- Daily - CERT.at

Tageszusammenfassung - Freitag 29-07-2016
by Daily end-of-shift report 29 Jul '16

29 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 28-07-2016 18:00 − Freitag 29-07-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Long-running malvertising campaign infected thousands of computers per day *** --------------------------------------------- Security researchers have shut down a large-scale malvertising operation that used sophisticated techniques to remain undetected for months and served exploits to millions of computers.The operation, dubbed AdGholas, has been running since at least October 2015. According to security vendor Proofpoint, the gang behind it managed to distribute malicious advertisements through more than 100 ad exchanges, attracting between 1 million and 5 million page hits per day.The Proofpoint researchers... --------------------------------------------- http://www.cio.com/article/3101817/long-running-malvertising-campaign-infec… *** Would You Use This ATM? *** --------------------------------------------- One basic tenet of computer security is this: If you cant vouch for a networked things physical security, you also cannot vouch for its cybersecurity. Thats because in most cases, networked things really arent designed to foil a skilled and determined attacker who can freely connect his own devices. So you can imagine my shock and horror seeing a Cisco switch and wireless antenna sitting exposed atop of an ATM out in front of a bustling grocery store in my hometown of Northern Virginia. --------------------------------------------- http://krebsonsecurity.com/2016/07/would-you-use-this-atm/ *** Q2 DDoS activity up 83%, report *** --------------------------------------------- Nexusguard researchers noticed an 83 percent uptick in DDoS attacks in Q2 2016 compared to Q1. --------------------------------------------- http://www.scmagazine.com/q2-ddos-threat-report-notes-83-percent-uptick/art… *** Pwnie Express open sources IoT and Bluetooth security tools *** --------------------------------------------- Pwnie Express announced the availability of open sourced versions of its Blue Hydra and Android build system software. The release of these tools enable comprehensive Bluetooth detection and community based development of penetration testing Android devices. Bluetooth detection is critical for effective device threat detection and must cover both Low energy (LE) and Classic Bluetooth standards. Blue Hydra has also been integrated into Pwnie's monitoring platform, Pulse, to provide... --------------------------------------------- https://www.helpnetsecurity.com/2016/07/29/pwnie-express-iot-bluetooth-secu… *** Businesses need to protect data, not just devices *** --------------------------------------------- As organizations embrace the digital transformation of their business, they are increasingly facing new security concerns. More companies are moving away from device-centric, platform-specific endpoint security technologies toward an approach that secures their applications and data everywhere. A new Citrix Qualtrics survey revealed that: More than half of Citrix customers reported that they are changing the way their SecOps teams are operated because of the increase in ransomware, targeted... --------------------------------------------- https://www.helpnetsecurity.com/2016/07/29/protect-data-not-just-devices/ *** Virtually all business cloud apps lack enterprise grade security *** --------------------------------------------- Blue Coat Systems analyzed apps for their ability to provide compliance, data protection, security controls and more. Of the 15,000 apps analyzed, it was revealed that 99 percent do not provide sufficient security, compliance controls and features to effectively protect enterprise data in the cloud. Shadow data still a major threat Their report revealed that shadow data, unmanaged content employees store and share across cloud apps, continues to remain a major threat, with 23 percent... --------------------------------------------- https://www.helpnetsecurity.com/2016/07/29/business-cloud-apps-lack-enterpr… *** Elektronikversand Pollin bestätigt schwerwiegenden Hacker-Angriff *** --------------------------------------------- Nachdem die Kundendaten bereits für personalisierte Phishing-Angriffe missbraucht wurden, erklärte der Elektronik-Shop nun, dass seine Server angegriffen wurden. Die Täter haben viel mitgenommen, darunter auch offenbar die Bankverbindungen der Kunden. --------------------------------------------- http://heise.de/-3281324 *** Malicious RTF Files, (Fri, Jul 29th) *** --------------------------------------------- About a year ago I received RTF samples that I could not analyze with RTFScan or rtfobj (FYI: Philippe Lagadec has improved rtfobj.py significantly since then). So I started to write my own RTF analysis tool (rtfdump), but I was not satisfied enough with the way I presented the analysis result to warrant a release of my tool. Last week, I started analyzing new samples and updating my tool. I released it, and show how I analyze sample 07884483f95ae891845caf0d50ce507f in this diary entry. This... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21315&rss *** Unter Windows 10 Pro gelten bald nicht mehr alle Gruppenrichtlinien *** --------------------------------------------- Mit Windows 10, insbesondere dem "Anniversary Update", ändert Microsoft die Anwendungslogik von Gruppenrichtlinien. Künftig entscheidet nicht nur die Version des Betriebssystems (Windows 7/8/10), sondern auch die Edition (Pro, Enterprise). [...] Nach dem Update wird es mit Pro-Ausgaben von Windows 10 nicht mehr möglich sein, das Verhalten zentral zu steuern. Und ganz nebenbei werden auch Umwege verschlossen, zum Beispiel die Manipulation per Registry-Schlüssel. --------------------------------------------- http://www.heise.de/newsticker/meldung/Unter-Windows-10-Pro-gelten-bald-nic… *** Citrix NetScaler Service Delivery Appliance Multiple Security Updates *** --------------------------------------------- A number of vulnerabilities have been identified in the Citrix NetScaler Service Delivery Appliance (SDX) that could allow a malicious administrative user to crash the host or other VMs and execute arbitrary code on the SDX host. --------------------------------------------- https://support.citrix.com/article/CTX206006 *** iPrint Appliance 1.1 Patch 6 *** --------------------------------------------- Abstract: This patch includes bug fixes, security fixes and a consolidation of previously released patchesDocument ID: 5250978Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:iPrint-1.1.0.417.HP.zip (27.49 MB)iPrint-1.1.0.421.HP.zip (1,008.67 MB)Products:iPrint Appliance 1.1Superceded Patches:iPrint Appliance 1.1 Patch --------------------------------------------- https://download.novell.com/Download?buildid=vv7Z6imI7Js~ *** iPrint Appliance 2.0 Patch 2 *** --------------------------------------------- Abstract: This patch includes bug fixes, security fixes and a consolidation of previously released patchDocument ID: 5250983Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:iPrint-2.0.0.531.HP.zip (721.05 MB)Products:iPrint Appliance 2Superceded Patches:iPrint Appliance 2.0 --------------------------------------------- https://download.novell.com/Download?buildid=svMlzlyK0go~ *** Bugtraq: [SYSS-2016-046] Perixx PERIDUO-710W - Missing Protection against Replay Attacks *** --------------------------------------------- http://www.securityfocus.com/archive/1/539041 *** VU#217871: Intel CrossWalk project does not validate SSL certificates after first acceptance *** --------------------------------------------- Vulnerability Note VU#217871 Intel CrossWalk project does not validate SSL certificates after first acceptance Original Release date: 29 Jul 2016 | Last revised: 29 Jul 2016 Overview The Intel Crosswalk project is a framework for developing hybrid apps for Android and iOS. The Crosswalk project does not properly handle SSL certificate validation when a user accepts an invalid certificate, preventing the app for validating any future SSL certificates. Description CWE-356: Product UI does not --------------------------------------------- http://www.kb.cert.org/vuls/id/217871 *** Bugtraq: Vicon Network Cameras - Authentication Bypass *** --------------------------------------------- http://www.securityfocus.com/archive/1/539037 *** Bugtraq: [SYSS-2016-044] Logitech K520 - Insufficient Protection against Replay Attacks *** --------------------------------------------- http://www.securityfocus.com/archive/1/539040 *** Bugtraq: [SYSS-2016-059] Microsoft Wireless Desktop 2000 - Insufficient Verification of Data Authenticity (CWE-345) *** --------------------------------------------- http://www.securityfocus.com/archive/1/539045 *** Bugtraq: [SYSS-2016-047] Perixx PERIDUO-710W - Keystroke Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/539042

1 0

Tageszusammenfassung - Donnerstag 28-07-2016
by Daily end-of-shift report 28 Jul '16

28 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 27-07-2016 18:00 − Donnerstag 28-07-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Taking Steps to Fight Back Against Ransomware *** --------------------------------------------- Ransomware is an attack in which malware encrypts files and extorts money from victims. It has become a favorite among cybercriminals because it is easy to develop, simple to execute, and does a very good job of compelling users to pay to regain access to their precious files or systems. Almost anyone and every business... --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/taking-steps-to-fight-back-against-ran… *** Infection Monkey: Test a network from an attacker's point of view *** --------------------------------------------- Infection Monkey, a tool designed to test the resiliency of modern data centers against cyber attacks, was developed as an open source tool by GuardiCore's research group. "Traditional testing tools are no longer able to effectively detect vulnerabilities in today's data center networks as they cannot continuously exploit the weakest link and propagate in-depth, resulting in a very partial view of network vulnerabilities" said Pavel Gurvich, CEO of GuardiCore. How... --------------------------------------------- https://www.helpnetsecurity.com/2016/07/28/infection-monkey-test-network-at… *** Verifying SSL/TLS certificates manually, (Thu, Jul 28th) *** --------------------------------------------- I think that we can surely say that, with all its deficiencies, SSL/TLS is still a protocol we cannot live without, and basis of todays secure communication on the Internet.Quite often I get asked on how certificates are really verified by browsers or other client utilities. Sure, the canned answer that certificates get signed by CAs and a browser verifies if signatures are correct is always there, but more persistent questions on how it exactly works happen here and there as well. So, if you... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21311&rss *** Passwort Manager: Lastpass behebt kritische Lücke *** --------------------------------------------- Die gestern von Tavis Ormandy gemeldete kritische Schwachstelle im Passwort-Manager Lastpass ist nach Angaben des Unternehmens inzwischen geschlossen worden. Ein neue Lastpass-Version soll unter Firefox bereitstehen. --------------------------------------------- http://www.golem.de/news/passwort-manager-lastpass-bestaetigt-behebung-krit… *** Phishing-Angriff auf Pollin-Kunden *** --------------------------------------------- Bei heise Security haben sich mehrere Kunden des Elektronikhändlers Pollin gemeldet, die befürchten, dass ihre persönlichen Daten einschließlich Bankverbindung bei dem Händler kopiert wurden. --------------------------------------------- http://heise.de/-3280449 *** You cant turn off Cortana in the Windows 10 Anniversary Update *** --------------------------------------------- Microsoft made an interesting decision with Windows 10's Anniversary Update, which is now in its final stages of development before it rolls out on August 2. Cortana, the personal digital assistant that replaced Windows 10's search function and taps into Bing's servers to answer your queries with contextual awareness, no longer has an off switch. --------------------------------------------- http://www.pcworld.com/article/3100358/windows/you-cant-turn-off-cortana-in… *** Security Holes Exposed In Smart Lighting System *** --------------------------------------------- Sylvania Osram Lightify vulnerabilities could allow an attacker to turn out the lights or ultimately infiltrate the corporate network. --------------------------------------------- http://www.darkreading.com/cloud/security-holes-exposed-in-smart-lighting-s… *** Hintergrund: Windows 10 mit Schutz vor Pass-the-Hash-Angriffen *** --------------------------------------------- Mit Hilfe moderner Virtualisierungstechnik soll der Credential Guard eine der gefährlichsten Angriffstechniken für Windows-Netze entschärfen. --------------------------------------------- http://heise.de/-3280610 *** DSA-3633 xen - security update *** --------------------------------------------- Multiple vulnerabilities have been discovered in the Xen hypervisor. TheCommon Vulnerabilities and Exposures project identifies the followingproblems: --------------------------------------------- https://www.debian.org/security/2016/dsa-3633 *** DSA-3632 mariadb-10.0 - security update *** --------------------------------------------- Several issues have been discovered in the MariaDB database server. Thevulnerabilities are addressed by upgrading MariaDB to the new upstreamversion 10.0.26. Please see the MariaDB 10.0 Release Notes for furtherdetails: --------------------------------------------- https://www.debian.org/security/2016/dsa-3632 *** Vuln: DBD::mysql my_login() Function Use After Free Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/92118 *** Vuln: QEMU hw/scsi/esp.c Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/92119 *** F5 Security Advisory: glibc vulnerability CVE-2016-4429 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/17/sol17075474.html?… *** AXIS Authenticated Remote Command Execution *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016070209 *** DFN-CERT-2016-1153: Apache Software Foundation HTTP-Server, Lighttpd: Eine "Schwachstelle" ermöglicht HTTP-Proxy-Umleitungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1153/ *** DFN-CERT-2016-1216: Red Hat JBoss Operations Network: Mehrere Schwachstelle ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1216/ *** Xen Security Advisory CVE-2016-5403 / XSA-184 *** --------------------------------------------- A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size. (This requires reusing vring descriptors in more than one request, which is incorrect but possible.) Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation controlled by the guest. --------------------------------------------- http://xenbits.xen.org/xsa/advisory-184.html *** Sentinel 7.3 SP3 (Sentinel 7.3.3.0) *** --------------------------------------------- Abstract: Sentinel 7.3.3 upgrade for Sentinel 7.3Document ID: 5250650Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:sentinel_server-7.3.3.0-2205.x86_64.tar.gz.sha256 (109 bytes)sentinel_server-7.3.3.0-2205.x86_64.tar.gz (1.69 GB)Products:Sentinel 7.3.2Sentinel 7.1.1Sentinel 7.1Sentinel 7.3.1Sentinel 7.2Sentinel 7.2.1Sentinel 7.3Sentinel 7.2.2Sentinel 7.0Sentinel 7.0.1Sentinel 7.0.2Sentinel 7.0.3Sentinel 7.3.3Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=aGwCXcABsl0~ *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Nexus 1000v Application Virtual Switch Cisco Discovery Protocol Packet Processing Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Wireless LAN Controller Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Videoscape Session Resource Manager Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Service Catalog Reflected Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FireSIGHT System Software Snort Rule Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Email Security Appliance File Type Filtering Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 27-07-2016
by Daily end-of-shift report 27 Jul '16

27 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 26-07-2016 18:00 − Mittwoch 27-07-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Dridex Re-Mastered *** --------------------------------------------- Well, its been quite an eventful time since last I posted. I have so much in the works that it is hard to tell where to begin. It seems that we are seeing new flavors of ransomware every week and botnets seem to come and go with a frequency weve not seen in a while. This week, though, I promised Dridex, so Dridex it is. --------------------------------------------- http://www.scmagazine.com/dridex-re-mastered/article/511683/ *** Analyze of a Linux botnet client source code, (Wed, Jul 27th) *** --------------------------------------------- I like to play active-defense. Every day, I extract attackers IP addresses from my SSH honeypots and performa quick Nmap scan against them. The goal is to gain more knowledge about the compromised hosts. Most of the time, hosts are located behind a residential broadband connection. But sometimes, you find more interesting stuff. When valid credentials are found, the classic scenario is the installation of a botnet client that will be controlled via IRC to launchmultiple attacks or scans. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21305&rss *** Erpressungs-Trojaner: Malware-Entwickler spioniert bei der Konkurrenz - Opfer profitieren davon *** --------------------------------------------- Auf Pastebin sind tausende Schlüssel zum Dechiffrieren von Daten aufgetaucht, die vom Verschlüsselungs-Trojaner Chimera gefangengenommen wurden. --------------------------------------------- http://heise.de/-3279201 *** Kritische Lücke in Lastpass: Entwickler arbeiten an Lösung *** --------------------------------------------- Tavis Ormandy hat eine kritische Sicherheitslücke im Passwort-Manager Lastpass gefunden und über Twitter gemeldet. Die Entwickler der Software arbeiten demnach bereits an einer Lösung. --------------------------------------------- http://heise.de/-3279424 *** Black Hat 2016: Neuer Angriff schafft Zugriff auf Klartext-URLs trotz HTTPS *** --------------------------------------------- Besonders in öffentlichen Netzwerken schützen verschlüsselte HTTPS-Verbindungen davor, dass Admins oder gar andere Nutzer im gleichen Netz den eigenen Datenverkehr belauschen. Dieser Schutz ist offenbar löchrig - und zwar auf fast allen Browsern und Betriebssystemen. --------------------------------------------- http://www.golem.de/news/black-hat-2016-neuer-angriff-schafft-zugriff-auf-k… *** Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 16: Account Monitoring and Control *** --------------------------------------------- This is Part 16 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here: Part 1 - we looked at Inventory of Authorized and Unauthorized Devices. Part 2 - we looked at Inventory of Authorized and Unauthorized Software. Part 3 - we looked at Secure... --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/free-and-commercial-to… *** From Locky with love - reading malicious attachments *** --------------------------------------------- Read on to learn how the latest downloaders used to deliver Locky ransomware and show how to statically decipher their hidden URLs.Categories: Malware Threat analysisTags: downloaderLocky(Read more...) --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2016/07/from-locky-with-love-… *** httpoxy in Österreich *** --------------------------------------------- Wir haben vorige Woche eine Warnung zu httpoxy veröffentlicht, dabei geht es um: CGI ist ein Standard, mit dem Webseiten dynamisch mit Hilfe von Scripten serverseitig erstellt werden können. Dazu werden die Informationen über den Client und zur Anfrage in Umgebungsvariablen an das Script übergeben. Enthält der HTTP-Request einen Header "Proxy:", dann wird der Inhalt dieses Headers in die Umgebungsvariable HTTP_PROXY... --------------------------------------------- http://www.cert.at/services/blog/20160727173056-1764.html *** Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access *** --------------------------------------------- The Iris ID IrisAccess iCAM4000/7000 series suffer from a use of hard-coded credentials. When visiting the device interface with a browser on port 80, the application loads an applet JAR file ICAMClient.jar into users browser which serves additional admin features. In the JAR file there is an account rou with password iris4000 that has read and limited write privileges on the affected node. An attacker can access the device using these credentials starting a simple telnet session on port 23 --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php *** Iris ID IrisAccess ICU 7000-2 Remote Root Command Execution *** --------------------------------------------- The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote command execution vulnerability. The vulnerability exist due to several POST parameters in the /html/SetSmarcardSettings.php script not being sanitized when using the exec() PHP function while updating the Smart Card Settings on the affected device. Calling the $CommandForExe variable which is set to call the /cgi-bin/setsmartcard CGI binary with the affected parameters as arguments allows the attacker to execute --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5346.php *** Iris ID IrisAccess ICU 7000-2 Multiple XSS and CSRF Vulnerabilities *** --------------------------------------------- The application is prone to multiple reflected cross-site scripting vulnerabilities due to a failure to properly sanitize user-supplied input to the HidChannelID and HidVerForPHP POST parameters in the SetSmarcardSettings.php script. Attackers can exploit this issue to execute arbitrary HTML and script code in a users browser session. The application also allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5345.php *** F5 Security Advisory: MySQL vulnerability CVE-2016-2047 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53729441.html?… *** Bugtraq: [security bulletin] HPSBST03603 rev.1 - HPE StoreVirtual Products running LeftHand OS using glibc, Remote Arbitrary Code Execution, Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/539015 *** Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for two vulnerabilities in the Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-208-01 *** Siemens SIMATIC NET PC-Software Denial-of-Service Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a denial-of-service vulnerability in the Siemens SIMATIC NET PC-Software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-208-02 *** Siemens SINEMA Remote Connect Server Cross-site Scripting Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a cross-site scripting vulnerability in the Siemens SINEMA Remote Connect Server application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-208-03 *** Rockwell Automation FactoryTalk EnergyMetrix Vulnerabilities *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on June 21, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for authentication vulnerabilities in the Rockwell Automation FactoryTalk EnergyMetrix application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-173-03

1 0

Tageszusammenfassung - Dienstag 26-07-2016
by Daily end-of-shift report 26 Jul '16

26 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 25-07-2016 18:00 − Dienstag 26-07-2016 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Devices with Qualcomm modems safe from critical ASN.1 telecom flaw *** --------------------------------------------- Despite initial concerns, smartphones equipped with Qualcomm modems are not vulnerable to a recently announced vulnerability that could potentially allow attackers to take over cellular network gear and consumer mobile .. --------------------------------------------- http://www.cio.com/article/3099688/devices-with-qualcomm-modems-safe-from-c… *** Patchwork cyberespionage group expands targets from governments to wide range of industries *** --------------------------------------------- Symantec finds that Patchwork now targets a variety of industries in the US, China, Japan, South East Asia, and the UK. --------------------------------------------- http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expand… *** Bugtraq: [security bulletin] HPSBGN03630 rev.1 - HP Operations Manager for Unix, Solaris, and Linux using Apache Commons Collections (ACC), Remote Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/539001 *** Trump, DNC, RNC Flunk Email Security Test *** --------------------------------------------- Donald J. Trump has repeatedly bashed Sen. Hillary Clinton for handling classified documents on her private email server, even going so far as to suggest that anyone who is so lax with email security isn’t fit to become .. --------------------------------------------- http://krebsonsecurity.com/2016/07/trump-dnc-rnc-flunk-email-security-test/ *** Bugtraq: July 2016 - Bamboo Server - Critical Security Advisory *** --------------------------------------------- http://www.securityfocus.com/archive/1/539003 *** DFN-CERT-2016-1197/">Perl: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1197/ *** Mobilfunk: Sicherheitslücke macht auch Smartphones angreifbar *** --------------------------------------------- Große Teile der Mobilfunkinfrastruktur sind laut Sicherheitsforschern über eine Lücke in einer Software-Bibliothek gefährdet. Ein Fix steht zwar bereit, doch Updates wird es für die meisten Geräte wohl nicht geben. --------------------------------------------- http://www.golem.de/news/mobilfunk-sicherheitsluecke-macht-auch-smartphones… *** Amazon Silk browser removes Google’s default encryption *** --------------------------------------------- Google’s good intentions of keeping searches made via its search engine protected through default encryption have been stymied by Amazon. A bug in the Amazon Silk .. --------------------------------------------- https://www.helpnetsecurity.com/2016/07/26/amazon-silk-bug-encryption/ *** 50+ vulnerabilities found in popular home gateway modems/routers *** --------------------------------------------- Researcher Gergely Eberhardt with Hungarian security testing outfit SEARCH Laboratory has unearthed over fifty vulnerabilities in five home gateway modems/routers used by Hungarian Cable TV operator UPC Magyarország, but also by many ISPs around the .. --------------------------------------------- https://www.helpnetsecurity.com/2016/07/26/home-gateway-modems-vulnerabilit… *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a PV guest VM to compromise or crash the host. --------------------------------------------- https://support.citrix.com/article/CTX214954 *** Low-cost wireless keyboards open to keystroke sniffing and injection attacks *** --------------------------------------------- Bastille Networks researcher Marc Newlin has discovered a set of security vulnerabilities in low-cost wireless keyboards that could be exploited to collect all passwords, security questions, sensitive personal, bank account and .. --------------------------------------------- https://www.helpnetsecurity.com/2016/07/26/keystroke-sniffing-wireless-keyb… *** DFN-CERT-2016-1199/">Xen: Zwei Schwachstellen ermöglichen u.a. das Erlangen von Administratorrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1199/ *** Command and Control Channels Using "AAAA" DNS Records, (Tue, Jul 26th) *** --------------------------------------------- Dataexfiltration and command and control channels via DNS are nothing new exactly. In many ways, DNS is an ideal covert channel. Even well-protected systems usually can connect to a recursive name server that will forward queries .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21301 *** DFN-CERT-2016-1200/">Moodle: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1200/

1 0

Tageszusammenfassung - Montag 25-07-2016
by Daily end-of-shift report 25 Jul '16

25 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 22-07-2016 18:00 − Montag 25-07-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Gratis Entschlüsselungs-Tools nehmen es mit elf Erpressungs-Trojanern auf *** --------------------------------------------- AVG und Trend Micro haben ihre kostenlosen Tools aktualisiert, mit denen Opfer von diversen Verschlüsselungs-Trojanern unter Umständen wieder Zugriff auf ihre Daten bekommen können. --------------------------------------------- http://heise.de/-3277015 *** PowerWare Ransomware Masquerades as Locky to Intimidate Victims *** --------------------------------------------- PowerWare ransomware spoofs Locky malware family in an attempt to scare victims into paying up. --------------------------------------------- http://threatpost.com/ransomware-powerware-masquerades-as-locky-to-intimida… *** Cross-platform malware Adwind infects Mac *** --------------------------------------------- We examine a cross-platform malware with a Mac payload and found the hackers behind it really didnt put that much effort into making it work on the Mac.Categories: Mac Threat analysisTags: Applemacmalwarerat(Read more...) --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2016/07/cross-platform-malwar… *** Kovter becomes almost file-less, creates a new file type, and gets some new certificates *** --------------------------------------------- Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter's persistence method and some updates on their latest malvertising campaigns. New persistence method Since June 2016,... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/07/22/kovter-becomes-almost-f… *** It Is Our Policy, (Sat, Jul 23rd) *** --------------------------------------------- How many times have you heard someone say out loud our our security policy requires...?Many times we hear and are sometimes even threatened with the security policy. Security policy should set behavioral expectations and be the basis for every technical, administrative and physical control that is implemented. Unfortunately, solid security policies are often elusive for several key reasons. I regularly get the question, How many security policiesshould I have? My response is often found by... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21293&rss *** Nemucod dot dot..WSF *** --------------------------------------------- The latest Nemucod campaign shows the malware distributing a spam email attachment with a .wsf extension, specifically ..wsf (with a double dot) extension. It is a variation of what has been observed since last year (2015) - the TrojanDownloader:JS/Nemucod malware downloader using JScript. It still spreads through spam email attachment, typically inside a .zip file,... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/07/23/nemucod/ *** Europol will Opfern von Internet-Erpressung helfen *** --------------------------------------------- Mit der Website nomoreransom.org will die Europol Opfern von Krypto-Trojanern helfen, wieder Zugang zu ihren Daten zu bekommen. --------------------------------------------- http://futurezone.at/digital-life/europol-will-opfern-von-internet-erpressu… *** Stealing Bitcoin With Math - HOPE XI *** --------------------------------------------- by Filippo Valsorda Published July 23, 2016 in Programming Explaining Bitcoin and attacks old and new. WARNING: contains more than 15 math formulas. --------------------------------------------- https://speakerdeck.com/filosottile/stealing-bitcoin-with-math-hope-xi *** Bypassing UAC on Windows 10 using Disk Cleanup *** --------------------------------------------- Matt Graeber (@mattifestation) and I recently dug into Windows 10, and discovered a rather interesting method of bypassing User Account Control [...]. Currently, there are a couple of public UAC bypass techniques, most of which require a privileged file copy using the IFileOperation COM object or WUSA extraction to take advantage of a DLL hijack. [...] The technique covered in this post differs from the other methods and provides a useful alternative as it does not rely on a privileged file... --------------------------------------------- https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cle… *** Researchers discover 110 snooping Tor nodes *** --------------------------------------------- In a period spanning 72 days, two researchers from Northeastern University have discovered at least 110 "misbehaving" and potentially malicious hidden services directories (HSDirs) on the Tor anonymity network. What's an HSDir? An HSDir is a Tor node that receives descriptors for hidden services - servers configured to receive inbound connections only through Tor, meaning their IP address and network location remains hidden - and, upon request, directs users to... --------------------------------------------- https://www.helpnetsecurity.com/2016/07/25/snooping-tor-nodes/ *** DSA-3625 squid3 - security update *** --------------------------------------------- Several security issues have been discovered in the Squid caching proxy. --------------------------------------------- https://www.debian.org/security/2016/dsa-3625 *** DSA-3626 openssh - security update *** --------------------------------------------- Eddie Harari reported that the OpenSSH SSH daemon allows userenumeration through timing differences when trying to authenticateusers. When sshd tries to authenticate a non-existing user, it will pickup a fixed fake password structure with a hash based on the Blowfishalgorithm. If real users passwords are hashed using SHA256/SHA512, thena remote attacker can take advantage of this flaw by sending largepasswords, receiving shorter response times from the server fornon-existing users. --------------------------------------------- https://www.debian.org/security/2016/dsa-3626 *** DSA-3627 phpmyadmin - security update *** --------------------------------------------- Several vulnerabilities have been fixed in phpMyAdmin, the web-basedMySQL administration interface. --------------------------------------------- https://www.debian.org/security/2016/dsa-3627 *** [2016-07-25] Multiple vulnerabilities in Micro Focus (Novell) Filr appliance *** --------------------------------------------- The Micro Focus (Novell) Filr Appliance contains several vulnerabilities that, when combined, allow an unauthenticated attacker to execute arbitrary system commands as the user "root" or allow an authenticated attacker to hijack user and administrator sessions. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** Filr 2.0 - Security Update 2 *** --------------------------------------------- Abstract: This patch provides a number of Security Updates for Filr, Search and MySQL 2.0.0 appliances including updated Java applets.Document ID: 5250090Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:Filr-2.0.0.465.HP.zip (204.82 MB)preinstall-filr20su2.zip (409 bytes)Search-2.0.0.414.HP.zip (24.96 MB)MySQL-2.0.0.195.HP.zip (24.2 MB)Products:Filr 2Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=3V-3ArYN85I~ *** Filr 1.2 - Security Update 3 *** --------------------------------------------- Abstract: This patch provides a number of Security Updates for Filr, Search and MySQL 1.2 appliances including updated Java applets.Document ID: 5250470Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:MySQL-1.2.0.416.HP.zip (11 kB)Filr-1.2.0.871.HP.zip (153.52 MB)Search-1.2.0.1008.HP.zip (11.04 kB)Products:Filr 1.2Superceded Patches: None --------------------------------------------- https://download.novell.com/Download?buildid=BOTiHcBFfv0~ *** Bugtraq: CA20160721-01: Security Notice for CA eHealth *** --------------------------------------------- CA20160721-01: Security Notice for CA eHealth --------------------------------------------- http://www.securityfocus.com/archive/1/538982 *** Vuln: Objective Systems ASN1C CVE-2016-5080 Heap Based Buffer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/91836 *** Vulnerability in Objective Systems ASN1C Compiler Affecting Cisco Products *** --------------------------------------------- A vulnerability in the ASN1C compiler by Objective Systems affects Cisco ASR 5000 devices running StarOS and Cisco Virtualized Packet Core (VPC) systems. The vulnerability could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or potentially execute arbitrary code. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the Linux kernel affects PowerKVM (CVE-2016-3044) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023969 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in ImageMagick affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023934 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in ntp affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023885 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in PCRE affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023886 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in lcms affects PowerKVM (CVE-2013-7455) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023876 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM Tivoli Storage Manager Administration Center (CVE-2016-4560) *** http://www.ibm.com/support/docview.wss?uid=swg21985483 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM Tivoli Monitoring for Tivoli Storage Manager Server (CVE-2016-4560) *** http://www.ibm.com/support/docview.wss?uid=swg21984949 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 22-07-2016
by Daily end-of-shift report 22 Jul '16

22 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 21-07-2016 18:00 − Freitag 22-07-2016 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** 15 Vulnerabilities in SAP HANA Outlined *** --------------------------------------------- SAP recently fixed 15 different vulnerabilities that existed in the database management system HANA and subsequent communication channels. The bugs affect 10,000 users running the software. --------------------------------------------- http://threatpost.com/15-vulnerabilities-in-sap-hana-outlined/119406/ *** IDM 4.5 JDBC Fanout 1.0.1.0 *** --------------------------------------------- https://download.novell.com/Download?buildid=GfcX9EX05Hs~ *** DSA-3624 mysql-5.5 - security update *** --------------------------------------------- Several issues have been discovered in the MySQL database server. Thevulnerabilities are addressed by upgrading MySQL to the new upstreamversion 5.5.50. Please see the MySQL 5.5 Release Notes and OraclesCritical Patch Update advisory for further details: --------------------------------------------- https://www.debian.org/security/2016/dsa-3624 *** CrypMIC ransomware is a CryptXXX copycat, with a few twists *** --------------------------------------------- CryptXXX ransomware has a doppelganger - its called CrypMIC. And the resemblance doesnt appear to be a coincidence. --------------------------------------------- http://www.scmagazine.com/crypmic-ransomware-is-a-cryptxxx-copycat-with-a-f… *** Security Notice - Statement on Heap Overflow Vulnerability in Code Generated by Objective Systems ASN1C *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160722-01-… *** HPE IceWall Identity Manager and HPE IceWall SSO Password Reset Option running Apache Commons FileUpload, Remote Denial of Service (DoS) *** --------------------------------------------- A potential security vulnerability has been identified with HPE IceWall Identity Manager and HPE IceWall SSO Password Reset Option running Apache Commons .. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05204371 *** US-Polizei will Smartphone eines Toten mittels künstlichem Finger entsperren *** --------------------------------------------- Eine US-Polizeibehörde will mittels eines 3D-gedruckten Fingers das Smartphone eines Toten entsperren. Sie erhofft sich, so den Mörder des Smartphone-Besitzers zu fassen. --------------------------------------------- http://heise.de/-3276618 *** Sicherheitsfirma Quadsys hat Konkurrenten gehackt *** --------------------------------------------- Mitglieder des Managements einer britischen Security-Firma sollen die Datenbanken einer konkurrierenden Firma gehackt haben, um an Kundendaten zu gelangen. Das haben die Beschuldigten nun auch zugegeben. --------------------------------------------- http://heise.de/-3276742 *** STARTTLS: Keine Verschlüsselung mit der SPD *** --------------------------------------------- Der Mailanbieter Posteo hat die Möglichkeit eingeführt, E-Mails nur noch zu verschicken, wenn der Zielserver die STARTTLS-Verschlüsselung anbietet. Dabei fielen einige Mailserver auf, die den längst etablierten Verschlüsselungsstandard nicht unterstützen. --------------------------------------------- http://www.golem.de/news/starttls-keine-verschluesselung-mit-der-spd-1607-1… *** Decrypter for Locky-mimicking PowerWare ransomware released *** --------------------------------------------- Palo Alto Networks’ researchers have created a decrypter for the variant of the PoshCoder ransomware that imitates the Locky ransomware. Dubbed PowerWare by the researchers, the malware adds the “.locky” filename .. --------------------------------------------- https://www.helpnetsecurity.com/2016/07/22/powerware-ransomware-decrypter/ *** Promi-Mailaccounts gehackt: Gefängnisstrafe für US-Amerikaner *** --------------------------------------------- Ein junger US-Amerikaner spionierte unter anderem Hollywood-Stars aus, indem er sich per Phishing Zugriff auf über 360 Mailaccounts verschaffte. Dafür wurde er nun verurteilt. --------------------------------------------- http://heise.de/-3276992

1 0

Tageszusammenfassung - Donnerstag 21-07-2016
by Daily end-of-shift report 21 Jul '16

21 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 20-07-2016 18:00 − Donnerstag 21-07-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cisco Unified Computing System Performance Manager Input Validation Vulnerability *** --------------------------------------------- A vulnerability in the web framework of Cisco Unified Computing System (UCS) Performance Manager could allow an authenticated, remote attacker to execute arbitrary commands.The vulnerability is due to insufficient input validation performed on parameters .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** SoakSoak Botnets Now Pushing Neutrino Exploit Kit and CryptXXX Ransomware *** --------------------------------------------- Research spot SoakSoak botnets spreading the Neutrino Exploit Kit that in turn infect the unsuspecting with the CryptXXX ransomware. --------------------------------------------- http://threatpost.com/soaksoak-botnets-now-pushing-neutrino-exploit-kit-and… *** Everyones favorite infosec biz - Blue Coat - must cough up $40m to rival in patent rip-off row *** --------------------------------------------- >From SSL cert blowup to busted infringement appeal Blue Coat has lost its appeal challenging a nearly $40m patent infringement lawsuit brought by rival security company .. --------------------------------------------- www.theregister.co.uk/2016/07/20/blue_coat_finjan_lawsuit/ *** Tor Could Protect Your Smart Fridge From Spies and Hackers *** --------------------------------------------- There's a growing fear that the exploding internet of things - from baby cams to pacemakers - could be a goldmine for spies and criminal hackers alike. Tor could help protect them.The post Tor Could Protect Your Smart Fridge From Spies and Hackers appeared first on The Intercept. --------------------------------------------- https://theintercept.com/2016/07/20/tor-could-protect-your-smart-fridge-fro… *** Facebook malware - the missing piece *** --------------------------------------------- Recently we revealed that a threat actors exploited social networks to spread a Trojan that captures a victim's entire browser traffic. Approximately 10,000 Facebook users with Windows PCs were hit by malicious friend notifications. In this article we will explain the security issue and attack. --------------------------------------------- http://securelist.com/blog/research/75476/facebook-malware-the-missing-piec… *** Firefox blockiert bald Flash-Inhalte *** --------------------------------------------- Ab Version 48 folgt ein strengerer Umgang mit der sterbenden Web-Technologie --------------------------------------------- http://derstandard.at/2000041512429 *** Dell SonicWALL GSM comes with hidden default account *** --------------------------------------------- While developing new audit modules for the company's vulnerability scanning technology, Digital Defense researchers found six vulnerabilities in Dell's SonicWALL Global Management System, four of them deemed critical. SonicWALL GMS is a central control, .. --------------------------------------------- https://www.helpnetsecurity.com/2016/07/21/dell-sonicwall-gsm-backdoor/ *** Kritischer Fehler: Wichtiges Update für Mac-Netzwerkkontrolleur Little Snitch *** --------------------------------------------- Ein Bug ermöglicht einem Angreifer, den Netzwerkfilter der Mac-Software zu überlisten – die neu veröffentlichte Version soll das Problem ausräumen. Little Snitch überwacht ausgehende Netzwerkverbindungen in Mac OS X. --------------------------------------------- http://heise.de/-3275508 *** Ciscos Unified Computing System anfällig für Schad-Code *** --------------------------------------------- Im Unified Computing System Performance Manager klafft eine kritische Sicherheitslücke. Admins sollten die verfügbare abgesicherte Version zügig installieren. --------------------------------------------- http://heise.de/-3275609 *** Canadian Man Behind Popular 'Orcus RAT' *** --------------------------------------------- Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce .. --------------------------------------------- http://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-…

1 0

Tageszusammenfassung - Mittwoch 20-07-2016
by Daily end-of-shift report 20 Jul '16

20 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 19-07-2016 18:00 − Mittwoch 20-07-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** DDoS trends: Bigger, badder but not longer *** --------------------------------------------- 10Gbps is the new norm, warns Arbor Networks DDoS attacks once again escalated in both size and frequency during the first six months of 2016. --------------------------------------------- www.theregister.co.uk/2016/07/19/ddos_sitrep/ *** Critical Patch Update - July 2016 *** --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html *** Solaris Third Party Bulletin - July 2016 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.h… *** Oracle Linux Bulletin - July 2016 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090… *** Oracle VM Server for x86 Bulletin - July 2016 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-309054… *** ASN.1 Anyone? CVE-2016-5080, (Tue, Jul 19th) *** --------------------------------------------- *Queue Back to the Future Music* Over more than a decade ago there was a major discovery in ASN.1 that contributed to arguably one of the worst vulnerabilities in a long time. Fast forward *Queue awful fast forward tape music* to .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21277 *** WordPress admin? Thinking of spending time with the family? Think again *** --------------------------------------------- P0wnage party pops plugins, providing plenty of party-pooping projects The Dutch hacking communitys Summer of Pwnage (SoP) has disclosed three vulnerabilities in WordPress plugins, including an XSS in the popular Ninja Forms. --------------------------------------------- www.theregister.co.uk/2016/07/20/wordpress_admin_thinking_of_spending_time_… *** Flaws found in security products from AVG, Symantec and McAfee *** --------------------------------------------- Patch frenzy imminent, say researchers, thanks to bad use of code hooking Hundreds of security products may not be up the job, researchers say, thanks to flawed uses of code hooking.… --------------------------------------------- www.theregister.co.uk/2016/07/20/hooks_cooked_hackers_crack_tonnes_of_secur… *** Ruining the Magic of Magentos Encryption Library *** --------------------------------------------- Lets look at how Magento implements cryptography, with a series of exhibits followed by an explanation of whats happening and why its dangerous: ... If you looked at the code, I promise this is every bit as bad as it looks at a glance. --------------------------------------------- http://www.openwall.com/lists/oss-security/2016/07/19/3 *** Hackers Allegedly Steal 1.4M Passwords From Mac Forums, Web Hosting Talk *** --------------------------------------------- A hacker or hackers has allegedly stolen more than 1.4 million passwords, email addresses, and other data from the databases of popular forums including Web Hosting Talk, and Mac Forums and HotScripts. --------------------------------------------- https://motherboard.vice.com/read/hackers-allegedly-steal-14m-passwords-fro… *** DNSSEC-Schlüsseltausch 2017 – die Vorbereitungen laufen *** --------------------------------------------- Wer am 11. Oktober 2017 meint, dass sein Internet kaputt ist, der sollte bei seinem Provider nachfragen, ob das mit dem DNSSEC-Schlüsseltausch zu tun hat. Bis dahin ist es zwar noch ein wenig hin, doch die Vorbereitungen laufen auf Hochtouren. --------------------------------------------- http://heise.de/-3273136 *** ICS Security Training In London *** --------------------------------------------- SANS ICS London takes place on September 19-25th, at the Grand Connaught Rooms. - Attend the one-day European ICS Security Summit on Monday 19th September. - Take ICS515: ICS Active Defence and Incident Response - a 5-day course, .. --------------------------------------------- https://www.sans.org/event/ics-london-2016 *** Vtiger CRM does not properly restrict access to application data *** --------------------------------------------- http://jvn.jp/en/jp/JVN01956993/ *** WordPress plugin "Nofollow Links" vulnerable to cross-site scripting *** --------------------------------------------- http://jvn.jp/en/jp/JVN13582657/ *** Petya Ransomware Analysis Part I *** --------------------------------------------- Introduction What makes Petya a special ransomware is that it doesn’t aim to encrypt each file individually, but aims for low-level disk encryption. In this series, we’ll be looking .. --------------------------------------------- http://resources.infosecinstitute.com/petya-ransomware-analysis-part-i/ *** Rekord-Quartals-Update: Oracle fixt 276 Sicherheitslücken in seinen Produkten *** --------------------------------------------- Die meisten Schwachstellen klaffen in Fusion Middleware und der Sun System Products Suite. Aber auch Java SE ist verwundbar und bekommt Sicherheits-Updates spendiert. --------------------------------------------- http://heise.de/-3273522 *** Unechte Bank Austria-Mails und Phishing-Apps im Umlauf *** --------------------------------------------- Mit unechten Bank Austria-Nachrichten oder der Phishing-App „Bank Austria SmsSecurity“ versuchen Kriminelle, an Zugangsdaten von Kunden des Unternehmens zu gelangen. Damit verfolgen sie das Ziel, auf fremde Kosten Transaktionen durchzuführen und sich zu bereichern. --------------------------------------------- https://www.watchlist-internet.at/phishing/unechte-bank-austria-mails-und-p…

1 0

Tageszusammenfassung - Dienstag 19-07-2016
by Daily end-of-shift report 19 Jul '16

19 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 18-07-2016 18:00 − Dienstag 19-07-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Third time (un)lucky – improved Petya is out *** --------------------------------------------- So far, we dedicated several articles to the interesting, low-level ransomware called Petya, hijacking the boot sector. Each of those versions was using Salsa20 algorithm to encrypt Master File Table and make disk inaccessible. However, .. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-im… *** DSA-3622 python-django - security update *** --------------------------------------------- It was discovered that Django, a high-level Python web developmentframework, is prone to a cross-site scripting vulnerability in theadmins add/change related popup. --------------------------------------------- https://www.debian.org/security/2016/dsa-3622 *** World-Check terror suspect DB hits the web at just US$6750 *** --------------------------------------------- Last months borked Couchdb breach delivers more pain to Thomson Reuters The World-Check database that lists "heightened risk individuals and organizations" is reportedly up for sale on the dark web. --------------------------------------------- www.theregister.co.uk/2016/07/19/6750_buys_you_22_million_worldcheck_citize… *** Carbanak Gang Tied to Russian Security Firm? *** --------------------------------------------- Among the more plunderous cybercrime gangs is a group known as "Carbanak," Eastern European hackers blamed for stealing more than a billion dollars from banks. Today .. --------------------------------------------- http://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-f… *** Lauschangriff: Netzwerk-Geräte von Juniper akzeptierten selbst signierte Zertifikate *** --------------------------------------------- Juniper hat in seinem Betriebssystem Junos OS einen Bug geschlossen, der die Signatur-Prüfung von Zertifikaten aushebelte. --------------------------------------------- http://heise.de/-3270285 *** Apple aktualisiert alle seine Betriebssysteme *** --------------------------------------------- iOS 9.3.3, OS X El Captian 10.11.6, watchOS 2.2.2 und tvOS 9.2.2 stehen zum Download bereit – und beheben Fehler vor dem nächsten großen Update. --------------------------------------------- http://heise.de/-3270059 *** Malware History: Code Red *** --------------------------------------------- Fifteen years (5479 days) ago… Code Red hit its peak. An infamous computer worm, Code Red exploited a vulnerability in Microsoft Internet Information Server (IIS) to propagate. Infected servers displayed the following .. --------------------------------------------- https://labsblog.f-secure.com/2016/07/19/malware-history-code-red/ *** Cross-Site Scripting in third party library mso/idna-convert *** --------------------------------------------- https://typo3.org/news/article/cross-site-scripting-in-third-party-library-… *** Cross-Site Scripting vulnerability in typolinks *** --------------------------------------------- https://typo3.org/news/article/cross-site-scripting-vulnerability-in-typoli… *** SQL Injection in TYPO3 Frontend Login *** --------------------------------------------- https://typo3.org/news/article/sql-injection-in-typo3-frontend-login/ *** Cross-Site Scripting in TYPO3 Backend *** --------------------------------------------- https://typo3.org/news/article/cross-site-scripting-in-typo3-backend-1/ *** Pokémon Go: Sicherheitsforscher stoßen auf 215 Fake-Apps *** --------------------------------------------- In verschiedenen Android-App-Stores sollen gefährliche Trittbrettfahrer-Apps lauern, die mit Pokémon Go bis auf den Namen nichts gemein haben. Im schlimmsten Fall spionieren sie Geräte aus. --------------------------------------------- http://heise.de/-3270676 *** Long lasting Magnitude EK malvertising campaign not affected by slowdown in EK activity *** --------------------------------------------- We have been tracking a malvertising campaign distributing the Cerber ransomware linked to the actor behind the Magnitude exploit kit for months. Despite a global slowdown in .. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/exploits/2016/07/long-lasting-magn…

1 0

Tageszusammenfassung - Montag 18-07-2016
by Daily end-of-shift report 18 Jul '16

18 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 15-07-2016 18:00 − Montag 18-07-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** New Realstatistics Attack Vector Compromising Joomla Sites *** --------------------------------------------- Over the past few weeks we’ve seen a large number of Joomla websites compromised with the Realstatistics malware campaign. This mass infection is still evolving and continues .. --------------------------------------------- https://blog.sucuri.net/2016/07/new-realstatistics-attack-vector-compromisi… *** Security Advisory - Input Validation Vulnerabilities in Camera Driver of Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160716-… *** Zwei Millionen Nutzerdaten vom Ubuntu-Forum gestohlen *** --------------------------------------------- Das Internet-Forum der Linux-Distribution Ubuntu wurde gehackt. Zwei Millionen Datensätze von Nutzern wurden dabei gestohlen. Passwörter sollen nicht betroffen sein. --------------------------------------------- http://futurezone.at/digital-life/zwei-millionen-nutzerdaten-vom-ubuntu-for… *** Alter Trillian-Forumsserver gehackt, gut drei Millionen Nutzerdatensätze abgegriffen *** --------------------------------------------- Bei den Betreibern des Instant Messengers Trillian ist ein Server gehackt worden, der zu Archivzwecken Support-Forum und Blog hostete. Ein paar Millionen Nutzerdaten sind dabei in fremde Hände gelangt. Der eigentliche Messenger-Dienst ist nicht betroffen. --------------------------------------------- http://heise.de/-3269058 *** OWASP just posted AppSecEU 16 videos. Heres the playlist for those interested. *** --------------------------------------------- https://www.youtube.com/watch?v=qrTShcOW8kM&list=PLpr-xdpM8wG-Kf1_BOnT2LFZU… *** OpenSSH has user enumeration bug *** --------------------------------------------- Blowfish is faster than SHA256, and thats a problem when servers talk back A bug in OpenSSH allows an .. --------------------------------------------- www.theregister.co.uk/2016/07/17/openssh_has_user_enumeration_bug/ *** Extortion trojan watches until crims find you doing something dodgy *** --------------------------------------------- And then the extortion starts and youre asked to steal critical data A newly-detected piece of malware dubbed "Delilah" has been fingered as probably the first such code created .. --------------------------------------------- www.theregister.co.uk/2016/07/18/first_insider_theft_extortion_trojan_found/ *** Security firm clarifies power-station SCADA malware claim *** --------------------------------------------- Its not the next Stuxnet, says SentinelOne, its just very naughty code Malware hyped as aimed at the hear of power plants is nothing of the sort according to security .. --------------------------------------------- www.theregister.co.uk/2016/07/18/firm_calls_bullshit_on_scada_malware/ *** Understanding Electronic Control Units (ECUs) in Connected Automobiles and How They Can Be Hacked *** --------------------------------------------- Before you read any further, I must caution you that the weaknesses described in this article impact multiple ECUs on the market today and therefore have had all identifiers, such as references to specific automobile and ECU .. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/understanding-electron… *** Online Banking: User hatten Zugriff auf fremde Konten *** --------------------------------------------- Es ist eine Horrorvorstellung für viele Kunden: Ein Fremder schaut plötzlich auf das eigene Bankkonto. Das ist nun bei der Comdirect passiert - wegen einer technischen Panne. --------------------------------------------- http://futurezone.at/digital-life/online-banking-user-hatten-zugriff-auf-fr… *** Kritische Sicherheitslücke in CGI-Umgebungen (Apache, IIS, ...) *** --------------------------------------------- Es wurde ein Designfehler in diversen Implementationen des CGI Standards gefunden, der schwerwiegende Folgen für die Sicherheit der Webserver haben kann. CERT.at bittet daher um Beachtung der folgenden Hinweise. --------------------------------------------- https://cert.at/warnings/all/20160718.html

1 0

Tageszusammenfassung - Freitag 15-07-2016
by Daily end-of-shift report 15 Jul '16

15 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 14-07-2016 18:00 − Freitag 15-07-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Erpressungstrojaner: Locky kann jetzt auch offline *** --------------------------------------------- Eine neue Version der Locky-Ransomware kann jetzt auch Rechner ohne Internetverbindung verschlüsseln. Die Offline-Variante hat für die Opfer immerhin einen kleinen Vorteil. --------------------------------------------- http://www.golem.de/news/erpressungstrojaner-locky-kann-jetzt-auch-offline-… *** Untangling Kovter's persistence methods *** --------------------------------------------- Kovter is a click-fraud malware famous from the unconventional tricks used for persistence. It hides malicious modules in PowerShell scripts as well as in registry keys to make detection and analysis difficult. In this post we will take a deep dive into the techniques used by its latest samples to see all the elements and...Categories: Malware Threat analysisTags: click fraudkovter(Read more...) --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/ *** Security Best Practices for Azure App Service Web Apps, Part 5 *** --------------------------------------------- Microsoft's Azure App Service is a fully managed platform as a service for developers that provides features and frameworks to quickly and easily build apps for any platform and any device. Despite the ease of using Azure, developers need to keep security in mind because Azure will not take care of every aspect of security. In our first... --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/azure-app-service-web-apps-security-be… *** Reverse engineering DUBNIUM - Stage 2 payload analysis *** --------------------------------------------- Recently, we blogged about the basic functionality and features of the DUBNIUM advanced persistent threat (APT) activity group Stage 1 binary and Adobe Flash exploit used during the December 2015 incident (Part 1, Part 2). In this blog, we will go through the overall infection chain structure and the Stage 2 executable details. Stage 2 executables... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dub… *** Oracle Critical Patch Update Pre-Release Announcement - July 2016 *** --------------------------------------------- This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2016, which will be released on Tuesday, July 19, 2016. --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html *** Spähsoftware: Maxthon-Browser sendet kritische Daten nach China *** --------------------------------------------- Forscher haben entdeckt, dass der alternative Browser Maxthon sicherheitsrelevante Nutzerdaten an einen Server in Peking sendet. Die Daten ließen sich hervorragend für gezielte Angriffe nutzen. Und sie sind nur schlecht gegen Dritte abgesichert. --------------------------------------------- http://www.golem.de/news/spaehsoftware-maxthon-browser-sendet-sensible-date… *** Steueranlagen von Kraftwerken ungeschützt im Netz *** --------------------------------------------- Journalisten haben über 100 Systeme - Steuerungen von Kraftwerken, Eigenheimen und Industrieanlagen - gefunden, die ungeschützt im Netz erreichbar sind - auch in Österreich. --------------------------------------------- http://futurezone.at/digital-life/steueranlagen-von-kraftwerken-ungeschuetz… *** Neutrino EK picks up momentum in recent attacks *** --------------------------------------------- The Neutrino developers have made some changes to the landing page source code as well as integrated a new exploit. The malware campaigns that once were Anglers continue to point to Neutrino including a large malvertising attack on top adult sites we detected a few days ago.Categories: Cybercrime ExploitsTags: AnglerEKexploit kitmalvertisingneutrino(Read more...) --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2016/07/neutrino-ek-picks-up-momen… *** Debian Security Advisory DSA-3618-1 - php5 security update *** --------------------------------------------- CVE ID: CVE-2016-5768 CVE-2016-5769 CVE-2016-5770 CVE-2016-5771 CVE-2016-5772 CVE-2016-5773 Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.23, which includes additional bug fixes. --------------------------------------------- https://lists.debian.org/debian-security-announce/2016/msg00196.html *** DFN-CERT-2016-1140: FortiManager, FortiAnalyzer: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1140/ *** F5 Security Advisories *** --------------------------------------------- *** sol53084033: OpenSSL vulnerability CVE-2016-2178 *** An attacker could trigger an exploit using a timing side-channel attack to discover a DSA private key. https://support.f5.com/kb/en-us/solutions/public/k/53/sol53084033.html?ref=… --------------------------------------------- *** sol04054286: Linux kernel TCP vulnerability CVE-2016-2070 *** Successful exploitation of this vulnerability leads to a denial-of-service (DoS) attack, due to a divide-by-zero error which causes the system to stop responding. Product/Versions known to be vulnerable: ARX 6.2.0 - 6.4.0, Traffix SDC 5.0.0, 4.0.0 - 4.4.0 https://support.f5.com/kb/en-us/solutions/public/k/04/sol04054286.html?ref=… --------------------------------------------- *** sol05125306: glibc vulnerability CVE-2016-1234 *** This vulnerability may allow a context-dependent attacker to cause a denial of service (DoS) via a long name. Product/Versions known to be vulnerable: Traffix SDC 5.0.0, 4.0.0 - 4.4.0 https://support.f5.com/kb/en-us/solutions/public/k/05/sol05125306.html?ref=… --------------------------------------------- *** sol23873366: OpenSSL vulnerability CVE-2016-2177 *** This vulnerability may allow remote attackers to cause a denial-of-service (DoS) attack. https://support.f5.com/kb/en-us/solutions/public/k/23/sol23873366.html?ref=… --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Meeting Server Persistent Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco WebEx Meetings Server Administrator Interface Reflected Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco WebEx Meetings Server Reflected Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco WebEx Meetings Server Administrator Interface SQL Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco WebEx Meetings Server Command Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: XML External Entities Injection Vulnerability in IBM Traveler (CVE-2016-3039) *** http://www-01.ibm.com/support/docview.wss?uid=swg21985858 --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities have been identified in IBM JRE and WebSphere Application Server shipped with IBM Tivoli Service Automation Manager (CVE-2016-3426, CVE-2016-3427) *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000148 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) - IBM Java SDK updates April 2016 *** http://www-01.ibm.com/support/docview.wss?uid=swg21985875 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2015-0254) *** http://www-01.ibm.com/support/docview.wss?uid=swg21984732 --------------------------------------------- *** IBM Security Bulletin: A cross-site scripting vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager Version 9 (CVE-2015-7417) *** http://www.ibm.com/support/docview.wss?uid=swg21987056 --------------------------------------------- *** ICS-CERT Advisories *** --------------------------------------------- *** Schneider Electric Pelco Digital Sentry Video Management System Vulnerability *** https://ics-cert.us-cert.gov/advisories/ICSA-16-196-01 --------------------------------------------- *** Moxa MGate Authentication Bypass Vulnerability *** https://ics-cert.us-cert.gov/advisories/ICSA-16-196-02 --------------------------------------------- *** Schneider Electric SoMachine HVAC Unsafe ActiveX ControL Vulnerability *** https://ics-cert.us-cert.gov/advisories/ICSA-16-196-03 --------------------------------------------- *** Philips Xper-IM Connect Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSMA-16-196-01 --------------------------------------------- *** Advantech WebAccess ActiveX Vulnerabilities (Update A) *** https://ics-cert.us-cert.gov/advisories/ICSA-16-173-01 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 14-07-2016
by Daily end-of-shift report 14 Jul '16

14 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 13-07-2016 18:00 − Donnerstag 14-07-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Troldesh ransomware influenced by (the) Da Vinci code *** --------------------------------------------- We at the MMPC are constantly tracking new and emerging ransomware threats so we can be one step ahead of active campaigns and help protect our users. As part of these efforts, we recently came across a new variant of the Win32/Troldesh ransomware family. Ransomware, like most malware, is constantly trying to change itself in... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-inf… *** The Power of Web Shells, (Wed, Jul 13th) *** --------------------------------------------- [Warning: this diary contains many pictures and may take some time to load on slow links] Web shellsare not new in the threats landscape. A web shell is a script (written in PHP, ASL, Perl, ... - depending on the available environment) that can be uploaded to a web server to enable remote administration. If web shells are usually installed for good purposes, many of them are installed on compromisedservers. Once in place, the web shell will allow a complete takeover of the victims server but it... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21257&rss *** PCI for SMB - Requirement 2- Do Not Use Defaults *** --------------------------------------------- In this series of articles, we talk about PCI and how it affects SMBs (small/medium sized businesses) that are going through the compliance process using the PCI SAQ's (Self Assessment Questionaries). --------------------------------------------- https://blog.sucuri.net/2016/07/pci-for-smb-requirement-2-do-not-use-defaul… *** Beware of ws-xmlrpc library in your Java App *** --------------------------------------------- Apache XML-RPC is a XML-RPC library for Java. XML-RPC is a protocol for making remote procedure call via HTTP with the help of XML. Apache XML-RPC can be used on the client's side to make XML-RPC calls as well as on the server's side to expose some functionality via XML-RPC. Now ws-xmlrpc library is not supported by Apache. Last version is 3.1.3 which was released in 2013. However, many applications still use ws-xmlrpc library. Among them are Apache Continuum and Apache Archiva. --------------------------------------------- https://0ang3el.blogspot.co.at/2016/07/beware-of-ws-xmlrpc-library-in-your.… *** Join ENISA study on cloud security and eHealth *** --------------------------------------------- ENISA, using its prior knowledge on cloud security, launches a study on cloud and eHealth. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/join-enisa-study-on-cloud-secur… *** DLL Hijacking Attacks Revisited *** --------------------------------------------- This article is all about different DLL hijacking attacks techniques used by malware to achieve persistence. We will be discussing DLL search order hijacking, DLL Side loading, and Phantom DLL Hijacking techniques. Also, we will see how can we detect it and prevent the DLL hijacking attack. What is DLL hijacking? DLL provide common code... --------------------------------------------- http://resources.infosecinstitute.com/dll-hijacking-attacks-revisited/ *** Github Engineering: SYN Flood Mitigation with synsanity *** --------------------------------------------- In an effort to reduce the impact of these attacks, we began work on a series of additional mitigation strategies and systems to better prepare us for a future attack of a similar nature. Today we're sharing our mitigation for one of the attacks we received: synsanity, a SYN flood DDoS mitigation module for Linux 3.x. --------------------------------------------- http://githubengineering.com/syn-flood-mitigation-with-synsanity/ *** The Value of a Hacked Company *** --------------------------------------------- Most organizations only grow in security maturity the hard way -- that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organizations overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised. --------------------------------------------- http://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/ *** Warnung vor der Verschlüsselungssoftware "Cerber" *** --------------------------------------------- [...] Die Ransomware „Cerber“ wird aktuell durch gefälschte Bewerbungsschreiben verbreitet. Die Täter antworten auf Stellenangebote im Internet und versenden den Schadcode mit den beigefügten Dateien, die beispielsweise als Lebenslauf getarnt sind. Dadurch verleihen sie ihren Emails eine erhöhte Plausibilität und Glaubwürdigkeit. Beim Öffnen der Datei wird der Schadcode ausgeführt bzw. aus dem Internet nachgeladen. In weiterer Folge werden Daten auf sämtlichen im Netzwerk befindlichen Computern und Laufwerken verschlüsselt. --------------------------------------------- http://www.bmi.gv.at/cms/BK/betrug/files/C4_Newsletter_Ransomware_Cerber.pdf *** LibTIFF Buffer Index Error in TIFFReadRawStrip1() and TIFFReadRawTile1() Lets Remote Users Obtain Potentially Sensitive Information on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1036300 *** Bugtraq: [ERPSCAN-16-021] SAP xMII - Reflected XSS vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/538900 *** Bugtraq: [ERPSCAN-16-020] SAP NetWeaver AS JAVA UDDI component - XXE vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/538901 *** Bugtraq: [ERPSCAN-16-019] SAP NetWeaver Enqueue Server - DoS vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/538902 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect StoredIQ (CVE-2016-2107) *** --------------------------------------------- OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by StoredIQ. StoredIQ has addressed the applicable CVEs. CVE(s): CVE-2016-2107 Affected product(s) and affected version(s): StoredIQ v7.6 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21985359X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/112854 --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21985359 *** IBM Security Bulletin: A JMX component vulnerability in IBM Java SDK and IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement (CVE-2016-3427) *** --------------------------------------------- The IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement products are affected by a JMX component security vulnerability that exists in IBM SDK Java Technology Edition and IBM WebSphere Application Server. This issue was disclosed as part of the IBM Java SDK updates in April 2016. CVE(s): CVE-2016-3427 Affected product(s) and affected... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21986797 *** IBM Security Bulletin: IBM Traveler installer impacted by vulnerability in InstallAnywhere (CVE-2016-2542) *** --------------------------------------------- IBM Traveler installer utilizes a version of Flexera InstallAnywhere which could allow a local attacker to gain elevated privileges on the system. CVE(s): CVE-2016-2542 Affected product(s) and affected version(s): IBM Traveler 8.5.3 IBM Traveler 9.0 IBM Traveler 9.0.1 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21984632X-Force Database: --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21984632 *** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM License Metric Tool v7.5 & v7.2.2, IBM Tivoli Asset Discovery for Distributed and IBM Endpoint Manger for Software Use Analysis v2.2 (CVE-2016-4560) *** --------------------------------------------- A vulnerability in InstallAnywhere on Windows systems affects IBM License Metric Tool v7.5 & v7.2.2, IBM Tivoli Asset Discovery for Distributed and IBM Endpoint Manger for Software Use Analysis v2.2. CVE(s): CVE-2016-4560 Affected product(s) and affected version(s): IBM License Metric Tool v7.5 & v7.2.2 IBM Tivoli Asset Discovery for Distributed IBM Endpoint Manger for Software... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21983503 *** USN-3032-1: eCryptfs vulnerability *** --------------------------------------------- Ubuntu Security Notice USN-3032-114th July, 2016ecryptfs-utils vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 15.10SummaryeCryptfs could be made to expose sensitive information.Software description ecryptfs-utils - eCryptfs cryptographic filesystem utilities DetailsIt was discovered that eCryptfs incorrectly configured the encrypted swappartition for certain drive types. An attacker could use this issue to discoversensitive... --------------------------------------------- http://www.ubuntu.com/usn/usn-3032-1/ *** VU#665280: Accela Civic Platform Citizen Access portal contains multiple vulnerabilities *** --------------------------------------------- Vulnerability Note VU#665280 Accela Civic Platform Citizen Access portal contains multiple vulnerabilities Original Release date: 13 Jul 2016 | Last revised: 13 Jul 2016 Overview Accela Civic Platform Citizen Access portal contains cross-site scripting and arbitrary file upload vulnerabilities. Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) - CVE-2016-5660Accela Civic Platform Citizen Access portal contains a cross-site scripting (XSS) --------------------------------------------- http://www.kb.cert.org/vuls/id/665280 *** Cisco ASR 5000 Series SNMP Community String Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS XR Software Command Injection Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS XR for NCS 6000 Packet Timer Leak Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2016-040Project: RESTful Web Services (third-party module)Version: 7.xDate: 2016-July-13Security risk: 22/25 ( Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionDescriptionThis module enables you to expose Drupal entities as RESTful web services.RESTWS alters the default page callbacks for entities to provide additional functionality.A vulnerability in this approach allows an attacker to send specially... --------------------------------------------- https://www.drupal.org/node/2765567 *** Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2016-039Project: Coder (third-party module)Version: 7.xDate: 2016-July-13Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionDescriptionThe Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.The module doesnt sufficiently validate user inputs in a script file that has... --------------------------------------------- https://www.drupal.org/node/2765575 *** Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2016-038Project: Webform Multiple File Upload (third-party module)Version: 7.xDate: 2016-July-13Security risk: 17/25 ( Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescriptionThe Webform Multiple File Upload module allows users to upload multiple files on a Webform.The Webform Multifile File Upload module contains a Remote Code Execution (RCE) vulnerability where form inputs will be unserialized and a... --------------------------------------------- https://www.drupal.org/node/2765573 *** sol08440897: Linux kernel vulnerability CVE-2016-0774 *** --------------------------------------------- Impact: A local unprivileged user may be able to leak kernel memory to user space or cause a denial-of-service (DoS). --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/08/sol08440897.html?ref=… *** sol55181425: Wget vulnerability CVE-2016-4971 *** --------------------------------------------- Impact: An attacker with local access may be able to upload arbitrary files to the system. Product/Versions known to be vulnerable: ARX 6.2.0 - 6.4.0, Traffix SDC 5.0.0, 4.0.0 - 4.4.0 --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/55/sol55181425.html?ref=… *** sol55922302: XSS in F5 WebSafe Dashboard vulnerability CVE-2016-5236 *** --------------------------------------------- Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard allow privileged authenticated user to inject arbitrary web script or HTML when creating a new user, account or signature. (CVE-2016-5236) --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/55/sol55922302.html?ref=… *** Juniper Security Advisories *** --------------------------------------------- *** JSA10751 - 2016-07 Security Bulletin: SRX Series: On High-End SRX-Series, ALGs applied to in-transit traffic may trigger high CP (central point) utilization leading to denial of services. (CVE-2016-1276) *** http://kb.juniper.net/index?page=content&id=JSA10751&actp=RSS --------------------------------------------- *** JSA10758 - 2016-07 Security Bulletin: Junos: Crafted UDP packet can lead to kernel crash on 64-bit platforms (CVE-2016-1263) *** http://kb.juniper.net/index?page=content&id=JSA10758&actp=RSS --------------------------------------------- *** JSA10756 - 2016-07 Security Bulletin: Junos: FreeBSD-SA-09:07.libc - Information leak in db(3) (CVE-2009-0590) *** http://kb.juniper.net/index?page=content&id=JSA10756&actp=RSS --------------------------------------------- *** JSA10755 - 2016-07 Security Bulletin: Junos: Self-signed certificate with spoofed trusted Issuer CN accepted as valid (CVE-2016-1280) *** http://kb.juniper.net/index?page=content&id=JSA10755&actp=RSS --------------------------------------------- *** JSA10754 - 2016-07 Security Bulletin: Junos J-Web: Privilege Escalation due to information leak (CVE-2016-1279) *** http://kb.juniper.net/index?page=content&id=JSA10754&actp=RSS --------------------------------------------- *** JSA10750 - 2016-07 Security Bulletin: Junos: mbuf leak when flooding new IPv6 MAC addresses received via VPLS instances (CVE-2016-1275) *** http://kb.juniper.net/index?page=content&id=JSA10750&actp=RSS --------------------------------------------- *** JSA10753 - 2016-07 Security Bulletin: SRX Series: Upgrades using partition option may allow unauthenticated root login (CVE-2016-1278) *** http://kb.juniper.net/index?page=content&id=JSA10753&actp=RSS --------------------------------------------- *** JSA10752 - 2016-07 Security Bulletin: Junos: Kernel crash with crafted ICMP packet (CVE-2016-1277) *** http://kb.juniper.net/index?page=content&id=JSA10752&actp=RSS --------------------------------------------- *** JSA10756 - 2016-07 Security Bulletin: Junos: FreeBSD-SA-09:07.libc - Information leak in db(3) (CVE-2009-1436) *** http://kb.juniper.net/index?page=content&id=JSA10756&actp=RSS ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 13-07-2016
by Daily end-of-shift report 13 Jul '16

13 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 12-07-2016 18:00 − Mittwoch 13-07-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** VU#123799: libbpg contains a type confusion vulnerability that leads to out of bounds write *** --------------------------------------------- Vulnerability Note VU#123799 libbpg contains a type confusion vulnerability that leads to out of bounds write Original Release date: 12 Jul 2016 | Last revised: 12 Jul 2016 Overview libbpg is a library for the BPG graphics format. libbpg 0.9.5 through 0.9.7 may allow a crafted file to write out-of-bounds, which may lead to denial of service or arbitrary code execution. Description CWE-787: Out-of-bounds Write - CVE-2016-5637According to the reporter, improper checking of... --------------------------------------------- http://www.kb.cert.org/vuls/id/123799 *** MSRT July 2016 - Cerber ransomware *** --------------------------------------------- As part of our ongoing effort to provide better malware protection, the July 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detection for Win32/Cerber, a prevalent ransomware family. The inclusion in MSRT complements our Cerber-specific family detections in Windows Defender, and our ransomware-dedicated cloud protection features. We started seeing Cerber in February... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/07/12/msrt-july-2016-cerber-r… *** Tollgrade Smart Grid EMS LightHouse Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in Tollgrade Communications, Inc.'s Smart Grid LightHouse Sensor Management System Software EMS. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-194-01 *** GE Proficy HMI SCADA CIMPLICITY Privilege Management Vulnerability *** --------------------------------------------- This advisory contains mitigation details for an improper privilege management vulnerability and recently released exploit code for the GE Proficy HMI/SCADA CIMPLICITY application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-194-02 *** Hunting for Malicious Files with MISP + OSSEC, (Tue, Jul 12th) *** --------------------------------------------- A few months ago, I wrote a diary called Unity Makes Strength which was illustrated with an example of integrationbetween a malware analysis solution and a next-generation firewall. The goal is to increase the ability to block malicious traffic as soon as possible. Today, Id like to explain how to improve the detection of malware on Windows computers thanks to the integration of MISPand OSSEC. I already presented the Malware Information Sharing Platformin another diary. About OSSEC, in a few... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21251&rss *** Patchday: Microsoft stopft Lücken in Windows, Office und SecureBoot *** --------------------------------------------- Microsoft hat elf Sicherheitsupdates für seine Produkte veröffentlicht. Die meisten davon sind als kritisch vermerkt und erlauben Angreifern aus dem Netz, eigenen Schadcode nach Belieben auszuführen. --------------------------------------------- http://heise.de/-3265524 *** Securing Smart Cars - Join ENISA study and workshop *** --------------------------------------------- ENISA is currently performing a study on cyber security measures for smart cars and earlier this year launched the ENISA CaRSEC (Cars and Roads SECurity) expert group. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/securing-smart-cars-join-enisa-… *** Security Advisory - Input Validation Vulnerability in Huawei Routers *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160713-… *** Security Advisory - Input Validation Vulnerability in WiFi Driver of Huawei Smart Phone *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160713-… *** Security Advisory - Input Validation Vulnerability in Multiple Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160713-… *** Drupal: Patch released today to fix a highly critical RCE in contributed modules, (Wed, Jul 13th) *** --------------------------------------------- Drupal announced that they will release today (Wed July13th 2016 16:00 UTC) a patch that will fix highly critical remote code execution vulnerabilities in contributed modules. Drupal core is not affected. The vulnerability is a PHP Arbitrary Code Execution and is rated up to 22/25 (based on risk calculation model used by Drupal - details here). The vulnerable modules are used on between 1.000 and 10.000 instances. If you maintain one or more Drupal websites, review the list of affected... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21255&rss *** IBM Security Bulletin: IBM Personal Communications could allow a remote user to obtain sensitive information including user passwords, allowing unauthorized access. (CVE-2016-0321) *** --------------------------------------------- IBM Personal Communications is susceptible to unauthorized access vulnerability when running on a compromised system (by the victim opening a mail with a malicious attachment or visiting a malicious website). Malware could run with user privileges but not necessarily having access to the password. An attacker could retrieve user credentials by running PowerShell Script and... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21981692 *** Using the Java Security Manager in Enterprise Application Platform 7 *** --------------------------------------------- JBoss Enterprise Application Platform 7 allows the definition of Java Security Policies per application. The way its implemented means that well also be able to define security policies per module, in addition to define one per application. The ability to apply the Java Security Manager per application, or per module in EAP 7, makes it a versatile tool in the mitigation of serious security issues, or useful for applications with strict security requirements.The main difference between EAP 6,... --------------------------------------------- https://access.redhat.com/blogs/766093/posts/2276521

1 0

Tageszusammenfassung - Dienstag 12-07-2016
by Daily end-of-shift report 12 Jul '16

12 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 11-07-2016 18:00 − Dienstag 12-07-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Security updates available for Adobe Flash Player (APSB16-25) *** --------------------------------------------- Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Platform: Windows, Macintosh, Linux and ChromeOS --------------------------------------------- https://helpx.adobe.com/security/products/flash-player/apsb16-25.html *** Bugtraq: Persistent Cross-Site Scripting in WP Live Chat Support plugin *** --------------------------------------------- A persistent Cross-Site Scripting (XSS) vulnerability has been found in the WP Live Chat Support plugin. By using this vulnerability an attacker can supply malicious code on behalf of a logged on WordPress user in order to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. --------------------------------------------- http://www.securityfocus.com/archive/1/538871 *** Serious flaw fixed in widely used WordPress plug-in *** --------------------------------------------- If youre running a WordPress website and you have the hugely popular All in One SEO Pack plug-in installed, its a good idea to update it as soon as possible. The latest version released Friday fixes a flaw that could be used to hijack the sites admin account.The vulnerability is in the plug-ins Bot Blocker functionality and can be exploited remotely by sending HTTP requests with specifically crafted headers to the website.The Bot Blocker feature is designed to detect and block spam bots based --------------------------------------------- http://www.csoonline.com/article/3093379/security/serious-flaw-fixed-in-wid… *** Hiding in White Text: Word Documents with Embedded Payloads, (Wed, Jul 6th) *** --------------------------------------------- This is a guest diary by Yaser Mansour. Due to the extensive use of images, please note that all the images are clickable to view them at full size. A PDF version of this diary is available here Malicious macros in Office documents are not new, and several samples have been analyzed here at the ISC Diary website. Usually, the macro script is used to drop the second stage malware either by reaching to the internet or by extracting a binary embedded in the Office document itself. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21227&rss *** Jigsaw Ransomware Decrypted, Again *** --------------------------------------------- Jigsaw ransomware's encryption has been thwarted by Check Point researchers that discover a fatal flaw. --------------------------------------------- http://threatpost.com/jigsaw-ransomware-decrypted-again/119186/ *** [RCESEC-2016-003][CVE-2016-4469] Apache Archiva 1.3.9 Multiple Cross-Site Request Forgeries *** --------------------------------------------- The application basically offers a Cross-Site Request Forgery protection using the a Struts-based token called "token". While many administrative functionalities like adding new users are protected on this way, the following HTTP POST-based functions are missing this token and are therefore vulnerable to CSRF: --------------------------------------------- http://www.securityfocus.com/archive/1/538877 *** [security bulletin] HPSBHF03608 rev.1 - HPE iMC PLAT and other Network Products using Apache Java Commons Collection (ACC), Remote Execution of Arbitrary Code *** --------------------------------------------- Potential Security Impact: Remote Execution of Arbitrary Code VULNERABILITY SUMMARY: A vulnerability in Apache Commons Collections (ACC) for handling Java object deserialization was addressed by HPE iMC PLAT and other network products. The vulnerability could be exploited remotely to allow execution of arbitrary code. --------------------------------------------- http://www.securityfocus.com/archive/1/538880 *** SSA-301706 (Last Update 2016-07-12): GNU C Library Vulnerability in Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706… *** The July 2016 issue of our SWITCH Security Report is available! *** --------------------------------------------- A new issue of our monthly SWITCH Security Report has just been released. The topics covered in this report are: * DAO-ism on the ethereal plane - hacker bags cryptocurrency worth USD 50 million * Ransomware - smart, greedy and unkillable * CANVAS ready to launch - bridging cybersecurity and ethics * US border guards want to be your Facebook friend - and other news on anti-terror measures The Security Report is available in both English and German. --------------------------------------------- https://securityblog.switch.ch/2016/07/12/july-2016-issue-switch-security-r… *** Erpressungs-Trojaner Ranscam schickt Daten unwiederbringlich ins digitale Nirwana *** --------------------------------------------- Wie jede Ransomware behauptet auch Ranscam, alle als Geiseln genommenen persönlichen Daten nach einer Lösegeldzahlung freizugeben. In diesem Fall haben das die Drahtzieher aber grundsätzlich gar nicht vorgesehen, warnen Sicherheitsforscher. --------------------------------------------- http://heise.de/-3265137 *** SFG: Furtim's Parent *** --------------------------------------------- The Labs team at SentinelOne recently discovered a sophisticated malware campaign specifically targeting at least one European energy company. --------------------------------------------- https://sentinelone.com/blogs/sfg-furtims-parent/ *** IBM Security Bulletins*** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru Firmware (CVE-2016-2107 CVE-2016-2176) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099429 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in icu affects IBM Flex System Chassis Management Module (CVE-2014-9654) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099427 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could expose sensitive information produced in log files of certain URLs (CVE-2016-0393) *** http://www-01.ibm.com/support/docview.wss?uid=swg21986053 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities fixed in IBM Security Privileged Identity Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg21986260 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 11-07-2016
by Daily end-of-shift report 11 Jul '16

11 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 08-07-2016 18:00 − Montag 11-07-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Researchers Develop A Way To Stop Ransomware By Watching The Filesystem *** --------------------------------------------- An anonymous reader quotes a report from Phys.Org: Ransomware -- what hackers use to encrypt your computer files and demand money in exchange for freeing those contents -- is an exploding global problem with few solutions, but a team of University of Florida researchers says it has developed a way to stop it dead in its tracks. The answer, they say, lies not in keeping it out of a computer but rather in confronting it once its there ... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/Z6eYMxY95mo/researchers-dev… *** BMWs ConnectedDrive ist löchrig *** --------------------------------------------- Die eine Schwachstelle betrifft die Registrierung von Fahrzeugen anhand einer Fahrzeugnummer (VIN). Die dafür vorgesehene Überprüfung lässt sich überrumpeln, sodass Konfigurationsdaten anderer Fahrzeuge offen stehen. Damit sollen sich nicht nur Playlisten, E-Mail-Konten, Fahrrouten und Verkehrsinformationen manipulieren, sondern Fahrzeuge auch auf- und abschließen lassen. --------------------------------------------- http://heise.de/-3262756 *** Researchers Find Over 6,000 Compromised Redis Installations *** --------------------------------------------- An anonymous Slashdot reader writes: Security researchers have discovered over 6,000 compromised installations of Redis, the open source in-memory data structure server, among the tens of thousands of Redis servers indexed by Shodan. "By default, Redis has no authentication or security mechanism enabled, and any security mechanisms must be implemented by the end user." --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/UFahhS2H-bU/researchers-fin… *** Polycom HDX 7000 Series Input Validation Flaw Lets Remote Conduct Cross-Site Scripting Attacks *** --------------------------------------------- The web client does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. --------------------------------------------- http://www.securitytracker.com/id/1036261 *** Lessons Learned from Industrial Control Systems, (Sun, Jul 10th) *** --------------------------------------------- However, like many of you, I have certain business-critical systems running on legacy hardware or requiring now-unsupported Operating Systems. These are the systems that you can't patch, or that even if they experience a compromise, you can't immediately shut them down. How to you secure networks with such constraints? --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21243&rss *** Industrial cybersecurity threat landscape *** --------------------------------------------- Expansion of the Internet makes ICS easier prey to attackers. The number of ICS components available over the Internet increases every year. Taking into account that initially many ICS solutions and protocols were designed for isolated environments, such availability often provides a malicious user with multiple capabilities to cause impact to the infrastructure behind the ICS due to lack of security controls. --------------------------------------------- http://securelist.com/analysis/publications/75343/industrial-cybersecurity-… *** System Management Mode (SMM) BIOS Vulnerability *** --------------------------------------------- Lenovo Security Advisory: LEN-8324 Potential Impact: Execution of code in SMM by an attacker with local administrative access Severity: High Scope of Impact: Industry-wide Update as of 7/7/2016: The "Product Impact" section below of this advisory has been updated. --------------------------------------------- https://support.lenovo.com/ch/en/solutions/LEN-8324 *** D-Link kündigt Sicherheits-Patch für einige Produkt-Serien an *** --------------------------------------------- Sicherheitsforscher haben eine Lücke in einer Webcam von D-Link entdeckt, über die Angreifer das Administrator-Kennwort überschreiben können. Die Schwachstelle soll noch weitere Produkte des Herstellers bedrohen. --------------------------------------------- http://heise.de/-3263433 *** Berichte über neue Erpressungswelle mit iPhone-Fernsperre *** --------------------------------------------- Angreifer setzen offenbar erneut auf 'Mein iPhone suchen', um das Gerät aus der Ferne zu sperren. Die Freigabe des iPhones erfolge nur nach Zahlung einer Lösegeldsumme, so die Drohung. --------------------------------------------- http://heise.de/-3263761 *** Cisco Adaptive Security Appliance Access Control List ICMP Echo Request Code Filtering Vulnerability *** --------------------------------------------- A vulnerability in the Cisco Adaptive Security Appliance (ASA) Software implementation of access control list (ACL) permit and deny filters for ICMP Echo Reply messages could allow an unauthenticated, remote attacker to bypass ACL configurations for an affected device. ICMP traffic that should be denied may instead be allowed through an affected device. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect Rational Insight *** http://www-01.ibm.com/support/docview.wss?uid=swg21986564 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect Rational Reporting for Development Intelligence *** http://www-01.ibm.com/support/docview.wss?uid=swg21986563 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Apache Tomcat affects Rational Insight (CVE-2015-5174) *** http://www-01.ibm.com/support/docview.wss?uid=swg21986559 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Apache Tomcat affects Rational Reporting for Development Intelligence (CVE-2015-5174) *** http://www-01.ibm.com/support/docview.wss?uid=swg21986558 --------------------------------------------- *** IBM Security Bulletin: The IBM BigFix Platform has a cross-site scripting vulnerability (CVE-2016-0269) *** http://www.ibm.com/support/docview.wss?uid=swg21985734 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM Tivoli / Security Directory Server *** http://www-01.ibm.com/support/docview.wss?uid=swg21986452 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 8-07-2016
by Daily end-of-shift report 08 Jul '16

08 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 07-07-2016 18:00 − Freitag 08-07-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Pentesters (and Attackers) Love Internet Connected Security Cameras!, (Wed, Jul 6th) *** --------------------------------------------- A recent story making the rounds in both the infosec and public press is the recent use of internet-connected security cameras as a base for DDOS attacks. They dont have a lot of CPU, but theyre linux platforms that are easily hackable, never get updated and usually have good bandwidth available to them. This shouldnt come as any surprise to folks who are in the security business, or those who do any kind of a product eval before they plug new gear into their network. I see security cameras on... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21231&rss *** D-Link Wi-Fi Camera Flaw Extends to 120 Products *** --------------------------------------------- A software component that exposed D-Link Wi-Fi cameras to remote attacks is also used in more than 120 other products sold by the company. --------------------------------------------- http://threatpost.com/d-link-wi-fi-camera-flaw-extends-to-120-products/1190… *** Zero-day flaw lets hackers tamper with your car through BMW portal *** --------------------------------------------- Researchers have disclosed zero-day vulnerabilities affecting the BMW web domain and ConnectedDrive portal which remain unpatched and open to attack. According to researchers from Vulnerability Labs, there are two main bugs both related to the BMW online service web app for ConnectedDrive, the connected car hub for new, internet-connected vehicles produced by the automaker. --------------------------------------------- http://www.zdnet.com/article/hackers-can-tamper-with-car-registration-throu… *** CryptXXX, Cryptobit Ransomware Spreading Through Campaign *** --------------------------------------------- Researchers have spotted several types of ransomware, including CryptXXX and a fairly new strain, Cryptobit, being pushed through the same shady series of domains. --------------------------------------------- http://threatpost.com/cryptxxx-cryptobit-ransomware-spreading-through-campa… *** BMW ConnectedDrive flaws could be misused to tamper with car settings *** --------------------------------------------- Security researcher Benjamin Kunz Mejri has found two vulnerabilities in the BMW ConnectedDrive web portal/web application. About the vulnerabilities in BMW ConnectedDrive The first one is a client-side cross site scripting web vulnerability that could be exploited by a remote attacker without a privileged account to inject his own malicious script codes to the client-side of the affected module context. Minimal user interaction is needed for this attack to work. --------------------------------------------- https://www.helpnetsecurity.com/2016/07/08/bmw-connecteddrive-flaws/ *** BSI-Lagedossier erklärt Krypto-Trojaner *** --------------------------------------------- Das BSI erklärt auf 35 Seiten, was es mit Ransomware auf sich hat, welche Familien wie verbreitet sind und wie man sich die Dinger vom Hals hält. --------------------------------------------- http://heise.de/-3262333 *** Keydnap: Mac-Malware will Passwörter aus Schlüsselbund klauen *** --------------------------------------------- Der als harmlose Datei getarnte Schädling versucht mit einem Trick, das Passwort des Nutzers zu erlangen. Mit Root-Rechten geht Keydnap dann auf die Jagd nach den im Schlüsselbund von OS X abgelegten Kennwörtern. --------------------------------------------- http://heise.de/-3262501 *** 1,025 Wendy's Locations Hit in Card Breach *** --------------------------------------------- At least 1,025 Wendys locations were hit by a malware-driven credit card breach that began in the fall of 2015, the nationwide fast-food chain said Thursday. The announcement marks a significant expansion in a data breach that is costing banks and credit unions plenty: Previously, Wendys had said the breach impacted fewer than 300 locations. --------------------------------------------- http://krebsonsecurity.com/2016/07/1025-wendys-locations-hit-in-card-breach/ *** Dropping Elephant APT Targets Old Windows Flaws *** --------------------------------------------- Dropping Elephant, an advanced persistent threat group, is using old exploits to target unpatched version of Windows in highly effective cyber espionage campaign. --------------------------------------------- http://threatpost.com/dropping-elephant-apt-targets-old-windows-flaws/11912… *** Initiative im Bundesrat: Härteres Vorgehen gegen Botnetz-Kriminalität *** --------------------------------------------- Wer in ein Haus einbricht, kann wegen Hausfriedensbruch oder Diebstahl zur Verantwortung gezogen werden. Wer sich Zugang zu einem fremden Rechner verschafft, soll laut einer Gesetzesinitiative ähnliches zu erwarten haben. --------------------------------------------- http://heise.de/-3262684 *** Security Advisories Relating to Symantec Products - Symantec Client IDS Driver PE File Memory Corruption Denial of Service *** --------------------------------------------- Symantecs Client Intrusion Detection System (CIDS) driver may cause a system crash when interacting with a specifically-crafted Portable Executable file. --------------------------------------------- https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s… *** Security Advisories Relating to Symantec Products - Symantec Workspace Streaming and Workspace Virtualization Path Traversal and Arbitrary File Read *** --------------------------------------------- Symantec Workspace Streaming (SWS) and Workspace Virtualization (SWV) management consoles were susceptible to a path traversal in a file download configuration file that could allow a malicious user who could access the vulnerable file to view unauthorized application files of specific file types. An authenticated console user could manipulate this same file to read any file on the host system. This could potentially provide additional information for staging additional attacks on the... --------------------------------------------- https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s… *** WECON LeviStudio Buffer Overflow Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for buffer overflow vulnerabilities in WECON's LeviStudio software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-189-01 *** Moxa Device Server Web Console Authorization Bypass Vulnerability *** --------------------------------------------- This advisory contains mitigation details for an authorization bypass vulnerability in Moxa's Device Server Web Console. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-189-02 *** Security Advisory - Two Buffer Overflow Vulnerabilities in Wi-Fi Driver of Huawei Smart Phone *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160708-… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects ProtecTIER (CVE-2016-2108) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1007982 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM MessageSight *** http://www-01.ibm.com/support/docview.wss?uid=swg21986473 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Oracle Outside In Technology affects IBM Rational DOORS Next Generation (CVE-2016-3455) *** http://www.ibm.com/support/docview.wss?uid=swg21985994 --------------------------------------------- *** IBM Security Bulletin: Fixes for Multiple Security Vulnerabilities in IBM Security Identity Manager Virtual Appliance available *** http://www-01.ibm.com/support/docview.wss?uid=swg21985736 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware, QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module and QLogic Virtual Fabric Extension Module for IBM *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099423 --------------------------------------------- *** IBM Security Bulletin: Vulnerability affects IBM Rational Team Concert GIT Integration (CVE-2016-2865 ) *** http://www.ibm.com/support/docview.wss?uid=swg21985865 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Libcurl affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru Firmware and QLogic Virtual Fabric Extension Module for IBM BladeCenter (CVE-2016-0755) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099424 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru Firmware, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module and QLogic Virtual Fabric Extension Module for IBM BladeCenter *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099425 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru Firmware, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module and QLogic Virtual Fabric Extension Module for IBM *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099426 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 7-07-2016
by Daily end-of-shift report 07 Jul '16

07 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 06-07-2016 18:00 − Donnerstag 07-07-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** New Mac backdoor malware: Eleanor *** --------------------------------------------- This new malware is only the second piece of true Mac malware spotted so far in 2016, with the first being the KeRanger ransomware. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-e… *** CryptXXX ransomware updated, (Wed, Jul 6th) *** --------------------------------------------- This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21229&rss *** [webapps] - OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities *** --------------------------------------------- Several vulnerabilities have been discovered between 2015, October and 2016, February. Reported vulnerabilities are similar to those previously discovered by hyp3rlinx, although they concern different pages. In brief, the flaws are of the following kinds: CSRF, XSS (reflected and stored), file upload and information disclosure. Most vulnerabilities need an administration access to the web application and may lead to personal information leakage or account take-over. --------------------------------------------- https://www.exploit-db.com/exploits/40065 *** Realstatistics Malware Campaign Leads To Ransomware *** --------------------------------------------- Our Incident Response Team (IRT) has been tracking a mass infection campaign over the last 2 weeks ( codenamed 'Realstatistics'). This campaign has compromised thousands of websites built on the Joomla! and WordPress Content Management System (CMS). We have codenamed the campaign 'Realstatistics' because of the domain being used by the attackers. --------------------------------------------- https://blog.sucuri.net/2016/07/joomla-wordpress-affected-by-realstatistics… *** EMC Avamar Backup Restoration Flaw Lets Remote Authenticated Users Read and Delete Files on the Target System *** --------------------------------------------- A vulnerability was reported in EMC Avamar. A remote authenticated user can read and delete files on the target system. A remote authenticated user can exploit a flaw in the backup restoration component to read and delete files on the target system. EMC Avamar Data Store and Avamar Virtual Edition are affected. --------------------------------------------- http://www.securitytracker.com/id/1036235 *** Androids July security bulletin patches 20 critical flaws *** --------------------------------------------- Google releases Android security bulletin, providing updates for 89 critical and high severity vulnerabilities affecting software and hardware components including Mediaserver, OpenSSL, BoringSSL, Bluetooth, Qualcomm, and numerous drivers. --------------------------------------------- http://www.scmagazine.com/androids-july-security-bulletin-patches-20-critic… *** mimikittenz *** --------------------------------------------- mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes. --------------------------------------------- https://github.com/putterpanda/mimikittenz *** Acer Portal Android Application - MITM SSL Certificate Vulnerability (CVE-2016-5648) *** --------------------------------------------- The Acer Portal Android application (version 3.9.3.2006 and below), installed by the manufacturer on all Acer branded Android devices, does not validate the SSL certificate it receives when connecting to the mobile application login server. --------------------------------------------- http://www.securityfocus.com/archive/1/538851 *** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-26) *** --------------------------------------------- A prenotification Security Advisory (APSB16-26) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, July 12, 2016. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1374 *** Insecure Unserialize in extension "Page path" (pagepath) *** --------------------------------------------- It has been discovered that the extension "Page path" (pagepath) is susceptible to Insecure Unserialize. --------------------------------------------- https://typo3.org/news/article/insecure-unserialize-in-extension-page-path-… *** Cross-Site Scripting in extension "CCDebug" (cc_debug) *** --------------------------------------------- It has been discovered that the extension "CCDebug" (cc_debug) is susceptible to Cross-Site Scripting. --------------------------------------------- https://typo3.org/news/article/cross-site-scripting-in-extension-ccdebug-cc… *** ZDI-16-407: Eaton ELCSoft ELCSimulator Stack Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. Authentication is not required to exploit this vulnerability. --------------------------------------------- www.zerodayinitiative.com/advisories/ZDI-16-407/ *** ZDI-16-406: Novell NetIQ Sentinel Server ReportViewServlet fileName Directory Traversal Information Disclosure Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to disclose arbitrary file contents on vulnerable installations of Novell NetIQ Sentinel Server. Authentication is required to exploit this vulnerability but it can be bypassed using a separate flaw within the LogonFormController. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-406/ *** Cisco Video Communication Server and Expressway Trusted Certificate Authentication Bypass Vulnerability *** --------------------------------------------- A vulnerability in certificate management and validation for the Mobile and Remote Access (MRA) feature for Cisco Expressway Series and TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to bypass authentication and access internal HTTP system resources. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco AMP Threat Grid Unauthorized Clean IP Access Vulnerability *** --------------------------------------------- A vulnerability in the virtual network stack of the Cisco AMP Threat Grid Appliance could allow an unauthenticated, remote attacker to access internal interfaces within the appliance. The vulnerability is due to insufficient isolation between the sandbox and other internal components. An attacker could exploit this vulnerability by submitting a malware sample crafted to exploit this flaw. An exploit could allow the attacker to intercept interprocess calls and allow them to access, modify, and delete information from the system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Virtual Server Protection for VMware (CVE-2015-3195) *** http://www.ibm.com/support/docview.wss?uid=swg21986312 --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Applications are vulnerable to a privilege escalation attack. (CVE-2016-2917) *** http://www-01.ibm.com/support/docview.wss?uid=swg21984304 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Metrics Manager (CVE-2016-3427) *** http://www-01.ibm.com/support/docview.wss?uid=swg21985522 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM eDiscovery Analyzer *** https://www-01.ibm.com/support/docview.wss?uid=swg21984496 --------------------------------------------- *** IBM Security Bulletin: Multiple Samba vulnerability issues in IBM Storwize V7000 Unified *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005814 --------------------------------------------- *** IBM Security Bulletin: Multiple Samba vulnerability issue on IBM SONAS. *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005813 --------------------------------------------- *** IBM Security Bulletin: Badlock Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2118) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005816 --------------------------------------------- *** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2015-5252) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005810 --------------------------------------------- *** IBM Security Bulletin:Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2015-7560) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005805 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in openldap2 affects IBM Flex System Chassis Management Module (CVE-2015-6908) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099421 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM UrbanCode Release (CVE-2015-5174) *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000164 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 6-07-2016
by Daily end-of-shift report 06 Jul '16

06 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 05-07-2016 18:00 − Mittwoch 06-07-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** EU-Parlament beschließt Cybersicherheitsgesetz mit Meldepflicht *** --------------------------------------------- Die europäischen Abgeordneten haben den lange umstrittenen Richtlinienentwurf zur Netz- und Informationssicherheit verabschiedet. Damit kommen auf größere Online-Anbieter und Betreiber kritischer Infrastrukturen Auflagen zu. --------------------------------------------- http://heise.de/-3258129 *** Encryption Bypass Vulnerability Impacts Half of Android Devices *** --------------------------------------------- More than half of Android devices are vulnerable to encryption bypass attack, say researchers. --------------------------------------------- http://threatpost.com/encryption-bypass-vulnerability-impacts-half-of-andro… *** Nasty BIOS bug slugs Gigabyte, hackers say *** --------------------------------------------- Vendors queue for punishment as ThinkPwn fallout spreads Gigabyte has been swept into turmoil surrounding low-level security vulnerabilities that allows attackers to kill flash protection, secure boot, and tamper with firmware on PCs by Lenovo and other vendors. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/07/06/nasty_bios_… *** HP sichert Router gegen Fremdzugriffe ab *** --------------------------------------------- Hewlett Packard Enterprise versorgt einige Netzwerk-Produkte mit Sicherheitsupdates für zum Teil zwei Jahre alten Lücken. --------------------------------------------- http://heise.de/-3256913 *** Security Advisory - Multiple Vulnerabilities in OpenSSL in May 2016 *** --------------------------------------------- CVE-2016-2108, CVE-2016-2107, CVE-2016-2106, CVE-2016-2105, CVE-2016-2109, CVE-2016-2176 Huawei has released software updates to fix this vulnerability. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160706-… *** Android-App verrät auch WLAN-Passwörter von A1-Routern *** --------------------------------------------- Mit der Android-App RouterKeygen lassen sich auch WLAN-Passwörter von A1-Routern auslesen. Betroffen sind alte Router-Modelle aus dem Jahr 2011. --------------------------------------------- http://futurezone.at/digital-life/android-app-verraet-auch-wlan-passwoerter… *** Rexroth Bosch BLADEcontrol-WebVIS Vulnerabilities *** --------------------------------------------- This advisory provides mitigation details for an SQL injection vulnerability and a cross-site scripting vulnerability in the Rexroth Bosch BLADEcontrol-WebVIS. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-187-01 *** "Elanor": Getarnte Mac-Malware stiehlt Daten und steuert Webcam *** --------------------------------------------- Backdoor verbirgt sich in Fake-App "EasyDoc", die auf Download-Seiten angeboten wird --------------------------------------------- http://derstandard.at/2000040542729 *** Cisco Prime Infrastructure Administrative Web Interface HTML Injection Vulnerability *** --------------------------------------------- A vulnerability in the administrative web interface of Cisco Prime Infrastructure (PI) could allow an authenticated, remote attacker to execute arbitrary commands on the affected system and on the devices managed by the system. ... Cisco has not released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM SDK for Node.js may be affected by CVE-2016-1669 *** http://www.ibm.com/support/docview.wss?uid=swg21986383 --------------------------------------------- *** IBM Security Bulletin: IBM SDK for Node.js may be affected by CVE-2014-9748 *** http://www.ibm.com/support/docview.wss?uid=swg21986384 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in ntp affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems (CVE-2015-5219) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099409 --------------------------------------------- *** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Multiple Open Source NTP Vulnerabilities. *** http://www-01.ibm.com/support/docview.wss?uid=swg21986167 --------------------------------------------- *** IBM Security Bulletin: Lotus Mail Security Affected By Multiple Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-4447, CVE-2016-4448, CVE-2016-4449) *** http://www-01.ibm.com/support/docview.wss?uid=swg21986391 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the Apache Xerces-C XML parser affects IBM Cognos Metrics Manager (CVE-2016-0729) *** http://www.ibm.com/support/docview.wss?uid=swg21986259 --------------------------------------------- *** IBM Security Bulletin: Content Manager OnDemand for Multiplatforms is affected by Open Source Apache Xerces-C XML parser Vulnerabilities (CVE-2016-0729) *** http://www.ibm.com/support/docview.wss?uid=swg21985363 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Cognos Metrics Manager (CVE-2016-2106, CVE-2016-2107, CVE-2016-2108) *** http://www.ibm.com/support/docview.wss?uid=swg21977114 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Virtual Server Protection for VMware (CVE-2016-2176) *** http://www-01.ibm.com/support/docview.wss?uid=swg21986313 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Sterling Connect:Express for Unix *** http://www-01.ibm.com/support/docview.wss?uid=swg21986123 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 5-07-2016
by Daily end-of-shift report 05 Jul '16

05 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 04-07-2016 18:00 − Dienstag 05-07-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** EU: 450 Millonen Euro für Cyberkriminalitäts-Forschung *** --------------------------------------------- Im Kampf gegen Cyberkriminalität will die EU-Kommission bis 2020 insgesamt 450 Millionen Euro an Forschungsausgaben bereitstellen. --------------------------------------------- http://futurezone.at/digital-life/eu-450-millonen-euro-fuer-cyberkriminalit… *** Word hole patched in 2012 is unchallenged king of Office exploits *** --------------------------------------------- Its 2016, people, even the pirates have patched Possibly the most exploited unchallenged Microsoft Office vulnerability of the last decade was found and patched in 2012. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/07/05/magento_vul… *** Getting ready for the European Cyber Security Month (ECSM) *** --------------------------------------------- ENISA together with the European Commission and its partners are preparing for this year's cyber security month running across the EU during October, focusing each week on a different topic. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/getting-ready-for-the-european-… *** Emulating and Exploiting Firmware binaries - Offensive IoT Exploitation series *** --------------------------------------------- Welcome to the third post in the "Offensive IoT Exploitation" series. In the previous one, we learned about how we can get started with analyzing firmware and extracting file systems. In this post, we will take it a step further by analyzing individual binaries from firmware, and even exploiting commonly found vulnerabilities. There are two... --------------------------------------------- http://resources.infosecinstitute.com/emulating-and-exploiting-firmware-bin… *** Exploiting Format Strings: Getting the Shell *** --------------------------------------------- In this article, we will have a look at how to exploit format String vulnerabilities to get a shell. Overview: In this article, we will briefly have a look at how to overwrite specific memory location, how to inject our shellcode in current memory of program and further overwrite the some desired memory address to... --------------------------------------------- http://resources.infosecinstitute.com/exploiting-format-strings-getting-the… *** 85 Millionen Android-Geräte von HummingBad-Malware befallen *** --------------------------------------------- HummingBad rootet Geräte und klickt auf Werbebanner, warnen Sicherheitsforscher. Das bringe den Kriminellen 300.000 US-Dollar im Monat ein. In Deutschland sollen zehntausende Geräte infiziert sein. --------------------------------------------- http://heise.de/-3254664 *** SSD Advisory - Wget Arbitrary Commands Execution *** --------------------------------------------- A vulnerability in the way wget handles redirects allows attackers that are able to hijack a connection initiated by wget or compromise a server from which wget is downloading files from, would allow them to cause the user running wget to execute arbitrary commands. --------------------------------------------- https://blogs.securiteam.com/index.php/archives/2701 *** Paper: New Keylogger on the Block *** --------------------------------------------- In a new paper published by Virus Bulletin, Sophos researcher Gabor Szappanos takes a look at the KeyBase keylogger, sold as a commercial product and popular among cybercriminals who use it in Office exploit kits. Read more... --------------------------------------------- https://www.virusbulletin.com/blog/2016/07/paper-new-keylogger-block/ *** Lenovo ThinkPwn UEFI exploit also affects products from other vendors *** --------------------------------------------- A critical vulnerability that was recently found in the low-level firmware of Lenovo ThinkPad systems also reportedly exists in products from other vendors, including HP and Gigabyte Technology.An exploit for the vulnerability was published last week and can be used to execute rogue code in the CPUs privileged SMM (System Management Mode).This level of access can then be used to install a stealthy rootkit inside the computers Unified Extensible Firmware Interface (UEFI) -- the modern BIOS -- or... --------------------------------------------- http://www.csoonline.com/article/3091753/security/lenovo-thinkpwn-uefi-expl… *** Apache Update: TLS Certificate Authentication Bypass with HTTP/2 (CVE-2016-4979), (Tue, Jul 5th) *** --------------------------------------------- Apache released an important update today to fix a vulnerability that affects servers that have http/2 enabled and use TLS client certificates for authentication. Apache 2.4.18-20 are vulnerable if: - TLS certificates are used for authenticating clients (look for the SSLVerifyClient require directive in your configuration file) - http/2 is enabled. (see if the Protocols line includes h2 and/or h2c).">tshark -Y ssl.handshake.extensions_alpn_str == h2 -n -i en0 \ -T fields -e ip.src -e... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21223&rss *** Unechte Amazon-Nachricht: Rechnung uber Ihre Verkaeufergebuehren *** --------------------------------------------- Kriminelle versenden vermeintliche Amazon-Benachrichtigungen. Darin behaupten sie, dass eine Steuerrechnung verfügbar sei. Interessenten, die diese einsehen wollen, sollen einen Dateianhang öffnen und ihre persönlichen Zugangsdaten bekannt geben. Dabei handelt es sich um einen Datendiebstahlsversuch. --------------------------------------------- https://www.watchlist-internet.at/phishing/unechte-amazon-nachricht-rechnun… *** (Windows) Syslog Server "npriority" field remote Denial of Service vulnerability *** --------------------------------------------- Bug Description: Syslog Server 1.2.3 is a free syslog server for Windows systems. The syslog server cannot handle the content of the npriority field well, whereupon the server may be collapsed by receiving a customized packet. --------------------------------------------- http://www.securityfocus.com/archive/1/538836 *** VU#690343: Acer Portal app for Android does not properly validate SSL certificates *** --------------------------------------------- Vulnerability Note VU#690343 Acer Portal app for Android does not properly validate SSL certificates Original Release date: 05 Jul 2016 | Last revised: 05 Jul 2016 Overview The Acer Portal app for Android allows customers to connect to the Acer Cloud. The Acer Portal app, from version 3.9.3.2003 to 3.9.3.2006, does not properly validate SSL certificates when connecting to the Acer Cloud. Description CVE-2016-5648 - CWE-295: Improper Certificate ValidationThe Acer Portal app for Android, from --------------------------------------------- http://www.kb.cert.org/vuls/id/690343 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Workload Scheduler (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176) *** http://www.ibm.com/support/docview.wss?uid=swg21985850 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Tivoli Netcool/Reporter *** http://www-01.ibm.com/support/docview.wss?uid=swg21986007 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in Firefox affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance *** http://www.ibm.com/support/docview.wss?uid=swg2C1000114 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in NPM affects IBM API Connect (CVE-2016-3956, CVE-2016-2537, CVE-2016-2515) *** http://www-01.ibm.com/support/docview.wss?uid=swg21986144 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 4-07-2016
by Daily end-of-shift report 04 Jul '16

04 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 01-07-2016 18:00 − Montag 04-07-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Spotlight: WPBeginner's Approach to WordPress Security *** --------------------------------------------- WPBeginner offers tutorials, tips, and tricks for WordPress beginners to improve their sites. With over 150K Twitter followers and almost 10 million monthly visitors, the website is undeniably popular. The high-quality content provided by WPBeginner helps WordPress users make better decisions and gain awareness of their options. Using research and thought leadership, WPBeginner offers guidance... --------------------------------------------- https://blog.sucuri.net/2016/07/spotlight-wpbeginner-website-security.html *** SQLite developers need to push the patch *** --------------------------------------------- Tempfile permissions a can of worms SQLite has pushed out an update to fix a local tempfile bug, to address concerns that the bug could be exploitable beyond the merely local. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/07/04/sqlite_deve… *** Verschlüsselung: Sicherheitslücke bei Start Encrypt *** --------------------------------------------- Sicherheitsforscher haben im Client der Lets Encrypt-Alternative Start Encrypt zahlreiche Probleme gefunden, die die Ausstellung gültiger Zertifikate für beliebige URLs ermöglichte. Der Client hatte zudem zahlreiche weitere Probleme, die jetzt behoben sein sollen. --------------------------------------------- http://www.golem.de/news/verschluesselung-sicherheitsluecke-bei-start-encry… *** Zero-Day-Sicherheitslücke gefährdet Lenovo-Notebooks *** --------------------------------------------- Durch eine schwerwiegende Zero-Day-Lücke in der Firmware von Lenovos Thinkpads kann unter Umständen beliebiger Programmcode auf dem System ausgeführt werden. --------------------------------------------- http://futurezone.at/produkte/zero-day-sicherheitsluecke-gefaehrdet-lenovo-… *** Gratis-Tools entschlüsseln Erpressungstrojaner *** --------------------------------------------- Der Sicherheitssoftware-Hersteller AVG stellt kostenlose Werkzeuge zur Verfügung, mit denen man sich gegen diverse Verschlüsselungstrojaner wehren kann. --------------------------------------------- http://futurezone.at/digital-life/gratis-tools-entschluesseln-erpressungstr… *** Großes Sicherheits-Update für Foxit Reader und Phantom *** --------------------------------------------- In dem PDF-Anzeigeprogramm Foxit Reader klaffen kritische Sicherheitslöcher, die das Update auf Version 8.0 stopft. Ebenfalls betroffen ist der PDF-Editor Phantom. --------------------------------------------- http://heise.de/-3253936 *** UPC UBEE EVW3226 WPA2 Password Reverse Engineering *** --------------------------------------------- TL;DR: We reversed default WPA2 password generation routine for UPC UBEE EVW3226 router. This blog contains firmware analysis, reversing writeup, function statistical analysis and proof-of-concept generator. --------------------------------------------- https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-Reversing.html *** Security Alert: Adwind RAT Spotted in Targeted Attacks with Zero AV Detection *** --------------------------------------------- The malware economy is alive and well! And cyber criminals are making big money by using this business model. The re-emergence of Adwind RAT provides additional proof to support this. This Java-based malware has been spotted over the weekend in several targeted attacks against Danish companies. Given that the malicious email employed to deceive victims... --------------------------------------------- https://heimdalsecurity.com/blog/security-alert-adwind-rat-targeted-attacks… *** Bugtraq: HTTP session poisoning in EMC Documentum WDK-based applications causes arbitrary code execution and privilege elevation *** --------------------------------------------- http://www.securityfocus.com/archive/1/538819 *** DSA-3613 libvirt - security update *** --------------------------------------------- Vivian Zhang and Christoph Anton Mitterer discovered that setting anempty VNC password does not work as documented in Libvirt, avirtualisation abstraction library. When the password on a VNC server isset to the empty string, authentication on the VNC server will bedisabled, allowing any user to connect, despite the documentationdeclaring that setting an empty password for the VNC server prevents allclient connections. With this update the behaviour is enforced bysetting the password expiration --------------------------------------------- https://www.debian.org/security/2016/dsa-3613 *** DSA-3614 tomcat7 - security update *** --------------------------------------------- The TERASOLUNA Framework Development Team discovered a denial of servicevulnerability in Apache Commons FileUpload, a package to make iteasy to add robust, high-performance, file upload capability to servletsand web applications. A remote attacker can take advantage of this flawby sending file upload requests that cause the HTTP server using theApache Commons Fileupload library to become unresponsive, preventing theserver from servicing other requests. --------------------------------------------- https://www.debian.org/security/2016/dsa-3614 *** Sierra Wireless AirLink Raven XE and XT Gateway Vulnerabilities *** --------------------------------------------- NCCIC/ICS-CERT is aware of a public report of three vulnerabilities affecting the Sierra Wireless AirLink Raven XE and XT gateways. According to this report, the affected products allow unauthenticated access to directories on the system, which may allow remote file upload, download, and system reboot. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-182-01 *** ZDI-16-405: Trihedral VTScada Path Out-Of-Bounds Indexing Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trihedral VTScada. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-405/ *** ZDI-16-404: Trihedral VTScada Filter Bypass Information Disclosure Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trihedral VTScada. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-404/ *** ZDI-16-403: Trihedral VTScada Directory Traversal Information Disclosure Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trihedral VTScada. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-403/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: : Multiple Vulnerabilities in OpenSSL affect IBM Security Guardium *** http://www-01.ibm.com/support/docview.wss?uid=swg21984609 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Notes Standard Client *** http://www-01.ibm.com/support/docview.wss?uid=swg21983686 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Control Center (CVE-2016-3427 and CVE-2016-3426) *** http://www.ibm.com/support/docview.wss?uid=swg21986174 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime Version 7 affect IBM Content Collector for SAP Applications (CVE-2016-3426 CVE-2016-0264) *** http://www-01.ibm.com/support/docview.wss?uid=swg21985957 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Security Guardium *** http://www-01.ibm.com/support/docview.wss?uid=swg21985729 --------------------------------------------- *** IBM Security Bulletin: IBM Sterling Connect:Direct FTP+ for Windows installers are vulnerable to attack (CVE-2016-4560) *** http://www-01.ibm.com/support/docview.wss?uid=swg21982722 --------------------------------------------- *** IBM Security Bulletin: OpenSource Oracle MySQL Vulnerability affects IBM Security Guardium (CVE-2016-2047) *** http://www-01.ibm.com/support/docview.wss?uid=swg21984605 --------------------------------------------- *** IBM Security Bulletin: : Vulnerabilities in OpenSSL affect IBM Security Guardium (CVE-2015-3197) *** http://www-01.ibm.com/support/docview.wss?uid=swg21984601 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 1-07-2016
by Daily end-of-shift report 01 Jul '16

01 Jul '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 30-06-2016 18:00 − Freitag 01-07-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** F5: Security Advisory: GraphicsMagick vulnerability CVE-2016-5118 *** --------------------------------------------- The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbitrary code via a | (pipe) character at the start of a filename. (CVE-2016-5118) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/82/sol82747025.html?… *** The Types of Penetration Testing *** --------------------------------------------- Black Box/White Box/Gray Box Testing Red/Blue/Purple Teams --------------------------------------------- http://resources.infosecinstitute.com/the-types-of-penetration-testing/ *** Apache Xerces DTD Parsing Stack Overflow Lets Remote Users Cause the Target Application to Crash *** --------------------------------------------- Apache Xerces DTD Parsing Stack Overflow Lets Remote Users Cause the Target Application to Crash --------------------------------------------- http://www.securitytracker.com/id/1036211 *** Eaton ELCSoft Programming Software Memory Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for a heap-based memory corruption vulnerability and a stack buffer overflow vulnerability in Eaton's ELCSoft programming software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-182-01 *** Sofortmaßnahmen für Unternehmen bei Cyberangriffen *** --------------------------------------------- Die ersten 72 Stunden nach einem Cyber-Angriff können für die Rechtsverfolgung entscheidend sein, erklärten Wolf Theiss-Rechtsexperten vor Journalisten. --------------------------------------------- http://futurezone.at/b2b/sofortmassnahmen-fuer-unternehmen-bei-cyberangriff… *** SSA-444217 (Last Update 2016-06-30): Information Disclosure Vulnerabilities in SICAM PAS *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-444217… *** SSA-547990 (Last Update 2016-06-30): Information Disclosure Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-547990… *** Security Advisory 2016-01: Security Update for OTRS FAQ package *** --------------------------------------------- An attacker could access and manipulate the database with an HTTP request. --------------------------------------------- https://www.otrs.com/security-advisory-2016-01-security-update-otrs-faq-pac… *** Cracking Androids full-disk encryption is easy on millions of phones - with a little patience *** --------------------------------------------- Just need a couple of common bugs, some GPUs and time Androids full-disk encryption on millions of devices can be cracked by brute-force much more easily than expected - and theres working code to prove it. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/07/01/turns_out_b… *** Joomla com_smartformer 2.4.1 Shell Upload *** --------------------------------------------- * @package SmartFormer * @version 2.4.1 (J1.5 security fix) poc: 1 - choose a site and open it 2 - Upload shell.php 3 - Go to :/components/com_smartformer/files/shell.php --------------------------------------------- https://cxsecurity.com/issue/WLB-2016070002 *** Process Hallowing *** --------------------------------------------- In this article, we will learn what process hallowing is, how is it done, and how we can detect it while performing memory analysis. --------------------------------------------- http://resources.infosecinstitute.com/process-hallowing/ *** Exploiting Format Strings (Part 1) *** --------------------------------------------- Overview : In this article, we will learn what Format String Vulnerabilities is, how we exploit it to read specific values from the stack, further we will also have a look at how we can use different format specifiers to write arbitrary values to the stack. --------------------------------------------- http://resources.infosecinstitute.com/exploiting-format-strings-part-1/ *** UEFAs Euro 2016 app is airing football fans' privates in public *** --------------------------------------------- Offside! Lack of encryption bares usernames, passwords and more The official UEFA Euro 2016 app is leaking football fans' personal data, security researchers warn. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/07/01/euro_2016_a… *** Cracking Locky's New Anti-Sandbox Technique *** --------------------------------------------- This new trick may pose challenges for automated Locky tracking systems that utilize sandboxing due to the following considerations: New Locky binaries will not execute properly without the correct parameter. JavaScript downloaders may fail to download if the download locations are already down. --------------------------------------------- https://blog.fortinet.com/2016/06/30/cracking-locky-s-new-anti-sandbox-tech… *** Magento Re-Installation & Account Hijacking Vulnerabilities *** --------------------------------------------- Before discovering my latest Magento RCE, I've found two different vulnerabilities, both resulting in the complete compromise of customer data and/or the server. As they are far less complicated, I'm presenting both of them in this single blog post for your convenience. Vulnerable Versions: Magento EE & CE 2.x.x before 2.0.6. --------------------------------------------- http://netanelrub.in/2016/07/01/magento-re-installation-account-hijacking-v… *** F5: Security Advisory: Cross Site Scripting (XSS) vulnerability in F5 WebSafe Dashboard CVE-2016-5235 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/48/sol48572812.html?… *** A year of Windows kernel font fuzzing #2: the techniques *** --------------------------------------------- Posted by Mateusz Jurczyk of Google Project ZeroIn part #1 of the series (see here), we discussed the motivation and outcomes of our year long fuzzing effort against the Windows kernel font engine, followed by an analysis of two bug collisions with Keen Team and Hacking Team that ensued as a result of this work. While the bugs themselves are surely amusing, what we find even more interesting are the techniques and decisions we made to make the project as effective as it turned out to be. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font… *** Cisco Configuration Assistant Request Processing Unauthorized Access Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Multiple Open Source PHP Vulnerabilities. *** http://www-01.ibm.com/support/docview.wss?uid=swg21985802 --------------------------------------------- *** IBM Security Bulletin: Cross-site Request Forgery (CSRF) security vulnerability in IBM WebSphere Commerce (CVE-2016-2863) *** http://www.ibm.com/support/docview.wss?uid=swg21983626 --------------------------------------------- *** IBM Security Bulletin: HTTP response splitting attack in FastBack for Workstations Central Administration Console (CVE-2016-0359) *** http://www.ibm.com/support/docview.wss?uid=swg21986310 --------------------------------------------- *** IBM Security Bulletin: InstallAnywhere Vulnerability affects Daeja ViewONE Professional, Standard & Virtual (CVE-2016-4560) *** http://www.ibm.com/support/docview.wss?uid=swg21984799 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Taglibs Vulnerability in FastBack for Workstations Central Administration Console (CVE-2015-0254) *** http://www.ibm.com/support/docview.wss?uid=swg21986309 --------------------------------------------- *** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2016Q2 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. *** http://www-01.ibm.com/support/docview.wss?uid=swg21984323 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Open Source GNU glibc affects IBM OS Images for Red Hat Linux Systems. (CVE-2015-5277) *** http://www.ibm.com/support/docview.wss?uid=swg21986400 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 30-06-2016
by Daily end-of-shift report 30 Jun '16

30 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 29-06-2016 18:00 − Donnerstag 30-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Multiple vulnerabilities in Foxit Reader *** http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/dKs5CcUo7Us http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/XgoemmeT0GY http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/XNek5RDVxp0 http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/5xiMJFpDb9o http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/BO1ORv21ejs http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/Yvk8m_ilMEE http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/BEv0AHg6Das http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/wgd366hnP7k http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/XfbdbhhiNGQ http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/mGq36S5AkiI http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/-_uz9VtYDFE http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/2K_wjeRUsls *** DSA-3608 libreoffice - security update *** --------------------------------------------- Aleksandar Nikolic discovered that missing input sanitising in the RTFparser in Libreoffice may result in the execution of arbitrary code ifa malformed documented is opened. --------------------------------------------- https://www.debian.org/security/2016/dsa-3608 *** Ransomware auf Smartphones hat sich vervierfacht *** --------------------------------------------- Erpresserische Schadsoftware auf Android-Smartphones ist laut einer Untersuchung von Kaspersky innerhalb eines Jahres um das Vierfache gestiegen. --------------------------------------------- http://futurezone.at/digital-life/ransomware-auf-smartphones-hat-sich-vervi… *** Malware Authors Adopt CEO Fraud Techniques *** --------------------------------------------- CEO Fraud scams, a type of Business Email Compromise (BEC), have gained popularity among scammers recently. These scams use the power of the CEOs name to try and elicit a .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Malware-Authors-Adopt-CEO-Fr… *** CEO Fraud Scams and How to Deal With Them at the Email Gateway *** --------------------------------------------- Email scams known as "CEO Fraud" are very common right now. They are a type of "Business Email Compromise" (BEC). There have .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/CEO-Fraud-Scams-and-How-to-D… *** Datenleck bei Terrordatenbank *** http://futurezone.at/digital-life/datenleck-bei-terrordatenbank/207.148.569 *** Phishing Campaign with Blurred Images, (Wed, Jun 29th) *** --------------------------------------------- For a few days, Im seeing a lot of phishing emails that try to steal credentials from victims. Well, nothing brand new but,this time, the scenario is quite different : The .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21207 *** DSA-3609 tomcat8 - security update *** --------------------------------------------- Multiple security vulnerabilities have been discovered in the Tomcatservlet and JSP engine, which may result in information disclosure, thebypass of CSRF protections, bypass of the SecurityManager or denial ofservice. --------------------------------------------- https://www.debian.org/security/2016/dsa-3609 *** Rooting Hummer malware brings $500,000 per day to its creator *** --------------------------------------------- Android malware with device rooting capabilities has been hitting Google Play for a while now, but for users third-party app stores the situation is even more dangerous. The Hummer malware family Hummer, an Android Trojan .. --------------------------------------------- https://www.helpnetsecurity.com/2016/06/30/rooting-hummer-malware/ *** StartEncrypt considered harmful today *** --------------------------------------------- Recently, one of our hackers (Thijs Alkemade) found a critical vulnerability in StartCom's new StartEncrypt tool, that allows an attacker to gain valid SSL certificates .. --------------------------------------------- https://www.computest.nl/blog/startencrypt-considered-harmful-today/ *** Wasserwaagen-App: Android-Trojaner im Play Store installiert ungewollt Apps *** --------------------------------------------- http://www.golem.de/news/wasserwagen-app-android-trojaner-im-play-store-ins… *** SBA Research got COMET *** --------------------------------------------- We are proud to announce that SBA Research got COMET funding for the next four years! Read the press release here. --------------------------------------------- https://www.sba-research.org/2016/06/30/sba-research-got-comet/ *** Fileless Malware - A Behavioural Analysis Of Kovter Persistence *** --------------------------------------------- During a recent talk by a representative of MalwareBytes, it was discussed that several modern malware families, notable Poweliks, Phase Bot and Kovter are moving away .. --------------------------------------------- http://blog.airbuscybersecurity.com/post/2016/03/FILELESS-MALWARE-%E2%80%93… *** What media companies don't want you to know about ad blockers *** --------------------------------------------- [...] Thompson did not say one word in his keynote address about the significant security benefits of ad blockers, which is ironic, because his paper was one of .. --------------------------------------------- http://www.cjr.org/opinion/ad_blockers_malware_new_york_times.php *** Passwort-Cracker hashcat versucht sich an Android und VeraCrypt *** --------------------------------------------- Version 3.00 des Passwort-Knackers hashcat knackt weitere Dateiformate .. --------------------------------------------- http://heise.de/-3251874

1 0

Tageszusammenfassung - Mittwoch 29-06-2016
by Daily end-of-shift report 29 Jun '16

29 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 28-06-2016 18:00 − Mittwoch 29-06-2016 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** How Red Hat uses CVSSv3 to Assist in Rating Flaws *** --------------------------------------------- Humans have been measuring risk since the dawn of time. "Im hungry, do I go outside my awesome cave here and forage for food? There might be something bigger, scarier, and hungrier than me out there...maybe I should wait?" Successfully navigating through life is a series of Risk/Reward calculations made each and every day. Sometimes, ideally, the choices are small ("Do I want fries with that?") while others can lead to catastrophic outcomes if the scenario isnt fully --------------------------------------------- https://access.redhat.com/blogs/766093/posts/CVSSv3 *** How to Compromise the Enterprise Endpoint *** --------------------------------------------- Posted by Tavis Ormandy.Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand. Today we're publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.These vulnerabilities are as bad as it gets. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-… *** E-Mail-Verschlüsselung für jedermann: Volksverschlüsselung steht bereit *** --------------------------------------------- Ab sofort können Windows-Nutzer die kostenlose Volksverschlüsselungs-Software nutzen, um E-Mails verschlüsselt über gängige Clients zu verschicken. --------------------------------------------- http://heise.de/-3250728 *** Europäisches Konsortium für cloud-basierte Unterschriften und Siegel gegründet *** --------------------------------------------- Zum Start der eIDAS-Verordnung haben euopäische Signatur-Dienstleister auf Initiative von Adobe das Cloud Signature Consortium (CSC) gegründet. Es soll einen offenen Standard für cloud-basierte Signaturen und Siegel erarbeiten. --------------------------------------------- http://heise.de/-3250807 *** Malware gibt sich als WhatsApp aus und stiehlt Daten *** --------------------------------------------- Auch andere Android-Apps wie Uber oder der Google Play Store wird von der Schadsoftware imitiert, um Kreditkartendaten zu erbeuten. --------------------------------------------- http://futurezone.at/digital-life/malware-gibt-sich-als-whatsapp-aus-und-st… *** Home security systems hacked with 1234 password - Update *** --------------------------------------------- Many smart home security systems come with standard passwords. Potential intruders can deactivate them online and use them to spy on homes - the affected systems are in use in many countries globally. --------------------------------------------- http://www.heise.de/ct/artikel/Home-security-systems-hacked-with-1234-passw… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: WebSphere Application Server Liberty API Discovery feature has potential vulnerability (CVE-2016-2945) *** http://www-01.ibm.com/support/docview.wss?uid=swg21984502 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021361 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in java affect Power Hardware Management Console (CVE-2016-3426 ) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021385 --------------------------------------------- *** IBM Security Bulletin: Cross Site Scripting (XSS) security vulnerabilities in IBM WebSphere Commerce (CVE-2016-2862) *** http://www.ibm.com/support/docview.wss?uid=swg21983625 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Storage Productivity Center (CVE-2016-0363) *** http://www.ibm.com/support/docview.wss?uid=swg21986168 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Open Source BeanShell has been addressed by IBM Kenexa LCMS Premier (CVE-2016-2510) *** http://www.ibm.com/support/docview.wss?uid=swg21985108 --------------------------------------------- *** IBM Security Bulletin: IBM Tealeaf Customer Experience installers vulnerable to attack (CVE-2016-2542) *** http://www-01.ibm.com/support/docview.wss?uid=swg21981024 --------------------------------------------- *** IBM Security Bulletin: Security Bulletin: Vulnerabilities in Ruby on Rails affect IBM License Metric Tool v9, IBM BigFix Inventory v9 and IBM Endpoint Manager for Software Use Analysis v9 & v2.2 *** http://www-01.ibm.com/support/docview.wss?uid=swg21985099 --------------------------------------------- *** Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109) *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1021361 --------------------------------------------- *** Security Bulletin: Vulnerabilities in java affect Power Hardware Management Console (CVE-2016-3426 ) *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1021385 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 28-06-2016
by Daily end-of-shift report 28 Jun '16

28 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 27-06-2016 18:00 − Dienstag 28-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Reverse Engineering Malware *** --------------------------------------------- The AlienVault Labs team does a lot of malware analysis as a part of their security research. I interviewed a couple members of our Labs team, including Patrick Snyder, Eddie Lee, Peter Ewane and Krishna Kona, to learn more about how they do it. Here are some of the approaches and tools and .. --------------------------------------------- https://www.alienvault.com/blogs/labs-research/reverse-engineering-malware *** A year of Windows kernel font fuzzing #1: the results *** --------------------------------------------- Post by Mateusz Jurczyk of Google Project ZeroThis post series is about how we used at-scale fuzzing to discover and report a total of 16 vulnerabilities in the handling of TrueType and OpenType fonts in the Windows kernel during the .. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font… *** Scientology Seeks Captive Converts Via Google Maps, Drug Rehab Centers *** --------------------------------------------- Fake online reviews generated by unscrupulous marketers blanket the Internet these days. Although online review pollution isnt exactly a hot-button consumer issue, there are plenty of cases in which phony reviews may endanger ones life or .. --------------------------------------------- http://krebsonsecurity.com/2016/06/scientology-seeks-captive-converts-via-g… *** Large CCTV Botnet Leveraged in DDoS Attacks *** --------------------------------------------- Our security operations team investigate and mitigate multiple denial of service (DDoS) attacks every single day. One recent case caught our attention because of the .. --------------------------------------------- https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.ht… *** DDoS Extortion - Almost Universally an Empty Threat *** --------------------------------------------- Last year there was an emergence of threats of DDoS against financial websites (that eventually broadened to others) under the DD4BC moniker. Eventually that morphed into Armada Collective with both stopping around .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21199 *** Nuclear goes boom *** --------------------------------------------- Silver medallist exploit kit dies alongside Angler as new top dog doubles rental price Shake ups at the top of the exploit kit world continue, with news the worlds two top pop boxes have disappeared. --------------------------------------------- www.theregister.co.uk/2016/06/28/nuclear_goes_boom/ *** The Latest Android Overlay Malware Spreading via SMS Phishing in Europe *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay… *** Locky-Sprössling: Erpressungs-Trojaner Bart verschlüsselt anders und verlangt hohes Lösegeld *** --------------------------------------------- Sicherheitsforscher beobachteten bei der Ransomware Bart eine neue Methode, Daten als Geisel zu nehmen. --------------------------------------------- http://heise.de/-3250058 *** Cybersicherheit: "Sehr viel Wissen wird nicht umgesetzt" *** --------------------------------------------- Beim Start-up-Wettbewerb Security Rockstars werden innovative Sicherheitslösungen gesucht. Einreichungen sind noch bis zum 15. Juli möglich. --------------------------------------------- http://futurezone.at/thema/start-ups/cybersicherheit-sehr-viel-wissen-wird-… *** Verschlüsselungs-Trojaner verleibt sich Zimbra-Mails ein *** --------------------------------------------- Die Schädling ZimbraCryptor infiziert die Zimbra Collaboration Suite und verschlüsselt alle Daten im E-Mail-Ordner. Dafür muss sich ein Angreifer aber in einen Zimbra-Server hacken. --------------------------------------------- http://heise.de/-3250331 *** Press conference with Minister of Interior Wolfgang Sobotka, KSÖ and SBA: Security Rockstars *** --------------------------------------------- Er hoffe auf “frische und unkonventionelle Herangehensweisen an Cybersicherheitsthemen, sagte Innenminister Wolfgang Sobotka (ÖVP) am Mittwoch bei einem Pressegespräch .. --------------------------------------------- https://www.sba-research.org/2016/06/28/pressegesprach/

1 0

Tageszusammenfassung - Montag 27-06-2016
by Daily end-of-shift report 27 Jun '16

27 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 24-06-2016 18:00 − Montag 27-06-2016 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Economical With The Truth: Making DNSSEC Answers Cheap *** --------------------------------------------- We launched DNSSEC late last year and are already signing 56.9 billion DNS record sets per day. At this scale, we care a great deal about compute cost. One of the ways we .. --------------------------------------------- https://blog.cloudflare.com/black-lies/ *** Security Advisory: Multiple Wireshark (tshark) vulnerabilities *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/87/sol87669052.html *** Security Advisory: Multiple Wireshark (tshark) vulnerabilities *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/01/sol01837042.html *** Option CloudGate Insecure Direct Object References Authorization Bypass *** --------------------------------------------- Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass .. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5333.php *** Bart - a new Ransomware *** --------------------------------------------- Phishme is reporting the discovery of a new ransomwarewhich its creators have named Bart. Bart shares several commonalities with the Locky ransomware. Bart is delivered by thesame downloader, RockLoader. The payment .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21195 *** Zwei populäre Exploit-Kits schlagartig verschwunden *** --------------------------------------------- Sicherheitsforscher haben seit mehreren Wochen keine Aktivitäten mehr durch die vormals bei Cyber-Ganoven beliebten Exploit-Kits Angler und Nuclear festgestellt. --------------------------------------------- http://heise.de/-3248999 *** How executives really feel about infosec reports *** --------------------------------------------- More than half of IT and security executives will lose their jobs as a result of failing to provide useful, actionable information. While the majority of board members say they understand everything they�re being told by IT and security .. --------------------------------------------- https://www.helpnetsecurity.com/2016/06/27/executives-infosec-reports/ *** Hackers peer into Uber passenger privates, find and plot trips on maps *** --------------------------------------------- Brute force efforts reveal 1000 discount codes Three hackers have found eight holes in Uber that could allow fake drivers to be created and user email addresses reveal, .. --------------------------------------------- www.theregister.co.uk/2016/06/27/hackers_peer_into_uber_passenger_privates_… *** Annual FiRST Conference Wrap-up *** --------------------------------------------- The 28th FiRST security event was held in - the land of morning calms' capital, Seoul this past June 12-17, 2016. This is the yearly conference for all CERT .. --------------------------------------------- https://blog.fortinet.com/2016/06/23/annual-first-conference-wrap-up *** The Threatening Evolution of Exploit Kits *** --------------------------------------------- Exploit Kits, even more sophisticated and profitable Exploit kits are rapidly evolving, threat actors improve them on a daily basis by adding the code for the exploitation of the most recent vulnerabilities. In October 2015, .. --------------------------------------------- http://resources.infosecinstitute.com/the-threatening-evolution-of-exploit-… *** Unechte PayLife-Mail: Verdacht auf Ihre letzte Transaktion *** --------------------------------------------- Mit einer unechten Benachrichtigung von PayLife versuchen Kriminelle, an Kontoinformationen von Opfern zu gelangen. Um das Ziel zu erreichen, behaupten sie, dass es bei der letzten PayLife-Transaktion zu Unstimmigkeiten gekommen sei. Aus .. --------------------------------------------- https://www.watchlist-internet.at/phishing/unechte-paylife-mail-verdacht-au… *** EU finanziert Code-Review: Open-Source-Projekte gesucht *** --------------------------------------------- Mit einem Pilotprojekt will die EU die IT-Sicherheit verbessern. Nun sind die Nutzer gefragt: Welches Open Souce-Projekt sollte einen Sicherheits-Check bekommen? --------------------------------------------- http://heise.de/-3249615 *** How to Backdoor Diffie-Hellman *** --------------------------------------------- Abstract: Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual-EC in RSAs B-Safe product, a modified Dual-EC in Junipers operating system ScreenOS and a .. --------------------------------------------- https://eprint.iacr.org/2016/644 *** The Curious Case of an Unknown Trojan Targeting German-Speaking Users *** --------------------------------------------- Last week, an unidentified malware was discovered and circulated on Twitter by researcher @JAMES_MHT. Many researchers - including us - were unable to identify the malware so we decided to dig a bit further. In this post, .. --------------------------------------------- https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-…

1 0

Tageszusammenfassung - Freitag 24-06-2016
by Daily end-of-shift report 24 Jun '16

24 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 23-06-2016 18:00 − Freitag 24-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Crypto Wars: Neue Bundesbehörde soll Verschlüsselung knacken *** --------------------------------------------- Immer mehr Kommunikationsdienste verschlüsseln Nachrichten und schützen sie vor fremden Zugriffen. Die Bundesregierung will dem offenbar nicht tatenlos zusehen und eine Behörde mit dem Knacken der Kryptographie beauftragen. --------------------------------------------- http://heise.de/-3247957 *** PCI Compliance for eCommerce – Choosing Between SAQ A and A-EP *** --------------------------------------------- The Payment Card Industry Data Security Standards (PCI DSS) is a set of security standards established in a joint venture between a number of the top credit card issuers in the world – Visa, MasterCard, American Express, .. --------------------------------------------- https://blog.sucuri.net/2016/06/navigating-pci-self-assessment-questionnair… *** How to: Testing Android Application Security, Part 2 *** --------------------------------------------- The popularity of Android devices and applications makes it a target for malware and other threats. This post is the second in a short series on Android .. --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/testing-android-application-security-p… *** Necurs Botnet is Back, Updated With Smarter Locky Variant *** --------------------------------------------- After a mysterious three weeks off the grid, Necurs has returned to spewing massive volumes of email containing improved versions of the potent Locky ransomware and Dridex banking Trojan. --------------------------------------------- http://threatpost.com/necurs-botnet-is-back-updated-with-smarter-locky-vari… *** Rockwell Automation Allen-Bradley Stratix 5400 and 5410 Packet Corruption Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a resource management vulnerability in Rockwell Automation’s Allen-Bradley Stratix 5400 and Allen-Bradley Stratix 5410 industrial networking switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-175-01 *** Unitronics VisiLogic OPLC IDE vlp File Parsing Stack Buffer Overflow Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a buffer overflow vulnerability in the Unitronics VisiLogic. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-175-02 *** Meinberg NTP Time Server Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for a stack buffer overflow vulnerability and a privilege escalation vulnerability in Meinberg’s NTP Time Servers Interface. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-175-03 *** About Lenovo Solution Center 3.3.002 Vulnerabilities (CVE-2016-5249) *** --------------------------------------------- After patching set of issues reported by Trustwave SpiderLabs last month, Lenovo released another version of its Lenovo Solution Center software to address new security .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/About-Lenovo-Solution-Center… *** Sicherheitslücke in Alarmanlagen von ABUS und Climax *** --------------------------------------------- Vernetzte Alarmanlagen sollen für Sicherheit und mehr Bedienkomfort sorgen. Durch eine Sicherheitslücke können Angreifer jedoch auf viele Systeme zugreifen – übers Internet. --------------------------------------------- http://heise.de/-3247868 *** WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting *** --------------------------------------------- http://jvn.jp/en/jp/JVN55826471/ *** WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting *** --------------------------------------------- http://jvn.jp/en/jp/JVN95082904/ *** WordPress plugin "Welcart e-Commerce" vulnerable to PHP object injection *** --------------------------------------------- http://jvn.jp/en/jp/JVN47363774/ *** [2016-06-24] ASUS DSL-N55U cross site scripting and information disclosure vulnerability *** --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** Erpressungs-Trojaner: Neue Locky-Welle infiziert Computer *** --------------------------------------------- Wer dieser Tage eine E-Mail mit Dateianhang bekommt, sollte diese noch kritischer als sonst beäugen: Aktuell verbreitet sich der Verschlüsselungs-Trojaner Locky erneut vornehmlich über vermeintliche Bewerbungs-Mails in Deutschland. --------------------------------------------- http://heise.de/-3248277 *** How to Spot Ingenico Self-Checkout Skimmers *** --------------------------------------------- A KrebsOnSecurity story last month about credit card skimmers found in self-checkout lanes at some Walmart locations got picked up by quite a few publications. Since then Ive heard from several readers who work at retailers that use .. --------------------------------------------- http://krebsonsecurity.com/2016/06/how-to-spot-ingenico-self-checkout-skimm… *** Pretty Good Privacy: 40 Jahre Diffie-Hellman *** --------------------------------------------- Am 23. Juni 1976 präsentierten Whitfield Diffie und Martin Hellman ihren Ansatz eines asymmetrischen Verschlüsselungsverfahren auf dem "Symposium on Information Theory" im schwedischen Ronneby. --------------------------------------------- http://heise.de/-3248793

1 0

Tageszusammenfassung - Donnerstag 23-06-2016
by Daily end-of-shift report 23 Jun '16

23 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 22-06-2016 18:00 − Donnerstag 23-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** After Angler: Shift in Exploit Kit Landscape and New Crytpo-Ransomware Activity *** --------------------------------------------- Early this year, we reported that in 2015, Angler came out as the top exploit kit, having contributed 59.5% in the total exploit kit activity for the year. Now, there's barely any pulse left.After the arrest of 50 people accused of using malware to steal US$25 million, it is interesting to .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-… *** ZDI-16-373: Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Deep Discovery. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-373/ *** Fraudsters are Buying IPv4 Addresses *** --------------------------------------------- IPv4 addresses are valuable, so criminals are figuring out how to buy or steal them.Hence criminals interest in ways to land themselves IP addresses, some of which were detailed this week by ARINs senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators .. --------------------------------------------- https://www.schneier.com/blog/archives/2016/06/fraudsters_are_.html *** WordPress 4.5.3 release mends eight security flaws, 17 bugs *** --------------------------------------------- WordPress has released version 4.5.3 of its content management system, fixing eight security vulnerabilities that surfaced in previous versions, as well as 17 other bugs. --------------------------------------------- http://www.scmagazine.com/wordpress-453-release-mends-eight-security-flaws-… *** Cisco Unified Contact Center Enterprise Web-Based Management Interface Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Email Security Appliance .zip File Scanning Security Bypass Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** TLS Certificate Validation Vulnerability in Citrix iOS Receiver *** --------------------------------------------- http://support.citrix.com/article/CTX213998 *** Rise of Darknet Stokes Fear of The Insider *** --------------------------------------------- With the proliferation of shadowy black markets on the so-called "darknet" -- hidden crime bazaars that can only be accessed through special software that obscures ones true location online -- it has never been easier for disgruntled employees to harm their current or former employer. At least, this is the fear driving a growing stable of companies seeking technical solutions to detect would-be insiders. --------------------------------------------- http://krebsonsecurity.com/2016/06/rise-of-darknet-stokes-fear-of-the-insid… *** Linux Kernel ROP - Ropping your way to # (Part 2) *** --------------------------------------------- Introduction In Part 1 of this tutorial, we have demonstrated how to find useful ROP gadgets and build a privilege escalation ROP chain for our test system (3.13.0-32 kernel - Ubuntu 12.04.5 LTS). We have also developed a vulnerable kernel .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropp… *** Kritische Sicherheitslücken in libarchive gefährden FreeBSD & Co. *** --------------------------------------------- Sicherheitsforscher entdecken drei schwerwiegende Sicherheitslücken in der Open-Source-Biblitohek libarchive. Patches stehen noch nicht nicht für alle Tools bereit, die auf libarchive setzen. --------------------------------------------- http://heise.de/-3246535 *** Krypto-Trojaner Cerber: Angebliche Mediamarkt-Bestellung kommt Empfänger teuer zu stehen *** --------------------------------------------- Online-Erpresser verschicken derzeit Mails, die vorgeben, dass ein bei Mediamarkt.de besteller Artikel in Kürze geliefert wird. Wer die Bestellung einsehen oder stornieren will, handelt sich einen Krypto-Trojaner ein. --------------------------------------------- http://heise.de/-3246780 *** RFC 7905: ChaCha20-Verschlüsselung für TLS standardisiert *** --------------------------------------------- Mit RFC 7905 gibt es nun eine Spezifikation, um den Verschlüsselungsalgorithmus ChaCha20 im Poly1305-Modus in TLS zu nutzen. Der von Dan Bernstein entwickelte Algorithmus ist insbesondere auf .. --------------------------------------------- http://www.golem.de/news/rfc-7905-chacha20-verschluesselung-fuer-tls-standa… *** Apple gibt erstmals Einblick in Kern von iPhone-Betriebssystem iOS10 *** --------------------------------------------- In der Beta-Variante der nächsten Version iOS 10 ist der Kernel nicht verschlüsselt --------------------------------------------- http://derstandard.at/2000039668786 *** Unpatched Remote Code Execution Flaw Exists in Swagger *** --------------------------------------------- Researchers at Rapid7 found a vulnerability in the Swagger Code Generator that could execute arbitrary code embedded in a Swagger document. --------------------------------------------- http://threatpost.com/unpatched-remote-code-execution-flaw-exists-in-swagge… *** Redefining how we share our security data. *** --------------------------------------------- Red Hat Product Security has long provided various bits of machine-consumable information to customers and users via our Security Data page. Today we are pleased to announce that we have made it even easier to access and .. --------------------------------------------- https://access.redhat.com/blogs/766093/posts/2387601 *** Defending Our Brand *** --------------------------------------------- Some months ago, it came to our attention that Comodo Group, Inc., is attempting to register at least three trademarks for the term "Let's Encrypt" for a variety of CA-related services. These trademark applications were .. --------------------------------------------- https://letsencrypt.org//2016/06/23/defending-our-brand.html *** Fünf Millionen Zertifikate: Lets Encrypt wächst rasant *** --------------------------------------------- Innerhalb von drei Monaten hat Let's Encrypt die Gesamtanzahl von kostenlos ausgestellten SSL-/TLS-Zertifikaten verfünffacht. --------------------------------------------- http://heise.de/-3247077

1 0

Tageszusammenfassung - Mittwoch 22-06-2016
by Daily end-of-shift report 22 Jun '16

22 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 21-06-2016 18:00 − Mittwoch 22-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Macro Malware Adds Tricks, Uses MaxMind to Avoid Detection *** --------------------------------------------- Macro malware continues to evolve and use new tricks to evade detection. This threat is responsible for downloading malicious Trojans such as Dridex and ransomware such as Locky. Recently McAfee Labs has encountered a new variant of macro .. --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/macro-malware-adds-tricks-uses-maxmind… *** Advantech WebAccess ActiveX Vulnerabilities *** --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-173-01 *** Schneider Electric PowerLogic PM8ECC Cross-site Scripting Vulnerability *** --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-173-02 *** DHL Packstation: Sicherheitslücke begünstigt Missbrauch der fast 3000 Paketautomaten *** --------------------------------------------- Durch eine Sicherheitslücke konnten Online-Ganoven unnötig leicht auf die Paketfächer der rund acht Millionen Packstation-Nutzer zugreifen. Als DHL das Problem bestritt, hat c't es selbst versucht. --------------------------------------------- http://heise.de/-3243343 *** Hacker, Bromium donate $30,000 in bug bounty cash to charity *** --------------------------------------------- Google hacker Tavis Ormandy and security firm Bromium have handed Amnesty International US$30,000 in bug bounty cash awarded after the former broke the latters security controls. --------------------------------------------- www.theregister.co.uk/2016/06/22/hacker_bromium_donate_30000_in_bug_bounty_… *** ENISA discusses cyber challenges of the digital transformation *** --------------------------------------------- https://www.enisa.europa.eu/news/executive-news/enisa-discusses-cyber-chall… *** DNS-Sicherheitslücke bei Apple: Weitere Plattformen betroffen *** --------------------------------------------- Neben den AirPort-Basisstationen sind auch iOS, OS X und watchOS von einer kritischen Lücke betroffen .. --------------------------------------------- http://heise.de/-3244645 *** E-Mail-Verschlüsselung: EU-Kommission hat Angst vor verschlüsseltem Spam *** --------------------------------------------- PGP ist sicher, aber in der Handhabung oft kompliziert, gerade in grossen Unternehmen. Die EU-Kommission will die Technik in einem Pilotprojekt für alle Mitarbeiter einführen. Eine Angst geht dabei um: die vor verschlüsselten Spammails. --------------------------------------------- http://www.golem.de/news/e-mail-verschluesselung-eu-kommission-hat-angst-vo… *** KSN Report: Ransomware from 2014-2016 *** --------------------------------------------- The number of users attacked with ransomware is huge. But how big is it? Ransomware seems to be a global threat. But maybe there are regions at a higher risk of danger? There seem to be a lot of ransomware malware groups. But what are the most widespread and dangerous? --------------------------------------------- http://securelist.com/analysis/publications/75145/pc-ransomware-in-2014-201… *** Microsofts entrauscht homomorphe Krypto-Library SEAL *** --------------------------------------------- Das Rechnen mit verschlüsselten Daten rückt heran. Durch einen Wechsel des zugrundeliegenden Krypto-Systems will Microsoft die homomorphe Verschlüsselung auf eine neue Stufe heben. --------------------------------------------- http://heise.de/-3243299 *** Exploiting Public Information for OSINT *** --------------------------------------------- Open source intelligence is an act of finding the information using publicly available sources; these sources could be anything, for instance; newspaper, business directories, annual reports, etc. And the scope of OSINT is not only limited to .. --------------------------------------------- http://resources.infosecinstitute.com/exploiting-public-information-for-osi… *** Online-Backup-Anbieter Carbonite fordert Nutzer zu Passwort-Reset auf *** --------------------------------------------- Wegen einer vermehrten Anzahl von unautorisierten Zugriffen auf Accounts sollten Nutzer des Online-Backup-Services Carbonite ihr Passwort zurücksetzen. --------------------------------------------- http://heise.de/-3245465 *** Return of Locky *** --------------------------------------------- There's been a lot of discussion recently of the Necurs botnet being quiet. Today, Necurs activity resumed, and a new Locky malspam campaign began! Let's look at it! --------------------------------------------- https://malcat.moe/?p=53 *** Interview with a Craigslist scammer *** --------------------------------------------- Ever wondered what motivates people who swindle others on Craigslist? Read on for a fascinating look into the mind of a small-time .. --------------------------------------------- http://www.infoworld.com/article/3086304/cyber-crime/interview-with-a-craig… *** 105.386 Österreicher von LinkedIn-Datenleck betroffen *** --------------------------------------------- In der Datenbank des Karriere-Netzwerks LinkedIn befanden sich insgesamt 15.386 österreichische Mail-Adressen und 76.344 Passwörter. --------------------------------------------- http://futurezone.at/digital-life/105-386-oesterreicher-von-linkedin-datenl… *** Vulnerability Spotlight: Pidgin Vulnerabilities *** --------------------------------------------- Pidgin is a universal chat client that is used on millions of systems worldwide. The Pidgin chat client enables you to communicate on multiple chat networks simultaneously. Talos has identified multiple vulnerabilities in the way Pidgin handles the MXit .. --------------------------------------------- http://blog.talosintel.com/2016/06/vulnerability-spotlight-pidgin.html

1 0

Tageszusammenfassung - Dienstag 21-06-2016
by Daily end-of-shift report 21 Jun '16

21 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 20-06-2016 18:00 − Dienstag 21-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Exploiting Recursion in the Linux Kernel *** --------------------------------------------- On June 1st, I reported an arbitrary recursion bug in the Linux kernel that can be triggered by a local user on Ubuntu if the system was installed with home directory encryption support. If you want to see the crasher, the exploit .. --------------------------------- http://googleprojectzero.blogspot.com/2016/06/exploiting-recursion-in-linux… *** USN-3012-1: Wget vulnerability *** --------------------------------------------- Dawid Golunski discovered that Wget incorrectly handled filenames whenbeing redirected from an HTTP to an FTP URL. --------------------------------------------- http://www.ubuntu.com/usn/usn-3012-1/ *** USN-3011-1: HAProxy vulnerability *** --------------------------------------------- Falco Schmutz discovered that HAProxy incorrectly handled the reqdenyfilter. --------------------------------------------- http://www.ubuntu.com/usn/usn-3011-1/ *** Reverse-engineering DUBNIUM's Flash-targeting exploit *** --------------------------------------------- The DUBNIUM campaign in December involved one exploit in-the-wild that affected Adobe Flash Player. In this blog, we're going to examine the technical details of the exploit that targeted vulnerability CVE-2015-8651. For .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dub… *** Cisco Integrated Services Routers OpenSSH TCP Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco 8800 Series IP Phone Filesystem Permission Enforcement Unauthorized Access Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco 8800 Series IP Phone Directory Traversal Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Red Line Drawn: China Recalculates Its Use of Cyber Espionage *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2016/06/red-line-drawn-china-e… *** Hacker erbeuten Kunden-Daten aus Acers Online-Shop *** --------------------------------------------- Unbekannte Datendiebe haben offensichtlich den nordamerikanischen Online-Shop von Acer geentert und Daten von Kunden kopiert. Darunter könnten dem Hersteller zufolge auch Kreditkarten-Daten inklusive Sicherheitscodes sein. --------------------------------------------- http://heise.de/-3242703 *** Unbefugte schleichen sich in GoToMyPC-Konten *** --------------------------------------------- Aufgrund unbefugter Zugriffe auf Nutzer-Konten, hat der Anbieter der Fernwartungs-Software GoToMyPC die Passwörter .. --------------------------------------------- http://heise.de/-3242747 *** Phishing mit gestohlenem iPhone *** --------------------------------------------- Kriminelle stehlen iPhones. Nach rund einer Woche melden sie sich bei ihren Opfern mit einer vermeintlich echten SMS von Apple. In ihr ist davon die Rede, dass das .. --------------------------------------------- https://www.watchlist-internet.at/phishing/phishing-mit-gestohlenem-iphone/ *** Apple: Mysteriöse Lücke in Airport-Router gepatcht *** --------------------------------------------- Der Airport-Router und Time-Capsule von Apple haben offenbar Probleme mit bestimmten DNS-Anfragen. Die Sicherheitslücke wurde jetzt geschlossen, möglicherweise konnten Angreifer das Netzwerk der Nutzer kompromittieren. --------------------------------------------- http://www.golem.de/news/apple-mysterioese-luecke-in-airport-router-gepatch… *** Poorly crafted LogMeIn password reset email looks phishy, but isn't *** --------------------------------------------- LogMeIn has been sending out password reset emails to some of its customers, to prevent account hijacking fuelled by the recent spate of massive login credential leaks. Unfortunately, their own legitimate email .. --------------------------------------------- https://www.helpnetsecurity.com/2016/06/21/poorly-crafted-logmein-password-… *** Zwei-Faktor-Authentifizierung: Smartphone als zweiter Schlüssel fürs Google-Konto *** --------------------------------------------- Wer die Zwei-Faktor-Authentifizierung für sein Google-Konto nutzt, muss ab sofort neben seinem Passwort keine Codes mehr eingeben, sondern kann direkt sein Smartphone zur Anmeldung nutzen. --------------------------------------------- http://heise.de/-3243338 *** Flash: Mac OS X blockiert wieder alte Versionen *** --------------------------------------------- Apples Browser Safari unterstützt das Flash-Plug-in nur noch, wenn es auf dem aktuellen Stand ist. Adobe hatte vor wenigen Tagen kritische Schwachstellen geschlossen, darunter eine Zero-Day-Lücke. --------------------------------------------- http://heise.de/-3243340 *** Finding Browser Extensions To Hunt Evil! *** --------------------------------------------- Browser extensions, sometimes called plug-ins or add-ons, provide all types of wondrous functionality on top of the web browser, some of which may be actually wanted by the user! These little gems, however, have also proved valuable .. --------------------------------------------- https://labs.opendns.com/2016/06/16/finding-browser-extensions-find-evil/

1 0

Tageszusammenfassung - Montag 20-06-2016
by Daily end-of-shift report 20 Jun '16

20 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 17-06-2016 18:00 − Montag 20-06-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Locky, Dridex, and Angler among cybercrime groups to experience fall in activity *** --------------------------------------------- There has been a sudden drop off in activity relating to a number of major malware families in recent weeks. Dridex (W32.Cridex), Locky (Trojan.Cryptolocker.AF), the Angler exploit kit and Necurs (Backdoor.Necurs), are among the threats who appear affected by this development. --------------------------------------------- http://www.symantec.com/connect/blogs/locky-dridex-and-angler-among-cybercr… *** Erpressungs-Trojaner RAA kommt mit Passwort-Dieb im Huckepack daher *** --------------------------------------------- Der Computer-Schädling RAA soll nicht nur Daten als Geisel nehmen und ein Lösegeld verlangen, sondern auch einen Trojaner mitbringen, der Passwörter abgreift. --------------------------------------------- http://heise.de/-3242139 *** You Acer holes! PC maker leaks payment cards in e-store hack *** --------------------------------------------- Lost info includes names, addresses, numbers and security codes Acers insecure customer database spilled peoples personal information - including full payment card numbers - into hackers hands for more than a year. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/06/17/what_a_pain… *** New Ransomware Written Entirely In JavaScript *** --------------------------------------------- An anonymous reader writes: Security researchers have discovered a new form of ransomware written entirely in JavaScript and using the CryptoJS library to encode a users files. Researchers say the file is being distributed through email attachments, according to SC Magazine, which reports that "Opening the attachment kicks off a series of steps that not only locks up the victims files, but also downloads some additional malware onto the target computer. ... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/MLUCGZ3AfdM/new-ransomware-… *** GoToMyPC remote desktop service resets all passwords in wake of attack *** --------------------------------------------- GoToMyPC, a remote computer administration service offered by Citrix, has forced a password reset for all customers in the wake of what they call a 'very sophisticated password attack.' Effective immediately, you will be required to reset your GoToMyPC password before you can login again, the company told customers via email on Sunday, and advised them to use their regular GoToMyPC login link to reset the password, or go through the 'Forgot Password' link --------------------------------------------- https://www.helpnetsecurity.com/2016/06/20/gotomypc-resets-passwords/ *** Understanding Critical Windows Artifacts and Their Relevance During Investigation-Part 1 *** --------------------------------------------- In this article, we will learn about critical Windows artifacts, what they mean, where they are located in the system, what can be inferred from them and how can they help in actual during the investigation. This will be a series of articles and in Part 1, we will learn about the NTFS timestamps which ... --------------------------------------------- http://resources.infosecinstitute.com/understanding-critical-windows-artifa… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL and a vulnerability in GNU glibc affect IBM Security Proventia Network Enterprise Scanner *** http://www-01.ibm.com/support/docview.wss?uid=swg21984794 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input (CVE-2016-0399) *** http://www-01.ibm.com/support/docview.wss?uid=swg21984134 --------------------------------------------- *** IBM Security Bulletin: Information disclosure vulnerability affects IBM Sterling B2B Integrator (CVE-2016-0341) *** http://www-01.ibm.com/support/docview.wss?uid=swg21985111 --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco IOS XE Software SNMP Subsystem Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower Management Center Persistent Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco cBR-8 Series Converged Broadband Router SNMP Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS Software Link Layer Discovery Protocol Processing Code Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS Software Link Layer Discovery Protocol Processing Code Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 17-06-2016
by Daily end-of-shift report 17 Jun '16

17 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 16-06-2016 18:00 − Freitag 17-06-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** SAP patches three-year-old vulnerability, plus 20 more flaws *** --------------------------------------------- SAP this week patched 21 product vulnerabilities, including an information disclosure flaw that was originally disclosed more than three years ago. --------------------------------------------- http://www.scmagazine.com/sap-patches-three-year-old-vulnerability-plus-20-… *** X86 Shellcode Obfuscation - Part 3 *** --------------------------------------------- Last time, Ive added obfuscation support for most common x86 instructions, which allowed to process the obfuscation output several times in order to get even better results. The obfuscated code output now, while being pretty well obfuscated, still is pretty easy to navigate as the execution flow is not changed. I will fix it this episode as I explain methods of implementing full blown execution flow obfuscation by injecting dozens of jumps to make the code output unrecognizable. --------------------------------------------- https://breakdev.org/x86-shellcode-obfuscation-part-3/ *** ENISA: Free online tool for the notification of personal data breaches *** --------------------------------------------- The purpose of the tool is to allow data controllers to complete and submit online a personal data breach notification to the competent authority (DPA/NRA). The tool covers all types of personal data breaches and business sectors, whether public or private. Based on the input of the notification, the tool also provides to the competent authority an assessment of the severity of the breach. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/free-online-tool-for-the-notifi… *** GitHub: Anmeldeversuche mit auf anderen Sites gestohlenen Zugangsdaten *** --------------------------------------------- Das GitHub-Team hat zahlreiche Log-in-Versuche festgestellt, die teilweise erfolgreich waren. Offensichtlich haben Hacker versucht, sich mit auf anderen Sites gestohlenen Zugangsdaten anzumelden. --------------------------------------------- http://heise.de/-3240522 *** Kryptowährung: Einbrecher stehlen 56 Millionen US-Dollar in Ether - fast *** --------------------------------------------- Sicherheitslücke bei der Bitcoin-Alternative Ethereum: Angreifer konnten 3,5 Millionen Einheiten der Ether stehlen. Eine ungewöhnliche Maßnahme soll aber verhindern, dass das Geld auch wirklich ausgezahlt wird. --------------------------------------------- http://www.golem.de/news/kryptowaehrung-einbrecher-stehlen-56-millionen-us-… *** Security updates available for Adobe Flash Player (APSB16-18) and Adobe AIR (APSB16-23) *** --------------------------------------------- Adobe has published a Security Bulletin (APSB16-18) regarding security updates that address critical vulnerabilities in Adobe Flash Player. Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1371 *** Bugtraq: [CVE-2016-1014] Escalation of privilege via executable (un)installers of Flash Player *** --------------------------------------------- http://www.securityfocus.com/archive/1/538699 *** Cisco Prime Network Registrar System Configuration Protocol Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Bugtraq: User enumeration in Skype for Business 2013 *** --------------------------------------------- http://www.securityfocus.com/archive/1/538697 *** Bugtraq: [SECURITY] [DSA 3604-1] drupal7 security update *** --------------------------------------------- http://www.securityfocus.com/archive/1/538696 *** Python urllib HTTP Header Injection *** --------------------------------------------- Topic: Python urllib HTTP Header Injection Risk: Low Text:Pythons built-in URL library ("urllib2" in 2.x and "urllib" in 3.x) is vulnerable to protocol stream injection attacks (a.k.a... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016060130 *** Solarwinds Virtualization Manager 6.3.1 Java Deserialization *** --------------------------------------------- Topic: Solarwinds Virtualization Manager 6.3.1 Java Deserialization Risk: High Text:Java Deserialization in Solarwinds Virtualization Manager 6.3.1 Product: Solarwinds Virtualization Manager Vendor: Solarwin... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016060126 *** Json2Html Cross Site Scripting *** --------------------------------------------- Topic: Json2Html Cross Site Scripting Risk: Low Text:# Exploit Title: Json2Html Javascript Library - Reflective/Persistant XSS # Date: 0 day # Exploit Author: David Silveiro # E... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016060123 *** Gemalto Sentinel License Manager 18.0.1 Directory Traversal *** --------------------------------------------- Topic: Gemalto Sentinel License Manager 18.0.1 Directory Traversal Risk: Medium Text:Gemalto Sentinel License Manager 18.0.1 Directory Traversal Vulnerability Vendor: Gemalto NV | SafeNet, Inc Product we... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016060121 *** Security Advisory - Insufficient Input Validation Vulnerability in the FusionInsight *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160617-… *** Moxa PT-7728 Series Switch Improper Authorization Vulnerability *** --------------------------------------------- This advisory contains mitigation details for an improper authorization vulnerability in Moxa's Industrial Ethernet Switch PT-7728 series. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-168-01 *** sol64505405: NTP vulnerability CVE-2016-4956 *** --------------------------------------------- This vulnerability can only be exposed if the ntp.conf file is manually edited to enable "broadcastclient" mode in network time protocol (NTP). --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/64/sol64505405.html *** sol14969: BIG-IP Edge and FirePass client information leakage vulnerability CVE-2013-6024 *** --------------------------------------------- The Edge Client components in F5 BIG-IP APM, BIG-IP Edge Gateway, and FirePass allow attackers to obtain sensitive information from process memory via unspecified vectors. (CVE-2013-6024) An attacker with sufficient local privileges on a client machine running Windows or Mac OS X may be able to gain access to a users APM password. Note: This vulnerability is limited to the BIG-IP Edge Client and FirePass legacy client for Windows and Mac OS X only; it does not impact the BIG-IP or FirePass host. --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14969.html *** sol82644737: NTP vulnerability CVE-2016-4954 *** --------------------------------------------- Impact: The NTP service may be disrupted. Security Issue Status: F5 Product Development has assigned ID 597023 (BIG-IP), ID 598184 (BIG-IQ), ID 598186 (Enterprise Manager), and LRS-60784 (LineRate) to this vulnerability. --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/82/sol82644737.html *** IBM Security Bulletin: Vulnerability identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2016-3426) *** --------------------------------------------- A vulnerability in IBM SDK Java Technology Edition, Version 6 that is shipped with IBM WebSphere Service Registry and Repository Studio. These issues were disclosed as part of the IBM Java SDK updates in April 2016. CVE(s): CVE-2016-3426 Affected product(s) and affected version(s): WebSphere Service Registry and Repository Studio V8.5, V8.0, V7.5 and V7.0 are... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21985335 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) *** --------------------------------------------- OpenSSL vulnerabilities were disclosed on December 3, 2015 by the OpenSSL Project. OpenSSL is used by IBM b-type SAN switches and directors. IBM b-type SAN firmware has addressed the applicable CVEs. CVE(s): CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794 Affected product(s) and affected version(s): IBM b-type switches and directors running FOS versions prior to 7.4.1c are affected. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1006391

1 0

Tageszusammenfassung - Donnerstag 16-06-2016
by Daily end-of-shift report 16 Jun '16

16 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 15-06-2016 18:00 − Donnerstag 16-06-2016 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** Estonia - Cryptographic Algorithms Lifecycle Report 2016 published *** --------------------------------------------- Estonian Information System Authority (RIA) and Cybernetica have published the "Cryptographic Algorithms Lifecycle Report 2016". --------------------------------------------- https://www.enisa.europa.eu/about-enisa/structure-organization/national-lia… *** TLS Certificate Validation Vulnerability in Citrix iOS Receiver *** --------------------------------------------- A vulnerability has been identified in Citrix iOS Receiver that could result in TLS certificates being incorrectly validated. This vulnerability has been assigned the following CVE number: CVE-2016-5433: TLS Certificate Validation Vulnerability in Citrix iOS Receiver. This vulnerability affects all versions of Citrix iOS Receiver earlier than 7.0. This vulnerability does not affect Citrix Receivers on any other platforms. --------------------------------------------- http://support.citrix.com/article/CTX213998 *** Citrix XenServer Security Update for CVE-2016-5302 *** --------------------------------------------- A security vulnerability has been identified in XenServer 7.0 that may allow an attacker on the management network who is in possession of Active Directory credentials for an AD account that is not authorised to manage a XenServer host to compromise that host. The following vulnerability has been addressed: CVE-2016-5302 (Low): Incorrect host management AD authentication --------------------------------------------- http://support.citrix.com/article/CTX213549 *** Views - Less Critical - Access Bypass - SA-CONTRIB-2016-036 *** --------------------------------------------- Project: Views (third-party module) Version: 7.x Date: 2016-June-15 Security risk: 7/25 ( Less Critical) Vulnerability: Access bypass DescriptionAn access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view. --------------------------------------------- https://www.drupal.org/node/2749333 *** Trend Micro: Sicherheitsfirma findet trojanisierte Teamviewer-Versionen *** --------------------------------------------- Wurde Teamviewer gehackt oder nicht? In den vergangenen Wochen beschwerten sich Hunderte Nutzer über Kriminelle, die über Teamviewer Konten plünderten. Der Hersteller selbst verwies auf schlechte Passwörter - eine Sicherheitsfirma hat jetzt eine weitere Idee. --------------------------------------------- http://www.golem.de/news/trend-micro-sicherheitsfirma-findet-trojanisierte-… *** Deep Discovery Inspector vulnerable to remote code execution *** --------------------------------------------- Deep Discovery Inspector provided by Trend Micro Incorporated contains a remote code execution vulnerability. --------------------------------------------- http://jvn.jp/en/jp/JVN55428526/ *** Facebook Privacy & Security Guide: Everything You Need to Know [Updated] *** --------------------------------------------- Facebook grew in the past years to become the largest online social network in the world. It spread so much that even our parents, neighbors and distant relatives, even from remote areas of the country, now constantly use it. It's the place where everybody is active, from friends, family, work colleagues, old school friends to ... --------------------------------------------- https://heimdalsecurity.com/blog/facebook-security-privacy-guide/ *** Bugtraq: [security bulletin] HPSBNS03625 rev.1 - HPE NonStop Application Server for Java (NSASJ) running SSL/TLS, Remote Disclosure of Information *** --------------------------------------------- [security bulletin] HPSBNS03625 rev.1 - HPE NonStop Application Server for Java (NSASJ) running SSL/TLS, Remote Disclosure of Information --------------------------------------------- http://www.securityfocus.com/archive/1/538693 *** Bugtraq: [security bulletin] HPSBGN03553 rev.1 - HP OneView Products using glibc and OpenSSL, Multiple Remote Vulnerabilties *** --------------------------------------------- [security bulletin] HPSBGN03553 rev.1 - HP OneView Products using glibc and OpenSSL, Multiple Remote Vulnerabilties --------------------------------------------- http://www.securityfocus.com/archive/1/538692 *** Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-002 *** --------------------------------------------- Project: Drupal core Version: 7.x, 8.x Security risk: 11/25 ( Moderately Critical) Vulnerability: Access bypass, Multiple vulnerabilities Description Saving user accounts can sometimes grant the user all roles --------------------------------------------- https://www.drupal.org/SA-CORE-2016-002 *** Cisco Security Advisories *** --------------------------------------------- *** Cisco RV110W, RV130W, and RV215W Routers HTTP Request Buffer Overflow Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco RV110W, RV130W, and RV215W Routers Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco RV110W, RV130W, and RV215W Routers Arbitrary Code Execution Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco RV110W, RV130W, and RV215W Routers HTTP Request Buffer Overflow Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Cross-Site Request Forgery Vulnerability in IBM WebSphere Portal (CVE-2016-2901) *** http://www-01.ibm.com/support/docview.wss?uid=swg21983974 --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Application platform is vulnerable to a cross-site scripting attack. (CVE-2016-2883) *** http://www.ibm.com/support/docview.wss?uid=swg21985158 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in BeanShell affects IBM Leads (CVE-2016-2510) *** http://www.ibm.com/support/docview.wss?uid=swg21982167 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in InstallAnywhere affects IBM InfoSphere Optim Performance Manager for DB2 on LUW and IBM InfoSphere Optim Configuration Manager on Windows Platform (CVE-2016-4560) *** http://www-01.ibm.com/support/docview.wss?uid=swg21984067 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager FastBack for Bare Machine Recovery (CVE-2016-2542) *** http://www.ibm.com/support/docview.wss?uid=swg21984184 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager FastBack (CVE-2016-2542) *** http://www.ibm.com/support/docview.wss?uid=swg21982809 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Notes KeyView PDF Filters (CVE-2016-0301, CVE-2016-0278, CVE-2016-0279, CVE-2016-0277) *** http://www.ibm.com/support/docview.wss?uid=swg21982277 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 15-06-2016
by Daily end-of-shift report 15 Jun '16

15 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 14-06-2016 18:00 − Mittwoch 15-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Security Advisory posted for Adobe Flash Player (APSA16-03) *** --------------------------------------------- A Security Advisory (APSA16-03) has been published regarding a critical vulnerability (CVE-2016-4171) in Adobe Flash Player. Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1367 *** Security Bulletins Posted *** --------------------------------------------- Adobe has published security bulletins for the Adobe DNG SDK (APSB16-19), Adobe Brackets (APSB16-20), Adobe Creative Cloud Desktop Application (APSB16-21) and ColdFusion (APSB16-22). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1361 *** MS16-JUN - Microsoft Security Bulletin Summary for June 2016 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-JUN *** DSA-3602 php5 - security update *** --------------------------------------------- Several vulnerabilities were found in PHP, a general-purpose scriptinglanguage commonly used for web application development. --------------------------------------------- https://www.debian.org/security/2016/dsa-3602 *** Where's the Macro? Malware authors are now using OLE embedding to deliver malicious files *** --------------------------------------------- Recently, we've seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we've seen macros used .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/06/14/wheres-the-macro-malwar… *** Mofang: A politically motivated information stealing adversary *** --------------------------------------------- Mofang is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang's targets are selected based on involvement with .. --------------------------------------------- https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-informati… *** Safari 10 blockiert Flash standardmäßig *** ---------------------------------------------- Ab Herbst gaukelt Apples Browser Webseiten in der Standardeinstellung vor, dass Plug-ins wie Flash, Silverlight oder Java gar nicht installiert seien. Der Schritt soll Strom sparen und für mehr Sicherheit sorgen. --------------------------------------------- http://heise.de/-3238170 *** VMSA-2016-0009 *** --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2016-0009.html *** VMSA-2016-0005.4 *** --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2016-0005.html *** VMSA-2015-0009.3 *** --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0009.html *** VMSA-2015-0007.6 *** --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0007.html *** iOS-Apps müssen ab 2017 HTTPS verwenden *** --------------------------------------------- Apple hat angekündigt, ab 1. Jänner 2017 HTTPS-Verbindungen für iOS-Apps zu verlangen. Daten sollen nur noch verschlüsselt übertragen werden. --------------------------------------------- http://futurezone.at/apps/ios-apps-muessen-ab-2017-https-verwenden/204.603.… *** Russische Spione hacken Computer von US-Demokraten *** --------------------------------------------- http://derstandard.at/2000038962384-406 *** Adobe-Patchday lässt kritische Flash-Lücke ungepatcht *** --------------------------------------------- Adobe schliesst Lücken in ColdFusion, der Creative Cloud, dem DNG Development Kit und seinem Texteditor Brackets. Nur eine kritische Flash-Lücke bleibt erst mal ungepatcht. --------------------------------------------- http://heise.de/-3238271 *** DSA-3603 libav - security update *** --------------------------------------------- Several security issues have been corrected in multiple demuxers anddecoders of the libav multimedia library. A full .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3603 *** Cross-Site Scripting in extension "Bootstrap Package" (bootstrap_package) *** --------------------------------------------- https://typo3.org/news/article/cross-site-scripting-in-extension-formhandle… *** Microsoft-Patchday: Uralt-Lücke aus Windows-95-Zeiten geschlossen *** --------------------------------------------- Microsoft hat für diesen Monat 16 Sicherheitsupdates herausgegeben. Fünf davon sind kritisch und eine wichtige Lücke namens "BadTunnel" betrifft alle Windows-Versionen seit Windows 95. --------------------------------------------- http://heise.de/-3238328 *** xDedic - the shady world of hacked servers for sale *** --------------------------------------------- Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished. The short, cryptic name perhaps doesnt say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet. --------------------------------------------- http://securelist.com/blog/research/75027/xdedic-the-shady-world-of-hacked-… *** Programmiersprache: Microsoft forscht an sicherer C-Erweiterung *** --------------------------------------------- Einige Modifikationen an Syntax, Compiler und Laufzeitumgebung sollen C-Programme vor typischen Fehlern der Programmiersprache schützen. Microsoft erforscht diese Technik gemeinsam mit Universitäten in einem Open-Source-Projekt. --------------------------------------------- http://www.golem.de/news/programmiersprache-microsoft-forscht-an-sicherer-c… *** Next Steps for Legacy Plug-ins *** --------------------------------------------- The web platform is capable of amazing things. Thanks to the ongoing hard work of standards bodies, browser vendors, and web developers, web standards are feature-rich and continuously improving. The WebKit project in particular .. --------------------------------------------- https://webkit.org/blog/6589/next-steps-for-legacy-plug-ins/ *** Forenbetreiber gehackt: 45 Millionen Nutzer betroffen *** --------------------------------------------- Cyberkriminelle haben 45 Millionen Datensätze von VerticalScope gestohlen. Die kanadische Firma hostet über 1.100 Webseiten und Online-Foren. --------------------------------------------- http://futurezone.at/digital-life/forenbetreiber-gehackt-45-millionen-nutze… *** TalkTalk-Kunden werden über TeamViewer-Zugänge angegriffen *** --------------------------------------------- Nicht genug, dass die Daten der TalkTalk-Kunden im Netz sind: Jetzt werden diese auch noch Opfer von Ganoven. Diese versuchen, .. --------------------------------------------- http://heise.de/-3238766

1 0

Tageszusammenfassung - Dienstag 14-06-2016
by Daily end-of-shift report 14 Jun '16

14 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 13-06-2016 18:00 − Dienstag 14-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** ATM Insert Skimmers In Action *** --------------------------------------------- KrebsOnSecurity has featured several recent posts on "insert skimmers," ATM skimming devices made to fit snugly and invisibly inside a cash machines card acceptance slot. Im revisiting the subject again because Ive recently .. --------------------------------------------- http://krebsonsecurity.com/2016/06/atm-insert-skimmers-in-action/ *** DSA-3601 icedove - security update *** --------------------------------------------- Multiple security issues have been found in Icedove, Debians version ofthe Mozilla Thunderbird mail client: Multiple memory safety errors maylead to the execution of arbitrary code or denial of service. --------------------------------------------- https://www.debian.org/security/2016/dsa-3601 *** Virenscanner infiziert Systeme mit Sality-Virus *** --------------------------------------------- Durch ein Update landete des Virenscanners Rising landet eine infizierte Datei auf den Systeme, die sich dann daran macht, den Sality-Virus weiter zu verbreiten. --------------------------------------------- http://heise.de/-3237654 *** Vawtrak banking Trojan shifts to new targets *** --------------------------------------------- The Vawtrak banking Trojan (aka Snifula) is slowly but surely becoming a serious threat. With version 2, the malware has acquired the capability to target .. --------------------------------------------- https://www.helpnetsecurity.com/2016/06/14/vawtrak-banking-trojan-shifts-ne… *** Kritische Sicherheitslücke: Angreifer können Adminrechte in Oxid-E-Shop erlangen *** --------------------------------------------- Eine Sicherheitslücke im E-Shop-System Oxid ermöglicht Angreifern den Zugriff auf das Admininterface, es kann auch Code ins Frontend injiziert werden. Aktuelle Versionen werden mit einem Patch abgesichert, für ältere existiert lediglich ein Workaround. --------------------------------------------- http://www.golem.de/news/kritische-sicherheitsluecke-angreifer-koennen-admi… *** Aufregung um Linkedin-Hack in .at: Nutzer sollten dringend Passwort ändern *** --------------------------------------------- Vollständige Nutzerdatenbank aus dem Jahr 2012 kursiert, und sorgt nun auch hierzulande für Schlagzeilen. --------------------------------------------- http://derstandard.at/2000038935519 *** Weaponizing Nessus *** --------------------------------------------- Once in a blue moon we come across a client that has truly done security right (or at least, tried really hard to do so). All the low hanging fruit has .. --------------------------------------------- http://www.shellntel.com/blog/2016/6/7/weaponizing-nessus *** The PhotoMiner Campaign *** --------------------------------------------- Over the past few months, we've been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by .. --------------------------------------------- https://www.guardicore.com/2016/06/the-photominer-campaign/ *** Finding pearls; fuzzing ClamAV *** --------------------------------------------- Previously, I wrote about the general workflow to follow if you wanted to seriously begin fuzzing applications, while covering fuzzing a small YAML library. In this post, we will cover taking that workflow and applying it in real life to the open-source antivirus project ClamAV. This fuzz job was .. --------------------------------------------- https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/ *** phpMyAdmin Project Successfully Completes Security Audit *** --------------------------------------------- Software Freedom Conservancy congratulates its phpMyAdmin project on succesfuly completing completing a thorough security audit, as part of Mozillas Secure Open Source Fund. No serious issues were found in the phyMyAdmin codebase. --------------------------------------------- https://www.phpmyadmin.net/news/2016/6/13/phpmyadmin-project-successfully-c… *** Netgear-Router dank festinstallierter Schlüssel einfach zu knacken *** --------------------------------------------- Die Router D6000 und D3600 können von Angreifern gekapert werden, da sie fest installierte Krypto-Schlüssel nutzen, die immer gleich sind. Ausserdem lässt sich das Administrator-Passwort sehr einfach auslesen. --------------------------------------------- http://heise.de/-3237907 *** Making Curl | Bash safe(r) *** --------------------------------------------- You know those software installation instructions that tell you to download and run a script directly from the internet, as root, using something like the following? --------------------------------------------- https://sysdig.com/blog/making-curl-bash-safer/

1 0

Tageszusammenfassung - Montag 13-06-2016
by Daily end-of-shift report 13 Jun '16

13 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 10-06-2016 18:00 − Montag 13-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Linux Kernel ROP - Ropping your way to # (Part 1) *** --------------------------------------------- Kernel ROP In-kernel ROP (Return Oriented Programming) is a useful technique that is often used to bypass restrictions associated with non-executable memory regions. For example, on default kernels1, it presents a practical approach for .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropp… *** Siemens SIMATIC S7-300 Denial-of-Service Vulnerability *** --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-161-01 *** Is it the End of Angler ? *** --------------------------------------------- http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html *** Visual Studio 2015 stopft ungefragt Tracing-Code in C++-Programme *** --------------------------------------------- Microsofts aktuelle Entwicklungsumgebung baut ungefragt und automatisch Funktionsaufrufe in C++-Code ein, die dem Erfassen von Telemetrie-Daten dienen. Microsoft will das nun mit Updates abstellen. --------------------------------------------- http://heise.de/-3235676 *** Blackberry verteilt Nutzerdaten weltweit an Behörden *** --------------------------------------------- Blackberry entschlüsselt Nachrichten, die über seine Geräte verschickt und empfangen werden und teilt diese Informationen und andere Nutzerdaten mit Behörden in aller Welt. --------------------------------------------- http://futurezone.at/netzpolitik/blackberry-verteilt-nutzerdaten-weltweit-a… *** Petya and Mischa - Ransomware Duet (part 2) *** --------------------------------------------- After being defeated in April, Petya comes back with new tricks. Now, not as a single ransomware, but in a bundle with another malicious payload - Mischa. Both are named after the satellites from the GoldenEye movie. They deploy .. --------------------------------------------- https://blog.malwarebytes.org/threat-analysis/2016/06/petya-and-mischa-rans… *** DNS Sinkhole ISO Version 2.0 *** --------------------------------------------- After 4 years (previous version 1.3 Jun 2012), I containing the following changes: - Updated to Slackware 14.1 with Linux kernel 3.10.17 - Added inetsim in the /opt directory as a limited alternative to collect redirected sinkhole .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21153 *** Symantec übernimmt Blue Coat für 4,65 Milliarden Dollar *** --------------------------------------------- Blue Coat wurde vom Sicherheitssoftwareanbieter Symantec gekauft und will sich fortan vor allem auf Anti-Viren-Software konzentrieren. --------------------------------------------- http://futurezone.at/b2b/symantec-uebernimmt-blue-coat-fuer-4-65-milliarden… *** Verschlüsselung: Lets Encrypt veröffentlicht 7.618 E-Mail-Adressen *** --------------------------------------------- Lets Encrypt will Verbindungen im Internet besser absichern und so die privaten Daten der Nutzer besser schützen. Doch jetzt hat das Projekt durch eine Panne selbst zahlreiche Mailadressen preisgegeben. --------------------------------------------- http://www.golem.de/news/verschuesselung-let-s-encrypt-verraet-7-618-e-mail… *** FLocker Mobile Ransomware Crosses to Smart TV *** --------------------------------------------- Using multiple devices that run on one platform makes life easier for a lot of people. However, if a malware affects one of these devices, the said malware may eventually affect the others, too. This appears to be the case when we came across an .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/flocker-ransomwa… *** Statt Backups: Britische Firmen horten Bitcoins für Erpressungstrojaner *** --------------------------------------------- Anstatt für regelmäßige Backups zu sorgen, scheinen viele britische Firmen lieber Kryptogeldreserven anzulegen, um Lösegeld für ihre Daten bezahlen zu können. Laut einer Befragung sind viele Firmen bereit, bis zu 50.000 Pfund zu zahlen. --------------------------------------------- http://heise.de/-3236563 *** Intel verankert Anti-Exploit-Technik in (CPU-)Hardware *** --------------------------------------------- Mit der "Control-flow Enforcement Technology" will Intel dem Ausnutzen von Sicherheitslücken eine weitere Hürde in den Weg legen. Wann CET jedoch in Prozessoren debüttiert, steht noch in den Sternen. --------------------------------------------- http://heise.de/-3236707 *** Microsoft kauft LinkedIn für 26,2 Milliarden Dollar *** --------------------------------------------- Das Karriere-Netzwerk LinkedIn wird von Microsoft übernommen. Der Xing-Konkurrent werde dabei insgesamt mit 26,2 Milliarden Dollar bewertet, teilten die Unternehmen mit. --------------------------------------------- http://futurezone.at/b2b/microsoft-kauf-linkedin-fuer-26-2-milliarden-dolla… *** Process Explorer: Part 2 *** --------------------------------------------- For Windows operating systems (OS), especially those up to and including Windows 7, Process Explorer is an excellent replacement for Task Manager. After publishing .. --------------------------------------------- https://blog.malwarebytes.org/101/2016/05/process-explorer-part-2/ *** Empfehlungen für Cybersicherheitsgesetz veröffentlicht *** --------------------------------------------- Ein Jahr lang haben Experten aus Wirtschaft, Wissenschaft und Behörden über das Cybersicherheitsgesetz diskutiert, das eine Meldepflicht bei Cyberangriffen bringen soll. --------------------------------------------- http://futurezone.at/netzpolitik/empfehlungen-fuer-cyberischerheitsgesetz-v…

1 0

Tageszusammenfassung - Freitag 10-06-2016
by Daily end-of-shift report 10 Jun '16

10 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 09-06-2016 18:00 − Freitag 10-06-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Reverse-engineering DUBNIUM *** --------------------------------------------- DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features. We located multiple variants of multiple-stage droppers and payloads in the last few months, and although they are not really packed or obfuscated in a... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dub… *** "Webseiten werden angreifbarer" *** --------------------------------------------- Alexander Mitter von nimbusec und Andreas Tomek von SBA Research über Sicherheits-Start-ups in Österreich, Bedrohungsszenarien und Viagra-Shops auf Unternehmenswebseiten. --------------------------------------------- http://futurezone.at/thema/start-ups/webseiten-werden-angreifbarer/203.199.… *** Offensive or Defensive Security? Both!, (Thu, Jun 9th) *** --------------------------------------------- Sometimes students ask me the best way to jump into the security world. I usually compare information security to medicine: You start with a common base (a strong knowledge in IT) then you must choose a specialization: auditor, architect, penetrationtester, reverse engineer, incident handler, etc. Basically, those specializations can be grouped in two categories: offensiveand defensive. Many people like the first one because it looks more funny and the portrait of the hacker as depicted in Hollywood... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21149&rss *** Secure Open Source: Mozilla stiftet Fonds für bessere Security *** --------------------------------------------- In dem Programm Secure Open Source (SOS) stellt Mozilla zunächst 500.000 US-Dollar bereit, um die Sicherheit von Open-Source-Software zu verbessern. Anders als bei der Linux Foundation soll das Geld explizit für Audits und einen sauberen Umgang mit Sicherheitslücken genutzt werden. --------------------------------------------- http://www.golem.de/news/secure-open-source-mozilla-stiftet-fonds-fuer-bess… *** Crysis ransomware fills vacuum left by TeslaCrypt *** --------------------------------------------- TeslaCrypt has reached the end of the road, and other ransomware is ready to fill the vacuum left behind it. A relative newcomer to the market, Crysis ransomware is already laying claim to parts of TeslaCrypt's territory. The Crysis ransomware family � not to be confused with the Crisis backdoor/spyware Trojan that targeted both Windows and Mac users some four years ago - is currently in its second iteration, and doesn't differ much from other... --------------------------------------------- https://www.helpnetsecurity.com/2016/06/10/crysis-ransomware/ *** An Interview With the Hacker Probably Selling Your Password Right Now *** --------------------------------------------- A conversation with the stolen-data wholesaler selling 800 million stolen passwords, and plaguing the security teams of LinkedIn, Twitter, and Tumblr. --------------------------------------------- http://www.wired.com/2016/06/interview-hacker-probably-selling-password/ *** Optimizing TLS over TCP to reduce latency *** --------------------------------------------- The layered nature of the Internet (HTTP on top of some reliable transport (e.g. TCP), TCP on top of some datagram layer (e.g. IP), IP on top of some link (e.g. Ethernet)) has been very important in its development. Different link layers have come and gone over... --------------------------------------------- https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/ *** EMC and VMware both suffer malicious user access messes *** --------------------------------------------- The wrong people can access data on Data Domain, NSX and vRealize VMware and EMC have each revealed security nasties. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/06/10/emc_and_vmw… *** VU#778696: Netgear D6000 and D3600 contain hard-coded cryptographic keys and are vulnerable to authentication bypass *** --------------------------------------------- Vulnerability Note VU#778696 Netgear D6000 and D3600 contain hard-coded cryptographic keys and are vulnerable to authentication bypass Original Release date: 10 Jun 2016 | Last revised: 10 Jun 2016 Overview The Netgear D6000 and D3600 routers are vulnerable to authentication bypass and contain hard-coded cryptographic keys embedded in their firmware. Description CWE-321: Use of Hard-coded Cryptographic Key -- CVE-2015-8288The firmware for these devices contains a hard-coded RSA private key,... --------------------------------------------- http://www.kb.cert.org/vuls/id/778696 *** USN-2995-1: Squid vulnerabilities *** --------------------------------------------- Ubuntu Security Notice USN-2995-19th June, 2016squid3 vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummarySeveral security issues were fixed in Squid.Software description squid3 - Web proxy cache server DetailsYuriy M. Kaminskiy discovered that the Squid pinger utility incorrectlyhandled certain ICMPv6 packets. A remote attacker could use this issue tocause Squid to crash, resulting in a... --------------------------------------------- http://www.ubuntu.com/usn/usn-2995-1/ *** DSA-3599 p7zip - security update *** --------------------------------------------- Marcin Icewall Noga of Cisco Talos discovered an out-of-bound readvulnerability in the CInArchive::ReadFileItem method in p7zip, a 7zrfile archiver with high compression ratio. A remote attacker can takeadvantage of this flaw to cause a denial-of-service or, potentially theexecution of arbitrary code with the privileges of the user runningp7zip, if a specially crafted UDF file is processed. --------------------------------------------- https://www.debian.org/security/2016/dsa-3599 *** Security Advisory: Java vulnerabilities CVE-2013-5825 and CVE-2013-5830 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/48/sol48802597.html?… *** Security Advisory: iControl REST vulnerability CVE-2016-5021 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/99/sol99998454.html?… *** Bugtraq: ESA-2016-062: EMC Data Domain Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/538642 *** VMSA-2016-0008 *** --------------------------------------------- VMware vRealize Log Insight addresses important and moderate security issues. --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2016-0008.html *** VMSA-2016-0007 *** --------------------------------------------- VMware NSX and vCNS product updates address a critical information disclosure vulnerability --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2016-0007.html *** Bugtraq: [security bulletin] HPSBGN03617 rev.2 - HPE IceWall Federation Agent and IceWall File Manager using libXML2 library, Remote Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/538640 *** [R2] OpenSSL 20160503 Advisory Affects Tenable Products *** --------------------------------------------- Nessus and SecurityCenter are potentially impacted by several vulnerabilities in OpenSSL that were recently disclosed and fixed. Note that due to the time involved in doing a full analysis of each issue, Tenable has opted to upgrade the included version of OpenSSL as a precaution, and to save time. [...] Advisory Timeline 2016-05-19 - [R1] Initial Release | 2016-06-09 - [R2] Security Center details added --------------------------------------------- https://www.tenable.com/security/tns-2016-10 *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-3705) *** --------------------------------------------- There is a vulnerability in libxml2 that is used by IBM BigFix Compliance Analytics. IBM BigFix Compliance has addressed this vulnerability. CVE(s): CVE-2016-3705 Affected product(s) and affected version(s): IBM BigFix Security Compliance Analytics 1.7 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21984773X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/112885 --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21984773 *** IBM Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects IBM BigFix Compliance Analytics. (CVE-2016-0264) *** --------------------------------------------- There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 Service Refresh 2 Fixpack 11 that is used by IBM BigFix Compliance Analytics. These issues were disclosed as part of the IBM Java SDK updates in April 2016. CVE(s): CVE-2016-0264 Affected product(s) and affected version(s): IBM BigFix Security Compliance Analytics 1.8. Refer to... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21983689 *** IBM Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect IBM UrbanCode Deploy (CVE-2015-5345, CVE-2015-5346, CVE-2015-5351) *** --------------------------------------------- Multiple vulnerabilities in Apache Tomcat affect IBM UrbanCode Deploy. CVE(s): CVE-2015-5345, CVE-2015-5346, CVE-2015-5351 Affected product(s) and affected version(s): IBM UrbanCode Deploy 6.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.0.1.6, 6.0.1.7, 6.0.1.8, 6.0.1.9, 6.0.1.10, 6.0.1.11, 6.0.1.12, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.1, 6.1.1.1, 6.1.1.2, 6.1.1.3, 6.1.1.4, 6.1.1.5, 6.1.1.6, 6.1.1.7, 6.1.1.8, 6.1.2, 6.1.3, 6.1.3.1, 6.1.3.2, 6.2, 6.2.0.1,... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000126 *** IBM Security Bulletin: IBM Notes InstallShield vulnerable to DLL planting (CVE-2016-2542) *** --------------------------------------------- IBM Notes uses InstallShield which generates install executables that are vulnerable to a DLL-planting vulnerability. CVE(s): CVE-2016-2542 Affected product(s) and affected version(s): This vulnerability affects installers of following versions of IBM Notes... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21979808 *** IBM Security Bulletin: Vulnerability in Apache Standard Taglibs affects IBM WebSphere Application Server (CVE-2015-0254) *** --------------------------------------------- There is an XML External Entity Injection (XXE) vulnerability in the Apache Standard Taglibs that affects IBM WebSphere Application Server. CVE(s): CVE-2015-0254 Affected product(s) and affected version(s): This vulnerability affects the following versions and releases of IBM WebSphere Application Server Version 8.5.5 Full Profile and Liberty Version 8.5 Full Profile and Liberty Version 8.0 Version... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21978495

1 0

Tageszusammenfassung - Donnerstag 9-06-2016
by Daily end-of-shift report 09 Jun '16

09 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 08-06-2016 18:00 − Donnerstag 09-06-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** AVM warnt vor Telefonmissbrauch bei Routern mit älterer Firmware *** --------------------------------------------- Fritzboxen mit "seltenen Konfigurationen" und älterer Firmware könnten aktuell Opfer von Angreifern werden, die auf Telefonbetrug zielen. AVM rät zu Updates. --------------------------------------------- http://heise.de/-3232343 *** Unpatched D-Link Wi-Fi Camera Flaw Remotely Exploitable *** --------------------------------------------- D-Links DCS930L Wi-Fi camera is vulnerable to a stack overflow vulnerability that can be remotely exploited. --------------------------------------------- http://threatpost.com/unpatched-d-link-wi-fi-camera-flaw-remotely-exploitab… *** Skype being used to distribute malware *** --------------------------------------------- Skype being used to distribute QRAT malware to unsuspecting travelers looking for help on filling out U.S, travel documents. --------------------------------------------- http://www.scmagazine.com/skype-being-used-to-distribute-malware/article/50… *** Searching for malspam, (Thu, Jun 9th) *** --------------------------------------------- Introduction About a week ago, I stopped seeing the daily deluge of malicious spam (malspam) distributing Dridex banking trojans or Locky ransomware. Before this month, I generally noticed multiple waves of Dridex/Locky malspam almost every day. This malspam contains attachments with zipped .js files or Microsoft Office documents designed to download and install the malware. I havent found much discussion about the current absence of Dridex/Locky malspam. Since the actor(s) behind Dridex... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21145&rss *** Security: Locky- und Dridex-Botnetz ist spurlos verschwunden *** --------------------------------------------- Sicherheitsforscher haben einen massiven Rückgang von Infektionen der bekannten Malware-Familien Dridex und Locky beobachtet. Schuld sind offenbar Probleme beim verteilenden Botnetz. Für Locky gibt es keine neue Infrastruktur. Was mit Opfern passiert, ist derzeit offen. --------------------------------------------- http://www.golem.de/news/security-wo-ist-nur-das-botnetz-hin-1606-121396-rs… *** REST JSON - Multiple Vulnerabilities - Highly Critical - Unsupported - SA-CONTRIB-2016-033 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2016-033Project: REST/JSON (third-party module)Version: 7.xDate: 2016-June-08Security risk: 19/25 ( Critical) AC:None/A:None/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Access bypass, Information Disclosure, Multiple vulnerabilitiesDescriptionThis module enables you to expose content, users and comments via a JSON API.The module contains multiple vulnerabilities includingNode access bypassComment access bypassUser enumerationField access bypassUser registration... --------------------------------------------- https://www.drupal.org/node/2744889 *** Citrix XenServer Security Update for CVE-2016-5302 *** --------------------------------------------- A security vulnerability has been identified in XenServer 7.0 that may allow an attacker on the management network who is in possession of Active Directory credentials for an AD account that is not authorised to manage a XenServer host to compromise that host. --------------------------------------------- https://support.citrix.com/article/CTX213549 *** Bugtraq: ESA-2016-072: EMC NetWorker Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/538634 *** Bugtraq: ESA-2016-064: EMC Data Domain Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/538635 *** Security Advisory: Custom monitor privilege escalation vulnerability CVE-2016-5020 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/00/sol00265182.html?… *** Security Advisory: PHP vulnerability CVE-2016-4070 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/42/sol42065024.html?… *** SSA-526760 (Last Update 2016-06-08): Weak Credentials Protection in SIMATIC WinCC flexible *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-526760… *** SSA-818183 (Last Update 2016-06-08): Denial-of-Service Vulnerability in S7-300 CPU *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-818183… *** SSA-301706 (Last Update 2016-06-08): GNU C Library Vulnerability in Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706… *** Bugtraq: [security bulletin] HPSBGN03618 rev.1 - HPE Service Manager remote Denial of Service (DoS), Disclosure of Information, Unauthorized Read Access to Files, Server Side Request Forgery *** --------------------------------------------- http://www.securityfocus.com/archive/1/538630 *** Bugtraq: [security bulletin] HPSBGN03624 rev.1 - HPE Project and Portfolio Management Center, Remote Disclosure of Sensitive Information, Execution of Arbitrary of Commands *** --------------------------------------------- http://www.securityfocus.com/archive/1/538629 *** Bugtraq: [security bulletin] HPSBMU03614 rev.1 - HPE Systems Insight Manager using Samba, Multiple Remote Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/538633 *** Bugtraq: [security bulletin] HPSBMU03584 rev.2 - HPE Network Node Manager I (NNMi), Multiple Remote Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/538632 *** Cisco Aironet 3800 Series Access Point Platforms ARP Request Handling Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Application Policy Infrastructure Controller Binary Files Privilege Escalation Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IP Phone 8800 Series Web Application Buffer Overflow Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Domino *** http://www.ibm.com/support/docview.wss?uid=swg21984678 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in InstallShield/InstallAnywhere affects IBM Informix CSDK and Server installation on Windows(CVE-2016-2542, CVE-2016-4560) *** http://www-01.ibm.com/support/docview.wss?uid=swg21984231 --------------------------------------------- *** IBM Security Bulletin: IBM Client Application Access InstallShield vulnerable to DLL planting (CVE-2016-2542) *** http://www.ibm.com/support/docview.wss?uid=swg21981968 --------------------------------------------- *** IBM Security Bulletin: Secure Properties in IBM UrbanCode Deploy Vulnerable (CVE-2016-0267) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000151 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tealeaf Customer Experience (CVE-2015-1794, CVE-2015-3194, CVE-2016-0702) *** http://www.ibm.com/support/docview.wss?uid=swg21981021 --------------------------------------------- *** IBM Security Bulletin: Security Bulletin: Vulnerabilities in OpenSSL and ReDoS vulnerability in semver module affect IBM SDK for Node.js in IBM Bluemix (CVE-2016-2107, CVE-2016-2105, CVE-2015-8855) *** http://www-01.ibm.com/support/docview.wss?uid=swg21983514 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection *** http://www.ibm.com/support/docview.wss?uid=swg21984424 --------------------------------------------- *** IBM Security Bulletin: An unspecified JMX component vulnerability affects IBM SPSS Analytic Server (CVE-2016-3427) *** http://www.ibm.com/support/docview.wss?uid=swg21984436 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 8-06-2016
by Daily end-of-shift report 08 Jun '16

08 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 07-06-2016 18:00 − Mittwoch 08-06-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Microsoft Bounty Program expansion - .NET Core and ASP.NET RC2 Beta Bounty *** --------------------------------------------- Today I have another exciting expansion of the Microsoft Bounty Program. Please visit https://aka.ms/BugBounty to find out more. As we approach release for .NET Core and ASP.NET, we would like to get even more feedback from the security research community. We are offering a bounty on the .NET Core and ASP.NET Core RC2 Beta Build which... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2016/06/07/microsoft-bounty-progra… *** SWIFT May Ban Banks Without Strong Cybersecurity (June 3, 2016) *** --------------------------------------------- The head of SWIFT says that banks without adequate cybersecurity measures in place could find themselves suspended from using the SWIFT financial transfer communication network... --------------------------------------------- http://www.sans.org/newsletters/newsbites/r/18/45/202 *** Ransomware Leaves Server Credentials in its Code *** --------------------------------------------- While SNSLocker isn't a stand-out crypto-ransomware in terms of routine or interface, its coarse and bland facade hid quite a surprise. After looking closer at its code, we discovered that this Ransomware contains the credentials for the access of its own server. We also found out that they used readily-available servers and payment systems. This... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/gADipA92iAA/ *** Phishers Abuse Hosting Temporary URLs *** --------------------------------------------- Recently we told you how hackers use alternative domain names provided by web hosts to make their URLs look less suspicious. This time we'll show a similar trick used by phishers. Phishing web pages get blacklisted very fast. That's why hackers need to purchase many domains or compromise many websites so that they can point... --------------------------------------------- https://blog.sucuri.net/2016/06/phishers-abuse-hosting-temporary-urls.html *** Neutrino EK and CryptXXX, (Wed, Jun 8th) *** --------------------------------------------- Introduction By Monday 2016-06-06, the pseudo-Darkleech campaign began using Neutrino exploit kit (EK) to send CryptXXX ransomware [1]. Until then, Id only seen Angler EK distribute CryptXXX. However, this is not the first time weve seen campaigns associated with ransomware switch between Angler EK and Neutrino EK [2, 3, 4, 5]. It was documented as early as August 2015 [2]. This can be confusing, especially if youre expecting Angler EK. Campaigns can (and occasionally do) switch EKs. For an... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21141&rss *** Millions of must be firewalled services are open to the entire internet - research *** --------------------------------------------- 15m telnet nodes, 4.5m printers TCP port 445... Millions of services that ought to be restricted are exposed on the open internet, creating a huge risk of hacker attack against databases and more. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/06/08/services_be… *** How to Prevent Ransomware in Industrial Control Systems *** --------------------------------------------- Del Rodillas, our solution lead for SCADA & Industrial Control Systems, recently appeared in Electric Light & Power to discuss ransomware as an emerging threat for Operational Technology environments. With ransomware on everyone's mind these... --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/06/how-to-prevent-ransomwar… *** Linkedln-Nutzer erhalten unechte Geschäftsrechnung *** --------------------------------------------- Kriminelle versenden gezielt vermeintlich offene Unternehmensrechnungen an Nutzer/innen des Sozialen Netzwerks Linkedln. Darin führen sie die auf der Plattform veröffentlichten und richtigen Informationen, wie den Namen, die Berufsposition und das Unternehmen, an. Empfänger/innen sollen den beigefügten Dateianhang öffnen. Er verbirgt Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/linkedln-nutzer-er… *** Google To Deprecate SSLv3, RC4 in Gmail IMAP/POP Clients *** --------------------------------------------- Google will next week begin a gradual deprecation of unsafe crypto protocol SSLv3 and cipher RC4 in Gmail IMAP/POP clients. --------------------------------------------- http://threatpost.com/google-to-deprecate-sslv3-rc4-in-gmail-imappop-client… *** ENISA zeigt Möglichkeiten der forensischen Analyse bei Cloud-Vorfällen *** --------------------------------------------- Als Hilfestellung - nicht nur - für Anbieter von Cloud-Diensten hat die europäische Sicherheitsbehörde ENISA ein Papier zum technischen Stand der Analyse von Sicherheitsvorfällen in der Cloud veröffentlicht. --------------------------------------------- http://heise.de/-3231521 *** But have I really been pwned? Vetting your data *** --------------------------------------------- The news has been full of leaked passwords for some popular services recently. But these numbers of hacked accounts can be exaggerated for effect, and sometimes blatantly wrong.Categories: Criminals Threat analysis(Read more...) --------------------------------------------- https://blog.malwarebytes.org/threat-analysis/2016/06/but-have-i-really-bee… *** Cisco IOS XR Software LPTS Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** DSA-3597 expat - security update *** --------------------------------------------- Two related issues have been discovered in Expat, a C library for parsingXML. --------------------------------------------- https://www.debian.org/security/2016/dsa-3597 *** Symantec Embedded Security: Critical System Protection and Symantec Data Center Security: Server Advanced, Multiple Security Issues *** --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** DFN-CERT-2016-0918: GnuTLS: Eine Schwachstelle ermöglicht die Manipulation beliebiger Dateien *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0918/ *** Trihedral VTScada Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for several vulnerabilities in Trihedral Engineering Ltd.'s Trihedral VTScada. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-159-01 *** KMC Controls Conquest BACnet Router Vulnerabilities *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on May 5, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for authentication and cross-site request forgery vulnerabilities in KMC Controls Conquest BACnet routers through its web interface. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-126-01 *** Security Advisory - Several Vulnerabilities in Huawei Honor Routers *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160607-… *** Security Advisory - Memory Leak Vulnerability in Some Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160608-… *** Security Advisory: SQLite vulnerabilities CVE-2015-3414 and CVE-2015-3415 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/37/sol37236006.html?… *** Security Advisory: SQLite vulnerability CVE-2015-3416 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16950.htm… *** Bugtraq: [security bulletin] HPSBGN03623 rev.1 - HPE Universal CMDB, Remote Disclosure of Sensitive Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/538623 *** Bugtraq: [security bulletin] HPSBGN03622 rev.1 - HPE UCMDB, Universal Discovery, and UCMDB Configuration Manager using Apache Commons Collection, Remote Code Executon *** --------------------------------------------- http://www.securityfocus.com/archive/1/538622 *** Bugtraq: [security bulletin] HPSBGN03621 rev.1 - HPE Universal CMDB using OpenSSL, Remote Disclosure of Sensitive Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/538621 *** IBM Security Bulletin: A vulnerability in the instance runAsUser function was found in IBM InfoSphere Streams (CVE-2016-2867) *** --------------------------------------------- There is a potential vulnerability in IBM InfoSphere Streams when the instance runAsUser property is set. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2016-2867 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 4.0.1.1 and earlier IBM Streams Version 4.1.1.0 and earlier Refer to the following reference URLs for remediation and additional vulnerability details:Source --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21983444 *** IBM Security Bulletin:Multiple security vulnerabilities in Open Source Apache Tomcat affect IBM Cognos Business Viewpoint (CVE-2016-0714 , CVE-2015-5174) *** --------------------------------------------- There are multiple vulnerabilities in Open Source Apace Tomcat that is used by IBM Cognos Business Viewpoint. These were disclosed in the 02/22/2016 X-Force Reports. IBM Cognos Business Viewpoint has addressed the applicable CVEs. CVE(s): CVE-2016-0714, CVE-2015-5174 Affected product(s) and affected version(s): IBM Cognos Business Viewpoint 10.1 FP1 IBM Cognos Business Viewpoint 10.1.1 FP2 Refer... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21984197 *** IBM Security Bulletin:InstallAnywhere generates installation executables which are vulnerable to an DLL-planting vulnerability (CVE-2016-4560) *** --------------------------------------------- InstallAnywhere generates installation executables which are vulnerable to an DLL-planting vulnerability affect IBM Security AppScan Source CVE(s): CVE-2016-4560 Affected product(s) and affected version(s): IBM Security AppScan Source 8.7, 8.8, 9.0, 9.0.1, 9.0.2, 9.0.3 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21983037X-Force Database:... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21983037 *** IBM Security Bulletin: Vulnerabilities in IBM Domino Keyview PDF Filters (CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0277) *** --------------------------------------------- IBM Domino has four vulnerabilities in Keyview PDF filters. CVE(s): CVE-2016-0277, CVE-2016-0278, CVE-2016-0279, CVE-2016-0301 Affected product(s) and affected version(s): IBM Domino 9.0.1 FP5 and earlier releases. IBM Domino 9.0 IF4 and earlier releases. IBM Domino 8.5.3 FP6 IF12 and earlier releases. IBM Domino 8.5.2 FP4 IF3 and earlier releases. IBM Domino 8.5.1 FP5 IF3 and... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21983292 *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2016-2073) *** --------------------------------------------- There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2016-2073 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21983372 *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2015-8710) *** --------------------------------------------- There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2015-8710 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21983371 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2016-2108, CVE-2016-2107). *** --------------------------------------------- OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM Sterling Connect:Direct for UNIX. IBM Sterling Connect:Direct for UNIX has addressed the applicable CVEs. CVE(s): CVE-2016-2108, CVE-2016-2107 Affected product(s) and affected version(s): IBM Sterling Connect:Direct for Unix 4.1.0 IBM Sterling Connect:Direct for Unix 4.0.0 Refer to the following... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21983909

1 0

Tageszusammenfassung - Dienstag 7-06-2016
by Daily end-of-shift report 07 Jun '16

07 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 06-06-2016 18:00 − Dienstag 07-06-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Gezielte Trojaner-Mails mit persönlichen Daten aus dem LinkedIn-Hack *** --------------------------------------------- Aktuell kursieren gefälschte Rechnungen mit Trojaner im Gepäck, die sich LinkedIn-Daten zunutze machen und deswegen plausibel wirken. --------------------------------------------- http://heise.de/-3228473 *** Locky Ransomware Hides Under Multiple Obfuscated Layers of JavaScript *** --------------------------------------------- This post was prepared with the invaluable assistance of Rahamathulla Hussain and Girish Kulkarni. During the last couple of weeks, McAfee Labs has observed a huge increase in spam related to Locky, a new ransomware threat spread via spam campaigns. The contents of the spam email are carefully crafted to lure victims using social engineering... --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/locky-ransomware-hides-under-multiple-… *** Threat Actors Employ COM Technology in Shellcode to Evade Detection *** --------------------------------------------- COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of the fundamental architectures in Windows. From the security point of view, several "features" built into COM have lead to many security vulnerabilities. These features include ActiveX (an Internet Explorer plug-in technology), the... --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/threat-actors-employ-com-technology-sh… *** FastPOS malware exfiltrates data immediately after harvesting it *** --------------------------------------------- POS malware might have taken a backseat when ransomware became the go-to malware for many cyber crooks, but stealing payment card information to effect fraudulent transactions is still a lucrative business. Trend Micro researchers have recently analyzed a new POS malware family sporting some interesting functionalities. One of these is what made them dub the threat FastPOS: the malware does not wait to collect a batch of data and then send it periodically to the... --------------------------------------------- https://www.helpnetsecurity.com/2016/06/07/fastpos-malware/ *** Check your BITS, because deleting malware might not be enough *** --------------------------------------------- Attackers are abusing the Windows Background Intelligent Transfer Service (BITS) to re-infect computers with malware after theyve been already cleaned by antivirus products.The technique was observed in the wild last month by researchers from SecureWorks while responding to a malware incident for a customer. The antivirus software installed on a compromised computer detected and removed a malware program, but the computer was still showing signs of malicious activity at the network level. --------------------------------------------- http://www.cio.com/article/3080016/check-your-bits-because-deleting-malware… *** Android gets patches for serious flaws in hardware drivers and media server *** --------------------------------------------- The June batch of Android security patches addresses nearly two dozen vulnerabilities in system drivers for various hardware components from several chipset makers.The largest number of critical and high severity flaws were patched in the Qualcomm video driver, sound driver, GPU driver, Wi-Fi driver, and camera driver. Some of these privilege escalation vulnerabilities could allow malicious applications to execute malicious code in the kernel leading to a permanent device compromise. Similar... --------------------------------------------- http://www.csoonline.com/article/3079726/security/android-gets-patches-for-… *** Android Security Bulletin - June 2016 *** --------------------------------------------- [...] The most severe issue is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. --------------------------------------------- https://source.android.com/security/bulletin/2016-06-01.html *** BlackBerry powered by Android Security Bulletin - June 2016 *** --------------------------------------------- BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available build, as outlined in the Available Updates section. --------------------------------------------- http://support.blackberry.com/kb/articleDetail?articleNumber=000038209 *** NTP.org ntpd is vulnerable to denial of service and other vulnerabilities *** --------------------------------------------- NTP.orgs reference implementation of NTP server, ntpd, contains multiple vulnerabilities. A brief overview follows, but details may be found in NTPs security advisory listing and in the individual links below. --------------------------------------------- https://www.kb.cert.org/vuls/id/321640 *** DFN-CERT-2016-0840: IPv6-Protokoll: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff *** --------------------------------------------- Version 1 (2016-05-26 11:34) Neues Advisory Version 2 (2016-05-27 09:49) Cisco aktualisiert die referenzierte Sicherheitsmeldung [...] Version 3 (2016-06-01 11:36) Cisco aktualisiert die referenzierte Sicherheitsmeldung [...] Version 4 (2016-06-03 14:31) Cisco aktualisiert cisco-sa-20160525-ipv6 und weist darauf hin, dass es sich nicht um einen Cisco spezifischen Fehler handelt, [...] Version 5 (2016-06-06 15:12) Juniper Networks informiert darüber, dass EX4300, EX4600, QFX3500 und QFX5100... --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0840/ *** Bugtraq: [security bulletin] HPSBGN03620 rev.1 - HPE Helion OpenStack using OpenSSL and QEMU, Remote Unauthorized Data Access *** --------------------------------------------- http://www.securityfocus.com/archive/1/538612 *** Bugtraq: [security bulletin] HPSBGN03619 rev.1 - HPE Discovery and Dependency Mapping Inventory (DDMi) using Java Deserialization, remote Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/538611 *** Bugtraq: [security bulletin] HPSBGN03442 rev.2 - HP Helion OpenStack using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/538610 *** IBM Security Bulletin: Path Traversal affects IBM Security Guardium Database Activity Monitor (CVE-2016-0298) *** --------------------------------------------- IBM Security Guardium Database Activity Monitor could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to view arbitrary files on the system. CVE(s): CVE-2016-0298 Affected product(s) and affected version(s): IBM Security Guardium Database Activity Monitor V10 Refer to the following reference URLs for remediation and... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21981749 *** IBM Security Bulletin: Using Components with Known Vulnerabilities affects IBM Security Guardium (multiple CVEs) *** --------------------------------------------- IBM Security Guardium is vulnerable to several possible remote attacks CVE(s): CVE-2015-4881, CVE-2015-7181, CVE-2015-7981, CVE-2013-1981, CVE-2015-3416, CVE-2015-2730, CVE-2015-7704, CVE-2015-3238, CVE-2015-5312, CVE-2015-5288 Affected product(s) and affected version(s): IBM Security Guardium V10 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21981747X-Force Database:... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21981747 *** IBM Security Bulletin: Cacheable SSL Page vulenrability affects IBM Security Guardium Database Activity Monitor (CVE-2016-0237) *** --------------------------------------------- IBM Security Guardium Database Activity Monitor contains locally cached browser data, that could allow a local attacker to obtain sensitive information. CVE(s): CVE-2016-0237 Affected product(s) and affected version(s): IBM Security Guardium Database Activity Monitor V10 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21981631X-Force Database:... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21981631 *** IBM Security Bulletin: Use of Hard-coded Cryptographic Key vulenrability affects IBM Security Guardium Database Activity Monitor (CVE-2016-0235) *** --------------------------------------------- IBM Security Guardium Database Activity Monitor uses a hard-coded password for the which is available to the administrator or a user with root access. This password could be used across other GRUB systems. CVE(s): CVE-2016-0235 Affected product(s) and affected version(s): IBM Security Guardium Database Activity Monitor V10 Refer to the following reference URLs for remediation... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21981748 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Streams (CVE-2016-0466, CVE-2016-0448) *** --------------------------------------------- There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 Service Refresh 2 Fix Pack 11 and earlier releases, Version 7R1 Service Refresh 3 Fix Pack 31 and earlier releases, and Version 6 Service Refresh 16 Fix Pack 21 and earlier releases. If you run your own Java code using the IBM Java... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21983436 *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM InfoSphere Streams. (CVE-2015-8317) *** --------------------------------------------- There is a vulnerability in libxml2 that is used by IBM InfoSphere Streams. IBM InfoSphere Streams has addressed this vulnerability. CVE(s): CVE-2015-8317 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21983370 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM MQ AMS (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) *** --------------------------------------------- OpenSSL vulnerabilities were disclosed on December 3, 2015 by the OpenSSL Project. OpenSSL is used by IBM MQ Advanced Message Security (AMS) on IBM i. IBM MQ has addressed the applicable CVEs. CVE(s): CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 Affected product(s) and affected version(s): IBM MQ 8.0 Advanced Message Security (AMS) on IBM i only Fix Pack 8.0.0.4... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21983823 *** IBM Security Bulletin: A vulnerability in XML processing affects IBM InfoSphere Streams (CVE-2015-1819) *** --------------------------------------------- IBM InfoSphere Streams may be vulnerable to a denial of service attack due to the use of Libxml2 (CVE-2015-1819) CVE(s): , CVE-2015-1819 Affected product(s) and affected version(s): IBM InfoSphere Streams Version 1.2.1.0 IBM InfoSphere Streams Version 2.0.0.4 and earlier IBM InfoSphere Streams Version 3.0.0.5 and earlier IBM InfoSphere Streams Version 3.1.0.7 and earlier IBM InfoSphere... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21981066 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM BigFix Remote Control (CVE-2016-2107) *** --------------------------------------------- OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM BigFix Remote Control. IBM BigFix Remote Control has addressed the applicable CVEs. CVE(s): CVE-2016-2107 Affected product(s) and affected version(s): IBM BigFix Remote Control version 9.1.2 Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin:... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21984111

1 0

Tageszusammenfassung - Montag 6-06-2016
by Daily end-of-shift report 06 Jun '16

06 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 03-06-2016 18:00 − Montag 06-06-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Magento Credit Card Stealer for Braintree Extension *** --------------------------------------------- We regularly find and write about malware that steals credit card details from Magento sites because attackers discover new techniques to obtain sensitive data daily. This time, the malicious code is specifically designed for Magento sites that use the Braintree extension. This extension connects a Magento store with the Braintree payment processing service that is... --------------------------------------------- https://blog.sucuri.net/2016/06/magento-credit-card-stealer-braintree-exten… *** WordPress Sites Under Attack From New Zero-Day In WP Mobile Detector Plugin *** --------------------------------------------- An anonymous reader writes: A large number of websites have been infected with SEO spam thanks to a new zero-day in the WP Mobile Detector plugin that was installed on over 10,000 websites. The zero-day was used in real-world attacks since May 26, but only surfaced to light on May 29 when researchers notified the plugins developer. Seeing that the developer was slow to react, security researchers informed Automattic, who had the plugin delisted from WordPress.orgs Plugin Directory on May 31. In... --------------------------------------------- https://tech.slashdot.org/story/16/06/03/2243238/wordpress-sites-under-atta… https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-expl… *** Whats Going on With libtiff?, (Sun, Jun 5th) *** --------------------------------------------- libtiff, as the name implies, is a library used to parse TIFF formatted images. While you dont run into TIFF images on the web every day, the format is quite popular for higher-resolution/high qualityapplications like printing. TIFF allows the user to select between lossless or lossycompression depending on the preferences of the user. While the library is very popular, a reader wrote in last week asking if the library is still maintained. Currently, there are three security issues listed in... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21131&rss *** Destructive BadBlock ransomware can be foiled *** --------------------------------------------- If you have been hit with ransomware, you want that malware to be BadBlock - but only if you haven't restarted your computer. This particular malware is a lacklustre attempt to create something on par with more popular ransomware, and that allowed Emsisoft security researcher Fabian Wosar to create a decrypter tool for it. The tool can be downloaded for free, and Bleeping Computer has offered instructions on how to use it. But, aside from... --------------------------------------------- https://www.helpnetsecurity.com/2016/06/06/destructive-badblock-ransomware-… *** Researchers hack the Mitsubishi Outlander SUV, shut off alarm remotely *** --------------------------------------------- Mitsubishi Outlander, a popular hybrid SUV sold around the world, can be easily broken into by attackers exploiting security weaknesses in the setup that allows the car to be remotely controlled via an app. The weaknesses were discovered by Pen Test Partners, and include: The mobile app connects to the car through a Wi-Fi access point on it, instead via a web service and GSM module, making it impossible to use if one is not... --------------------------------------------- https://www.helpnetsecurity.com/2016/06/06/researchers-hack-mitsubishi-outl… *** Dangerous self-spreading successor of Zeus and Carberp discovered *** --------------------------------------------- June 3, 2016 In June, Doctor Web security researchers examined a new dangerous virus targeting Russian bank clients. The virus is designed to steal money from bank accounts and monitor user activity. It has borrowed a lot of features from its predecessors Zeus (Trojan.PWS.Panda) and Carberp. Yet, unlike them, it can be spread without any user intervention infecting executable files. Besides, curing of the infected computer is rather complicated and may take several hours. Due to the ability to... --------------------------------------------- http://news.drweb.com/show/?i=9999&lng=en&c=9 *** Firmware Analysis for IoT Devices *** --------------------------------------------- Introduction This is the second post in the IoT Exploitation and Penetration Testing series. In this post, we are going to have a look at a key component in an IoT device architecture - Firmware. Any IoT device you use, you will be interacting with firmware, and this is because firmware can be thought of... --------------------------------------------- http://resources.infosecinstitute.com/firmware-analysis-for-iot-devices/ *** Widespread exploits evade protections enforced by Microsoft EMET *** --------------------------------------------- Its bad news for businesses. Hackers have launched large-scale attacks that are capable of bypassing the security protections added by Microsofts Enhanced Mitigation Experience Toolkit (EMET), a tool whose goal is to stop software exploits.Security researchers from FireEye have observed Silverlight and Flash Player exploits designed to evade EMET mitigations such as Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF) and Export Address Table Access Filtering Plus --------------------------------------------- http://www.cio.com/article/3079747/widespread-exploits-evade-protections-en… *** Cisco Aironet Access Points Command-Line Interpreter Linux Shell Command Injection Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IP 8800 Series Phones btcli Utility Command Injection Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** JSA10749 - IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability (CVE-2016-1409) *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10749&actp=RSS *** Security Advisory: NTP vulnerability CVE-2016-1548 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/63/sol63675293.html?… *** DSA-3595 mariadb-10.0 - security update *** --------------------------------------------- Several issues have been discovered in the MariaDB database server. Thevulnerabilities are addressed by upgrading MariaDB to the new upstreamversion 10.0.25. Please see the MariaDB 10.0 Release Notes for furtherdetails: --------------------------------------------- https://www.debian.org/security/2016/dsa-3595 *** Bugtraq: [security bulletin] HPSBUX03616 SSRT110128 rev.2 - HPE HP-UX running CIFS Server (Samba), Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Access *** --------------------------------------------- http://www.securityfocus.com/archive/1/538597 *** DFN-CERT-2016-0908: VideoLAN VLC Media Player: Eine Schwachstelle ermöglicht u.a. die Ausführung beliebigen Programmcodes mit Benutzerrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0908/ *** Citrix NetScaler Gateway Lets Remote Users Hijack the Target Users Login Form Credentials *** --------------------------------------------- http://www.securitytracker.com/id/1036020

1 0

Tageszusammenfassung - Freitag 3-06-2016
by Daily end-of-shift report 03 Jun '16

03 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 02-06-2016 18:00 − Freitag 03-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Trillium Exploit Kit Update Offers 'Security Tips' *** --------------------------------------------- McAfee Labs has previously blogged about the Trillium Exploit Kit Version 3.0, which is commonly used to create and distribute malware. Last week, Version 4.0 appeared on several underground forums. We have analyzed the new version of the tool .. --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/trillium-exploit-kit-update-offers-sec… *** DSA-3593 libxml2 - security update *** --------------------------------------------- Several vulnerabilities were discovered in libxml2, a library providingsupport to read, modify and write XML and HTML files. A remote attackercould provide a specially crafted XML or HTML file that, when processedby an .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3593 *** GE MultiLink Series Hard-coded Credential Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a hard-coded credential vulnerability in GE's MultiLink series managed switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-154-01 *** WP Mobile Detector <= 3.5 - Arbitrary File Upload *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8505 *** Understanding Angler Exploit Kit - Part 1: Exploit Kit Fundamentals *** --------------------------------------------- Generally speaking, criminal groups use two methods for widespread distribution of malware. The most common method is malicious spam (malspam). This is a fairly direct mechanism, usually through an email attachment or .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-ang… *** MySQL is YourSQL *** --------------------------------------------- Its The End of the World and We Know It If you listen to the press - those purveyors of doom, those nattering nabobs of negativism - you arrive at a single, undeniable conclusion: The worldis going to hell in a hand-basket. They .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21117 *** Nach Kontroversen: Teamviewer führte neue Accountsicherungen ein *** --------------------------------------------- Wenige Tage nach zahlreichen Nutzerbeschwerden über gehackte Accounts reagiert Teamviewer mit einem vorgezogenen Sicherheitsupdate. Wir haben mit dem Unternehmen darüber gesprochen. --------------------------------------------- http://www.golem.de/news/nach-kontroversen-teamviewer-fuehrte-neue-accounts…

1 0

Tageszusammenfassung - Donnerstag 2-06-2016
by Daily end-of-shift report 02 Jun '16

02 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 01-06-2016 18:00 − Donnerstag 02-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** DSA-3591 imagemagick - security update *** --------------------------------------------- Bob Friesenhahn from the GraphicsMagick project discovered a commandinjection vulnerability in ImageMagick, a program suite for imagemanipulation. An attacker with control on input image or the inputfilename can execute arbitrary commands with the privileges of the userrunning the application. --------------------------------------------- https://www.debian.org/security/2016/dsa-3591 *** Lenovo advises users to remove a vulnerable support tool preinstalled on their systems *** --------------------------------------------- PC maker Lenovo is recommending that users remove an application preloaded on their computers because it contains a high-severity flaw that could allow attackers to take over their systems.The vulnerable tool is called .. --------------------------------------------- http://www.csoonline.com/article/3077935/security/lenovo-advises-users-to-r… *** Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031 *** --------------------------------------------- https://www.drupal.org/node/2738707 *** DSA-3592 nginx - security update *** --------------------------------------------- It was discovered that a NULL pointer dereference in the Nginx coderesponsible for saving client request bodies to a temporary file mightresult in denial of service: Malformed requests could crash workerprocesses. --------------------------------------------- https://www.debian.org/security/2016/dsa-3592 *** Researchers spot 35-fold increase in newly observed ransomware domains *** --------------------------------------------- A record 35-fold increase in newly observed ransomware domains compared to the fourth quarter of 2015 have been spotted by Infoblox researchers. --------------------------------------------- http://www.scmagazine.com/infoblox-researchers-spotted-a-huge-uptick-in-dns… *** Yahoo Publishes National Security Letters After FBI Drops Gag Orders *** --------------------------------------------- Yahoo just became the first company to disclose that it has received NSLs without having to go to court to do so. --------------------------------------------- http://www.wired.com/2016/06/yahoo-publishes-national-security-letters-fbi-… *** Docker Containers Logging *** --------------------------------------------- In a previous diary, Jim talked about forensic operations against Docker containers. To be able to perform investigations after an incident, we must have some .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21121 *** Die meisten Android-Virenscanner sind unsicher *** --------------------------------------------- Eigentlich sollte AV-Software das Smartphone vor Schadcode schützen. Wie Forscher nun festgestellt haben, weisen viele Virenjäger für Android allerdings selbst eklatante Sicherheitsmängel auf. --------------------------------------------- http://heise.de/-3225169 *** Trend Micro enterprise products multiple vulnerabilities *** --------------------------------------------- Multiple enterprise products provided by Trend Micro Incorporated contain multiple vulnerabilities. --------------------------------------------- http://jvn.jp/en/jp/JVN48847535/ *** Trend Micro Internet Security multiple vulnerabilities *** --------------------------------------------- Trend Micro Internet Security provided by Trend Micro Incorporated contains multiple vulnerabilities. --------------------------------------------- http://jvn.jp/en/jp/JVN48789425/ *** Mitnick Attack Reappears at GeekPwn Macau Contest *** --------------------------------------------- Cao Yue, a Ph.D. student from University of California, Riverside, delivered a stunning show at the GeekPwn 2016 Macau Contest on May 12 attended by top-caliber white hat hackers worldwide. Cao succeeded in remotely hijacking TCP connections at his random choice. --------------------------------------------- http://www.prnewswire.com/news-releases/mitnick-attack-reappears-at-geekpwn… *** Hacker Lexicon: What Is Fuzzing? *** --------------------------------------------- Sometimes hacking isnt about taking a program apart: Its about throwing random objects at it to see what breaks. --------------------------------------------- http://www.wired.com/2016/06/hacker-lexicon-fuzzing/ *** [2016-06-02] Multiple critical vulnerabilities in Ubee EVW3226 Advanced wireless voice gateway *** --------------------------------------------- The firmware for the cable modem Ubee EVW3226 contains multiple critical vulnerabilities, which can be exploited to gain full system-level access to the device. This allows for inspection, modification and redirection of traffic. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activityon SCADA Systems *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.h… *** TeamViewer users claim accounts hacked *** --------------------------------------------- TeamViewer is a remote desktop connection software that allows users to share screens and allow remote access from anywhere in the world. In the past 24 hours, many customers .. --------------------------------------------- http://www.inquisitr.com/3156809/teamviewer-accounts-hacked-users-claim/ *** Erpresser-Mails drohen mit Rufschädigung über Social Media *** --------------------------------------------- Erpresser machen sich die Berichterstattung über aktuelle Hackerangriffe zunutze, um Droh-Mails zu verschicken, in denen sie den Opfern damit drohen, sensible Informationen auf deren Online-Konten zu veröffentlichen. --------------------------------------------- http://heise.de/-3225619 *** 93% Of Phishing Emails Are Now Ransomware *** --------------------------------------------- According to the latest data from security firm PhishMe, 93% of all phishing emails as of the end of March contained encryption ransomware. The numbers .. --------------------------------------------- https://tech.slashdot.org/story/16/06/02/1356241/93-of-phishing-emails-are-… *** How Russian cybercrime bosses crafted a ransomware empire out of an economic crisis *** --------------------------------------------- Amid a crashing ruble and shaken markets due to global sanctions over Russian president Vladimir Putins .. --------------------------------------------- http://www.neowin.net/news/how-russian-cybercrime-bosses-crafted-a-ransomwa… *** XSA-178 *** --------------------------------------------- http://xenbits.xen.org/xsa/advisory-178.html *** XSA-175 *** --------------------------------------------- http://xenbits.xen.org/xsa/advisory-175.html

1 0

Tageszusammenfassung - Mittwoch 1-06-2016
by Daily end-of-shift report 01 Jun '16

01 Jun '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 31-05-2016 18:00 − Mittwoch 01-06-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Tor Browser 6.0: Ditches SHA-1 Support, Uses DuckDuckGo For Default Search Results *** --------------------------------------------- The version 6.0 of Tor Browser, a free software for enabling anonymous communication, is now available to download. The new version introduces several changes, including disabling SHA-1 support, and removing .. --------------------------------------------- https://tech.slashdot.org/story/16/05/31/1643234/tor-browser-60-ditches-sha… *** Drupal SQLi (Drupalgeddon) Attack Trend CVE-2014-3704 / SA-CORE-2014-005 *** --------------------------------------------- It has been over 19 months since Drupalgeddon, which refers to Drupal's Security Advisory (SA) SA-CORE-2014-005. For those unfamiliar with it, it .. --------------------------------------------- https://blog.sucuri.net/2016/05/drupal-sqli-drupalgeddon-attack-trend-cve-2… *** Finding Conditional Drupal Database Spam *** --------------------------------------------- Nobody likes spam. It's never fun (unless you're watching Monty Python). For us it comes with the territory; removing SEO spam has been at the core of what we deal with since our inception, giving us some pretty good .. --------------------------------------------- https://blog.sucuri.net/2016/05/finding-conditional-drupal-database-spam.ht… *** Cluster of 'megabreaches' compromises a whopping 642 million passwords *** --------------------------------------------- MySpace, Tumblr, and Fling are the latest services to join discredited LinkedIn. --------------------------------------------- http://arstechnica.com/security/2016/05/cluster-of-megabreaches-compromise-… *** Moxa UC 7408-LX-Plus Firmware Overwrite Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a firmware overwrite vulnerability in Moxa's UC 7408-LX-Plus device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-152-01 *** ABB PCM600 Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for one use of password hash with insufficient computational effort and three insufficiently protected credentials vulnerabilities in ABB's PCM600. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-152-02 *** Unfalsifiability of security claims *** --------------------------------------------- There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse. There is no observation that allows us to declare an arbitrary system or technique secure. We .. --------------------------------------------- http://research.microsoft.com/pubs/256133/unfalsifiabilityOfSecurityClaims.… *** Lücke in ImageMagick und GraphicsMagick ermöglicht erneute Angriffe *** --------------------------------------------- Manipulierte Dateinamen können Schadcode über die popen()-Funktion des Betriebssystems zur Ausführung bringen. Patches stehen bereit. --------------------------------------------- http://heise.de/-3223811 *** Scrum.org hacked, may have lost crypto keys and some user data *** --------------------------------------------- Dont go dissing DevOps: a supplier has fessed up to a website vuln Scrum.org, the Scrum certification .. --------------------------------------------- www.theregister.co.uk/2016/06/01/scrumorg_hacked_may_have_lost_crypto_keys_… *** Heikle Sicherheitslücken in vorinstallierter Laptop-Software *** --------------------------------------------- http://derstandard.at/2000038006783 *** Microsoft: Spamfilter für Hotmail und Outlook kaputt *** --------------------------------------------- Unternehmen arbeitet mit Hochdruck an Lösung, manche Nutzer sollen "extreme Menge" an Spam-Mails erhalten --------------------------------------------- http://derstandard.at/2000038023486 *** The impossible task of creating a 'Best VPNs' list today *** --------------------------------------------- Our writer set out to make a list of reliable VPNs; turns out the task is complicated. --------------------------------------------- http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-t… *** VB2015 paper: Economic Sanctions on Malware *** --------------------------------------------- Financial pressure can be a proactive and potentially very effective tool in making our computer ecosystems safer. By cleverly employing various trust metrics and technologies such as digital signing, watermarking, and .. --------------------------------------------- https://www.virusbulletin.com/blog/2016/06/economic-sanctions-malware/ *** DRIDEX Poses as Fake Certificate in Latest Spam Run *** --------------------------------------------- At a glance, it seems that DRIDEX has dwindled its activities or operation, appearing only for a few days this May. This is quite unusual given that in the past five months or so, this prevalent online banking threat .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-… *** Security: LG muss Android-Firmware reparieren *** --------------------------------------------- Zwei Sicherheitslücken in LGs-Android Firmware ermöglichen eine Reihe von Angriffen, teilweise auch aus der Ferne. Nutzer sollten schnell reagieren, die Updates stehen bereit. --------------------------------------------- http://www.golem.de/news/security-lg-muss-android-firmware-reparieren-1606-… *** Kindernahrung: Mein Baby Club von Hipp wurde gehackt *** --------------------------------------------- Kopierte Nutzerdaten sind immer ein Ärgernis - besonders, wenn die persönlichen Informationen von Kindern betroffen sind. Der Hersteller Hipp hat seine Kunden jetzt über einen Einbruch in die eigenen Serversysteme des Mein Baby Clubs informiert --------------------------------------------- http://www.golem.de/news/kindernahrung-mein-baby-club-von-hipp-wurde-gehack…

1 0

Tageszusammenfassung - Dienstag 31-05-2016
by Daily end-of-shift report 31 May '16

31 May '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 30-05-2016 18:00 − Dienstag 31-05-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Abgeschlossen: Wartungsarbeiten Dienstag, 31. 5. 2016 *** --------------------------------------------- Abgeschlossen: Wartungsarbeiten Dienstag, 31. 5. 201625. Mai 2016Am Dienstag, 31. Mai 2016, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen, diese können jeweils .. --------------------------------------------- http://www.cert.at/services/blog/20160525113745-1748.html *** Österreichische Handy-Signatur anfällig für Phishing *** --------------------------------------------- Mit einer sogenannten Handy-Signatur können Österreicher auch Dokumente für Kommunikation Behörden rechtsverbindlich unterschreiben. Doch die digitale Unterschrift lässt sich mit einem einfachen Phishing-Angriff fälschen. --------------------------------------------- http://heise.de/-3222980 *** Vulnerability in Citrix Studio Could Result in Insecure Access Policy Configuration *** --------------------------------------------- A vulnerability has been identified in Citrix Studio that could allow Access Policy rules to be set insecurely on the Citrix XenDesktop Delivery Controller. --------------------------------------------- https://support.citrix.com/article/CTX213045 *** Nach Kritik: Pornhub überarbeitet sein Bounty-Programm *** --------------------------------------------- Mit ihrem Bug-Bounty-Programm hat eine Pornoseite Schlagzeilen gemacht. Doch die Kommunikation mit den Hackern und die gezahlten Bountys sorgten für viel Kritik. Das Unternehmen verspricht jetzt Besserung. --------------------------------------------- http://www.golem.de/news/nach-kritik-pornhub-ueberarbeitet-sein-bounty-prog… *** Twitter paid out $322,420 in bug bounties *** --------------------------------------------- Researchers have proven that bug bounties are a cheaper way for discovering vulnerabilities than hiring full-time bug hunters would be and, in the last few years, many Internet and tech companies have instituted such programs. The security community has praised those who have, and the .. --------------------------------------------- https://www.helpnetsecurity.com/2016/05/31/twitter-bug-bounty/ *** Neuer Tor Browser setzt bei der Suche auf DuckDuckGo *** --------------------------------------------- Die bisherige Standardsuche Disconnect habe auf von Google auf Bing umgestellt, mit katastrophalem Ergebnis, begründen die Entwickler ihre Entscheidung. Weitere Änderungen betreffen Mac-Nutzer und die Anzeige von YouTube-Videos. --------------------------------------------- http://heise.de/-3210346 *** Bloatware Insecurity Continues to Haunt Consumer, Business Laptops *** --------------------------------------------- High-severity vulnerabilities were found in pre-installed software updaters present in consumer and business laptops from vendors such as Dell, HP, Lenovo, Asus and Acer. --------------------------------------------- http://threatpost.com/bloatware-insecurity-continues-to-haunt-consumer-busi…

1 0

Tageszusammenfassung - Montag 30-05-2016
by Daily end-of-shift report 30 May '16

30 May '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 27-05-2016 18:00 − Montag 30-05-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Security baseline for Windows Server 2016 Technical Preview 5 (TP5) *** --------------------------------------------- Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows Server 2016, corresponding to Technical .. --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2016/05/27/security-baseline-f… *** New Locky ransomware campaign sets sights on Amazon customers *** --------------------------------------------- Amazon customers are the target of a wide-ranging phishing email scam intended to fool recipients into opening up a malicious attachment that results in the downloading of Locky ransomware. --------------------------------------------- http://www.scmagazine.com/new-locky-ransomware-campaign-sets-sights-on-amaz… *** How Attackers Use a Flash Exploit to Distribute Crimeware and Other Malware *** --------------------------------------------- Background Adobe Flash is multimedia software that runs on more than 1 billion systems worldwide. Its long list of security vulnerabilities and huge market presence .. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/how-attackers-use-a-fl… *** VMSA-2016-0005.2 *** --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2016-0005.html *** Security Advisory: Stored XSS in Jetpack *** --------------------------------------------- During regular research audits for our Sucuri Firewall (Cloud-based WAF), we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin, currently installed on more than a million WordPress sites. The .. --------------------------------------------- https://blog.sucuri.net/2016/05/security-advisory-stored-xss-jetpack-2.html *** ZDI-16-361: (Pwn2Own) Apple OS X libATSServer Heap-based Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple OS X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-361/ *** ZDI-16-360: (Pwn2Own) Apple OS X fontd Sandbox Escape Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple OS X. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-360/ *** Microsoft stattet Windows 10 mit doppelten Virenschutz aus *** --------------------------------------------- http://derstandard.at/2000037805637 *** Nach LinkedIn Datenleck auch bei MySpace *** --------------------------------------------- Der LinkedIn-Hacker hat laut eigenen Angaben auch 360 Millionen E-Mail-Adressen von MySpace-Nutzern und .. --------------------------------------------- http://futurezone.at/digital-life/nach-linkedin-datenleck-auch-bei-myspace/… *** Duqu 2.0 kernel exploitation technique analysis (part 1 of 2) *** --------------------------------------------- Out of the multiple components used in the sophisticated Duqu 2.0 cyberespionage attack, we had a chance to look into one of the kernel exploits used for its .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/05/29/%e2%80%8bduqu-2-0-kerne… *** CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename *** --------------------------------------------- All existing releases of GraphicsMagick and ImageMagick support a file open syntax where if the first character of the file specification is a |, then the remainder of the filename is passed to the shell for execution using the .. --------------------------------------------- http://permalink.gmane.org/gmane.comp.security.oss.general/19669 *** breaking into a wordpress site without knowing wordpress/php or infosec at all *** --------------------------------------------- This is a post about how I tried and broke into my colleges wordpress installation without having any prior knowledge of wordpress/php and without any experience with hacking web-servers. The attempts were spread out over a month, .. --------------------------------------------- https://notehub.org/5zo2v *** Saudi-Arabien soll Cyberangriffe gegen Iran gestartet haben *** --------------------------------------------- http://derstandard.at/2000037865736 *** Microsoft geht gegen zu einfache Passwörter vor *** --------------------------------------------- Künftig sollen Nutzer von Azure und anderen Diensten Warnungen erhalten, wenn ihr Kennwort .. --------------------------------------------- http://derstandard.at/2000037866342 *** Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the IP Version 6 (IPv6) packet processing functions of Cisco IOS XR Software, Cisco IOS XE Software, and Cisco NX-OS Software could allow an .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Angreifer erbeuten Nutzerdaten von sz-magazin.de *** --------------------------------------------- Ein Unbefugter habe sich Mitte Mai rechtswidrig Zugriff auf einen Datenbankserver des SZ-Magazins verschafft. --------------------------------------------- http://heise.de/-3222586 *** Hintergrund: Zertifikate sperren - so gehts *** --------------------------------------------- Verkehrte Welt -- um ein Zertifikat zu sperren, muss man es erst installieren. Mit der folgenden Anleitung .. --------------------------------------------- http://heise.de/-3222308 *** Zum Weltnichtrauchertag: BSI warnt vor Malware in E-Zigaretten *** --------------------------------------------- Wer E-Zigaretten raucht, erspart seiner Lunge Teer, setzt aber die Gesundheit seines Rechners aufs Spiel - zumindest, wenn die E-Zigarette per USB aufgeladen wird. --------------------------------------------- http://www.golem.de/news/zum-weltnichtrauchertag-bsi-warnt-vor-malware-in-e…

1 0

Tageszusammenfassung - Freitag 27-05-2016
by Daily end-of-shift report 27 May '16

27 May '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 26-05-2016 18:00 − Freitag 27-05-2016 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** VU#482135: MEDHOST Perioperative Information Management System contains hard-coded database credentials *** --------------------------------------------- MEDHOST Perioperative Information Management System (PIMS) versions prior to 2015R1 contain hard-coded credentials that are used for customer database access. --------------------------------------------- http://www.kb.cert.org/vuls/id/482135 *** Environmental Systems Corporation Data Controllers Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for data controller vulnerabilities in the Environmental Systems Corporation (ESC) 8832 Data Controller. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-147-01 *** Sixnet BT Series Hard-coded Credentials Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a hard-coded credential vulnerability in Sixnet's BT series routers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-147-02 *** Black Box AlertWerks ServSensor Credential Management Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a credential management vulnerability in Black Box's AlertWerks ServSensor devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-147-03 *** Bugtraq: ESA-2016-061: EMC Isilon OneFS SMB Signing Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/538499 *** Up to a dozen banks are reportedly investigating potential SWIFT breaches *** --------------------------------------------- More banks have reportedly launched investigations into potential security breaches on their networks after hackers stole US$81 million from the Bangladesh .. --------------------------------------------- http://www.cio.com/article/3075448/up-to-a-dozen-banks-are-reportedly-inves… *** Cisco WebEx Meeting Center Site Access Control User Account Enumeration Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Security Advisory: NTP vulnerability CVE-2016-2519 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/41/sol41613034.html *** Security Advisory: NTP vulnerability CVE-2016-2517 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/61/sol61200338.html *** Multiple Buffalo wireless LAN routers vulnerable to information disclosure *** --------------------------------------------- http://jvn.jp/en/jp/JVN75813272/ *** Multiple Buffalo wireless LAN routers vulnerable to directory traversal *** --------------------------------------------- http://jvn.jp/en/jp/JVN81698369/ *** Link (.lnk) to Ransom *** --------------------------------------------- We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/ *** Spoofer *** --------------------------------------------- Seeking to minimize Internets susceptibility to spoofed DDoS attacks, we are developing and supporting open-source software tools to assess and report on the deployment of source address validation (SAV) best anti-spoofing practices. This .. --------------------------------------------- http://www.caida.org/projects/spoofer/ *** Security Advisory - Apache Struts2 Remote Code Execution Vulnerability in Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160527-… *** Path Traversal in extension "Media management" (media) *** --------------------------------------------- https://typo3.org/news/article/path-traversal-in-extension-media-management… *** Cross-Site Scripting in extension "Formhandler" (formhandler) *** --------------------------------------------- https://typo3.org/news/article/cross-site-scripting-in-extension-formhandle… *** Global companies arent quick to patch 'high' severity flaw in OpenSSL *** --------------------------------------------- Yet another Padding Oracle flaw (CVE-2016-2107), allowing decrypting TLS traffic in a MITM attack, remains exploitable on the most popular web and email servers. --------------------------------------------- https://www.htbridge.com/blog/CVE-2016-2107-padding-oracle-exploit.html *** TLS-Zertifikate: Google zieht Daumenschrauben der CAs weiter an *** --------------------------------------------- Ab Juni müssen alle Symantec-CAs ihre Aktivitäten via Certificate Transparency registrieren. Sonst werden die Zertifikats-Inhaber abgestraft. Das könnte auch andere CAs treffen. --------------------------------------------- http://heise.de/-3215053 *** Cisco Firepower Management Center Web Interface Code Injection Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Android Banking Trojan 'SpyLocker' Targets More Banks in Europe *** --------------------------------------------- Since the discovery of the Android banking Trojan SpyLocker, Intel Security has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and .. --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/android-banking-trojan-spylocker-targe…

1 0

Tageszusammenfassung - Mittwoch 25-05-2016
by Daily end-of-shift report 25 May '16

25 May '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 24-05-2016 18:00 − Mittwoch 25-05-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** New Botnets Used for Low and Slow Credential Testing (May 23, 2016) *** --------------------------------------------- Botnets are being used to test account access credentials... --------------------------------------------- http://www.sans.org/newsletters/newsbites/r/18/41/306 *** Many Ubiquiti Wireless Devices Still Vulnerable (May 20 and 23, 2016) *** --------------------------------------------- Owners of Ubiquiti wireless devices are being urged to apply a patch that the company released last year; the flaw it fixes is being actively exploited... --------------------------------------------- http://www.sans.org/newsletters/newsbites/r/18/41/308 *** Nulled WordPress Themes: Malvertising and Black Hat SEO *** --------------------------------------------- If you have been following our blog for some time, you know that we regularly warn about risks associated with the use of third-party software on your site. A benign plugin may sneakingly inject ads into your site which cause malvertising problems for the site visitors (e.g. SweetCaptcha). Other plugins may be hijacked by hackers or... The post Nulled WordPress Themes: Malvertising and Black Hat SEO appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2016/05/nulled-wordpress-themes-malvertising-black-… *** New Wekby Attacks Use DNS Requests As Command and Control Mechanism *** --------------------------------------------- We have observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks. Wekby is a group that has been active for a number of years, targeting various industries such... --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks… *** SWIFT exec unveils info sharing plan, calls Bangladesh a watershed event *** --------------------------------------------- SWIFT CEO Gottfried Leibbrandt issued details of the messaging service companys information-sharing strategy. --------------------------------------------- http://www.scmagazine.com/swift-exec-unveils-info-sharing-plan-calls-bangla… *** Stop Using "internal" Top Level Domain Names, (Wed, May 25th) *** --------------------------------------------- Cert.org this week warned again that internal top level domain names can be used against you, if one of these domains happens to be registered as a new generic top level domain (gTLD). Currently, there are about 1200 approved gTLDs, and the number will only increase even though the initial gold rush seems to have leveled off somewhat [1] US-Cert just sent out a reminder again regarding the use of internal domain names for automatic proxy configuration via WPAD. If this internal, but not... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21095&rss *** CVE-2015-2545: overview of current threats *** --------------------------------------------- Cyberespionage attacks conducted by different groups across the Asia-Pacific (APAC) and Far East regions share one common feature: in order to infect their victims with malware, the attackers use an exploit for the CVE-2015-2545 vulnerability. --------------------------------------------- http://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of… *** Who's tracking you online, and how? *** --------------------------------------------- Armed with a tool that mimics a consumer browser but is actually bent on discovering all the ways websites are tracking visitors, Princeton University researchers have discovered several device fingerprinting techniques never before seen in the wild. The web privacy measurement tool is called OpenWPM, and has been open sourced. Its creators are the very same researchers who performed this latest study. They crawled and analyzed measurements collected from 1 million of the most popular... --------------------------------------------- https://www.helpnetsecurity.com/2016/05/25/whos-tracking-you-online/ *** The Answer is always the same: Layers of Security *** --------------------------------------------- There is a common misperception that now that containers support seccomp we no longer need SELinux to help protect our systems. WRONG. The big weakness in containers is the container possesses the ability to interact with the host kernel and the host file systems. Securing the container processes is all about shrinking the attack surface on the host OS and more specifically on the host kernel.seccomp does a great job of shrinking the attack surface on the kernel. The idea is to limit the number... --------------------------------------------- https://access.redhat.com/blogs/766093/posts/2334141 *** Skimmers Found at Walmart: A Closer Look *** --------------------------------------------- Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations reminds me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals. --------------------------------------------- http://krebsonsecurity.com/2016/05/skimmers-found-at-walmart-a-closer-look/ *** VMSA-2016-0006 *** --------------------------------------------- VMware vCenter Server updates address an important cross-site scripting issue --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2016-0006.html *** HPE Service Manager Unspecified Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1035954 *** Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities *** --------------------------------------------- Multiple ETAP binaries are prone to a stack-based buffer overflow vulnerability because the application fails to handle malformed arguments. An attacker can exploit these issues to execute arbitrary code within the context of the application or to trigger a denial-of-service conditions. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5324.php *** Operation Technology ETAP 14.1.0 Local Privilege Escalation *** --------------------------------------------- ETAP suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the C flag (Change) for Authenticated Users group. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5323.php *** ZDI-16-354: (0Day) ActivePDF Toolkit ImageToPDF IAT Overwrite Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ActivePDF Toolkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-354/ *** Moxa MiiNePort Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for weak credential management, sensitive information not protected, and cross-site request forgery vulnerabilities in Moxa's MiiNePort serial device server module series. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-145-01 *** Security Advisory: Java vulnerabilities CVE-2013-5802 and CVE-2013-5823 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53316849.html?… *** Security Advisory: Multiple Java vulnerabilities *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/95/sol95313044.html?… *** Wartungsarbeiten Dienstag, 31.5.2016 *** --------------------------------------------- Wartungsarbeiten Dienstag, 31. 5. 2016 | 25. Mai 2016 | Am Dienstag, 31. Mai 2016, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen, diese können jeweils mehrere Minuten andauern. Es... --------------------------------------------- http://www.cert.at/services/blog/20160525113745-1748.html Next End-of-Shift report: 2016-05-27

1 0

Tageszusammenfassung - Dienstag 24-05-2016
by Daily end-of-shift report 24 May '16

24 May '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 23-05-2016 18:00 − Dienstag 24-05-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** DMA Locker 4.0 - Known Ransomware Preparing For A Massive Distribution *** --------------------------------------------- We take a look at the step towards maturity of DMA Locker how this will be spreading on a bigger scale.Categories: Malware Threat analysisTags: DMA Lockerransomware(Read more...) --------------------------------------------- https://blog.malwarebytes.org/threat-analysis/2016/05/dma-locker-4-0-known-… *** Beware of keystroke loggers disguised as USB phone chargers, FBI warns *** --------------------------------------------- Private industry notification comes 15 months after debut of KeySweeper. --------------------------------------------- http://arstechnica.com/security/2016/05/beware-of-keystroke-loggers-disguis… *** SWIFT to unveil new security plan after hackers heists *** --------------------------------------------- The SWIFT secure messaging service that underpins international banking said it plans to launch a new security program as it fights to rebuild its reputation in the wake of the Bangladesh Bank heist. [...] Users frequently do not inform SWIFT of breaches of their SWIFT systems and even now, the co-operative has not proposed any sanctions for clients who fail to pass on information, which SWIFT itself says is key to stopping future attacks. --------------------------------------------- http://www.reuters.com/article/us-cyber-banks-swift-idUSKCN0YE2S6 *** Kommentar: Allo, Google? Gehts noch? *** --------------------------------------------- Googles WhatsApp-Alternative Allo verschlüsselt nicht konsequent, sondern liest stattdessen aktiv mit. Was soll das? --------------------------------------------- http://heise.de/-3215729 *** WPAD name collision bug opens door for MitM attackers *** --------------------------------------------- A vulnerability in Web Proxy Auto-Discovery (WPAD), a protocol used to ensure all systems in an organization utilize the same web proxy configuration, can be exploited to mount MitM attacks from anywhere on the Internet, US-CERT warns. "With the New gTLD program, previously undelegated gTLD strings are now being delegated for public domain name registration. These strings may be used by private or enterprise networks, and in certain circumstances, such as when a work computer... --------------------------------------------- https://www.helpnetsecurity.com/2016/05/24/wpad-name-collision-bug/ *** Hacker finds flaw in teleconference tool used by US Army, NASA and CERN *** --------------------------------------------- Like we need another reason to hate videoconferences Sydney security tester Jamieson OReilly has reported a since-patched vulnerability in popular video platform Vidyo - used by the likes of the US Army, NASA and CERN - that could see videos leaked and systems compromised. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/05/19/popular_tel… *** Pastejacking im Browser: Codeausführung per Copy and Paste *** --------------------------------------------- Browser können den Inhalt der Zwischenablage selbstständig verändern. In einem Proof-of-Concept wird gezeigt, wie diese Funktion für Angriffe genutzt werden kann - und Nutzer sich recht einfach schützen können. --------------------------------------------- http://www.golem.de/news/pastejacking-im-browser-codeausfuehrung-per-copy-a… *** Bösartige Apps stellen heimlich teure Telefonverbindungen her *** --------------------------------------------- Warnung der Regulierungsbehörde --------------------------------------------- http://derstandard.at/2000037564561 *** Neben Erpressung nun auch DDoS: Verschlüsselungs-Trojaner Cerber lernt dazu *** --------------------------------------------- Mit einer neuen Version von Cerber wollen die Drahtzieher hinter der Ransomware noch mehr Profit generieren: Der Schädling nimmt persönliche Daten als Geisel und die Kriminellen können infizierte Computer für DDoS-Attacken missbrauchen. --------------------------------------------- http://heise.de/-3217254 *** The Anti-Ransomware Protection Plan You Need to Follow Today *** --------------------------------------------- Technology has made our lives both easier and more complicated - there's no denying that. Fast Internet access opened up a world of wisdom and all the distractions we can image. But the door is also open for cyber criminals with little to no scruples and a big appetite for money. And there's no better... --------------------------------------------- https://heimdalsecurity.com/blog/anti-ransomware-protection-plan/ *** Xen Security Advisory CVE-2014-3672 / XSA-180 *** --------------------------------------------- When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large. --------------------------------------------- http://xenbits.xen.org/xsa/advisory-180.html *** Pulse Connect Secure Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1035932 *** Missing Access Check in TYPO3 CMS *** --------------------------------------------- It has been discovered, that TYPO3 CMS lacks an access check for Extbase actions. --------------------------------------------- https://typo3.org/news/article/missing-access-check-in-typo3-cms/ *** Missing Access Check in extension "Frontend User Registration" (sf_register) *** --------------------------------------------- It has been discovered that the extension "Frontend User Registration" (sf_register) lacks a proper access check. --------------------------------------------- https://typo3.org/news/article/missing-access-check-in-extension-frontend-u… *** Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager JSON Privilege Escalation Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco UCS Invicta Software Default GPG Key Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: GNU C Library (glibc) vulnerability CVE-2016-3075 *** https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15439022.html?… --------------------------------------------- *** Security Advisory: OpenSSH vulnerability CVE-2016-1907 *** https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35424631.html?… --------------------------------------------- *** Security Advisory: glibc vulnerability CVE-2016-3075 *** https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15439022.html?… --------------------------------------------- *** Security Advisory: Java vulnerabilities CVE-2013-5782 and CVE-2013-5803 *** https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14340611.html?… --------------------------------------------- *** Security Advisory: PHP Vulnerability CVE-2016-4539 *** https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35240323.html?… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Host On-Demand (CVE-2016-0264 ,CVE-2016-3449) *** http://www.ibm.com/support/docview.wss?uid=swg21983578 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005812 --------------------------------------------- *** IBM Security Bulletin: IBM Connections Security Update (CVE-2016-0322) *** http://www.ibm.com/support/docview.wss?uid=swg21982611 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat may affect IBM WebSphere Application Server Community Edition (CVE-2015-5174) *** http://www.ibm.com/support/docview.wss?uid=swg21983128 --------------------------------------------- *** IBM Applicable countries and regions *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099367 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities have been identified in the versions of IBM WebSphere Application Server Community Edition bundled with Web Experience Factory 7.0.x and 8.0.x (CVE-2015-5345) (CVE-2016-0706) (CVE-2016-0714) *** http://www.ibm.com/support/docview.wss?uid=swg21981775 --------------------------------------------- *** IBM Security Bulletin: HTTP response splitting has been identified in IBM WebSphere Application Server Liberty Profile shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-2017) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000121 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 23-05-2016
by Daily end-of-shift report 23 May '16

23 May '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 20-05-2016 18:00 − Montag 23-05-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Backdoor in Fake Joomla! Core Files *** --------------------------------------------- We usually write a lot about obfuscation methods on Sucuri Labs and here on the blog. Sometimes we write about free tools to obfuscate your code that aren't that free and we also have an online tool to help decoding the malware you find. But sometimes the malware is not clearly encoded using base64, gzinflate, hex concatenation,... The post Backdoor in Fake Joomla! Core Files appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2016/05/unexpected-backdoor-fake-core-files.html *** 60 percent of enterprise Android phones prone to QSEE vulnerability *** --------------------------------------------- Duo Labs researchers found that 60 percent of enterprise Android phones are affected by a critical QSEE vulnerability. --------------------------------------------- http://www.scmagazine.com/majority-of-enterprise-android-phones-vulnerable-… *** The strange case of WinZip MRU Registry key, (Sun, May 22nd) *** --------------------------------------------- When we want to know if a document (.doc, .pdf, whatever) has been opened by the user, in a Windows environment our information goldmine place is the Registry and particularly its MRUs keys. However, it seems this is not always the case. During the analysis of the Retefe case I wrote about in my previous diary, I came across a Registry behavior I did not expect, or at least I was not aware of, about how to verify if the file contained within the zip archive had been opened or not. Regarding... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21087&rss *** ENISA- Europol issue joint statement *** --------------------------------------------- ENISA and Europol issue joint statement on lawful criminal investigation that respects 21st Century data protection. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-europol-issue-joint-state… *** Geldautomaten: Kriminelle erbeuten Millionen in zwei Stunden *** --------------------------------------------- Kriminelle Kartenfälscher agieren global: Mit Hilfe von Kreditkarteninformationen einer südafrikanischen Bank erbeutete eine Bande in Japan in nur 2,5 Stunden Bargeld im Wert von mehr als 12 Millionen Euro. --------------------------------------------- http://www.golem.de/news/geldautomaten-kriminelle-erbeuten-millionen-in-zwe… *** National coordinators meet to prepare for ECSM launch *** --------------------------------------------- National coordinators from across Europe gathered in Brussels earlier this month in preparation for the launch of this year's European Cyber Security Month. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/national-coordinators-meet-to-p… *** Organizations unprepared for employee-caused security incidents *** --------------------------------------------- While employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior, according to a new Ponemon Institute study. The study, Managing Insider Risk Through Training & Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences... --------------------------------------------- https://www.helpnetsecurity.com/2016/05/23/employee-caused-security-inciden… *** When Hashing isn't Hashing *** --------------------------------------------- Anyone working in application security has found themselves saying something like this a thousand times: "always hash passwords with a secure password hashing function." I've said this phrase at nearly all of the developer events I've spoken at, it's become a mantra of sorts for many of us that try to improve the security of applications. We tell developers to hash passwords, then we have to qualify it to explain that it isn't normal hashing. --------------------------------------------- https://adamcaudill.com/2016/05/23/when-hashing-isnt-hashing/ *** Technical Report about the RUAG espionage case *** --------------------------------------------- After several months of Incident Response and Analysis in the RUAG cyber espionage case, we got the assignment from the Federal Council to write and publish a report about the findings. The following is a purely technical report, intending to inform the public about Indicators of Compromise (IOCs) and the Modus Operandi of the attacker group behind this case. We strongly believe in... --------------------------------------------- https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espion… *** Hack von Rüstungskonzern: Schweizer Cert gibt Security-Tipps für Unternehmen *** --------------------------------------------- Daran könnten sich andere Sicherheitsfirmen ein Beispiel nehmen: Das Schweizer Cert hat detailliert die Angriffsmethoden einer APT-Gruppe auf den Technikkonzern Ruag analysiert und gibt Unternehmen Tipps zum Schutz. --------------------------------------------- http://www.golem.de/news/hack-von-ruestungskonzern-schweizer-cert-gibt-secu… *** After trio of hacks, SWIFT addresses information sharing concerns *** --------------------------------------------- Following reports of a cyberattack last year in which hackers stole $9 million from an Ecuadorean bank, SWIFT stated it is taking steps to create more information sharing practices. --------------------------------------------- http://www.scmagazine.com/after-trio-of-hacks-swift-addresses-information-s… *** Student convicted after finding encryption flaws in government network *** --------------------------------------------- He found that the encrypted network often wasnt... but he lost patience when it looked as though nothing was being done about it. --------------------------------------------- https://nakedsecurity.sophos.com/2016/05/23/student-convicted-after-finding… *** A recently patched Flash Player exploit is being used in widespread attacks *** --------------------------------------------- It took hackers less than two weeks to integrate a recently patched Flash Player exploit into widely used Web-based attack tools that are being used to infect computers with malware.The vulnerability, known as CVE-2016-4117, was discovered earlier this month by security researchers FireEye. It was exploited in targeted attacks through malicious Flash content embedded in Microsoft Office documents.When the targeted exploit was discovered, the vulnerability was unpatched, which prompted a... --------------------------------------------- http://www.cio.com/article/3073558/a-recently-patched-flash-player-exploit-… *** Security Update Available for Adobe Connect (APSB16-17) *** --------------------------------------------- A Security Bulletin (APSB16-17) has been published regarding a security update for Adobe Connect. Adobe recommends users update their product installations to the latest version using the instructions referenced in the security bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1355 *** TA16-144A: WPAD Name Collision Vulnerability *** --------------------------------------------- Original release date: May 23, 2016 Systems Affected Windows, OS X, Linux systems, and web browsers with WPAD enabled Overview Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed reaching public DNS servers [1]. In combination with the New generic Top Level Domain (gTLD) program's incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in... --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA16-144A *** Bugzilla 4.4.11 and 5.0.2 Security Advisory *** --------------------------------------------- A specially crafted bug summary could trigger XSS in dependency graphs. --------------------------------------------- https://www.bugzilla.org/security/4.4.11/ *** DSA-3585 wireshark - security update *** --------------------------------------------- Multiple vulnerabilities were discovered in the dissectors/parsers forPKTC, IAX2, GSM CBCH and NCP which could result in denial of service. --------------------------------------------- https://www.debian.org/security/2016/dsa-3585 *** SECURITY BULLETIN: Trend Micro InterScan Web Security Virtual Appliance (IWSVA) Multiple Remote Code Execution Vulnerabilities *** --------------------------------------------- Trend Micro has released new builds of the Trend Micro InterScan Web Security Virtual Appliance. These updates resolve vulnerabilities in the product that could potentially allow a remote attacker to execute arbitrary code on vulnerable installations. --------------------------------------------- https://esupport.trendmicro.com/solution/en-US/1114185.aspx *** SECURITY BULLETIN: Trend Micro OfficeScan Path Traversal Vulnerability *** --------------------------------------------- Trend Micro has released an update for OfficeScan (OSCE) 11.0 Service Pack (SP) 1 which resolves a vulnerability in the product that when certain conditions are met could be exploited to access files and directories located outside of the core product web root folder. --------------------------------------------- https://esupport.trendmicro.com/solution/en-US/1114097.aspx *** ZDI-16-353: BitTorrent API Cross Site Scripting Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of BitTorrent and uTorrent. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-353/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-0283, CVE-2015-7417). *** http://www.ibm.com/support/docview.wss?uid=swg21981914 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology (CVE-2015-7484, CVE-2015-7474, CVE-2015-7485, CVE-2015-7486, CVE-2016-0219) *** http://www.ibm.com/support/docview.wss?uid=swg21983720 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3193, CVE-2015-3195, CVE-2015-1794) *** http://www.ibm.com/support/docview.wss?uid=swg21982608 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Marketing Platform (CVE-2016-0224, CVE-2016-0229, CVE-2016-0233) *** http://www.ibm.com/support/docview.wss?uid=swg21980989 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in XML processing affect IBM DataPower Gateways *** http://www.ibm.com/support/docview.wss?uid=swg21982607 --------------------------------------------- *** IBM Security Bulletin: Vulnerability identified in IBM Domino Java Console (CVE-2016-0304) *** http://www.ibm.com/support/docview.wss?uid=swg21983328 --------------------------------------------- *** IBM Security Bulletin: OpenSSL vulnerabilities in Node.js found on May 03, 2016 affect Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2016-2107, CVE-2016-2105) *** http://www.ibm.com/support/docview.wss?uid=swg21983555 --------------------------------------------- *** IBM Security Bulletin: Multiple OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software *** http://www.ibm.com/support/docview.wss?uid=swg21982949 --------------------------------------------- *** IBM Security Bulletin: One vulnerability in IBM Java SDK affect Application Delivery Intelligence 1.0.0 (CVE-2016-3427) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023804 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: WebSphere Dashboard Framework (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) *** http://www.ibm.com/support/docview.wss?uid=swg21982528 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 6, affects: Web Experience Factory (CVE-2016-3427, CVE-2016-3426, CVE-2016-0264) *** http://www.ibm.com/support/docview.wss?uid=swg21982527 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2016-3427) *** http://www.ibm.com/support/docview.wss?uid=swg21983002 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems, IBM OS Images for AIX, and Windows. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) *** http://www.ibm.com/support/docview.wss?uid=swg21983647 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Image Construction and Composition Tool. (CVE-2016-0363, CVE-2016-0376, CVE-2016-3426, and CVE-2016-0264) *** http://www.ibm.com/support/docview.wss?uid=swg21983644 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects Tivoli Provisioning Manager for OS Deployment, Tivoli Provisioning Manager for Images (CVE-2016-2842) *** http://www.ibm.com/support/docview.wss?uid=swg21982159 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server *** http://www.ibm.com/support/docview.wss?uid=swg21981545 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in ApacheTomcat affect IBM Security SiteProtector System (CVE-2015-5174, CVE-2015-5345, CVE-2016-0706 and CVE-2016-0714) *** http://www.ibm.com/support/docview.wss?uid=swg21983242 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3197 ) *** http://www.ibm.com/support/docview.wss?uid=swg21982697 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenStack affect IBM Spectrum Scale V4.2 and V4.1.1 (CVE-2015-8466 and CVE-2016-0738) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005833 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 20-05-2016
by Daily end-of-shift report 20 May '16

20 May '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 19-05-2016 18:00 − Freitag 20-05-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** DSA-3584 librsvg - security update *** --------------------------------------------- Gustavo Grieco discovered several flaws in the way librsvg, a SAX-basedrenderer library for SVG files, parses SVG files with circulardefinitions. A remote attacker can take advantage of these flaws tocause an application using the librsvg library to crash. --------------------------------------------- https://www.debian.org/security/2016/dsa-3584 *** Petya and Mischa - Ransomware Duet (part 1) *** --------------------------------------------- After being defeated about a month ago, Petya comes back with new tricks. Now, not as a single ransomware, but in a bundle with another malicious payload - Mischa. Both are named after the satellites from the GoldenEye movie. They deploy attacks on .. --------------------------------------------- https://blog.malwarebytes.org/threat-analysis/2016/05/petya-and-mischa-rans… *** EITest campaign still going strong, (Fri, May 20th) *** --------------------------------------------- Originally reported by Malwarebytes in October 2014 [1], the EITest campaign has been going strong ever since. Earlier this year, I documented how the campaign has evolved over time [2]. During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21081 *** TLS/GCM: Gefahr durch doppelte Nonces *** --------------------------------------------- Moderne TLS-Verbindungen nutzen üblicherweise das AES-GCM-Verschlüsselungsverfahren. Das benötigt einen sogenannten Nonce-Wert, der sich nicht wiederholen darf. Ansonsten ist die Sicherheit dahin. --------------------------------------------- http://www.golem.de/news/tls-gcm-gefahr-durch-doppelte-nonces-1605-121005.h… *** Important Security-Bulletin Pre-Announcement *** --------------------------------------------- https://typo3.org/news/article/important-security-bulletin-pre-announcement… *** Resource Data Management Intuitive 650 TDB Controller Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for a privilege escalation vulnerability and a cross-site request forgery vulnerability in Resource Data Management's Intuitive 650 TDB Controller. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-140-01 *** Siemens SIPROTEC Information Disclosure Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for information disclosure vulnerabilities in the Siemens SIPROTEC 4 and SIPROTEC Compact. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-140-02 *** Hacked in a public space? Thanks, HTTPS *** --------------------------------------------- Kali Linux, laptop, coffee - hack on! Have you ever bothered to look at who your browser trusts? The padlock of a HTTPS connection doesnt mean anything if you cant trust the other end of the connection and its upstream signatories. Do you .. --------------------------------------------- www.theregister.co.uk/2016/05/20/https_wifi_trust_in_a_public_place/ *** Wichtiger Sicherheits-Patch für Typo3 voraus *** --------------------------------------------- In vielen Typo3-Versionen klafft offensichtlich eine schwerwiegende Sicherheitslücke. Ein Patch soll Anfang nächster Woche erscheinen. --------------------------------------------- http://heise.de/-3212058 *** l+f: Erpressung für den guten Zweck *** --------------------------------------------- Ein Verschlüsselungs-Trojaner fordert ein horrende Summe und will damit Gutes tun. Wer's glaubt ... --------------------------------------------- http://heise.de/-3212111

1 0

Tageszusammenfassung - Donnerstag 19-05-2016
by Daily end-of-shift report 19 May '16

19 May '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 18-05-2016 18:00 − Donnerstag 19-05-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Website Hacked Trend Report - 2016/Q1 *** --------------------------------------------- Our Remediation group is comprised of two distinct teams, the Incident Response Team (IRT) and Malware Research Team (MRT). These teams work closely with our customers in an effort to identify and remove website infections to include .. --------------------------------------------- https://blog.sucuri.net/2016/05/sucuri-hacked-report-2016q1.html *** Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028 *** --------------------------------------------- https://www.drupal.org/node/2728711 *** Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027 *** --------------------------------------------- https://www.drupal.org/node/2728693 *** Web Mailing List vulnerable to cross-site scripting *** --------------------------------------------- http://jvn.jp/en/jp/JVN43076390/ *** The 5Ws and 1H of Ransomware *** --------------------------------------------- For the past three months, we have seen ransomware hop its way across globe. Majority of the ransomware incidents are found in the United States, then Italy, and Canada. The prevalence of large-scale ransomware incidents led the United States and Canadian governments to issue a joint statement about .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ranso… *** Hackerangriff auf Linkedin: 100 Millionen Nutzer betroffen *** --------------------------------------------- Attacke fand bereits 2012 statt - Ausmass wurde jedoch erst jetzt in vollem Umfang bekannt --------------------------------------------- http://derstandard.at/2000037231582 *** Erpressungstrojaner: Teslacrypt-Entwickler geben auf *** --------------------------------------------- Master-Key veröffentlicht, Entschlüsselungssoftware verfügbar. --------------------------------------------- http://derstandard.at/2000037236758 *** Ransomware Awareness Tag *** --------------------------------------------- Unsere Kollegen von der Schweizer Melde- und Analysestelle Informationssicherung MELANI veranstalten heute, am 19. Mai 2016, einen Aktionstag zum Thema Ransomware. Das Ziel ist es, die Informationen zu der Bedrohung .. --------------------------------------------- http://www.cert.at/services/blog/20160519095712-1737.html *** Kernel Waiter Exploit from the Hacking Team Leak Still Being Used *** --------------------------------------------- Although the Hacking Team leak took place several months ago, the impact of this data breach - where exploit codes were made public and spurred a chain of attacks - can still be felt until today. We recently spotted malicious Android apps that appear to use an exploit found in the Hacking Team data .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/kernel-waiter-ex… *** FBI muss Mozilla keine Informationen über Sicherheitslücke übergeben *** --------------------------------------------- Der Richter in einem Verfahren gegen einen Nutzer einer Kinderpornographie-Plattform hat es abgelehnt, dass Mozilla sich einmischt, um an Informationen über eine Sicherheitslücke im Tor-Browser zu kommen. --------------------------------------------- http://heise.de/-3211120

1 0

Tageszusammenfassung - Mittwoch 18-05-2016
by Daily end-of-shift report 18 May '16

18 May '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 17-05-2016 18:00 − Mittwoch 18-05-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** That Insane, $81M Bangladesh Bank Heist? Here's What We Know *** --------------------------------------------- Someone stole $81 million from Bangladesh Bank in a matter of hours, and appears to have targeted other banks that use .. --------------------------------------------- http://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/ *** Academics Make Theoretical Breakthrough in Random Number Generation *** --------------------------------------------- Two University of Texas academics have made what some experts believe is a breakthrough in random number generation that could have longstanding implications for cryptography and computer security. --------------------------------------------- http://threatpost.com/academics-make-theoretical-breakthrough-in-random-num… *** XSA-176 *** --------------------------------------------- http://xenbits.xen.org/xsa/advisory-176.html *** First ATM malware is back and badder than ever *** --------------------------------------------- Original gangster Skimer goes global Cybercriminals have retrofitted a strain of ATM malware first discovered in 2009 to create an even more potent threat. --------------------------------------------- www.theregister.co.uk/2016/05/17/skimer_atm_malware/ *** Cisco Adaptive Security Appliance XML Parser Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Adaptive Security Appliance VPN Memory Block Exhaustion Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Unified Computing System Central Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Identity Services Engine Active Directory Integration Component Remote Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Malicious macro using a sneaky new trick *** --------------------------------------------- We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/05/17/malicious-macro-using-a… *** Hacker weiden Untergrund-Forum Nulled.IO aus *** --------------------------------------------- Im Hacker-Forum Nulled.IO treffen sich Gleichgesinnte und handeln etwa mit erbeuteten Nutzer-Konten. Ironischerweise wurde Nulled.IO nun selbst Opfer einer verheerenden Hacker-Attacke. --------------------------------------------- http://heise.de/-3209682 *** Windows 10 Device Guard and Credential Guard Demystified *** --------------------------------------------- While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I've observed there's still a lot of confusion regarding the security features of the operating system. This is a shame since some .. --------------------------------------------- https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-… *** Scammers target cybersecurity brands *** --------------------------------------------- Cybersquatting, typosquatting and phishing now target the largest cybersecurity brands. --------------------------------------------- https://www.htbridge.com/blog/scammers-target-cybersecurity-companies-brand… *** Google to shutter SSLv3, RC4 from SMTP servers, Gmail *** --------------------------------------------- Mark your calendars: Google will disable support for the RC4 stream cipher and the SSLv3 protocol on its SMTP servers and Gmail servers on June 16.After the deadline, Googles SMTP servers will no longer exchange mail with servers .. --------------------------------------------- http://www.cio.com/article/3071866/security/google-to-shutter-sslv3-rc4-fro… *** Magento 2.0.6 Security Update *** --------------------------------------------- Magento Enterprise Edition and Community Edition 2.0.6 contain multiple security and functional enhancements. You can find more details about the vulnerabilities addressed below. --------------------------------------------- https://magento.com/security/patches/magento-206-security-update *** Magento - Unauthenticated Remote Code Execution *** --------------------------------------------- The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post. --------------------------------------------- http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-executi… *** Sicherheitsrichtlinie: EU-Rat billigt Meldepflicht bei Cyberangriffen *** --------------------------------------------- Die EU-Mitgliedsstaaten haben den Kompromiss zur geplanten Richtlinie über Netz- und Informationssicherheit angenommen, den Verhandlungsführer zuvor mit dem EU-Parlament ausgehandelt hatten. Es geht um Sicherheitsauflagen für Online-Anbieter. --------------------------------------------- http://heise.de/-3210189 *** Ransomware Activity Spikes in March, Steadily increasing throughout 2016 *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2016/05/ransomware_activity.ht… *** The Ultimate Guide to Angler Exploit Kit for Non-Technical People *** --------------------------------------------- There's been a lot of talk about the Angler exploit kit lately, but, for most people, the warnings don't strike a chord. And they're definitely not to blame. Not everyone .. --------------------------------------------- https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-tech… *** Die Crypto Wars und die Folgen: Wie uns alte Hintertüren weiter verfolgen *** --------------------------------------------- Erneut fordern Politiker, Geheimdienste und Strafverfolger, Krypto-Software absichtlich zu schwächen. Das war schon einmal vorgeschrieben und die Konsequenzen verfolgen uns noch heute: Verheerende Sicherheitslücken haben genau darin ihren Ursprung. --------------------------------------------- http://heise.de/-3210209 *** Bitly partners with Let's Encrypt for HTTPS links *** --------------------------------------------- Bitly processes data associated with more than 12 billion clicks per month, leading to massive troves of intelligence. Now, they're partnering with Let's Encrypt to generate SSL certificates for more than 40,000 Bitly .. --------------------------------------------- https://www.helpnetsecurity.com/2016/05/18/bitly-https-links/ *** IRZ RUH2 3G Firmware Overwrite Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a firmware overwrite vulnerability in iRZ's RUH2 device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-138-01 *** Moxa EDR-G903 Secure Router Vulnerabilities *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on February 11, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for Moxa's ECR G903 secure routers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-042-01 *** Fixing `marked` XSS vulnerability *** --------------------------------------------- A few weeks ago we added to our DB a Cross-Site Scripting (XSS) vulnerability in the popular marked package. This post explains the vulnerability, shows how to exploit it on a sample app, and explains how to fix the issue in your application. --------------------------------------------- https://snyk.io/blog/marked-xss-vulnerability/

1 0

Tageszusammenfassung - Dienstag 17-05-2016
by Daily end-of-shift report 17 May '16

17 May '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 13-05-2016 18:00 − Dienstag 17-05-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Panama Papers: the result of neglected IT security *** --------------------------------------------- The financial, legal and political world have been turned upside down by the Panama Papers. But how on earth was it possible to steal 2.6 terabytes of data from Mossack Fonseca? --------------------------------------------- https://blog.gdatasoftware.com/2016/05/28239-panama-papers-the-result-of-ne… *** Yahoo-owned Tumblr announces email credential compromise *** --------------------------------------------- Tumblr announced Thursday that a third party accessed a set of Tumblr user email addresses with salted and hashed passwords. --------------------------------------------- http://www.scmagazine.com/tumblr-announces-email-credentials-compromised/ar… *** CVE-2016-4117: Flash Zero-Day Exploited in the Wild *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-ze… *** "Bösartiges Design": Wie Webseiten Nutzer reinlegen und betrügen *** --------------------------------------------- Skrupellose Abzock-Praktiken stehen immer mehr unter Kritik, etwa das automatische Anklicken von Abonnements --------------------------------------------- http://derstandard.at/2000037009828 *** Unethische Forschung: Wissenschaftler veröffentlichen 70.000 OKCupid-Profile *** --------------------------------------------- Wissenschaftler aus Dänemark haben Profile von rund 70.000 OKCupid-Nutzern analysiert und veröffentlicht. Den beteiligten Herren ist ein Ethik-Seminar dringend zu empfehlen. --------------------------------------------- http://www.golem.de/news/unethische-forschung-wissenschaftler-veroeffentlic… *** Gatecoin: Mehr als zwei Millionen US-Dollar in Kryptowährungen gestohlen *** --------------------------------------------- Wer seine Bitcoin oder Ether bei dem Anbieter Gatecoin aufbewahrt, sollte seine Accounts checken - rund 15 Prozent der Einlagen wurden gestohlen. Auszahlungen sollen erst ab dem 28. Mai wieder möglich sein, es wird aber an Entschädigungsregeln gearbeitet. --------------------------------------------- http://www.golem.de/news/gatecoin-ueber-zwei-millionen-us-dollar-in-kryptow… *** Swift-Attacke abgewehrt: Millionen-Transaktion im Visier von Cyberdieben *** --------------------------------------------- Ziel der Hacker bei der Tien Phong Bank war eine Transaktion von umgerechnet mehr als einer Million Euro gewesen --------------------------------------------- http://derstandard.at/2000037024022-1231152558333 *** Carding Sites Turn to the 'Dark Cloud' *** --------------------------------------------- Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes. In this .. --------------------------------------------- http://krebsonsecurity.com/2016/05/carding-sites-turn-to-the-dark-cloud/ *** Chrome könnte Flash noch dieses Jahr standardmässig blockieren *** --------------------------------------------- Google plant anscheinend, HTML5 noch stringenter als Standard in seinem Webbrowser Chrome einzusetzen. Flash-Inhalte sollen im Zuge dessen entweder gar nicht mehr oder nur in Ausnahmefällen wiedergegeben werden. --------------------------------------------- http://heise.de/-3208837 *** Android Hacking: Dumping and Analyzing Application's Memory *** --------------------------------------------- In this article, we will discuss how to dump the memory of a specific application using Android Studio's heap dump feature. We will also explore EclipseMemoryAnalyzer(MAT) to analyze the heap dump we acquire. It is possible to create heap dumps of an application�s heap in Android. We can dump .. --------------------------------------------- http://resources.infosecinstitute.com/android-hacking-dumping-and-analyzing… *** Cisco Video Communication Server Session Initiation Protocol Packet Processing Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** OS X El Capitan v10.11.5 and Security Update 2016-003 *** --------------------------------------------- https://support.apple.com/kb/HT206567 *** DSA-3580 imagemagick - security update *** --------------------------------------------- Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discoveredseveral vulnerabilities in ImageMagick, a program suite for imagemanipulation. These vulnerabilities, collectively known as ImageTragick,are the consequence of lack of sanitization of untrusted input. Anattacker with control .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3580 *** Secure Coding: How to Account for Input Sanitization *** --------------------------------------------- On average, a website leverages around 18-20 different plugins in its structure. These plugins enhance the website's functionality and in some instances extend the applications core capabilities. It's great for website owners because they can pick and .. --------------------------------------------- https://blog.sucuri.net/2016/05/secure-coding-account-input-sanitization.ht… *** Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation *** --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Zombie crypto still rules smart grids: OSGP vendors need to kill RC4 *** --------------------------------------------- Deprecated almost everywhere, researchers crack open smart grid ancient crypto suite AGAIN The Open Smart Grid Protocols custom RC4 encryption has been cracked - again. --------------------------------------------- www.theregister.co.uk/2016/05/17/zombie_crypto_still_rules_smart_grids/ *** Malicious Android apps slip into Google Play, top third party charts *** --------------------------------------------- Enlist phones in ad fraud, premium SMS, loser DDoS Malicious Android applications have bypassed Googles Play store security checks to enslave infected devices into distributed denial of service attack, advertising fraud, and spam botnets. --------------------------------------------- www.theregister.co.uk/2016/05/17/viking_horde_android_app_malware/ *** VMSA-2016-0005 *** --------------------------------------------- VMware product updates address critical and important security issues --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2016-0005.html *** Kritische Lücke gefährdet Antiviren-Produkte von Symantec und Norton *** --------------------------------------------- Ein gefährlicher Bug in der Scan Engine von Symantect zieht weite Kreise und bedroht alle Symantec- und Norton-Produkte auf allen Plattformen, warnt ein Sicherheitsforscher. --------------------------------------------- http://heise.de/-3208967 *** Security Principles in iOS Architecture *** --------------------------------------------- I strongly suggest readers checkout my two prior blogs on Cryptography, Principle of Least Privilege, and Biometrics. All of these will be explored in depth throughout this blog. --------------------------------------------- https://woumn.wordpress.com/2016/05/02/security-principles-in-ios-architect… *** Killing XSS and CSRF on web server layer *** --------------------------------------------- Existing and new web security technologies based on actively developed RFCs propose new approaches to common web vulnerabilities remediation. --------------------------------------------- https://www.htbridge.com/blog/killing-xss-and-csrf-on-web-server-layer.html *** "Cryptohitman": Erpressungstrojaner ersetzt Sperrbildschirm mit Pornos *** --------------------------------------------- Verschlüsselt Dateien mit Endung ".porno" - kostenloses Tool rettet Userdaten --------------------------------------------- http://derstandard.at/2000037097552 *** Finanzministerium warnt vor falschen BMF-Mails *** --------------------------------------------- Phishing-Attacke - Löschen, löschen, löschen! --------------------------------------------- http://derstandard.at/2000037101098 *** The Sleepy User Agent *** --------------------------------------------- >From time to time a customer writes in and asks about certain requests that have been blocked by the CloudFlare WAF. Recently, a customer couldn't understand why it appeared that some simple GET requests for their homepage were .. --------------------------------------------- https://blog.cloudflare.com/the-sleepy-user-agent/

1 0

Tageszusammenfassung - Freitag 13-05-2016
by Daily end-of-shift report 13 May '16

13 May '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 12-05-2016 18:00 − Freitag 13-05-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Cyber Heist Attribution *** --------------------------------------------- Written by Sergei Shevchenko and Adrian Nish | BACKGROUND | Attributing a single cyber-attack is a hard task and often impossible. However, when multiple attacks are conducted over long periods of time, they leave a trail of digital evidence. Piecing this together into a campaign can help investigators to see the bigger picture, and even hint at who may be behind the attacks. Our research into malware used on SWIFT based systems running in banks has turned up multiple bespoke tools used by a set of... --------------------------------------------- http://baesystemsai.blogspot.com/2016/05/cyber-heist-attribution.html *** Neuer Angriff auf Swift-Netzwerk: Angreifer nutzen manipulierten PDF-Reader *** --------------------------------------------- Eine Bank setzte zur Überprüfung von Transaktionen offenbar keine Hashwerte der einzelnen Vorgänge ein - sondern nimmt eine Sichtprüfung von PDFs vor. Aus diesem Grund konnten Angreifer erneut illegale Transaktionen im Swift-Netzwerk vornehmen. --------------------------------------------- http://www.golem.de/news/neuer-angriff-auf-swift-netzwerk-angreifer-nutzen-… *** EZB plant Meldestelle für Cyber-Angriffe auf Banken *** --------------------------------------------- Auch die Bankenaufseher der Europäischen Zentralbank reagieren auf die wachsende Zahl von Angriffen mit einer Meldepflicht bei schwerwiegenden Bedrohungen. --------------------------------------------- http://heise.de/-3207934 *** MISP - Malware Information Sharing Platform, (Fri, May 13th) *** --------------------------------------------- In a previous diary (Unity Makes Strength), I briefly mentioned MISP(which means Malware Information Sharing Platform). Since this tool is becomingmore and more popular, Id like to give more details about it.Sharing is key could be the slogan of MISP. The ideais to allow different organizations to share IOCs (Indicators of Compromize) like IP addresses, domains, hashes, URLs, filenames, ... Thegoal is to increase their ability to protect themselves against malicious activities. With millions of... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21053&rss *** Open sourcing our NGINX HTTP/2 + SPDY code *** --------------------------------------------- In December, we released HTTP/2 support for all customers and last week we released HTTP/2 Server Push support as well. The release of HTTP/2 by CloudFlare had a huge impact on the number of sites supporting and using the protocol. Today, 50% of sites that use HTTP/... --------------------------------------------- https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code/ *** Meteocontrol WEBlog Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for one authentication and two information exposure vulnerabilities in Meteocontrol's WEB'log application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01 *** TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe *** --------------------------------------------- Topic: TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe Risk: Medium Text:Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=775 The main component of Trend Micro Antivirus is CoreSe... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016050051 *** Symantec Messaging Gateway 10.6.x ACE Library Static Link to Vulnerable SSL Version *** --------------------------------------------- Revisions None Severity Severity (CVSS version 2 and CVSS Version 3) CVSS2 ... --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Bugtraq: May 2016 - HipChat Server - Critical Security Advisory *** --------------------------------------------- http://www.securityfocus.com/archive/1/538378 *** Bugtraq: [security bulletin] HPSBGN03597 rev.1 - HPE Cloud Optimizer (Virtualization Performance Viewer) using glibc Remote Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/538371 *** Bugtraq: [security bulletin] HPSBMU03589 rev.1 - HPE Version Control Repository Manager (VCRM), Remote Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/538377 *** Bugtraq: [security bulletin] HPSBMU03591 rev.1 - HPE Server Migration Pack, Remote Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/538376 *** Bugtraq: [security bulletin] HPSBMU03590 rev.1 - HPE Systems Insight Manager (SIM) on Windows and Linux, Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/538379 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server for Bluemix April 2016 CPU (CVE-2016-3426, CVE-2016-3427) *** http://www.ibm.com/support/docview.wss?uid=swg21983039 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Content Manager Enterprise Edition 8.5.0 (CVE-2016-3449, CVE-2016-0264) *** http://www.ibm.com/support/docview.wss?uid=swg21982262 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Sterling Connect:Express for Unix (CVE-2016-2842). *** http://www.ibm.com/support/docview.wss?uid=swg21982374 --------------------------------------------- *** IBM Security Bulletin: A Security Vulnerability exist in IBM Cognos TM1 *** http://www.ibm.com/support/docview.wss?uid=swg21981936 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) (Multiple CVEs) *** http://www.ibm.com/support/docview.wss?uid=swg21973066 --------------------------------------------- Next End-of-Shift Report: 2016-05-17

1 0

Tageszusammenfassung - Donnerstag 12-05-2016
by Daily end-of-shift report 12 May '16

12 May '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 11-05-2016 18:00 − Donnerstag 12-05-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Security Updates Available for Adobe Flash Player (APSB16-15) *** --------------------------------------------- A Security Bulletin (APSB16-15) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin. Adobe... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1352 *** Tips to Prevent Ransomware in Healthcare Environments *** --------------------------------------------- If 2015 was the year of the healthcare breach, 2016 is shaping up to be the year of ransomware. By this time last year, 105 healthcare breaches had been reported to the U.S. Department of... --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/05/tips-to-prevent-ransomwa… *** Entpacker 7-Zip kann zum Ausführen von Schadcode missbraucht werden *** --------------------------------------------- Über eine Lücke im Kompressions-Tool 7-Zip können Angreifer Schadcode ausführen und eventuell auch den Rechner des Opfers kapern. Besonders brisant: Der Open-Source-Code des Tools steckt auch in Sicherheitssoftware. --------------------------------------------- http://heise.de/-3206787 *** US-CERT warnt Betreiber von SAP-Systemen *** --------------------------------------------- Anlass der Sicherheitswarnung des Computer-Notfall-Teams der USA ist ein Bericht, demzufolge mindestens 36 Organisationen in der ganzen Welt über eine SAP-Lücke angegriffen und kompromittiert wurden. --------------------------------------------- http://heise.de/-3207245 *** New Wave of the Test0.com/Test5.xyz Redirect Hack *** --------------------------------------------- Last week we described the hack that randomly redirected site visitors either to a parked test0 .com domain or to malicious sites via the default7 .com domain. This week the default7 .com domain went down but the attackers returned with a new wave of site infections and the new redirecting domain - test5 .xyz (registered just a few... --------------------------------------------- https://blog.sucuri.net/2016/05/test0test5-com-redirect-hack-new-wave.html *** Popular cache Squid skids as hacker pops lid *** --------------------------------------------- Yet another mess we can blame on the combination of Flash and advertising Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/05/12/telco_fave_… *** Giving up Your Roots: A Root Remedy Checklist *** --------------------------------------------- As an IT organization, should you be concerned that your sysAdmins login as root, su to root, or sudo su to root?The post Giving up Your Roots: A Root Remedy Checklist appeared first on BeyondTrust. --------------------------------------------- https://www.beyondtrust.com/blog/root-remedy-checklist/ *** Facebook CTF platform is now open source *** --------------------------------------------- Capture the Flag competitions are a good - not to mention legal - way for hackers to build and hone their skills. But, quality CTF environments are difficult and expensive to build and run. This is a burden that Facebook aims to lighten by open sourcing the Facebook CTF platform, devised for the training of their own employees and used around the world by various organizations looking to interest kids in computer security. The now-free... --------------------------------------------- https://www.helpnetsecurity.com/2016/05/12/facebook-ctf-platform-open-sourc… *** From the Netherlands Presidency of the EU Council: Coordinated vulnerability disclosure Manifesto signed *** --------------------------------------------- Approximately 30 organisations have signed the Coordinated Vulnerability Disclosure Manifesto today, in which they declare to support the principle of having a point of contact to report IT vulnerabilities to and already have this set up in their own organisations, or they plan to do so soon. By signing the manifesto, the participating... --------------------------------------------- https://www.enisa.europa.eu/news/member-states/from-the-netherlands-preside… *** DFN-CERT-2016-0770: Jenkins: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0770/ *** DFN-CERT-2016-0739: OpenVPN: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0739/ *** Security Notice - Statement on Bogner Florian Revealing Privilege Escalation Vulnerability in Huawei E5373 LTE Mobile Wi-Fi Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20160512-01-… *** F5 Security Advisory: Nginx vulnerabilities CVE-2016-0742, CVE-2016-0746, and CVE-2016-0747 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23073482.html?… *** BulletProof Security <= .53.3 - Multiple XSS Vulnerabilities *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8492 *** Bugtraq: [security bulletin] HPSBHF03592 rev.1 - HPE VAN SDN Controller OVA using OpenSSL, Multiple Remote Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/538359 *** Bugtraq: [security bulletin] HPSBNS03581 rev.2 - HPE NonStop Servers running Samba (NS-Samba), Multiple Remote Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/538360 *** Bugtraq: [security bulletin] HPSBST03598 rev.1 - HPE 3PAR OS using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/538365 *** Bugtraq: [security bulletin] HPSBST03586 rev.1 - HPE 3PAR OS, Remote Unauthorized Modification *** --------------------------------------------- http://www.securityfocus.com/archive/1/538364 *** Bugtraq: [security bulletin] HPSBST03599 rev.1 - HPE 3PAR OS running OpenSSH, Remote Denial of Service (DoS), Access Restriction Bypass *** --------------------------------------------- http://www.securityfocus.com/archive/1/538366 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin:Vulnerability in IBM Java Runtime affect IBM Host On-Demand (CVE-2016-0363) *** http://www.ibm.com/support/docview.wss?uid=swg21982489 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Web Browser XSS Protection affects IBM Algorithmics Algo Risk Application - CVE-2016-0390 *** http://www.ibm.com/support/docview.wss?uid=swg21981321 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect WebSphere Application Server shipped with SmartCloud Provisioning *** http://www.ibm.com/support/docview.wss?uid=swg2C1000105 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Image Construction and Composition Tool. (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) *** http://www.ibm.com/support/docview.wss?uid=swg21982883 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Workload Deployer. (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) *** http://www.ibm.com/support/docview.wss?uid=swg21982877 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus *** http://www.ibm.com/support/docview.wss?uid=swg21982172 --------------------------------------------- *** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7488) *** http://www.ibm.com/support/docview.wss?uid=swg21982874 --------------------------------------------- *** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7456) *** http://www.ibm.com/support/docview.wss?uid=swg21982873 --------------------------------------------- *** IBM Security Bulletin: A potential vulnerability in IBM Java SDK affect InfoSphere Streams (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21973403 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 11-05-2016
by Daily end-of-shift report 11 May '16

11 May '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 10-05-2016 18:00 − Mittwoch 11-05-2016 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Security Advisory posted for Adobe Flash Player (APSA16-02) *** --------------------------------------------- A Security Advisory (APSA16-02) has been published regarding a critical vulnerability (CVE-2016-4117) in Adobe Flash Player. Adobe is aware of a report that an exploit .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1346 *** Security Updates for Adobe Acrobat and Reader and Hotfixes for ColdFusion Available *** --------------------------------------------- Security Bulletins for Adobe Acrobat and Reader (APSB16-14) as well as ColdFusion (APSB16-16) have been published. Adobe recommends users update their product installations to the latest versions using the instructions in the relevant security .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1350 *** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by vulnerabilities in IBM Spectrum Scale (CVE-2016-0263, CVE2016-0361) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1023767 *** MS16-MAY - Microsoft Security Bulletin Summary for May 2016 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-MAY *** May 2016 security update release *** --------------------------------------------- Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security .. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2016/05/10/may-2016-security-updat… *** 5 security experts share their best tips for 'fringe' devices *** --------------------------------------------- What is a 'fringe' device in IT?For some, it's a gadget everyone has forgotten about - a printer in a corner office, an Android tablet in a public area used to schedule conference rooms. A fringe device can also be one that's common enough to be used .. --------------------------------------------- http://www.cio.com/article/3068406/security/5-security-experts-share-their-… *** Panasonic FPWIN Pro Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details concerning buffer overflow vulnerabilities in Panasonic FPWIN Pro software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-131-01 *** DSA-3574 libarchive - security update *** --------------------------------------------- Rock Stevens, Andrew Ruef and Marcin Icewall Noga discovered aheap-based buffer overflow vulnerability in the zip_read_mac_metadatafunction in libarchive, a multi-format archive and compression library,which may .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3574 *** It's time to get serious about ICS cybersecurity *** --------------------------------------------- As recently reported by The Register, a proof-of-concept PLC worm could spell disaster for the critical infrastructure by making attacks exponentially more difficult to detect and stop. Unfortunately, the proof of concept of a PLC worm is a viable scenario which could cause immeasurable .. --------------------------------------------- https://www.helpnetsecurity.com/2016/05/11/time-get-serious-ics-cybersecuri… *** Patchday: Microsoft schliesst Zero-Day-Lücke im Internet Explorer *** --------------------------------------------- Wie jeden Monat heißt es auch im Mai für Windows-Nutzer wieder einmal: Jetzt schnell Patches einspielen! Diesmal ist es besonders dringend, denn eine im Patchday geschlossene Lücke wurde bereits vor ihrer Veröffentlichung aktiv für Angriffe missbraucht. --------------------------------------------- http://heise.de/-3202816 *** Multiple JVC HDRs and Net Cameras - Multiple Vulnerabilities *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016050040 *** The Art of Searching for Open Source Intelligence *** --------------------------------------------- The Internet is a big ocean, and it carries loads of information you might be interested in or looking for, but where and how to find that information? Thanks to search engines like Google that make the searches using a query possible, .. --------------------------------------------- http://resources.infosecinstitute.com/the-art-of-searching-for-open-source-… *** CryptXXX 2.0 foils decryption tool, locks PCs *** --------------------------------------------- CryptXXX ransomware, first spotted in mid-April, has reached version 2.0, and a new level of nastiness. It's also on its way to become one of the top ransomware families in the wild. The malware's first version would encrypt files but leave .. --------------------------------------------- https://www.helpnetsecurity.com/2016/05/11/cryptxxx-2-0-foils-decryption/ *** Adobe lässt sich Zeit mit Patch für ausgenutzte Lücke *** --------------------------------------------- Mit dem Sicherheitsupdate für den Flash-Player lässt Adobe sich mehr Zeit, als Nutzer zum Deinstallieren der Software benötigen. --------------------------------------------- http://www.golem.de/news/kritische-flash-luecke-adobe-laesst-sich-zeit-mit-… *** Hintergrund: Dridex analysiert *** --------------------------------------------- Eine kleine Artikelreihe zeigt, wie man einen Bot-Netz-Client mit dem Debugger auseinander nimmt. --------------------------------------------- http://heise.de/-3204362 *** TA16-132A: Exploitation of SAP Business Applications *** --------------------------------------------- Original release date: May 11, 2016 Systems Affected Outdated or misconfigured SAP systems Overview At least 36 organizations worldwide are affected by an SAP vulnerability [1]. Security researchers from Onapsis discovered .. --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA16-132A *** Updated factsheets security of ICS/SCADA systems *** --------------------------------------------- Malicious persons and security researchers show interest in the (lack of) security of industrial control systems. This relates not only to 'traditional' ICS/SCADA systems, but also to building management systems (incl. HVAC and CCTV). --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/updated-factsheets-security… *** IBM Security Bulletin: Multiple vulnerabilities in Samba affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000130 *** IBM Security Bulletin: IBM Emptoris Sourcing is affected by open redirect vulnerability (CVE-2016-0329). *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21982629 *** IBM Security Bulletin: Multiple vulnerabilities in Libxml2 affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000110

1 0

Tageszusammenfassung - Dienstag 10-05-2016
by Daily end-of-shift report 10 May '16

10 May '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 09-05-2016 18:00 − Dienstag 10-05-2016 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** [Xen-announce] Xen Security Advisory 179 (CVE-2016-3710, CVE-2016-3712) - QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks *** --------------------------------------------- Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations. But an attacker can easily change access modes after setting the bank .. --------------------------------------------- http://lists.xen.org/archives/html/xen-announce/2016-05/msg00001.html *** Finding Conditional SEO Spam in Drupal *** --------------------------------------------- Nobody likes spam. It's never fun (unless you're watching Monty Python). For us it comes with the territory; removing SEO spam has been at the core of .. --------------------------------------------- https://blog.sucuri.net/2016/05/seo-spam-in-drupal-database.html *** DSA-3572 websvn - security update *** --------------------------------------------- Nitin Venkatesh discovered that websvn, a web viewer for Subversion repositories, is susceptible to cross-site scripting attacks viaspecially crafted file and directory names in repositories. --------------------------------------------- https://www.debian.org/security/2016/dsa-3572 *** Gamarue, Nemucod, and JavaScript *** --------------------------------------------- JavaScript is now being used largely to download malware because it's easy to obfuscate the code and it has a small size. Most recently, one of the most predominant JavaScript malware that has been spreading other malware is Nemucod. This .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/05/09/gamarue-nemucod-and-jav… *** Don�t Put Off Till Tomorrow What You Should Start Today (Part 1) *** --------------------------------------------- For some, the upcoming EU legislative changes (the General Data Protection Regulation, referred to as GDPR, and the Network and Information Security Directive, referred to as the NIS Directive) may have seemed like they .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/05/cso-dont-put-off-till-to… *** Performing network forensics with Dshell. Part 1: Basic usage, (Mon, May 9th) *** --------------------------------------------- I found out recently there is a very interesting tool that enables some interesting capabilities to perform network forensics from a PCAP capture file. It"> in the command prompt. There is a major keyword that launches .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21035 *** This is what a root debug backdoor in the Linux kernel looks like *** --------------------------------------------- Allwinners all-loser code makes it into shipped firmware A root backdoor for debugging Android gadgets managed to end up in shipped firmware - and were surprised this sort of colossal blunder doesnt happen more often. --------------------------------------------- www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_na… *** DSA-3573 qemu - security update *** --------------------------------------------- https://www.debian.org/security/2016/dsa-3573 *** SS7 spookery on the cheap allows hackers to impersonate mobile chat subscribers *** --------------------------------------------- Flaws in the mobile signalling protocols can be abused to read messaging apps such as WhatsApp and Telegram. --------------------------------------------- www.theregister.co.uk/2016/05/10/ss7_mobile_chat_hack/ *** Security Advisory: ImageMagick vulnerability CVE-2016-3714 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/03/sol03151140.html *** Let's stop talking password flaws and instead discuss access management *** --------------------------------------------- A good bit of attention has been given to a new report that suggests that there are organizations that don't change their administrative passwords at all, ever. While it may be a bit eye opening that many IT professionals said they did not .. --------------------------------------------- https://www.helpnetsecurity.com/2016/05/10/password-flaws-access-management/ *** xt:Commerce: Dringende Patches ohne Details *** --------------------------------------------- Der Anbieter des Online-Shop-Systems xt:Commerce verteilt aktuell einen Sicherheitspatch. Betroffene Admins sollten die abgesicherten Versionen mit "sehr hoher .. --------------------------------------------- http://heise.de/-3200152 *** Hacker Challenges *** --------------------------------------------- Want to get started hacking things but don't want to do anything illegal? Here are some challenges others have made to help you practice some hacking skills. By participating in the challenges you could learn the following .. --------------------------------------------- https://www.tunnelsup.com/hacker-challenges/ *** Ransomware Is Not a 'Malware Problem' - It's a Criminal Business Model *** --------------------------------------------- Today Unit 42 published our latest paper on ransomware, which has quickly become one of the greatest cyberthreats facing organizations around the world. As a business model, ransomware has proven to be highly effective .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/05/unit-42-ransomware-trend… *** Lateral Movement: Do You Have Enough Eyes? *** --------------------------------------------- Sophisticated attackers can find their way into a corporate network in many ways. An attack could come from an external source, through the exploitation of a service, or by being brought in by a user whose laptop has been infected while .. --------------------------------------------- http://resources.infosecinstitute.com/lateral-movement-do-you-have-enough-e… *** Böse Bilder: Akute Angriffe auf Webseiten über ImageMagick *** --------------------------------------------- Die Gnadenfrist ist abgelaufen. Wer ein ungepatchtes ImageMagick auf seinem Server einsetzt, sollte schnellstens handeln, denn nun sind Exploits im Umlauf. --------------------------------------------- http://heise.de/-3200773 *** Xen Security Advisory CVE-2016-3710,CVE-2016-3712 / XSA-179 *** --------------------------------------------- http://xenbits.xen.org/xsa/advisory-179.txt *** IBM Security Bulletin: Vulnerabilities in OpenSource PHP Affect IBM Lotus Protector For Mail Security (CVE-2016-3142 ) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21981983 *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000128 *** Hackers paradise: Outdated Internet Explorer, Flash installs in enterprises *** --------------------------------------------- Two in five Flash users DO update. Surprised? A quarter of all Windows devices are running outdated and unsupported versions of Internet Explorer, exposing users to more .. --------------------------------------------- www.theregister.co.uk/2016/05/10/ie_flash_vulns_rife/

1 0

Tageszusammenfassung - Montag 9-05-2016
by Daily end-of-shift report 09 May '16

09 May '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 06-05-2016 18:00 − Montag 09-05-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Symantec Endpoint Encryption Unquoted Service Path Local Elevation of Privilege *** --------------------------------------------- CVSS2 Base Score: 6.8 Symantec Endpoint Encryption (SEE) has an unquoted search path in EEDService. This could provide a non-privileged local user the ability to successfully insert arbitrary code in the root path. --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** WordPress 4.5.2 Security Release *** --------------------------------------------- WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues. --------------------------------------------- https://wordpress.org/news/2016/05/wordpress-4-5-2/ *** Lenovo Patches Serious Flaw In Pre-Installed Support Tool *** --------------------------------------------- Reader itwbennett writes: Lenovo has made available a patch for the vulnerability in its Lenovo Solution Center, a support tool which comes pre-installed on many Lenovo laptops and desktops. The vulnerability could allow attackers to execute code with system privileges and take over computers. Users should automatically be prompted to update LSC when they open the application, but in case they arent, they should download the latest version (3.3.002) manually from Lenovos website. --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/8xQvMt43Nw8/lenovo-patches-… *** The massive password breach that wasn't: Google says data is 98% 'bogus' *** --------------------------------------------- When a script kiddie sells 272 million accounts for $1, be very, very skeptical. --------------------------------------------- http://arstechnica.com/security/2016/05/the-massive-password-breach-that-wa… *** Security Advisory: OpenSSL vulnerability CVE-2016-2109 *** --------------------------------------------- The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding. --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23230229.html?… *** Analyzing ImageTragick Exploits in the Wild *** --------------------------------------------- Three days ago the ImageMagic (ImageTragick) vulnerability was released to the world. We've been actively monitoring as promised, and have started to see a few different attacks targeting the vulnerability. Interestingly enough, the attacks themselves seem to be targeted against specific customers and not mass blanket attacks, which is what you'd expect ... --------------------------------------------- https://blog.sucuri.net/2016/05/analyzing-imagetragick-exploits-in-the-wild… *** "Detecting the Siemens S7 Worm and Similar Capabilities" *** --------------------------------------------- An article came out on May 5th titled "Daisy-chained research spells malware worm hell for power plants and other utilities" with the subtitle of "Worlds first PLC worm spreads like cancer". Having been on the receiving end of sensationalized headlines before I empathize with the authors of the research... --------------------------------------------- http://ics.sans.org/blog/2016/05/08/detecting-the-siemens-s7-worm-and-simil… *** World Password Day--Dont be an easy target *** --------------------------------------------- Thursday, May 5th, marks the 'celebration' of the fourth annual World Password Day. .. * Have you updated the passwords on all of your accounts within the last three months? * Have you enabled two-factor authentication on accounts that allow it? *Are you using the strongest possible combinations of numbers, letters and symbols allowed by the site? *Are you using different passwords for every account (no duplicates or very similar variations)? --------------------------------------------- http://community.hpe.com/t5/Protect-Your-Assets/World-Password-Day-Don-t-be… *** AlphaLocker Is the Most Professional Ransomware Kit to Date ... but security researchers already cracked it *** --------------------------------------------- Luckily for us, other security experts have already cracked its secrets over the past weekend, and a decrypter was published that helps any of the infected victims recover their files for free, without paying the ransom. Nevertheless, heres a small intro into how crooks are creating, advertising, and then selling ransomware on the underground market. --------------------------------------------- http://news.softpedia.com/news/alphalocker-is-the-most-professional-ransomw… *** ImageMagick Vulnerability Information *** --------------------------------------------- A few days ago an ImageMagick vulnerability was disclosed dubbed 'ImageTragick' that affects WordPress websites whose host has ImageMagick installed. If you control your own hosting for your WordPress site, you should look to implement the following fix(es) immediately. --------------------------------------------- https://make.wordpress.org/core/2016/05/06/imagemagick-vulnerability-inform… *** Wordpress-Plugin bleibt ungefixt *** --------------------------------------------- Ein Sicherheitsforscher deckte zwei Lücken in der Wordpress-Erweiterung Event-Registration auf; die Hersteller reagieren jedoch nicht. --------------------------------------------- http://heise.de/-3198956 *** Penetration Testing of a Citrix Server *** --------------------------------------------- Here I'll discuss how I did a pentest of a Citrix server in a lab network. First, let us understand about Windows terminal service. Microsoft Windows Terminal Services, otherwise known as Remote Desktop Services, is one of the components of Windows 2003-08 Server, which allows multiple sessions to run the application over it. --------------------------------------------- http://resources.infosecinstitute.com/penetration-testing-of-a-citrix-serve… *** Security Advisory - XSS Vulnerability in the Email App of Huawei Smartphone *** --------------------------------------------- There is a vulnerability due to the lack of output encoding for some particular characters in the email APP built in the affected Smart Phones. A successful exploitation of the vulnerability could allow an unauthenticated remote attacker to perform a cross-site scripting (XSS) attack and lead to obtain the user information. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160507-… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: The vulnerability in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions(CVE-2016-0363 and CVE-2016-0376) *** http://www.ibm.com/support/docview.wss?uid=swg21982634 --------------------------------------------- *** IBM Security Bulletin: Security Bulletin: Vulnerability in OpenSSL affects IBM InfoSphere Master Data Management (CVE-2016-2842) *** http://www.ibm.com/support/docview.wss?uid=swg21982353 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilitiy in OpenSSL affect IBM Storwize V7000 Unified - CVE-2016-0800 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005717 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM SONAS - CVE-2016-0800 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005716 --------------------------------------------- *** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM SONAS (CVE-2015-5345) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005712 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager HSM for Windows (CVE-2016-2542) *** http://www.ibm.com/support/docview.wss?uid=swg21982741 --------------------------------------------- *** IBM Security Bulletin: IBM Forms Viewer Installation could allow a remote attacker to execute arbitrary code on the system (CVE-2016-2542) *** http://www.ibm.com/support/docview.wss?uid=swg21982440 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM SONAS (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005681 --------------------------------------------- *** IBM Security Bulletin: Potential vulnerabilities in IBM OpenPages GRC Platform with Database *** http://www.ibm.com/support/docview.wss?uid=swg21982461 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in TLS affects IBM SONAS (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005722 --------------------------------------------- *** IBM Security Bulletin: Samba vulnerability issues on IBM SONAS (CVE-2015-5252, CVE-2015-5296, and CVE-2015-5299) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005693 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Cordova Android may affect IBM WebSphere Portal (CVE-2015-5256) *** http://www.ibm.com/support/knowledgecenter/SSHRKX_8.5.0/mp/integrate/wl_int… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM SONAS (CVE-2015-1794, CVE-2015-3194, CVE-2015-3195, and CVE-2015-3196) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005694 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GSKit affect Tivoli Workload Scheduler (CVE-2015-7421, CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21982432 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Liberty for Java for IBM Bluemix April 2016 CPU (CVE-2016-3426, CVE-2016-3427) *** http://www.ibm.com/support/docview.wss?uid=swg21982850 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 6-05-2016
by Daily end-of-shift report 06 May '16

06 May '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 04-05-2016 18:00 − Freitag 06-05-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Microsoft to retire support for SHA1 certificates in the next 4 months *** --------------------------------------------- The lock icon will be gone by summer; sites using SHA1 to be blocked come January. --------------------------------------------- http://arstechnica.com/security/2016/05/microsoft-to-retire-support-for-sha… *** Österreich auf der Suche nach Nachwuchs-Hackern *** --------------------------------------------- Bei der Cyber Security Challenge 2016 werden vom Abwehramt und dem Verein Cyber Security Austria zum fünften Mal junge Hacker-Talente gesucht. --------------------------------------------- http://futurezone.at/digital-life/oesterreich-auf-der-suche-nach-nachwuchs-… *** ImageTragick: Another Vulnerability, Another Nickname, (Thu, May 5th) *** --------------------------------------------- Introduction On Tuesday 2016-05-03, we started seeing reports about a vulnerability for a cross-platform suite named ImageMagick [1, 2, 3]. This new vulnerability has been nicknamed ImageTragick and has its own website. Apparently, the vulnerability will be assigned to CVE-2016-3714. It wasnt yet on mitre.orgs CVE site when I wrote this diary. Johannes Ullrich already discussed this vulnerability in yesterdays ISC StormCast for 2016-05-04, but theres been more press about it. Should... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21023&rss *** Jaku botnet hides targeted attacks within generic botnet noise *** --------------------------------------------- Botnets are usually created by cyber criminals that use them to launch DDoS attacks, deliver spam, effect click fraud. The recently discovered Jaku botnet can effectively do all those things, if its botmaster(s) choose to do so, but it seems that they have other things in mind. The botnet which, according to Forcepoint researchers, numbered as many as 17,000 victims at different points in time, consists of several botnets "answering to" different C&C servers. The... --------------------------------------------- https://www.helpnetsecurity.com/2016/05/05/jaku-botnet-targeted-attacks/ *** Juniper patches OpenSSHs roaming bug in Junos OS *** --------------------------------------------- Screen OS not affected The next vendor to kill off the OpenSSH roaming bug announced in January is Juniper Networks. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/05/05/juniper_pat… *** Criminals Peddling Affordable AlphaLocker Ransomware *** --------------------------------------------- A relatively affordable and difficult to detect ransomware-as-a-service named AlphaLocker has begun making the rounds, researchers warn. --------------------------------------------- http://threatpost.com/criminals-peddling-affordable-alphalocker-ransomware/… *** Microsoft BITS Used to Download Payloads, (Thu, May 5th) *** --------------------------------------------- A few day ago,I found an interesting malicious Word document. First of all, the file has a very low score on VT:2/56 (analysis is available here). The document is a classic one:Once opened, it asks the victim to enable macro execution if not yet enabled. The document targets" />">">The OLE document contains"> $ oledump.py b2a9d203bb135b54319a9e5cafc43824 1: 113 \x01CompObj 2: 4096 \x05DocumentSummaryInformation 3: 4096 \x05SummaryInformation 4: 9398 1Table 5: --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21027&rss *** On The Monetization Of Crypto-Ransomware *** --------------------------------------------- Over the last few years, technologies and infrastructure, in the form of crypto-currencies, the dark web and well-organized criminal affiliate programs have aligned to create the perfect storm. And from that storm, the crypto-ransomware beast has arisen. There's a reason why crypto-ransomware is making the news almost daily - it's unique compared to every other... --------------------------------------------- https://labsblog.f-secure.com/2016/05/06/on-the-monetization-of-crypto-rans… *** Studie: TLS-Proxies bringen Sicherheitsprobleme *** --------------------------------------------- Unter 14 Antivirus- und Kinderschutzprodukten, die Inhalte in gesicherten TLS-Verbindungen filtern, fand sich kein einziges, das dabei keine zusätzlichen Sicherheitsprobleme verursachte. --------------------------------------------- http://heise.de/-3197932 *** Qualcomm flaw puts millions of Android devices at risk *** --------------------------------------------- A vulnerability in an Android component shipped with phones that use Qualcomm chips puts users text messages and call history at risk of theft.The flaw was found by security researchers from FireEye and was patched by Qualcomm in March. However, because the vulnerability was introduced five years ago, many affected devices are unlikely to ever receive the fix because theyre no longer supported by their manufacturers.The vulnerability, which is tracked as CVE-2016-2060, is located on an Android... --------------------------------------------- http://www.cio.com/article/3066827/qualcomm-flaw-puts-millions-of-android-d… *** Security Alert: New Ransomware Promises to Donate Earnings to Charity *** --------------------------------------------- Psychological manipulation is heavily used in cyber attacks, especially in phishing and ransomware compromise attempts. As with all online scams, the attackers' main objective is simple: to make as much money and steal as much data as possible. So, in their malicious pursuit, they'll come up with new tactics to force their victims into complying with their conditions. Encrypting ransomware, such as CryptoWall or TeslaCrypt, is proof. --------------------------------------------- https://heimdalsecurity.com/blog/security-alert-new-ransomware-donate-earni… *** New Security Flaw Found in Lenovo Solution Center Software *** --------------------------------------------- Security researchers at Trustwave SpiderLabs have discovered a new vulnerability in Lenovo's much maligned Lenovo Solution Center software. The vulnerability allows attackers with local network access to a PC to execute arbitrary code. --------------------------------------------- http://threatpost.com/new-security-flaw-found-in-lenovo-solution-center-sof… *** Public Key Infrastructure (PKI) *** --------------------------------------------- Executive Summary This article is a detailed theoretical and hands-on with Public Key Infrastructure (PKI) and OpenSSL based Certificate Authority. In the first section, PKI and its associated concepts will be discussed. A test bed or lab environment on Ubuntu 14 will be prepared to apply PKI knowledge. Generation of CA, server and user keys/certificates... --------------------------------------------- http://resources.infosecinstitute.com/public-key-infrastructure-pki-2/ *** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-14) *** --------------------------------------------- A prenotification Security Advisory (APSB16-14) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, May 10, 2016. We will continue to provide updates on the upcoming releases via the Security Advisory as well as the... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1344 *** Squid HTTP caching proxy Multiple Vulns *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016050024 *** [R1] PHP < 5.6.21 Vulnerabilities Affect Tenable SecurityCenter *** --------------------------------------------- http://www.tenable.com/security/tns-2016-09 *** HPE Network Node Manager i Multiple Flaws Let Remote Users Bypass Authentication, Obtain Data and Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1035767 *** Bugtraq: ESA-2016-051: Patch 14 for RSA Authentication Manager 8.1 SP1 to Address Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/538287 *** DSA-3567 libpam-sshauth - security update *** --------------------------------------------- It was discovered that libpam-sshauth, a PAM module to authenticateusing an SSH server, does not correctly handle system users. In certainconfigurations an attacker can take advantage of this flaw to gain rootprivileges. --------------------------------------------- https://www.debian.org/security/2016/dsa-3567 *** USN-2963-1: OpenJDK 8 vulnerabilities *** --------------------------------------------- Ubuntu Security Notice USN-2963-14th May, 2016openjdk-8 vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTSSummarySeveral security issues were fixed in OpenJDK 8.Software description openjdk-8 - Open Source Java implementation DetailsMultiple vulnerabilities were discovered in the OpenJDK JRE related toinformation disclosure, data integrity, and availability. An attackercould exploit these to cause a denial of service, expose sensitive... --------------------------------------------- http://www.ubuntu.com/usn/usn-2963-1/ *** USN-2964-1: OpenJDK 7 vulnerabilities *** --------------------------------------------- Ubuntu Security Notice USN-2964-14th May, 2016openjdk-7 vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTSSummarySeveral security issues were fixed in OpenJDK 7.Software description openjdk-7 - Open Source Java implementation DetailsMultiple vulnerabilities were discovered in the OpenJDK JRE related to informationdisclosure, data integrity, and availability. An attacker could exploitthese to cause a denial of service, expose... --------------------------------------------- http://www.ubuntu.com/usn/usn-2964-1/ *** Cisco security Advisories *** --------------------------------------------- *** Cisco Adaptive Security Appliance with FirePOWER Services Kernel Logging Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FirePOWER System Software Packet Processing Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco TelePresence XML Application Programming Interface Authentication Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Finesse HTTP Request Processing Server-Side Request Forgery Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016 *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in bind affect Power Hardware Management Console (CVE-2016-1285, CVE-2016-1286) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021266 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in ntp affect Power Hardware Management Console (CVE-2015-5300, CVE-2015-7704, CVE-2015-8138) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021264 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM XIV Storage System (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005699 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2015-7575, CVE-2016-0475) *** http://www.ibm.com/support/docview.wss?uid=swg21982445 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2015-7575, CVE-2016-0475) *** http://www.ibm.com/support/docview.wss?uid=swg21982446 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Insight (CVE-2015-4872, CVE-2015-4893, CVE-2015-4803, CVE-2015-5006, CVE-2016-0483, CVE-2015-7575, CVE-2016-0448, CVE-2016-0466) *** http://www.ibm.com/support/docview.wss?uid=swg21972468 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Reporting for Development Intelligence (CVE-2015-4872, CVE-2015-4893, CVE-2015-4803, CVE-2015-5006, CVE-2016-0483, CVE-2015-7575, CVE-2016-0448, CVE-2016-0466) *** http://www.ibm.com/support/docview.wss?uid=swg21972469 --------------------------------------------- *** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2016Q1 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. *** http://www.ibm.com/support/docview.wss?uid=swg21979767 --------------------------------------------- *** IBM Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) February 2016 *** http://www.ibm.com/support/docview.wss?uid=swg21980693 --------------------------------------------- *** IBM Security Bulletin: Current Releases of IBM SDK for Node.js in IBM Bluemix are affected by CVE-2016-3956, CVE-2016-2515 and CVE-2016-2537. *** http://www.ibm.com/support/docview.wss?uid=swg21981433 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (CVE-2016-2542) *** http://www.ibm.com/support/docview.wss?uid=swg21982467 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage FlashCopy Manager on Windows (CVE-2016-2542) *** http://www.ibm.com/support/docview.wss?uid=swg21982448 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in SQLite affects IBM Security Access Manager for Mobile (CVE-2015-3416) *** http://www.ibm.com/support/docview.wss?uid=swg21981269 --------------------------------------------- *** IBM Security Bulletin: IBM SPSS Statistics ActiveX Control Buffer Overflow (CVE-2015-8530) *** http://www.ibm.com/support/docview.wss?uid=swg21982035 --------------------------------------------- *** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7403) *** http://www.ibm.com/support/docview.wss?uid=swg21982660 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 4-05-2016
by Daily end-of-shift report 04 May '16

04 May '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 03-05-2016 18:00 − Mittwoch 04-05-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Dev using Libarchive? Patch and push *** --------------------------------------------- Input validation bug opens code execution vuln The popular Libarchive open source compression library needs an update to cover a code execution vulnerability. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/05/04/dev_using_l… *** Sicherheitsupdates: PHP anfällig für Remote Code Execution *** --------------------------------------------- Angreifer können verschiedenen PHP-Versionen aus der Ferne Schadcode unterjubeln. Drei abgesicherte Versionen schließen zwei Sicherheitslücken. --------------------------------------------- http://heise.de/-3196826 *** Neue Versionen von Apache Struts wehren sich gegen Schad-Code *** --------------------------------------------- Über eine Sicherheitslücke können Angreifer Server mit Apache Struts unter Umständen aus der Ferne attackieren und Code ausführen. --------------------------------------------- http://heise.de/-3196868 *** Petya: the two-in-one trojan *** --------------------------------------------- Petya Trojan is an unusual hybrid of an MBR blocker and data encryptor: it prevents not only the operating system from booting but also blocks normal access to files located on the hard drives of the attacked system. --------------------------------------------- http://securelist.com/blog/research/74609/petya-the-two-in-one-trojan/ *** Höflicher Erpressungstrojaner entschuldigt sich und bittet um Geschenke *** --------------------------------------------- Ein neuer Krypto-Trojaner geht um: Die Alpha Ransomware verlangt iTunes-Gutscheine vom Opfer, sonst bleiben die Daten mit AES-256 verschlüsselt. Der Erpresserbrief ist überraschend höflich, verschweigt allerdings wichtige Details. --------------------------------------------- http://heise.de/-3197135 *** Yet Another Padding Oracle in OpenSSL CBC Ciphersuites *** --------------------------------------------- Yesterday a new vulnerability has been announced in OpenSSL/LibreSSL. A padding oracle in CBC mode decryption, to be precise. Just like Lucky13. Actually, it's in the code that fixes Lucky13.It was found by Juraj Somorovsky using a tool he developed called TLS-Attacker. Like in the "old days"... --------------------------------------------- https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphe… *** Neutrino exploit kit sends Cerber ransomware, (Wed, May 4th) *** --------------------------------------------- Introduction Seems like were always finding new ransomware. In early March 2016, BleepingComputer announced a new ransomware named Cerber had appeared near the end of February [1]. A few days later, the Malwarebytes blog provided further analysis and more details on subsequent Cerber samples [2]. Cerber is distributed through exploit kits (EKs) and malicious spam (malspam). Ive only seen .rtf attachments that download and install Cerber if opened in Microsoft Word [3]." /> Shown above:... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21017 *** Security Advisory: Stored XSS in bbPress *** --------------------------------------------- Exploitation Level: Easy/Remote DREAD Score: 6/10 Vulnerability: Stored XSS Patched Version: bbPress 2.5.9 During regular research audits of our Sucuri Firewall, we discovered a Stored XSS vulnerability affecting the bbPress plugin for WordPress which is currently installed on 300,000 live websites - one of them being the popular wordpress.org support forum. Vulnerability Disclosure Timeline: April... --------------------------------------------- https://blog.sucuri.net/2016/05/security-advisory-stored-xss-bbpress-2.html *** Xcode 7.3.1 *** --------------------------------------------- Available for: OS X El Capitan v10.11 and later Impact: A remote attacker may be able to execute arbitrary code --------------------------------------------- https://support.apple.com/kb/HT206338 *** Cisco Prime Collaboration Assurance Open Redirect Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** F5 Security Advisory: Multiple OpenSSL vulnerabilities CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/07/sol07538415.html?… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427) *** http://www.ibm.com/support/docview.wss?uid=swg21982223 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2016-0799, CVE-2016-0702). *** http://www.ibm.com/support/docview.wss?uid=swg21981764 --------------------------------------------- *** IBM Security Bulletin: Potential vulnerabilities in IBM OpenPages GRC Platform with Application Server *** http://www.ibm.com/support/docview.wss?uid=swg21982462 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager (CVE-2016-0448, CVE-2016-0466) *** http://www.ibm.com/support/docview.wss?uid=swg21977134 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition affect IBM Tivoli Network Manager IP Edition *** http://www.ibm.com/support/docview.wss?uid=swg21975424 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM InfoSphere Information Server installer could expose sensitive information (CVE-2015-7493) *** http://www.ibm.com/support/docview.wss?uid=swg21982034 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2015-3194, CVE-2015-3195). *** http://www.ibm.com/support/docview.wss?uid=swg21981765 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Cognos Metrics Manager (CVE-2015-2017) *** http://www.ibm.com/support/docview.wss?uid=swg21976798 --------------------------------------------- *** IBM Security Bulletin: DB2 local escalation of privilege vulnerability affects IBM Tivoli Storage Manager server (CVE-2015-1947) *** http://www.ibm.com/support/docview.wss?uid=swg21979698 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM Tivoli / Security Directory Server *** http://www.ibm.com/support/docview.wss?uid=swg21980585 --------------------------------------------- Next End-of-Shift report on 2016-05-06

1 0

Tageszusammenfassung - Dienstag 3-05-2016
by Daily end-of-shift report 03 May '16

03 May '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 02-05-2016 18:00 − Dienstag 03-05-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** GOZNYM MALWARE *** --------------------------------------------- Antivirus software detects GozNym hybrid as Nymaim variant GozNym samples resolve domains, do not connect to IPs returned. Separate IP used for HTTP comms. C2 channel for GozNym appears to be HTTP POST requests, in line with .. --------------------------------------------- https://blog.team-cymru.org/2016/05/goznym-malware/ *** JSA10748 - Protect-RE (loopback) Firewall Filter does not discard OSPF packets from non-permitted prefixes *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10748&actp=RSS *** Acunetix WVS 10 - Remote command execution (SYSTEM privilege) *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016050003 *** 3-in-4 Android phones, slabs, gizmos menaced by fresh hijack flaws *** --------------------------------------------- Another month, another round of critical vulnerabilities patched by Google Google has today issued a bundle of 40 security patches for its Android operating system. --------------------------------------------- www.theregister.co.uk/2016/05/02/android_may_patch_batch/ *** Fake Security Conferences *** --------------------------------------------- Turns out there are two different conferences with the title International Conference on Cyber Security (ICCS 2016), one real and one fake. Richard Clayton has the story .. --------------------------------------------- https://www.schneier.com/blog/archives/2016/05/fake_security_c.html *** RSA Data Loss Prevention Bugs Let Remote Users Conduct Cross-Site Scripting and Clickjacking Attacks and Let Remote Authenticated Users Bypass Security Controls and Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1035714 *** SNMP Pentesting *** --------------------------------------------- In the previous article about SNMP, we have discussed how to set up your own vulnerable lab where we have configured pfSense and VyOS with SNMP misconfigurations. You can find this article here. In this article, we will discuss how to assess the security .. --------------------------------------------- http://resources.infosecinstitute.com/snmp-pentesting/ *** l+f: Webseite des Ministeriums für digitale Infrastruktur erneut löchrig *** --------------------------------------------- Nach Heartbleed nun XSS: Der Web-Auftritt des Bundesministeriums für Verkehr und digitale Infrastruktur war abermals unzureichend abgesichert. --------------------------------------------- http://heise.de/-3196376 *** OpenSSL Security Advisory [3rd May 2016] *** --------------------------------------------- https://openssl.org/news/secadv/20160503.txt *** OpenSSL schließt Abkömmling der Lucky-13-Lücke *** --------------------------------------------- Die vielgenutzte Krypto-Bibliothek erhält Patches für sechs Sicherheitslücken. Zwei davon haben die Priorität .. --------------------------------------------- http://heise.de/-3196510 *** Ransomware deployments after brute force RDP attack *** --------------------------------------------- Fox-IT has encountered various ways in which ransomware is being spread and activated. Many infections happen by sending spam e-mails and luring the receiver in opening the infected .. --------------------------------------------- https://blog.fox-it.com/2016/05/02/ransomware-deployments-after-brute-force…

1 0

Tageszusammenfassung - Montag 2-05-2016
by Daily end-of-shift report 02 May '16

02 May '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 29-04-2016 18:00 − Montag 02-05-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** DSA-3561 subversion - security update *** --------------------------------------------- Several vulnerabilities were discovered in Subversion, a version controlsystem. The Common Vulnerabilities and Exposures project identifies thefollowing problems: --------------------------------------------- https://www.debian.org/security/2016/dsa-3561 *** Google Patches 9 Security Flaws in New Chrome Browser Build *** --------------------------------------------- Five Chrome bug bounty hunters split $14,000 in rewards as Google patches nine security flaws in its browser, four are labeled 'high'. --------------------------------------------- http://threatpost.com/google-patches-9-security-flaws-in-new-chrome-browser… *** Cloned Websites Stealing Google Rankings *** --------------------------------------------- We often speak of black hat SEO tactics and content scraping sites are just one example of such tactics. Scraping is the act of copying all content from a website using automated scripts, usually with the intention of stealing .. --------------------------------------------- https://blog.sucuri.net/2016/04/cloned-website-stealing-google-rankings-seo… *** Lizard Squad Ransom Threats: New Name, Same Faux Armada Collective M.O. *** --------------------------------------------- [...] Beginning late Thursday evening (Pacific Standard Time) several CloudFlare customers began to receive threatening emails from a "new" group calling itself the 'Lizard Squad'. These emails have a similar modus operandi to the previous ransom emails. This group was threatenin .. --------------------------------------------- https://blog.cloudflare.com/lizard-squad-ransom-threats-new-name-same-faux-… *** Cyber Security Challenge: Wettbewerb für "Nachwuchs-Hacker" startet am 2. Mai *** --------------------------------------------- Ab sofort sind Schüler und Studenten wieder aufgerufen, sich den Online-Prüfungen der Cyber Security Challenge zu stellen. Die Qualifikationsphase läuft bis zum 1. August, das deutsche Finale findet Ende September in Berlin statt. --------------------------------------------- http://heise.de/-3194493 *** Crypto-ransomware Gains Footing in Corporate Grounds, Gets Nastier for End Users *** --------------------------------------------- In the first four months of 2016, we have discovered new families and variants of ransomware, seen their vicious new routines, and witnessed threat actors behind these operations upping the ransomware game to new heights. All these developments further establish crypto-ransomware as a .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/crypto-ransomwar… *** Schwarzmarkt: Preis für mobile Malware zieht an *** --------------------------------------------- Sicherheitsforschern zufolge floriert der Handel mit mobiler Malware. Der Anbieter des Android-Trojaners GM Bot zieht indes die Preise auf Malware-Marktplätzen spürbar an. --------------------------------------------- http://heise.de/-3195382 *** Practical Reverse Engineering Part 2 - Scouting the Firmware *** --------------------------------------------- In part 1 we found a debug UART port that gave us access to a linux shell. At this point we've got the same access to the router that a developer would use to debug issues, control the system, etc. --------------------------------------------- http://jcjc-dev.com/2016/04/29/reversing-huawei-router-2-scouting-firmware/ *** Ernste Sicherheitslücke in Ubuntus neuem Paketformat Snap geschlossen *** --------------------------------------------- Ubuntus neues Paketformat Snap sorgt erneut für Aufsehen: Nun haben die Entwickler einen Schreibfehler im Code entfernt, der Angreifern das Ausführen von beliebigem Schadcode ermöglicht hatte. --------------------------------------------- http://heise.de/-3195532

1 0

Tageszusammenfassung - Freitag 29-04-2016
by Daily end-of-shift report 29 Apr '16

29 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 28-04-2016 18:00 − Freitag 29-04-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** A Dramatic Rise in ATM Skimming Attacks *** --------------------------------------------- Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers. The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past. --------------------------------------------- http://krebsonsecurity.com/2016/04/a-dramatic-rise-in-atm-skimming-attacks/ *** Security: Der Internetminister hat Heartbleed *** --------------------------------------------- Die Webseite des Bundesministeriums für Verkehr und digitale Infrastruktur war für eine seit fast zwei Jahren geschlossene, kritische Sicherheitslücke anfällig. Das kompromittierte Zertifikat wird weiterhin verwendet. (Heartbleed, Verschlüsselung) --------------------------------------------- http://www.golem.de/news/security-der-internetminister-hat-heartbleed-1604-… *** Zahlreiche Zugangsdaten für den Messaging-Dienst Slack auf GitHub entdeckt *** --------------------------------------------- Die Sicherheitsfirma Detectify hat über tausend Zugangs-Tokens für Slack in öffentlich zugänglichen GitHub-Repositories gefunden. --------------------------------------------- http://heise.de/-3194000 *** eBay-Phisher gehen mit persönlichen Details auf Opferfang *** --------------------------------------------- Derzeit sind besonders perfide Phishing-Mails im Namen von eBay unterwegs. In den Nachrichten werden die Empfänger mit komplettem Namen und vollständiger Anschrift angesprochen. --------------------------------------------- http://heise.de/-3194026 *** Got ransomware? These tools may help *** --------------------------------------------- Your computer has been infected by ransomware. All those files -- personal documents, images, videos, and audio files -- are locked up and out of your reach.There may be a way to get those files back without paying a ransom. But first a couple of basic questions:Do you you have complete backups? If so, recovery is simply a matter of wiping the machine -- bye bye, ransomware! -- reinstalling your applications, and restoring the data files. Its a little stressful, but doable.Are they good... --------------------------------------------- http://www.cio.com/article/3063048/security/got-ransomware-these-tools-may-… *** Sysinternals Updated today - Updates to Sysmon, Procdump and Sigcheck. (Fri, Apr 29th) *** --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21001 https://blogs.technet.microsoft.com/sysinternals/2016/04/28/update-sysmon-v… *** BIND 9.9.9/9.10.4 released *** --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2016-April/000986.html https://lists.isc.org/pipermail/bind-announce/2016-April/000987.html https://lists.isc.org/pipermail/bind-announce/2016-April/thread.html *** DFN-CERT-2016-0686: Jenkins: Zwei Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0686/ *** [HTB23301]: SQL Injection in GLPI *** --------------------------------------------- Product: GLPI v0.90.2Vulnerability Type: SQL Injection [CWE-89]Risk level: High Creater: INDEPNET Advisory Publication: April 8, 2016 [without technical details]Public Disclosure: April 29, 2016 CVE Reference: Pending CVSSv2 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L] Vulnerability Details: High-Tech Bridge Security Research Lab discovered a high-risk SQL injection vulnerability in a popular Information Resource Manager (IRM) system GLPI. IRM systems are usually used for... --------------------------------------------- https://www.htbridge.com/advisory/HTB23301 *** Bugtraq: [security bulletin] HPSBUX03583 SSRT110084 rev.1 - HP-UX BIND Service running Named, Remote Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/538219 *** Cisco Information Server XML Parser Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** APPLE-SA-2016-04-28-1 OS X: Flash Player plug-in blocked *** --------------------------------------------- APPLE-SA-2016-04-28-1 OS X: Flash Player plug-in blockedDue to security and stability issues in older versions, Applehas updated the web plug-in blocking mechanism to disable allversions prior to Flash Player 21.0.0.226 and 18.0.0.343.Information on blocked web plug-ins will be posted to: [...] --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2016/Apr/msg00000.ht… *** Moxa NPort Device Vulnerabilities (Update B) *** --------------------------------------------- This alert update is a follow-up to the NCCIC/ICS-CERT updated alert titled ICS-ALERT-16-099-01A Moxa NPort Device Vulnerabilities that was published April 20, 2016, on the ICS-CERT web page. ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. These vulnerabilities were reported by Reid Wightman of Digital Bonds Labs, who coordinated with the vendor but not with ICS-CERT. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01 *** SSA-763427 (Last Update 2016-04-29): Vulnerability in Communication Processor (CP) modules SIMATIC CP 343-1, TIM 3V-IE, TIM 4R-IE, and CP 443-1 *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-763427… *** SSA-921524 (Last Update 2016-04-29): Incorrect Frame Padding in ROS-based Devices *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-921524… *** IBM Security Bulletin: Multiple vulnerabilities in current releases of IBM® WebSphere Real Time *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21982198 *** IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM QuickFile (CVE-2015-2017). *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21977561 *** Bugtraq: [SECURITY] [DSA 3561-1] subversion security update *** --------------------------------------------- http://www.securityfocus.com/archive/1/538223 *** WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8473 *** WordPress <= 4.4.2 - Reflected XSS in Network Settings *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8474 *** WordPress <= 4.4.2 - Script Compression Option CSRF *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8475

1 0

Tageszusammenfassung - Donnerstag 28-04-2016
by Daily end-of-shift report 28 Apr '16

28 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 27-04-2016 18:00 − Donnerstag 28-04-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Malware Takes Advantage of Windows "God Mode" *** --------------------------------------------- Microsoft Windows has hidden an Easter Egg since Windows Vista. It allows users to create a specially named folder that acts as a shortcut to Windows settings and special folders, such as control panels, My Computer, or the printers folder. This "God Mode" can come in handy for admins, but attackers are now using this undocumented feature for evil ends. Files placed within one of these master control panel shortcuts are not easily accessible via Windows Explorer because the folders do... --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/malware-takes-advantage-of-windows-god… *** VB2016 Call for Papers Deadline *** --------------------------------------------- You have until the early hours (GMT) of Monday 21 March to submit an abstract for VB2016! The VB2016 programme will be announced in the first week of April. --------------------------------------------- https://www.virusbulletin.com/blog/2016/03/vb2016-call-papers-deadline/ *** How broken is SHA-1 really? *** --------------------------------------------- SHA-1 collisions may be found in the next few months, but that doesnt mean that fake SHA-1-based certificates will be created in the near future. Nevertheless, it is time for everyone, and those working in security in particular, to move away from outdated hash functions. --------------------------------------------- https://www.virusbulletin.com/blog/2016/03/how-broken-sha-1-really/ *** Firefox 46 Patches Critical Memory Vulnerabilities *** --------------------------------------------- Mozilla released Firefox 46, which includes patches for one critical and four high-severity vulnerabilities, all of which can lead to remote code execution. --------------------------------------------- http://threatpost.com/firefox-46-patches-critical-memory-vulnerabilities/11… *** DNS and DHCP Recon using Powershell, (Thu, Apr 28th) *** --------------------------------------------- I recently had a client pose an interesting problem. They wanted to move all their thin clients to a separate VLAN. In order to do that, I needed to identify which switch port each was on. Since there were several device vendors involved, I couldnt use OUI portion of the MAC. Fortunately, they were using only a few patterns in their thin client hostnames, so that gives me an in. Great you say, use nmap -sn, sweep for the names, get the MAC addresses and map those to switch ports - easy right? --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20995&rss *** Time for a patch: six vulns fixed in NTP daemon *** --------------------------------------------- Whats the time? Its time to get ill. Unless you fix these beastly flaws Cisco has turned over a bunch of Network Time Protocol daemon (ntpd) vulnerabilities to the Linux Foundations Core Infrastructure Initiative. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/04/28/time_for_a_… *** Handling security bugs, vulnerable infrastructure and a range of DDoS attacks: 22nd MELANI semi-annual report *** --------------------------------------------- In the second half of 2015, there were once again some spectacular cyber-related incidents worldwide. These were primarily DDoS attacks, phishing attacks and attacks on industrial control systems. Published today, the 22nd MELANI semi-annual report features handling security vulnerabilities as its key topic. --------------------------------------------- https://www.melani.admin.ch/melani/en/home/dokumentation/newsletter/semi-an… *** Binary Webshell Through OPcache in PHP 7 *** --------------------------------------------- In this article, we will be looking at a new exploitation technique using the default OPcache engine from PHP 7. Using this attack vector, we can bypass certain hardening techniques that disallow the file write access in the web directory. This could be used by an attacker to execute his own malicious code in a hardened environment. --------------------------------------------- http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/ *** Kaspersky DDoS Intelligence Report for Q1 2016 *** --------------------------------------------- In Q1, resources in 74 countries were targeted by DDoS attacks. China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days). --------------------------------------------- http://securelist.com/analysis/quarterly-malware-reports/74550/kaspersky-dd… *** Cyber Security Lecture given by Mozilla *** --------------------------------------------- May 09, 2016 - 4:00 pm - 6:30 pm TU Wien Karlsplatz 13 1040 Wien Let’s Encrypt (J.C. Jones) You can’t build a secure website without having a certificate, and getting a certificate is one of the hardest parts of setting up a secure website. Mozilla helped start up Let’s Encrypt to make getting a certificate easier and promote the security of the Web. In 16 months, Let’s Encrypt went from an idea... Mozilla Security (Richard Barnes) The Web is arguably the single largest platform for applications in the world. Securing a Web browser requires security expertise from across the field, including low-level program internals, network security, language design, and access controls. In this talk, we will discuss some of the critical Web... --------------------------------------------- https://www.sba-research.org/events/cyber-security-lecture-given-by-mozilla/ *** PCI DSS 3.2 is out: What's new? *** --------------------------------------------- The Payment Card Industry Security Standards Council has published the latest version of PCI DSS, the information security standard for organizations that handle customer credit cards. Changes and improvements in PCI DSS 3.2 include: Multi-factor authentication will be required for all administrative access into the cardholder data environment. Previously, use of multi-factor authentication was only a must when it was accessed remotely, by an untrusted user/device. This will not impact... --------------------------------------------- https://www.helpnetsecurity.com/2016/04/28/pci-dss-3-2-whats-new/ *** Cisco Finds Backdoor Installed on 12 Million PCs *** --------------------------------------------- UPDATED. Cisco's Talos security intelligence and research group has come across a piece of software that installed backdoors on 12 million computers around the world. --------------------------------------------- http://www.securityweek.com/cisco-finds-backdoor-installed-12-million-pcs *** Forthcoming OpenSSL releases *** --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2h, 1.0.1t. These releases will be made available on 3rd May 2016 between approximately 1200-1500 UTC. They will fix several security defects with maximum severity "high". --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2016-April/000069.html *** VMSA-2015-0007.4 *** --------------------------------------------- VMware vCenter and ESXi updates address critical security issues. --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0007.html *** Bugtraq: CVE-2015-5207 - Bypass of Access Restrictions in Apache Cordova iOS *** --------------------------------------------- http://www.securityfocus.com/archive/1/538213 *** sol93532943: SSHD session.c vulnerability CVE-2016-3115 *** --------------------------------------------- Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. (CVE-2016-3115) --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/93/sol93532943.html?ref=… *** sol52349521: OpenSSL vulnerability CVE-2016-2842 *** --------------------------------------------- The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799. (CVE-2016-2842) --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/52/sol52349521.html?ref=… *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Application Policy Infrastructure Controller Enterprise Module Unauthorized Access Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco WebEx Meetings Server Open Redirect Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: April 2016 *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Samba - including Badlock - Transformation Extender Hypervisor Edition *** http://www.ibm.com/support/docview.wss?uid=swg21981057 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Samba including Badlock - affect IBM OS Images for Red Hat Linux Systems. *** http://www.ibm.com/support/docview.wss?uid=swg21982097 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Samba, including Badlock, affect IBM i *** http://www.ibm.com/support/docview.wss?uid=nas8N1021296 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in php5 affect IBM Flex System Manager (FSM) (CVE-2015-6836, CVE-2015-6837, CVE-2015-6838) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023641 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in ISC BIND and Samba - including Badlock - affect IBM Netezza Host Management *** http://www.ibm.com/support/docview.wss?uid=swg21979985 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilitiesin gnutls affect IBM Flex System Manager(FSM) (CVE-2015-2806, CVE-2015-8313) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023642 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in openLDAP affects IBM Flex System Manager(FSM) (CVE-2015-6908) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023640 --------------------------------------------- *** IBM Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server for Bluemix if FIPS 140-2 is enabled (CVE-2016-0306) and multiple vulnerabilities in Samba - including Badlock (CVE-2016-2118) *** http://www.ibm.com/support/docview.wss?uid=swg21982128 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux *** http://www.ibm.com/support/docview.wss?uid=swg21981752 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition *** http://www.ibm.com/support/docview.wss?uid=swg21980826 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities exist with Oracle Outside In Technology (OIT) in IBM FileNet Content Manager and IBM Content Foundation. *** http://www.ibm.com/support/docview.wss?uid=swg21975822 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - Jan 2016 - Includes Oracle Jan 2016 CPU + 3 IBM CVEs affects IBM Algorithmics One Core, Algo Risk Application, and Counterparty Credit Risk *** http://www.ibm.com/support/docview.wss?uid=swg21981333 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in SQLite affects IBM Security Access Manager for Web (CVE-2015-3416) *** http://www.ibm.com/support/docview.wss?uid=swg21981270 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in RSOC_APP_01 Frameable Response Potential Clickjacking (CSRF) affects IBM Algorithmics Algo Risk Application - CVE-2016-0207 *** http://www.ibm.com/support/docview.wss?uid=swg21981322 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 27-04-2016
by Daily end-of-shift report 27 Apr '16

27 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 26-04-2016 18:00 − Mittwoch 27-04-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Nationale Strategie: De Maizière will Wirtschaft besser gegen Cyberspionage schützen *** --------------------------------------------- Manchmal ist es eine komplexer Hackerangriff, manchmal fängt sich der Chef die Schadsoftware auch direkt von der Speisekarte seines Lieblingsrestaurants ein. Vielen Unternehmen fehlt noch das Bewusstsein der Gefahr. Das soll anders werden. --------------------------------------------- http://heise.de/-3189372 *** All About Fraud: How Crooks Get the CVV *** --------------------------------------------- A longtime reader recently asked: "How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The answer: Probably by installing a Web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attackers server. --------------------------------------------- http://krebsonsecurity.com/2016/04/all-about-fraud-how-crooks-get-the-cvv/ *** A Look Inside Cerber Ransomware *** --------------------------------------------- The "Cerber" family of ransomware first appeared in open source reporting in March 2016, with victims readily identified by the ".cerber" extension left on encrypted files. Unlike many other ransomware variants, Cerber is designed to encrypt a victim's file system immediately, without receiving "confirmation" or instructions from a command and control (C2) node. After this malicious encryption is complete, HTML and text files are opened on the infected... --------------------------------------------- https://blog.team-cymru.org/2016/04/a-look-inside-cerber-ransomware/ *** Malvertising On The Pirate Bay Drops Ransomware *** --------------------------------------------- Magnitude EK strikes again, this time on The Pirate Bay, and drops the Cerber Ransomware. Categories: ExploitsTags: cerbermagnitude EKransomwareThe Pirate BayTPB(Read more...) --------------------------------------------- https://blog.malwarebytes.org/threat-analysis/exploits-threat-analysis/2016… *** Next up. A look at Locky Ransomware *** --------------------------------------------- Weve been examining some of the newer - or, at least, most currently prevalent - strains of ransomware. This time we look at Locky. --------------------------------------------- http://www.scmagazine.com/next-up-a-look-at-locky-ransomware/article/492355/ *** 7ev3n ransomware alters name, asks for much lower ransom *** --------------------------------------------- A variant of 7ev3n ransomware has modified its name and begun asking victims for a considerably lower ransom fee than it was seeking just a few months ago. Security researchers originally detected the 7ev3n ransomware back in January of this year. --------------------------------------------- https://www.grahamcluley.com/2016/04/7ev3n-ransomware-alters-asks-lower-ran… *** BSI-Umfrage: Ein Drittel der Unternehmen ist von Erpressungs-Trojanern betroffen *** --------------------------------------------- Den Ergebnissen einer Ransomware-Umfrage des BSI zufolge schützen 60 Prozent der befragten Institutionen aus der deutschen Wirtschaft die Lage als verschärft ein. Auch die Security Bilanz Deutschland vermeldet einen erhöhten Bedrohungsgrad. --------------------------------------------- http://heise.de/-3189776 *** "Ransomware ist mittlerweile die größte Bedrohung" *** --------------------------------------------- Trojaner, die Systeme verschlüsseln, bieten Kriminellen einen einfachen Weg, Geld zu verdienen. Die Opferzahlen steigen und auch Smartphones sind nicht mehr sicher. --------------------------------------------- http://futurezone.at/digital-life/ransomware-ist-mittlerweile-die-groesste-… *** Digging deep for PLATINUM *** --------------------------------------------- There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That's what motivated us - the Windows Defender Advanced Threat Hunting team, known... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platin… *** Boffins believe buggy Binder embiggens Android attack surface *** --------------------------------------------- Punching holes in problematic private APIs Bugs in Androids Binder inter-process communication (IPC) mechanism open up a mass of security bugs, according to University of Michigan boffins Huan Feng and Kang Shin. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/04/27/boffins_bel… *** Memory Forensics *** --------------------------------------------- Introduction This mini-course started with forensic memory basics, in this mini-course, we have explained how you can and what you can find artifacts from memory. As Memory forensics is very vast topic so we have also explained some memory basic such as how memory works what memory architecture and its unit is. Also, what artifacts... --------------------------------------------- http://resources.infosecinstitute.com/memory-forensics/ *** An Introduction to Mac memory forensics, (Tue, Apr 26th) *** --------------------------------------------- Unfortunately when its come to the memory forensics Mac in environment doesnt have the luxury that we have in the Windows environment. The first step of the memory forensics is capturing the memory, while in Windows we have many tools to achieve this, in Mac we have very few options. OSXPmem is the only available option for memory capturing that support El Capitan, https://github.com/google/rekall/releases/download/v1.3.2/osxpmem_2.0.1.zip Now let"> cd osxpmem.app/ "> chown --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20989&rss *** How to Suck at Information Security - A Cheat Sheet *** --------------------------------------------- This cheat sheet presents common information security mistakes, so you can avoid making them. Yeah, the idea is that you should do the opposite of what it says below. To print, use the one-sheet PDF version; you can also edit the Word version for you own needs. --------------------------------------------- https://zeltser.com/suck-at-security-cheat-sheet/ *** [DSA 3558-1] openjdk-7 security update *** --------------------------------------------- CVE ID: CVE-2016-0636 CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425 CVE-2016-3426 CVE-2016-3427 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, denial of service or information disclosure. --------------------------------------------- https://lists.debian.org/debian-security-announce/2016/msg00134.html *** VTS16-001: NetBackup Remote Access Vulnerabilities *** --------------------------------------------- Multiple vulnerabilities have been identified in Veritas (formerly Symantec) NetBackup Master/ Media Servers and clients. An attacker, able to successfully access a vulnerable NetBackup host, could potentially execute arbitrary commands or operations resulting in possible unauthorized, privileged access to the targeted system. --------------------------------------------- https://www.veritas.com/content/support/en_US/security/VTS16-001.html *** F5 Security Advisory: glibc calloc vulnerability CVE-2015-5229 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23822215.html?… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976066 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Editionaffects IBM Algorithmics Algo Risk Application and Algo One Core ( CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803, *** http://www.ibm.com/support/docview.wss?uid=swg21981349 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Provisioning Manager (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21981826 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-2601,CVE-2015-4749.CVE-2015-2625,CVE-2015-1931 ) *** http://www.ibm.com/support/docview.wss?uid=swg21976560 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in HTTP Response Splitting affects IBM Algorithmics Algo Risk Application & AlgoOne Core- CVE-2015-2017 *** http://www.ibm.com/support/docview.wss?uid=swg21981532 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 26-04-2016
by Daily end-of-shift report 26 Apr '16

26 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 25-04-2016 18:00 − Dienstag 26-04-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** "Fourth Sample of ICS Tailored Malware Uncovered and the Potential Impact" *** --------------------------------------------- I looked at the S4 Europe agenda which was sent out this morning by Dale Peterson and saw an interesting bullet: "Rob Caldwell of Mandiant will unveil some ICS malware in the wild that is doing some new and smarter things to attack ICS. We are working with Mandiant to provide a bit more info … Continue reading Fourth Sample of ICS Tailored Malware Uncovered and the Potential Impact... --------------------------------------------- http://ics.sans.org/blog/2016/04/25/fourth-sample-of-ics-tailored-malware-u… *** Juniper patches Logjam, Bar Mitzvah, and various Java vulns *** --------------------------------------------- In Junos Space, nobody can hear you patch | Juniper Networks sysadmins can add Junos Space network management patches to their to-do list. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/04/26/juniper_plu… *** Shopware update fixes RCE bug that affects both shop and target system *** --------------------------------------------- Shopware, an open-source shopping cart system chosen by a number of big European companies to power their online shops, has recently pushed out a critical security update. The update fixes a remote code execution bug that could allow attackers to read files on the target system, create new ones with malicious content, and run arbitrary code on the target system. This is a critical security vulnerability that not only affect the functions of the shop,... --------------------------------------------- https://www.helpnetsecurity.com/2016/04/26/shopware-update-fixes-rce-bug/ *** Sicherheits-Report: Unternehmen setzen selbst simple Schutzmechanismen nicht um *** --------------------------------------------- Forensische Analysen von mehr als 3000 nachweislichen Datenlecks zeigen, dass sich Angreifer wenig Neues einfallen lassen - weil Unternehmensnetze immer noch nicht gegen die ewig gleichen Angriffsmuster geschützt sind. --------------------------------------------- http://heise.de/-3184485 *** Breaking Steam Client Cryptography *** --------------------------------------------- So as to not bury the lede: Older versions of Steam allow an attacker who observes a client connecting to Steam to read sensitive information sent over the network. This allows the attacker to take over the account, bypass SteamGuard, and sometimes view plain-text passwords. But how? --------------------------------------------- https://steamdb.info/blog/breaking-steam-client-cryptography/ *** Malware and non-malware ways for ATM jackpotting. Extended cut *** --------------------------------------------- Millions of people around the world now use ATMs every day to withdraw cash, pay in to their account or make a variety of payments. Unfortunately, ATM manufacturers and their primary customers - banks - don't pay much attention to the security of cash machines. --------------------------------------------- http://securelist.com/analysis/publications/74533/malware-and-non-malware-w… *** Two Tips to Keep Your Phone's Encrypted Messages Encrypted *** --------------------------------------------- WhatsApp and Viber may have turned on "default" end-to-end encryption, but truly securing your messages requires a couple steps of your own. --------------------------------------------- http://www.wired.com/2016/04/tips-for-encrypted-messages/ *** Yeabests[.]cc: A fileless infection using WMI to hijack your Browser *** --------------------------------------------- Windows comes with a tool called the Windows Management Instrumentation, or WMI, that can be used by system administrators to receive information and notifications from Windows. ... Unfortunately, this [..] can also be used by malware developers for more nefarious reasons such as creating fileless infectors. --------------------------------------------- http://www.bleepingcomputer.com/news/security/yeabests-cc-a-fileless-infect… *** ENISA's Executive Director addresses EP ITRE Committee on key points for cybersecurity for the EU *** --------------------------------------------- Following the Commission announcement on the path to digitise the EU industry, ENISA participated at the ITRE meeting on 21st April in an exchange of views on cybersecurity in the EU, and ENISA's role in the implementation of the Digital Single Market. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa2019s-executive-director-a… *** SWIFT banking network warns customers of cyberfraud cases *** --------------------------------------------- SWIFT, the international banking transactions network, has warned customers of "a number" of recent incidents in which criminals sent fraudulent messages through its system.The warning from SWIFT (Society for Worldwide Interbank Financial Telecommunication) suggests that a February attack on the Bangladesh Bank, in which thieves got away with US $81 million, was not an isolated incident.SWIFT is aware of malware that "aims to reduce financial institutions' abilities"... --------------------------------------------- http://www.cio.com/article/3061685/swift-banking-network-warns-customers-of… *** New Decryptor Unlocks CryptXXX Ransomware *** --------------------------------------------- Researchers at Kaspersky Lab today published a decryptor that recovers files encrypted by the CryptXXX ransomware. --------------------------------------------- http://threatpost.com/new-decryptor-unlocks-cryptxxx-ransomware/117668/ *** AKW Gundremmingen: Infektion mit Uralt-Schadsoftware *** --------------------------------------------- Im Atomkraftwerk Gundremmingen wurde mindestens ein Rechner mit Schadsoftware infiziert. Bei genauerer Betrachtung scheint die Situation allerdings weniger dramatisch, als zuerst angenommen. --------------------------------------------- http://heise.de/-3188599 *** Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC *** --------------------------------------------- Topic: Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC Risk: Medium Text:# Exploit Title: RATS 2.3 Crash POC # Date: 25th April 2016 # Exploit Author: David Silveiro # Author Contact: twitter.com/d... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016040155 *** Bugtraq: Trend Micro (Account) - Email Spoofing Web Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/538197 *** Bugtraq: VoipNow v4.0.1 - (xajax_handler) Persistent Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/538198 *** Bugtraq: Sophos XG Firewall (SF01V) - Persistent Web Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/538199 *** TYPO3 CMS 6.2.22 and 7.6.6 released *** --------------------------------------------- The TYPO3 Community announces the versions 6.2.22 LTS and 7.6.6 LTS of the TYPO3 Enterprise Content Management System. We are announcing the release of the following TYPO3 CMS updates: TYPO3 CMS 6.2.22 LTS TYPO3 CMS 7.6.6 LTS All versions are maintenance releases and contain bug fixes only. --------------------------------------------- https://typo3.org/news/article/typo3-cms-6222-and-766-released/ *** Bugtraq: [security bulletin] HPSBGN03582 rev.1 - HPE Helion CloudSystem using glibc, Remote Code Execution, Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/538194 *** IBM Security Bulletin: IBM Vulnerability in BIND affects AIX (CVE-2015-8704) *** --------------------------------------------- http://www.ibm.com/support/ *** IBM Security Bulletin: IBM Vulnerability in OpenSSL affects AIX (CVE-2016-2842) *** --------------------------------------------- http://www.ibm.com/support/

1 0

Tageszusammenfassung - Montag 25-04-2016
by Daily end-of-shift report 25 Apr '16

25 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 22-04-2016 18:00 − Montag 25-04-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Angler Exploit Kit, Bedep, and CryptXXX, (Sat, Apr 23rd) *** --------------------------------------------- Introduction On Friday 2016-04-15, Proofpoint researchers spotted CryptXXX [1], a new type of ransomware from the actors behind Reveton. CryptXXX is currently spread through Bedep infections sent by the Angler exploit kit (EK). So far, Ive only seen Bedep send CryptXXX after Angler EK traffic caused by the pseudo-Darkleech campaign." /> CryptXXX infections have their own distinct look." /> Bedep recently improved its evasion capabilities [3]. Its being sent by one of the most... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20981&rss *** Highlights from the 2016 HPE Annual Cyber Threat Report, (Mon, Apr 25th) *** --------------------------------------------- HP released their annual report for 2016 that covers a broad range of information (96 pages) in various sectors and industries. The report is divided in 7 themes, those that appear the most interesting to me are Theme #5: The industry didnt learn anything about patching in 2015 and Theme #7: The monetization of malware. Theme #5 According to this report, the bug that was the most exploited in 2014 was still the most exploited last year which is now over five years old. CVE-2010-2568 where a... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20985&rss *** Top 10 web hacking techniques of 2015 *** --------------------------------------------- Now in its tenth year, the Top 10 List of Web Hacking Techniques takes a step back from the implications of an attack to understand how they happen. The list is chosen by the security research community, coordinated by WhiteHat Security. After receiving 39 submissions detailing hacking techniques discovered in 2015, the following hacks were voted into the top 10 spaces: FREAK (Factoring Attack on RSA-Export Keys) LogJam Web Timing Attacks Made Practical Evading All... --------------------------------------------- https://www.helpnetsecurity.com/2016/04/25/top-10-web-hacking-techniques-20… *** Kritische Lücken: HP Data Protector verzichtet auf Authentifikation *** --------------------------------------------- Angreifer können den HP Data Protector über verschiedene Schwachstellen in den Mangel nehmen und Code auf Computer schieben. Sicherheits-Updates unterbinden das. --------------------------------------------- http://heise.de/-3183095 *** Snap: Ubuntus neue Pakete sind auf dem Desktop nicht sicherer *** --------------------------------------------- Die Ubuntu-Macher Canonical behaupten, mit dem neuen Paketformat Snap werden installierte Apps sicherer. Für Desktop-Anwender stimmt das allerdings nicht. --------------------------------------------- http://heise.de/-3183128 *** RDP Replay Code Release *** --------------------------------------------- We took a more in depth look to see what information could be extracted from a PCAP of this [RDP] activity, and this led to a tool being created to replay the RDP session as the attacker would have seen it. We have made this tool available after being asked by a number of our blog readers. This tool requires the private key for decrypting, which can usually be recovered with cooperation from the client. --------------------------------------------- http://www.contextis.com/resources/blog/rdp-replay-code-release/ *** Apple ID und iCloud: Gezieltes Phishing mit Textnachricht *** --------------------------------------------- Betrüger versuchen derzeit per SMS, Nutzer auf eine gefälschte Apple-ID-Anmeldeseite zu locken, um persönliche Daten in Erfahrung zu bringen. Die Mitteilung ist persönlich adressiert. --------------------------------------------- http://heise.de/-3183878 *** A Newer Variant of RawPOS in Depth *** --------------------------------------------- RawPOS - A History RawPOS (also sometimes referred to as Rdasrv from the original service install name) is a Windows based malware family that targets payment card data. It has been around at least since 2011, if not much earlier. Despite it being very well known and the functions it performs easy to understand, RawPOS continues to prove extremely effective in perpetuating long-term and devastating card breaches to this day. Similar to its cousin, BlackPOS, this malware targets industries... --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/a-newer-variant-of-raw… *** Empty DDoS Threats: Meet the Armada Collective *** --------------------------------------------- [...] Our conclusion was a bit of a surprise: weve been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack. In fact, because the extortion emails reuse Bitcoin addresses, theres no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments. [...] --------------------------------------------- https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/ *** GozNym banking malware spotted now in Europe *** --------------------------------------------- IBMs X-Force reported today the actors behind the hybrid GozNym banking trojan that stole $4 million from U.S. banks in March have released a new configuration that is targeting European banks. --------------------------------------------- http://www.scmagazine.com/goznym-banking-malware-spotted-now-in-europe/arti… *** Angriff auf Zentralbank: Billigrouter und Malware führen zu Millionenverlust *** --------------------------------------------- Man sollte meinen, dass die Zentralbank eines Landes über eine Firewall verfügt. In Bangladesch war das offenbar nicht der Fall. So konnten Angreifer mit spezialisierter Malware fast 1 Milliarde US-Dollar überweisen - und scheiterten dann an einem Fehler. --------------------------------------------- http://www.golem.de/news/angriff-auf-zentralbank-billigrouter-und-malware-f… *** Manipulierte PNG-Datei schießt iOS- und Mac-Apps ab *** --------------------------------------------- Das Öffnen einer präparierten Bilddatei bringt Apps in iOS wie OS X zum Absturz, darunter den iOS-Homescreen. Die iMessage-App öffnet sich dadurch unter Umständen nicht mehr. --------------------------------------------- http://heise.de/-3184062 *** Exploit kit targets Android devices, delivers ransomware *** --------------------------------------------- Ransomware hitting mobile devices is not nearly as widespread as that which targets computers, but Blue Coat researchers have discovered something even less unusual: mobile ransomware delivered via exploit kit. The ransomware in question calls itself Cyber.Police (the researchers have dubbed it Dogspectus), and does not encrypt users' files, just blocks the infected Android device. It purports to be part of an action by the (nonexistent) "American national security agency"... --------------------------------------------- https://www.helpnetsecurity.com/2016/04/25/exploit-kit-targets-android-devi… *** VU#229047: Allround Automations PL/SQL Developer v11 performs updates over HTTP *** --------------------------------------------- Vulnerability Note VU#229047 Allround Automations PL/SQL Developer v11 performs updates over HTTP Original Release date: 25 Apr 2016 | Last revised: 25 Apr 2016 Overview Allround Automations PL/SQL Developer version 11 checks for updates over HTTP and does not verify updates before executing commands, which may allow an attacker to execute arbitrary code. Description CWE-345: Insufficient Verification of Data Authenticity - CVE-2016-2346 According to the researcher, Allround Automations... --------------------------------------------- http://www.kb.cert.org/vuls/id/229047 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in git affect PowerKVM (CVE-2016-2315, CVE-2016-2324) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023527 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NetworkManager affect PowerKVM (CVE-2015-0272,CVE-2015-2924) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023498 --------------------------------------------- *** IBM Security Bulletin: A Security Vulnerability was fixed in IBM Security Privileged Identity Manager (CVE-2016-0357) *** http://www.ibm.com/support/docview.wss?uid=swg21981720 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in libssh2 affects PowerKVM (CVE-2016-0787) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023482 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in ISC Bind affect PowerKVM (CVE-2016-1285, CVE-2016-1286) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023483 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in nss-util affects PowerKVM (CVE-2016-1950) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023484 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in strongSwan affects PowerKVM (CVE-2015-8023) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023447 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects Sterling Connect:Enterprise for UNIX (CVE-2016-0800). *** http://www.ibm.com/support/docview.wss?uid=swg21980890 --------------------------------------------- *** IBM Security Bulletin: Information disclosure through unauthenticated SOAP request message. (CVE-2016-0299) *** http://www.ibm.com/support/docview.wss?uid=swg21981155 --------------------------------------------- *** IBM Security Bulletin: ClassLoader Manipulation with Apache Struts affecting IBM WebSphere Portal (CVE-2014-0114) *** http://www.ibm.com/support/docview.wss?uid=swg21680194 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libssh2 affects SAN Volume Controller and Storwize Family (CVE-2015-1782) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005710 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM SAN Volume Controller and Storwize Family (CVE-2016-0475) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005709 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere MQ (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976896 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Control Center (CVE-2015-5254) *** http://www.ibm.com/support/docview.wss?uid=swg21981352 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM WebSphere MQ (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21981838 --------------------------------------------- *** IBM Security Bulletin: Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2015-3194) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005657 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem models 840 and 900 (CVE-2015-3194) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005656 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2015-3194) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005657 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 22-04-2016
by Daily end-of-shift report 22 Apr '16

22 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 21-04-2016 18:00 − Freitag 22-04-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cisco Patches Denial-of-Service Flaws Across Three Products *** --------------------------------------------- Cisco released software updates to address five separate denial of service vulnerabilities, all which the company considers either high or critical severity, across its product line this week. --------------------------------------------- http://threatpost.com/cisco-patches-denial-of-service-flaws-across-three-pr… *** New version of TeslaCrypt ups ante for ransomware *** --------------------------------------------- Two updates in TeslaCrypt illustrate that ransomware is not only spreading wider, but is also evolving with new capabilities. --------------------------------------------- http://www.scmagazine.com/new-version-of-teslacrypt-ups-ante-for-ransomware… *** Cybercrime as a business rampant, new study *** --------------------------------------------- Attacks are getting fiercer and attackers more sophisticated and organized, according to the "2016 Trustwave Global Security Report," released this week. --------------------------------------------- http://www.scmagazine.com/cybercrime-as-a-business-rampant-new-study/articl… *** South Korea no 1 origin point for DDoS attacks *** --------------------------------------------- According to a new report by Imperva, South Korea serves as the most prolific point of origin for global DDoS attacks. --------------------------------------------- http://www.scmagazine.com/south-korea-no-1-origin-point-for-ddos-attacks/ar… *** SpyEye duo behind bank-account-emptying malware banged up *** --------------------------------------------- Billion-dollar Russian Trojan team in the tank for quarter of a century in the US A two-man team responsible for spreading the SpyEye malware that caused more than a billion dollars in financial hardship is now starting extended .. --------------------------------------------- www.theregister.co.uk/2016/04/21/us_jails_spyeye_malware_duo/ *** DSA-3554 xen - security update *** --------------------------------------------- Multiple vulnerabilities have been discovered in the Xen hypervisor. TheCommon Vulnerabilities and Exposures project identifies the followingproblems: --------------------------------------------- https://www.debian.org/security/2016/dsa-3554 *** Core Windows Utility Can Be Used to Bypass AppLocker *** --------------------------------------------- A researcher has discovered that Windows' Regsvr32 can be used to download and run JavaScript and VBScript remotely from the Internet, bypassing AppLocker's whitelisting protections. --------------------------------------------- http://threatpost.com/core-windows-utility-can-be-used-to-bypass-applocker/… *** TeslaCrypt: New versions and delivery methods, no decryption tool *** --------------------------------------------- TeslaCrypt ransomware was first spotted and analyzed in early 2015, and soon enough researchers created a decryption tool for it. The malware has since reached versions 4.0 and 4.1 but, unfortunately, there is currently no way to decrypt the .. --------------------------------------------- https://www.helpnetsecurity.com/2016/04/22/teslacrypt-new-versions-no-decry… *** Your credentials at risk with Lansweeper 5 *** --------------------------------------------- As a penetration testers, we rarely have to find 'zero day' vulnerabilities or perform 'bug hunting' in order to compromise Windows Active Directory Domains. However, in one of these rare cases while performing an internal penetration test for a client, we had to do so. Lansweeper is .. --------------------------------------------- http://blog.gosecure.ca/2016/04/21/your-credentials-at-risk-with-lansweeper… *** Red Hat Product Security Risk Report: 2015 *** --------------------------------------------- This report takes a look at the state of security risk for Red Hat products for calendar year 2015. We look at key metrics, specific vulnerabilities, and the most common ways users of Red Hat products were affected by security issues. --------------------------------------------- https://access.redhat.com/blogs/766093/posts/2262281 *** Hacking Nagios: The Importance of System Hardening *** --------------------------------------------- System hardening is important. Keeping systems in a hardened state is equally important. Good hardening should not only including keeping all the patches up-to-date, but also disabling all unnecessary services. The services that are necessary, must to be configured securely. All of this is .. --------------------------------------------- https://blog.anitian.com/hacking-nagios/ *** Hackerangriff: Drucker an deutschen Unis spuckten Nazi-Botschaften aus *** --------------------------------------------- Angriff auf vernetzte Kopierer und Drucker offenbar aus den USA - Sicherheitsleck behoben --------------------------------------------- http://derstandard.at/2000035504034 *** [2016-04-22] Insecure credential storage in my devolo Android app *** --------------------------------------------- The Android app of devolo Home Control suffers from insecure credential storage. Attackers can be able to recover sensitive information from stolen/lost devices. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** [2016-04-22] Multiple vulnerabilities in Digitalstrom Konfigurator *** --------------------------------------------- Multiple design and implementation flaws within the smart home system Digitalstrom enable an attacker to control arbitrary devices connected to the system and execute JavaScript code in the users browser. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** SEC Consult Study on Smart Home Security in Germany - a first silver lining on the horizon of IoT? *** --------------------------------------------- http://blog.sec-consult.com/2016/04/smart-home-security.html *** 1 Million Menschen nutzen Facebook über Tor *** --------------------------------------------- Lohnt es sich, einen eigenen Tor-Hidden-Service anzubieten? Facebook schreibt jetzt, dass die Zahl der aktiven Tor-Nutzer sich seit dem letzten Sommer verdoppelt hat. --------------------------------------------- http://www.golem.de/news/privatsphaere-1-million-menschen-nutzen-facebook-u… *** Snap: Ubuntus neues Paketformat ist unter X11 unsicher *** --------------------------------------------- Das neue Snap-Paketformat von Ubuntu soll nicht nur Installationen und Updates vereinfachen, sondern auch Anwendungen besser absichern. Unter X11 sei letzteres aber ein falsches Versprechen, sagt Sicherheitsforscher Matthew Garrett. überraschend ist das nicht. --------------------------------------------- http://www.golem.de/news/snap-ubuntus-neues-paketformat-ist-unter-x11-unsic… *** Why Hackers Love Your LinkedIn Profile *** --------------------------------------------- An employee opens an attachment from someone who claims to be a colleague in a different department. The attachment turns out to be malicious. The company network? Breached. If you follow the constant news about data breaches, you read this stuff all the .. --------------------------------------------- http://safeandsavvy.f-secure.com/2016/04/22/why-hackers-love-your-linkedin-… *** Nuclear Exploit-Kit bombardiert hunderttausende Rechner mit Locky *** --------------------------------------------- Ransomware wird im großen Stil über Exploit-Kits verteilt. Sicherheitsforschern ist es jetzt gelungen, ins Backend einer solchen Schadcode-Schleuder einzudringen und Statistiken über die Verbreitung der Trojaner zu sammeln. --------------------------------------------- http://heise.de/-3181696 *** JSA10727 - 2016-04 Security Bulletin: Junos Space: Multiple privilege escalation vulnerabilities in Junos Space (CVE-2016-1265) *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10727

1 0

Tageszusammenfassung - Donnerstag 21-04-2016
by Daily end-of-shift report 21 Apr '16

21 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 20-04-2016 18:00 − Donnerstag 21-04-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Angebliche Paket-Verständigung von der "Post" kann Ihre Daten durch Verschlüsselung unbrauchbar machen *** --------------------------------------------- Modus Operandi Kaum ist die Bedrohung durch angebliche E-Mails von DHL im Abklingen, erreicht uns eine neue Welle von E-Mails mit gefährlichem Inhalt. Nunmehr gibt die Mail vor von der "Post" zu stammen und informiert über eine nicht erfolgreich durchgeführte Zustellung. Die weitere Vorgehensweise bleibt dabei gleich; der Empfänger wird aufgefordert den Versandschein über einen Link in der Mail herunter zu laden. --------------------------------------------- http://www.bmi.gv.at/cms/BK/betrug/files/Cryptolocker_Ransomware_Post.pdf *** Decoding Pseudo-Darkleech (#1), (Thu, Apr 21st) *** --------------------------------------------- Im currently going through a phase of WordPress dPression. Either my users are exceptionally adept at finding hacked and subverted WordPress sites, or there are just so many of these sites out there. This weeks particular fun seems to be happening on restaurant web sites. Inevitably, when checking out the origin of some crud, I discover a dPressing installation that shows signs of being owned since months. The subverted sites currently lead to Angler Exploit Kit (Angler EK), and are using... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20969&rss *** SpyEye botnet kit developer sentenced to long jail term *** --------------------------------------------- Aleksandr Andreevich Panin, the Russian developer of the SpyEye botnet creation kit, and an associate were on Wednesday sentenced to prison terms by a court in Atlanta, Georgia, for their role in developing and distributing malware that is said to have caused millions of dollars in losses to the financial sector.Panin, who set out to develop SpyEye as a successor to the Zeus malware that affected financial institutions since 2009, was sentenced by the court to nine and half years in prison,... --------------------------------------------- http://www.cio.com/article/3059554/spyeye-botnet-kit-developer-sentenced-to… *** Looking Into a Cyber-Attack Facilitator in the Netherlands *** --------------------------------------------- A small webhosting provider with servers in the Netherlands and Romania has been a hotbed of targeted attacks and advanced persistent threats (APT) since early 2015. Starting from May 2015 till today we counted over 100 serious APT incidents that originated from servers of this small provider. Pawn Storm used the servers for at least 80 high profile attacks against various governments in the US, Europe, Asia, and the Middle East. Formally the Virtual Private Server (VPS) hosting company is... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/MKFUpCeHi9s/ *** FBI warns farming industry about equipment hacks, data breaches *** --------------------------------------------- As Internet-connected equipment is increasingly used in many industry sectors, alerts like the latest one issued by the FBI to US farmers will likely become a regular occurrence. While precision agriculture technology (a.k.a. smart farming) reduces farming costs and increases crop yields, farmers need to be aware of and understand the associated cyber risks to their data and ensure that companies entrusted to manage their data, including digital management tool and application developers... --------------------------------------------- https://www.helpnetsecurity.com/2016/04/21/farming-cyber-risks/ *** Lab - Cryptographic Algorithms *** --------------------------------------------- For this lab we'll be using GPG, OpenSSL to demonstrate symmetric and asymmetric encryption/decryption and MD5, SHA1 to demonstrate hash functions. Virtual Machine Needed: Kali Before starting the lab here are some definitions: In all symmetric crypto algorithms (also called Secret Key encryption) a secret key is used for both encrypt plaintext and decrypt the... --------------------------------------------- http://resources.infosecinstitute.com/lab-cryptographic-algorithms/ *** Fremdenfeindliche Ausdrucke: "Hackerangriff" auf Universitätsdrucker *** --------------------------------------------- Hackerangriff oder doch nur eine falsche Druckerkonfiguration: In verschiedenen Universitäten in Deutschland sind in den Druckern Dokumente mit fremdenfeindlichem Hintergrund gefunden worden. --------------------------------------------- http://www.golem.de/news/fremdenfeindliche-ausdrucke-hackerangriff-auf-univ… *** Security update available for the Adobe Analytics AppMeasurement for Flash Library *** --------------------------------------------- A Security Bulletin (APSB16-13) has been published regarding a security update for the Adobe Analytics AppMeasurement for Flash Library. This update resolves an important vulnerability in the AppMeasurement for Flash library that could be abused to conduct DOM-based cross-site scripting attacks... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1341 *** DFN-CERT-2016-0655: Squid: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0655/ *** [R2] Nessus < 6.6 Fixes Two Vulnerabilities *** --------------------------------------------- http://www.tenable.com/security/tns-2016-08 *** Moxa NPort Device Vulnerabilities (Update A) *** --------------------------------------------- This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-16-099-01 Moxa NPort Device Vulnerabilities that was published April 8, 2016, on the ICS-CERT web page. ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. ICS-CERT has notified Moxa of the report, and Moxa has validated all five of the reported vulnerabilities. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01 *** Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow *** --------------------------------------------- Topic: Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow Risk: High Text:/* This function is reachable by sending a RNDIS Set request with OID 0x01010209 (OID_802_3_MULTICAST_LIST) from the Guest to... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016040133 *** Avast SandBox Escape via IOCTL Requests *** --------------------------------------------- Topic: Avast SandBox Escape via IOCTL Requests Risk: Medium Text:* CVE: CVE-2016-4025 * Vendor: Avast * Reported by: Kyriakos Economou * Date of Release: 19/04/2016 * Affected Products: Mu... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016040134 *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Wireless LAN Controller Management Interface Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Wireless LAN Controller Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Adaptive Security Appliance Software DHCPv6 Relay Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Wireless LAN Controller HTTP Parsing Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Multiple Cisco Products libSRTP Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2016-0800) *** http://www.ibm.com/support/docview.wss?uid=swg21980721 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in libcURL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3237) *** http://www.ibm.com/support/docview.wss?uid=swg21980719 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3197, CVE-2015-4000) *** http://www.ibm.com/support/docview.wss?uid=swg21980716 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) *** http://www.ibm.com/support/docview.wss?uid=swg21980714 --------------------------------------------- *** IBM Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2015-8851 *** http://www.ibm.com/support/docview.wss?uid=swg21981528 --------------------------------------------- *** IBM Security Bulletin: IBM Spectrum Scale, with the Spectrum Scale GUI installed, is affected by a security vulnerability (CVE-2016-0361) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005742 --------------------------------------------- *** Drupal Security Advisories for Third-Party Modules *** --------------------------------------------- *** EPSA Crop - Image Cropping - Critical -XSS - SA-CONTRIB-2016-024 - Unsupported *** https://www.drupal.org/node/2710247 --------------------------------------------- *** Organic groups - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2016-023 *** https://www.drupal.org/node/2710115 --------------------------------------------- *** Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022 *** https://www.drupal.org/node/2710063 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 20-04-2016
by Daily end-of-shift report 20 Apr '16

20 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 19-04-2016 18:00 − Mittwoch 20-04-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Oracle critical updates released, (Wed, Apr 20th) *** --------------------------------------------- Oracle has released their critical updates list. Looking through it there is a very wide range of products, including java that require a fix. Oracle strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay. There are quite a few remotely exploitable, no auth required issues that are addressed by these patches. You may want to peruse the list to see if some of your products are affected. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20965&rss *** Java: Neue JDK-Versionen bringen strengere Sicherheitsvorgaben *** --------------------------------------------- Die Updates JDK 8u91 und 8u92 adressieren erneut vor allem das Thema Security: Unter anderem gilt der MD5-Algorithmus nun als unsicher, und die JVM bekommt Einstellungen zur Behandlung von Speicherüberlauffehlern. --------------------------------------------- http://heise.de/-3178164 *** Hacking and manipulating traffic sensors *** --------------------------------------------- With the advent of the Internet of Things, we're lucky to have researchers looking into these devices and pointing out the need for securing them better. One of these researchers is Kaspersky Lab's Denis Legezo, who took it upon himself to map the traffic sensors in Moscow and see whether they could be tampered with. The answer to that question is yes, they can be manipulated, and consequently lead to poor traffic management and annoyance... --------------------------------------------- https://www.helpnetsecurity.com/2016/04/20/hacking-manipulating-traffic-sen… *** PoS Malware Steals Credit Card Numbers via DNS Requests *** --------------------------------------------- A new version of the NewPosThings PoS malware is using a clever technique to extract data from infected PoS terminals that almost no security solution monitors for malware activity. --------------------------------------------- http://news.softpedia.com/news/pos-malware-steals-credit-card-numbers-via-d… *** Using a Braun Shaver to Bypass XSS Audit and WAF *** --------------------------------------------- TL;DR: Sometimes you just need to spend a couple of months to exploit a XSS with a hygiene product. --------------------------------------------- https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-aud… *** Encryption everywhere? *** --------------------------------------------- This article discusses opportunistic encryption (OE), ways to set up systems so that they will automatically encrypt whenever they can rather than just whenever the user requests it. Many types of encryption require a choice by the user - encrypt with PGP rather than sending email in the clear, log into a remote system with... --------------------------------------------- http://resources.infosecinstitute.com/encryption-everywhere/ *** Towards Generic Ransomware Detection *** --------------------------------------------- Im not claiming these ideas are novel, nor unbeatable. My goal is simply to raise awareness about alternate means to help stymie the ransomware epidemic. Plus, attempting to write a tool that could generically protect my computer against OS X ransomware, seemed like a fun challenge! Finally, both this research and tool are version 1.0, meaning, likely room for improvement - so feedback is welcome :) --------------------------------------------- https://objective-see.com/blog/blog_0x0F.html *** DRAM bitflipping exploits that hijack computers just got easier *** --------------------------------------------- Approach relies on already installed code, including widely used glibc library. --------------------------------------------- http://arstechnica.com/security/2016/04/dram-bitflipping-exploits-that-hija… *** Panama Papers - How Hackers Breached the Mossack Fonseca Firm *** --------------------------------------------- Introduction The Panama Papers are a huge trove of high confidential documents stolen from the computer systems of the Panamanian law firm Mossack Fonseca that was leaked online during recently. It is considered the largest data leaks ever, the entire archive contains more than 11.5 Million files including 2.6 Terabytes of data related the activities of offshore... --------------------------------------------- http://resources.infosecinstitute.com/panama-papers-how-hackers-breached-th… *** Kippo and dshield , (Tue, Apr 19th) *** --------------------------------------------- In this diary I will talk about how to configure kippo honeypot and how to submit your kippos log to SANS Dshield --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20963&rss *** Security Update for Microsoft Graphics Component (3148522) Version: 2.0 *** --------------------------------------------- V2.0 (April 19, 2016): To comprehensively address CVE-2016-0145, Microsoft re-released security update 3144432 for affected editions of Microsoft Live Meeting 2007 Console. Customers running Microsoft Live Meeting 2007 Console should install the update to be fully protected from the vulnerability. See Microsoft Knowledge Base Article 3144432 for more information. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-039 *** Bugtraq: ESA-2016-039: EMC ViPR SRM Multiple Cross-Site Request Forgery Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/538133 *** Cisco IOS and Cisco IOS XE ntp Subsystem Unauthorized Access Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** F5 Security Advisory: glibc vulnerability CVE-2015-8779 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/39/sol39250133.html?… *** VMSA-2016-0002.1 *** --------------------------------------------- VMware product updates address a critical glibc security vulnerability --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2016-0002.html *** VMSA-2015-0009.2 *** --------------------------------------------- VMware product updates address a critical deserialization vulnerability --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0009.html

1 0

Tageszusammenfassung - Dienstag 19-04-2016
by Daily end-of-shift report 19 Apr '16

19 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 18-04-2016 18:00 − Dienstag 19-04-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Touch ID: 90 Prozent der iPhone-Nutzer setzen jetzt auf Code-Sperre *** --------------------------------------------- Seit der Einführung des Fingerabdruckscanners hat sich laut Apple der Anteil der Nutzer verdoppelt, die ihr iPhone mit einem Gerätecode schützen und damit die Daten verschlüsseln. --------------------------------------------- http://heise.de/-3177095 *** JavaScript-toting spam emails: What should you know and how to avoid them? *** --------------------------------------------- We have recently observed that spam campaigns are now using JavaScript attachments aside from Office files. The purpose of the code is straightforward. It downloads and runs other malware. Some of the JavaScript downloaders .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/04/18/javascript-toting-spam-… *** Google Alerts, Direct Webmaster Communication Get Bugs Fixed Quickly *** --------------------------------------------- Google determined that Safe Browsing warnings correlate with quicker remediation times, though not as quick as direct contact with webmasters who have registered with Google Search Console. --------------------------------------------- http://threatpost.com/google-alerts-direct-webmaster-communication-get-bugs… *** Magnitude EK Activity At Its Highest Via AdsTerra Malvertising *** --------------------------------------------- The Magnitude exploit kit is maximizing its leads via a large and uninterrupted malvertising campaign.Categories: ExploitsTags: adsterramagnitude EKmalvertisingterraclicks(Read more...) --------------------------------------------- https://blog.malwarebytes.org/threat-analysis/exploits-threat-analysis/2016… *** iPrint Appliance 2.0 Patch 1 *** --------------------------------------------- Abstract: Patch 1 for the iPrint Appliance 2.0 includes bug fixes.Document ID: 5240661Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:iPrint-2.0.0.530.HP.zip (594.99 MB)Products:iPrint Appliance 2Superceded Patches:iPrint Appliance 2.0 FTF --------------------------------------------- https://download.novell.com/Download?buildid=W46YTfqEGiQ~ *** Symantec Messaging Gateway Multiple Security Issues *** --------------------------------------------- Revisions None Severity Severity (CVSS version 2 and CVSS Version 3) CVSS2 Base Score .. --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Python-Based PWOBot Targets European Organizations *** --------------------------------------------- We have discovered a malware family named 'PWOBot' that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwob… *** Zahlen, bitte! Täglich 390.000 neue Schadprogramme *** --------------------------------------------- Momentan hat man das Gefühl, in jedem Mail-Anhang und hinter jedem Link versteckt sich irgendeine Malware. Antiviren-Hersteller und Test-Labore verstärken diesen Eindruck noch durch irrwitzig hohe Zahlen neuer Schadprogramme. --------------------------------------------- http://heise.de/-3177141 *** 2015 über 550 Millionen Datensätze von Sicherheitslecks betroffen *** --------------------------------------------- Anzahl bekannt gewordener Zero-Day-Lücken mehr als verdoppelt – Entwickler werden schneller beim Ausmerzen --------------------------------------------- http://derstandard.at/2000035195204 *** How-To Disable Windows Script Host *** --------------------------------------------- Numerous spam campaigns are pushing various crypto-ransomware families (and backdoors) via .zip file attachments. And such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host. Do yourself a favor and edit your Windows Registry .. --------------------------------------------- https://labsblog.f-secure.com/2016/04/19/how-to-disable-windows-script-host/ *** Exploit kit writers turn away from Java, go all-in on Adobe Flash *** --------------------------------------------- 312% increase in Flash vulns over 2014, says study Exploit kit writers are no longer fussed about Java vulnerabilities, focusing their attention almost entirely on Adobe Flash. --------------------------------------------- www.theregister.co.uk/2016/04/19/exploit_kit_writers_love_flash/ *** Homeland Security: Open Source dient der inneren Sicherheit *** --------------------------------------------- Die Offenlegung von Code habe Vorteile bei der "Cybersicherheit" und werde helfen, die Nation vor Gefahren zu schützen, meint der Technikchef der zuständigen US-Behörde. Außerdem könnten Bürger die Behörde dank Open Source besser überwachen, glauben Entwickler. --------------------------------------------- http://www.golem.de/news/homeland-security-open-source-dient-der-inneren-si… *** Tools *** --------------------------------------------- A number of security vulnerabilities have been identified in Citrix XenServer. The following vulnerabilities have been addressed: ... --------------------------------------------- http://support.citrix.com/article/CTX209443 *** Perfides PayPal-Phishing mit angeblicher Eventim-Rechnung *** --------------------------------------------- Eine überdurchschnittlich gut gemachte Phishing-Mail soll PayPal-Kunden in die Datenfalle locken. Die Absender haben sogar beim Header getrickst. --------------------------------------------- http://heise.de/-3177745

1 0

Tageszusammenfassung - Montag 18-04-2016
by Daily end-of-shift report 18 Apr '16

18 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 15-04-2016 18:00 − Montag 18-04-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Bugtraq: [SECURITY] [DSA 3550-1] openssh security update *** --------------------------------------------- http://www.securityfocus.com/archive/1/538099 *** Out-of-date apps put 3 million servers at risk of crypto ransomware infections *** --------------------------------------------- 1,600 schools, governments, and aviation companies already backdoored. --------------------------------------------- http://arstechnica.com/security/2016/04/3-million-servers-are-sitting-ducks… *** Chrome extensions will soon have to tell you what data they collect *** --------------------------------------------- Google is about to make it harder for Chrome extensions to collect your browsing data without letting you know about it, according to a new policy announced Friday.Starting in mid-July, developers releasing Chrome extensions .. --------------------------------------------- http://www.cio.com/article/3057259/chrome-extensions-will-soon-have-to-tell… *** How to Write Phishing Templates That Work *** --------------------------------------------- Phish Me Once Phishing isn't hard. Despite all the frightening news reports about ransomware and millions of stolen dollars and identities, people still happily click .. --------------------------------------------- http://resources.infosecinstitute.com/how-to-write-phishing-templates-that-… *** ZDI-16-244: Hewlett Packard Enterprise Vertica validateAdminConfig Remote Command Injection Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Vertica. Authentication is not required to exploit this vulnerability. --------------------------------------------- www.zerodayinitiative.com/advisories/ZDI-16-244/ *** ZDI-16-243: Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Information Disclosure Vulnerability *** --------------------------------------------- This vulnerability allows an attacker to leak sensitive information on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-243/ *** Splunk Enterprise Multiple Flaws Let Remote Users Bypass Security and Deny Service and Remote Authenticated Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1035578 *** 'Blackhole' Exploit Kit Author Gets 7 Years *** --------------------------------------------- A Moscow court this week convicted and sentenced seven hackers for breaking into countless online bank accounts -- including "Paunch," the nickname used by the author of the infamous "Blackhole" exploit kit. Once an extremely .. --------------------------------------------- http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-year… *** DSA-3551 fuseiso - security update *** --------------------------------------------- It was discovered that fuseiso, a user-space implementation of theISO 9660 file system based on FUSE, contains several vulnerabilities. --------------------------------------------- https://www.debian.org/security/2016/dsa-3551 *** leenk.me <= 2.5.0 - XSS and CSRF *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8457 *** DSA-3552 tomcat7 - security update *** --------------------------------------------- Multiple security vulnerabilities have been discovered in the Tomcatservlet and JSP engine, which may result in information disclosure,the bypass of CSRF protections and bypass of the SecurityManager. --------------------------------------------- https://www.debian.org/security/2016/dsa-3552 *** FAQ WD <= 1.0.14 - Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8455 *** e-search <= 1.0 - Unauthenticated Reflected Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8458 *** Hacking Team hacker explains how he did it *** --------------------------------------------- Some nine moths ago, a hacker that calls himself Phineas Fisher managed to breach the systems and networks of Hacking Team, the (in)famous Italian company that provides offensive intrusion and surveillance software to .. --------------------------------------------- https://www.helpnetsecurity.com/2016/04/18/hacking-team-hacker-explains/ *** Abhörsicherheit: Web.de sichert Mail-Transport zusätzlich per DANE ab *** --------------------------------------------- Der Schritt ist bedeutsam, weil Web.de nicht nur einer der großen deutschen Freemail-Dienste ist, sondern, weil der Mutterkonzern United Internet auch zur Initiative "E-Mail made in Germany" gehört – um die es zuletzt freilich still geworden ist. --------------------------------------------- http://heise.de/-3175333 *** Remote code execution, git, and OS X *** --------------------------------------------- Sometimes I think about all of those pictures which show a bunch of people in startups. They have their office space, which might be big, or it might be small, but they tend to have Macs. Lots of Macs. A lot of them also use git to .. --------------------------------------------- https://rachelbythebay.com/w/2016/04/17/unprotected/ *** Oracle Critical Patch Update Pre-Release Announcement - April 2016 *** --------------------------------------------- This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for April 2016, which will be released on Tuesday, April 19, 2016. While this Pre-Release Announcement is as accurate .. --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html *** Idiot millennials are saving credit card PINs on their mobile phones *** --------------------------------------------- Cleartext passwords are bad, kids, mmmkay? More than one in five 18-24 year olds (21 per cent) store PINs for credit or debit cards on their smartphones, tablets or laptops, according to research conducted by Equifax in conjunction with Gorkana. --------------------------------------------- www.theregister.co.uk/2016/04/18/storing_passwords_smartphone_bad_mkay/ *** Implementation of a Virtual IDS Device in Passive Mode *** --------------------------------------------- The arrival of server, desktop and network virtualization has brought along enormous flexibility in configuration options and a huge drop in installation and operating costs of IT networks. Due .. --------------------------------------------- http://resources.infosecinstitute.com/implementation-of-a-virtual-ids-devic… *** Academic network Janet clobbered with DDoS attacks - again *** --------------------------------------------- Funny how it always gets targeted at the end of term... Blightys government-funded educational network Janet has once again been hit by a cyber attack, with a fresh .. --------------------------------------------- www.theregister.co.uk/2016/04/18/janet_clobbered_with_ddos_attacks_again/ *** Oberösterreichische Firma bei Traktorenkauf auf Internetbetrüger reingefallen *** --------------------------------------------- 40.000 Euro Schaden - Homepage von englischem Anbieter "gefakt" --------------------------------------------- http://derstandard.at/2000035121122

1 0

Tageszusammenfassung - Freitag 15-04-2016
by Daily end-of-shift report 15 Apr '16

15 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 14-04-2016 18:00 − Freitag 15-04-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cisco Unified Computing System Platform Emulator Command Injection Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Unified Computing System Platform Emulator Filename Argument Handling Buffer Overflow Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Vorgebliches Flash-Update installiert unerwünschte Mac-Programme *** --------------------------------------------- Erneut ist ein als Flash-Aktualisierung getarnter Installer im Umlauf, der ungewollte OS-X-Programme einspielt. Ein Entwickler-Zertifikat stellt die Schutzfunktion Gatekeeper ruhig. --------------------------------------------- http://heise.de/-3174793 *** Bedep has raised its game vs Bot Zombies *** --------------------------------------------- http://malware.dontneedcoffee.com/2016/04/bedepantiVM.html *** Xen hugetlbfs Support Lets Local Users on a Guest System Cause Denial of Service Conditions on the Guest System *** --------------------------------------------- http://www.securitytracker.com/id/1035569 *** Banking Trojans Nymaim, Gozi Merge to Steal $4M *** --------------------------------------------- 'Double-headed beast' Trojan, GozNym, drains $4 million from banks in past two weeks. --------------------------------------------- http://threatpost.com/banking-trojans-nymaim-gozi-merge-to-steal-4m/117412/ *** Ransomware authors use the bitcoin blockchain to deliver encryption keys *** --------------------------------------------- Ransomware authors are using the bitcoin blockchain, which serves as the cryptocurrencys public transaction ledger, to deliver decryption keys to victims.The technique, which removes the burden of maintaining a reliable website-based .. --------------------------------------------- http://www.cio.com/article/3056604/ransomware-authors-use-the-bitcoin-block… *** VMSA-2016-0004 *** --------------------------------------------- VMware product updates address a critical security issue in the VMware Client Integration Plugin --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2016-0004.html *** HTTP Public Key Pinning: How to do it right, (Thu, Apr 14th) *** --------------------------------------------- [Thanks to Felix aka @nexusnode for inspiring this post. Also, see his blog post [1] for more details] One of the underutilizedsecurity measures I mentioned recently was HTTP Public Key Pinning, or HPKP. First again, what is HPKP: HPKP adds a special header to the HTTP response. This header lists hashes .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20943 *** Researchers Crack Microsoft and Google's Shortened URLs to Spy on People *** --------------------------------------------- They were even able to identify a young woman whod sought Google Maps directions to a Planned Parenthood clinic. --------------------------------------------- http://www.wired.com/2016/04/researchers-cracked-microsoft-googles-shortene… *** Russia sends exploit kit author to the GULAG for seven years *** --------------------------------------------- ♫ Mothers, dont let your babies grow up to be hackers ♫ The author of the infamous "Blackhole" exploit kit has been sentenced to seven years in a Russian penal colony, local media report. --------------------------------------------- www.theregister.co.uk/2016/04/15/blackhole_paunch_sentence/ *** OGH: Unternehmer bei "Phishing"-Attacke vom Konto selbst schuld *** --------------------------------------------- http://derstandard.at/2000034923248-406 *** AJAX Random Post <= 2.00 - Unauthenticated Reflected Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8450 *** HDW WordPress Video Gallery <= 1.2 - Unauthenticated Reflected Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8449 *** Blackberry: Kanadische Polizei besitzt seit 2010 Zentralschlüssel *** --------------------------------------------- Wurde genutzt um über die Jahre Millionen BBM-Nachrichten mitzulesen --------------------------------------------- http://derstandard.at/2000034940341 *** Sierra Wireless ACEmanager Information Exposure Vulnerability *** --------------------------------------------- This advisory contains mitigation details for an exposure of sensitive information vulnerability in the Sierra Wireless ACEmanager application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-105-01 *** Accuenergy Acuvim II Series AXM-NET Module Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for authentication bypass vulnerabilities in Accuenergy's Acuvim II Series AXM-NET module. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-105-02 *** QuickTime unter Windows deinstallieren - JETZT! *** --------------------------------------------- Da zwei kritische Lücken in QuickTime für Windows klaffen und Apple die Anwendung nicht mehr unterstützt, .. --------------------------------------------- http://heise.de/-3175518

1 0

Tageszusammenfassung - Donnerstag 14-04-2016
by Daily end-of-shift report 14 Apr '16

14 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 13-04-2016 18:00 − Donnerstag 14-04-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cisco Unified Computing System Central Software Arbitrary Command Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** JSA10733 - 2016-04 Security Bulletin: ScreenOS: Multiple Vulnerabilities in OpenSSL *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10733&actp=RSS *** JSA10747 - 2016-04 Security Bulletin: QFX Series: PFE panic while processing VXLAN packets (CVE-2016-1274) *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10747&actp=RSS *** JSA10735 - 2016-04 Security Bulletin: CTP Series: Multiple vulnerabilities in CTP Series *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10735&actp=RSS *** Cisco Catalyst Switches Network Mobility Services Protocol Port Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Juniper bleeding data and money: slaps Band-Aids all over Junos OS and warns markets *** --------------------------------------------- Security fixes for privilege escalation, DoS, TLS spoofing and more Junipers code reviewers have been hard at work, and have shipped a bunch of security bug-fixes. --------------------------------------------- www.theregister.co.uk/2016/04/14/juniper_drops_a_bunch_of_junos_os_security… *** Hackers hacking hackers to knacker white hat cracker trackers *** --------------------------------------------- These Russians speak really good Farsi and other signs thieves lack honour ACSC2016 Malware writers are selling each other out to white hats and hacking through each others infrastructure to frame rivals, Shadowservers Richard Perlotto says. --------------------------------------------- www.theregister.co.uk/2016/04/14/there_is_no_honour_among_thieves/ *** Entschlüsselungs-Tool verfügbar? Webseite identifiziert Erpressungs-Trojaner *** --------------------------------------------- Opfer von Verschlüsselungs-Trojanern können auf der Webseite ID Ransomware den Schädling identifizieren und unter anderem Infos zur Möglichkeit einer kostenlosen Entschlüsselung abrufen. --------------------------------------------- http://heise.de/-3173463 *** "Der Bundestrojaner ist staatliche Schadsoftware" *** --------------------------------------------- Für den IT-Experten Rene Pfeiffer ist die staatliche Spionagesoftware kein taugliches Mittel zur .. --------------------------------------------- http://derstandard.at/2000034779830 *** Hacker bringt "Flappy Bird" auf die E-Zigarette *** --------------------------------------------- Ist mit kleinem OLED-Bildschirm ausgestattet - Firmware zum Download gestellt --------------------------------------------- http://derstandard.at/2000034841151 *** Boost - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-021 *** --------------------------------------------- This module provides static page caching for Drupal enabling a very significant performance and scalability boost for sites that receive mostly anonymous traffic.The module doesnt prevent form cache from leaking between anonymous users which .. --------------------------------------------- https://www.drupal.org/node/2705765 *** Features - Less Critical - Denial of Service (DoS) - SA-CONTRIB-2016-020 *** --------------------------------------------- This module enables you to organize and export configuration data.The module doesnt sufficiently protect the admin/structure/features/cleanup path with a token. If an attacker can trick an admin with the .. --------------------------------------------- https://www.drupal.org/node/2705637 *** Badlock: A Lateral Concern *** --------------------------------------------- Yesterday, what seems like the entire InfoSec industry was underwhelmed when Badlock was finally disclosed and, apparently, didn't live up to its billing. While we agree that the month-long buildup to the disclosure, and flashy logo were unnecessary, we'd like to explain why we think this vulnerability will end up providing malicious actors with a .. --------------------------------------------- https://labsblog.f-secure.com/2016/04/14/badlock-a-lateral-concern/ *** Snort Lab: Custom SCADA Protocol IDS Signatures *** --------------------------------------------- In this lab, you are going to learn how to create custom Snort signatures for the Modbus/TCP protocol. First, let's take some time to examine the Modbus TCP Target system. Start the Modbus TCP PLC Target VM. This target simulates .. --------------------------------------------- http://resources.infosecinstitute.com/snort-lab-custom-scada-protocol-ids-s… *** East European Criminal Fastflux Infrastructure *** --------------------------------------------- Fast flux networks allow miscreants to make their network more resistant against takedowns. By updating and changing the A records of a domain rapidly, there is a constant changing list of IPs hosting the domain involved, .. --------------------------------------------- https://blog.team-cymru.org/2016/04/east-european-criminal-fastflux-infrast… *** USB: Digitale Signaturen schützen vor bösartigen oder schlechten Geräten *** --------------------------------------------- USB-Geräte mit Typ-C-Anschluss sollen sich künftig mit kryptografischen Zertifikaten ausweisen, um Malware-Angriffe und Probleme durch inkompatible Netzteile zu vermeiden. --------------------------------------------- http://heise.de/-3173701

1 0

Tageszusammenfassung - Mittwoch 13-04-2016
by Daily end-of-shift report 13 Apr '16

13 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 12-04-2016 18:00 − Mittwoch 13-04-2016 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** [R1] Nessus < 6.6 Fixes Two Vulnerabilities *** --------------------------------------------- Tenable recently worked with Synacktiv to perform security testing for Nessus, as part of an ongoing initiative to proactively address security issues. During the test, their team found two issues that may impact a Nessus vulnerability scanner. Both issues require user authentication to exploit: CVE-2016-82012 - Stored XSS CVE-2016-82013 - XML External Entity (XXE) Expansion DoS --------------------------------------------- http://www.tenable.com/security/tns-2016-08 *** UPDATE: Security Updates Available for Adobe Flash Player (APSB16-10) *** --------------------------------------------- A Security Bulletin (APSB16-10) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1334 *** Security Bulletins Posted *** --------------------------------------------- Security Bulletins for the Adobe Creative Cloud Desktop Application (APSB16-11) as well as RoboHelp Server (APSB16-12) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1336 *** MS16-APR - Microsoft Security Bulletin Summary for April 2016 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-APR *** ZeuS Banking Trojan Resurfaces As Atmos Variant *** --------------------------------------------- Atmos banking malware has perilous pedigree that includes Citadel and ZeuS. --------------------------------------------- http://threatpost.com/zeus-banking-trojan-resurfaces-as-atmos-variant/11734… *** Website Ransomware - CTB-Locker Goes Blockchain *** --------------------------------------------- During the last couple of years, website ransomware has become one of the most actively developing types of malware. After infamous fake anti-viruses, this it the second most prominent wave of malware that makes money by directly selling 'malware removal' services to users of infected computers. --------------------------------------------- https://blog.sucuri.net/2016/04/website-ransomware-ctb-locker-goes-blockcha… *** Badlock Vulnerability Falls Flat Against Its Hype *** --------------------------------------------- The much anticipated Badlock vulnerability wasn't in the SMB protocol after all, but in SAM and LSAD and exposed Windows machines to privilege escalation. --------------------------------------------- http://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype/117… *** Cisco Unity Connection Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** MSRT April release features Bedep detection *** --------------------------------------------- As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for: Win32/Bedep, Trojan family Win32/Upatre, Trojan family Ransom:MSIL/Samas [...] In this blog, we'll focus on the Bedep family of trojans. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/04/12/msrt-april-release-feat… *** S3 Video Plugin <= 0.983 - Unauthenticated Reflected Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8442 *** Patchday: Microsoft stopft 13 Lücken, Adobe lässt es ruhig angehen *** --------------------------------------------- Microsoft stellt Sicherheitspatches für sechs als kritisch und sieben als wichtig eingestufte Schwachstellen in Windows & Co. bereit. Adobe flickt diesen Monat lediglich jeweils eine kritische und wichtige Lücke. --------------------------------------------- http://heise.de/-3171881 *** Badlock *** --------------------------------------------- Gestern abend haben Microsoft und das Samba-Projekt Patches zum lange angekündigten (und mancherorts medial auch gut aufgebauschten) sog. "Badlock"-Bug (CVE-2016-0128) veröffentlicht [...] Inhaltlich ist das nicht wirklich tragisch - ein "Man-in-the-middle" könnte eine SMB-Verbindung übernehmen. Da SMB-Verbindungen normalerweise nur in lokalen Netzen oder via VPN aufgebaut werden, hält sich der Impact in Grenzen. --------------------------------------------- http://www.cert.at/services/blog/20160413110435-1730.html *** Siemens Industrial Products glibc Library Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a buffer overflow vulnerability in the glibc library affecting several of the Siemens industrial products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-103-01 *** Siemens SCALANCE S613 Denial-of-Service Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a resource exhaustion vulnerability that causes a denial-of-service condition in the Siemens SCALANCE S613 device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-103-02 *** Siemens Industrial Products DROWN Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a DROWN attack that can affect some Siemens industrial products under certain conditions. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-103-03 *** Honeywell Uniformance PHD Denial Of Service *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on March 10, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a denial-of-service vulnerability in the Uniformance Process History Database (PHD). --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-070-02 *** Broken IBM Java Patch Prompts Another Disclosure *** --------------------------------------------- Current versions of IBM SDK 7 and SDK 8 remain vulnerable to a 2013 Java vulnerability. Security Explorations discovered the original patch is broken and disclosed details on the flaw and a proof-of-concept exploit. --------------------------------------------- http://threatpost.com/broken-ibm-java-patch-prompts-another-disclosure/1173… *** DFN-CERT-2016-0601/">NVIDIA GPU-Treiber: Mehrere Schwachstellen ermöglichen u.a. Privilegieneskalation *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0601/

1 0

Tageszusammenfassung - Dienstag 12-04-2016
by Daily end-of-shift report 12 Apr '16

12 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 11-04-2016 18:00 − Dienstag 12-04-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Manamecrypt - a ransomware that takes a different route *** --------------------------------------------- Hardly a week passes these days without a new family of ransomware making the headlines. This week our analysts are taking apart Manamecrypt, also referred to as CryptoHost. Basically, Manamecrypt is a ransomware Trojan horse, but it differs from other ransomware families in a number of aspects. For .. --------------------------------------------- https://blog.gdatasoftware.com/2016/04/28234-manamecrypt-a-ransomware-that-… *** Von IP-Adressen, Kloschüsseln und einer abgelegenen Farm *** --------------------------------------------- Kansas ist das Herz des Cybercrime - zumindest wenn man einer Anwendung glauben schenkt, die IP-Adressen auf einer Karte verortet. Tatsächlich leben dort unschuldige Menschen, die nun viele wütende Anrufe und Kloschüsseln bekommen. --------------------------------------------- http://www.golem.de/news/skurrile-belaestigungen-von-ip-adressen-kloschuess… *** KickassTorrent touts adoption of two-factor authentication *** --------------------------------------------- A torrent site has added an extra layer of security for users logging in. --------------------------------------------- http://www.scmagazine.com/kickasstorrent-touts-adoption-of-two-factor-authe… *** Rokku Ransomware shows possible link with Chimera *** --------------------------------------------- Rokku is yet another ransomware, discovered in recent weeks. Currently, it's most common distribution method is spam where a malicious executable is dropped by a VB script attached to an e-mail. The building blocks .. --------------------------------------------- https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/ *** Ramdo click-fraud malware uses evasive maneuvers to draw first blood from researchers *** --------------------------------------------- A thorough dissection of the click-fraud malware Ramdo shows a constantly evolving threat whose capabilities now include traffic encryption, random domain generation and improved virtualization detection. --------------------------------------------- http://www.scmagazine.com/ramdo-click-fraud-malware-uses-evasive-maneuvers-… *** Websites take control of USB devices: Googlers propose WebUSB API *** --------------------------------------------- What could possibly go wrong? Wait, what could possibly go right Two Google engineers have drafted a .. --------------------------------------------- www.theregister.co.uk/2016/04/11/google_posts_usb_devices_tool/ *** Half of people plug in USB drives they find in the parking lot *** --------------------------------------------- Why do we even bother with security software? A new study has found that almost half the people who pick up a USB stick they happen across in a parking lot plug said drives into their PCs. --------------------------------------------- www.theregister.co.uk/2016/04/11/half_plug_in_found_drives/ *** DSA-3547 imagemagick - security update *** --------------------------------------------- Several vulnerabilities were discovered in Imagemagick, a program suite forimage manipulation. This update fixes a large number of potential securityproblems such as null-pointer access and buffer-overflows that might leadto memory leaks or denial of service. None of these security problems havea CVE number assigned. --------------------------------------------- https://www.debian.org/security/2016/dsa-3547 *** Atmos, the Citadel Trojan successor is in the wild *** --------------------------------------------- Security experts from the Heimdal Security firm are issuing an alert on the Atmos malware which is the successor of the dreaded Citadel Trojan. Months ago, the author of the dreaded Citadel malware was sentenced to prison, but in .. --------------------------------------------- http://securityaffairs.co/wordpress/46252/malware/atmos-trojan.html *** TYPO3 CMS 6.2.20, 7.6.5 and 8.0.1 released *** --------------------------------------------- https://typo3.org/news/article/typo3-cms-6220-765-and-801-released/ *** Snort Lab: Payload Detection Rules (PCRE) *** --------------------------------------------- Until now, when we used Snort to look for certain content within the payload, we've always looked for some specific values. What if we wanted to look for something that we .. --------------------------------------------- http://resources.infosecinstitute.com/snort-lab-payload-detection-rules-pcr… *** Kernel: Oracle startet eigene Sammlung von Linux-Sicherheitspatches *** --------------------------------------------- Um Updates leichter einspielen zu können, will Oracle Zweige des Linux-Kernel pflegen, die ausschließlich Patches für Sicherheitslücken enthalten. Was gut klingt, ist aber eine kontroverse Idee, da die Auswirkungen von Kernel-Fehlern schwer zu beurteilen sind. --------------------------------------------- http://www.golem.de/news/kernel-oracle-startet-eigene-sammlung-von-linux-si…

1 0

Tageszusammenfassung - Montag 11-04-2016
by Daily end-of-shift report 11 Apr '16

11 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 08-04-2016 18:00 − Montag 11-04-2016 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** Mumblehard takedown ends army of Linux servers from spamming *** --------------------------------------------- One year after the release of the technical analysis of the Mumblehard Linux botnet, we are pleased to report that it is no longer active. ESET, in cooperation with the Cyber Police of Ukraine and CyS Centrum LLC, have taken down the Mumblehard botnet, stopping all its spamming activities since February 29th, 2016. --------------------------------------------- http://www.welivesecurity.com/2016/04/07/mumblehard-takedown-ends-army-of-l… *** Improvements to Safe Browsing Alerts for Network Administrators *** --------------------------------------------- [...] Today, to provide Network Admins with even more useful information for protecting their users, we're adding URLs related to Unwanted Software, Malicious Software, and Social Engineering to the set of information we share. Here's the full set of data we share with network administrators:[...] --------------------------------------------- https://security.googleblog.com/2016/04/improvements-to-safe-browsing-alert… *** Ransomware: Locky, TeslaCrypt, Other Malware Families Use New Tool To Evade Detection *** --------------------------------------------- Today we identified a new tool actively being used by the Locky ransomware family to evade detection and potentially infect endpoints. Unit 42 identified slight changes in Locky detonations through the AutoFocus threat intelligence service,... --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/04/unit42-ransomware-locky-… *** FBI: $2.3 Billion Lost to CEO Email Scams *** --------------------------------------------- The U.S. Federal Bureau of Investigation (FBI) this week warned about a "dramatic" increase in so-called "CEO fraud," e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates that these scams have cost organizations more than $2.3 billion in losses over the past three years. --------------------------------------------- http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/ *** If only hackers could stop slurping test and dev databases. Wait, our phone is ringing ... *** --------------------------------------------- Delphix thinks it has a solution Exposure and loss of sensitive data is happening everywhere these days. One attack surface, as the jargon has it, is sensitive production data used in internal testing and development systems. --------------------------------------------- http://www.theregister.co.uk/2016/04/08/delphix_data_breach_prevention/ *** Hikvision Digital Video Recorder Cross-Site Request Forgery *** --------------------------------------------- The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5315.php *** The Open-source vulnerabilities database (OSVDB) shuts down permanently *** --------------------------------------------- The Open Sourced Vulnerability Database (OSVDB) shut down permanently in response to the lack of assistance from the industry. The Open Sourced Vulnerability Database (OSVDB) shut down permanently, the news was reported in a blog post published by the maintainers of the project. The decision was made in response to the lack of assistance from the industry. --------------------------------------------- http://securityaffairs.co/wordpress/46129/security/osvdb-shuts-down.html *** Windows XP ist nicht totzukriegen: 11 Prozent Marktanteil *** --------------------------------------------- 15 Jahre nach der Veröffentlichung und zwei Jahre nach Support-Ende durch Microsoft ist Windows XP weiterhin das dritthäufigste Betriebssystem im Desktop-Bereich. --------------------------------------------- http://futurezone.at/produkte/windows-xp-ist-nicht-totzukriegen-11-prozent-… *** Hacker-Angriff auf DuMont Mediengruppe: Zeitungsportale betroffen *** --------------------------------------------- Systeme aus Sicherheitsgründen abgeschaltet --------------------------------------------- http://derstandard.at/2000034558622 *** Moxa NPort Device Vulnerabilities *** --------------------------------------------- NCCIC/ICS-CERT is aware of a public report of vulnerabilities affecting Moxa NPort 6110, 5100 series, and 6000 series devices. The Moxa NPort 6110 device is a Modbus/TCP to serial communication gateway. Moxa NPort 5100 series and 6000 series devices are serial-to-Ethernet converters. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01 *** Learning from Bait and Switch Mobile Ransomware *** --------------------------------------------- Porn and mobile malware; two things that can illicit the response "I didn't know how it got there" when someone finds them. We have recently caught sight of a mobile ransomware distributed by fake adult websites. However, much like a lot of things in the adult industry, this malware doesn't seem very logical.This piece showcases an incident that can help users understand mobile threats and aims to boost user awareness to these threats. We believe that securing knowledge --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/learning-from-ba… *** Mindless Flash masses saved as exploit kit devs go astray with 0day *** --------------------------------------------- Since-patched flaw was imperfectly targeted by incompetent crimeware Malwarebytes hacker Jerome Segura says black hats have made a mess of efforts to unleash an Adobe Flash zero day vulnerability as part of their popular exploit kit, reducing the pool of potential victims. --------------------------------------------- http://www.theregister.co.uk/2016/04/11/mindless_flash_masses_saved_as_magn… *** Vista: Das letzte Jahr für die viel gehasste Windows-Version *** --------------------------------------------- Am 11. April 2017 wird der Support eingestellt - Baldiges Update empfohlen --------------------------------------------- http://derstandard.at/2000034590249 *** New Threat Report *** --------------------------------------------- Our latest threat report (PDF) is now available. The report discusses trends from the most prevalent cybersecurity threats we've seen during the year 2015. The Chain of Compromise (CoC) model is also introduced along with exploit kits, ransomware and more. Get it and more from:f-secure.com/labs --------------------------------------------- https://labsblog.f-secure.com/2016/04/11/new-threat-report/ *** Erpressungs-Trojaner Petya geknackt, Passwort-Generator veröffentlicht *** --------------------------------------------- Ein kostenloses Tool soll das zum Entschlüsseln nötige Passwort innerhalb weniger Sekunden generieren können, verspricht der Macher des Werkzeugs. Erste Erfolgsberichte von Petya-Opfern liegen bereits vor. --------------------------------------------- http://heise.de/-3167064 *** Nuclear Drops Tor Runs and Hides *** --------------------------------------------- Yesterday we observed a new technique in the Nuclear kit and found a new payload and technique we've not seen before. --------------------------------------------- http://blog.talosintel.com/2016/04/nuclear-tor.html *** iMessage-Schwachstelle ermöglicht Zugriff auf alle Nachrichten im Klartext *** --------------------------------------------- Eine Sicherheitslücke in der Nachrichten-App erlaubt einem Angreifer, die Datenbank mit sämtlicher Kommunikation des Opfers auszulesen, sobald dieses einen zugesendeten Link anklickt. Apple hat die Schwachstelle in OS X 10.11.4 beseitigt. --------------------------------------------- http://www.heise.de/newsticker/meldung/iMessage-Schwachstelle-ermoeglicht-Z… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Netezza Host Management (CVE-2016-2842) *** http://www.ibm.com/support/docview.wss?uid=swg21980927 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in RubyOnRails affects IBM BigFix Compliance Analytics. (CVE-2016-2097, CVE-2016-2098) *** http://www.ibm.com/support/docview.wss?uid=swg21979720 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2015-7560) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005727 --------------------------------------------- *** IBM Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server if FIPS 140-2 is enabled (CVE-2016-0306) *** http://www.ibm.com/support/docview.wss?uid=swg21979231 --------------------------------------------- *** Multiple vulnerabilities in OpenSSL affect AIX CVE-2016-0800 CVE-2016-0799 CVE-2016-0798 CVE-2016-0797 CVE-2016-0705 CVE-2016-0702 *** http://www.ibm.com/support/ --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerability in Liberty for Java for IBM Bluemix (CVE-2016-0283) *** http://www.ibm.com/support/docview.wss?uid=swg21980429 --------------------------------------------- *** IBM Security Bulletin: IBM InfoSphere Information Governance Catalog is vulnerable to XXE Injection Attack (CVE-2016-0250) *** http://www.ibm.com/support/docview.wss?uid=swg21977152 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images (CVE-2016-0701, CVE-2015-3197) *** http://www.ibm.com/support/docview.wss?uid=swg21979209 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in RubyOnRails affects IBM BigFix Compliance Analytics. (CVE-2015-7581, CVE-2016-0751, CVE-2016-0752, CVE-2016-0753) *** http://www.ibm.com/support/docview.wss?uid=swg21979514 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Algorithmics Algo Risk Application and Counterparty Credit Risk (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21979757 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM BigFix Compliance Analytics. (CVE-2015-7575, CVE-2016-0466) *** http://www.ibm.com/support/docview.wss?uid=swg21979412 --------------------------------------------- *** IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services Access Control: Information Disclosure - Dojo Readmes (CVE-2016-0232) *** http://www.ibm.com/support/docview.wss?uid=swg21977163 --------------------------------------------- *** IBM Security Bulletin: IBM DB2 LUW contains a denial of service vulnerability in which a malformated DRDA message may cause the DB2 server to terminate abnormally (CVE-2016-0211) *** http://www.ibm.com/support/docview.wss?uid=swg21979984 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2015-8317) *** http://www.ibm.com/support/docview.wss?uid=swg21979515 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500) *** http://www.ibm.com/support/docview.wss?uid=swg21979513 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 8-04-2016
by Daily end-of-shift report 08 Apr '16

08 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 07-04-2016 18:00 − Freitag 08-04-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Schweizer News-Site verbreitet Schadcode: Behörden und Firmen reagieren *** --------------------------------------------- Weil darüber offenbar gehäuft Schadcode verbreitet wird, haben nun die Schweizer Bundesverwaltung und mehrere große Unternehmen des Landes den Zugang ihrer Mitarbeiter zu einer der größten News-Sites des Landes gesperrt. --------------------------------------------- http://heise.de/-3165287 *** Security Features Nobody Implements, (Thu, Apr 7th) *** --------------------------------------------- Nobody may be wording it a bit strong. But adoption of these security features is certainly not taking off. If you can think of any features I forgot, then please comment: DNSSEC That is probably my favorite issue. DNSSEC fixes on of the most important protocols. Without it, spoofing is always possible, and in some cases not even terribly hard. I think there are a number of reasons it is not implemented: If you implement it, there is a good chance that you make your domain non-reachable if you... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20921&rss *** Open-source vulnerabilities database shuts down *** --------------------------------------------- An open-source project dedicated to cataloguing a huge range of computer security flaws has closed its doors as of Tuesday, according to an announcement on the Open-Source Vulnerability Database's blog.The OSVDB, which was founded in 2002, was meant to be an independent repository for security information, allowing researchers to compare notes without oversight from large corporate software companies.One of its founders was HD Moore, a well-known hacker and security researcher, best known... --------------------------------------------- http://www.cio.com/article/3053695/open-source-tools/open-source-vulnerabil… *** SBA Research @ Cyber-Physical Systems Week 2016 *** --------------------------------------------- We will participate in the events of CPS Week 2016 (Vienna, Austria, April 11-14, 2016). On Monday (April 11), Johanna Ullrich presents our work on "The Quest for Privacy in the Consumer Internet of Things" at the International Workshop on Consumers and the Internet of Things (ConsIoT 2016). A live webcast by the IoEtv will... --------------------------------------------- https://www.sba-research.org/2016/04/08/sba-research-cyber-physical-systems… *** Adobe fixes CVE-2016-1019 Zero-Day exploited to serve ransomware *** --------------------------------------------- Cyber criminals are exploiting the Flash player zero-day vulnerability (CVE-2016-1019) affecting Flash Player 21.0.0.197 and earlier disclosed by Adobe. Cyber criminals are already exploiting the Flash player zero-day vulnerability (CVE-2016-1019) affecting Flash Player 21.0.0.197 and earlier (CVE-2016-1019) disclosed by Adobe this week. Researchers at security firm Proofpoint confirmed that cyber gangs are exploiting it to distribute a ransomware dubbed Cerber. --------------------------------------------- http://securityaffairs.co/wordpress/46107/malware/adobe-fixes-cve-2016-1019… *** Breaking Semantic Image CAPTCHAs *** --------------------------------------------- Interesting research: Suphannee Sivakorn, Iasonas Polakis and Angelos D. Keromytis, "I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs": Abstract: Since their inception, captchas have been widely used for preventing fraudsters from performing illicit actions. Nevertheless, economic incentives have resulted in an armsrace, where fraudsters develop automated solvers and, in turn, captcha services tweak their design to break the... --------------------------------------------- https://www.schneier.com/blog/archives/2016/04/breaking_semant.html *** Lemur Vehicle Monitors BlueDriver LSB2 does not authenticate users for Bluetooth access *** --------------------------------------------- The Lemur Vehicle Monitors BlueDriver is an aftermarket automotive device that connects to a vehicles OBD-II port and provides information about the vehicles performance. The BlueDriver does not require a PIN for Bluetooth access, which allows anyone in range to send arbitrary commands to the vehicles CAN bus. --------------------------------------------- https://www.kb.cert.org/vuls/id/615456 *** DSA-3545 cgit - security update *** --------------------------------------------- Several vulnerabilities were discovered in cgit, a fast web frontend forgit repositories written in C. A remote attacker can take advantage ofthese flaws to perform cross-site scripting, header injection or denialof service attacks. --------------------------------------------- https://www.debian.org/security/2016/dsa-3545 *** DSA-3544 python-django - security update *** --------------------------------------------- Several vulnerabilities were discovered in Django, a high-level Pythonweb development framework. The Common Vulnerabilities and Exposuresproject identifies the following problems: --------------------------------------------- https://www.debian.org/security/2016/dsa-3544 *** Cisco IP Interoperability and Collaboration System Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Symantec ITMS Inventory Solution Application Denial Functionality Bypass *** --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Security Updates Available for Adobe Flash Player (APSB16-10) *** --------------------------------------------- A Security Bulletin (APSB16-10) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin. Adobe... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1334 *** SSA-751155 (Last Update 2016-04-08): Denial-of-Service Vulnerability in SCALANCE S613 *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-751155… *** SSA-623229 (Last Update 2016-04-08): DROWN Vulnerability in Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-623229… *** SSA-301706 (Last Update 2016-04-08): GNU C Library Vulnerability in Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706… *** IBM Security Bulletins *** --------------------------------------------- *** Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System Chassis Management Module (CMM) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099307 --------------------------------------------- *** Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Chassis Management Module (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099309 --------------------------------------------- *** Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware, QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module and QLogic Virtual Fabric Extension Module *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099260 --------------------------------------------- *** Security Bulletin: Multiple vulnerabilities affect IBM Flex System Chassis Management Module *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099196 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Master Data Management *** http://www.ibm.com/support/docview.wss?uid=swg21980207 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Standards Processing Engine and IBM Transformation Extender Advanced (CVE-2015-1283) *** http://www.ibm.com/support/docview.wss?uid=swg21977266&myns=swgother&mynp=O… --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Standards Processing Engine and IBM Transformation Extender Advanced (CVE-2015-3183) *** http://www.ibm.com/support/docview.wss?uid=swg21977267&myns=swgother&mynp=O… ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 7-04-2016
by Daily end-of-shift report 07 Apr '16

07 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 06-04-2016 18:00 − Donnerstag 07-04-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Trojaner infiziert 3,2 Millionen Android-Geräte *** --------------------------------------------- Über 100 Apps im offiziellen Google Play Store wurden mit einem Trojaner ausgeliefert. Millionen Android-User sind laut Sicherheitsforschern betroffen. --------------------------------------------- http://futurezone.at/digital-life/trojaner-im-google-play-store-infiziert-3… *** Phishing Email That Knows Your Address *** --------------------------------------------- An anonymous reader writes: BBC is reporting about a new type of phishing email that includes the recipients home address. The publication, citing sources, claims that thousands of people have already received such malicious emails. Clicking on the email apparently installs malware such as Cryptlocker ransomware on the recipients computing device. From the report, "Members of the BBC Radio 4s You and Yours team were among those who received the scam emails, claiming they owed hundreds of --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/7bIiICdWlco/phishing-email-… *** Cisco warns of critical risks from web bugs and insecure SSH keys *** --------------------------------------------- Fresh round of network security patches served Cisco has released a fresh crop of security advisories, including warnings for critical flaws in the UCS, Prime Infrastructure and Evolved Programmable Network Manager (EPNM) that would allow an attacker to gain root access over its products. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/04/06/cisco_warns… *** IETF-Tagung: Neue Vorschläge zum Sichern des Mailtransports *** --------------------------------------------- Mailserver hinken sicherheitsmäßig immer noch hinter Webservern her, wie ein TLS-Check der IHK Stuttgart jüngst verdeutlichte. Mailprovider haben sich nun zusammengetan, um bei der IETF mit "Strict Transport Security" voranzukommen. --------------------------------------------- http://heise.de/-3163818 *** Boffins boost IETF crypto efforts *** --------------------------------------------- Nice elliptic curves, now show us your hardware so we can do this to TLS A pair of German engineers want to give a push to the adoption of new crypto in the IETF by pushing the curves in RFC 7748 into hardware. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/04/07/boffins_boo… *** Remote code execution found and fixed in Apache OpenMeetings *** --------------------------------------------- Password token snatch might explain that unexpected weirdo in your next online meeting Recurity Labs hacker Andreas Lindh has found four vulnerabilities, including a remote code execution hole, in Apache OpenMeetings. The flaws mean attackers could hijack installations of the popular virtual meetings and shared whiteboard application. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/04/07/apache_open… *** Panama Papers: Die katastrophale IT-Sicherheitspraxis von Mossack Fonseca *** --------------------------------------------- Der Panama-Leaks-Firma Mossack Fonseca ist offenbar nicht nur das Steuerrecht herzlich egal - sondern auch die IT-Security. Kein TLS, Drown und uralte Versionen von Drupal und Outlook Web Access machen es Angreifern leicht. --------------------------------------------- http://www.golem.de/news/panama-papers-die-katastrophale-it-sicherheitsprax… *** Bypassing Phone Security through Social Engineering *** --------------------------------------------- This works: Khan was arrested in mid-July 2015. Undercover police officers posing as company managers arrived at his workplace and asked to check his driver and work records, according to the source. When they disputed where he was on a particular day, he got out his iPhone and showed them the record of his work. The undercover officers asked to... --------------------------------------------- https://www.schneier.com/blog/archives/2016/04/bypassing_phone.html *** Complete Tour of PE and ELF: Section Headers *** --------------------------------------------- In the previous part, we have discussed the ELF and Program Header. In this article, we will cover the remaining part i.e. section headers. We will also see what effect packers have on binaries headers. Below is the structure of Section Header Sh_name: Remember in ELF Header we talked about string table. sh_name is an... --------------------------------------------- http://resources.infosecinstitute.com/complete-tour-of-pe-and-elf-part-5/ *** Kärntner Unternehmen wurde Opfer eines Verschlüsselungs-Trojaners *** --------------------------------------------- Produktionsmaschine fiel in der Folge für einen Tag aus --------------------------------------------- http://derstandard.at/2000034398697 *** EUROCRYPT 2016 - supported by SBA Research *** --------------------------------------------- May 08, 2016 - May 12, 2016 - All Day Aula der Wissenschaften Wollzeile 27A Vienna --------------------------------------------- https://www.sba-research.org/events/eurocrypt-2016-supported-by-sba-researc… *** ECRYPT-CSA Workshop on Cryptographic protocols for small devices - supported by SBA Research *** --------------------------------------------- May 13, 2016 - All Day TU Wien Karlsplatz 13 1040 Wien --------------------------------------------- https://www.sba-research.org/events/ecrypt-csa-workshop-on-cryptographic-pr… *** UPDATED: Security Advisory posted for Adobe Flash Player (APSA16-01) *** --------------------------------------------- A Security Advisory (APSA16-01) has been published regarding a critical vulnerability (CVE-2016-1019) in Adobe Flash Player. UPDATE: Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running *Windows 10 and earlier* with Flash Player... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1330 *** Juniper Networks Completes ScreenOS Update *** --------------------------------------------- As we committed to in our January 8, 2016 blog, we have replaced the cryptographic algorithm in the latest release of ScreenOS 6.3. --------------------------------------------- https://forums.juniper.net/t5/Security-Incident-Response/Juniper-Networks-C… *** Bugtraq: CVE-2016-3672 - Unlimiting the stack not longer disables ASLR *** --------------------------------------------- http://www.securityfocus.com/archive/1/537996 *** DFN-CERT-2016-0567: McAfee Email Gateway: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0567/ *** Panda Security URL Filtering Privilege Escalation *** --------------------------------------------- Topic: Panda Security URL Filtering Privilege Escalation Risk: Medium Text:* CVE: CVE-2015-7378 * Vendor: Panda Security * Reported by: Kyriakos Economou * Date of Release: 05/04/2016 * Affected Pro... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016040048 *** Panda Endpoint Administration Agent Privilege Escalation *** --------------------------------------------- Topic: Panda Endpoint Administration Agent Privilege Escalation Risk: Medium Text:* CVE: CVE-2016-3943 * Vendor: Panda Security * Reported by: Kyriakos Economou * Date of Release: 05/04/2016 * Affected Pro... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016040047 *** Security Advisory: Java vulnerabilities CVE-2016-0466 and CVE-2016-0483 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/50/sol50118123.html?… *** HP Security Bulletins *** --------------------------------------------- *** Bugtraq: [security bulletin] HPSBGN03569 rev.2 - HPE OneView for VMware vCenter (OV4VC), Remote Disclosure of Information *** http://www.securityfocus.com/archive/1/538003 --------------------------------------------- *** Bugtraq: [security bulletin] HPSBST03568 rev.1 - HP XP7 Command View Advanced Edition Suite including Device Manager and Hitachi Automation Director (HAD), Remote Server-Side Request Forgery (SSRF) *** http://www.securityfocus.com/archive/1/538005 --------------------------------------------- *** HPE Universal Configuration Management Database Unspecified Flaw Lets Remote Users Obtain Information and Perform Redirect Attacks *** http://www.securitytracker.com/id/1035505 --------------------------------------------- *** HPSBNS03571 rev.1 - HPE NonStop Virtual TapeServer (VTS), Remote Arbitrary Code Execution, Denial of Service (DoS), Unauthorized Information Disclosure *** https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05073516 --------------------------------------------- *** HPSBGN03570 rev.1 - HPE Universal CMDB, Remote Information Disclosure, URL Redirection *** https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05073504 --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Prime Infrastructure and Evolved Programmable Network Manager Privilege Escalation API Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco TelePresence Server Crafted IPv6 Packet Handling Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco TelePresence Server Malformed STUN Packet Processing Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco TelePresence Server Crafted URL Handling Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco UCS Invicta Default SSH Key Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Pure Power Integration Manager (PPIM) (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023271 --------------------------------------------- *** IBM Security Bulletin: SLOTH - Weak MD5 Signature Hash vulnerability may affect DS8000 *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005735 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM OS Images for Red Hat Linux Systems, AIX, and Windows. (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21980641 --------------------------------------------- *** IBM Security Bulletin:A vulnerability in IBM Java SDK affects IBM Image Construction and Composition Tool. (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21980640 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Workload Deployer. (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21980638 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Internet Pass-Thru (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21979712 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM PureApplication System. (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21980639 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director (CVE-2015-4872 CVE-2015-4840 CVE-2015-4903 ) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023588 --------------------------------------------- *** IBM Security Bulletin: IBM InfoSphere Master Data Management Collaborative Edition affected by Privilege Escalation security vulnerabilities (CVE-2015-7424) *** http://www.ibm.com/support/docview.wss?uid=swg21971542 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities have been identified in IBM Business Process Manager, and bundled products shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise *** http://www.ibm.com/support/docview.wss?uid=swg2C1000112 --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Application Platform Cross Site Scripting Vulnerability (CVE-2016-0344) *** http://www.ibm.com/support/docview.wss?uid=swg21980234 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 6-04-2016
by Daily end-of-shift report 06 Apr '16

06 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 05-04-2016 18:00 − Mittwoch 06-04-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Security Advisory posted for Adobe Flash Player (APSA16-01) *** --------------------------------------------- A Security Advisory (APSA16-01) has been published regarding a critical vulnerability (CVE-2016-1019) in Adobe Flash Player. Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1330 *** Security: Ungepatchte Flash-Lücke wird aktiv ausgenutzt *** --------------------------------------------- Es ist mal wieder Flash-Player-deinstallieren-Tag. Eine derzeit ungepatchte Sicherheitslücke wird aktiv ausgenutzt, immerhin existiert ein Workaround. Adobe will aber bald reagieren. --------------------------------------------- http://www.golem.de/news/security-ungepatchte-flash-luecke-wird-aktiv-ausge… *** Server software poses soft target for ransomware *** --------------------------------------------- An alternate method for infecting computers with ransomware signals a shift in tactics by cybercriminals that could put businesses at greater risk, according to Symantec.A type of ransomware called Samsam has been infecting organizations but is not installed in the usual way."Samsam is another variant in a growing number of variants of ransomware, but what sets it apart from other ransomware is how it reaches its intended targets by way of unpatched server-side software," Symantec... --------------------------------------------- http://www.cio.com/article/3052553/server-software-poses-soft-target-for-ra… *** SAP Security - Think Different *** --------------------------------------------- Today we will discuss how SAP Security differs from traditional IT security. While in most cases security is security, no matter what we discuss, in SAP area there are some unique features. First of all, it is the question of responsibility. It's not a secret that SAP is owned and managed by business, which, to... --------------------------------------------- http://resources.infosecinstitute.com/sap-security-think-different/ *** Gpg4win 2.3.1 released *** --------------------------------------------- New in Gpg4win Version 2.3.1 (2015-04-05) - GpgOL now has an option dialog where S/MIME can be disabled. - GpgOL now supports the 64 Bit version of Microsoft Outlook. - ... --------------------------------------------- https://lists.wald.intevation.org/pipermail/gpg4win-announce/2016-April/000… *** Researchers release PoC exploit for broken IBM Java patch *** --------------------------------------------- Polish firm Security Explorations has had enough of broken patches for security vulnerabilities it has reported to vendors. On Monday, the company's CEO Adam Gowdiak has published on the Full Disclosure mailing list the technical details and PoC code for exploiting a security issue in IBM Java that has been poorly patched by the vendor. The flaw was discovered by Security Explorations researchers in early 2013. This is the 6th instance of a broken patch... --------------------------------------------- https://www.helpnetsecurity.com/2016/04/06/broken-ibm-java-patch/ *** AdLoad: an advertisement bombarder *** --------------------------------------------- The AdLoad PUP is an infection that presents its victims with a great variation of advertisements, fake alerts, dubious offers, and even other PUPs. It targets users by location and OS.Categories: PUPs Threat analysisTags: adloadadvertisementfake alertMalwarebytesPieter ArntzPUPscam(Read more...) --------------------------------------------- https://blog.malwarebytes.org/threat-analysis/2016/04/adload-an-advertiseme… *** FBI Warns of Dramatic Increase in Business E-Mail Scams *** --------------------------------------------- FBI officials are warning potential victims of a dramatic rise in the business e-mail compromise scam or "B.E.C.", [...] Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries. [...] This amounted to more than $2.3 billion in losses. --------------------------------------------- https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-incre… *** Crypto ransomware targets called by name in spear-phishing blast *** --------------------------------------------- Once the domain of espionage, personalized scams embraced by profit-driven scammers. --------------------------------------------- http://arstechnica.com/security/2016/04/crypto-ransomware-targets-called-by… *** CONIKS *** --------------------------------------------- CONIKS is an new easy-to-use transparent key-management system: CONIKS is a key management system for end users capable of integration in end-to-end secure communication services. The main idea is that users should not have to worry about managing encryption keys when they want to communicate securely, but they also should not have to trust their secure communication service providers to... --------------------------------------------- https://www.schneier.com/blog/archives/2016/04/coniks.html *** DeepSec 2015 Videos (Youtube Playlist) *** --------------------------------------------- DeepSec 2015 IN-DEPTH SECURITY CONFERENCE - 17th to 20th November 2015 The Imperial Riding School Vienna, Austria --------------------------------------------- https://www.youtube.com/playlist?list=PLBA0WdWrcrCHpBtNgK-H64_S6-xBpzILR *** ICS/SCADA Threat Intelligence Sharing Portal (March 31, 2016) *** --------------------------------------------- The EastWest Institute and the US Department of Homeland Securitys ICS-CERT have launched a portal for operators of critical infrastructure around the world to share threat information... --------------------------------------------- http://www.sans.org/newsletters/newsbites/r/18/27/308 *** Von Moorhühnern, Autounfällen und veralteter Software *** --------------------------------------------- Peter fährt mit seinem Auto für dessen tourliche Untersuchung auf Fahrtüchtigkeit - kurz, Pickerl - zu seiner vertrauten Autowerkstatt. Nach rund einer halben Stunde sagt ihm der Mechaniker, dass die Bremsleitungen seines Autos stark korrodiert seien und es nur noch eine Frage der Zeit wäre, bis diese platzen und es folglich zu einem Ausfall der Bremsen käme. Peter schluckt: "Na, da hab ich... --------------------------------------------- http://www.cert.at/services/blog/20160406112228-1706.html *** VLC Media Player Buffer Overflow in Processing WAV Files Lets Remote Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1035456 *** Security Advisory: Java vulnerabilities CVE-2016-4066 and CVE-2016-0483 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/50/sol50118123.html?… *** DSA-3542 mercurial - security update *** --------------------------------------------- Several vulnerabilities have been discovered in Mercurial, a distributedversion control system. The Common Vulnerabilities and Exposures projectidentifies the following issues: --------------------------------------------- https://www.debian.org/security/2016/dsa-3542 *** DFN-CERT-2016-0556: Red Hat JBoss Enterprise Application Platform: Zwei Schwachstellen ermöglichen einen Denial-of-Service-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0556/ *** Pro-face GP-Pro EX HMI Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for hard-coded credentials in Pro-face's GP-Pro EX HMI software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-096-01 *** Eaton Lighting Systems EG2 Web Control Authentication Bypass Vulnerabilities *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on March 1, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for vulnerabilities in Eaton Lighting Systems' EG2 Web Control application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-061-03 *** Rockwell Automation Integrated Architecture Builder Access Violation Memory Error *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on February 25, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for an access violation memory error in Rockwell Automation's Integrated Architecture Builder application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-056-01 *** Bugtraq: op5 v7.1.9 Remote Command Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/537992 *** Bugtraq: CA20160405-01: Security Notice for CA API Gateway *** --------------------------------------------- http://www.securityfocus.com/archive/1/537991 *** [HTB23286]: SQL Injection in SocialEngine *** --------------------------------------------- Product: SocialEngine v4.8.9Vulnerability Type: SQL Injection [CWE-89]Risk level: High Creater: WebligoAdvisory Publication: December 21, 2015 [without technical details]Public Disclosure: April 6, 2016 CVE Reference: Pending CVSSv2 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L] Vulnerability Details: High-Tech Bridge Security Research Lab discovered SQL-Injection vulnerability in a popular social networking software SocialEngine. The vulnerability can be exploited to gain --------------------------------------------- https://www.htbridge.com/advisory/HTB23286 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Samba affect IBM i *** http://www.ibm.com/support/docview.wss?uid=nas8N1021200 --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Application Platform Privilege Escalation (CVE-2016-0342) *** http://www.ibm.com/support/docview.wss?uid=swg21980252 --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Application Platform Cross Site Request Forgery Vulnerability (CVE-2016-0346) *** http://www.ibm.com/support/docview.wss?uid=swg21980237 --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Application Platform Information disclosure (CVE-2016-0345) *** http://www.ibm.com/support/docview.wss?uid=swg21980233 --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Application Platform Information Disclosure (CVE-2016-0343) *** http://www.ibm.com/support/docview.wss?uid=swg21980229 --------------------------------------------- *** IBM Unauthenticated access to information in IBM TRIRIGA Application Platform (CVE-2016-0312) *** http://www.ibm.com/support/docview.wss?uid=swg21979762 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM BigFix Remote Control and IBM Endpoint Manager for Remote Control (CVE-2015-3194) *** http://www.ibm.com/support/docview.wss?uid=swg21978415 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Composite Application Manager for Transactions (CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702) *** http://www.ibm.com/support/docview.wss?uid=swg21978869 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Network Manager IP Edition 3.9 Fix Pack 4. *** http://www.ibm.com/support/docview.wss?uid=swg21978941 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM MQ Appliance *** http://www.ibm.com/support/docview.wss?uid=swg21979829 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2016-0800, CVE-2016-0705 and CVE-2016-0797) *** http://www.ibm.com/support/docview.wss?uid=swg21980451 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Netezza Host Management *** http://www.ibm.com/support/docview.wss?uid=swg21979983 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect Tivoli Workload Scheduler (CVE-2016-0705, CVE-2016-0702, CVE-2016-0800, CVE-2016-0701) *** http://www.ibm.com/support/docview.wss?uid=swg21979602 --------------------------------------------- *** IBM Security Bulletin: Security Bulletin: Multiple vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment, Tivoli Provisioning Manager for Images *** http://www.ibm.com/support/docview.wss?uid=swg21979311 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling Connect:Express for UNIX (CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0703, CVE-2016-0704) *** http://www.ibm.com/support/docview.wss?uid=swg21978489 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 5-04-2016
by Daily end-of-shift report 05 Apr '16

05 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 04-04-2016 18:00 − Dienstag 05-04-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Chrome Extension Caught Hijacking Users Browsers *** --------------------------------------------- An anonymous reader writes: Google has intervened and banned the Better History Chrome extension from the Chrome Web Store after users reported that it started taking over their browsing experience and redirecting them to pages showing ads. As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the users traffic through a proxy, showing ads and collecting analytics on the users traffic habits. This same malicious code has also been... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/4tdNNvCWAQs/chrome-extensio… *** Microsoft account-hijacking hole closed 48 hours after bug report *** --------------------------------------------- Token-harvesting attack meant one login could open doors to multiple Microsoft services British researcher Jack Whitton has reported a Microsoft account hijacking authentication bug that would have been another arrow in an attackers phishing quiver, save for the fact that Microsoft fixed it. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/04/05/microsoft_b… *** Sicherheitslücken: Angreifer können Open-Xchange Code unterjubeln *** --------------------------------------------- In Open-Xchange klaffen zwei Schwachstellen, über die Kriminelle im schlimmsten Fall Sessions kapern können. Sicherheitspatches wurden bereits verteilt. --------------------------------------------- http://heise.de/-3162127 *** Update your ManageEngine Password Manager Pro ASAP! *** --------------------------------------------- Security researcher Sebastian Perez has revealed eight serious security vulnerabilities in ManageEngine Password Manager Pro (PMP), a password management software for enterprises, and has released details and PoC code for each of them. The solution has already been updated with fixes, so if your enterprise is using it to control the access to shared administrative/privileged passwords, you should update to the latest version and build (v8.3, build 8303) as soon as possible (if you haven't... --------------------------------------------- https://www.helpnetsecurity.com/2016/04/05/update-manageengine-password-man… *** One Conference 2016 Protecting Bits and Atoms: Cyber security is a precondition for our future *** --------------------------------------------- Cyber security, and therefore being able to use all the possibilities that ICT offers, is a precondition for the undisturbed functioning of society and for our future. With these words, State secretary Dijkhoff (Security and Justice) emphasizes the importance of the international One Conference 2016 of the National Cyber Security Center (NCSC). We cant be passive on what is to come. The speed of the developments in the digital domain require a continuous effort of both public and private... --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/one-conference-2016-protect… *** Firefox Add-On Flaw Leaves Apple And Windows Computers Open To Attack *** --------------------------------------------- Researchers say reliance on an outdated Firefox extension platform opens the door for remote system attacks on Mac OS and Windows systems. --------------------------------------------- http://threatpost.com/firefox-add-on-flaw-leaves-apple-and-windows-computer… *** Keep Windows machines infected abusing Windows Desired State Configuration (DSC) *** --------------------------------------------- Two forensics experts have demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to gain persistence on the compromised machine. At the last Black Hat Asia, the forensics experts Matt Hastings and Ryan Kazanciyan from Tanium have demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to gain persistence on the compromised machine. The DSC... --------------------------------------------- http://securityaffairs.co/wordpress/46006/hacking/abusing-windows-dsc.html *** Complete Tour of PE and ELF: Part 4 *** --------------------------------------------- Since we have completed the PE structure, now it is time to look at the ELF structure which is somewhat easier to understand as compared to PE. For ELF structure, we will be looking at both the linking view and execution view of a binary. Sections are similar to what we saw in PE structure... --------------------------------------------- http://resources.infosecinstitute.com/complete-tour-of-pe-and-elf-part-4/ *** Passwort-Test von CNBC: Unverschlüsselt und unverantwortlich *** --------------------------------------------- In einem Artikel des Nachrichtensenders CNBC konnten Leser die Sicherheit ihrer Kennwörter testen. Was kann dabei schon schiefgehen? Eine ganze Menge, wie Sicherheitsforscher aufzeigen. --------------------------------------------- http://heise.de/-3162731 *** Google fixes 39 Android flaws, some allow hackers to take over your phone *** --------------------------------------------- Google has released one of the largest Android monthly security updates, fixing a total of 39 vulnerabilities - 15 rated critical, including four that can lead to a complete device compromise.The patches, which are included in new firmware images that were released Monday for the companys Nexus devices, will also be published to the Android Open Source Project over the next 24 hours.They include a fix for a vulnerability that Google warned about two weeks ago and which is already being... --------------------------------------------- http://www.cio.com/article/3052201/google-fixes-39-android-flaws-some-allow… *** About the security content of iOS 9.3 *** --------------------------------------------- This document describes the security content of iOS 9.3. --------------------------------------------- https://support.apple.com/en-us/HT206166 *** DFN-CERT-2016-0548: BlackBerry powered by Android: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0548/ *** DFN-CERT-2016-0549: Google Android Operating System: Mehrere Schwachstellen ermöglichen u.a. das Erlangen von Administratorrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0549/ *** Sophos Cyberoam NG Series Multiple Cross-Site Scripting Vulnerabilities *** --------------------------------------------- Multiple reflected XSS issues were discovered in Cyberoam NG appliances. Input passed via the ipFamily, applicationname and username GET parameters to LiveConnections.jsp and LiveConnectionDetail.jsp is not properly sanitised before being returned to the user. Adding arbitrary X-Forwarded-For HTTP header to a request makes the appliance also prone to a XSS issue. This can be exploited to execute arbitrary HTML and script code in a users browser session in context of an affected site. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5313.php *** DSA-3541 roundcube - security update *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered that Roundcube, awebmail client, contained a path traversal vulnerability. This flawcould be exploited by an attacker to access sensitive files on theserver, or even execute arbitrary code. --------------------------------------------- https://www.debian.org/security/2016/dsa-3541 *** USN-2945-1: XChat-GNOME vulnerability *** --------------------------------------------- Ubuntu Security Notice USN-2945-14th April, 2016xchat-gnome vulnerabilityA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryXChat-GNOME could be made to expose sensitive information over the network.Software description xchat-gnome - simple and featureful IRC client for GNOME DetailsIt was discovered that XChat-GNOME incorrectly verified the hostname in anSSL certificate. An attacker could trick XChat-GNOME into trusting... --------------------------------------------- http://www.ubuntu.com/usn/usn-2945-1/ *** USN-2944-1: Libav vulnerabilities *** --------------------------------------------- Ubuntu Security Notice USN-2944-14th April, 2016libav vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTSSummaryLibav could be made to crash or run programs as your login if it opened aspecially crafted file.Software description libav - Multimedia player, server, encoder and transcoder DetailsIt was discovered that Libav incorrectly handled certain malformed mediafiles. If a user were tricked into opening a crafted media file, anattacker could... --------------------------------------------- http://www.ubuntu.com/usn/usn-2944-1/ *** Bugtraq: [SE-2012-01] Broken security fix in IBM Java 7/8 *** --------------------------------------------- http://www.securityfocus.com/archive/1/537973 *** Open-Xchange Input Validation Flaws Let Remote Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1035469 *** Bugtraq: [security bulletin] HPSBGN03569 rev.1 - HPE OneView for VMware vCenter (OV4VC), Remote Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/537977

1 0

Tageszusammenfassung - Montag 4-04-2016
by Daily end-of-shift report 04 Apr '16

04 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 01-04-2016 18:00 − Montag 04-04-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl Co-Handler: Stephan Richter *** SideStepper vulnerability in iOS 9 endangers companies that use MDM to distribute apps *** --------------------------------------------- Researchers are warning companies that the use of MDM technology opens up a loophole in protections added to Apples iOS 9 to help prevent employees from downloading malicious software posing as legit enterprise apps. --------------------------------------------- http://www.scmagazine.com/sidestepper-vulnerability-in-ios-9-endangers-comp… *** Analysis of the Locky infection process *** --------------------------------------------- In recent months, there has been a significant increase in the number of networks and users affected by ransomware known as Locky, which is used to encrypt a victim's files and then demand a ransom to be paid in bitcoins. But, how does this threat manage to infiltrate computer systems and hijack data? From the ESET Research Lab in Latin America, we can explain the steps and the methods used by cybercriminals to evade various layers of security. --------------------------------------------- http://www.welivesecurity.com/2016/04/04/analysis-of-the-locky-infection-pr… *** PayPal plugs phishing-enabling vulnerability, stumps up $500 *** --------------------------------------------- To the bug-splatter who found it. Not to you, dont get excited PayPal has patched a flaw which created a means for miscreants to abuse its platform to lend authenticity to fraudulent or otherwise malicious emails. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/04/01/paypal_plug… *** Steam hacker says more vulnerabilities will be found, but not by him *** --------------------------------------------- "It looks like their website hasnt been updated for years." --------------------------------------------- http://arstechnica.com/gaming/2016/04/steam-hacker-says-more-vulnerabilitie… *** New Heap-Spray Exploit Tied To LZH Archive Decompression *** --------------------------------------------- Researchers found a vulnerability in the classic compression standard Lhasa, once a mainstay for game developers in the mid-90s and still in use today. --------------------------------------------- http://threatpost.com/new-heap-spray-exploit-tied-to-lzh-archive-decompress… *** Magento e-commerce platform targeted with new ransomware KimcilWare *** --------------------------------------------- Users of the Magento e-commerce platform are being targeted with a new ransomware called KimcilWare. --------------------------------------------- http://www.scmagazine.com/magento-e-commerce-platform-targeted-with-new-ran… *** Magnitude EK Malvertising Campaign Adds Fingerprinting Gate *** --------------------------------------------- Threat actors refine a malvertising campaign leading to Magnitude EK.Categories: Cybercrime ExploitsTags: fingerprintingMagnitudemalvertising(Read more...) --------------------------------------------- https://blog.malwarebytes.org/cybercrime/2016/04/magnitude-ek-malvertising-… *** Continuous Integration: Jenkins sendet versehentlich anonyme Nutzungsdaten *** --------------------------------------------- Ein Bug in den Jenkins-Versionen 1.645 und 1.642.2 ignoriert die Einstellung zum Senden der Nutzungsstatistik. Ein Update soll das Problem beheben. Alternativ geben die Macher Tipps zur manuellen Abhilfe. --------------------------------------------- http://heise.de/-3161093 *** "Experience is a good school. But the fees are high." ENISA urges decision makers to take action before a major cyber crisis occurs in Europe *** --------------------------------------------- ENISA analysed the EU-level crisis management frameworks in five different sectors to make recommendations on more efficient cyber crisis cooperation and management. The report resulting from this study highlights the lessons that can be learnt from other sectors and that could be applicable in the cyber domain. The study concludes with a series of recommendations regarding EU-level priorities to alter the impact of potential cyber crises. More recently ENISA published a video related to this study that summarises the conclusions based on testimonials from experts in other sectors. --------------------------------------------- https://www.enisa.europa.eu/media/press-releases/201cexperience-is-a-good-s… *** Multiple vulnerabilities found in Quanta LTE routers (backdoor, backdoor accounts, RCE, weak WPS ...) *** --------------------------------------------- The Quanta LTE QDH Router device is a LTE router / access point overall badly designed with a lot of vulnerabilities. Its available in a number of countries to provide Internet with a LTE network. --------------------------------------------- https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilit… *** Analysis of the Procedure of Penetration on a Hacked Host *** --------------------------------------------- On the morning of 14th, a colleague of mine reported that the CPU usage of a host reached up to 100%. Then Security Department embarked on investigation and concluded the followings:... --------------------------------------------- http://en.wooyun.io/2016/03/29/48.html *** Binärdateien vergleichen: BinDiff ab sofort (fast) gratis nutzen *** --------------------------------------------- Entwickler und Sicherheitsforscher können das Tool BinDiff zum Vergleichen von Binärdateien kostenlos herunterladen. Für die Nutzung ist aber ein kostenpflichtiger Disassembler nötig. --------------------------------------------- http://heise.de/-3161798 *** How Reporters Pulled Off the Panama Papers, the Biggest Leak in Whistleblower History *** --------------------------------------------- The 2.6 terabyte Panama Papers may be the first leak of their scale, but they wont be the last. --------------------------------------------- http://www.wired.com/2016/04/reporters-pulled-off-panama-papers-biggest-lea… *** DFN-CERT-2016-0539: Squid: Zwei Schwachstellen ermöglichen u.a. verschiedene Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0539/ *** DSA-3539 srtp - security update *** --------------------------------------------- Randell Jesup and the Firefox team discovered that srtp, Ciscosreference implementation of the Secure Real-time Transport Protocol(SRTP), does not properly handle RTP header CSRC count and extensionheader length. A remote attacker can exploit this vulnerability to crashan application linked against libsrtp, resulting in a denial of service. --------------------------------------------- https://www.debian.org/security/2016/dsa-3539 *** DSA-3540 lhasa - security update *** --------------------------------------------- Marcin Noga discovered an integer underflow in Lhasa, a lzh archivedecompressor, which might result in the execution of arbitrary code ifa malformed archive is processed. --------------------------------------------- https://www.debian.org/security/2016/dsa-3540 *** Bugtraq: FortiManager & FortiAnalyzer 5.x (Appliance Application) - (filename) Persistent Web Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/537967 *** Bugtraq: ManageEngine Password Manager Pro Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537969

1 0

Tageszusammenfassung - Freitag 1-04-2016
by Daily end-of-shift report 01 Apr '16

01 Apr '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 31-03-2016 18:00 − Freitag 01-04-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** ICONICS WebHMI Directory Traversal Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a directory traversal vulnerability in the ICONICS WebHMI V9 application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-091-01 *** Beware of Unverified TLS Certificates in PHP & Python *** --------------------------------------------- Web developers today rely on various third-party APIs. For example, these APIs allow you to accept credit card payments, integrate a social network with your website, or clear your CDN's cache. The HTTPS protocol is used to secure the connection with the API server. However, if your web app doesn't verify the TLS certificate, aRead More The post Beware of Unverified TLS Certificates in PHP & Python appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2016/03/beware-unverified-tls-certificates-php-pyth… *** TA16-091A: Ransomware and Recent Variants *** --------------------------------------------- In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users' access to it until a ransom is paid to unlock it. --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA16-091A *** How To Build Your Own Rogue GSM BTS For Fun And Profit *** --------------------------------------------- In this blog post Im going to explain how to create a portable GSM BTS which can be used either to create a private ( and vendor free! ) GSM network or for GSM active tapping/interception/hijacking ... yes, with some (relatively) cheap electronic equipment you can basically build something very similar to what the governments are using from years to perform GSM interception. --------------------------------------------- https://evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-f… *** About the security content of iBooks Author 2.4.1 *** --------------------------------------------- Available for: OS X Yosemite v10.10 or later Impact: Parsing a maliciously crafted iBooks Author file may lead to disclosure of user information Description: An XML external entity reference issue existed with iBook Author parsing. This issue was addressed through improved parsing. CVE-ID CVE-2016-1789 --------------------------------------------- https://support.apple.com/en-us/HT206224 *** Security: Apples Rootless-Konzept hat erhebliche Mängel *** --------------------------------------------- Apples Sicherheitsmechanismus Rootless soll verhindern, dass mit Rootrechten Systemdateien verändert werden können. Doch er lässt sich leicht austricksen und Apple scheint es nicht eilig zu haben, die Lücken zu schließen. --------------------------------------------- http://www.golem.de/news/security-apples-rootless-konzept-hat-erhebliche-ma… *** WebKitGTK+ Security Advisory WSA-2016-0003 *** --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK+. CVE identifiers: CVE-2016-1778, CVE-2016-1779, CVE-2016-1781, CVE-2016-1782, CVE-2016-1783, CVE-2016-1785, CVE-2016-1786. --------------------------------------------- http://webkitgtk.org/security/WSA-2016-0003.html *** DFN-CERT-2016-0530 - PostgreSQL: Zwei Schwachstellen ermöglichen u.a. das Ausspähen von Informationen *** --------------------------------------------- Zwei Schwachstellen in PostgreSQL ermöglichen einem entfernten, einfach authentifizierten Angreifer das Ausspähen von Informationen, das Durchführen von Denial-of-Service-Angriffen sowie das Umgehen von Sicherheitsvorkehrungen und in der Folge die Manipulation von Daten. Die PostgreSQL Global Development Group stellt ein Sicherheitsupdate auf die Version 9.5.2 bereit, um die Schwachstellen zu beheben. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0530/ *** New Ransomware KimcilWare Targets Magento Websites *** --------------------------------------------- Ransomware dubbed KimcilWare is targeting websites running the e-commerce platform Magento and encrypting website files. --------------------------------------------- http://threatpost.com/new-ransomware-kimcilware-targets-magento-websites/11…

1 0

Tageszusammenfassung - Donnerstag 31-03-2016
by Daily end-of-shift report 31 Mar '16

31 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 30-03-2016 18:00 − Donnerstag 31-03-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Auch Google sollte für US-Behörden Smartphones entsperren *** --------------------------------------------- Alles dreht sich im aktuellen Streit um gesperrte Smartphones von mutmaßlichen Straftätern um Apple und das FBI - US-Behörden haben aber auch an Google zahlreiche derartiger Aufforderungen verschickt. Das hat die Bürgerrechtsvereinigung ACLU herausgefunden. --------------------------------------------- http://www.golem.de/news/nicht-nur-apple-auch-google-sollte-fuer-us-behoerd… *** Lücke bei SAP-Software: Hunderttausende Unternehmen gefährdet *** --------------------------------------------- Deutsche Behörden stufen die Mängel als "kritisch" ein, erst seit Oktober behoben --------------------------------------------- http://derstandard.at/2000033938536 *** Trend-Micro-Produkte öffneten triviale Hintertür *** --------------------------------------------- Antiviren-Software soll das System vor bösartiger Software schützen. Immer öfter stellt sich jedoch heraus, dass sie selbst als Einfallstor dienen kann. Ein Sicherheitsexperte demonstriert das zum wiederholten Mal mit Trend Micros Security-Produkten. --------------------------------------------- http://heise.de/-3159436 *** Automatisierte Medikamenten-Verteiler mit über 1400 Sicherheitslücken *** --------------------------------------------- Veraltete SupplyStation-Systeme sind nach wie vor in Krankenhäusern im Einsatz und haben tausende Sicherheitslücken. Das ICS-CERT in den USA warnt deswegen vor dem Sicherheitsrisiko durch diese Medikamenten-Verteiler. --------------------------------------------- http://heise.de/-3159439 *** Snort Covert Channels *** --------------------------------------------- Lab 3: Covert Channels Covert channels are used by outside attackers to establish communications with the compromised system, or by malicious insiders to secretly transfer data to unauthorized locations. There are various implementations .. --------------------------------------------- http://resources.infosecinstitute.com/snort-covert-channels/ *** Security best practices for git users *** --------------------------------------------- In recent years git has become one of most popular SCM/Version Control systems. Usage in some high-profile open-source projects like Linux or Raspberry Pi and support from vendors like GitHub and GitLab definitively helped to gain fame. As .. --------------------------------------------- http://resources.infosecinstitute.com/security-best-practices-for-git-users/ *** PowerWare 'Fileless Infection' Deepens Ransomware Conundrum for Healthcare Providers *** --------------------------------------------- The recent wave of ransomware attacks on healthcare institutions is not only raising questions about contingency planning, but also about whether healthcare is becoming the 'go-to' target for cyber extortionists looking to make quick .. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/powerware-fileless-inf… *** DFN-CERT PGP-Schlüssel *** --------------------------------------------- https://www.dfn-cert.de/aktuell/dfn-cert-schluessel.html *** Cisco Firepower Malware Block Bypass Vulnerability *** --------------------------------------------- A vulnerability in the malicious file detection and blocking features of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on an affected system. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Let Me Get That Door for You: Remote Root Vulnerability in HID Door Controllers *** --------------------------------------------- If you've ever been inside an airport, university campus, hospital, government complex, or office building, you've probably seen one of HID's brand of card readers standing guard over a restricted area. HID is one of the world's largest .. --------------------------------------------- http://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-… *** The Linux Remaiten malware is building a Botnet of IoT devices *** --------------------------------------------- Experts from the ESET firm have spotted a new threat in the wild dubbed Remaiten that targets embedded systems to recruit them in a botnet. ESET is actively monitoring malicious codes that target IoT systems such as routers, gateways .. --------------------------------------------- http://securityaffairs.co/wordpress/45820/iot/linux-remaiten-iot-botnet.html *** Ransomware Petya - a technical review *** --------------------------------------------- In March 24, researchers at G DATA received a sample of a new type of ransomware which was dubbed 'Petya'. Unlike other types of ransomware, Petya prevents the operating system from starting by manipulating the MBR and installing its own .. --------------------------------------------- https://blog.gdatasoftware.com/2016/03/28226-ransomware-petya-a-technical-r…

1 0

Tageszusammenfassung - Mittwoch 30-03-2016
by Daily end-of-shift report 30 Mar '16

30 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 29-03-2016 18:00 − Mittwoch 30-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** CareFusion Pyxis SupplyStation System Vulnerabilities *** --------------------------------------------- This medical advisory contains mitigation details for numerous third-party software vulnerabilities in end-of-life versions of CareFusion's Pyxis SupplyStation system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-16-089-01 *** Websites Hacked Redirect to Porn from PDF / DOC Links *** --------------------------------------------- We write a lot about various blackhat SEO hacks on this blog and most of you are already familiar with such things as doorways, cloaking and SEO poisoning. This time we'll tell you about yet another interesting blackhat SEO attack that we've been watching for the last year. Let's begin with .. --------------------------------------------- https://blog.sucuri.net/2016/03/pdf-doc-urls-redirect-to-porn.html *** CloudFlare <= 1.3.20 - Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8428 *** The Topology of Malicious Activity on IPv4 *** --------------------------------------------- There has been a great deal of academic and industry focus on identifying malicious activity across autonomous systems, and for good reasons. Over 50% of 'good' Internet traffic comes from large, ocean-like ASes pushing content from companies like Netflix, Google, Facebook, Apple and Amazon. However, .. --------------------------------------------- http://www.suchin.co/2016/03/23/Topology-Of-Malicious-Activity/ *** Betriebssystem: OpenBSD 5.9 filtert weitgehend Systemaufrufe *** --------------------------------------------- Die Funktion zum Filtern und Beschränken von Systemaufrufen ist in OpenBSD 5.9 um viele Anwendungen erweitert worden. Außerdem unterstützt das System nun neuere Laptops besser - dank UEFI und WLAN nach 802.11n. --------------------------------------------- http://www.golem.de/news/betriebssystem-openbsd-5-9-filtert-weitgehend-syst… *** Scammers Impersonate ISPs in New Tech Support Campaign *** --------------------------------------------- Scammers devise a new ploy to trick users into thinking their own ISP is warning them about malware. --------------------------------------------- https://blog.malwarebytes.org/threat-analysis/2016/03/scammers-impersonate-… *** [HTB23298]: Multiple Vulnerabilities in CubeCart *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in popular open source shopping software CubeCart. The discovered vulnerabilities allow a remote attacker to compromise vulnerable website and its databases, and conduct sophisticated attacks against its users. --------------------------------------------- https://www.htbridge.com/advisory/HTB23298 *** System Integrity Protection: Apples rootfreie Zone ist gar nicht so rootfrei *** --------------------------------------------- Apple will mit El Capitan verhindern, dass böse Jungs mit Root-Rechten ihr System kaputt machen. Leider hat das auch als Rootless bekannte Sicherheitskonzept viele Lücken und funktioniert deswegen momentan nicht ganz. --------------------------------------------- http://heise.de/-3157130 *** Der Liebling aller Cyber-Kriminellen: Flash *** --------------------------------------------- In den Top-15 der am meisten genutzten Sicherheitslücken finden sich allein 13 Schwachstellen in Flash, berichten die Antiviren-Experten der finnischen Firma F-Secure. --------------------------------------------- http://heise.de/-3157553

1 0

Tageszusammenfassung - Dienstag 29-03-2016
by Daily end-of-shift report 29 Mar '16

29 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 25-03-2016 18:00 − Dienstag 29-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Deutsche Hoster vermehrt im Fokus von Cyberkriminellen *** --------------------------------------------- Immer stärker nutzen Cyberkriminelle die technisch hochentwickelten Internet-Infrastrukturen der ersten Welt. Immer beliebter werden bei ihnen deutsche Hoster zum Verteilen ihrer Schadsoftware. --------------------------------------------- http://heise.de/-3151832 *** Basic Snort Rules Syntax and Usage *** --------------------------------------------- In this series of lab exercises we will demonstrate various techniques in writing Snort rules, from basic rules syntax to writing rules aimed at detecting specific types of attacks. We will also examine some basic approaches .. --------------------------------------------- http://resources.infosecinstitute.com/snort-rules-workshop-part-one/ *** TWSL2016-006: Multiple XSS Vulnerabilities reported for Zen Cart *** --------------------------------------------- Today Trustwave released a vulnerability advisory in conjunction with Zen Cart. Researchers from the SpiderLabs Research team at Trustwave recently found multiple Cross-Site Scripting (XSS) vulnerabilities in the popular online open source shopping .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/TWSL2016-006--Multiple-… *** CVE-2016-1010 (??? - Flash up to 20.0.0.306) and Exploit Kits *** --------------------------------------------- http://malware.dontneedcoffee.com/2016/03/flash-up-to-2000306.html *** Neue Infektions-Masche: Erpressungs-Trojaner missbraucht Windows PowerShell *** --------------------------------------------- Die neu entdeckte Ransomware PowerWare bemächtigt sich der Windows PowerShell, um Computer zu infizieren und Daten zu verschlüsseln. --------------------------------------------- http://heise.de/-3151892 *** Every Tool in the Tool Box *** --------------------------------------------- When I teach people about reverse engineering, I often hear the following statement: "I got the right answer, but I cheated to get it". They are typically talking about using dynamic analysis to get an answer versus statically analyzing .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Every-Tool-in-the-Tool-Box/ *** DSA-3532 quagga - security update *** --------------------------------------------- Kostya Kortchinsky discovered a stack-based buffer overflowvulnerability in the VPNv4 NLRI parser in bgpd in quagga, a BGP/OSPF/RIProuting daemon. A remote attacker can exploit this flaw to cause adenial of service (daemon crash), or potentially, execution of arbitrarycode, if bgpd is configured with BGP peers enabled for VPNv4. --------------------------------------------- https://www.debian.org/security/2016/dsa-3532 *** Improving Bash Forensics Capabilities *** --------------------------------------------- Bash is the default user shell in most Linux distributions. In case of incidents affecting a UNIX server, they are chances that a Bash shell will be .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20887 *** Life After the Isolated Heap *** --------------------------------------------- Over the past few months, Adobe has introduced a number of changes to the Flash Player heap with the goal of reducing the exploitability of certain types of vulnerabilities in Flash, especially use-after-frees. I wrote an exploit involving two bugs .. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/03/life-after-isolated-heap.html *** APPLE-SA-2016-03-28-1 OS X: Flash Player plug-in blocked *** --------------------------------------------- http://prod.lists.apple.com/archives/security-announce/2016/Mar/msg00007.ht… *** DSA-3533 openvswitch - security update *** --------------------------------------------- Kashyap Thimmaraju and Bhargava Shastry discovered a remotelytriggerable buffer overflow vulnerability in openvswitch, a productionquality, multilayer virtual switch implementation. Specially craftedMPLS packets could overflow .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3533 *** "Collecting Serial Data for ICS Network Security Monitoring" *** --------------------------------------------- Below is a postby SANS ICS515 - ICS Active Defense and Incident Response instructor Mark Bristow. Adversaries across the capability spectrum are increasingly targeting Industrial Control System (ICS) environments. Malware such as .. --------------------------------------------- http://ics.sans.org/blog/2016/03/29/collecting-serial-data-for-ics-network-… *** Why PCI DSS cannot replace common sense and holistic risk assessment *** --------------------------------------------- Cybersecurity compliance is not designed to eliminate data breaches or stop cybercrime. --------------------------------------------- https://www.htbridge.com/blog/why-pci-dss-cannot-replace-common-sense-and-h… *** Printers all over the US 'hacked' to spew anti-Semitic fliers *** --------------------------------------------- Andrew 'Weev' Auernheimer, one of the two men who were prosecuted and convicted for harvesting e-mails and authentication IDs of 114,000 early-adopters of Apple's iPad from AT&T's .. --------------------------------------------- https://www.helpnetsecurity.com/2016/03/29/printers-us-hacked-anti-semitic-… *** Xen Security Advisory 172 (CVE-2016-3158, CVE-2016-3159) - broken AMD FPU FIP/FDP/FOP leak workaround *** --------------------------------------------- There is a workaround in Xen to deal with the fact that AMD CPUs dont load the x86 registers FIP (and possibly FCS), FDP (and possibly FDS), and FOP from memory (via XRSTOR or FXRSTOR) when there is no pending unmasked exception. (See XSA-52.) However, this workaround does not cover all possible input cases. --------------------------------------------- http://lists.xen.org/archives/html/xen-announce/2016-03/msg00001.html *** Google-Entwickler: NPM-Malware könnte sich als Wurm verbreiten *** --------------------------------------------- Wegen einiger Design-Prinzipien der Node-Paktverwaltung NPM könne sich ein schadhaftes Modul wie ein Wurm im gesamten System verbreiten, warnt ein Google-Entwickler. Gegen die Sicherheitslücke hilft vorerst nur Handarbeit. --------------------------------------------- http://www.golem.de/news/google-entwickler-npm-malware-koennte-sich-als-wur… *** Petya: Den Erpressungs-Trojaner stoppen, bevor er die Festplatten verschlüsselt *** --------------------------------------------- Die Ransomware Petya zielt auf deutschsprachige Opfer und sorgt dafür, dass deren Rechner nicht mehr starten. Der Trojaner verschlüsselt ausserdem die Festplatten, das kann man aber verhindern, wenn man ihn rechtzeitig stoppt. --------------------------------------------- http://heise.de/-3153388 *** Lücke in populärer Anrufer-ID-App Truecaller legt Nutzerdaten offen *** --------------------------------------------- http://derstandard.at/2000033814462

1 0

Tageszusammenfassung - Freitag 25-03-2016
by Daily end-of-shift report 25 Mar '16

25 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 24-03-2016 18:00 − Freitag 25-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** DFN-CERT-2016-0510/">Xen, QEMU: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes mit den Rechten des Dienstes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0510/ *** USB Trojan Hides In Portable Applications, Targets Air-Gapped Systems *** --------------------------------------------- A Trojan program, dubbed USB Thief by researchers at security firm ESET, infects USB drives that contain portable installations of popular applications such as Firefox, NotePad++, or TrueCrypt, and it also seems to be designed to steal information from so-called air-gapped computers. "In the case we .. --------------------------------------------- https://it.slashdot.org/story/16/03/24/184255/usb-trojan-hides-in-portable-… *** F5: sol93122894: OpenSSL vulnerability CVE-2016-0705 *** --------------------------------------------- OpenSSL handling of malformed DSA private keys may cause memory corruption and possibly stop the handling process. --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/93/sol93122894.html *** Tenable: [R1] Log Correlation Engine (LCE) 4.8.0 Updates Libxml2 *** --------------------------------------------- The Log Correlation Engine (LCE) uses the third-party Libxml2 library for some XML parsing routines. A vulnerability was found and patched in Libxml2 recently. Tenable has not evaluated this vulnerability beyond acknowledging that user-supplied XML .. --------------------------------------------- http://www.tenable.com/security/tns-2016-06 *** Cogent DataHub Elevation of Privilege Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a privilege elevation vulnerability in the Cogent DataHub application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01 *** SQL Injection Cheat Sheet *** --------------------------------------------- What is an SQL Injection Cheat Sheet? An SQL injection cheat sheet is a resource in which you can find detailed technical information about the many different variants of the SQL Injection vulnerability. This cheat sheet is of good .. --------------------------------------------- https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/ *** Erpressungstrojaner: "Petya" befällt deutschsprachiges Gebiet *** --------------------------------------------- Die Ransomware verbreitet sich über Dropbox und zwingt Windows-User, Geld für die Entsperrung ihres Computers zu zahlen. --------------------------------------------- http://derstandard.at/2000033657066

1 0

Tageszusammenfassung - Donnerstag 24-03-2016
by Daily end-of-shift report 24 Mar '16

24 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 23-03-2016 18:00 − Donnerstag 24-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Cisco IOS and IOS XE and Cisco Unified Communications Manager Software Session Initiation Protocol Memory Leak Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** IBM Security Bulletin: IBM Forms Server vulnerability identified in Webform Server (CVE-2016-0223) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21977574 *** Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC5022 16Gb SAN and EN4023 10Gb Scalable Switches *** --------------------------------------------- http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099273 *** Security Bulletin: Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for BladeCenter *** --------------------------------------------- http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099272 *** Cisco Network Convergence System 6000 Series Routers SCP and SFTP Modules Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Zyxel MAX3XX Series Wimax CPEs Hardcoded Root Password *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016030135 *** Measuring SMTP STARTTLS Deployment Quality *** --------------------------------------------- At Yahoo, our users send and receive billions of emails everyday. We work to make Yahoo Mail easy to use, personalized, and secure for our hundreds of millions of users around the world. In line with our efforts to protect our users .. --------------------------------------------- https://yahoo-security.tumblr.com/post/141495385400/measuring-smtp-starttls… *** Kerberos Kadmind Null Pointer Dereference in process_db_args() Lets Remote Authenticated Users Execute Arbitrary Code on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1035399 *** CA Single Sign-On Agent Input Validation Flaws Let Remote Users Obtain Potentially Sensitive Information and Cause Denial of Service Conditions *** --------------------------------------------- http://www.securitytracker.com/id/1035389 *** Researchers find hole in SIP, Apple's newest protection feature *** --------------------------------------------- System Integrity Protection pwned Security researchers have discovered a vulnerability that creates a means for hackers to circumvent Apple's newest protection .. --------------------------------------------- www.theregister.co.uk/2016/03/24/macosx_security_bypass/ *** Nemucods CRYPTED Ransomware Can Be Neutralized with This Decrypter *** --------------------------------------------- Victims that had their computers locked by a ransomware that uses the CRYPTED file extension can now free their files using a special decrypter created by Emsisoft security .. --------------------------------------------- http://news.softpedia.com/news/nemucod-s-crypted-ransomware-can-be-neutrali… *** RCE flaw affects DVRs sold by over 70 different vendor *** --------------------------------------------- RSA security researcher Rotem Kerner has discovered a remote code execution vulnerability that affects digital video recorders (DVRs) sold by more than 70 different vendors around the world. --------------------------------------------- https://www.helpnetsecurity.com/2016/03/24/rce-flaw-dvrs-70-vendors/ *** Erpressungs-Trojaner Petya riegelt den gesamten Rechner ab *** --------------------------------------------- Eine neue Ransomware hat es aktuell auf deutschsprachige Windows-Nutzer abgesehen. Petya wird über Dropbox verteilt und manipuliert die Festplatte, wodurch das Betriebssystem nicht mehr ausgeführt werden kann. --------------------------------------------- http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-d… *** VU#279472: Granite Data Services AMF framework fails to properly parse XML input containing a reference to external entities *** --------------------------------------------- http://www.kb.cert.org/vuls/id/279472 *** RedDoor: Erpresser drohen mit DDoS-Attacken auf deutsche Webseiten *** --------------------------------------------- Zahlt uns 3 Bitcoin oder wir legen eure Webseite lahm – mit dieser Drohung erpresst eine Gruppe gerade Firmen in Deutschland, Österreich und der Schweiz. Angeblich soll es sich dabei allerdings um einen Bluff handeln. --------------------------------------------- http://heise.de/-3151565 *** Emergency Java Patch Re-Issued for 2013 Vulnerability *** --------------------------------------------- Oracle yesterday released an emergency patch for a Java vulnerability that was improperly patched in 2013. --------------------------------------------- http://threatpost.com/emergency-java-patch-re-issued-for-2013-vulnerability…

1 0

Tageszusammenfassung - Mittwoch 23-03-2016
by Daily end-of-shift report 23 Mar '16

23 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 22-03-2016 18:00 − Mittwoch 23-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** What was all that about a scary iMessage flaw? Your three-minute guide *** --------------------------------------------- On Sunday, we were warned that hackers could read our iMessages texts, photos and videos. Should I be worried? As it turns out: no. If youre even a little curious about cryptography and secure programming, though, it should interest and amuse you. --------------------------------------------- http://www.theregister.co.uk/2016/03/23/imessages_flaw_details/ *** Google publishes list of Certificate Authorities it doesnt trust *** --------------------------------------------- Thawte experiment aims to expose issuers of dodgy creds Googles announced another expansion to the security information offered in its transparency projects: its now going to track certificates you might not want to trust. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/03/23/google_now_… *** Abusing Oracles, (Wed, Mar 23rd) *** --------------------------------------------- No, no this has nothing to do with Oracle Corporation! This diary is about abusing encryption and decryption Oracles. First a bit of a background story. Most of the days I do web and mobile application penetration testing. While technical vulnerabilities, such as SQL Injection, XSS and similar are still commonly found, in last couple of years I would maybe dare to say that the Direct Object Reference (DOR) vulnerabilities have become prevalent. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20875&rss *** Libmcrypt - Incorrect S-Boxes for GOST cipher (2008, unfixed) *** --------------------------------------------- PHP just decided to abandon the trash fire that is libmcrypt. There were (are?) still other projects that use(d) it, so Im sharing this link in the interest of strongly encouraging projects to drop it like a lead balloon. This is far from the only problem with it ... --------------------------------------------- https://www.reddit.com/r/netsec/comments/4bl8xu/libmcrypt_incorrect_sboxes_… *** Microsoft Adds New Feature in Office 2016 That Can Block Macro Malware *** --------------------------------------------- Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware. ... Sysadmins can now block macros that connect to the Internet ... "This feature can be controlled via Group Policy and configured per application," Microsoft explains. "It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint --------------------------------------------- http://news.softpedia.com/news/microsoft-adds-new-feature-in-office-2016-th… *** GroupWise 2014 R2 Hot Patch 1 - Windows Full Multilingual *** --------------------------------------------- Abstract: GroupWise 2014 R2 Hot Patch 1 has been released. Be aware that there are security fixes in this release. Please see the Security section for details. --------------------------------------------- https://download.novell.com/Download?buildid=AA7ZB93KAjc~ *** GroupWise 2014 R2 Hot Patch 1 - Windows Client Multilingual *** --------------------------------------------- Abstract: GroupWise 2014 R2 Hot Patch 1 has been released. Be aware that there are security fixes in this release. Please see the Security section for details. --------------------------------------------- https://download.novell.com/Download?buildid=dxd3rzvGvig~ *** GroupWise 2014 R2 Hot Patch 1 - Linux Full Multilingual *** --------------------------------------------- Abstract: GroupWise 2014 R2 Hot Patch 1 has been released. Be aware that there are security fixes in this release. Please see the Security section for details. --------------------------------------------- https://download.novell.com/Download?buildid=Wxix0_fCdmI~ *** sol51518670: Linux kernel vulnerability CVE-2015-2922 *** --------------------------------------------- The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. (CVE-2015-2922) --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/51/sol51518670.html *** F5 Security Advisory: Apache Tomcat 6.x vulnerabilities CVE-2015-5174, CVE-2015-5345, CVE-2016-0706, and CVE-2016-0714 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/30/sol30971148.html?… --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco IOS and NX-OS Software Locator/ID Separation Protocol Packet Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS Software Wide Area Application Services Express Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Fragmentation Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS and IOS XE Software DHCPv6 Relay Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** ZDI-16-210: IBM Informix portmap Service Privilege Escalation Vulnerability *** --------------------------------------------- This vulnerability allows local users to execute arbitrary code on vulnerable installations of IBM Informix. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- www.zerodayinitiative.com/advisories/ZDI-16-210/ *** ZDI-16-209: IBM Informix nsrexecd Service Privilege Escalation Vulnerability *** --------------------------------------------- This vulnerability allows local users to execute arbitrary code on vulnerable installations of IBM Informix. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-209/ *** ZDI-16-208: IBM Informix nsrd Service Privilege Escalation Vulnerability *** --------------------------------------------- This vulnerability allows local users to execute arbitrary code on vulnerable installations of IBM Informix. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-208/

1 0

Tageszusammenfassung - Dienstag 22-03-2016
by Daily end-of-shift report 22 Mar '16

22 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 21-03-2016 18:00 − Dienstag 22-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Moodle Bugs Let Remote Authenticated Users Obtain Potentially Sensitive Information and Bypass Security Restrictions and Remote Users Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1035333 *** Libxml2 Memory Allocation Error in xmlStringGetNodeList() Lets Remote Users Consume Excessive Memory Resources *** --------------------------------------------- http://www.securitytracker.com/id/1035335 *** D-Link DWR-932 Authentication Bypass / Password Disclosure *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016030115 *** AsusTEK asio.sys MSR Manipulation *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016030116 *** Google slings critical patch at exploited Linux kernel root hole *** --------------------------------------------- Android re-installation ahoy to sink privilege elevation that opens avenue for rooting apps Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices. --------------------------------------------- www.theregister.co.uk/2016/03/22/google_slings_critcial_patch_at_exploited_… *** IBM Security Bulletin: Multiple Vulnerabilities in Oracle Outside In Technology affects IBM Rational DOORS Next Generation *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21978747 *** IBM Security Bulletin: Lotus Quickr 8.5 for WebSphere Portal January 2016 CPU (CVE-2016-0448) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21977579 *** Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM BladeCenter Advanced Management Module (AMM) (CVE-2015-7575) *** --------------------------------------------- http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099195 *** IBM Security Bulletin: Vulnerability in Apache Cordova affects IBM MobileFirst Platform Foundation (CVE-2015-5256) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000109 *** Security Bulletin: Vulnerability in OpenSSH affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module and QLogic Virtual Fabric Extension Module for IBM BladeCenter (CVE-2015-5600) *** --------------------------------------------- http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5098977 *** Samba-Entwickler warnen vor Lücke auch in Windows *** --------------------------------------------- Badlock heißt eine kritische Sicherheitslücke, die Samba-Entwickler in ihrer eigenen Software, aber auch in Windows entdeckt haben. Sie warnen die Betreiber solcher Server eindringlich, am 12. April Zeit für das Einspielen von Patches einzuplanen. --------------------------------------------- http://heise.de/-3148379 *** Deluge of Apple Patches Fix iMessage Crypto Bug, Much More *** --------------------------------------------- Apple deployed patches for nearly all of its products, including Safari, OS X, iOS, Apple TV's tvOS, and watchOS on Monday. --------------------------------------------- http://threatpost.com/deluge-of-apple-patches-fix-imessage-crypto-bug-much-… *** "E-ISAC and SANS Report On The Ukrainian Grid Attack" *** --------------------------------------------- Yesterday the SANS ICS team released its Defense Use Case (DUC) #5 analyzing the cyber-attack that impacted Ukraine on December 23, 2015. The paper is written from the perspective of what lessons that can be learned from the event. The .. --------------------------------------------- http://ics.sans.org/blog/2016/03/22/e-isac-and-sans-report-on-the-ukrainian… *** A look at Locky ransomware *** --------------------------------------------- The Locky ransomware was first spotted in the wild last month in February 2016. Locky came to limelight when it hit the Hollywood Hospital last month causing the hospital to pay bitcoins worth 17,000$ USD in ransom. Locky is known to .. --------------------------------------------- http://research.zscaler.com/2016/03/a-look-at-locky-ransomware.html

1 0

Tageszusammenfassung - Montag 21-03-2016
by Daily end-of-shift report 21 Mar '16

21 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 18-03-2016 18:00 − Montag 21-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Palo Alto Networks: VPN-Webinterface mit überlangen Benutzernamen angreifbar *** --------------------------------------------- Ein Sicherheitsforscher der Heidelberger Firma ERNW hat eine Remote-Code-Execution-Lücke auf einer Palo-Alto-Appliance gefunden. Verantwortlich dafür war ein fehlender Längencheck bei der Eingabe des Benutzernamens. --------------------------------------------- http://www.golem.de/news/palo-alto-networks-vpn-webinterface-mit-ueberlange… *** IBM Security Bulletin: Cross-site scripting vulnerability in IBM WebSphere Application Server (CVE-2016-0283) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21978293 *** FreeBSD crushes system-crashing bug *** --------------------------------------------- Time to upgrade, Unix-like OS-havers Sysadmins ought to patch their FreeBSD systems after an irritating bug was found in the kernel .. --------------------------------------------- www.theregister.co.uk/2016/03/18/freebsd_bug_patched/ *** Unplanmäßiger Android-Patch und noch einmal Stagefright *** --------------------------------------------- Knapp drei Wochen nach dem planmäßigen März-Update schließt Google eine Sicherheitslücke in Android, mit der sich Angreifer Root-Rechte erschleichen können. Derweil wurde ein weiterer Stagefright-Exploit bekannt. --------------------------------------------- http://www.heise.de/newsticker/meldung/Unplanmaessiger-Android-Patch-und-no… *** Google offers binary comparison tool BinDiff for free *** --------------------------------------------- In case you missed it, Google announced on Friday that BinDiff, a comparison tool for binary files, can now be downloaded for free. The tool is used to spot differences and similarities in disassembled code, and is helpful for identifying and isolating fixes for vulnerabilities in vendor-supplied .. --------------------------------------------- https://www.helpnetsecurity.com/2016/03/21/binary-comparison-tool-bindiff-f… *** Exploiting a Leaked Thread Handle *** --------------------------------------------- Once in awhile you'll find a bug that allows you to leak a handle opened in a privileged process into a lower privileged process. I found just such a bug in the Secondary Logon service on Windows, which was fixed this month as .. --------------------------------------------- http://googleprojectzero.blogspot.co.at/2016/03/exploiting-leaked-thread-ha… *** Erpresser rüsten nach: Verschlüsselungs-Trojaner TeslaCrypt 4.0 gesichtet *** --------------------------------------------- Sicherheitsforscher warnen vor einer neuen Version der Ransomware TeslaCrypt, die Computer infiziert und Daten chiffriert. Für Opfer ist es nun noch schwerer herauszufinden, was mit ihren Dateien passiert ist. --------------------------------------------- http://heise.de/-3145559 *** NIST releases updated telework guidance *** --------------------------------------------- The National Institute of Standards and Technology (NIST) released draft guidance for telework protocol, an update to the federal agencys initial documents drafted in 2009. --------------------------------------------- http://www.scmagazine.com/nist-releases-updated-telework-guidance/article/4… *** iOS URI Schemes Abuse *** --------------------------------------------- A set of URI schemes bugs that lead Safari to crash/freeze. --------------------------------------------- https://github.com/pwnsdx/iOS-URI-Schemes-Abuse-PoC *** OS X Malware Samples Analyzed *** --------------------------------------------- A couple of months ago, as we rang in 2016, we thought it would be interesting to take a quick look back at some OSX malware from 2015 and 2014. As reported by the team at Bit9+Carbon Black [1], 2015 marked 'the most prolific year in history for OS X .. --------------------------------------------- https://www.alienvault.com/open-threat-exchange/blog/os-x-malware-samples-a… *** Office für Mac: Microsoft veröffentlicht Sicherheits-Updates *** --------------------------------------------- Microsoft hat Updates für die OS-X-Versionen von Office 2011 und Office 2016 veröffentlicht, die eine kritische Schwachstelle schließen sollen. Die neue Version der Office-Suite baut die Sprachen-Unterstützung aus. --------------------------------------------- http://heise.de/-3146389

1 0

Tageszusammenfassung - Freitag 18-03-2016
by Daily end-of-shift report 18 Mar '16

18 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 17-03-2016 18:00 − Freitag 18-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Online Banking Threats in 2015: The Curious Case of DRIDEX's Prevalence *** --------------------------------------------- The thing about takedowns is that these do not necessarily wipe out the cybercriminal operations. In 2014, the ZeroAccess takedown has affected the botnet's click fraud operation, but its infections continued to soar. DRIDEX's .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/curious-case-dri… *** Mitre Takes On Critics, Set To Revamp CVE Vulnerability Reporting *** --------------------------------------------- Mitre Corporation will introduce a pilot program for classifying CVEs in response to critics who contend the agency is failing to keep pace with a massive influx CVE number requests. --------------------------------------------- http://threatpost.com/mitre-takes-on-critics-set-to-revamp-cve-vulnerabilit… *** Server Security: Indicators of Compromised Behavior with OSSEC *** --------------------------------------------- We leverage OSSEC extensively here at Sucuri to help monitor and protect our servers. If you are not familiar with OSSEC, it is an open source Intrusion Detection System (HIDS); it has a powerful correlation and analysis engine that integrates log analysis, file integrity monitoring, rootkit detection, .. --------------------------------------------- https://blog.sucuri.net/2016/03/server-security-anomaly-behaviour-with-osse… *** No mas, Samas: What's in this ransomware's modus operandi? *** --------------------------------------------- We've seen how ransomware managed to become a threat category that sends consumers and enterprise reeling when it hits them. It has become a high-commodity malware that is used as payload to spam email, macro malware, and exploit kit campaigns. It also digs onto victims' pockets in exchange for .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-t… *** ABB Panel Builder 800 DLL Hijacking Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a DLL Hijacking vulnerability in the ABB Panel Builder 800 Version 5.1 application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-077-01 *** Apache ActiveMQ Input Validation Flaw Lets Remote Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1035328 *** Apache ActiveMQ Lets Remote Users Conduct Clickjacking Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1035327 *** Android adware infiltrates devices' firmware, Trend Micro apps *** --------------------------------------------- Dubbed Gmobi by Dr. Web researchers, the malware comes in the form of a software development kit (SDK), and has been found in several legitimate applications by well-known companies, as well as in firmware for nearly 40 mobile .. --------------------------------------------- https://www.helpnetsecurity.com/2016/03/18/android-adware-infiltrates-devic… *** SSA-151221 (Last Update 2016-03-18): Incorrect File Permissions in APOGEE Insight *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-151221… *** [HTB23293]: Remote Code Execution via CSRF in iTop *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered a Remote Code Execution vulnerability in iTop that is exploitable via Cross-Site Request Forgery flaw that is also present .. --------------------------------------------- https://www.htbridge.com/advisory/HTB23293 *** Lets Encrypt tritt CA/Browser Forum bei *** --------------------------------------------- Der nächste Schritt hin zu einer anerkannten Zertifizierungsstelle ist getan: Als Mitglied im CA/Browser Forum bewegt sich Let's Encrypt nun auf Augenhöhe mit Comodo, Symantec & Co. --------------------------------------------- http://heise.de/-3144202 *** Auch DDR4-Speicher für Bitflips anfällig *** --------------------------------------------- Offenbar sind mehr Arbeitsspeicher-Varianten für den Rowhammer-Angriff verwundbar, als bislang gedacht. Forscher haben jetzt einen Angriff auf DDR4-Speicher vorgestellt, auch professionelle Serverspeicher sollen betroffen sein. --------------------------------------------- http://www.golem.de/news/rowhammer-auch-ddr4-speicher-fuer-bitflips-anfaell… *** Sicherheits-Updates für Symantecs Endpoint Protection *** --------------------------------------------- Drei Lücken schließt das aktuelle Update für Symantecs Endpoint Protection (SEP), darunter eine SQL Injection. --------------------------------------------- http://heise.de/-3144528 *** Biometrics not a magic infosec bullet for web banking, warns GCHQ bloke *** --------------------------------------------- You can change a password. You cant change fingerprints Around the world, banks are implementing biometric authentication systems for their customers as fraud cases increase - but experts warn biometrics should not be treated like a silver bullet for ID .. --------------------------------------------- www.theregister.co.uk/2016/03/18/biometrics_not_answer_online_banking_secur… *** Security: Neuer Stagefright-Exploit betrifft Millionen Android-Geräte *** --------------------------------------------- Stagefright bedroht viele nach wie vor ungepatchte Android-Geräte weltweit, gilt aber als schwierig auszunutzen. Eine neue Technik erfordert etwas Infrastruktur, dürfte aber größere praktische Relevanz haben. --------------------------------------------- http://www.golem.de/news/security-neuer-stagefright-exploit-betrifft-millio… *** DDoS-Attacken auf Schweizer Websites *** --------------------------------------------- In der Schweiz gab es in der vergangenen Woche eine Reihe von DDoS-Angriffen auf Online-Shops, die Schweizerischen Bundesbahnen und Finanzinstitute. In einem Fall wurden .. --------------------------------------------- http://heise.de/-3144854

1 0

Tageszusammenfassung - Donnerstag 17-03-2016
by Daily end-of-shift report 17 Mar '16

17 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 16-03-2016 18:00 − Donnerstag 17-03-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Blundering ransomware uses backdoored crypto, unlock keys spewed *** --------------------------------------------- Hahah ... wait, what? A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware. --------------------------------------------- http://www.theregister.co.uk/2016/03/16/locky_ransomware_undone_for_now/ *** Netgear CG3000v2 Password Change Bypass *** --------------------------------------------- I noticed a security issue in my Netgear CG3000v2 cable modem, as provided by Optus (an Australian phone/communications provider). The "admin password" can be changed on the web interface, without providing the current password. The page http://192.168.0.1/SetPassword.asp prompts for old and new passwords (and repeat of new), but in fact ignores the old password provided, and changes the password to the new one, regardless. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016030089 *** 2015-12-10: POODLE Vulnerability in RTU500 Series *** --------------------------------------------- Affected Products: RTU500 series firmware of release 10 less than version 10.8.6 and of release 11 less than 11.2.1. RTU500 series releases 9 and less are not affected. Summary: A vulnerability has recently been published that affects the SSL protocol 3.0 and is commonly referred to as “POODLE”. The vulnerability affects the product versions listed above. --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=1KGT090264&LanguageC… *** ADAC: Autos mit Keyless-Schlüssel sehr leichter zu stehlen *** --------------------------------------------- Diebe können sich eine Sicherheitslücke in der Funkverbindung zunutze machen --------------------------------------------- http://derstandard.at/2000033077997 *** APT Attackers Flying More False Flags Than Ever *** --------------------------------------------- Investigators continue to focus on attack attribution, but Kaspersky researchers speaking at CanSecWest 2016 caution that attackers are manipulating data used to tie attacks to perpetrators. --------------------------------------------- http://threatpost.com/apt-attackers-flying-more-false-flags-than-ever/11681… *** sol06223540: F5 TCP vulnerability CVE-2015-8240 *** --------------------------------------------- Improper handling of TCP options under some circumstances may cause a denial-of-service (DoS) condition. (CVE-2015-8240) Versions known to be vulnerable: 11.6.0 HF5, 11.5.3 HF2, 11.4.1 HF9 on various BIG-IP products --------------------------------------------- https://support.f5.com/kb/en-us/solutions/public/k/06/sol06223540.html *** Metaphor - A (real) reallife Stagefright exploit *** --------------------------------------------- The team here at NorthBit has built a working exploit affecting Android versions 2.2 - 4.0 and 5.0 - 5.1, while bypassing ASLR on versions 5.0 - 5.1 (as Android versions 2.2 - 4.0 do not implement ASLR). --------------------------------------------- https://www.exploit-db.com/docs/39527.pdf *** Xen XSA-171: I/O port access privilege escalation in x86-64 Linux *** --------------------------------------------- User mode processes not supposed to be able to access I/O ports may be granted such permission, potentially resulting in one or more of in-guest privilege escalation, guest crashes (Denial of Service), or in-guest information leaks. --------------------------------------------- http://xenbits.xen.org/xsa/advisory-171.html *** BSI veröffentlicht Anforderungskatalog für Cloud Computing *** --------------------------------------------- Anhand des Katalogs können Kunden von Cloud-Dienstleistern herausfinden, wie es um die Informationssicherheit in einer Cloud steht. Aber auch Anbieter solcher Dienste können sich damit etwa auf eine anstehende Zertifizierung vorbereiten. --------------------------------------------- http://heise.de/-3141368 *** Introducing SHIPS - Centralized Password Management *** --------------------------------------------- The Shared Host Integrated Password System (SHIPS) is an open-source solution created by Geoff Walton from TrustedSec to provide unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts. Our goal is to make post exploitation more difficult and provide a simplistic way to manage multiple systems in an environment where Windows does not necessarily support an alternative. SHIPS supports both Linux --------------------------------------------- https://www.trustedsec.com/january-2015/introducing-ships-centralized-local… *** New NIST Encryption Guidelines *** --------------------------------------------- NIST has published a draft of their new standard for encryption use: "NIST Special Publication 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms." In it, the Escrowed Encryption Standard from the 1990s, FIPS-185, is no longer certified. And Skipjack, NSAs symmetric algorithm from the same period, will no longer be certified. --------------------------------------------- https://www.schneier.com/blog/archives/2016/03/new_nist_encryp.html *** Scores of Serial Servers Plagued by Lack of Authentication, Encryption *** --------------------------------------------- Thousands of serial servers connected to the internet arent password protected and lack encryption, leaving any data that transfers between them and devices theyre connected to open to snooping, experts warn. --------------------------------------------- http://threatpost.com/scores-of-serial-servers-plagued-by-lack-of-authentic… *** VU#897144: Solarwinds Dameware Remote Mini Controller Windows service is vulnerable to stack buffer overflow *** --------------------------------------------- The Solarwinds Dameware Remote Mini Controller Windows service is vulnerable to stack buffer overflow. Description CWE-121: Stack-based Buffer Overflow - CVE-2016-2345 Solarwinds Dameware Remote Mini Controller is a software for assisting in remote desktop connections for helpdesk support. --------------------------------------------- http://www.kb.cert.org/vuls/id/897144 *** Bypassing NoScript Security Suite Using Cross-Site Scripting and MITM Attacks *** --------------------------------------------- This paper discusses different techniques that an attacker can use to bypass NoScript Security Suite Protection. These techniques can be used by malicious vectors in bypassing the default installation of NoScript. The paper also provides solutions and recommendations for end-users that can enhances the current protection of NoScript Security Suite. --------------------------------------------- https://mazinahmed.net/uploads/Bypassing%20NoScript%20Security%20Suite%20Us… *** Symantec Endpoint Protection Multiple Security Issues *** --------------------------------------------- Symantec Endpoint Protection (SEP) was susceptible to a number of security findings that could potentially result in an authorized but less privileged user gaining elevated access to the Management Console. SEP Client security mitigations can potentially be bypassed allowing arbitrary code execution on a targeted client. --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** IBM Security Bulletin *** --------------------------------------------- *** IBM Rational DOORS Web Access is affected by Apache Tomcat vulnerabilities (CVE-2015-5345, CVE-2015-5351) *** http://www.ibm.com/support/docview.wss?uid=swg21978300 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2015-7575, CVE-2015-4872, CVE-2015-4893, CVE-2015-4803) *** http://www.ibm.com/support/docview.wss?uid=swg21976573 --------------------------------------------- *** IBM Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry (CVE-2015-7713, CVE-2015-5286) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023399 --------------------------------------------- *** IBM Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry(CVE-2015-5163 CVE-2015-3241 CVE-2015-5223) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023469 --------------------------------------------- *** IBM Security Bulletin: OpenStack vulnerabilities affect IBM Cloud Manager with Openstack (CVE-2015-5163 CVE-2015-3241 CVE-2015-5223) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023470 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 16-03-2016
by Daily end-of-shift report 16 Mar '16

16 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 15-03-2016 18:00 − Mittwoch 16-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Bugtraq: [security bulletin] HPSBGN03556 rev.1 - ArcSight ESM and ESM Express, Remote Arbitrary File Download, Local Arbitrary Command Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/537801 *** Exploit Kits in 2015: Scale and Distribution *** --------------------------------------------- In the first part of this series of blog posts, we discussed what new developments and changes in the exploit kit landscape were seen in 2015. In this post, we look at the scale of the exploit kit problem - how many users were affected, .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/exploit-kits-201… *** Apache Struts Input Validation Flaw in I18NInterceptor Lets Remote Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1035272 *** Apache Struts Double OGNL Evaluation Lets Remote Users Execute Arbitrary Code on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1035271 *** VMware vRealizes that vRealize has XSS bugs on Linux *** --------------------------------------------- Virtzillas also released first maintenance release for vRealize Automation A tricky Tuesday for VMwares vRealize products, which have received the first maintenance release for version 7 and also become the subject of a security alert. --------------------------------------------- www.theregister.co.uk/2016/03/16/vmware_vrealizes_that_vrealize_has_xss_bug… *** OpenSSH 7.2p1 xauth Command Injection / Bypass *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016030083 *** TeslaCrypt 3.1? New Ransomware Strain Removes ShadowCopies via WMI *** --------------------------------------------- The authors of TeslaCrypt 3.1 ransomware understood that the common ransomware action of deleting shadow copies by executing "vssadmin Delete Shadows /All /Quiet" draws the defenders attention, and so they worked around that by using WMI. --------------------------------------------- http://www.minerva-labs.com/ *** subsearch *** --------------------------------------------- subsearch is a command line tool designed to brute force subdomain names. It is aimed at penetration testers and bug bounty hunters and has been built with a focus on speed, stealth and reporting. --------------------------------------------- https://github.com/gavia/subsearch *** Git Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1035290 *** FortiOS open redirect vulnerability *** --------------------------------------------- The FortiOS webui accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. The redirect input parameter is also prone to a cross site scripting. --------------------------------------------- http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability *** IBM Security Bulletin: Vulnerabilities in java affect Power Hardware Management Console (CVE-2016-0448) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1021172 *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images (CVE-2016-0777, CVE-2016-0778) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21978487 *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM WebSphere MQ (CVE-2015-1788) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21972125 *** DDoSing with Other Peoples Botnets *** --------------------------------------------- While I was reverse engineering ZeroAccess in order to write a monitoring system, I had an idea which would allow me to use ZeroAccess C&C infrastructure to reflect and amplify a UDP based DDoS attack, which Id found to be beautifully ironic. After further analysis, I discovered it may even be possible to use non worker bots (which connect from behind NAT) to participate in the attack. --------------------------------------------- http://www.malwaretech.com/2016/03/ddosing-with-other-peoples-botnets.html *** DFN-CERT-2016-0461/">Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u.a. verschiedene Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0461/ *** Nacktfotos von Prominenten: Verdächtiger gesteht Phishing-Angriff auf iCloud *** --------------------------------------------- Im Verfahren um die Veröffentlichung von privaten Promifotos hat sich der Verdächtige des Phishings schuldig bekannt. Doch mit der Veröffentlichung der Bilder will der Mann nichts zu tun haben. --------------------------------------------- http://www.golem.de/news/nacktfotos-von-prominenten-verdaechtiger-gesteht-p… *** HTTPS: 77 Prozent aller Google-Anfragen verschlüsselt *** --------------------------------------------- In seinem Transparenzbericht dokumentiert Google nun auch den Prozentsatz von Transportverschlüsselung bei seinen eigenen Diensten und Anfragen an Server der Suchmaschine. Vor allem der hohe Wert bei der Verteilung von Werbung überrascht. --------------------------------------------- http://heise.de/-3140351 *** Erpressungstrojaner auf Websites von New York Times und BBC *** --------------------------------------------- Potenziell Millionen Nutzer gefährdet, Sicherheitsforscher sehen Beleg für Schwächen des Werbenetzwerks --------------------------------------------- http://derstandard.at/2000033046874 *** AceDeceiver: iOS-Trojaner nutzt Schwachstellen in Apples DRM *** --------------------------------------------- Angreifern ist es einer Sicherheitsfirma zufolge gelungen, Schad-Software mehrfach ungehindert in den App Store zu bringen. Durch Schwachpunkte in Apples DRM FairPlay könne die Malware zudem auf iPhones gelangen - ohne Enterprise-Zertifikat. --------------------------------------------- http://heise.de/-3140627

1 0

Tageszusammenfassung - Dienstag 15-03-2016
by Daily end-of-shift report 15 Mar '16

15 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 14-03-2016 18:00 − Dienstag 15-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Typosquatters Target Mac Users With New '.om' Domain Scam *** --------------------------------------------- http://threatpost.com/typosquatters-target-apple-mac-users-with-new-om-doma… *** Juniper: Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) *** --------------------------------------------- On March 1, 2016, a cross-protocol attack was announced by OpenSSL that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800). --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10722 *** Citrix XenApp and XenDesktop Hardening Guidance *** --------------------------------------------- https://www.fireeye.com/blog/threat-research/2016/03/citrix_xenapp_andxe.ht… *** Complete Tour of PE and ELF: Part 2 *** --------------------------------------------- We covered some important sections in Part 1 of this series. In this part, we will cover some more complex data structures covering some important concepts of binaries. Here is what we are looking at: If you can recall in Optional header, .. --------------------------------------------- http://resources.infosecinstitute.com/complete-tour-of-pe-and-elf-part-2/ *** Adrian Dabrowski @ Troopers TelcoSecDay 2016 *** --------------------------------------------- Today Adrian Dabrowski gives his talk 'Towards Carrier Based IMSI Catcher Detection' at the TelcoSecDay 2016. Abstract: In this presentation we discuss multiple detection capabilities of IMSI Catchers (aka Stingray) from the network .. --------------------------------------------- https://www.sba-research.org/2016/03/15/adrian-dabrowski-troopers-telcosecd… *** How broken is SHA-1 really? *** --------------------------------------------- SHA-1 collisions may be found in the next few months, but that doesnt mean that fake SHA-1-based certificates will be created in the near future. Nevertheless, it is time for everyone, and those working in security in particular, to move away from outdated hash functions. Read more --------------------------------------------- https://www.virusbulletin.com/blog/2016/march-2016/how-broken-sha-1-really/ *** BSI-Leitfaden zum Umgang mit Erpressungs-Trojanern *** --------------------------------------------- Das BSI informiert in einem knappen Leitfaden Behörden und Unternehmen über die Bedrohung durch Krypto-Trojaner und wie man sich im Ernstfall verhalten sollte. --------------------------------------------- http://heise.de/-3135866 *** From Stolen Wallet to ID Theft, Wrongful Arrest *** --------------------------------------------- Its remarkable how quickly a stolen purse or wallet can morph into full-blow identity theft, and possibly even result in the victims wrongful arrest. All of the above was visited recently on a fellow infosec professional whose admitted lapse in physical security lead to a mistaken early morning arrest in front of his kids. --------------------------------------------- http://krebsonsecurity.com/2016/03/from-stolen-wallet-to-id-theft-wrongful-…

1 0

Tageszusammenfassung - Montag 14-03-2016
by Daily end-of-shift report 14 Mar '16

14 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 11-03-2016 18:00 − Montag 14-03-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** VU#713312: DTE Energy Insight app vulnerable to information exposure *** --------------------------------------------- The DTE Energy Insight app API allows an authenticated user to obtain and query certain limited customer information from other customers. --------------------------------------------- http://www.kb.cert.org/vuls/id/713312 *** Mehr als zwei Jahre alter Java-Security-Patch von Oracle immer noch verwundbar *** --------------------------------------------- Geht es nach dem Sicherheitsexperten Adam Gowdiak hat Oracle vor mehr als zwei Jahren eine Sicherheitslücke falsch bewertet und zudem bei dem Patch gepfuscht, der den Fehler eigentlich hätte beseitigen sollen. --------------------------------------------- http://www.heise.de/newsticker/meldung/Mehr-als-zwei-Jahre-alter-Java-Secur… *** The Source of All Major Android Banking Trojans Just Got Updated To V2 *** --------------------------------------------- An anonymous reader writes: Apparently, during the past months it has started coming to the surface the fact that most top-tier Android malware was actually related, coming from a common malware variant called GM Bot, and sold for only .. --------------------------------------------- http://news.slashdot.org/story/16/03/12/1556259/the-source-of-all-major-and… *** Google Chrome Extension Caught Stealing Bitcoin From Users *** --------------------------------------------- An anonymous reader writes: Bitcoin exchange portal Bitstamp is warning users of a Google Chrome extension that steals their Bitcoin when making a transfer. According to Bitstamp, this extension contains malicious code that is redirecting .. --------------------------------------------- http://news.slashdot.org/story/16/03/12/2328254/google-chrome-extension-cau… *** Armada Collective is back, extorting Financial Intuitions in Switzerland *** --------------------------------------------- These extortion emails usually originate from free email service providers (such as Gmail or Openmail) and are being sent to the info@ email address of the targeted financial institution. Unlike the extortion attempts conducted by Armada Collective in September 2015, we are not aware of .. --------------------------------------------- http://www.govcert.admin.ch/blog/19/armada-collective-is-back-extorting-fin… *** Auto vulnerability scanners turn up mostly false positives *** --------------------------------------------- Automated vulnerability scanners turn up mostly false positives, but even the wild goose chase that results can be cheaper for businesses than manual processes, according to NCC Group security engineer Clint Gibler. --------------------------------------------- http://www.theregister.co.uk/2016/03/14/cheap_auto_vulnerability_scanners_c… *** SSA-833048 (Last Update 2016-03-14): Vulnerability in SIMATIC S7-1200 CPUs prior to V4 *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-833048… *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects TS4500 (CVE-2015-7547) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1005695 *** IBM Security Bulletin: glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1023395 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21975835 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM SmartCloud Entry (CVE-2016-0475 CVE-2016-0448 CVE-2015-7575 CVE-2016-0466) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1023378 Botnets Plague the Web. This AI Is Out to Stop Them --------------------------------------------- A group of Israeli researchers believe they are the first to have discovered a way to locate botnets and identify who is behind them, by planting honeypots that gather information about attacks carried out by the network, and analyzing that data with machine learning programs. --------------------------------------------- https://motherboard.vice.com/read/botnets-plague-the-web-this-ai-is-out-to-… *** Broken 2013 Java Patch Leads to Sandbox Bypass *** --------------------------------------------- A patch for a critical 2013 Java vulnerability is incomplete, and exposes Java servers and clients to a sandbox bypass, researchers at Security Explorations of Poland said. --------------------------------------------- http://threatpost.com/broken-2013-java-patch-leads-to-sandbox-bypass/116757/

1 0

Tageszusammenfassung - Freitag 11-03-2016
by Daily end-of-shift report 11 Mar '16

11 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 10-03-2016 18:00 − Freitag 11-03-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Locky Ransomware Spreading in Massive Spam Attack *** --------------------------------------------- Researchers are tracking a massive spam campaign pelting inboxes with Locky ransomware downloaders in the form of JavaScript attachments. --------------------------------------------- http://threatpost.com/locky-ransomware-spreading-in-massive-spam-attack/116… *** Deinstallieren oder Aktualisieren: Adobe verteilt Notfall-Update für Flash *** --------------------------------------------- Es kommt nicht überraschend: Adobe veröffentlicht wieder ein Notfall-Update für den Flash-Player. Wer ihn nicht bereits deinstalliert hat, sollte das Update installieren. Auch die Digital Editions und der Adobe Reader werden versorgt. --------------------------------------------- http://www.golem.de/news/deinstallieren-oder-aktualisieren-adobe-rollt-notf… *** Security Afterworks Spezial: Secure your Enterprise - Innovative Microsoft-Security-Lösungen im Enterprise- & Mobility-Umfeld *** --------------------------------------------- April 18, 2016 - 3:00 pm - 5:00 pm Microsoft Österreich Am Europlatz 3 Wien --------------------------------------------- https://www.sba-research.org/events/security-afterworks-spezial-secure-your… *** Files compromised by ransomware Trojan for OS X can be decrypted by Doctor Web *** --------------------------------------------- March 11, 2016 At the beginning of March, numerous mass media, websites, and blogs announced about the emergence of the first ever ransomware for Mac computers. Doctor Web specialists examined this malicious program, which was named Mac.Trojan.KeRanger.2, and they have developed a method that can help to decrypt files affected by this Trojan. Mac.Trojan.KeRanger.2 was first detected in a compromised version of the installer for a popular OS X torrent client that was distributed as a DMG file. --------------------------------------------- http://news.drweb.com/show/?i=9877&lng=en&c=9 *** Cerber Ransomware - New, But Mature *** --------------------------------------------- We take a look at Cerber, Ransomware named after the mythical multi-headed dog...Categories: Malware AnalysisTags: cerberransomware(Read more...) --------------------------------------------- https://blog.malwarebytes.org/intelligence/2016/03/cerber-ransomware-new-bu… *** OpenSSH Security Advisory: x11fwd.adv *** --------------------------------------------- Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1). --------------------------------------------- http://www.openssh.com/txt/x11fwd.adv *** Cisco Gigabit Switch Router 12000 Series Routers Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Schneider Electric Telvent RTU Improper Ethernet Frame Padding Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a vulnerability caused by an Institute of Electrical and Electronics Engineers (IEEE) conformance issue involving improper frame padding in Schneider Electric's Telvent SAGE 2300 and 2400 remote terminal units. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-070-01 *** VU#270232: Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability *** --------------------------------------------- Vulnerability Note VU#270232 Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability Original Release date: 10 Mar 2016 | Last revised: 10 Mar 2016 Overview Quagga, version 0.99.24.1 and earlier, contains a buffer overflow vulnerability in bgpd with BGP peers enabled for VPNv4 that may leveraged to gain code execution. Description CWE-121: Stack-based Buffer Overflow - CVE-2016-2342Quagga is a software routing suite that implements numerous routing protocols for... --------------------------------------------- http://www.kb.cert.org/vuls/id/270232 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects Tivoli Provisioning Manager for OS deployment and Tivoli Provisioning Manager for Images (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21978194 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM DataPower Gateways (CVE-2015-7547) *** http://www.ibm.com/support/docview.wss?uid=swg21977460 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Rational Publishing Engine (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21978188 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM DataPower Gateways (CVE-2016-0201) *** http://www.ibm.com/support/docview.wss?uid=swg21974969 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in the GSKit component of IBM DB2 LUW (CVE-2016-0201, CVE-2015-7420 & CVE-2015-7421) *** http://www.ibm.com/support/docview.wss?uid=swg21977787 --------------------------------------------- *** IBM Security Bulletin: Cross-Site Scripting Vulnerability with the UML Vizualization tools *** http://www.ibm.com/support/docview.wss?uid=swg21978003 --------------------------------------------- *** Security Bulletin: Vulnerability in lighttpd affects IBM Integrated Management Module (IMM)(CVE-2015-3200) *** http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099226 --------------------------------------------- *** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg21978471 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 10-03-2016
by Daily end-of-shift report 10 Mar '16

10 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 09-03-2016 18:00 − Donnerstag 10-03-2016 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** First Principles for Network Defenders: A Unified Theory for Security Practitioners *** --------------------------------------------- Great thinkers like Aristotle, Descartes and Elon Musk have said that, in order to solve really hard problems, you have to get back to first principles. First principles in a designated .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/03/first-principles-for-net… *** DSA-3509 rails - security update *** --------------------------------------------- Two vulnerabilities have been discovered in Rails, a web applicationframework written in Ruby. Both vulnerabilities affect Action Pack, whichhandles the web requests for Rails. --------------------------------------------- https://www.debian.org/security/2016/dsa-3509 *** Powershell Malware - No Hard drive, Just hard times, (Wed, Mar 9th) *** --------------------------------------------- ISC Reader Eric Volking submitted a very nice sample of some Powershell based malware. Lets take a look! The malware starts inthe traditional way, by launching itself with an .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20823 *** Bugtraq: [CORE-2016-0004] - SAP Download Manager Password Weak Encryption *** --------------------------------------------- http://www.securityfocus.com/archive/1/537746 *** Bugtraq: [CORE-2016-0003] - Samsung SW Update Tool MiTM *** --------------------------------------------- http://www.securityfocus.com/archive/1/537750 *** DSA-3512 libotr - security update *** --------------------------------------------- Markus Vervier of X41 D-Sec GmbH discovered an integer overflowvulnerability in libotr, an off-the-record (OTR) messaging library, inthe way how the sizes of portions of incoming messages were stored. Aremote attacker can exploit this .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3512 *** DSA-3511 bind9 - security update *** --------------------------------------------- https://www.debian.org/security/2016/dsa-3511 *** Security Advisory: BIND vulnerability CVE-2016-2088 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59692558.html *** Security Advisory: BIND vulnerability CVE-2016-1285 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/46/sol46264120.html *** Security Advisory: BIND vulnerability CVE-2016-1286 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/62/sol62012529.html *** Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015 *** --------------------------------------------- When a PDF is uploaded in Scald File, various tools can be executed if theyre installed on the server, to try to generate a thumbnail out of that PDF.This is mitigated by the need to have the sufficient permissions to upload a file in Scald, .. --------------------------------------------- https://www.drupal.org/node/2684601 *** Ransomware: "Von Zahlungen ist abzuraten" *** --------------------------------------------- DDoS-Attacken, CEO-Frauds und Ransomware: Angriffe auf Firmen nehmen zu. Die futurezone hat den Sicherheitsexperten Michael Krausz dazu befragt. --------------------------------------------- http://futurezone.at/digital-life/ransomware-von-zahlungen-ist-abzuraten/18… *** Erpressungs-Trojaner: Time-Machine-Backups anfällig *** --------------------------------------------- Die Entwickler der OS-X-Ransomware KeRanger haben auch Time-Machine-Backups als Angriffsziel erwogen. Tatsächlich ist es möglich, selbst ohne Admin-Rechte Dokumente in der Datensicherung zu verändern. --------------------------------------------- http://heise.de/-3131762 *** TRUST 2016, organized by SBA Research *** --------------------------------------------- August 29, 2016 - August 30, 2016 - All Day Vienna University of Technology Gußhausstraße 27-29 Vienna --------------------------------------------- https://www.sba-research.org/events/trust-2016-organized-by-sba-research/ *** Kritische Lücke in Jabber-Verschlüsselung OTR *** --------------------------------------------- Das Protokoll Off-the-Record (OTR) und dessen Umsetzung galt als eigentlich als recht sicher. Doch jetzt entdeckten Forscher eine kritische Lücke, die es Angreifern erlaubt, eigenen Code einzuschleusen und auszuführen. Updates schließen das Loch. --------------------------------------------- http://heise.de/-3130396 *** PlugX malware: A good hacker is an apologetic hacker *** --------------------------------------------- Sometimes malware writers put messages in their malware. We found one such message in PlugX dropper. And it was pretty melodramatic .. --------------------------------------------- http://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is… *** [R4] OpenSSL 20160301 Advisory Affects Tenable Nessus *** --------------------------------------------- https://www.tenable.com/security/tns-2016-03 *** Apple Software Update 2.2 *** --------------------------------------------- Impact: An attacker in a privileged network position may be able to control the contents of the updates window --------------------------------------------- https://support.apple.com/en-us/HT206091 *** Vulnerabilities in multiple third party TYPO3 CMS extensions *** --------------------------------------------- It has been discovered that the extension "phpMyAdmin" (phpmyadmin) is susceptible to unsafe comparison of XSRF/CSRF token, multiple full path disclosure vulnerabilities, multiple XSS vulnerabilities, insecure password generation in JavaScript. --------------------------------------------- https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-… *** Security: Drown gefährdet weiterhin zahlreiche Webdienste *** --------------------------------------------- Wie schnell patchen Serverbetreiber die Drown-Sicherheitslücke? Offenbar zu langsam, sagen mehrere Sicherheitsfirmen. Bei Heartbleed lief es deutlich besser. --------------------------------------------- http://www.golem.de/news/security-drown-gefaehrdet-weiterhin-zahlreiche-web… *** Android mobile banking trojan uses layered defenses to avoid removal *** --------------------------------------------- Researchers at ESET have spotted a new Android banking trojan that camouflages itself as a legitimate mobile banking app, but instead of giving access to a persons bank account it steals login credentials. --------------------------------------------- http://www.scmagazine.com/android-mobile-banking-trojan-uses-layered-defens… *** Cisco Prime LAN Management Solution Default Decryption Key Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Security Updates Available for Adobe Flash Player (APSB16-08) *** --------------------------------------------- A Security Bulletin (APSB16-08) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1327

1 0

Tageszusammenfassung - Mittwoch 9-03-2016
by Daily end-of-shift report 09 Mar '16

09 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 08-03-2016 18:00 − Mittwoch 09-03-2016 18:00 Handler: n/a Co-Handler: Stephan Richter *** Apple denies researchers claims of bypassing iOS passcode using Siri *** --------------------------------------------- Vulnerability Lab researchers claim to have spotted multiple passcode bypass vulnerabilities in the latest Apple iOS systems. --------------------------------------------- http://www.scmagazine.com/researchers-says-ios-has-passcode-bypass-vulnerab… *** Microsoft-Patchday: Fünf kritische Lücken, alle Windows-Versionen betroffen *** --------------------------------------------- Microsoft verteilt diesen Monat insgesamt 13 Updates für WIndows, Office und seine beiden Browser Internet Explorer und Edge. Mehrere Lücken erlauben es, Windows-Rechner aus der Ferne zu kapern. --------------------------------------------- http://heise.de/-3131122 *** Trivial path for DDoS amplification attacks found by infosec bods *** --------------------------------------------- 600,000 servers are vulnerable to this little-known protocol Security researchers have discovered a new vector for DDoS amplification attacks - and its quite literally trivial. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/03/09/trivial_ddo… *** KeRanger Mac ransomware is a rewrite of Linux Encoder *** --------------------------------------------- KeRanger, the recently discovered first functional Mac ransomware, is a copy of Linux Encoder, the crypto-ransomware first unearthed and analyzed in November 2015 by Dr. Web researchers. "The encryption functions are identical and have same names: encrypt_file, recursive_task, currentTimestamp and createDaemon to only mention a few. The encryption routine is identical to the one employed in Linux.Encoder", explained Catalin Cosoi, Chief Security Strategist at Bitdefender. --------------------------------------------- https://www.helpnetsecurity.com/2016/03/09/keranger-mac-ransomware-rewrite-… *** A Wall Against Cryptowall? Some Tips for Preventing Ransomware, (Wed, Mar 9th) *** --------------------------------------------- A lot of attention has been paid lately to the Cryptowall / Ransomware family (as in crime family) of malware. What I get asked a lot by clients is how can I prepare / prevent an infection? Prepare is a good word in this case, it encompasses both prevention and setting up processes for dealing with the infection that will inevitably happen in spite of those preventative processes. Plus its the first step in the Preparation / Identification / Containment / Eradication / Restore Service / Lessons... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20821&rss *** Android-Sicherheitsupdates: Immer Ärger mit Stagefright *** --------------------------------------------- Google wird die Stagefright-Probleme nicht los. Auch das März-Update patcht mehrere kritische Lücken, die in den Multimedia-Diensten der Android-Geