduced a new IoT botnet spreading over http 81. We will name it in this blog the http81 IoT botnet, while some anti-virus software name it Persirai, and some .. --------------------------------------------- http://blog.netlab.360.com/http-81-botnet-the-comparison-against-mirai-and-… *** Facebook und Google überwiesen Betrüger 100 Millionen Dollar *** --------------------------------------------- Litauer gab sich als Vertreter von Hardware-Zulieferer aus, Beträge zu großem Teil zurückgeholt --------------------------------------------- http://derstandard.at/2000056723656

1 0

Tageszusammenfassung - Donnerstag 27-04-2017
by Daily end-of-shift report 27 Apr '17

27 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 26-04-2017 18:00 − Donnerstag 27-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Picture this: Senate staffers’ ID cards have photo of smart chip, no security *** --------------------------------------------- https://arstechnica.com/information-technology/2017/04/picture-this-senate-… *** FIRST TC Amsterdam 2017 Wrap-Up *** --------------------------------------------- Here is my quick wrap-up of the FIRST Technical Colloquium hosted by Cisco in Amsterdam. This is my first participation to a FIRST event. FIRST is .. --------------------------------------------- https://blog.rootshell.be/2017/04/26/first-tc-amsterdam-2017-wrap/ *** A vigilante is putting a huge amount of work into infecting IoT devices *** --------------------------------------------- https://arstechnica.com/security/2017/04/a-vigilante-is-putting-huge-amount… *** Homebrew crypto SNAFU on electrical grid sees GE rush patches *** --------------------------------------------- Boffins turned up hard-coded password in ancient controllers General Electric is pushing patches for protection .. --------------------------------------------- www.theregister.co.uk/2017/04/27/ge_rushing_patches_to_grid_systems_ahead_o… *** DSA-3835 python-django - security update *** --------------------------------------------- Several vulnerabilities were discovered in Django, a high-level Pythonweb development framework. The Common .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3835 *** Cyberkriminalität: So machen Sie Ihr Unternehmen sicher *** --------------------------------------------- Bei der Roadshow "IT-Sicherheit und Datenschutz" der WKÖ und des BMI im Rahmen von "Gemeinsam.Sicher mit .. --------------------------------------------- https://futurezone.at/b2b/cyberkriminalitaet-so-machen-sie-ihr-unternehmen-… *** Peace in our time! Symantec says it can end Google cert spat *** --------------------------------------------- Its basically a promise to do better and not mess things up Symantec is hoping to get its certificates back on Googles trust list. --------------------------------------------- www.theregister.co.uk/2017/04/27/symantec_ca_proposal_for_google/ *** Ransomware up. Breaches up. What do hackers want? Research, prototypes... all your secrets *** --------------------------------------------- Verizon super depressing reports in Cyberespionage and ransomware attacks are on the increase, according .. --------------------------------------------- www.theregister.co.uk/2017/04/27/verizon_breach_report/ *** nomx: The worlds most (in)secure communications protocol *** --------------------------------------------- I was recently invited to take part in some research by BBC Click, alongside Professor Alan Woodward, to analyse a device that had quite a lot of people all excited. With slick marketing, .. --------------------------------------------- https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protoco… *** APT Trends report, Q1 2017 *** --------------------------------------------- Kaspersky Lab is currently tracking more than a hundred threat actors and sophisticated malicious operations in over 80 countries. During the first quarter of 2017, there were 33 private .. --------------------------------------------- http://securelist.com/analysis/quarterly-malware-reports/78169/apt-trends-r… *** StringBleed ist kein zweites Heartbleed *** --------------------------------------------- Es wird mal wieder eine benamste Schwachstellen-Kuh durch die IT-Security Community getrieben. Der Name soll offensichtlich an Heartbleed erinnern, aber soweit wir das jetzt einschätzen können, .. --------------------------------------------- http://www.cert.at/services/blog/20170427115946-1972.html *** Cracking APT28 traffic in a few seconds *** --------------------------------------------- Security experts from security firm Redsocks published an interesting report on how to crack APT28 traffic in a few seconds. Introduction APT28 is a hacking group involved in many recent cyber incidents. The most recent attack allegedly .. --------------------------------------------- http://securityaffairs.co/wordpress/58435/apt/cracking-apt28-traffic.html *** Windows 10: Microsoft liefert Updates auch außerhalb des Patchdays *** --------------------------------------------- Microsoft will Windows 10 nach dem Creators Update nun auch außerhalb des Patchdays mit Updates versorgen. Allerdings .. --------------------------------------------- https://heise.de/-3698302 *** Broadcom-Sicherheitslücken: Samsung schützt Nutzer nicht vor WLAN-Angriffe *** --------------------------------------------- Googles Project Zero hat kürzlich in Broadcom-Chips und -Treibern zahlreiche kritische Sicherheitslücken gefunden, mit denen sich Smartphones übernehmen lassen. Wir haben .. --------------------------------------------- https://www.golem.de/news/broadcom-sicherheitsluecken-samsung-schuetzt-nutz…

1 0

Tageszusammenfassung - Mittwoch 26-04-2017
by Daily end-of-shift report 26 Apr '17

26 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 25-04-2017 18:00 − Mittwoch 26-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** FortiOS XSS via srcintf during Firewall Policy Creation *** --------------------------------------------- An XSS vulnerability caused by the scrintf parameter input during Firewall Policy Creation can be exploited to load and run a remote (malicious) Javascript in a logged in browser. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-017 *** Analyzing Cyber Insurance Policies *** --------------------------------------------- Theres a really interesting new paper analyzing over 100 different cyber insurance policies. From the abstract:In this research paper, we seek to answer .. --------------------------------------------- https://www.schneier.com/blog/archives/2017/04/analyzing_cyber.html *** Kritische Lücken: VMware sichert Anwendungen gegenüber Schadcode ab *** --------------------------------------------- Sicherheitsupdates schließen mehrere Schwachstellen in verschiedenen VMware-Anwendungen zum Umgang mit virtuellen Maschinen und für den Fernzugriff. Davon sind alle Betriebssysteme betroffen. --------------------------------------------- https://heise.de/-3696740 *** BrickerBot vs Mirai: Malware-Wettstreit um Internetkameras und Co. *** --------------------------------------------- Neue Generationen von BrickerBot versuchen schlecht geschützte Geräte zu beschädigen, und entziehen so Mirai die Grundlage --------------------------------------------- http://derstandard.at/2000056608656 *** Terror EK going ‘pro’? Not quite yet *** --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/04/terror-ek-going-pro-not-qu… *** AIT beim Citizen Science Award 2017 *** --------------------------------------------- [...] Im Rahmen des Citizen Science Awards 2017 sind Schulklassen der Unter- und Oberstufe sowie Einzelpersonen eingeladen, aktiv an der Erarbeitung möglicher Strategien gegen Cyberattacken mitzuwirken und gemeinsam das digitale Minispiel „Phishing Wars“ weiterzuentwickeln. Anhand dieses Spiels wird trainiert, worauf es beim Erkennen von Phishing-Mails ankommt, um nicht Opfer von Cyberattacken zu werden. --------------------------------------------- http://science.apa.at/site/kultur_und_gesellschaft/detail.html?key=SCI_2017… *** If there are some unexploited MSSQL Servers With Weak Passwords Left: They got you now (again), (Wed, Apr 26th) *** --------------------------------------------- Setting up a Microsoft SQL server with a stupid simple password like sa for the sa user is hard. First of all, Microsoft implemented a default password policy .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22346

1 0

Tageszusammenfassung - Dienstag 25-04-2017
by Daily end-of-shift report 25 Apr '17

25 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 24-04-2017 18:00 − Dienstag 25-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Frankreich-Wahl: Russische Hacker sollen Macron ins Visier nehmen *** --------------------------------------------- Experten bringen Gruppe mit russischen Militärgeheimdienst in Verbindung --------------------------------------------- http://derstandard.at/2000056465269 *** The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27 Year Prison Sentence *** --------------------------------------------- Roman Seleznev, a 32-year-old Russian cybercriminal and prolific credit card thief, was sentenced Friday to 27 years in federal prison. That is a record .. --------------------------------------------- https://krebsonsecurity.com/2017/04/the-backstory-behind-carder-kingpin-rom… *** Analysis of the Shadow Z118 PayPal phishing site, (Mon, Apr 24th) *** --------------------------------------------- [This is a guest post submitted by Remco Verhoef. Got something interesting to share? Please use our contact form to suggest your topic] Today I got lucky walking around within a phishing site and found some left-over .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22338 *** Alert: If youre running SquirrelMail, Sendmail... why? And oh yeah, remote code vuln found *** --------------------------------------------- This is nuts Security researchers have uncovered a critical security hole in SquirrelMail, the open-source webmail project. --------------------------------------------- www.theregister.co.uk/2017/04/24/squirrelmail_vuln/ *** AV provider Webroot melts down as update nukes hundreds of legit files *** --------------------------------------------- https://arstechnica.com/security/2017/04/av-provider-webroot-melts-down-as-… *** BrickerBot, the permanent denial-of-service botnet, is back with a vengeance *** --------------------------------------------- https://arstechnica.com/security/2017/04/brickerbot-the-permanent-denial-of… *** Western Digital My Cloud 2.21.126 Authentication Bypass *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2017040164 *** Bis zu 100.000 Rechner mit geleakter NSA-Malware infiziert *** --------------------------------------------- Sicherheitsforscher finden "Doublepulsar" auf zigtausenden Maschinen, darunter auch Rechner in Österreich --------------------------------------------- http://derstandard.at/2000056481284 *** Angreifer könnten Drupal-Webseiten ausspionieren *** --------------------------------------------- Im Versionsstrang 8.x klafft eine als kritisch eingestufte Sicherheitslücke. Abgesicherte Versionen schließen die Schwachstelle. --------------------------------------------- https://heise.de/-3693082 *** Doskozil: Bundesheer soll Gegner im Cyberwar auch angreifen *** --------------------------------------------- Minister: Angriffe sollen nicht nur abgewehrt werden – Wöchentlich fünf bis sechs ernste Attacken --------------------------------------------- http://derstandard.at/2000056452452 *** Sicherheitspatches in Sicht: Zehn Lücken gefährden Linksys-Router *** --------------------------------------------- Verschiedene Modelle der Smart-Wi-Fi-Serie von Linksys sind laut Sicherheitsforschern angreifbar. Unter gewissen Voraussetzungen sollen Angreifer Befehle auf Routern ausführen können. --------------------------------------------- https://heise.de/-3693136 *** New IoT Botnet Rises Feeding on Vulnerable Security Cameras *** --------------------------------------------- A new botnet is slowly building critical mass on the back of unsecured webcams and IP cameras, .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-iot-botnet-rises-feeding… *** Hard Target: Fileless Malware *** --------------------------------------------- Researchers say fileless in-memory malware attacks have become a major nuisance to businesses and have become even harder to detect and defend. --------------------------------------------- http://threatpost.com/hard-target-fileless-malware/125054/ *** DSA-3833 libav - security update *** --------------------------------------------- Several security issues have been corrected in multiple demuxers anddecoders of the libav multimedia library. A full list of the changes is available .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3833 *** Ashley Madison users blackmailed again *** --------------------------------------------- Criminals are still trying to shake down users of the Ashley Madison dating/cheating online service. As you might remember, the service was hacked in 2015, and the attackers .. --------------------------------------------- https://www.helpnetsecurity.com/2017/04/25/ashley-madison-blackmail/ *** SAP NetWeaver durch Lücken gefährdet *** --------------------------------------------- In verschiedenen Komponenten der NetWeaver-Plattform klaffen Sicherheitslücken. Sicherheitsforschern zufolge könnten Angreifer über die Schlupflöcher unter anderem an Log-in-Daten kommen. --------------------------------------------- https://heise.de/-3693658 *** Security Bulletin Posted for ColdFusion (APSB17-14) *** --------------------------------------------- Adobe has published a Security Bulletin (APSB17-14) announcing the availability of hotfixes for ColdFusion versions 2016, 11 and 10. These hotfixes resolve an input validation .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1460 *** Hackers uncork experimental Linux-targeting malware *** --------------------------------------------- SSH... its Shishiga Hackers have unleashed a new malware strain that targets Linux-based systems. --------------------------------------------- www.theregister.co.uk/2017/04/25/linux_malware/ *** [2017-04-25] Portrait Display SDK Service privilege escalation *** --------------------------------------------- The Portrait Display SDK Service (PdiService.exe) configuration was found to be writable for every authenticated user in a default installation. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** [20170402] - Core - XSS Vulnerability *** --------------------------------------------- https://developer.joomla.org/security-centre/684-20170402-core-xss-vulnerab… *** [20170403] - Core - XSS Vulnerability *** --------------------------------------------- https://developer.joomla.org/security-centre/685-20170403-core-xss-vulnerab… *** [20170404] - Core - XSS Vulnerability *** --------------------------------------------- https://developer.joomla.org/security-centre/686-20170404-core-xss-vulnerab… *** [20170405] - Core - XSS Vulnerability *** --------------------------------------------- https://developer.joomla.org/security-centre/687-20170405-core-xss-vulnerab…

1 0

Tageszusammenfassung - Montag 24-04-2017
by Daily end-of-shift report 24 Apr '17

24 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 21-04-2017 18:00 − Montag 24-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Eingebauter Node.js-Server: Per Nvidia-Treiber lassen sich Schädlinge einschleusen *** --------------------------------------------- Nvidia-Treiber enthalten einen Node.js-Server - keine gute Idee: Damit lassen sich Sicherungsmechanismen wie Application Whitelisting umgehen. --------------------------------------------- https://heise.de/-3691119 *** OWASP Top 10: Die zehn wichtigsten Sicherheitsrisiken bekommen ein Update *** --------------------------------------------- Risiken durch Injections, Fehler beim Session Management und XSS bleiben weiterhin hoch. Im vorliegenden Entwurf finden sich neben bekannten Sicherheitslücken .. --------------------------------------------- https://www.golem.de/news/owasp-top-10-die-zehn-wichtigsten-sicherheitsrisi… *** SquirrelMail < 1.4.22 - Remote Code Execution *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2017040157 *** Shellcode Analysis- Basics *** --------------------------------------------- In this article, we will look at how what shellcode is, what is its purpose and various shellcode patterns, etc. Please note that this article will not cover how a shellcode is .. --------------------------------------------- http://resources.infosecinstitute.com/shellcode-analysis-basics/ *** FIN7 Evolution and the Phishing LNK *** --------------------------------------------- FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, .. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html *** Amazon: Phishing-Kampagne ködert mit Datenschutzgrundverordnung *** --------------------------------------------- Angebliche von Amazon versendete Mails sind derzeit häufig im E-Mail-Postfach zu finden. Nach gefälschten Umsatzsteuerrechnungen gibt es neuerdings eine Phishing-Kampagne, die .. --------------------------------------------- https://www.golem.de/news/amazon-phishing-kampagne-koedert-mit-datenschutzg… *** Sicherheitsupdate: Angreifer könnten Inhalte von Confluence-Wikis einsehen *** --------------------------------------------- Wer Confluence einsetzt, sollte eine der ab sofort verfügbaren abgesicherte Version installieren. --------------------------------------------- https://heise.de/-3692816

1 0

Tageszusammenfassung - Freitag 21-04-2017
by Daily end-of-shift report 21 Apr '17

21 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 20-04-2017 18:00 − Freitag 21-04-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** 20 Linksys Router Models Vulnerable To Attack *** --------------------------------------------- Researchers say more than 100,000 Linksys routers in use today could be vulnerable to 10 flaws found in 20 separate router models made by the company. --------------------------------------------- http://threatpost.com/20-linksys-router-models-vulnerable-to-attack/125085/ *** The History of Fileless Malware - Looking Beyond the Buzzword *** --------------------------------------------- What's the deal with "fileless malware"? Though many security professionals cringe when they hear this term, lots of articles and product brochures mention fileless malware in the context of threats that are difficult to resist and investigate. Below is my attempt to look beyond the buzzword, tracing the origins of this term and outlining the malware samples that influenced how we use... Read more --------------------------------------------- https://zeltser.com/fileless-malware-beyond-buzzword/ *** Archive.org Abused to Deliver Phishing Pages *** --------------------------------------------- The Internet Archive is a well-known website and more precisely for its "WaybackMachine" service. It allows you to search for and display old versions of websites. The current Alexa ranking is 262 which makes it a "popular and trusted" website. Indeed, like I explained in a recent SANS ISC diary, whitelists [...] --------------------------------------------- https://blog.rootshell.be/2017/04/20/archive-org-abused-deliver-phishing-pa… *** Analysis of a Maldoc with Multiple Layers of Obfuscation, (Fri, Apr 21st) *** --------------------------------------------- Thanks to our readers, we get often interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called Invoice_6083.doc (which was delivered in a zip archive). I had a quick look [...] --------------------------------------------- https://isc.sans.edu/diary/Analysis+of+a+Maldoc+with+Multiple+Layers+of+Obf… *** TLS-Interception: Sophos-Firewall wird von Chrome-Änderung überrascht *** --------------------------------------------- Nutzer, die den Chrome-Browser hinter einer Firewall von Sophos nutzen, sehen zur Zeit nur Zertifikatswarnungen. Die neue Chrome-Version ignoriert den sogenannten CommonName, der schon seit 17 Jahren als veraltet gilt. (Sophos, Browser) --------------------------------------------- https://www.golem.de/news/tls-interception-sophos-firewall-wurd-von-chrome-… *** Domain Fronting *** --------------------------------------------- In this article, we are going to learn about a very interesting and powerful technique known as Domain Fronting which is a circumvention technique based on HTTPS that hides the true destination from the censor. What is Domain Fronting? Domain fronting is a technique to circumvent the censorship employed for certain domains(censorship may be for [...] --------------------------------------------- http://resources.infosecinstitute.com/domain-fronting/ *** Top-ranked programming Web tutorials introduce vulnerabilities into software *** --------------------------------------------- Researchers from several German universities have checked the PHP codebases of over 64,000 projects on GitHub, and found 117 vulnerabilities that they believe have been introduced through the use of code from popular but insufficiently reviewed tutorials. The process The researchers identified popular tutorials by inputing search terms such as "mysql tutorial", [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/04/21/programming-tutorials-vulnerabil… *** Security vulnerability in unmaintained Drupal contrib module puts 120000 sites at risk *** --------------------------------------------- [...] The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately a critical security vulnerability in this references module has been reported by the Drupal core security team as SA-CONTRIB-2017-38: [...] --------------------------------------------- http://drupal.sh/vulnerable-drupal-contrib-module-puts-120000-sites-at-risk *** References - Unsupported - SA-CONTRIB-2017-38 *** --------------------------------------------- [...] Updates: 2017-04-18 -- This issue has been resolved with the release of references 7.x-2.2 --------------------------------------------- https://www.drupal.org/node/2869138 *** cURL/libcurl TLS Session Resumption Client Certificate Bug Lets Remote Users Bypass Security Restrictions on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1038341 *** SSHD vulnerability CVE-2017-6128 *** --------------------------------------------- https://support.f5.com/csp/article/K92140924 *** DFN-CERT-2017-0704: FreeType: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0704/ *** Security Advisory - Buffer Overflow vulnerability in the GaussDB *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170420-… *** Security updates available in Foxit Reader 8.3 and Foxit PhantomPDF 8.3 *** --------------------------------------------- Foxit has released Foxit Reader 8.3 and Foxit PhantomPDF 8.3, which address potential security and stability issues. --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.php *** Vuln: Linux Kernel CVE-2017-7645 Multiple Denial of Service Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/97950 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274) *** http://www.ibm.com/support/docview.wss?uid=swg22002280 --------------------------------------------- *** IBM Security Bulletin: Plugin Uploads in IBM UrbanCode Deploy Vulnerable to XML Injection (CVE-2016-9007) *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000289 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM BigFix Remote Control. *** http://www-01.ibm.com/support/docview.wss?uid=swg22000544 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions(CVE-2016-5556, CVE-2016-5597 and CVE-2016-5542) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996985 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerability in IBM Java Runtime affect IBM Security SiteProtector System (CVE-2016-5597 CVE-2016-5546 CVE-2016-5548 CVE-2016-5549 CVE-2016-5547 CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000580 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Pivotal Spring Framework affects IBM Marketing Software products suite (CVE-2014-3625) *** http://www.ibm.com/support/docview.wss?uid=swg22002110 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect InfoSphere Optim Performance Manager (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002204 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 20-04-2017
by Daily end-of-shift report 20 Apr '17

20 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 19-04-2017 18:00 − Donnerstag 20-04-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** DFN-CERT-2017-0683/">GnuTLS: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes mit den Rechten des Dienstes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0683/ *** Cisco Security Advisories *** --------------------------------------------- *** Cisco ASA Software DNS Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Unified Communications Manager Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Network Registrar DNS Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XE Software Simple Network Management Protocol Subsystem Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Firepower Detection Engine Pragmatic General Multicast Protocol Decoding Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco FindIT Network Probe Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Infrastructure Web Framework Code Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Integrated Management Controller Arbitrary Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Integrated Management Controller User Session Hijacking Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Integrated Management Controller Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Integrated Management Controller Command Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASA Software Internet Key Exchange Version 1 XAUTH Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASA Software SSL/TLS Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASA Software and Cisco FTD Software TCP Normalizer Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASA Software IPsec Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Bereiten Sie sich schon 2017 auf die Datenschutz-Grundverordnung vor: Wichtige Fragen *** --------------------------------------------- Die neue Datenschutz-Grundverordnung wird in diesem Jahr in vielen Branchen bei Entscheidungen zu Sicherheitslösungen eine wichtige Rolle spielen. Die Höhe der möglichen Geldbußen .. --------------------------------------------- https://securingtomorrow.mcafee.com/languages/german/bereiten-sie-sich-scho… *** Drupal Core - Critical - Access Bypass - SA-CORE-2017-002 *** --------------------------------------------- https://www.drupal.org/SA-CORE-2017-002 *** Organizations are not effectively dealing with open source security threats *** --------------------------------------------- Black Duck conducts hundreds of open source code audits annually, primarily related to Merger & Acquisition transactions. Its Center for Open Source Research & Innovation .. --------------------------------------------- https://www.helpnetsecurity.com/2017/04/20/open-source-security-threats/ *** DNS Query Length... Because Size Does Matter, (Thu, Apr 20th) *** --------------------------------------------- In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used in multiple ways to bypass securitycontrols. DNS tunnelling is a common way to establish .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22326 *** Malware: Schadsoftware bei 1.200 Holiday-Inn- und Crown-Plaza-Hotels *** --------------------------------------------- Wer im vergangenen Jahr auf Geschäftsreise oder im Urlaub in den USA gewesen ist, sollte seine Kreditkartenabrechnungen prüfen: Zahlungsterminals zahlreicher .. --------------------------------------------- https://www.golem.de/news/malware-schadsoftware-bei-1-200-holiday-inn-und-c… *** Spyware Disguised as System Update Survived on Play Store for Almost Three Years *** --------------------------------------------- An Android app named "System Update" that secretly contained a spyware family named SMSVova, survived on the official .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spyware-disguised-as-system-… *** [R2] Tenable Appliance 4.5.0 Fixes Multiple Vulnerabilities *** --------------------------------------------- On 2017-04-18, security researcher "agix" published an exploit for the remote command execution flaw (VulnDB 153135). As such, customers are more strongly encouraged to upgrade immediately. --------------------------------------------- https://www.tenable.com/security/tns-2017-07 *** Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) *** --------------------------------------------- In the last few months, I have been testing several Trend Micro products with Steven Seeley (@steventseeley). Together, we have found more than 200+ RCE (Remote Code Execution) vulnerabilities .. --------------------------------------------- http://blog.malerisch.net/2017/04/trend-micro-threat-discovery-appliance-se… *** Stealing sensitive browser data with the W3C Ambient Light Sensor API *** --------------------------------------------- In this post we describe and demonstrate a neat trick to exfiltrate sensitive information from your // --------------------------------------------- https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c… *** Combating a spate of Java malware with machine learning in real-time *** --------------------------------------------- In recent weeks, we have seen a surge in emails carrying fresh malicious Java (.jar) malware that use new techniques to evade antivirus protection. But with our research team’s automated expert .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/04/20/combating-a-wave-of-jav… *** Browser-Updates für Chrome und Firefox stopfen kritische Lücken *** --------------------------------------------- Sowohl Google als auch Mozilla haben kritische Sicherheitslücken in ihren Web-Browsern gestopft. Diese können von Angreifern für Drive-By-Attacken missbraucht werden. --------------------------------------------- https://heise.de/-3689571 *** Abusing NVIDIAs node.js to bypass application whitelisting *** --------------------------------------------- Application WhitelistingApplication whitelisting is an important security concept which can be found in many environments during penetration testing. The basic idea is to create a .. --------------------------------------------- http://blog.sec-consult.com/2017/04/application-whitelisting-application.ht… *** DNSSEC: ISC läutet Schlüsseltausch für BIND9 ein *** --------------------------------------------- Das Update ist für alle BIND9-Betreiber wichtig, die die Software zum Validieren von signierten DNS-Antworten einsetzen, aber kein automatisches Schlüssel-Update eingerichtet haben. --------------------------------------------- https://heise.de/-3689170

1 0

Tageszusammenfassung - Mittwoch 19-04-2017
by Daily end-of-shift report 19 Apr '17

19 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 18-04-2017 18:00 − Mittwoch 19-04-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Trojaner greift gezielt österreichische Banken-Apps an *** --------------------------------------------- Eine kürzlich im Play Store entdeckte Malware versucht Bankdaten von 400 Apps abzugreifen, darunter Bawag, Erste Bank und Volksbank. --------------------------------------------- https://futurezone.at/digital-life/trojaner-greift-gezielt-oesterreichische… *** Hajime IoT worm infects devices to head off Mirai *** --------------------------------------------- Mirai is the name of the worm that has taken control of many IoT devices around the world and used them to mount DDoS attacks, the most high-profile of which was directed against US-based DNS provider Dyn and resulted in many websites and online services being inaccessible for hours on end. Its source code was leaked by the author, which lead to the creation of more botnets, and an increased fear that [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/04/19/hajime-iot-worm/ *** Firmware-Status von AVM-Routern checken: Kritisches Sicherheitsloch in Fritzbox-Firmware gestopft *** --------------------------------------------- Durch eine kritische Sicherheitslücke in FritzOS könnten Angreifer beliebte Fritzbox-Modelle wie die 7490 aus der Ferne kapern. AVM hat die Lücke in den Routern bereits mit Firmware-Version 6.83 geschlossen - allerdings ohne es zu wissen. --------------------------------------------- https://heise.de/-3687437 *** Hunting for Malicious Excel Sheets, (Wed, Apr 19th) *** --------------------------------------------- Recently, I found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros: But below, around the 1000th row, some cells were hidden: Once expanded, they revealed interesting values: The macro code used the contain of those cells: [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22322&rss *** Owncloud/Nextcloud: Passwörter im Bugtracker *** --------------------------------------------- Wer bei Owncloud oder Nextcloud einen Bugreport melden möchte, wird nach dem Inhalt seiner Konfigurationsdatei gefragt. Viele Nutzer kamen dem nach - und gaben damit ihre Passwörter öffentlich preis. --------------------------------------------- https://www.golem.de/news/owncloud-nextcloud-passwoerter-im-bugtracker-1704… *** A Remote Attack on the Bosch Drivelog Connector Dongle *** --------------------------------------------- In this blog post, I discuss the vulnerabilities of the Bosch Drivelog Connector OBD-II dongle found by the Argus Research Team. The vulnerabilities allowed us to stop the engine of a moving vehicle using the Drivelog platform. --------------------------------------------- https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/ *** Internet routing weakness could cost Bitcoin users *** --------------------------------------------- A flaw in the underlying design of the Internet could be very expensive for Bitcoin users, researchers find. --------------------------------------------- https://nakedsecurity.sophos.com/2017/04/18/internet-routing-weakness-could… *** Meet PINLogger, the drive-by exploit that steals smartphone PINs *** --------------------------------------------- Sensors in phones running both iOS and Android reveal all kinds of sensitive info. --------------------------------------------- https://arstechnica.com/security/2017/04/meet-pinlogger-the-drive-by-exploi… *** BrickerBot Permanent Denial-of-Service Attack (Update A) *** --------------------------------------------- This updated alert is a follow-up to the original alert titled ICS-ALERT-17-102-01A BrickerBot Permanent Denial-of-Service Attack that was published April 12, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of open-source reports of "BrickerBot" attacks, which exploit hard-coded passwords in IoT devices in order to cause a permanent denial of service (PDoS). This family of botnets, which consists of BrickerBot.1 and BrickerBot.2, was described in a Radware Attack Report. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A *** Cryptographic security risks are amplified in DevOps settings *** --------------------------------------------- Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications, according to a study conducted by Dimensional Research. According to the study, many organizations fail to enforce vital cryptographic security measures in their DevOps environments. These problems are especially acute among organizations that are in the midst of adopting DevOps practices, but even organizations that say their [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/04/19/devops-settings/ *** What is File Integrity Monitoring and Why You Need It *** --------------------------------------------- The news is rife with stories of successful attacks against servers, point-of-sale (POS) systems, IoT devices and more where an attacker has gained access to an organization's IT assets and changed or inserted new files and data to do something malicious. Just a search on malware highlights a seemingly-endless list of variants including the recent exposure of NSA-backed malware that exploits Windows systems, the re-emergence of Dridex (designed to capture banking credentials), new malware [...] --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/what-is-file-integrity… *** HPESBGN03734 rev.1 - HPE Vertica Analytics Platform, Remote Gain Privileged Access *** --------------------------------------------- A potential security vulnerability has been identified in HPE Vertica Analytics Platform. This vulnerability could be remotely exploited to gain privileged access. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn037… *** VMSA-2017-0008 *** --------------------------------------------- VMware Unified Access Gateway, Horizon View and Workstation updates resolve multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0008.html *** Oracle Critical Patch Update - April 2017 *** --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html *** Solaris Third Party Bulletin - April 2017 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/bulletinapr2017-3680911.h… *** Oracle Linux Bulletin - April 2017 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2017-3664… *** Oracle VM Server for x86 Bulletin - April 2017 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/ovmbulletinapr2017-366462… *** Huawei Security Advisories *** --------------------------------------------- *** Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Products *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-… --------------------------------------------- *** Security Advisory - OpenSSL Montgomery multiplication may produce incorrect results Vulnerability *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-… --------------------------------------------- *** Security Advisory - DoS Vulnerability in Some Huawei Products *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-… --------------------------------------------- *** Security Advisory - Input Validation Vulnerability in Multiple Huawei Products *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-… --------------------------------------------- *** Security Advisory - Plaintext Storage of Users' Safe Passwords in the Files APP in Huawei Mobile Phones *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170419-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in zlib affect IBM SDK for Node.js (CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843) *** http://www.ibm.com/support/docview.wss?uid=swg22001567 --------------------------------------------- *** IBM Security Bulletin: Privilege escalation vulnerability affects IBM Security Guardium (CVE-2017-1122) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997868 --------------------------------------------- *** IBM Security Bulletin: Fix available for Sensitive Data Exposure Vulnerability in IBM Cúram Social Program Management (CVE-2016-9978) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001782 --------------------------------------------- *** IBM Security Bulletin: Fix available for DOM based Cross Site Scripting (XSS) Vulnerability in IBM Cúram Social Program Management (CVE-2016-9979) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001780 --------------------------------------------- *** IBM Security Bulletin: Fix available for Reflected Cross Site Scripting (XSS) Vulnerability in IBM Cúram Social Program Management (CVE-2016-9980) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001779 --------------------------------------------- *** IBM Security Bulletin: Fix available for a Privilege Escalation Vulnerability in IBM Cúram Social Program Management (CVE-2016-8923) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001774 --------------------------------------------- *** IBM Security Bulletin: Access Manager Client in IBM DataPower Gateways is vulnerable to a denial of service attack. *** http://www.ibm.com/support/docview.wss?uid=swg22001789 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the IBM FlashSystem models 840 and 900 *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010111 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the IBM FlashSystem model V840 *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010112 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 18-04-2017
by Daily end-of-shift report 18 Apr '17

18 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 14-04-2017 18:00 − Dienstag 18-04-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Protecting customers and evaluating risk *** --------------------------------------------- Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation. When a potential vulnerability is reported to... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-an… *** Ab sofort keine Updates mehr für Windows 7 und 8.1-Nutzer mit neuer Hardware *** --------------------------------------------- Es bleibt den Usern somit nur mehr das Upgrade auf Windows 10 --------------------------------------------- http://derstandard.at/2000056017223 *** Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers *** --------------------------------------------- Microsoft fixed critical vulnerabilities in uncredited update released in March. --------------------------------------------- https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-wer… *** Warnung - Betrugsversuche *** --------------------------------------------- Wir weisen darauf hin, dass E-Mails im Umlauf sind, die von gefälschten OeNB-Absende-Adressen aus verschickt werden. [...] Die versendeten E-Mails beinhalten Schadsoftware [...] --------------------------------------------- https://www.oenb.at/Ueber-Uns/Rechtliche-Grundlagen/warnung-betrugsversuche… *** Email Tracking Pixels Used for Pre-Hack Info Gathering *** --------------------------------------------- A simple email marketing trick is also abused by cyber-criminals, who are employing a technique known as "pixel tracking" to gather information on possible targets or to improve the efficiency of phishing attacks. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/email-tracking-pixels-used-f… *** FIRST releases twenty years of conference materials *** --------------------------------------------- The leading association of incident response and security teams publishes its repository of twenty years of incident response learnings. --------------------------------------------- https://www.first.org/newsroom/releases/20170418 *** Edge Plagued by Various Security Flaws, Not as Secure as Microsoft Boasts *** --------------------------------------------- Microsoft never shied away from claiming that Edge is a much more secure browser than Chrome. Even some third-party tests have sustained its claims. Nonetheless, there are currently three different issues affecting Edge, which Microsoft might not like you knowing about. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/edge-plagued-by-various-secu… *** Wartungsarbeiten Donnerstag, 20. 4. 2017 *** --------------------------------------------- Am Donnerstag, 20. April 2017, ab etwa 19h, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu kurzen Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen,... --------------------------------------------- http://www.cert.at/services/blog/20170418151642-1969.html *** VU#676632: IBM Lotus Domino server IMAP EXAMINE command stack buffer overflow *** --------------------------------------------- Vulnerability Note VU#676632 IBM Lotus Domino server IMAP EXAMINE command stack buffer overflow Original Release date: 17 Apr 2017 | Last revised: 17 Apr 2017 Overview IBM Lotus Domino server, versions IMAP service contains a stack-based buffer overflow vulnerability in the EXAMINE command. This can allow a remote, authenticated attacker to execute arbitrary code with the privileges of the Domino server Description IBM Lotus Domino includes an IMAP server. This server contains a stack buffer... --------------------------------------------- http://www.kb.cert.org/vuls/id/676632 *** NETGEAR ProSAFE Plus Configuration Utility vulnerable to improper access control *** --------------------------------------------- ProSAFE Plus Configuration Utility is vulnerable to improper access control. --------------------------------------------- http://jvn.jp/en/jp/JVN08740778/ *** Security Notice - Statement on Command Injection Vulnerability in Huawei HG532n Product *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170418-01-… *** 2107-04 Security Bulletin: Multiple Vulnerabilities in NorthStar Controller Application before version 2.1.0 Service Pack 1. *** --------------------------------------------- Multiple vulnerabilities have been resolved in the NorthStar Controller Application starting from version 2.1.0 Service Pack 1 and all subsequent releases. --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10783&cat=SIRT_1… *** cURL and libcurl vulnerabilities in F5 products *** --------------------------------------------- https://support.f5.com/csp/article/K84940705 https://support.f5.com/csp/article/K85235351 https://support.f5.com/csp/article/K17742627 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Tealeaf Customer Experience (CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000439 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-8610 and CVE-2017-3731 ) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021869 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Systems Director Platform Agent (CVE-2017-3731, CVE-2017-3732) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025103 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA (CVE-2016-5597, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000386 --------------------------------------------- *** IBM Security Bulletin: IBM Connections Docs is Vulnerable to a Denial of Service (CVE-2016-4483) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001680 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010105 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem model V840 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010106 --------------------------------------------- *** IBM Security Bulletin: Multiple security issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On *** http://www-01.ibm.com/support/docview.wss?uid=swg22000445 --------------------------------------------- *** IBM Security Bulletin: Multiple ZLIB vulnerabilities affect IBM Mobile Connect *** http://www.ibm.com/support/docview.wss?uid=swg22000094 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the Firefox component of the Synthetic Playback agent affects IBM Performance Management products. *** http://www-01.ibm.com/support/docview.wss?uid=swg22000816 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Monitoring Basic Services component. (CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22001712 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect the IBM FlashSystem models 840 and 900 *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010012 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Campaign, IBM Contact Optimization *** http://www.ibm.com/support/docview.wss?uid=swg21992598 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 14-04-2017
by Daily end-of-shift report 14 Apr '17

14 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 13-04-2017 18:00 − Freitag 14-04-2017 18:02 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Zero Day Exploit: Magento-Onlineshops sind wieder gefährdet *** --------------------------------------------- Wer eine Magento-basierte Onlineshop-Lösung verwendet, sollte dringend seine Einstellungen überprüfen. Ein Sicherheitslücke erlaubt die Kompromittierung der Installation und bringt die Kunden in Gefahr. Der Hersteller arbeitet wohl an einem Patch, kommuniziert dies jedoch nicht vernünftig. --------------------------------------------- https://www.golem.de/news/zero-day-exploit-magento-onlineshops-sind-wieder-… *** Exploit Kit Activity Quiets, But Is Far From Silent *** --------------------------------------------- Here are the exploit kits to watch for over the next three to six months. --------------------------------------------- http://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/12… *** Shadow Brokers Release New Batch of Files Containing Windows and SWIFT Exploits *** --------------------------------------------- On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsofts Windows OS and the SWIFT banking system. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/shadow-brokers-release-new-b… *** BSI definiert Mindeststandard für sichere Web-Browser *** --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat Mindestanforderungen für sichere Web-Browser veröffentlicht. In einer Tabelle vergleicht die Behörde vier aktuelle Browser - einer wies demnach eine schwerwiegende Einschränkung auf. --------------------------------------------- https://heise.de/-3686044 *** Phishing with Unicode Domains *** --------------------------------------------- If I told you this could be a phishing site, would you believed me? tl;dr: check out the proof-of-concept --------------------------------------------- https://www.xudongz.com/blog/2017/idn-phishing/ *** Critical Patch Update - April 2017 - Pre-Release Announcement *** --------------------------------------------- Critical Patch Update - April 2017 - Pre-Release Announcement --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html *** 2017-04 Security Bulletin: EX Series: Crafted IPv6 NDP packet causing a slow memory leak on EX Series Switches (CVE-2017-2315) *** --------------------------------------------- A vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery (ND) packet destined to an EX Series Ethernet Switches to cause a slow memory leak. A malicious network-based packet flood of these crafted IPv6 NDP packets may eventually lead to resource exhaustion and a denial of service. --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10781 *** Heap Overflow Vulnerability in Citrix NetScaler Gateway Could Result in Arbitrary Code Execution *** --------------------------------------------- A heap overflow vulnerability has been identified in Citrix NetScaler Gateway that could allow a remote, authenticated user to execute arbitrary commands on the NetScaler Gateway appliance as a root user. --------------------------------------------- https://support.citrix.com/article/CTX222657 *** cURL and libcurl vulnerability CVE-2016-8622 *** --------------------------------------------- cURL and libcurl vulnerability CVE-2016-8622. Security Advisory. Security Advisory Description. ** RESERVED ** This candidate ... --------------------------------------------- https://support.f5.com/csp/article/K23391972 *** VMSA-2017-0007 *** --------------------------------------------- VMware vCenter Server updates resolve a remote code execution vulnerability via BlazeDS --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0007.html *** Wecon Technologies LEVI Studio HMI Editor *** --------------------------------------------- This advisory contains mitigation details for heap-based buffer overflow and stack-based buffer overflow vulnerabilities in the Wecon Technologies LEVI Studio HMI Editor. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-103-01 *** Schneider Electric Modicon M221 PLCs and SoMachine Basic *** --------------------------------------------- This advisory contains mitigation details for use of hard-coded cryptographic key and protection mechanism failure vulnerabilities in Schneider Electric's Modicon M221 PLCs and SoMachine Basic. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-103-02 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Financial Transaction Manager for ACH Services, Check Services and Corporate Payment Services potential Cross Site Scripting vulnerabilities (CVE-2017-1160) *** http://www.ibm.com/support/docview.wss?uid=swg22001574 --------------------------------------------- *** IBM Security Bulletin: IBM API Connect Developer Portal is vulnerable to unauthenticated remote code execution (CVE-2017-1161) *** http://www.ibm.com/support/docview.wss?uid=swg22000316 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Financial Transaction Manager for ACH Services, Check Services and Corporate Payment Services *** http://www.ibm.com/support/docview.wss?uid=swg22001536 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by tar vulnerabilities (CVE-2010-0624 CVE-2016-6321) *** http://www.ibm.com/support/docview.wss?uid=isg3T1025085 --------------------------------------------- *** IBM Security Bulletin: Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerability (CVE-2016-6816) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998864 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Insight *** http://www.ibm.com/support/docview.wss?uid=swg21999652 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos TM1 *** http://www.ibm.com/support/docview.wss?uid=swg21999649 --------------------------------------------- *** IBM Security Bulletin: Unvalidated redirection URL vulnerability in IBM Marketing Platform (CVE-2016-0228) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001952 --------------------------------------------- Next End-of-Shift report: 2017-04-18

1 0

Tageszusammenfassung - Donnerstag 13-04-2017
by Daily end-of-shift report 13 Apr '17

13 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 12-04-2017 18:00 − Donnerstag 13-04-2017 18:02 Handler: Alexander Riepl Co-Handler: n/a *** BrickerBot Permanent Denial-of-Service Attack *** --------------------------------------------- NCCIC/ICS-CERT is aware of open-source reports of “BrickerBot” attacks, which exploit hard-coded passwords in IoT devices in order to cause a permanent denial of .. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01 *** India to world+dog: Go ahead, please hack our elections ... if you can *** --------------------------------------------- Не волнуйтесь. Мы уже это сделали, товарищи Following demands for an investigation into the security of Indias electronic voting machines, the countrys .. --------------------------------------------- www.theregister.co.uk/2017/04/12/india_electronic_election_hacking/ *** Hintergrund: Forensik-Tools patzen bei neuer Windows-Kompression *** --------------------------------------------- Mit Hilfe einer noch weitgehend unbekannten Dateikompression namens 'Compact OS' könnten sich Schad-Programme und andere Beweismittel einer forensischen Untersuchung eines PCs entziehen. Wir haben sechs Standard-Forensik-Tools getestet. --------------------------------------------- https://heise.de/-3676075 *** WordPress plugin "WP Statistics" vulnerable to cross-site scripting *** --------------------------------------------- http://jvn.jp/en/jp/JVN62392065/ *** SAP schließt kritische Lücke in der Search Engine TREX *** --------------------------------------------- TREX ist in über einem Dutzend SAP-Produkten verbaut und erlaubte fast zwei Jahre das Einschleusen und Ausführen von Code. Diese und 14 weitere Lücken schließt der Hersteller im Rahmen des April-Patchdays. --------------------------------------------- https://heise.de/-3685632 *** Akamai reports UDP DDOS Using C-LDAP reaching 24Gbps, (Thu, Apr 13th) *** --------------------------------------------- Akamai researchers Jose Arteaga Wilber Mejia have posted details on a new reflected DDOS apprach, using the Connectionless LDAP protocol (on udp/389). Reflected UDP attacks arent new, but using CLDAP seems to be. Which made me wonder who are the folks that decided that their AD (or other LDAP directory) .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22300 *** Samsung: Keine Sicherheitslücken in Smart-TVs *** --------------------------------------------- Der Elektronikkonzern will die Sicherheit seines in die Kritik geratenen Betriebssystems Tizen ins rechte Licht rücken und verkündet, dass weder Smart TVs noch Smartwatches .. --------------------------------------------- https://heise.de/-3685732

1 0

Tageszusammenfassung - Mittwoch 12-04-2017
by Daily end-of-shift report 12 Apr '17

12 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 11-04-2017 18:00 − Mittwoch 12-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Fake News at Work in Spam Kingpin’s Arrest? *** --------------------------------------------- Over the past several days, many Western news media outlets have predictably devoured thinly-sourced reporting from a Russian publication that the arrest last week of a Russian spam kingpin in Spain was related to hacking attacks linked to last year’s U.S. election. While there .. --------------------------------------------- https://krebsonsecurity.com/2017/04/fake-news-at-work-in-spam-kingpins-arre… *** Schneider Electric Modicon Modbus Protocol *** --------------------------------------------- This advisory contains mitigation details for authentication bypass by capture-replay and violation of secure design principles vulnerabilities in Schneider Electric’s Modicon Modbus protocol. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01 *** Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2) *** --------------------------------------------- Posted by Gal Beniamini, Project ZeroIn this blog post well continue our journey into gaining remote kernel code execution, by means of Wi-Fi communication alone. Having previously developed a remote code execution exploit .. --------------------------------------------- http://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms… *** CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler *** --------------------------------------------- FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability .. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handl… *** Patchday: Adobe stopft kritische Lücken in Acrobat, Reader, Flash und Photoshop *** --------------------------------------------- Kritische Lücken in Flash sowie in Adobe Acrobat und Reader benötigen sofortige Aufmerksamkeit. Auf ungepatchten Systemen können Angreifer Schadcode aus der Ferne ausführen. Photoshop ist diesmal auch mit Sicherheitslücken beim Patchday dabei. --------------------------------------------- https://heise.de/-3682970 *** Malicious Image Defacement Hidden from Search Engines *** --------------------------------------------- After carefully designing a theme and images that represent your brand, nothing is worse than seeing a malicious image suddenly associated with your business or website. In a recent blog post, we discussed a case in which a .. --------------------------------------------- https://blog.sucuri.net/2017/04/malicious-image-defacement-hidden-from-sear… *** JSA10753 - 2016-07 Security Bulletin: SRX Series: Upgrades using partition option may allow unauthenticated root login (CVE-2016-1278) *** --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10753 *** Sundown EK gone missing, Terror EK flavours seen in active drive-by campaigns *** --------------------------------------------- With another player out at the moment, we take a look at a rebranded exploit kit in current malware .. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/04/sundown-ek-gone-missi… *** IT-Sicherheit: Wie ich mein Passwort im Stack Trace fand *** --------------------------------------------- Unser Autor hat versehentlich das MySQL-Passwort seiner Webseite veröffentlicht. Hier schreibt er, wie es dazu kam. Er berichtet, warum Fehler selbst dann passieren, wenn .. --------------------------------------------- https://www.golem.de/news/it-sicherheit-wie-ich-mein-passwort-im-stack-trac… *** Patchday: Microsoft sichert Office gegen aktive Angriffe ab *** --------------------------------------------- Im April verteilt Microsoft zwölf Sicherheitsupdates und stopft mehrere als kritisch eingestufte Schwachstellen. Aktuell haben es Angreifer gezielt auf eine Office-Lücke abgesehen. --------------------------------------------- https://heise.de/-3683358 *** Investigation Finds Inmates Built Computers, Hid Them In Prison Ceiling *** --------------------------------------------- An anonymous reader quotes a report from WRGB: The discovery of two working computers hidden in a ceiling at the Marion Correctional Institution prompted an investigation by the state into how inmates got access. In late .. --------------------------------------------- https://hardware.slashdot.org/story/17/04/12/0328239/investigation-finds-in… *** Kelihos.E *** --------------------------------------------- Kelihos.E Botnet – Law Enforcement Takedown On Monday April 10th 2017, The US Department of Justice (DOJ) announced a successful operation to take down the Kelihos Botnet and arrest the suspected botnet operator. The .. --------------------------------------------- http://blog.shadowserver.org/2017/04/12/kelihos-e/ *** New NAS Vulnerabilities are as Bad as they Get *** --------------------------------------------- If you have a QNAP network attached storage (NAS) device, you’d better make sure the firmware is updated. Earlier this year, F-Secure Senior Security .. --------------------------------------------- https://safeandsavvy.f-secure.com/2017/04/12/new-nas-vulnerabilities-are-pr…

1 0

Tageszusammenfassung - Dienstag 11-04-2017
by Daily end-of-shift report 11 Apr '17

11 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 10-04-2017 18:00 − Dienstag 11-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Longhorn: Tools used by cyberespionage group linked to Vault 7 *** --------------------------------------------- Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn. Symantec has been protecting its .. --------------------------------------------- https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-g… *** Mirai Botnet Temporarily Adds Bitcoin Mining Component, Removes It After a Week *** --------------------------------------------- For around a week at the end of March, one of the many versions of the Mirai malware was spotted delivering a Bitcoin-mining module to its infected .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mirai-botnet-temporarily-add… *** Support-Ende erreicht: Tschüss, Vista *** --------------------------------------------- Am heutigen 11. April endet der Support für Windows Vista. Eine Träne wird deswegen wohl kaum jemand vergießen, dabei steckten viele tolle Neuerungen darin. --------------------------------------------- https://heise.de/-3675983 *** Understanding and Discovering Open Redirect Vulnerabilities *** --------------------------------------------- One of the most common and largely overlooked vulnerabilities by web developers is Open Redirect (also known as "Unvalidated Redirects and Forwards"). A website is vulnerable to .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Understanding-and-Disco… *** Microsoft Word 0day used to push dangerous Dridex malware on millions *** --------------------------------------------- Blast could give a boost to Dridex, one of the Internets worst bank-fraud threats. --------------------------------------------- https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-d… *** Malware belauscht Sensoren und knackt Handysperre *** --------------------------------------------- Von Forschern geschriebener Schädling nutzt Browserleck und neuronales Netzwerk, um Sperrcode zu errechnen --------------------------------------------- http://derstandard.at/2000055738573 *** Breaking Signal: A Six-Month Journey *** --------------------------------------------- Researchers spent six months poking holes in Signal and urge a bigger spotlight on security testing. --------------------------------------------- http://threatpost.com/breaking-signal-a-six-month-journey/124888/ *** DSA-3828 dovecot - security update *** --------------------------------------------- It was discovered that the Dovecot email server is vulnerable to adenial of service attack. When the dict passdb and userdb are usedfor user authentication, the .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3828 *** Security Bulletins posted *** --------------------------------------------- Adobe has published security bulletins for Adobe Campaign (APSB17-09), Adobe Flash Player (APSB17-10), Adobe Acrobat and Reader (APSB17-11), Adobe Photoshop (APSB17-12) and the Creative Cloud Desktop Application (APSB17-13). Adobe recommends users update their product installations to the .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1457 *** Nach Hacker-Festnahme: FBI will Kelihos-Botnetz endgültig stilllegen *** --------------------------------------------- Schon kurz nachdem der mutmaßlich verantwortliche Cyberkriminelle in Spanien festgenommen wurde, haben US-Behörden offenbar mehrere Maßnahmen eingeleitet, um das Botnetz Kelihos ein für alle mal außer Gefecht zu setzen. --------------------------------------------- https://heise.de/-3682746

1 0

Tageszusammenfassung - Montag 10-04-2017
by Daily end-of-shift report 10 Apr '17

10 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 07-04-2017 18:00 − Montag 10-04-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Sicherheitsforscher: IoT-Hersteller machen es Bugjägern unnötig schwer *** --------------------------------------------- Ein Sicherheitsexperte hat nicht nur diverse Bugs in Kameras, NAS-Laufwerken, mobilen Routern oder einem Retinascanner gefunden, sondern auch dokumentiert, wie wenig die betroffenen Hersteller mit solchen Meldungen anfangen können. --------------------------------------------- https://heise.de/-3678493 *** Apache Struts 2 Exploits Installing Cerber Ransomware *** --------------------------------------------- Attackers are attempting to exploit the recent Apache Struts vulnerability on Windows servers and the payload is a variant of the Cerber ransomware. --------------------------------------------- http://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware… *** Matrix Ransomware Spreads to Other PCs Using Malicious Shortcuts *** --------------------------------------------- The Matrix Ransomware gears up for higher distribution by using EITest, the Rig Exploit kit, while .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/matrix-ransomware-spreads-to… *** Baseband Zero Day Exposes Millions of Mobile Phones to Attack *** --------------------------------------------- A previously undisclosed baseband vulnerability impacting Huawei smartphones, laptop WWAN modules .. --------------------------------------------- http://threatpost.com/baseband-zero-day-exposes-millions-of-mobile-phones-t… *** Malware auf Zerstörungsjagd: BrickerBot legt unsichere IoT-Geräte still *** --------------------------------------------- Unsichere IoT-Geräte werden meist im Stillen gekapert und als Hilfsarmee für DDoS-Attacken eingesetzt. Jetzt .. --------------------------------------------- https://heise.de/-3678861 *** A quick look at the Ikea Trådfri lighting platform *** --------------------------------------------- Ikea recently launched their Trådfri smart lighting platform in the US. The idea of Ikea plus internet security together at last seems like a pretty terrible one, but having taken a look its surprisingly competent. Hardware-wise, .. --------------------------------------------- http://mjg59.dreamwidth.org/47803.html *** Equation Group: Die Shadow Brokers veröffentlichen NSA-Geheimnisse *** --------------------------------------------- Die Shadow Brokers haben keine Lust mehr - oder sind von Donald Trump wirklich enttäuscht. Das Passwort zum verschlüsselten Archiv ist jetzt im Netz. Die Gruppe hatte Exploits .. --------------------------------------------- https://www.golem.de/news/equation-group-die-shadow-brokers-veroeffentliche… *** Apple finally teaches Android music app to validate certificates *** --------------------------------------------- Cupertinos so keen on Android it took eight months to repair interception bug If youre so .. --------------------------------------------- www.theregister.co.uk/2017/04/10/apple_music_vulnerability/ *** Hackers set off Dallas’ 156 emergency sirens over a dozen times *** --------------------------------------------- https://arstechnica.com/security/2017/04/hackers-set-off-dallas-156-emergen… *** Alleged Spam King Pyotr Levashov Arrested *** --------------------------------------------- Authorities in Spain have arrested a Russian computer programmer thought to be one of the worlds most notorious spam kingpins. Spanish police arrested Pyotr .. --------------------------------------------- https://krebsonsecurity.com/2017/04/alleged-spam-king-pyotr-levashov-arrest… *** WP Statistics <= 12.0.4 - Reflected Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8794 *** Telekom Austria war von NSA-Angriff betroffen *** --------------------------------------------- Laut Daten der Hackergruppe Shadow Brokers hat die NSA vor Jahren Rechner der Telekom Austria unter ihre Kontrolle gebracht. Die Telekom untersucht dies. --------------------------------------------- https://futurezone.at/digital-life/telekom-austria-war-von-nsa-angriff-betr… *** Schwerwiegende Microsoft Word-Lücke erlaubt Fremdzugriff *** --------------------------------------------- McAfee berichtet von Exploit, mit dem Angreifer Code auf Zielcomputer ausführen kann --------------------------------------------- http://derstandard.at/2000055670310 *** SQL Injection in extension "Event management and registration" (sf_event_mgt) *** --------------------------------------------- https://typo3.org/news/article/sql-injection-in-extension-event-management-… *** SQL Injection in extension "News system" (news) *** --------------------------------------------- https://typo3.org/news/article/sql-injection-in-extension-news-system-news/ *** Hacker nehmen zunehmend Amazon-Händler ins Visier *** --------------------------------------------- Drittanbieter auf der Handelsplattform Amazon geraten zunehmend ins Visier von Cyber-Betrügern. --------------------------------------------- https://futurezone.at/digital-life/hacker-nehmen-zunehmend-amazon-haendler-… *** Notes on Windows Uniscribe Fuzzing *** --------------------------------------------- Posted by Mateusz Jurczyk of Google Project ZeroAmong the total of 119 vulnerabilities with CVEs fixed by Microsoft in the March Patch Tuesday a few weeks ago, .. --------------------------------------------- http://googleprojectzero.blogspot.com/2017/04/notes-on-windows-uniscribe-fu… *** Symantec dokumentiert Verbindung zwischen angeblichen CIA-Tools und weltweiten Attacken *** --------------------------------------------- In mindestens 16 Ländern attackierte eine Gruppe namens Longhorn Firmen, Organisationen und Regierungen. Und Longhorn nutzte dabei die jetzt von Wikileaks als Vault 7 veröffentlichten, angeblichen CIA-Tools, stellt Symantec fest. --------------------------------------------- https://heise.de/-3680265

1 0

Tageszusammenfassung - Freitag 7-04-2017
by Daily end-of-shift report 07 Apr '17

07 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 06-04-2017 18:00 − Freitag 07-04-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Ransomware Gang Made Over $100,000 by Exploiting Apache Struts Zero-Day *** --------------------------------------------- For more than a month, at least ten groups of attackers have been compromising systems running applications built with Apache Struts and installing backdoors, DDoS bots, cryptocurrency miners, or ransomware, depending if the machine is running Linux or Windows. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-made-over-10… *** Upcoming Security Updates for Adobe Acrobat and Reader (APSB17-11) *** --------------------------------------------- A prenotification Security Advisory (APSB17-11) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, April 11, 2017. We will continue to provide updates on the upcoming releases via the Security Advisory as well as the... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1454 *** Tracking Website Defacers with HTTP Referers, (Fri, Apr 7th) *** --------------------------------------------- In a previous diary, I explained how pictures may affect your website reputation[1]. Although asuggestedrecommendation was to prevent cross-linking by using the HTTP referer, this is a control that I do not implement on my personal blog, purely for research purposes. And it successfully worked! My website and all its components are constantly monitored but Im also monitoring online services like pastebin.com to track references to... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22268&rss *** Brickerbot: Hacker zerstören das Internet of Insecure Things *** --------------------------------------------- Unbekannte versuchen zurzeit, sich in ungesicherte IoT-Geräte zu hacken und diese aktiv zu zerstören. Offenbar ein Versuch, die Geräte unschädlich zu machen, bevor sie Teil von Botnetzen wie Mirai werden. --------------------------------------------- https://www.golem.de/news/brickerbot-hacker-zerstoeren-das-internet-of-inse… *** Global DDoS Threat Landscape: What's new? *** --------------------------------------------- The Current Global DDoS Threat Landscape In this post, we analyze the current Global DDoS threat landscape focusing on the economic aspect of this kind of criminal activity. The extortion crimes continue to represent a serious threat to businesses and organizations worldwide; ransomware infections and DDoS attacks are becoming daily problems. Security experts at Imperva... --------------------------------------------- http://resources.infosecinstitute.com/global-ddos-threat-landscape-whats-ne… *** QNAP NAS devices open to remote command execution *** --------------------------------------------- If you're using one of the many QNAP NAS devices and you haven't yet upgraded the QTS firmware to version 4.2.4, you should do so immediately if you don't want it to fall prey to attackers. Among the vulnerabilities fixed by QNAP in this latest firmware version, released on March 21, are three command injection flaws in the web user interface that can be exploited to gain remote command execution on a vulnerable device as... --------------------------------------------- https://www.helpnetsecurity.com/2017/04/07/qnap-nas-vulnerability/ *** ClearEnergy - The "In the Wild" SCADA Ransomware Attacks That Never Were *** --------------------------------------------- A mini-controversy broke out this week in the infosec community after cyber-security firm CRITIFENCE led journalists and other security experts to believe that theyve detected in-the-wild attacks with a new ransomware called ClearEnergy, specialized in targeting ICS/SCADA industrial equipment. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/clearenergy-the-in-the-wild-… *** Sathurbot: Distributed WordPress password attack *** --------------------------------------------- This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts. --------------------------------------------- https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-p… *** New IoT/Linux Malware Targets DVRs, Forms Botnet *** --------------------------------------------- Unit 42 researchers have identified a new variant of the IoT/Linux botnet "Tsunami", which we are calling "Amnesia". The Amnesia botnet targets an unpatched remote code execution vulnerability that was publicly disclosed over a year ago in March 2016 in DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide. Based on our scan data shown below in Figure 1, this [...] --------------------------------------------- http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malw… *** [2017-04-07] Server-Side Request Forgery in MyBB forum *** --------------------------------------------- The "Change Avatar" function in MyBB allows an attacker to perform server-side request forgery (SSRF) attacks if the cURL functions are disabled. It is possible to send requests to internal networks and perform port scans. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** IBM Security Bulletin: IBM Connections Docs is Vulnerable to a Denial of Service ( CVE-2016-3627 ) *** --------------------------------------------- DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by an error in the xmlStringGetNodeList() function when parsing xml files while in recover mode. An attacker could exploit this vulnerability to exhaust the stack and cause a segmentation fault. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22001676

1 0

Tageszusammenfassung - Donnerstag 6-04-2017
by Daily end-of-shift report 06 Apr '17

06 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 05-04-2017 18:00 − Donnerstag 06-04-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Forscher warnen vor Gefahr durch Viren-Signaturen *** --------------------------------------------- Mit Hilfe der von Antiviren-Software eingesetzten Signaturen könnten Angreifer gezielt Fehlalarme auslösen. Im schlimmsten Fall kann das ein Opfer das komplette Mail-Archiv kosten. --------------------------------------------- https://heise.de/-3675819 *** Teenager Arrested in Austria for Spreading Philadelphia Ransomware *** --------------------------------------------- Austrian police arrested a 19-year-old teenager from Linz for infecting the network of a local company with the Philadelphia ransomware. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/teenager-arrested-in-austria… *** Trust issues: Know the limits of SSL certificates *** --------------------------------------------- Certificate authorities (CAs) have given themselves a black eye lately, making it hard for users to trust them. Google stopped trusting Symantec after discovering the CA had mis-issued thousands of certificates over several years, and researchers found that phishing sites were using PayPal-labeled certificates issued by Linux Foundation's Let's Encrypt CA. Even with these missteps, the CAs play a critical role in establishing trust on the internet.To read this article in full or to... --------------------------------------------- http://www.cio.com/article/3187881/internet/trust-issues-know-the-limits-of… *** Cisco Access Points: Zugriff mit offenen Default-Accounts *** --------------------------------------------- Bis zum Mittwoch konnten sich Angreifer mittels Default-Zugangsdaten Zugriff auf Cisco WLAN Access Points der Aeronet-Serie verschaffen. Ein Sicherheits-Update fixt das. Drei weitere schließen Einfallstore für DoS-Angriffe auf WLAN-Controller. --------------------------------------------- https://heise.de/-3677288 *** Wie Sie verschlüsselte Dateien wiederherstellen können *** --------------------------------------------- Mit einem Verschlüsselungstrojaner können Kriminelle Dateien von Opfern unbrauchbar machen. Sie verlangen Geld dafür, dass sie den Schaden beseitigen. Die Website nomoreransom.org/de hilft Opfern, die Dateien selbstständig wiederherzustellen, ohne dass sie dafür Geld an die Verbrecher/innen zahlen müssen. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/wie-sie-verschluesselte-dat… *** Moodle Bugs Let Remote Users Conduct Cross-Site Scripting Attacks and Remote Authenticated Users Obtain Usernames and Conduct SQL Injection Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1038174 *** Bugtraq: Trend Micro Enterprise Mobile Security Android Application - MITM SSL Certificate Vulnerability (CVE-2016-9319) *** --------------------------------------------- http://www.securityfocus.com/archive/1/540375 *** SECURITY BULLETIN: Trend Micro Smart Protection Server (Standalone) 3.x Command Injection Remote Code Execution Vulnerability *** --------------------------------------------- Trend Micro has released new Critical Patches (CP) for Trend Micro Smart Protection Server (Standalone) versions 3.0 and 3.1. These CPs resolve a vulnerability in the product that could potentially allow a remote attacker to execute arbitrary code on vulnerable installations. --------------------------------------------- https://success.trendmicro.com/solution/1117033 *** BlackBerry powered by Android Security Bulletin - April 2017 *** --------------------------------------------- http://support.blackberry.com/kb/articleDetail?articleNumber=000039276 *** Certec EDV GmbH atvise scada *** --------------------------------------------- This advisory contains mitigation details for cross-site scripting and header injection vulnerabilities in the Certec EDV GmbH atvise scada. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-096-01 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Financial Transaction Manager for ACH Services, Check Services and Corporate Payment Services session identifier vulnerability (CVE-2017-1152) *** http://www.ibm.com/support/docview.wss?uid=swg22001551 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition, affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-5549) (CVE-2016-5548) (CVE-2016-5547) (CVE-2016-5546) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999271 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Mobile Connect (CVE-2017-3272,CVE-2017-5548,CVE-2017-3261,CVE-2017-3231,CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22000443 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX *** http://aix.software.ibm.com/aix/efixes/security/java_jan2017_advisory.asc --------------------------------------------- *** Novell Patches *** --------------------------------------------- *** eDirectory 8.8 SP8 Patch 10 *** https://download.novell.com/Download?buildid=VYtYu65T21Y~ --------------------------------------------- *** iManager 3.0.3 *** https://download.novell.com/Download?buildid=3jd0pzoyux0~ --------------------------------------------- *** iManager 2.7 Support Pack 7 - Patch 10 *** https://download.novell.com/Download?buildid=5NqajLP7bSo~ --------------------------------------------- *** eDirectory 9.0.3 *** https://download.novell.com/Download?buildid=D1U-cCj1YEs~ --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Mobility Express 2800 and 3800 Series Wireless LAN Controllers Shell Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wireless LAN Controller Management GUI Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Aironet 1800, 2800, and 3800 Series Access Point Platforms Shell Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wireless LAN Controller IPv6 UDP Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wireless LAN Controller RADIUS Change of Authorization Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wireless LAN Controller 802.11 WME Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco UCS Director Virtual Machine Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance Debug Plug-in Privilege Escalation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Unified Communications Manager Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Unified Communications Manager SQL Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Registered Envelope Service Open Redirect Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XE Software Startup Script Local Command Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XR Software Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Web Interface Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance local-mgmt CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Integrated Management Controller Redirection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Firepower Detection Engine SSL Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Firepower Detection Engine SSL Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASR 903 and ASR 920 Series Devices IPv6 Packet Processing Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Aironet 1830 Series and 1850 Series Access Points Mobility Express Default Credential Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 5-04-2017
by Daily end-of-shift report 05 Apr '17

05 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 04-04-2017 18:00 − Mittwoch 05-04-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** WordPress Security - Unwanted Redirects via Infected JavaScript Files *** --------------------------------------------- We've been watching a specific WordPress infection for several months and would like to share details about it. The attacks inject malicious JavaScript code into almost every .js file it can find. Previous versions of this malware injected only jquery.js files, but now we remove this code from hundreds of infected files. Due to a bug in the injector code, it also infects files whose extensions contain ".js" (such as .js.php or .json). --------------------------------------------- https://blog.sucuri.net/2017/04/wordpress-security-unwanted-redirects-via-i… *** Encryption inside Utility Industrial Control Systems (ICS) communication protocols: a must to preserve the confidentiality of information and reliability of the industrial process, (Tue, Apr 4th) *** --------------------------------------------- Industrial control systems are sensitive systems that must make decisions in real time to ensure the operation of the industrial process they govern. The latency and reliability in packet transmission is fundamental, since the protocols are connection-oriented but because of the main speed goal, many of them do not have included error recovery schemes other than those included in the TCP / IP stack. Where is it possible to use encryption without affecting the operation of the industrial control... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22260&rss *** Schneider Electric still shipping passwords in firmware *** --------------------------------------------- Youd think a vendor of critical infrastructure would at least pretend to care about security That "dont use hard-coded passwords" infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electrics developers eyes so they dont forget it. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/schneider_i… *** Internetplattform unterstützt Opfer von digitaler Erpressung *** --------------------------------------------- Für Betroffene von digitaler Erpressung ist es besonders wichtig, ihre Dateien schnell und einfach wiederherzustellen. Unter www.nomoreransom.org können verschiedene Entschlüsselungstools nun auch auf Deutsch aufgerufen werden. --------------------------------------------- http://www.bmi.gv.at/cms/bmi/_news/bmi.aspx?id=537A58584930536354666F3D&pag… *** 500.000 US-Dollar Lösegeld: Ransomware-Gangs nehmen Unternehmen aufs Korn *** --------------------------------------------- Sicherheitsforscher haben mindestens acht Gruppen ausgemacht, die sich auf Ransomware-Attacken auf Unternehmen spezialisiert haben. Je nach Anzahl der infizierten PCs und Server steigt das Lösegeld. Summen von bis zu 500.000 US-Dollar sind im Spiel. --------------------------------------------- https://heise.de/-3675612 *** Whitelists: The Holy Grail of Attackers, (Wed, Apr 5th) *** --------------------------------------------- As a defender, take the time to put yourself in the place of a bad guy for a few minutes. Youre writing some malicious code and you need to download payloads from the Internet or hide your code on a website. Once your malicious code spread in the wild, it will be quickly captured by honeypots, IDS, ... (name your best tool) and analysed automatically of manually by the good guys. Their goal of this is to extract abehavioural analysis of the code and generate indicators (IOCs) which will help to... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22262&rss *** Broadcom-Sicherheitslücke: Angriff über den WLAN-Chip *** --------------------------------------------- Googles Project Zero zeigt, wie man ein Smartphone per WLAN übernehmen kann. WLAN-Chips haben heute eigene Betriebssysteme, denen jedoch alle modernen Sicherheitsmechanismen fehlen. --------------------------------------------- https://www.golem.de/news/broadcom-sicherheitsluecke-angriff-ueber-den-wlan… *** Report: 30% of malware is zero-day, missed by legacy antivirus *** --------------------------------------------- At least 30 percent of malware today is new, zero-day malware that is missed by traditional antivirus defenses, according to a new report."Were gathering threat data from hundreds of thousands of customers and network security appliances," said Corey Nachreiner, CTO at WatchGuard Technologies. "We have different types of malware detection services, including a signature and heuristic-based gateway antivirus. What we found was that 30 percent of the malware would have been missed... --------------------------------------------- http://www.cio.com/article/3187734/network-security/report-30-of-malware-is… *** Changes coming to TLS: Part Two *** --------------------------------------------- In the first part of this two-part blog we covered certain performance improving features of TLS 1.3, namely 1-RTT handshakes and 0-RTT session resumption. In this part we shall discuss some security and privacy improvements.Remove Obsolete and insecure cryptographic primitivesRemove RSA HandshakesWhen RSA is used for key establishment there is no forward secrecy, which basically means that an adversary can record the encrypted conversation between the client and the server and later if it is... --------------------------------------------- https://access.redhat.com/blogs/766093/posts/2978671 *** Broadcom: Heap overflow in TDLS Teardown Request while handling Fast Transition IE *** --------------------------------------------- [...] Then, if the IE is present, its contents are copied into a heap-allocated buffer of length 256. The copy is performed using the length field present in the IE, and at a fixed offset from the buffers start address. Since the length of the FTIE is not verified prior to the copy, this allows an attacker to include a large FTIE (e.g., with a length field of 255), causing the memcpy to overflow the heap-allocated buffer. --------------------------------------------- https://bugs.chromium.org/p/project-zero/issues/detail?id=1046 *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security issues have been identified within Citrix XenServer. The most significant of these issues could, if exploited, allow a malicious administrator of a 64-bit PV guest VM to compromise the host. --------------------------------------------- https://support.citrix.com/article/CTX222565 *** Django Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting and Open Redirect Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1038177 *** HPE Business Process Monitor Unspecified Flaw Lets Remote Users Access Data on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1038176 *** Asterisk Buffer Overflow in Processing CDR User Data Lets Remote Authenticated Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1038175 *** Security Advisory - Multiple Buffer Overflow Vulnerabilities in Bastet of Huawei Smart Phone *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170405-… *** Security Advisory - Information Leak Vulnerability in Some Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170405-… *** Schneider Electric Interactive Graphical SCADA System Software *** --------------------------------------------- This advisory contains mitigation details for a DLL hijacking vulnerability in Schneider Electric's Interactive Graphical SCADA System Software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01 *** Marel Food Processing Systems *** --------------------------------------------- This advisory contains mitigation details for hard-coded passwords and unrestricted upload vulnerabilities in Marel's Food Processing Systems. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-094-02 *** Rockwell Automation Allen-Bradley Stratix and Allen-Bradley ArmorStratix *** --------------------------------------------- This advisory contains mitigation details for an improper input validation vulnerability in Rockwell Automation's Allen-Bradley Stratix and ArmorStratix Industrial Ethernet and Distribution switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-094-03 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Opportunity Detect (CVE-2017-5638) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001388 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium is affected by Open Source Oracle MySQL Vulnerability (CVE-2017-3302) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999203 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium is affected by Open Source Oracle MySQL Vulnerabilities (multiple CVEs) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999202 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Database Activity Monitor *** http://www-01.ibm.com/support/docview.wss?uid=swg21999580 --------------------------------------------- *** Fortinet PSIRT Advisories *** --------------------------------------------- *** FortiClient SSLVPN Linux - Root privilege escalation with subproc *** http://fortiguard.com/psirt/FG-IR-16-041 --------------------------------------------- *** FortiClient SSLVPN Linux - Arbitrary write to log file *** http://fortiguard.com/psirt/FG-IR-16-069 --------------------------------------------- *** Multiple vulnerabilities in Linux kernels through 4.6.3 *** http://fortiguard.com/psirt/FG-IR-16-052 --------------------------------------------- *** Unauthenticated XSS (Cross Site Scripting) in FortiMail *** http://fortiguard.com/psirt/FG-IR-17-011 --------------------------------------------- *** Linux kernel - challenge ack information leak *** http://fortiguard.com/psirt/FG-IR-16-047 --------------------------------------------- *** F5 Security Advisories *** --------------------------------------------- *** BIG-IP file validation vulnerability CVE-2015-8022 *** https://support.f5.com/csp/article/K12401251 --------------------------------------------- *** OpenSSL vulnerability CVE-2015-3195 *** https://support.f5.com/csp/article/K12824341 --------------------------------------------- *** OpenSSH vulnerability CVE-2016-6210 *** https://support.f5.com/csp/article/K14845276 --------------------------------------------- *** Expat XML library vulnerability CVE-2015-1283 *** https://support.f5.com/csp/article/K15104541 --------------------------------------------- *** glibc vulnerability CVE-2016-3075 *** https://support.f5.com/csp/article/K15439022 --------------------------------------------- *** libxml2 vulnerability CVE-2016-1834 *** https://support.f5.com/csp/article/K16712298 --------------------------------------------- *** glibc vulnerability CVE-2016-4429 *** https://support.f5.com/csp/article/K17075474 --------------------------------------------- *** TMM vulnerability CVE-2016-5023 *** https://support.f5.com/csp/article/K19784568 --------------------------------------------- *** Linux kernel vulnerability CVE-2013-7446 *** https://support.f5.com/csp/article/K20022580 --------------------------------------------- *** OpenSSH vulnerability CVE-2015-8325 *** https://support.f5.com/csp/article/K20911042 --------------------------------------------- *** NTP vulnerability CVE-2015-7976 *** https://support.f5.com/csp/article/K21230183 --------------------------------------------- *** Linux kernel vulnerability CVE-2011-5321 *** https://support.f5.com/csp/article/K21632201 --------------------------------------------- *** TMM vulnerability CVE-2016-9245 *** https://support.f5.com/csp/article/K22216037 --------------------------------------------- *** glibc vulnerability CVE-2015-8776 *** https://support.f5.com/csp/article/K23946311 --------------------------------------------- *** OpenSSL vulnerability CVE-2016-0800 *** https://support.f5.com/csp/article/K23196136 --------------------------------------------- *** libarchive vulnerability CVE-2016-5844 *** https://support.f5.com/csp/article/K24036027 --------------------------------------------- *** ISC DHCP vulnerability CVE-2016-2774 *** https://support.f5.com/csp/article/K30409575 --------------------------------------------- *** Java commons-collections library vulnerability CVE-2015-4852 *** https://support.f5.com/csp/article/K30518307 --------------------------------------------- *** PHP vulnerability CVE-2016-4070 *** https://support.f5.com/csp/article/K42065024 --------------------------------------------- *** NTP vulnerability CVE-2016-2519 *** https://support.f5.com/csp/article/K41613034 --------------------------------------------- *** GnuPG vulnerability CVE-2013-4402 *** https://support.f5.com/csp/article/K40131068 --------------------------------------------- *** libarchive vulnerability CVE-2016-8688 *** https://support.f5.com/csp/article/K35263486 --------------------------------------------- *** PHP vulnerability CVE-2016-3074 *** https://support.f5.com/csp/article/K34958244 --------------------------------------------- *** OpenSSL vulnerability CVE-2016-7056 *** https://support.f5.com/csp/article/K32743437 --------------------------------------------- *** OpenSSH vulnerability CVE-2016-10009 *** https://support.f5.com/csp/article/K31440025 --------------------------------------------- *** BIG-IP APM access logs vulnerability CVE-2016-1497 *** https://support.f5.com/csp/article/K31925518 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 4-04-2017
by Daily end-of-shift report 04 Apr '17

04 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 03-04-2017 18:00 − Dienstag 04-04-2017 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Lazarus Under The Hood *** --------------------------------------------- Today wed like to share some of our findings, and add something new to whats currently common knowledge about Lazarus Group activities, and their connection to the much talked about February 2016 incident, when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank. --------------------------------------------- http://securelist.com/blog/sas/77908/lazarus-under-the-hood/ *** APT10 - Operation Cloud Hopper *** --------------------------------------------- Written by Adrian Nish and Tom RowlesBACKGROUNDFor many businesses the network now extends to suppliers who provide management of applications, cloud storage, helpdesk, and other functions. With the right integration and service levels Managed Service Providers (MSPs) can become a key enabler for businesses by allowing them to focus on their core mission while suppliers take care of background tasks. However, the network connectivity which exists between MSPs and their customers also provides a... --------------------------------------------- http://baesystemsai.blogspot.com/2017/04/apt10-operation-cloud-hopper_3.html *** WLAN-Lücke: Apple reicht Bugfix-Update für iOS 10.3 nach *** --------------------------------------------- iOS 10.3.1 behebt einen schwerwiegenden Fehler, über den ein Angreifer Code auf dem WLAN-Chip ausführen könnte. Außerdem lassen sich 32-Bit-Versionen nun wieder direkt auf dem Gerät installieren. --------------------------------------------- https://heise.de/-3674340 *** NSO Group: Pegasus-Staatstrojaner für Android entdeckt *** --------------------------------------------- Nach der iOS-Version des Staatstrojaners Pegasus haben Sicherheitsforscher auch eine Version für Android gefunden. Diese nutzt keine Zero-Day-Exploits und kann auch ohne vollständige Infektion Daten übertragen. --------------------------------------------- https://www.golem.de/news/nso-group-pegasus-staatstrojaner-fuer-android-ent… *** Cloudmark kündigt überraschend DANE/TLSA für Mail-Sicherheit an *** --------------------------------------------- Der überraschende Schritt des Internet-Schwergewichts erscheint bedeutsam, weil er die Mail-Sicherheitstechnik stärkt und zugleich als eine deutliche Absage an das Konzept der Certification Authorities gelesen werden kann. --------------------------------------------- https://www.heise.de/newsticker/meldung/Cloudmark-kuendigt-ueberraschend-DA… *** Betriebssystem Tizen für Samsung-Geräte von Sicherheitslücken durchsiebt *** --------------------------------------------- Ein Sicherheitsforscher hat den Code von Samsungs Tizen analysiert und zieht ein desaströses Resümee. Das Betriebssystem dient als Basis für mobile Geräte und Fernseher des Herstellers. --------------------------------------------- https://heise.de/-3674713 *** Kaspersky: Geldautomaten mit 15-US-Dollar-Bastelcomputer leergeräumt *** --------------------------------------------- Am Ende bleibt nur ein golfballgroßes Loch und das Geld ist weg: Kaspersky hat einen neuen Angriff auf Geldautomaten vorgestellt. Bei dem Angriff werden physische Beschädigung und Hacking kombiniert. Betroffen sind weit verbreitete Modelle aus den 90er Jahren. --------------------------------------------- https://www.golem.de/news/kaspersky-geldautomaten-mit-15-us-dollar-bastelco… *** How Hackers Hijacked a Bank's Entire Online Operation *** --------------------------------------------- Researchers at Kaspersky say a Brazilian banks entire online footprint was commandeered in a five-hour heist. --------------------------------------------- https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operatio… *** Workshop on Software Security in industrial area *** --------------------------------------------- May 09, 2017 - 4:00 pm - 6:30 pm Bachmann electronic GmbH Kreuzäckerweg 33 Feldkirch --------------------------------------------- https://www.sba-research.org/events/workshop-on-software-security-in-indust… *** CVE-2017-7228 - x86: broken check in memory_exchange() permits PV guest breakout *** --------------------------------------------- A malicious or buggy 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-212.html *** Bugtraq: The password for the project protection of the Schneider Modicon TM221CE16R is hard-coded and cannot be changed. *** --------------------------------------------- http://www.securityfocus.com/archive/1/540365 *** Bugtraq: OS-S-2017-01: The password for the application protection of the Schneider Modicon TM221CE16R can be retrieved without authentication. Subsequently the application may be arbitrarily downloaded, uploaded and modified. CVSS 10. *** --------------------------------------------- http://www.securityfocus.com/archive/1/540364 *** VU#307983: AMF3 Java implementations are vulnerable to insecure deserialization and XML external entities references *** --------------------------------------------- Vulnerability Note VU#307983 AMF3 Java implementations are vulnerable to insecure deserialization and XML external entities references Original Release date: 04 Apr 2017 | Last revised: 04 Apr 2017 Overview Several Java implementations of AMF3 are vulnerable to insecure deserialization and XML external entities references. Description Several Java implementations of AMF3 are vulnerable to one or more of the following implementation errors:CWE-502: Deserialization of Untrusted DataSome Java... --------------------------------------------- http://www.kb.cert.org/vuls/id/307983 *** DFN-CERT-2017-0569: Google Android Operating System: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0569/ *** DFN-CERT-2017-0571: Red Hat JBoss A-MQ, JBoss Fuse: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0571/ *** Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection *** --------------------------------------------- Topic: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection Risk: High Text:# Exploit Title: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection # Date: 2017-04-02 # Exploit Author: Fluffy Huffy (t... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017040006 *** D-Link DIR 615 HW T1 FW 20.09 Cross-Site Request Forgery *** --------------------------------------------- Topic: D-Link DIR 615 HW T1 FW 20.09 Cross-Site Request Forgery Risk: Medium Text:*Title:* = D-Link DIR 615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability *Credit... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017040008 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9 and IBM BigFix Inventory v9 *** http://www-01.ibm.com/support/docview.wss?uid=swg21999999 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Control Center (CVE-2016-6810) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001326 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow an authenticated user to view incorrect item sets that they should not have access to view (CVE-2016-8987) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996255 --------------------------------------------- *** IBM Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server in Bluemix MQ JCA Resource adapter (CVE-2016-0360) *** http://www.ibm.com/support/docview.wss?uid=swg22000834 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in krb5, giflib and freetype2 affect IBM BladeCenter Advanced Management Module (AMM) and IBM Flex System Chassis Management Module (CMM) *** http://wwwbeta-sso.toronto.ca.ibm.com:81/support/entry2/portal/docdisplay?l… ---------------------------------------------

1 0

Tageszusammenfassung - Montag 3-04-2017
by Daily end-of-shift report 03 Apr '17

03 Apr '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 31-03-2017 18:00 − Montag 03-04-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** EvilEye: Malware kapert Webcam, um Werbung zu personalisieren *** --------------------------------------------- Eine auf "EvilEye" getaufte Spyware sucht per übernommener Webcam nach Produkten des Computernutzers, um ihm gezielt personalisierte Werbung anzuzeigen und daran .. --------------------------------------------- https://heise.de/-3664941 *** Gigabyte Firmware Flaws Allow the Installation of UEFI Ransomware *** --------------------------------------------- Yesterday, at the BlackHat Asia 2017 security conference, researchers from cyber-security firm Cylance disclosed .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gigabyte-firmware-flaws-allo… *** Weitere Lücke in LastPass geschlossen, neue Version verfügbar *** --------------------------------------------- Lastpass hat eine vor wenigen Tagen gefundene Sicherheitslücke in seinen Erweiterungen für diverse Browser geschlossen. Anwender sollten umgehend aktualisieren. --------------------------------------------- https://heise.de/-3672957 *** Vuln: Moodle CVE-2017-7298 Cross Site Scripting Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/97182 *** Angriffswerkzeug Metasploit hackt jetzt auch Zombie-IIS *** --------------------------------------------- Etwa ein Prozent der weltweiten Webserver laufen mit einer verwundbaren Version von Microsofts Internet .. --------------------------------------------- https://heise.de/-3673038 *** Miele Professional PG 8528 Vulnerability *** --------------------------------------------- NCCIC/ICS-CERT is aware of a public report of a directory traversal vulnerability with proof-of-concept .. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-089-01 *** Smart-TV-Hack: Schadcode über DVB-T ermöglicht Übernahme aus der Ferne *** --------------------------------------------- Einem Sicherheitsexperten ist es gelungen, volle Kontrolle über einen Fernseher zu übernehmen, in dem er in das DVB-T-Signal Code einschleuste, der eine Sicherheitslücke in der HbbTV-Applikation des Geräts ausnutzt. --------------------------------------------- https://www.heise.de/newsticker/meldung/Smart-TV-Hack-Schadcode-ueber-DVB-T… *** Tech support scams persist with increasingly crafty techniques *** --------------------------------------------- Millions of users continue to encounter technical support scams. Data from Windows Defender SmartScreen (which is used .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/04/03/tech-support-scams-pers… *** IBM Security Bulletin:Open Source Apache Poi Vulnerability in IBM eDiscovery Manager *** --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg21992041 *** IBM Security Bulletin:Open Source Apache Tomcat,Commons FileUpload Vulnerabilities affects WebSphere App Server in IBM eDiscovery Manager *** --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg21991962 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect PowerKVM *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1024915 *** IBM Security Bulletin: Persistent cross-site scripting vulnerability in IBM Business Process Manager (CVE-2017-1140) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21999133 *** IBM Security Bulletin: Vulnerabilities in BIND affect Power Hardware Management Console *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1021837 *** IBM Security Bulletin: Vulnerabilities in the Linux Kernel affect PowerKVM *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1024825 *** Skype: Bösartige Werbung verteilt Fake-Flash-Update *** --------------------------------------------- Anwender berichten davon, in Skype Werbebanner untergeschoben bekommen zu haben, die beim Klick ein gefälschtes Flash-Update herunterladen. Dabei handelt es sich um Schadcode. --------------------------------------------- https://heise.de/-3674229 *** Cryptowars: Ahnungslose EU-Kommissarin redet über Whatsapp-Daten *** --------------------------------------------- EU-Justizkommissarin Vera Jourová will der Polizei ermöglichen, leichter Zugang zu Daten von Internetdienstleistern .. --------------------------------------------- https://www.golem.de/news/cryptowars-ahnungslose-eu-kommissarin-redet-ueber…

1 0

Tageszusammenfassung - Freitag 31-03-2017
by Daily end-of-shift report 31 Mar '17

31 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 30-03-2017 18:00 − Freitag 31-03-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22000768 *** IBM Security Bulletin: IBM Cognos Analytics is affected by multiple vulnerabilities *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21998887 *** Spotting a Hidden SEO Hack: “Play One” *** --------------------------------------------- SEO hacks continue to plague websites as attackers abuse SERP rankings for their own gain. The time and effort spent by the website owner creating content, optimizing pages and building .. --------------------------------------------- https://blog.sucuri.net/2017/03/spotting-a-hidden-seo-hack-play-one.html *** Schneider Electric Modicon PLCs *** --------------------------------------------- This advisory contains mitigation details predictable value range from previous values, use of insufficiently random values, and insufficiently protected credentials vulnerabilities in Schneider Electrics Modicon PLCs. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02 *** Researchers steal data from shared cache of two cloud VMs *** --------------------------------------------- All of a sudden dedicated instances are looking a lot better than multi-tenancy A group of researchers, one .. --------------------------------------------- www.theregister.co.uk/2017/03/31/researchers_steal_data_from_shared_cache_o… *** Novell: Sentinel 8.0 SP1 (Sentinel 8.0.1.0) Build 3512 *** --------------------------------------------- https://download.novell.com/Download?buildid=M7_yJE9WOXE~ *** Celebrate World Backup Day the Smarter Way *** --------------------------------------------- In an effort to help the community be more cyber aware, WorldBackupDay.com celebrates on March 31st .. --------------------------------------------- https://www.webroot.com/blog/2017/03/31/celebrate-world-backup-day-smarter-… *** Samsung Galaxy S8s Facial Unlocking Feature Can Be Fooled With A Photo *** --------------------------------------------- All users need to do is simply hold their Galaxy S8 or S8 Plus in front of their eyes or their entire .. --------------------------------------------- http://thehackernews.com/2017/03/samsung-galaxy-s8-facial-unlocking.html *** Studie: TK-Infrastruktur hoffnungslos unsicher – Verschlüsselung Fehlanzeige *** --------------------------------------------- Der amerikanische Pendant zur Bundesnetzagentur hat die Sicherheit des für die Telekommunikations-Infrastruktur unverzichtbaren SS7-Protokolls untersucht. Die Bilanz ist haarsträubend; die Arbeitsgruppe empfiehlt Ende-zu-Ende-Verschlüsselung. --------------------------------------------- https://heise.de/-3671794 *** l+f: Flash für eine Handvoll Dollar *** --------------------------------------------- FedEx Office macht seinen Kunden ein unmoralisches Angebot. --------------------------------------------- https://heise.de/-3672139 *** Pornhub und Youporn stellen auf https um *** --------------------------------------------- Die beiden Pornoseiten wollen ihren Nutzern mehr Datenschutz ermöglichen --------------------------------------------- http://derstandard.at/2000055192256

1 0

Tageszusammenfassung - Donnerstag 30-03-2017
by Daily end-of-shift report 30 Mar '17

30 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 29-03-2017 18:00 − Donnerstag 30-03-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Tech support scammers and their banking woes *** --------------------------------------------- We all know about tech support scams by this point. Unfortunately for the scammers, banks know this as well, making it quite difficult at times to maintain an account to store the criminal's ill-gotten gains. So how does the enterprising criminal cash out with your money? Let's take a look. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/03/tech-support-scammers-and-… *** Security Advisory - Exposed System Interface Vulnerability on Huawei Smart Phones *** --------------------------------------------- There is a exposed system interface vulnerability on smart phones. The software provides a system interface for interaction with external applications, but calling the interface is not properly restricted. An attacker could trick the user into installing a malicious application to call the interface and modify the system properties. CVE-2017-2735 --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170329-… *** Widespread Email Scam Targets Github Developers with Dimnie Trojan *** --------------------------------------------- Open source developers who use the popular code-sharing site GitHub were put on alert after the discovery of a phishing email campaign that attempts to infect their computers with an advanced malware trojan. Dubbed Dimnie, the reconnaissance and espionage trojan has the ability to harvest credentials, download sensitive files, take screenshots, log keystrokes on 32-bit and 64-bit ... --------------------------------------------- http://thehackernews.com/2017/03/github-email-scam.html *** Vuln: EMC Isilon OneFS CVE-2017-4980 Directory Traversal Vulnerability *** --------------------------------------------- EMC Isilon OneFS is prone to a directory-traversal vulnerability. A remote attacker could exploit the vulnerability using directory-traversal characters ('../') to access arbitrary files that contain sensitive information. --------------------------------------------- http://www.securityfocus.com/bid/97222 *** [SANS ISC] Diverting built-in features for the bad *** --------------------------------------------- I published the following diary on isc.sans.org: 'Diverting built-in features for the bad'. Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small Javascript sample with only 2 lines of code --------------------------------------------- https://blog.rootshell.be/2017/03/30/sans-isc-diverting-built-features-bad/ *** Trend Micro InterScan Web Security Virtual Appliance Unspecified Flaws Let Remote Users Execute Arbitrary Code on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1038161 *** Mirai-Botnetz lernt neue Tricks *** --------------------------------------------- Das IoT-Botnetz Mirai beherrscht neuerdings auch DDoS-Angriffe auf dem Application Layer. Diese sind schwer zu entdecken und damit auch relativ schwer abzuwehren. --------------------------------------------- https://heise.de/-3670226 *** Hashfunktion: Der schwierige Abschied von SHA-1 *** --------------------------------------------- Die Hashfunktion SHA-1 ist seit kurzem endgültig gebrochen. Doch an vielen Stellen ist SHA-1 noch im Einsatz. Beispielsweise in Git, in Bittorrent und - was manche überraschen wird - auch in TLS. (SHA-1, Google) --------------------------------------------- https://www.golem.de/news/hashfunktion-der-schwierige-abschied-von-sha-1-17… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM Algo One - Algo Risk Application (ARA) could allow retrieval of restricted files *** http://www.ibm.com/support/docview.wss?uid=swg21999892 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale packaged the Elastic Storage Server and the GPFS Storage Server *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010042 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in the GSKit component of Tivoli Netcool/OMNIbus (CVE-2016-2183) *** https://www-01.ibm.com/support/docview.wss?uid=swg22001105 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Monitoring Basic Services component. (CVE-2012-6702, CVE-2016-5300) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998701 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Expat affect Intel (R) Manycore Platform Software Stack (MPSS) for Linux and Windows *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5… --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Document Manager Privilege Escalation (CVE-2017-1180) *** http://www.ibm.com/support/docview.wss?uid=swg22001084 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities have been identified in data server connection and product integration shipped with InfoSphere Optim Query Workload Tuner [for LUW, z/OS *** http://www.ibm.com/support/docview.wss?uid=swg22000601 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Content Manager Enterprise Edition *** http://www.ibm.com/support/docview.wss?uid=swg22000398 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM WebSphere MQ and IBM MQ Appliance (CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000904 --------------------------------------------- *** IBM Security Bulletin: IBM Disposal and Governance Management for IT and IBM Global Retention Policy and Schedule Management vulnerable to cross-site request forgery (CSRF) *** http://www.ibm.com/support/docview.wss?uid=swg22000771 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 29-03-2017
by Daily end-of-shift report 29 Mar '17

29 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 28-03-2017 18:00 − Mittwoch 29-03-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** World Backup Day is as good as any to back up your data *** --------------------------------------------- In today’s security landscape, there are more threats to data than ever before. Beyond corruption caused by hardware or human failure, malware and cyberattacks can put data in serious danger. That’s why it’s .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/03/28/world-backup-day-is-as-… *** Siemens RUGGEDCOM ROX I *** --------------------------------------------- This advisory contains mitigation details for improper authorization, cross-site scripting, and cross-site request forgery vulnerabilities in the Siemens RUGGEDCOM ROX I. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-087-01 *** 3S-Smart Software Solutions GmbH CODESYS Web Server *** --------------------------------------------- This advisory contains mitigation details for arbitrary file upload and stack buffer overflow vulnerabilities in the 3S-Smart Software Solutions GmbH CODESYS Web Server. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-087-02 *** FBI warns of attacks on anonymous FTP servers *** --------------------------------------------- The FBI warns that attackers are targeting vulnerable FTP servers used by small medical and dental .. --------------------------------------------- http://www.cio.com/article/3185882/security/fbi-warns-of-attacks-on-anonymo… *** About the security content of iCloud for Windows 6.2 *** --------------------------------------------- https://support.apple.com/en-us/HT207607 *** Ransomware: Scammer erpressen Besucher von Pornoseiten *** --------------------------------------------- Über einen Fehler in Apples Safari für iPhone blockieren Unbekannte den Browser mit einem immer .. --------------------------------------------- https://www.golem.de/news/ransomware-scammer-erpressen-besucher-von-porno-s… *** Benutzt hier jemand JSON Encryption?If you are using ... *** --------------------------------------------- Benutzt hier jemand JSON Encryption?If you are using go-jose, node-jose, jose2go, Nimbus JOSE+JWT or jose4 with ECDH-ES please update to the latest version. RFC 7516 aka JSON Web .. --------------------------------------------- http://blog.fefe.de/?ts=a6254421 *** Vuln: ImageMagick Incomplete Fix CVE-2017-7275 Memory Corruption Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/97166 *** "Cyber-Angriff" im Bundestag: Anscheinend eine gewöhnliche Malvertising-Kampagne *** --------------------------------------------- Deutsche Medien berichten von einem erneuten Hackerangriff auf den Bundestag. Dabei scheint es sich um Abgeordnete zu handeln, die Opfer von verseuchter Werbung auf der Webseite einer israelischen Zeitung geworden sind. Infektionen gab es keine. --------------------------------------------- https://heise.de/-3668761 *** Escaping a Python sandbox with a memory corruption bug *** --------------------------------------------- https://medium.com/@gabecpike/python-sandbox-escape-via-a-memory-corruption… *** DFN-CERT-2017-0543: AppArmor: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- Ein entfernter, nicht authentisierter Angreifer kann eine speziell präparierte Anwendung uneingeschränkt auf einem betroffenen System einsetzen, da über AppArmor .. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0543/ *** Ausbruch aus der VM: VMware schließt kritische Pwn2Own-Lücken *** --------------------------------------------- VMware hat Sicherheitslücken in VMware Workstation, Fusion und ESXi geschlossen, mit deren Hilfe Sicherheitsforscher beim Pwn2Own-Wettbewerb aus virtuellen Maschinen ausgebrochen und das Host-System gekapert hatten. --------------------------------------------- https://heise.de/-3669902 *** PMASA-2017-8 *** --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2017-8/ *** Ebury-Rootkit: Russischer Hacker bekennt sich schuldig *** --------------------------------------------- Ein russsischer Staatsbürger hat in den USA seine Beteiligung am Auf- und Ausbau des Ebury-Botnetzes eingestanden. Ebury befällt vor allem Linux-Server und greift SSH-Logins ab. --------------------------------------------- https://heise.de/-3669617 *** Browser-Plug-in Crusader injiziert falsche Support-Telefonnummern in Webseiten *** --------------------------------------------- Eine neue Schadcode-Variante integriert sich in den Browser und tauscht Suchergebnisse aus. Dadurch kann der Anwender auf Affiliate-Seiten umgelenkt werden. Außerdem ist es möglich, ihm falsche Support-Telefonnummern unterzuschieben. --------------------------------------------- https://heise.de/-3670102 *** GitHub Users Targeted with Dimnie Trojan *** --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-users-targeted-with-d…

1 0

Tageszusammenfassung - Dienstag 28-03-2017
by Daily end-of-shift report 28 Mar '17

28 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 27-03-2017 18:00 − Dienstag 28-03-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Bugtraq: APPLE-SA-2017-03-27-1 Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac; Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS *** --------------------------------------------- http://www.securityfocus.com/archive/1/540325 *** APT29 Used Domain Fronting, Tor to Execute Backdoor *** --------------------------------------------- APT29, a/k/a Cozy Bear, has used Tor and a technique called domain fronting in order to secure backdoor access to targets for nearly two years running. --------------------------------------------- http://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/12… *** New Clues Surface on Shamoon 2’s Destructive Behavior *** --------------------------------------------- Researchers report new connections between Magic Hound and Shamoon 2, along with descriptions of how the Disttrack malware component of campaigns moves laterally within infected networks. --------------------------------------------- http://threatpost.com/new-clues-surface-on-shamoon-2s-destructive-behavior/… *** Vuln: GnuTLS GNUTLS-SA-2017-3 Multiple Security Vulnerabilities *** --------------------------------------------- GnuTLS GNUTLS-SA-2017-3 Multiple Security Vulnerabilities --------------------------------------------- http://www.securityfocus.com/bid/97040 *** Neue Sicherheitslücke im Passwort-Manager LastPass *** --------------------------------------------- Bereits zum zweiten Mal innerhalb kurzer Zeit ist der populäre Passwort-Manager mit einer Schwachstelle konfrontiert. --------------------------------------------- https://futurezone.at/produkte/neue-sicherheitsluecke-im-passwort-manager-l… *** Symantec API Flaws reportedly let attackers steal Private SSL Keys and Certificates *** --------------------------------------------- A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers to deliver and manage Symantec SSL .. --------------------------------------------- https://thehackernews.com/2017/03/symantec-ssl-certificates.html *** Threat Landscape for Industrial Automation Systems, H2 2016 *** --------------------------------------------- On average, in the second half of 2016 Kaspersky Lab products across the globe blocked attempted attacks on 39.2% of protected computers that Kaspersky Lab ICS CERT classifies as being part of industrial enterprise technology infrastructure. --------------------------------------------- http://securelist.com/analysis/publications/77842/threat-landscape-for-indu… *** From DDoS to Server Ransomware: APACHE STRUTS 2 - CVE-2017-5638 Campaign *** --------------------------------------------- As soon as a zero-day remote code execution vulnerability is disclosed, it is common to see many scans in the wild. Some of these scans are researchers, but many of .. --------------------------------------------- https://f5.com/labs/articles/threat-intelligence/malware/from-ddos-to-serve… *** This book reads you - using JavaScript *** --------------------------------------------- Apple just released a fix for one issue I reported last year in iBooks that allowed access to files on a users system when a book was opened. iBooks on El Capitan would .. --------------------------------------------- https://s1gnalcha0s.github.io/ibooks/epub/2017/03/27/This-book-reads-you-us… *** Gefahr durch Exploit für Zombie-IIS *** --------------------------------------------- Microsofts Internet Information Services 6.0 sind eigentlich Alteisen, für das es nicht einmal Sicherheits-Updates gibt. Trotzdem gibt es noch über 30.000 allein in Deutschland. Und die sind durch einen öffentlich bekannten Exploit akut bedroht. --------------------------------------------- https://heise.de/-3666599 *** Verschlüsselung: Schwachstellen in zahlreichen VoIP-Anwendungen entdeckt *** --------------------------------------------- Das ZRT-Protokoll soll für sichere Verbindungen und verschlüsselte VoIP-Telefonate sorgen. Forscher haben Schwachstellen in zahlreichen ZRTP-Anwendungen .. --------------------------------------------- https://www.golem.de/news/verschluesselung-schwachstellen-in-zahlreichen-vo… *** IronWASP – Part 1 *** --------------------------------------------- Considering not all vulnerability scanners are open source, a great deal of them are available such as: IronWASP OpenVAS Retina CS Community W3af Grabber, etc. In this article, we shall be discussing more about IronWASP. --------------------------------------------- http://resources.infosecinstitute.com/ironwasp-part-1-2/ *** Docs.com-Nutzer teilen Kennwörter und vieles mehr mit der Welt *** --------------------------------------------- Über Microsofts Dienst Docs.com lassen sich Dokumente teilen. Allerdings sind diese oft öffentlich einsehbar. Viele Anwender scheinen sich dem nicht bewusst zu sein – zu einfach finden sich Informationen wie Kennwörter. --------------------------------------------- https://heise.de/-3665975 *** Apache / ModSecurity Tutorials *** --------------------------------------------- This is a series of Apache web server tutorials that will span from the basics to advanced topics like ModSecurity and logfile visualization. --------------------------------------------- https://www.netnea.com/cms/apache-tutorials/ *** Xen Security Advisory XSA-206 - xenstore denial of service via repeated update *** --------------------------------------------- Unprivileged guests may be able to stall progress of the control domain or driver domain, possibly leading to .. --------------------------------------------- http://xenbits.xen.org/xsa/advisory-206.txt *** With iOS 10.3, iDevices get new Apple File System with native encryption support *** --------------------------------------------- On Monday, Apple released updates for its various products. As usual, they fix flaws and add capabilities, but the iOS update (v10.3) is more noteworthy than usual, .. --------------------------------------------- https://www.helpnetsecurity.com/2017/03/28/apple-file-system-encryption/ *** Ransomware: Scammer erpressen Besucher von Porno-Seiten *** --------------------------------------------- Über einen Fehler in Apples Safari für iPhone blockieren Unbekannte den Browser mit einem immer wiederkehrenden Javascript-Popup. Darin werden Nutzer aufgefordert, Lösegeld zu zahlen. Mit einem einfachen Trick lässt sich der Falle aber entgehen. --------------------------------------------- https://www.golem.de/news/ransomware-scammer-erpressen-besucher-von-porno-s…

1 0

Tageszusammenfassung - Montag 27-03-2017
by Daily end-of-shift report 27 Mar '17

27 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 24-03-2017 18:00 − Montag 27-03-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** SAP NetWeaver J2EE Platform Security *** --------------------------------------------- In the previous article, we discussed SAP NetWeaver ABAP Platform and its vulnerabilities. Today's topic is the J2EE platform, its architecture, vulnerabilities, and the latest trends in its cyber security. --------------------------------------------- http://resources.infosecinstitute.com/sap-netweaver-j2ee-platform-security/ *** [Update] Ungepatchte SAP-Systeme angreifbar für Remote Code Execution *** --------------------------------------------- Wenn die im Rahmen des SAP Security Patch Day im März 2017 veröffentlichten Patches nicht umgehend eingespielt werden, droht die Kompromittierung zentraler Datenbestände, warnen SAP-Kenner. --------------------------------------------- https://heise.de/-3664479 *** Amazon-Phishingmail: Rechnung über Ihre Verkäufergebühren *** --------------------------------------------- In einer angeblichen Nachricht von "Europe Amazon" erhalten Kund/innen die Information, dass ihr "Duplikat der elektronisch erzeugten Steuerrechnung" verfügbar sei. Sie können es in einem beigefügten Dokument, das den Login-Bereich von Amazon imitiert, herunterladen. Es handelt sich um einen Phishingversuch. --------------------------------------------- https://www.watchlist-internet.at/phishing/amazon-phishingmail-rechnung-ueb… *** Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005 *** --------------------------------------------- On March 14, 2017, Microsoft released security bulletin MS17-013 to address CVE-2017-0005, a vulnerability in the Windows Win32k component that could potentially allow elevation of privileges. A report from a trusted partner identified a zero-day exploit for this vulnerability. The exploit targeted older versions of Windows and allowed attackers to elevate process privileges on these platforms. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigatin… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Dashboard Framework *** http://www-01.ibm.com/support/docview.wss?uid=swg22000663 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Web Experience Factory *** http://www-01.ibm.com/support/docview.wss?uid=swg22000643 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition *** http://www.ibm.com/support/docview.wss?uid=swg22000871 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in zlib affect IBM Sterling Connect:Direct for Microsoft Windows (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) *** http://www.ibm.com/support/docview.wss?uid=swg22000608 --------------------------------------------- *** IBM Security Bulletin: Privilege Escalation vulnerability affects Cognos Business Intelligence (CVE-2016-8960) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993718 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects LCM8 & LCM16 KVM Switch Firmware and GCM16 & GCM32 KVM Switch Firmware (CVE-2016-8610) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in SSH affect IBM DataPower Gateways (CVE-2016-10009, CVE-2016-10012) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000413&myns=swgws&mynp=O… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH and OpenSSL affect GPFS for Windows V3.5 *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024968 --------------------------------------------- *** IBM Security Bulletin: IBM Sterling Selling and Fulfillment Foundation is affected by Cross Site Scripting (XSS) Vulnerability (CVE-2016-8917) *** http://www.ibm.com/support/docview.wss?uid=swg22000943 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology *** https://www.ibm.com/support/docview.wss?uid=swg22000784 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in GSKit affects IBM Sterling Connect:Direct for UNIX (CVE-2016-2183) *** https://www-01.ibm.com/support/docview.wss?uid=swg22000927 --------------------------------------------- *** IBM Security Bulletin: Fix Available for IBM iNotes Cross-site Scripting Vulnerability (CVE-2016-9990) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998824 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 24-03-2017
by Daily end-of-shift report 24 Mar '17

24 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 23-03-2017 18:00 − Freitag 24-03-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** TROOPERS 2017 Day #4 Wrap-Up *** --------------------------------------------- I'm just back from Heidelberg so here is the last wrap-up for the TROOPERS 2017 edition. --------------------------------------------- https://blog.rootshell.be/2017/03/23/troopers-2017-day-4-wrap/ *** Google slaps Symantec for sloppy certs, slow show of SNAFUs *** --------------------------------------------- Certs will keep working, but Chrome will be suspicious, soon Googles Chrome development team has posted a stinging criticism of Symantecs certificate-issuance practices, saying it has lost confidence in the companys practices and therefore in the safety of sessions hopefully-secured by Symantec-issued certificates. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/03/24/google_slap… *** Referrer spoofing with iframe injection *** --------------------------------------------- Last year we've been playing with a very simple method to spoof the referrer on Edge, which allowed us of course to spoof the referrer and -as a bonus- other neat things like bypass the XSS filter. Today I found out that it was patched, so I decided to give it a try and find a way around the patch. Honestly I don't feel it's a bypass but clearly a variation. From a practical point of view, it works again and bypasses the patch... --------------------------------------------- https://www.brokenbrowser.com/referer-spoofing-patch-bypass/ *** VMSA-2017-0004.6 *** --------------------------------------------- VMware product updates resolve remote code execution vulnerability via Apache Struts 2 --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0004.html *** Betrugsnetzwerk: Kinox.to-Nutzern Abofallen andrehen *** --------------------------------------------- Eine Betrugskampagne nutzt Sicherheitslücken im Stock-Browser von Android aus, um Nutzern Abofallen und Premiumdienste zuzuschieben. Die Betrüger bauen gefälschte Webshops auf, um legitim zu erscheinen. (Abofallen, Server) --------------------------------------------- https://www.golem.de/news/betrugsnetzwerk-mit-fake-webshops-kinox-to-nutzer… *** DFN-CERT-2017-0524/">F5 Networks BIG-IP Protocol Security Module (PSM): Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff *** --------------------------------------------- Ein entfernter, nicht authentisierter Angreifer kann eine Schwachstelle im Traffic Management Microkernel (TMM) auf BIG-IP-Systemen durch die Versendung präparierten Netzwerkverkehrs für einen Denial-of-Service (DoS)-Angriff ausnutzen. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0524/ *** Erpressung durch iCloud-Fernlöschung: Wie Sie Ihr iPhone schützen *** --------------------------------------------- Unbekannte drohen damit, wahllos iPhones zu löschen - wenn Apple nicht zahlt. Die Angreifer sind offenbar in Besitz von iCloud-Zugangsdaten. Mac & i erklärt, wie man sich gegen einen derartigen Angriff wappnen kann. --------------------------------------------- https://heise.de/-3663802 *** LCDS - Leão Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA *** --------------------------------------------- This advisory contains mitigation details for a path traversal vulnerability in the LCDS - Leão Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-082-01 *** BD Kiestra PerformA and KLA Journal Service Applications Hard-Coded Passwords Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a hard-coded password vulnerability in the Becton, Dickinson and Company (BD) Kiestra PerformA and KLA Journal Service applications that access the BD Kiestra Database. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-082-01 *** Vuln: libpcre Multiple Security Vulnerabilities *** --------------------------------------------- libpcre is prone to the following multiple security vulnerabilities: 1. A denial-of-service vulnerability 2. Multiple stack-based buffer-overflow vulnerabilities Attackers can exploit these issues to run arbitrary code within the context of the affected application. Failed exploit attempts may result in denial-of-service conditions. libpcre1 in PCRE 8.40 is vulnerable; other versions may also be affected. --------------------------------------------- http://www.securityfocus.com/bid/97067 *** DFN-CERT-2017-0526/">F5 Networks BIG-IP Protocol Security Module (PSM): Eine Schwachstelle ermöglicht das Ausspähen von Informationen *** --------------------------------------------- Ein lokaler, einfach authentisierter Angreifer mit erweiterten Privilegien kann sensitive Daten ausspähen, die seit dem letzten Neustart betroffener Geräte angefallen sind. Dazu gehören beispielsweise die Passwörter zu kürzlich erstellten Benutzerkonten. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0526/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in NTP affect Power Hardware Management Console *** http://www.ibm.com/support/docview.wss?uid=nas8N1021868 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities CVE-2016-5636 and CVE-2016-5699 in Python affect IBM i *** http://www.ibm.com/support/docview.wss?uid=nas8N1021926 --------------------------------------------- *** IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2017-1120) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000152 --------------------------------------------- *** IBM Security Bulletin: A cross-site scripting vulnerablity has been addressed in IBM Kenexa LMS on Cloud 5.1 *** http://www.ibm.com/support/docview.wss?uid=swg21999483 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilties have been addressed in LCMS Premier on Cloud 11.0 *** http://www.ibm.com/support/docview.wss?uid=swg21998874 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect LCM8 & LCM16 KVM Switch Firmware and GCM16 & GCM32 KVM Switch Firmware *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5… ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 23-03-2017
by Daily end-of-shift report 23 Mar '17

23 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 22-03-2017 18:00 − Donnerstag 23-03-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Google: Die Hälfte aller Android-Geräte erhält unsere Sicherheitspakete nicht *** --------------------------------------------- Google macht Fortschritte im Kampf gegen Malware im Play Store, muss aber eingestehen, dass mehr als eine halbe Milliarde Android-Geräte die regelmäßigen Sicherheitsupdates der Firma nicht erhält. Viele dieser Geräte haben eklatante Sicherheitslücken. --------------------------------------------- https://heise.de/-3662665 *** AIX for Penetration Testers *** --------------------------------------------- This was my first encounter with privilege escalation on AIX and I was pretty surprised by how little information I found online on enumerating AIX systems. ... It took me a little time going through various AIX system administration guides and command cheatsheets (links at the bottom of the post) and putting together a list of various post-exploitation techniques to use on the box. I decided to put this blog-post up with the hope that it will one day help another clueless pentester/red teamer. --------------------------------------------- https://thevivi.net/2017/03/19/aix-for-penetration-testers/ *** Avatar Rootkit: Decryption of the Key and Data *** --------------------------------------------- In this second article on the dropper, we will resume our analysis right where we left off: the decryption of the key and data. After the decryption, two structures are initialized. The equivalent pseudo-code is presented below. --------------------------------------------- http://resources.infosecinstitute.com/avatar-rootkit-dropper-analysis-part-… *** [R1] LCE 5.0.1 Fixes Two Third-party Library Vulnerabilities *** --------------------------------------------- Log Correlation Engine (LCE) 5.0.0 is impacted by multiple vulnerabilities reported in a third-party library and an encryption algorithm. LCE was errantly using 3DES on TCP port 1243. --------------------------------------------- http://www.tenable.com/security/tns-2017-09 *** Vuln: libavcodec CVE-2017-7206 Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/97006 *** VMware AirWatch Input Validation Flaw in Shared Filenames Lets Remote Authenticated Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1038116 *** Security Advisory - Bluetooth Unlock Bypassing Vulnerability in Some Huawei Mobile Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170323-… *** DFN-CERT-2017-0508/">Apple iTunes: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0508/ *** Vuln: NfSen CVE-2017-6972 Unspecified Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/97016 *** DFN-CERT-2017-0506/">NTP: Mehrere Schwachstellen ermöglichen u.a. die Auführung beliebigen Programmcodes mit den Rechten des Dienstes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0506/ *** DFN-CERT-2017-0518/">Samba: Eine Schwachstelle ermöglicht das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0518/ *** DFN-CERT-2017-0515/">Git: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0515/ *** DFN-CERT-2017-0520/">BIG-IP Protocol Security Module (PSM): Eine Schwachstelle ermöglicht einen Denial-of-Service Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0520/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Application Privilege Escalation (CVE-2017-1153) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999563 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology *** http://www.ibm.com/support/docview.wss?uid=swg21999820 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ and IBM MQ Appliance *** http://www.ibm.com/support/docview.wss?uid=swg22000304 --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Application Platform Cross-Site Scripting (XSS) (CVE-2016-9737) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996200 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Mozilla Network Security Services (NSS) affect IBM MQ Appliance (CVE-2016-2834, CVE-2016-5285, CVE-2016-8635) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996836 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Storage FlashCopy Manager Unix (CVE-2016-6303, CVE-2016-2182, CVE-2016-2177, CVE-2016-2183, CVE-2016-6309, CVE-2016-7052, CVE-2016-2178, CVE-2016-6306) *** http://www.ibm.com/support/docview.wss?uid=swg22000209 --------------------------------------------- *** IBM Security Bulletin: IBM Jazz for Service Management (Jazz SM) is affected by a code execution vulnerability in IBM Tivoli Common Reporting (TCR) (CVE-2016-5983) *** http://www.ibm.com/support/docview.wss?uid=swg22000719 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 22-03-2017
by Daily end-of-shift report 22 Mar '17

22 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 21-03-2017 18:00 − Mittwoch 22-03-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Cybellum verkauft Autostart-Funktion als Zero-Day *** --------------------------------------------- Mit kräftigen Worten, einem eigenen Namen und Logo und dem Prädikat "Zero-Day" stellt Cybellum eine Technik vor, mit der sich Malware in einem Windows-System verankern lässt -- nachdem es bereits die Kontrolle übernommen hat. --------------------------------------------- https://heise.de/-3662090 *** QNAP Storage Devices Multiple Flaws Let Remote Users Inject SQL Commands, Steal Cookies, Conduct Cross-Site Scripting and Clickjacking Attacks, Obtain Potentially Sensitive Informaiton, and Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1038091 *** Vuln: Malware Information Sharing Platform CVE-2017-7215 Multiple Cross Site Scripting Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/96997 *** Vuln: Rockwell Automation FactoryTalk Activation CVE-2017-6015 Local Privilege Escalation Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96996 *** Security Advisory - Information Leak Vulnerability in Huawei Hilink APP *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170322-… *** Security Advisory - Phone Finder Bypass Vulnerability in Some Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170322-… *** Phishingversuch bei der FH Oberösterreich *** --------------------------------------------- In einer gefälschten FH OOE IT-SERVICE DESK-Nachricht heißt es, dass Empfänger/innen ihr Webmail-Konto bestätigen müssen. Dazu sollen sie eine Website aufrufen und ihre Zugangsdaten bekannt geben. Es handelt sich um einen Phishingversuch. Wer der Aufforderung nachkommt, übermittelt Kriminellen die Zugangsdaten des FH OÖ-Webmailkontos. --------------------------------------------- https://www.watchlist-internet.at/phishing/phishingversuch-bei-der-fh-obero… *** Avatar Rootkit: Dropper Analysis Part 2 *** --------------------------------------------- In this second article on the dropper, we will resume our analysis right where we left off: the decryption of the key and data. After the decryption, two structures are initialized. The equivalent pseudo-code is presented below. --------------------------------------------- http://resources.infosecinstitute.com/avatar-rootkit-dropper-analysis-part-… *** Security Advisory - Sixteen OpenSSL Vulnerabilities on Some Huawei products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170322-… *** Intermediate Mitigation Measures May be Required for Apache Struts Vulnerabilities *** --------------------------------------------- The general consensus among InfoSec professionals is to patch critical vulnerabilities such as Apache Struts as soon as a patch is made available by the vendor. So why mightn't your company simply patch Apache Struts and go on your merry way? Not all events can be remediated immediately. Very often, intermediate mitigation measures must be taken to lower the risk of exploit and protect assets very quickly. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/intermediate-mitigatio… *** Passwortklau-Lücke in Lastpass geschlossen (oder auch nicht) *** --------------------------------------------- Eine Sicherheitslücke im Passwort-Manager Lastpass erlaubt das Auslesen von Passwörtern. Unter Umständen kann der Angreifer auch Code ausführen. Es gibt Berichte, dass der Fix von Lasspass die Lücke bisher nicht erfolgreich geschlossen hat. --------------------------------------------- https://heise.de/-3661616 *** Code Execution Vulnerability Found in Libpurple IM Library *** --------------------------------------------- A severe vulnerability has been disclosed in libpurple, the library used in the development of a number of popular instant messaging clients, including Pidgin and Adium for the macOS platform. Adium 1.5.10.2 is vulnerable and can be exploited to run arbitrary code remotely. ... Pidgin has been patched in version 2.12.0. --------------------------------------------- https://threatpost.com/code-execution-vulnerability-found-in-libpurple-im-l… *** Vuln: D-Link DIR-600M CVE-2017-5874 Cross Site Request Forgery Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96999 *** Apple-Erpressung: Hacker drohen angeblich mit Fernlöschung von iPhones *** --------------------------------------------- Das Ändern der PIN aus der Ferne ist bei iPhone und iPad allerdings nur möglich, wenn der Nutzer keine Code-Sperre für sein Gerät eingerichtet hat - die Aktivierung der Code-Sperre ist auch deshalb dringend zu empfehlen. Um den Zugriff auf die eigenen iCloud-Daten besser zu schützen, sollte Apples Zwei-Faktor-Authentifizierung aktiviert werden. Die Sicherheitsfunktion hilft allerdings nicht gegen das Fernsperren und Fernlöschen... --------------------------------------------- https://www.heise.de/mac-and-i/meldung/Apple-Erpressung-Hacker-drohen-angeb… *** SAP Vulnerability Puts Business Data at Risk for Thousands of Companies *** --------------------------------------------- Researchers at ERPScan today disclosed details and a proof-of-concept exploit for a SAP GUI remote code execution vulnerability patched last week. --------------------------------------------- http://threatpost.com/sap-vulnerability-puts-business-data-at-risk-for-thou… *** Cisco Security Advisories *** --------------------------------------------- *** Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XE Software for Cisco ASR 920 Series Routers Zero Touch Provisioning Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XE Software HTTP Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XE Software Web User Interface Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS and IOS XE Software Layer 2 Tunneling Protocol Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOx Data in Motion Stack Overflow Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Application-Hosting Framework Directory Traversal Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Application-Hosting Framework Arbitrary File Creation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-6056) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010022 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for HP NonStop (CVE-2016-7055, CVE-2017-3732) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000456 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access *** http://www.ibm.com/support/docview.wss?uid=swg21999797 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities CVE-2016-0736, CVE-2016-2161 and CVE-2016-8743 in IBM i HTTP Server *** http://www.ibm.com/support/docview.wss?uid=nas8N1021918 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Open Source Samba, NTP and ISC BIND affect IBM Netezza Host Management *** http://www-01.ibm.com/support/docview.wss?uid=swg21997024 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 21-03-2017
by Daily end-of-shift report 21 Mar '17

21 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 20-03-2017 18:00 − Dienstag 21-03-2017 18:00 Handler: Petr Sikuta Co-Handler: Robert Waldner *** Kritische Sicherheitslücken in E-Learning-Plattform Moodle geschlossen *** --------------------------------------------- Moodle-Admins aufgepasst: Die Open-Source E-Learning-Plattform enthält Sicherheitslücken, welche es Angreifern ermöglichen, einen Moodle-Server zu kapern. --------------------------------------------- https://heise.de/-3660119 *** Personalized spam campaign targets Germany *** --------------------------------------------- The key detail of each message was the fact that the recipient's full name, mailing address, and telephone number were embedded in the middle of the message. --------------------------------------------- https://www.symantec.com/connect/blogs/personalized-spam-campaign-targets-g… *** Workaround? Abdrehen! *** --------------------------------------------- Langsam gibt es erste Details zu den 0-days, die im Vault-7-Leak enthalten sind.Betroffen sind u.A. Switche von Cisco. Patches sind noch nicht für alle Modelle verfügbar, laut Heise gibt es aber folgenden Workaround:Bis dahin empfiehlt der Hersteller Telnet auf betroffenen Geräte zu deaktivieren und bis zum Erscheinen des Patches auf SSH zu setzen. Das ist meiner Meinung nach viel zu kurz gegriffen. --------------------------------------------- http://www.cert.at/services/blog/20170321100440-1957.html *** OpenSSH Bugs Let Remote Users Decrypt Messages in Certain Cases and Let Remote Authenticated Users Create or Modify Files on the Target System *** --------------------------------------------- Impact: A remote authenticated server can create or modify files on the connected target user's system. A remote user may be able to decrypt messages in certain cases. Solution: The vendor has issued a fix (7.5). --------------------------------------------- http://www.securitytracker.com/id/1038071 *** Google: Zahl der gehackten Webseiten steigt rapide *** --------------------------------------------- Im Jahr 2016 wurden 32 Prozent mehr Webseiten gehackt, als im Jahr zuvor. Das geht aus den von Google erhobenen Daten zu infizierten Servern hervor. Die Firma gibt Webmastern deswegen Hilfestellung beim Verhindern von Hackerangriffen. --------------------------------------------- https://heise.de/-3660903 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect IBM UrbanCode Release *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000285 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect IBM UrbanCode Release *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000283 --------------------------------------------- *** IBM Security Bulletin: IBM Call Center for Commerce is affected by Cross Site Scripting (XSS) Vulnerability (CVE-2016-6056) *** http://www.ibm.com/support/docview.wss?uid=swg22000442 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 20-03-2017
by Daily end-of-shift report 20 Mar '17

20 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 17-03-2017 18:00 − Montag 20-03-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Malicious Subdirectories Strike Again *** --------------------------------------------- In a previous post, we illustrated how attackers were fetching information from compromised sites under their control to display spam content on other hacked websites. By adding malicious files into a directory and using the victim's database structure, attackers were able to inject ads and promote their products. This time, attackers used a similar technique with a little bit more sophistication to achieve their goals. Essay Spam Campaign This technique is now being used to distribute --------------------------------------------- https://blog.sucuri.net/2017/03/malicious-subdirectories-strike-again.html *** Mimikatz: Walkthrough *** --------------------------------------------- Security researchers have been obsessed with Windows security since the beginning of time. Various tools have been released over the years which try to weaken the security/bypass it in some way or the other. Mimikatz is a tool written in `C` as an attempt to play with Windows security. --------------------------------------------- http://resources.infosecinstitute.com/mimikatz-walkthrough/ *** Doctor Web: It is possible to decrypt files encrypted with Trojan.Encoder.10465 *** --------------------------------------------- March 17, 2017 Doctor Web has developed an algorithm that successfully decrypts files encrypted by Trojan.Encoder.10465. Trojan.Encoder.10465 poses a threat to Windows computers. The Trojan is written in Delphi. The encoder appends the extension .crptxxx to the infected files and also saves to the disk a text file named HOW_TO_DECRYPT.txt, which contains the following content: Warning!!! All your files are encrypted with AESalgorithm! --------------------------------------------- http://news.drweb.com/show/?i=11211&lng=en&c=9 *** Sicherheitsupdate in Sicht: Gravierende Telnet-Lücke bedroht zahlreiche Cisco-Switches *** --------------------------------------------- Offensichtlich hat Cisco den Vault-7-Leak analysiert und ist auf eine kritische Lücke in über 300 Modellen seiner Switch-Reihe mit IOS-Betriebsystem gestoßen. Bislang gibt es nur einen Workaround - ein Patch soll folgen. --------------------------------------------- https://heise.de/-3658915 *** RIPS - Finding vulnerabilities in PHP application *** --------------------------------------------- The biggest fear of any developer has always been that their site may get hacked and occasionally it does end up being hacked. For a very long time, the most popular stack being used for the development of website has been the LAMP Stack (Linux, MySQL, PHP/Perl/Python). --------------------------------------------- http://resources.infosecinstitute.com/rips-finding-vulnerabilities-php-appl… *** Browser: Update der Ask.com-Toolbar verteilt Malware *** --------------------------------------------- Die meisten Nutzer dürften sich ohnehin nur fragen, wie sie die Ask.com-Toolbar im Browser am schnellsten wieder loswerden. Doch es gibt ein weiteres Problem: Der Update-Prozess des Programms ist notorisch für Sicherheitslücken anfällig. (Malware, Virus) --------------------------------------------- https://www.golem.de/news/browser-update-der-ask-com-toolbar-verteilt-malwa… *** Gefälschte Virenwarnung auf dem Smartphone *** --------------------------------------------- Während der mobilen Nutzung des Smartphones erscheinen angebliche Virenwarnungen. Sie geben vor, dass das Endgerät mit Schadsoftware infiziert sei. Abhilfe schafft ein Schutzprogramm aus einer unbekannten Quelle. Es kann Schadsoftware installieren oder zu einem Abovertrag führen. --------------------------------------------- https://www.watchlist-internet.at/handy-abzocke/gefaelschte-virenwarnung-au… *** Low Orbit Ion Cannon: Star-Trek-Ransomware tarnt sich als DDoS-Tool *** --------------------------------------------- Wer einen DDoS-Angriff starten will, sollte seine Werkzeuge gut auswählen. Bestimmte Versionen der Low Orbit Ion Cannon starten derzeit keinen Überlastungsangriff, sondern die Verschlüsselung der eigenen Festplatte. Teuer wird es auch, wenn Spock die Festplatte entschlüsseln soll. (Star Trek, Applikationen) --------------------------------------------- https://www.golem.de/news/low-orbit-ion-cannon-star-trek-ransomware-tarnt-s… *** Cisco IOS and IOS XE Software Autonomic Networking Infrastructure Registrar Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Autonomic Networking Infrastructure (ANI) registrar feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition.The vulnerability is due to incomplete input validation on certain crafted packets. An attacker could exploit this vulnerability by sending a crafted autonomic network channel discovery packet to a device that has all the following characteristics: --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Cisco IOS and IOS XE Software IPv6 Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Autonomic Networking Infrastructure (ANI) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.The vulnerability is due to incomplete input validation on certain crafted packets. An attacker could exploit this vulnerability by sending a crafted IPv6 packet to a device that is running a Cisco IOS Software or Cisco IOS XE Software release that --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by bash vulnerabilities *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024962 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affects IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, and v1.0.2. (CVE-2016-2183, CVE-2016-5546, CVE-2016-5547,CVE-2016-5548, CVE-2016-5549) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000014 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by php5 vulnerabilities (CVE-2016-9933, CVE-2016-9935) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024961 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by an International Components for Unicode (ICU) vulnerability (CVE-2014-9911) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024958 --------------------------------------------- *** IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by Query Parameter in SSL Request (CVE-2016-6102) *** http://www.ibm.com/support/docview.wss?uid=swg22000359 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus *** http://www.ibm.com/support/docview.wss?uid=swg22000536 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 17-03-2017
by Daily end-of-shift report 17 Mar '17

17 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 16-03-2017 18:00 − Freitag 17-03-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Bugtraq: CVE-2017-6805 MobaXterm Personal Edition v9.4 Path Traversal Remote File Disclosure *** --------------------------------------------- http://www.securityfocus.com/archive/1/540291 *** SSA-603476 (Last Update 2017-03-16): Web Vulnerabilities in SIMATIC CP 343-1/CP 443-1 Modules and SIMATIC S7-300/S7-400 CPUs *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476… *** Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy *** --------------------------------------------- Nearly three years ago, I wrote a post named “Pass-the-Hash is Dead: Long Live Pass-the-Hash” that detailed some operational implications of Microsoft’s KB2871997 patch. A specific sentence in the security advisory, “Changes to this feature .. --------------------------------------------- http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-loca… *** Chamois: Google deckt betrügerisches Werbenetzwerk auf *** --------------------------------------------- Adfraud ist ein weit verbreitetes Problem auf Android-Geräten. Google hat Details zu einem neu entdeckten Netzwerk bekanntgegeben, es soll das größte bislang bekannte sein. --------------------------------------------- https://www.golem.de/news/chamois-google-deckt-betruegerisches-werbenetzwer… *** Winzige Kameras auf Bankomaten spähen PINs aus *** --------------------------------------------- Die Londoner Polizei hat innerhalb kurzer Zeit mehrere Mini-Kameras entdeckt, die an Geldautomaten angebracht waren. --------------------------------------------- https://futurezone.at/digital-life/winzige-kameras-auf-bankomaten-spaehen-p… *** GitHub Code Execution Bug Fetches $18,000 Bounty *** --------------------------------------------- GitHub awarded $18,000 to a researcher after he came across a remote code execution bug in the company’s enterprise management console. --------------------------------------------- http://threatpost.com/github-code-execution-bug-fetches-18000-bounty/124378/ *** BSI: Schützt euer Owncloud vor Feuer und Wasser! *** --------------------------------------------- Das BSI beklagt, dass Nutzer von Owncloud und Nextcloud ihre Installationen nicht aktualisieren. Das liegt aber auch daran, dass die Updatefunktion oft fehlschlägt. Und die .. --------------------------------------------- https://www.golem.de/news/bsi-schuetzt-euer-owncloud-vor-feuer-und-wasser-1… *** Sieben Jahre alte Lücke im Linux-Kernel erlaubt Rechteausweitung *** --------------------------------------------- Über die Lücke können Angreifer außerdem den Kernel lahmlegen. Da die Lücke schon so lange im Code des Kernels schlummert, betrifft sie sehr viele Systeme. --------------------------------------------- https://heise.de/-3657912 *** Wettbewerb: Windows, MacOS, Linux und Browser gehackt *** --------------------------------------------- Bei der Veranstaltung Pwn2Own hacken IT-Security-Teams um die Wette. Insgesamt winken eine Million US-Dollar Preisgeld. --------------------------------------------- https://futurezone.at/digital-life/wettbewerb-windows-macos-linux-und-brows… *** Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability *** --------------------------------------------- A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Low Orbit Ion Cannon: Star-Trek-Ransomware tarnt sich als DDos-Tool *** --------------------------------------------- Wer einen DDoS-Angriff starten will, sollte seine Werkzeuge gut auswählen. Bestimmte Versionen der Low Orbit Ion Cannon starten derzeit keinen Überlastungsangriff, sondern die Verschlüsselung der eigenen Festplatte. Teuer wird es .. --------------------------------------------- https://www.golem.de/news/low-orbit-ion-cannon-star-trek-ransomware-tarnt-s…

1 0

Tageszusammenfassung - Donnerstag 16-03-2017
by Daily end-of-shift report 16 Mar '17

16 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 15-03-2017 18:00 − Donnerstag 16-03-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Attackers target dozens of global banks with new malware *** --------------------------------------------- Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or 'watering holes' to infect pre-selected targets with previously unknown malware. --------------------------------------------- https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks… *** SEO Spam Campaign Exploiting WordPress REST API Vulnerability *** --------------------------------------------- Just over a week ago, WordPress released version 4.7.3 to patch multiple security issues. Despite the automatic update feature provided by many hosting companies, there are still many WordPress websites that have not been updated. In fact, we are seeing quite a few sites that are still using versions 4.7 and 4.7.1, which are vulnerable to the WordPress REST API vulnerability patched in early February (version 4.7.2). This more serious vulnerability allows attackers to create, delete, and modify .. --------------------------------------------- https://blog.sucuri.net/2017/03/seo-spam-via-wp-rest-api-vulnerability.html *** Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001 *** --------------------------------------------- Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.Download Drupal 8.2.7Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. --------------------------------------------- https://www.drupal.org/SA-2017-001 *** Ransomware operators are hiding malware deeper in installer packages *** --------------------------------------------- We are seeing a wave of new NSIS installers used in ransomware campaigns. These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code. These changes are observed in installers that drop ransomware like Cerber, Locky, and others. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/03/15/ransomware-operators-ar… *** DFN-CERT-2017-0429/">Roundcube Webmail: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff *** --------------------------------------------- Ein entfernter, nicht authentifizierter Angreifer kann mit Hilfe einer Email, die ein speziell präpariertes SVG-Element enthält, einen Cross-Site-Scripting (XSS)-Angriff gegen Benutzer von Roundcube Webmail durchführen. Der Hersteller stellt Roundcube Webmail 1.1.8 und 1.2.4 zur Behebung der Schwachstelle bereit. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0429/ *** Using Intels SGX to Attack Itself *** --------------------------------------------- Researchers have demonstrated using Intels Software Guard Extensions to hide malware and steal cryptographic keys from inside SGXs protected enclave:Malware Guard Extension: Using SGX to Conceal Cache AttacksAbstract:In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. --------------------------------------------- https://www.schneier.com/blog/archives/2017/03/using_intels_sg.html *** [2017-03-16] Authenticated Command Injection in multiple Ubiquiti Networks products *** --------------------------------------------- The firmware of various Ubiquiti Networks devices contains a command injection vulnerability which can be exploited by luring an authenticated user to click on a malicious link or surf to a malicious website. Low privileged users can elevate their rights and use the vulnerability for further attacks. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Moodle 2.7.19 release notes *** --------------------------------------------- A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version. --------------------------------------------- https://docs.moodle.org/dev/Moodle_2.7.19_release_notes *** NexusLogger: A New Cloud-based Keylogger Enters the Market *** --------------------------------------------- NexusLogger is a cloud-based keylogger that uses the Microsoft .NET Framework and has a low level of sophistication. NexusLogger collects keystrokes, system information, stored passwords and will take screenshots. It also specifically seeks to harvest game credentials for UPlay, Minecraft, Steam, and Origin. ... All NexusLogger samples require communications with the nexuslogger[.]com domain via HTTPS, which makes it trivial for defenders to block. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-c… *** Penetration Testing Node.Js Applications - Part-2 *** --------------------------------------------- This article covers the left-over vulnerabilities from Part-1. In this article, we will have an in-depth look at some uncommon flaws and how to find them while doing performing code review of node.js applications. --------------------------------------------- http://resources.infosecinstitute.com/penetration-testing-node-js-applicati… *** Vuln: Palo Alto Networks Terminal Services CVE-2017-6356 Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96925 *** Alert (TA17-075A) HTTPS Interception Weakens TLS Security *** --------------------------------------------- Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation. Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide. --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA17-075A *** Code Review of Node.Js Applications: Uncommon Flaws *** --------------------------------------------- This article covers the left-over vulnerabilities from Part-1. In this article, we will have an in-depth look at some uncommon flaws and how to find them while doing performing code review of node.js applications. --------------------------------------------- http://resources.infosecinstitute.com/penetration-testing-node-js-applicati… *** (Twitter) Keep Calm and Revoke Access *** --------------------------------------------- For the last 24 hours, the Twitter landscape has seen several official accounts hacked. ... How to protect against this kind of attack? First, do not link your Twitter account to untrusted or suspicious applications. ... Finally, the best advice is to visit the following link at regular interval: https://twitter.com/settings/applications. During your first visit, you could be surprised to find so many applications linked to your account! --------------------------------------------- https://blog.rootshell.be/2017/03/15/keep-calm-revoke-access/ *** BSI warnt vor gefährdeten Cloud-Servern: über 20.000 deutsche ownCloud- und Nextcloud-Installationen veraltet *** --------------------------------------------- Das BSI ist auf viele veraltete Installationen von ownCloud und Nextcloud gestoßen. Obwohl die Betroffenen Bescheid wissen, haben bislang die wenigsten reagiert. --------------------------------------------- https://heise.de/-3656458 *** Microsoft To End Support For Windows Vista In Less Than a Month *** --------------------------------------------- In less than a months time, Microsoft will put Windows Vista to rest once and for all. If youre one of the few people still using it, you have just a few weeks to find another option before time runs out. (I mean, nobody will uninstall it from your computer, but.) From a report on PCWorld: After April 11, 2017, Microsoft will no longer support Windows Vista: no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/9XgfNI5PoWc/microsoft-to-en… *** Warnung vor kaufhaus-guenther.de *** --------------------------------------------- Kaufhaus Günther ist ein 'Online Kaufhaus'. Es wirbt mit Produkten für Haushalt, Technik und Möbel. Die verlangten Preise sind sehr günstig. Eine Bezahlung der Ware ist nur im Voraus möglich. Wer sie bezahlt, verliert Geld, denn kaufhaus-guenther.de ist ein Fake-Shop. Er liefert trotz Bezahlung keine Ware. Darüber hinaus droht ein Identitätsdiebstahl. --------------------------------------------- https://www.watchlist-internet.at/fake-shops/warnung-vor-kaufhaus-guentherd… *** DFN-CERT-2017-0479/">McAfee Advanced Threat Defence (ATD): Eine Schwachstelle ermöglicht das Ausspähen von Informationen *** --------------------------------------------- Ein einfach authentisierter Angreifer im benachbarten Netzwerk mit erweiterten Privilegien kann die SQL-Abfragelogik der Advanced Threat Defense über speziell präparierte HTTP-Anfragen so manipulieren, dass unautorisierte Aktionen im Kontext der unterliegenden Datenbank möglich sind (SQL-Injection). Intel Security erwähnt die Möglichkeit, auf diese Weise Produktinformationen auszuspähen. Die Ausführung beliebigen SQL-Programmcodes ist ebenfalls denkbar, aber nicht bestätigt. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0479/ *** Hackers Take Down Reader, Safari, Edge, Ubuntu Linux at Pwn2Own 2017 *** --------------------------------------------- On the first day of Pwn2Own 2017 hackers poked holes in Adobe Reader, Apple Safari, Microsoft Edge, and Ubuntu Linux. --------------------------------------------- http://threatpost.com/hackers-take-down-reader-safari-edge-ubuntu-linux-at-… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational ClearQuest *** http://www-01.ibm.com/support/docview.wss?uid=swg21994995 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Netezza Host Management (CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997019 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Expat component shipped with IBM Rational ClearCase (CVE-2016-0718, CVE-2015-1283, CVE-2016-4472, CVE-2015-2716) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998042 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Expat component shipped with IBM Rational ClearQuest (CVE-2016-0718, CVE-2015-1283, CVE-2016-4472, CVE-2015-2716) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998866 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Perl component shipped with IBM Rational ClearQuest (CVE-2015-8608, CVE-2015-8853, CVE-2016-2381) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998868 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Perl component shipped with IBM Rational ClearCase (CVE-2015-8608, CVE-2015-8853, CVE-2016-2381) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998046 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Liberty for Java for IBM Bluemix January 2017 CPU *** http://www-01.ibm.com/support/docview.wss?uid=swg22000092 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL component shipped with IBM Rational ClearCase (CVE-2016-8624, CVE-2016-8625) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996857 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect Rational Insight *** http://www-01.ibm.com/support/docview.wss?uid=swg22000124 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect Rational Reporting for Development Intelligence *** http://www-01.ibm.com/support/docview.wss?uid=swg22000123 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 15-03-2017
by Daily end-of-shift report 15 Mar '17

15 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 14-03-2017 18:00 − Mittwoch 15-03-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Sicherheitsupdates: Microsoft veranstaltet zwei Patchdays an einem Tag *** --------------------------------------------- Im März holt Microsoft den aus unbekannten Gründen verschobenen Patchday aus dem Februar nach, stellt zudem die Patches für den aktuellen Monat bereit und schließt insgesamt 140 Sicherheitslücken. --------------------------------------------- https://heise.de/-3653806 *** March 2017 security update release *** --------------------------------------------- Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month's security updates can be found on the Security Update Guide. Security bulletins were also published this month to give customers extra time to ensure they are... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/03/14/march-2017-security-upd… *** Propaganda auf Twitter *** --------------------------------------------- Der echte Groundhog Day ist noch nicht lange her, und manchmal kommt es einem so vor, als wäre im Internet jeden Tag "Groundhog Day": manche Sachen wiederholen sich einfach viel zu oft.Aktuell geht es um missbrauchte Twitter-Accounts. Das hatte wir schon im November: twittercounter.com hatte ein Problem, und schon werden Tweets unter falschem Namen verteilt. Das gleiche ist gerade wieder passiert... --------------------------------------------- http://www.cert.at/services/blog/20170315114231-1952.html *** Patchday: Adobe umsorgt Flash und Shockwave Player *** --------------------------------------------- Wie gewohnt flickt Adobe den Flash Player - darüber hinaus bekommt diesen Monat auch der Shockwave Player ein Sicherheitsupdate serviert. --------------------------------------------- https://heise.de/-3653924 *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- Two security issues have been identified within Citrix XenServer. These issues could, if exploited, allow the administrator ... --------------------------------------------- https://support.citrix.com/article/CTX220771 *** VMware Workstation and Fusion Memory Access Error in Drag and Drop Function Lets Local Users on a Guest System Gain Elevated Privileges on the Host System *** --------------------------------------------- http://www.securitytracker.com/id/1038025 *** DNSSEC-Schlüsseltausch 2017: ICANN setzt Testseite für Resolver auf *** --------------------------------------------- Sollte es Angreifern gelingen, einen DNSSEC-Schlüssel zu knacken, können sie glaubwürdig aussehende, aber falsche DNS-Replys verbreiten. Deshalb müssen Schlüssel ab und zu gewechselt werden. Bei der Root-Zone ist das eine heikle Sache. --------------------------------------------- https://www.heise.de/newsticker/meldung/DNSSEC-Schluesseltausch-2017-ICANN-… *** Petya ransomware returns, wrapped in extra VX nastiness *** --------------------------------------------- PetrWrap tries to blame its predecessor for attacks Researchers have spotted a variant of last years Petya ransomware, now with updated crypto and ransomware models. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/03/15/petya_retur… *** Gefälschte Rechnung auf dropboxusercontent.com *** --------------------------------------------- In einer E-Mail mit dem Betreff "Zahlungsdetails" erhalten Internet-Nutzer/innen angeblich eine Rechnung. Sie steht unter dem Link "dl.dropboxusercontent.com/" als ZIP-Datei zum Download bereit. In Wahrheit handelt es sich bei dem Dokument um Schadsoftware. Aus diesem Grund dürfen Empfänger/innen die angebliche Rechnung nicht öffnen. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-rechnu… *** Konsumentenschützer wollen Update-Verpflichtung *** --------------------------------------------- Verbraucherorganisationen aus aller Welt fordern die 20 führenden Industrie- und Schwellenländer (G20) zum grenzüberschreitenden Schutz der Konsumenten im Internet auf. --------------------------------------------- https://futurezone.at/digital-life/konsumentenschuetzer-wollen-update-verpf… *** Schwere Sicherheitslücke in den Web-Oberflächen von WhatsApp und Telegram geschlossen *** --------------------------------------------- Eine Lücke bei WhatsApp Web und Telegram Web erlaubt es Angreifern, die Web-Sessions der Messenger zu kapern. Auf diesem Wege können sie Nachrichten mitlesen, Adressbücher kopieren und Schadcode an Kontakte verschicken. --------------------------------------------- https://heise.de/-3653793 *** Where Have All The Exploit Kits Gone? *** --------------------------------------------- For a long time, exploit kits were the most prolific malware distribution vehicle available to attackers. Where did they go and what's replaced them? --------------------------------------------- http://threatpost.com/where-have-all-the-exploit-kits-gone/124241/ *** Vorsicht Fake: Betrüger locken mit Emulator für Nintendos Switch *** --------------------------------------------- Derzeit kursiert im Internet eine Anwendung, die Spiele von Nintendos aktueller Konsole Switch auf PCs emulieren können soll: Die "Entwickler" hinter dem vermeintlichen Emulator verfolgen aber ein ganz anderes Ziel. --------------------------------------------- https://heise.de/-3654299 *** PowerShell Remoting Artifacts: An Introduction *** --------------------------------------------- Since PowerShell usage by malware is on the rise, in this article series, we will learn about the various artifacts related to PowerShell remoting that can be very beneficial during the investigation and during building stories around Attack Chain. --------------------------------------------- http://resources.infosecinstitute.com/powershell-remoting-artifacts-part-1/ *** Gaps in NIS standardisation: Mapping the requirements of the NIS Directive to specific standards *** --------------------------------------------- ENISA publishes a report on European standardisation within the context of the NIS Directive. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/gaps-in-nis-standardisation-map… *** VU#553503: D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials *** --------------------------------------------- Vulnerability Note VU#553503 D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials --------------------------------------------- http://www.kb.cert.org/vuls/id/553503 *** An Introduction to Penetration Testing Node.js Applications *** --------------------------------------------- In this article, we will have a look at how to proceed when penetration testing Node.js applications or looking for Node.js specific issues. --------------------------------------------- http://resources.infosecinstitute.com/penetration-testing-node-js-applicati… *** SAP pushes to patch risky HANA security flaws before hackers strike *** --------------------------------------------- Europes top software maker SAP said on Tuesday it had patched vulnerabilities in its latest HANA software that had a potentially high risk of giving hackers control over databases and business applications used to run big multinational firms. --------------------------------------------- http://www.reuters.com/article/us-cyber-sap-idUSKBN16L1FH *** JSON Libraries Patched Against Invalid Curve Crypto Attack *** --------------------------------------------- JSON libraries using the JWE specification to create, sign and encrypt access tokens have been patched against an attack that allows for the recovery of a private key. --------------------------------------------- http://threatpost.com/json-libraries-patched-against-invalid-curve-crypto-a… *** Security Advisory - DoS Vulnerability in Vibrator Service of Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170315-… *** Vuln: SAP NetWeaver Visual Composer Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96865 *** JSA10759 - 2016-10 Security Bulletin: OpenSSL security updates *** --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759&actp=RSS *** Vuln: SAP ERP Remote Authorization Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96871 *** Vuln: Trend Micro InterScan Messaging Security CVE-2017-6398 Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96859 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM Algo One ARA reports can be accessed by another user *** http://www.ibm.com/support/docview.wss?uid=swg21999754 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM Java SDK that affect IBM Security Directory Suite (CVE-2016-5597) October 2016 CPU *** http://www-01.ibm.com/support/docview.wss?uid=swg21994296 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem model V840 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010008 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem models 840 and 900 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010007 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Apache Struts affect the IBM FlashSystem models 840 and 900 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010009 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Apache Struts affect the IBM FlashSystem model V840 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010010 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology *** http://www.ibm.com/support/docview.wss?uid=swg21999965 --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Mobility Express 1800 Access Point Series Authentication Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Web Security Appliance URL Filtering Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco WebEx Meetings Server XML External Entity Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Meshed Wireless LAN Controller Impersonation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco WebEx Meetings Server Authentication Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco UCS Director Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Unified Communications Manager Cross-Site Request Forgery Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Unified Communications Manager Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Unified Communications Manager Web Interface Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco TelePresence Server API Privilege Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Workload Automation and Tidal Enterprise Scheduler Client Manager Server Arbitrary File Read Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Service Catalog Multiple Cross-Site Scripting Vulnerabilities *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Nexus 9000 Series Switches Remote Login Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Nexus 9000 Series Switches Telnet Login Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Optical for Service Providers RADIUS Secret Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Infrastructure API Credentials Management Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Nexus 7000 Series Switches Access-Control Filtering Mechanisms Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco StarOS SSH Privilege Escalation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Adaptive Security Appliance BGP Bidirectional Forwarding Detection ACL Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 14-03-2017
by Daily end-of-shift report 14 Mar '17

14 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 13-03-2017 18:00 − Dienstag 14-03-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Stored XSS in WordPress Core *** --------------------------------------------- As you might remember, we recently blogged about a critical Content Injection Vulnerability in WordPress which allowed attackers to deface vulnerable websites. While our original disclosure only described one vulnerability, .. --------------------------------------------- https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.htm *** DSA-3808 imagemagick - security update *** --------------------------------------------- This update fixes several vulnerabilities in imagemagick: Various memoryhandling problems and cases of missing or incomplete input sanitisingmay result in denial of service or the execution of arbitrary code if malformed TGA, Sun or PSD files are processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3808 *** VMSA-2017-0004 *** --------------------------------------------- VMware product updates resolve remote code execution vulnerability via Apache Struts 2 --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0004.html *** Hintergrund: Vom Leben und Sterben der 0days *** --------------------------------------------- Viele diskutieren über Zero-Day-Exploits, doch die wenigsten haben je ein lebendiges Exemplar gesehen. Zwei interessante Studien bringen überraschende Erkenntnisse zur Lebenserwartung dieser gefährlichen Spezies. --------------------------------------------- https://heise.de/-3651392 *** Privatsphäre: Verschleiern der MAC-Adresse bei WLAN ist fast nutzlos *** --------------------------------------------- Die eigene MAC-Adresse beim WLAN zu verschleiern, gilt als eine der zentralen Funktionen zum Schutz der Privatsphäre. Auf mobilen Geräten ist dieser Schutz weitgehend nutzlos. --------------------------------------------- https://www.golem.de/news/privatsphaere-verschleiern-der-mac-adresse-bei-wl… *** Security Bulletins posted for Flash Player and Adobe Shockwave Player *** --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-07) and Adobe Shockwave Player (APSB17-08). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1449 *** Betreiber kritischer Infrastruktur erhalten Zugang zu Behörden-Funk *** --------------------------------------------- "Direkter Draht" zu Behörden im Falle eines kompletten "Blackouts" – Innenministerium stellt Funkgeräte .. --------------------------------------------- http://derstandard.at/2000054157780 *** Red Hat Product Security Risk Report 2016 *** --------------------------------------------- At Red Hat, our dedicated Product Security team analyzes threats and vulnerabilities against all our products and provides relevant advice and updates .. --------------------------------------------- https://access.redhat.com/blogs/766093/posts/2957221

1 0

Tageszusammenfassung - Montag 13-03-2017
by Daily end-of-shift report 13 Mar '17

13 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 10-03-2017 18:00 − Montag 13-03-2017 18:00 Handler: Olaf Schwarz Co-Handler: Alexander Riepl *** Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products *** --------------------------------------------- On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system using a .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Bugtraq: [security bulletin] HPESBGN03707 rev.1 - HPE ConvergedSystem 700 2.0 VMware Kit, Remote Increase of Privilege *** --------------------------------------------- http://www.securityfocus.com/archive/1/540252 *** Bugtraq: [security bulletin] HPESBHF03716 rev.1 - HPE Intelligent Management Center (IMC) PLAT, Remote Authentication Bypass *** --------------------------------------------- http://www.securityfocus.com/archive/1/540251 *** SF9 Realex Magento Module Targeted by Credit Card Scrapers *** --------------------------------------------- Attackers are constantly developing new techniques to compromise ecommerce websites and steal sensitive data. Over the last several weeks, we tracked .. --------------------------------------------- https://blog.sucuri.net/2017/03/sf9-realex-magento-module-targeted-by-credi… *** Letzter Support-Monat für Windows Vista *** --------------------------------------------- Am 11. April will Microsoft zum letzten Mal Sicherheits-Updates für Windows Vista veröffentlichen. Alle nach diesem Termin gefundenen Lücken bleiben ungefixt. Vista an sich läuft zwar weiter, sollte danach aber besser nicht mehr ans Internet. --------------------------------------------- https://www.heise.de/newsticker/meldung/Letzter-Support-Monat-fuer-Windows-… *** Studie: Viele Webseiten setzen verwundbare JavaScript-Bibliotheken ein *** --------------------------------------------- Sicherheitsforscher haben über 100.000 Domains gescannt und herausgefunden, dass auf fast 40 Prozent veraltete und unsichere JavaScript-Bibliotheken zum Einsatz kommen. --------------------------------------------- https://heise.de/-3650648 *** Security Notice - Statement on Remote Code Execution Vulnerability in Apache Struts2 *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170313-01-… *** Betrügerischer Support der US Software Solutions Inc *** --------------------------------------------- Eine vermeintliche Systembenachrichtigung informiert Nutzer/innen darüber, dass ihr Computer mit Schadsoftware befallen sei. Die US Software Solutions Inc .. --------------------------------------------- https://www.watchlist-internet.at/scamming/betruegerischer-support-der-us-s… *** 13 Google Play Store Apps Caught Stealing Instagram Credentials *** --------------------------------------------- Instagram users are once again the targets of malicious Android apps hosted on the Play Store, apps which steal .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/13-google-play-store-apps-ca… *** IBM Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21999293 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22000120 *** Nintendo Switch: Hacker baut iOS-Exploit um und nutzt Schwachstelle im Browser *** --------------------------------------------- Im Webbrowser der Switch klafft eine Sicherheitslücke, für deren Ausnutzung es bereits Proof-of-Concept-Code gibt. Zudem sind Hacker in den Recovery-Modus der Spielkonsole eingestiegen. --------------------------------------------- https://heise.de/-3650977 *** Vorinstallierte Malware auf Smartphones von LG und Samsung *** --------------------------------------------- Sicherheitsforscher haben Schadsoftware auf neuen Smartphones und Tablets entdeckt. Die Geräte wurden auf dem Vertriebsweg infiziert. --------------------------------------------- https://futurezone.at/digital-life/vorinstallierte-malware-auf-smartphones-…

1 0

Tageszusammenfassung - Freitag 10-03-2017
by Daily end-of-shift report 10 Mar '17

10 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 09-03-2017 18:00 − Freitag 10-03-2017 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter *** After CIA leak, Intel Security releases detection tool for EFI rootkits *** --------------------------------------------- Intel Security has released a tool that allows users to check if their computers low-level system firmware has been modified and contains unauthorized code.The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apples Macbooks. A rootkit is a malicious program that runs with high privileges -- typically in the kernel -- and hides the existence of other malicious components and activities.The documents from... --------------------------------------------- http://www.cio.com/article/3179345/security/after-cia-leak-intel-security-r… *** Over a Third of Websites Use Outdated and Vulnerable JavaScript Libraries *** --------------------------------------------- More than a third of the websites you visit online may include an outdated JavaScript library thats vulnerable to one or more security flaws. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-a-third-of-websites-use… *** Middle East Government organizations hit with RanRan Ransomware *** --------------------------------------------- Palo Alto Networks discovered a new strain of ransomware, dubbed RanRan ransomware, that has been used in targeted attacks in Middle East. Malware researchers at Palo Alto Networks have spotted a new strain of ransomware, dubbed RanRan, that has been used in targeted attacks against government organizations in the Middle East. --------------------------------------------- http://securityaffairs.co/wordpress/57031/malware/ranran-ransomware.html *** Sicherheit: Tails 2.11 und 3.0 Beta2 freigegeben *** --------------------------------------------- Nur zwei Tage auseinander liegen die Veröffentlichungen von Tails 2.11 und 3.0 Beta. Während 2.11 eine der letzten Aktualisierungen der Distribution auf der Basis von Debian 8 "Jessie" ist, wird Tails 3.0 bei seinem Erscheinen im Juni auf Debian 9 "Stretch" setzen. --------------------------------------------- https://www.golem.de/news/sicherheit-tails-2-11-und-3-0-beta2-freigegeben-1… *** Firefox stellt Support für Windows XP und Vista ein *** --------------------------------------------- Die aktuelle Version 52 des Browsers ist die letzte, die die veralteten Windows-Betriebsysteme unterstützt. --------------------------------------------- https://futurezone.at/produkte/firefox-stellt-support-fuer-windows-xp-und-v… *** How Dutch Police Decrypted BlackBerry PGP Messages For Criminal Investigation *** --------------------------------------------- The Dutch police have managed to decrypt a number of PGP-encrypted messages sent by criminals using their custom security-focused PGP BlackBerry phones and identified several criminals in an ongoing investigation. PGP, or Pretty Good Privacy, an open source end-to-end encryption standard that can be used to cryptographically sign emails, files, documents, or entire disk partitions in order to... --------------------------------------------- https://thehackernews.com/2017/03/decrypt-pgp-encryption.html *** Why the SHA-1 collision means you should stop using the algorithm *** --------------------------------------------- Realistically speaking, if your software or system uses the SHA-1 hashing algorithm, it is unlikely that it will be exploited in the foreseeable future. But it is also extremely difficult to be certain that your system wont be the exception. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/03/why-sha-1-collision-means-yo… *** CryptoBlock ransomware and its C2 *** --------------------------------------------- CryptoBlock is an interesting ransomware to keep an eye on. We expect this to be a ransomware that is in development to eventually develop into a RaaS (Ransomware as a Service).Categories: MalwareThreat analysisTags: CryptoBlockraasransomwareRansomware as a Servicevirustotal(Read more...) --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/03/cryptoblock-and-its-c… *** DSA-3806 pidgin - security update *** --------------------------------------------- It was discovered a vulnerability in Pidgin, a multi-protocol instantmessaging client. A server controlled by an attacker can send an invalidXML that can trigger an out-of-bound memory access. This might lead to acrash or, in some extreme cases, to remote code execution in theclient-side. --------------------------------------------- https://www.debian.org/security/2017/dsa-3806 *** Schneider Electric ClearSCADA *** --------------------------------------------- This advisory contains mitigation details for an input validation vulnerability in Schneider Electrics ClearSCADA. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-068-01 *** Security Advisory: Apache Struts 2 vulnerability CVE-2017-5638 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43451236.html?… *** NetIQ Privileged User Manager 2.4.1 HF2 (2.4.1-2) *** --------------------------------------------- Abstract: NetIQ Privileged User Manager 2.4.1 Hot Fix 2 (2.4.1.2). The purpose of the patch is to provide an upgrade of OpenSSL to eliminate potential security vulnerabilities. This release does not contain new features.Document ID: 5276651Security Alert: YesDistribution Type: PublicEntitlement Required: YesFiles:netiq-npum-packages-2.4.1-2.tar.gz (139.85 MB)Products:Privileged User Manager 2.4.1Superceded Patches:PUM2.4.1HF... --------------------------------------------- https://download.novell.com/Download?buildid=88wYDI-5uRA~ *** VMware Workstation update addresses multiple security issues *** --------------------------------------------- a. VMware Workstation DLL loading vulnerability b. VMware Workstation SVGA driver vulnerability c. VMware Workstation NULL pointer dereference vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0003.html *** Vuln: F-Secure Anti-Virus CVE-2017-6466 Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96784 *** IBM Security Bulletin: Vulnerabilities in Nagios Core affect IBM Pure Power Integrated Manager (PPIM) (CVE-2016-9565, CVE-2016-9566) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1024796 *** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect Rational Insight (CVE-2016-6816, CVE-2016-8735) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21997359 *** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect Rational Reporting for Development Intelligence (CVE-2016-6816, CVE-2016-8735) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21997358

1 0

Tageszusammenfassung - Donnerstag 9-03-2017
by Daily end-of-shift report 09 Mar '17

09 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 08-03-2017 18:00 − Donnerstag 09-03-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Jetzt patchen! Apache Struts 2 im Visier von Hackern *** --------------------------------------------- Derzeit nutzen Angreifer gehäuft eine kritische Sicherheitslücke in dem Framework aus und versuchen so Web-Server zu übernehmen. Neue Versionen und Workarounds schaffen Abhilfe. --------------------------------------------- https://heise.de/-3648065 *** Uncovering cross-process injection with Windows Defender ATP *** --------------------------------------------- Windows Defender Advanced Threat Protection (Windows Defender ATP) is a post-breach solution that alerts security operations (SecOps) personnel about hostile activity. As the nature of attacks evolve, Windows Defender ATP must advance so that it continues to help SecOps personnel uncover and address the attacks. With increasing security investments from Microsoft... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/03/08/uncovering-cross-proces… *** #APF17: Call for Papers *** --------------------------------------------- ENISA's Annual Privacy Forum (APF) is to be held in Vienna on the 7th and 8th June 2017, in collaboration with the Law Faculty of the University of Vienna. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/apf17-call-for-papers *** 185.000 unsichere Webcams könnten Hackern private Einblicke gewähren *** --------------------------------------------- Ein Sicherheitsforscher stieß auf kritische Sicherheitslücken in einer chinesischen Webcam. Das Problem ist, viele Hersteller setzen auf die verwendete Software und verkaufen angreifbare Kameras unter ihrer Marke. --------------------------------------------- https://heise.de/-3648458 *** Emsisoft Releases a Decryptor for the CryptON Ransomware *** --------------------------------------------- Yesterday, Emsisofts CTO and malware researcher Fabian Wosar? released a decryptor for the CryptON Ransomware. This ransomware has been around since the end of February and has had a few variants released. It was named CryptON based on a string found within the executable. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decrypto… *** SECURITY BULLETIN: Multiple Vulnerabilities in Trend Micro Deep Discovery Email Inspector 2.5.1 *** --------------------------------------------- Trend Micro has released a Critical Patch for Deep Discovery Email Inspector (DDEI) 2.5.1. This Critical Patch resolves multiple vulnerabilities related to the user interface (UI) and authentication. --------------------------------------------- https://success.trendmicro.com/solution/1116750 *** Security Notice - Statement on Security Researcher Revealing XSS Security Vulnerability in Huawei HG658 V2 on Packet Storm Website *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170308-01-… *** VU#305448: D-Link DIR-850L web admin interface contains a stack-based buffer overflow vulnerability *** --------------------------------------------- D-Link DIR-850L, firmware versions 1.14B07, 2.07.B05, and possibly others, contains a stack-based buffer overflow vulnerability in the web administration interface HNAP service. Other models may also be affected. --------------------------------------------- http://www.kb.cert.org/vuls/id/305448 *** Bugtraq: [security bulletin] HPESBHF03713 rev.1 - HPE Intelligent Management Center (IMC) PLAT, Deserialization of Untrusted Data, Remote Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/540239 *** Bugtraq: [security bulletin] HPESBHF03714 rev.1 - HPE Intelligent Management Center (IMC) PLAT, Local Arbitrary File Download *** --------------------------------------------- http://www.securityfocus.com/archive/1/540241 *** Services - Highly Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2016-029Project: Services (third-party module)Version: 7.xDate: 2017-March-08Security risk: 21/25 ( Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescriptionThis module provides a standardized solution for building APIs so that external clients can communicate with Drupal.The module accepts user submitted data in PHPs serialization format ("Content-Type: application/vnd.php.serialized") --------------------------------------------- https://www.drupal.org/node/2858847 *** PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-030Project: Password Reset Landing Page (PRLP) (third-party module)Version: 8.xDate: 2017-March-08Security risk: 16/25 ( Critical) AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypass, Privilege escalationDescriptionThis module adds a form on the password-reset-landing page to allow changing the password of the user during the log in process.The module does not sufficiently validate all access tokens, which allows an attacker to... --------------------------------------------- https://www.drupal.org/node/2858880 *** Vuln: Apache NiFi CVE-2017-5636 Remote Code Injection Vulnerability *** -------------------------------------------- http://www.securityfocus.com/bid/96731 *** Vuln: Apache NiFi CVE-2017-5635 Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96730 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities affect Rational Rhapsody Design Manager with potential for security attacks *** http://www.ibm.com/support/docview.wss?uid=swg21999960 --------------------------------------------- *** IBM Security Bulletin: Information disclosure vulnerability affects IBM Sterling B2B Integrator (CVE-2016-5986) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998463 --------------------------------------------- *** IBM Security Bulletin: IBM Sterling Order Management is affected by Apache Struts 2 security vulnerabilities (CVE-2016-3093 , CVE-2016-4436) *** http://www.ibm.com/support/docview.wss?uid=swg21999781 --------------------------------------------- *** IBM Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996748 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 8-03-2017
by Daily end-of-shift report 08 Mar '17

08 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 07-03-2017 18:00 − Mittwoch 08-03-2017 18:00 Handler: Olaf Schwarz Co-Handler: Petr Sikuta Co-Handler: Stephan Richter *** Little Monsters: Nutzerdaten aus Lady Gagas Social Network sollen geleakt sein *** --------------------------------------------- Bei Lady Gagas App Little Monsters scheinen Nutzerdaten abhanden gekommen zu sein. Im Netz kursiert eine Datenbank mit privaten Daten von knapp einer Million Nutzer. --------------------------------------------- https://heise.de/-3646447 *** Payments Giant Verifone Investigating Breach *** --------------------------------------------- Credit and debit card payments giant Verifone [NYSE: PAY] is investigating a breach of its corporate computer networks that could impact companies running its point-of-sale solutions, according to multiple sources. Verifone says the extent of the breach was "limited" and that its payment services network was not impacted. San Jose, Calif.-based Verifone is the largest maker of credit card terminals used in the United States. It sells point-of-sale terminals and services to support the... --------------------------------------------- https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-b… *** The HTTPS interception dilemma: Pros and cons *** --------------------------------------------- HTTPS is the bread-and-butter of online security. Strong cryptography that works on all devices without complicating things for users. Thanks to innovative projects like Let's Encrypt, adoption of HTTPS is rising steadily: in mid-2015 it was at 39%, now it's at 51% of HTTPS requests. Recent research shows however that HTTPS interception happens quite often. In fact, about 10% of connections to CloudFlare are intercepted, and the main culprits are enterprise network monitoring... --------------------------------------------- https://www.helpnetsecurity.com/2017/03/08/https-interception-dilemma/ *** Start of the Android Security Symposium 2017 *** --------------------------------------------- Today starts the Android Security Symposium at the Technical University of Vienna, courtesy of the Josef Ressel Center u'smile. The upcoming three days are packed with presentations surrounding the entire Android security ecosystem, ranging from presentations about the security architecture of Android by Google and AT&T right this morning, to secure app development, novel attacks,... --------------------------------------------- https://www.sba-research.org/2017/03/08/start-of-the-android-security-sympo… *** 21% of websites still use insecure SHA-1 certificates *** --------------------------------------------- New research from Venafi Labs shows that 21 percent of the world's websites are still using certificates signed with the vulnerable Secure Hash Algorithm, SHA-1. On February 23, 2017, Google affiliated security researchers announced they cracked the SHA-1 security standard using a collision attack. The incident proved that the deprecated cryptographic secure hash algorithm still used to sign many website digital certificates can be manipulated. Newly issued certificates using the SHA-2... --------------------------------------------- https://www.helpnetsecurity.com/2017/03/08/insecure-sha-1-certificates-usag… *** NetIQ Access Manager Directory Traversal Flaw Lets Remote Authenticated Admin Users Download Arbitrary Files on the Target Admin Console System *** --------------------------------------------- http://www.securitytracker.com/id/1037935 *** Bugtraq: Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in GoAhead *** --------------------------------------------- http://www.securityfocus.com/archive/1/540234 *** Bugtraq: [security bulletin] HPESBHF03710 rev.1 - HPE Intelligent Management Center (IMC) PLAT, Multiple Remote Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/540233 *** [2017-03-08] Multiple vulnerabilities in Navetti PricePoint *** --------------------------------------------- Navetti PricePoint is vulnerable against a broad range of typical application based vulnerabilities. On one hand an attacker is able to execute arbitrary JavaScript code in the context of an arbitrary user. On the other hand, an attacker is able to read out the contents of the applications database due to missing input validation. Furthermore an attacker can use cross-site request forgery to perform arbitrary web requests with the identity of the victim without being noticed by the victim. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** BlackBerry powered by Android Security Bulletin - March 2017 *** --------------------------------------------- BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build. --------------------------------------------- http://support.blackberry.com/kb/articleDetail?articleNumber=000039151 *** DFN-CERT-2017-0404: Red Hat JBoss Enterprise Web Server: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0404/ *** Vuln: Mozilla Firefox and Thunderbird Multiple Security Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/96693 https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/ *** Bugtraq: [security bulletin] HPESBGN03712 rev.1 - HPE LoadRunner and Performance Center, Remote Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/540238 *** [R1] Tenable Appliance 4.5.0 Fixes Multiple Vulnerabilities *** --------------------------------------------- http://www.tenable.com/security/tns-2017-07 *** Schneider Electric Wonderware Intelligence *** --------------------------------------------- This advisory contains mitigation details for a credentials management vulnerability in Schneider Electrics Wonderware Intelligence software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-066-01 *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: tcpdump vulnerabilities CVE-2016-7975, CVE-2016-7986, and CVE-2017-5341 *** https://support.f5.com:443/kb/en-us/solutions/public/k/55/sol55129614.html?… --------------------------------------------- *** Security Advisory: tcpdump vulnerabilities CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, and CVE-2017-5342 *** https://support.f5.com:443/kb/en-us/solutions/public/k/04/sol04225025.html?… --------------------------------------------- *** Security Advisory: tcpdump vulnerabilities CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, and CVE-2016-7933 *** https://support.f5.com:443/kb/en-us/solutions/public/k/39/sol39512927.html?… --------------------------------------------- *** Security Advisory: tcpdump vulnerabilities CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, and CVE-2017-5486 *** https://support.f5.com:443/kb/en-us/solutions/public/k/31/sol31997425.html?… --------------------------------------------- *** Security Advisory: tcpdump vulnerabilities CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, and CVE-2016-7939 *** https://support.f5.com:443/kb/en-us/solutions/public/k/49/sol49144112.html?… --------------------------------------------- *** Security Advisory: tcpdump vulnerabilities CVE-2016-7926, CVE-2016-7932, and CVE-2016-7938 *** https://support.f5.com:443/kb/en-us/solutions/public/k/72/sol72403108.html?… --------------------------------------------- *** Security Advisory: tcpdump vulnerabilities CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, and CVE-2016-7927 *** https://support.f5.com:443/kb/en-us/solutions/public/k/77/sol77384526.html?… --------------------------------------------- *** Security Advisory: tcpdump vulnerabilities CVE-2016-7940, CVE-2016-7973, CVE-2016-7974, CVE-2016-7983, and CVE-2016-7984 *** https://support.f5.com:443/kb/en-us/solutions/public/k/94/sol94010578.html?… --------------------------------------------- *** Security Advisory: tcpdump vulnerabilities CVE-2016-7985, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, and CVE-2016-8575 *** https://support.f5.com:443/kb/en-us/solutions/public/k/94/sol94778122.html?… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in BIND impact AIX (CVE-2016-9131) *** http://aix.software.ibm.com/aix/efixes/security/bind_advisory15.asc --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere MQ proliferation of channel agents causes denial of service (CVE-2017-1145) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999672 --------------------------------------------- *** IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability *** http://www-01.ibm.com/support/docview.wss?uid=swg21999736 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset Analyzer *** http://www-01.ibm.com/support/docview.wss?uid=swg21999881 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2016-6303, CVE-2016-2182, CVE-2016-2178, CVE-2016-6306, CVE-2016-2183, CVE-2016-2177, CVE-2016-7052) *** http://www.ibm.com/support/docview.wss?uid=swg21999451 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM Reliable Scalable Cluster Technology shipped with IBM Tivoli System Automation for Multiplatforms (CVE-2017-1134). *** http://www.ibm.com/support/docview.wss?uid=swg21998459 --------------------------------------------- *** IBM Security Bulletin: IBM MessageSight affected by GSKit Sweet32 Birthday attacks (CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg21999452 --------------------------------------------- *** IBM Security Bulletin: OpenNTF project Social Business SDK CVE-2016-3092 *** http://www.ibm.com/support/docview.wss?uid=swg21999337 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 7-03-2017
by Daily end-of-shift report 07 Mar '17

07 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 06-03-2017 18:00 − Dienstag 07-03-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Sicherheitsupdate härtet WordPress gegen XSS-Angriffe *** --------------------------------------------- Wer das CMS WordPress nutzt sollte sicherstellen, dass die aktuelle Version 4.7.3 installiert ist. Ansonsten könnten Angreifer Sicherheitslücken in vorigen Versionen ausnutzen. --------------------------------------------- https://heise.de/-3645684 *** River City Media: Spammer vergessen 1,4 Milliarden Mailadressen im Netz *** --------------------------------------------- Ein Backup-Fehler dürfte das Aus für ein großes Spamnetzwerk aus den USA bedeuten. River City Media verdiente Geld mit Spam-Nachrichten, SMS-Kampagnen und Affiliate-Marketing - inklusive gefälschter Suchmaschinen. --------------------------------------------- https://www.golem.de/news/river-city-media-spammer-vergessen-1-4-milliarden… *** SAP Security for Beginners part 7: SAP ABAP Platform Security *** --------------------------------------------- >From the previous articles of SAP Security for CISO series (especially SAP Risks), you reviewed many examples of potential attacks on these systems. Now it is time to learn how these attacks can be conducted via vulnerabilities discovered in SAP systems. First, let's look at patching process in SAP. When the vendor fixes vulnerabilities in... --------------------------------------------- http://resources.infosecinstitute.com/sap-security-beginners-part-7-sap-aba… *** TU Wien-Team auf drittem Platz bei internationalem Hacker-Wettbewerb *** --------------------------------------------- International Capture The Flag-Bewerb mit Internet-Sicherheits-Teams von 78 Universitäten --------------------------------------------- http://derstandard.at/2000053747853 *** A tcpdump Tutorial and Primer with Examples *** --------------------------------------------- Mar 6, 2017 - I just performed a major update to this tutorial after over 10 years. The update includes a fully functional table of contents and a number of additional explanations. Enjoy! --------------------------------------------- https://danielmiessler.com/study/tcpdump/ *** WikiLeaks Releases CIA Hacking Tools *** --------------------------------------------- WikiLeaks just released a cache of 8,761 classified CIA documents from 2012 to 2016, including details of its offensive Internet operations.I have not read through any of them yet. If you see something interesting, tell us in the comments. --------------------------------------------- https://www.schneier.com/blog/archives/2017/03/wikileaks_relea.html *** DFN-CERT-2017-0394: Google Android Operating System: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0394/ *** WordPress Multiple Plugins - Remote File Upload *** --------------------------------------------- Topic: WordPress Multiple Plugins - Remote File Upload Risk: High Text:Id like to report multiple remote file upload vulnerabilities on five plugins, attached is the PoC exploit and screenshot ; It... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017030065 *** [2017-03-07] Unauthenticated OS command injection & arbitrary file upload in Western Digital WD My Cloud *** --------------------------------------------- Multiple critical vulnerabilities, such as unauthenticated OS command injection or arbitrary file upload, within the WD My Cloud devices allow an attacker to gain access on the device. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Sicherheitsupdate für Symantec Endpoint Protection *** --------------------------------------------- Symantec Endpoint Protection ist ein Softwarepaket zum Schutz vor Viren und Malware.In Symantec Endpoint Protection 12.1 existiert eine Sicherheitslücke, die es einem Angreifer mit Zugriff auf Ihren Computer unter bestimmten Umständen ermöglicht, diesen zu übernehmen und massiv zu schädigen. Eine weitere Sicherheitslücke in Symantec Endpoint Protection 12.1 und 14.0 ermöglicht es dem Angreifer, beliebige Befehle auf Ihrem Computer auszuführen. --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_… *** VU#355151: ACTi cameras models from the D, B, I, and E series contain multiple security vulnerabilities *** --------------------------------------------- Vulnerability Note VU#355151 ACTi cameras models from the D, B, I, and E series contain multiple security vulnerabilities Original Release date: 07 Mar 2017 | Last revised: 07 Mar 2017 Overview According to the reporter, ACTi devices including D, B, I, and E series models using firmware version A1D-500-V6.11.31-AC are vulnerable to several issues. Description According to the reporter, multiple ACTi devices, including the D, B, I, and E series models, that use firmware version... --------------------------------------------- http://www.kb.cert.org/vuls/id/355151 *** Security Advisory: The BIG-IP system may respond with the NXDOMAIN status when it receives a DNS query of a certain type on a CNAME wide IP *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23022557.html?… *** Vuln: WePresent WiPG-1500 Device CVE-2017-6351 Hardcoded Password Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96588 *** Vuln: TeX Live CVE-2016-10243 Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96593 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Information Disclosure vulnerability affects IBM DB2 LUW (CVE-2017-1150) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999515 --------------------------------------------- *** IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities (CVE-2016-9131, CVE-2016-9444, CVE-2016-9147, CVE-2016-9778 and CVE-2017-3135) *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1021889 --------------------------------------------- *** IBM Security Bulletin: Multiple cross-site scripting vulnerabilities found in IBM UrbanCode Deploy (CVE-2016-9006) *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000264 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect IBM Cognos Metrics Manager (CVE-2016-0762, CVE-2016-6816) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999723 --------------------------------------------- *** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q1 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. *** http://www-01.ibm.com/support/docview.wss?uid=swg21999671 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Websphere Application Server affects IBM Cognos Metrics Manager (CVE-2016-5983) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999722 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Monitoring Basic Services Vulnerability (CVE-2016-5933) *** http://www.ibm.com/support/docview.wss?uid=swg21997223 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 6-03-2017
by Daily end-of-shift report 06 Mar '17

06 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 03-03-2017 18:00 − Montag 06-03-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** 25 Jahre Michelangelo: Der Tag der großen Virenpanik *** --------------------------------------------- Am 6. März 1992 hielt die Welt den Atem an. An diesem Tag sollte der Michelangelo-Virus Tausende, wenn nicht gar Millionen Festplatten löschen. Zum 25. Jahrestag beleuchtet c't die Geschichte des berüchtigten Virus. --------------------------------------------- https://heise.de/-3643630 *** Attacking machine learning with adversarial examples *** --------------------------------------------- Conclusion Adversarial examples show that many modern machine learning algorithms can be broken in surprising ways. These failures of machine learning demonstrate that even simple algorithms can behave very differently from what their designers intend. We encourage machine learning researchers to get involved and design methods for preventing adversarial examples, in order to close this gap between what designers intend and how algorithms behave. If youre interested in working on adversarial... --------------------------------------------- https://openai.com/blog/adversarial-example-research/ *** Lets Act Now to Prevent Hacking of the Power Grid *** --------------------------------------------- Standards, guidelines and exercises have bolstered the security of high-voltage networks but little has been done to protect the low-voltage systems that power our homes and workplaces. --------------------------------------------- http://europe.newsweek.com/lets-act-now-prevent-hacking-power-grid-563609 *** DFIR Tools *** --------------------------------------------- Over 600 DFIR tools in an online searchable database. --------------------------------------------- http://www.dfir.training/index.php/tools/advanced-search *** Uber Uses Ubiquitous Surveillance to Identify and Block Regulators *** --------------------------------------------- The New York Times reports that Uber developed apps that identified and blocked government regulators using the app to find evidence of illegal behavior:Yet using its app to identify and sidestep authorities in places where regulators said the company was breaking the law goes further in skirting ethical lines -- and potentially legal ones, too. Inside Uber, some of those who knew about the VTOS program and how the Greyball tool was being used were troubled by it.[...]One method involved... --------------------------------------------- https://www.schneier.com/blog/archives/2017/03/uber_uses_ubiqu.html *** Western Digital My Cloud: NAS-Gerät macht jeden zum Admin *** --------------------------------------------- Western Digital hat in der Hackerszene nicht den Ruf, Schwachstellen schnell zu beheben. Sicherheitslücken, die den Login-Vorgang und die Ausführung von Code betreffen, wurden daher ohne Responsible Disclosure veröffentlicht - damit die Nutzer handeln können. --------------------------------------------- https://www.golem.de/news/western-digital-my-cloud-nas-geraet-macht-jeden-z… *** Nextcloud-Scan: Security-Prüfung für Cloud-Speicher *** --------------------------------------------- Zwei Drittel der öffentlich erreichbaren Installation von ownCloud oder dessen Fork Nextcloud sind angreifbar. Ob die eigene Instanz betroffen ist, können Anwender auf einer Website überprüfen. --------------------------------------------- https://heise.de/-3645045 *** MMD-0062-2017 - Credential harvesting by SSH Direct TCP Forward attack via IoT botnet *** --------------------------------------------- In this post there is no malicious software/malware analyzed, but this is one of the impact of the malware infected IoT devices caused by weak credentials are described indirectly. The only malicious aspect written in the post is the individual(s) involved and participate to these attacks, and, well, I personally do not think the tool used is also malicious too since. in a way, it is very useful for UNIX networking and development. --------------------------------------------- http://blog.malwaremustdie.org/2017/02/mmd-0062-2017-ssh-direct-tcp-forward… *** Security Advisory - Arbitrary Memory Read Write Vulnerability in Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170306-… *** Vuln: EPSON TMNet WebConfig CVE-2017-6443 Multiple HTML Injection Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/96556 *** Vuln: FreeIPA CVE-2017-2590 Multiple Security Bypass Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/96557 *** [R3] SecurityCenter 5.4.4 Fixes File Upload unserialize() Function PHP Object Handling Remote File Deletion *** --------------------------------------------- Advisory Timeline 2017-02-17 - [R1] Initial Release 2017-02-28 - [R2] Adjust CVSS for worst-case scenario (AV:A -> AV:N) 2017-03-03 - [R3] Add SC upgrade information --------------------------------------------- https://www.tenable.com/security/tns-2017-05 *** Vuln: Piwik Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96567 *** keepassxc / zxcvbn-c One byte stack buffer overflow *** --------------------------------------------- Topic: keepassxc / zxcvbn-c One byte stack buffer overflow Risk: High Text:Hi, I recently reported a one byte buffer overflow in keepassxc [1] [2]. Its a pretty typical C bug: An array supposed to ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017030044 *** DSA-3802 zabbix - security update *** --------------------------------------------- An SQL injection vulnerability has been discovered in the Latest datapage of the web frontend of the Zabbix network monitoring system --------------------------------------------- https://www.debian.org/security/2017/dsa-3802 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSource GNU C library affects IBM Netezza Host Management (CVE-2015-8776) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997242 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability in the libgcrypt library (CVE-2016-6313) *** http://www.ibm.com/support/docview.wss?uid=swg21999613 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2016-2177, CVE-2016-6306, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999357 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability in OpenLDAP (CVE-2015-6908) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999615 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability in IBM WebSphere Application Server (CVE-2016-5986) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999614 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere Commerce admin utilities could lead to disclosure of user personal data (CVE-2016-5894) *** http://www.ibm.com/support/docview.wss?uid=swg21997408 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 3-03-2017
by Daily end-of-shift report 03 Mar '17

03 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 02-03-2017 18:00 − Freitag 03-03-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** WhatsApp - Unsicher trotz Verschlüsselung *** --------------------------------------------- Die Einführung der Ende-zu-Ende-Verschlüsselung wurde von WhatsApp-Nutzern und Datenschützern sehr begrüßt. Dass es hierbei aber dennoch zu erheblichen Sicherheitsproblemen kommt, haben nun Forscher des Fraunhofer-Instituts für Angewandte und Integrierte Sicherheit AISEC herausgefunden. Betroffen sind vor allem Android-Nutzer. --------------------------------------------- https://www.aisec.fraunhofer.de/de/presse-und-veranstaltungen/presse/presse… *** Undocumented Backdoor Account in DBLTek GoIP *** --------------------------------------------- Trustwave recently reported a remotely exploitable issue in the Telnet administrative interface of numerous DblTek branded devices. The issue permits a remote attacker to gain a shell with root privileges on the affected device due to a vendor backdoor in... --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Undocumented-Backdoor-A… *** Command Input Typo Caused Massive AWS S3 Outage *** --------------------------------------------- In a postmortem status report, Amazon blamed a command input typo for the massive AWS S3 outage that took out a large chunk of the Internet three days ago. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/hardware/command-input-typo-caused-ma… *** Malware Retrieves PowerShell Scripts from DNS Records *** --------------------------------------------- Malware researchers have come across a new Remote Access Trojan (RAT) that uses a novel technique to evade detection on corporate networks by fetching malicious PowerShell commands stored inside a domains DNS TXT records. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-retrieves-powershell… *** January-February 2017 *** --------------------------------------------- The NCCIC/ICS-CERT Monitor for January/February 2017 is a summary of ICS-CERT activities for the previous two months. --------------------------------------------- https://ics-cert.us-cert.gov/monitors/ICS-MM201702 *** Lernkurve mit neuem Feed *** --------------------------------------------- Wir sammeln aus vielen Quellen Informationen zu Infektionen und anderen Sicherheitsproblemen im österreichischen Internet und geben diese an die Netzbetreiber weiter. Details dazu stehen in unserem Jahresbericht. Kürzlich haben wir eine neuen Anbieter in unser Portfolio aufgenommen, der unser Lagebild zu Infektionen verbessern sollte. Seit vorgestern verteilen wir Daten aus dieser Quelle. Wir bekamen von einigen Seiten Feedback, dass hier was... --------------------------------------------- http://www.cert.at/services/blog/20170303152402-1946.html *** IDM 4.5 SAP HR Driver Version 4.0.1.0 *** --------------------------------------------- Abstract: Patch update for the Identity Manager SAP HR driver with the SAP JCO version 3. This patch will take the driver version to 4.0.1.0. You must have IDM 4.5 with SP2 or later to use this driver. You should only use this if you are using SAP JCO3. It will not work with SAP JCO2. NetIQ/MicroFocus recommends that users of SAP JCO2 transition to SAP JCO3 and use the IDM SAP HR driver for JCO3. Beginning with IDM 4.0 JCO2 is no longer supported.Document ID: 5258492Security Alert: --------------------------------------------- https://download.novell.com/Download?buildid=KbKm3O1mw4M~ *** VMSA-2017-0002 *** --------------------------------------------- Horizon DaaS update addresses an insecure data validation issue --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0002.html *** Vuln: Rapid7 Insight Collector CVE-2017-5234 DLL Loading Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96545 *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by vulnerabilities in Network Security Services (NSS) (CVE-2016-2834, CVE-2016-5285, CVE-2016-8635) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21998918 *** Eaton xComfort Ethernet Communication Interface *** --------------------------------------------- This advisory contains mitigation details for an improper access controls vulnerability in the Eaton xComfort Ethernet Communication Interface. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-061-01 *** Schneider Electric Conext ComBox *** --------------------------------------------- This advisory contains mitigation details for a resource exhaustion vulnerability in Schneider Electric's Conext ComBox solar battery monitor. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-061-02

1 0

Tageszusammenfassung - Donnerstag 2-03-2017
by Daily end-of-shift report 02 Mar '17

02 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 01-03-2017 18:00 − Donnerstag 02-03-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Kaspersky Releases Decryptor for the Dharma Ransomware *** --------------------------------------------- Kaspersky has tested a set of Dharma master decryption keys posted to BleepingComputer and has confirmed they are legitimate. These keys have been included in their RakhniDecryptor, which I have tested against a Dharma infection. The decryptor worked flawlessly! [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor… *** The Story of an Expired WHOIS Server *** --------------------------------------------- We write quite often about SEO spam injections on compromised websites, but this is the first time we have seen this blackhat tactic spreading into the WHOIS results for a domain name. If you are not familiar with "WHOIS", it is a protocol used to check who owns a specific domain name. These simple text records are publicly available and usually contain contact details for the website owner, i.e. their name, address, and phone number (unless the website owner purchased a WHOIS... --------------------------------------------- https://blog.sucuri.net/2017/03/story-expired-whois-server.html *** Infected Apps in Google Play Store (its not what you think), (Thu, Mar 2nd) *** --------------------------------------------- Xavier pointed me towards a new issue posted on Palo Altos Unit 42 blog - the folks at PA found apps in the Google Play store infected with hidden-iframe type malware. 132 apps (so far) are affected, with the most popular one seeing roughly 10,000 downloads. But were not at the end of the trail of breadcrumbs yet .. these apps were traced back to just 7 developers, who arent in the same company, but all have a connection to Indonesia (the smoking gun here was the code signing certificate). But... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22139&rss *** Researcher Breaks reCAPTCHA Using Googles Speech Recognition API *** --------------------------------------------- A researcher has discovered what he calls a "logic vulnerability" that allowed him to create a Python script that is fully capable of bypassing Googles reCAPTCHA fields using another Google service, the Speech Recognition API. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-breaks-recaptcha-… *** Crypt0L0cker Ransomware is Back with Campaigns Targeting Europe *** --------------------------------------------- Crypt0L0cker, otherwise known as TorrentLocker, has started to make resurgence as it performs targeted campaigns at European countries. These attacks are also now using Italys PEC system to digitaly sign SPAM emails in order to make them look more official. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/crypt0l0cker-ransomware-is-b… *** Security Advisory - Buffer Overflow Vulnerability in the Boot Loaders of Huawei Mobile Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170302-… *** DSA-3799 imagemagick - security update *** --------------------------------------------- This update fixes several vulnerabilities in imagemagick: Variousmemory handling problems and cases of missing or incomplete inputsanitising may result in denial of service or the execution of arbitrarycode if malformed TIFF, WPG, IPL, MPC or PSB files are processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3799 *** AES - Critical - Unsupported - SA-CONTRIB-2017-027 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-027Project: AES encryption (third-party module)Version: 7.x, 8.xDate: 2017-March-01DescriptionThis module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm.The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be possible. The maintainer has opted not to fix these weaknesses. See solution... --------------------------------------------- https://www.drupal.org/node/2857028 *** Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-025Project: Remember Me (third-party module)Version: 7.xDate: 2017-March-01Description Remember me is a module that allows users to check "Remember me" when logging in. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466CVE identifier(s) issuedA CVE identifier will... --------------------------------------------- https://www.drupal.org/node/2857015 *** Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-028Project: breakpoint panels (third-party module)Version: 7.xDate: 2017-March-01Description Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that modules UI. Unchecking any of these will hide it from that breakpoint. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by... --------------------------------------------- https://www.drupal.org/node/2857073 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to missing authentication checks (CVE-2016-9729) *** http://www.ibm.com/support/docview.wss?uid=swg21999545 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to SQL injection (CVE-2016-9728) *** http://www.ibm.com/support/docview.wss?uid=swg21999543 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to cross site scripting (CVE-2016-9723, CVE-2017-1133) *** http://www.ibm.com/support/docview.wss?uid=swg21999534 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to cross-site request forgery (CVE-2016-9730) *** http://www.ibm.com/support/docview.wss?uid=swg21999549 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to XML Entity Injection (CVE-2016-9724) *** http://www.ibm.com/support/docview.wss?uid=swg21999537 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to OS command injection (CVE-2016-9726, CVE-2016-9727) *** http://www.ibm.com/support/docview.wss?uid=swg21999542 --------------------------------------------- *** IBM Security Bulletin: Malicious File Download vulnerability in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) CVE-2016-9693 *** https://www-01.ibm.com/support/docview.wss?uid=swg21998655 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2016-7053, CVE-2016-7054, CVE-2016-7055) *** http://www.ibm.com/support/docview.wss?uid=swg21998755 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere MQ administration command could cause denial of service (CVE-2016-8971) *** https://www-01.ibm.com/support/docview.wss?uid=swg21998663 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in dependent component shipped in IBM Development Package for Apache Spark (CVE-2016-4970) *** http://www.ibm.com/support/docview.wss?uid=swg21999185 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Sterling Connect:Express for UNIX (CVE-2016-7055, CVE-2017-3731 and CVE-2017-3732) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999470 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark *** http://www.ibm.com/support/docview.wss?uid=swg21999561 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio *** http://www-01.ibm.com/support/docview.wss?uid=swg21999668 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow a local attacker to obtain sensitive information using HTTP Header Injection (CVE-2017-1124) *** http://www.ibm.com/support/docview.wss?uid=swg21998053 --------------------------------------------- *** IBM Security Bulletin: Mozilla NSS as used in IBM QRadar SIEM is vulnerable to arbitrary code execution (CVE-2016-2834) *** http://www.ibm.com/support/docview.wss?uid=swg21999532 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to a denial of service (CVE-2016-9740) *** http://www.ibm.com/support/docview.wss?uid=swg21999556 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM and QRadar Incident Forensics are vulnerable to information exposure (CVE-2016-9720) *** http://www.ibm.com/support/docview.wss?uid=swg21999533 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar Incident Forensics is vulnerable to overly permissive CORS access policies (CVE-2016-9725) *** http://www.ibm.com/support/docview.wss?uid=swg21999539 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 1-03-2017
by Daily end-of-shift report 01 Mar '17

01 Mar '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 28-02-2017 18:00 − Mittwoch 01-03-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Dridex Becomes First Malware Family to Integrate AtomBombing Technique *** --------------------------------------------- Bad news from malware-land after security researchers from IBM reported today theyd discovered the first samples of version 4.0 of the infamous and highly-active Dridex banking trojan. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/dridex-becomes-first-malware… *** Android: Passwort-Manager mit Sicherheitslücken *** --------------------------------------------- Passwort-Manager verwalten auf Smartphones diverse Zugangsdaten. Das ist zwar praktisch - doch nicht immer sind die Daten auch sicher verwahrt, wie das Frauenhofer SIT herausfand. Einige der untersuchten Apps wiesen gravierende Mängel auf. --------------------------------------------- https://heise.de/-3640040 *** Botnets *** --------------------------------------------- Botnets have existed for at least a decade. As early as 2000, hackers were breaking into computers over the Internet and controlling them en masse from centralized systems. Among other things, the hackers used the combined computing power of these botnets to launch distributed denial-of-service attacks, which flood websites with traffic to take them down.But now the problem is getting worse, thanks to a flood of cheap webcams, digital video recorders, and other gadgets in the "Internet of... --------------------------------------------- https://www.schneier.com/blog/archives/2017/03/botnets.html *** BSI legt Grundstein für Prüfungen gemäß IT-Sicherheitsgesetz *** --------------------------------------------- Betreiber kritischer Infrastruktur müssen sich zukünftig regelmäßig prüfen lassen und dabei nachweisen, Sicherheitsvorkehrungen gemäß dem Stand der Technik vorgenommen zu haben. Die ersten Schulungen für Prüfer machen klar, was das konkret bedeutet. --------------------------------------------- https://heise.de/-3632463 *** Wir werden alle an der Cloud verbluten .. oder so *** --------------------------------------------- http://www.cert.at/services/blog/20170301112306-1918.html *** [2017-03-01] XXE and XSS vulnerabilities in Aruba AirWave *** --------------------------------------------- The authenticated XXE and reflected XSS vulnerabilities were found in Aruba AirWave versions prior to 8.2.3.1. The XXE flaw can be exploited by either a low-privileged user or a social engineering attack which could allow an attacker to read sensitive files on the system. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** DFN-CERT-2017-0362: Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0362/ *** SSA-934525 (Last Update 2017-03-01): Vulnerability in SINUMERIK Integrate *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-934525… *** SSA-701708 (Last Update 2017-03-01): Local Privilege Escalation in Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701708… *** SECURITY BULLETIN: Multiple Vulnerabilities in Trend Micro SafeSync for Enterprise (SSFE) 3.2 *** --------------------------------------------- Trend Micro has released a new build for Trend Micro SafeSync for Enterprise (SSFE) 3.2. This fix resolves multiple vulnerabilities in the product that could potentially allow a remote attacker to execute arbitrary code on vulnerable installations. --------------------------------------------- https://success.trendmicro.com/solution/1116749 *** Cisco Prime Infrastructure Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the HTTP web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system.The vulnerability is due to insufficient input validation of a user-supplied value. An attacker could exploit this vulnerability by convincing a user to click a specific link. There are no workarounds that address this vulnerability. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Cisco NetFlow Generation Appliance Stream Control Transmission Protocol Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Stream Control Transmission Protocol (SCTP) decoder of the Cisco NetFlow Generation Appliance (NGA) could allow an unauthenticated, remote attacker to cause the device to hang or unexpectedly reload, causing a denial of service (DoS) condition.The vulnerability is due to incomplete validation of SCTP packets being monitored on the NGA data ports. An attacker could exploit this vulnerability by sending malformed SCTP packets on a network that is monitored by an NGA data... --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability in the Expat XML parser (CVE-2016-0718) *** --------------------------------------------- A vulnerability has been identified in the Expat XML parser, which affects IBM Security Access Manager appliances. CVE(s): CVE-2016-0718 Affected product(s) and affected version(s): IBM Security Access Manager for Web 7.0 appliances, all firmware versions. IBM Security Access Manager for Web 8.0 appliances, all firmware versions. IBM Security Access Manager for Mobile 8.0 appliances, all... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21998991 *** IBM Security Bulletin: Tivoli Storage Manger (IBM Spectrum Protect) SQL interface vulnerable to unauthorized access (CVE-2016-8940) *** --------------------------------------------- Tivoli Storage Manager (IBM Spectrum Protect) SQL interface is vulnerable to unauthorized access to user credentials and product sensitive information. CVE(s): CVE-2016-8940 Affected product(s) and affected version(s): This vulnerability affects the following IBM Tivoli Storage Manager (IBM Spectrum Protect) Server levels: 7.1.0.0 through 7.1.7.0 6.3.0.0 through 6.3.6.0 6.2, 6.1, and 5.5 all levels (these releases... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21998946 *** Novell Patches *** --------------------------------------------- *** iManager 3.0.2.1 *** https://download.novell.com/Download?buildid=z_UnDt0kYyM~ --------------------------------------------- *** eDirectory 8.8 SP8 Patch 9 HotFix 2 *** https://download.novell.com/Download?buildid=KcXKGUw7GSg~ --------------------------------------------- *** eDirectory 9.0.2 Hot Fix 2 *** https://download.novell.com/Download?buildid=dRl85TKqwOE~ --------------------------------------------- *** iManager 2.7 Support Pack 7 - Patch 9 *** https://download.novell.com/Download?buildid=v_njeFs4biE~ ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 28-02-2017
by Daily end-of-shift report 28 Feb '17

28 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 27-02-2017 18:00 − Dienstag 28-02-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Mac-AV-Software ermöglichte Einschleusen von Schadcode *** --------------------------------------------- Eine unzureichende Absicherung bei der Lizenzprüfung von Eset Endpoint Antivirus für macOS ermöglichte es einem Angreifer, beliebigen Code mit Root-Rechten auszuführen. Die als kritisch eingestufte Sicherheitslücke wurde inzwischen behoben. --------------------------------------------- https://heise.de/-3638786 *** MongoDB: Sprechender Teddy teilte alle Daten mit dem Internet *** --------------------------------------------- Spielzeug aus der Cloudpets-Reihe zeichnet die Stimmen der Kinder auf. Wem das nicht schon zu creepy ist, der dürfte sich spätestens über die offene MongoDB-Datenbank aufregen. 800.000 Nutzer mit über 2 Millionen Sprachsamples sind betroffen. (Spielzeug, Datenschutz) --------------------------------------------- https://www.golem.de/news/mongodb-sprechender-teddy-teilte-alle-daten-mit-d… *** Severe SQL Injection Flaw Discovered in WordPress Plugin with Over 1 Million Installs *** --------------------------------------------- A WordPress plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a websites database. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/severe-sql-injection-flaw-di… *** Decrypting after a Findzip ransomware infection *** --------------------------------------------- The Findzip ransomware was discovered on February 22, 2017. At that time, it was thought that files would be irreversibly encrypted by this ransomware, with no chance of decryption. Turns out, thats not quite true. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip… *** Guidelines on Incident Notification for Digital Service Providers *** --------------------------------------------- ENISA publishes a comprehensive guideline on how to implement incident notification requirements for Digital Service Providers, in the context of the NIS Directive. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/guidelines-on-incident-notifica… *** DFN-CERT-2017-0355: TYPO3: Zwei Schwachstellen ermöglichen Cross-Site-Scripting-Angriffe und das Umgehen von Sichherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0355/ *** DFN-CERT-2017-0340: Red Hat Package Manager (RPM): Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0340/ *** SAP BusinessObjects Financial Consolidation Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1037910 *** VU#742632: Sage XRT Treasury database fails to properly restrict access to authorized users *** --------------------------------------------- Vulnerability Note VU#742632 Sage XRT Treasury database fails to properly restrict access to authorized users Original Release date: 28 Feb 2017 | Last revised: 28 Feb 2017 Overview Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Description CWE-639: Authorization Bypass Through User-Controlled Key - CVE-2017-3183Sage XRT Treasury is a business finance... --------------------------------------------- http://www.kb.cert.org/vuls/id/742632 *** DFN-CERT-2017-0356: ktnef: Eine Schwachstelle ermöglicht u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0356/ *** Bugtraq: Advisory X41-2017-001: Multiple Vulnerabilities in X.org *** --------------------------------------------- http://www.securityfocus.com/archive/1/540180 *** VTS17-003: Multiple Vulnerabilities in Veritas NetBackup and NetBackup Appliance *** --------------------------------------------- https://www.veritas.com/content/support/en_US/security/VTS17-003.html *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server January 2017 CPU *** http://www-01.ibm.com/support/docview.wss?uid=swg21998379 --------------------------------------------- *** IBM Security Bulletin: DB2 local escalation of privilege vulnerability affects Tivoli Storage Manager (IBM Spectrum Protect) Server (CVE-2016-5995) *** http://www.ibm.com/support/docview.wss?uid=swg21998885 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Jazz for Service Management affects IBM Performance Management products (CVE-2016-9975) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993846&myns=swgtiv&mynp=… --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Cognos Controller *** http://www-01.ibm.com/support/docview.wss?uid=swg21983083 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Cognos Controller (CVE-2016-3427) *** http://www-01.ibm.com/support/docview.wss?uid=swg21983082 --------------------------------------------- *** IBM Security Bulletin: vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Performance Management products *** http://www.ibm.com/support/docview.wss?uid=swg21993794 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Controller. *** http://www-01.ibm.com/support/docview.wss?uid=swg21977636 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cognos Controller (CVE-2015-3195) *** http://www-01.ibm.com/support/docview.wss?uid=swg21976531 --------------------------------------------- *** IBM Security Bulletin: OpenSSL as used in IBM QRadar SIEM is vulnerable to various CVEs *** http://www.ibm.com/support/docview.wss?uid=swg21999478 --------------------------------------------- *** IBM Security Bulletin: Pivotal Spring Framework as used in IBM QRadar SIEM is vulnerable to various CVEs *** http://www.ibm.com/support/docview.wss?uid=swg21999395 --------------------------------------------- *** IBM Security Bulletin: Apache Solr as used in IBM QRadar SIEM and Incident Forensics is vulnerable to a denial of service (CVE-2014-0050) *** http://www.ibm.com/support/docview.wss?uid=swg21999474 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM uses broken or risky cryptographic algorithms (CVE-2016-2879) *** http://www.ibm.com/support/docview.wss?uid=swg21997341 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM contains hard-coded credentials (CVE-2016-2880) *** http://www.ibm.com/support/docview.wss?uid=swg21997340 --------------------------------------------- *** IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to various CVEs *** http://www.ibm.com/support/docview.wss?uid=swg21999488 --------------------------------------------- *** IBM Security Bulletin: IBM Java as used in IBM QRadar SIEM and Incident Forensics is vulnerable to various CVEs *** http://www.ibm.com/support/docview.wss?uid=swg21999479 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 27-02-2017
by Daily end-of-shift report 27 Feb '17

27 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 24-02-2017 18:00 − Montag 27-02-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Project Zero: Erneut ungepatchter Microsoft-Bug veröffentlicht *** --------------------------------------------- Project Zero meint es ernst: Zum dritten Mal innerhalb weniger Monate gibt es einen Bugreport ohne Patch von Microsoft. Dieses Mal handelt es sich um einen Type-Confusion-Fehler in Internet Explorer und Edge. --------------------------------------------- https://www.golem.de/news/project-zero-erneut-ungepatchter-microsoft-bug-ve… *** DFN-CERT-2017-0348: Microsoft Internet Explorer, Microsoft Edge: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes *** --------------------------------------------- Ein entfernter, nicht authentifizierter Angreifer, welcher einen Benutzer zum Besuch einer bösartig manipulierten Webseite verleiten kann, kann die Schwachstelle ausnutzen, um einen Denial-of-Service (DoS)-Zustand zu bewirken oder beliebigen Programmcode zur Ausführung zu bringen. Diese Schwachstelle wird von dem Google Projekt Zero veröffentlicht, da der Zeitraum, der dem Hersteller zum Beheben der Schwachstelle eingeräumt wurde (90 Tage), abgelaufen ist. Ein Sicherheitsupdate steht derzeit noch nicht zur Verfügung. Ein Proof-of-Concept zur Ausnutzung der Schwachstelle ist ebenfalls verfügbar. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0348/ *** Cloudflare data leak...what does it mean to me?, (Fri, Feb 24th) *** --------------------------------------------- The ISC has received several requests asking us to weigh in on the ramifications of the Cloudflare data leak, also being referred to by some as CloudBleed. The short version of the vulnerability is that in raresituations, a bug in Cloudflares edge servers could be triggered, which would cause a buffer overrun to occur. When these buffer overruns occurred, random data would be returned in the replies from the Cloudflare servers. This data would be data from any of Cloudflares customer... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22113&rss *** Zahlungsverkehr: Swift verlangt bessere Cyberabwehr *** --------------------------------------------- Im Kampf gegen Cyberkriminelle verlangt das Zahlungsverkehrssystem Swift größere Anstrengungen seitens der angeschlossenen Banken. --------------------------------------------- https://futurezone.at/b2b/zahlungsverkehr-swift-verlangt-bessere-cyberabweh… *** DSA-3795 bind9 - security update *** --------------------------------------------- It was discovered that a maliciously crafted query can cause ISCsBIND DNS server (named) to crash if both Response Policy Zones (RPZ)and DNS64 (a bridge between IPv4 and IPv6 networks) are enabled. Itis uncommon for both of these options to be used in combination, sovery few systems will be affected by this problem in practice. --------------------------------------------- https://www.debian.org/security/2017/dsa-3795 *** SHA1 Collision Attack Makes Its First Victim: Subversion Repositories *** --------------------------------------------- It took only one day for the SHA1 collision attack revealed by Google on Thursday to make its first victims after developers of the WebKit browser engine broke their Subversion (SVN) source code repository on Friday. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/sha1-collision-attack-makes-… *** DSA-3796 apache2 - security update *** --------------------------------------------- Several vulnerabilities were discovered in the Apache2 HTTP server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3796 *** More on Bluetooth Ingenico Overlay Skimmers *** --------------------------------------------- This blog has featured several stories about "overlay" card and PIN skimmers made to be placed atop Ingenico-brand card readers at store checkout lanes. Im revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles on Ingenico overlay skimmers. --------------------------------------------- https://krebsonsecurity.com/2017/02/more-on-bluetooth-ingenico-overlay-skim… *** Gefälschte Oberbank-Nachricht: Konto gesperrt! *** --------------------------------------------- Kund/innen erhalten scheinbar eine E-Mail der Oberbank. Darin heißt es, dass es zu einem nicht autorisierten Zugriff auf ihr Konto gekommen sei. [...] Es handelt sich um einen Phishingversuch! --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-oberbank-nachricht-k… *** Cyber extortionists hold MySQL databases for ransom *** --------------------------------------------- Ransomware has become cyber crooks' favorite attack methodology for hitting businesses, but not all cyber extortion attempts are effected with this particular type of malware. Since the beginning of the year, we have witnessed attackers compromising databases, exfiltrating data from them, wiping them and then asking for money (0.2 BTC) in order to return the data. They ransacked MongoDB, CouchDB and Hadoop databases, and now they've set MySQL databases in their sights. According to... --------------------------------------------- https://www.helpnetsecurity.com/2017/02/27/mysql-databases-ransom/ *** Security products and HTTPS: lets do it better *** --------------------------------------------- A recent paper showed that many HTTPS-intercepting security solutions have implemented TLS rather poorly. Does that mean we should avoid such solutions altogether? --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/02/security-products-and-https-… *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: Slowloris denial-of-service attack vulnerability CVE-2007-6750 *** https://support.f5.com:443/kb/en-us/solutions/public/12000/600/sol12636.htm… --------------------------------------------- *** Security Advisory: Linux kernel vulnerability CVE-2016-9555 *** https://support.f5.com:443/kb/en-us/solutions/public/k/54/sol54095660.html?… --------------------------------------------- *** Security Advisory: Expat XML library vulnerability CVE-2015-2716 *** https://support.f5.com:443/kb/en-us/solutions/public/k/50/sol50459349.html?… --------------------------------------------- *** Security Advisory: libarchive vulnerability CVE-2016-8688 *** https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35263486.html?… --------------------------------------------- *** Security Advisory: libarchive vulnerability CVE-2016-8689 *** https://support.f5.com:443/kb/en-us/solutions/public/k/52/sol52697522.html?… --------------------------------------------- *** Security Advisory: libarchive vulnerability CVE-2016-8687 *** https://support.f5.com:443/kb/en-us/solutions/public/k/13/sol13074505.html?… --------------------------------------------- *** Security Advisory: Linux kernel vulnerability CVE-2016-4998 *** https://support.f5.com:443/kb/en-us/solutions/public/k/74/sol74171196.html?… --------------------------------------------- *** Security Advisory: OpenSSL vulnerability CVE-2017-3732 *** https://support.f5.com:443/kb/en-us/solutions/public/k/44/sol44512851.html?… --------------------------------------------- *** Security Advisory: F5 TLS vulnerability CVE-2016-9244 *** https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05121675.html?… --------------------------------------------- *** Security Advisory: PHPMailer vulnerability CVE-2016-10045 *** https://support.f5.com:443/kb/en-us/solutions/public/k/73/sol73926196.html?… --------------------------------------------- *** Security Advisory: BIG-IP REST vulnerability CVE-2016-6249 *** https://support.f5.com:443/kb/en-us/solutions/public/k/12/sol12685114.html?… --------------------------------------------- *** Security Advisory: GnuTLS vulnerabilities CVE-2017-5335, CVE-2017-5336, and CVE-2017-5337 *** https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59836191.html?… --------------------------------------------- *** Security Advisory: perl-XML-Twig vulnerability CVE-2016-9180 *** https://support.f5.com:443/kb/en-us/solutions/public/k/08/sol08383757.html?… --------------------------------------------- *** Security Advisory: OpenSSL vulnerability CVE-2017-3731 *** https://support.f5.com:443/kb/en-us/solutions/public/k/37/sol37526132.html?… --------------------------------------------- *** Security Advisory: BIND vulnerability CVE-2017-3135 *** https://support.f5.com:443/kb/en-us/solutions/public/k/80/sol80533167.html?… --------------------------------------------- *** Security Advisory: libxml2 vulnerability CVE-2015-8806 *** https://support.f5.com:443/kb/en-us/solutions/public/k/04/sol04450715.html?… --------------------------------------------- *** Security Advisory: GnuTLS vulnerability CVE-2017-5334 *** https://support.f5.com:443/kb/en-us/solutions/public/k/31/sol31336596.html?… --------------------------------------------- *** Security Advisory: iControl vulnerability CVE-2016-9256 *** https://support.f5.com:443/kb/en-us/solutions/public/k/47/sol47284724.html?… --------------------------------------------- *** Security Advisory: TMM vulnerability CVE-2016-9245 *** https://support.f5.com:443/kb/en-us/solutions/public/k/22/sol22216037.html?… ---------------------------------------------

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily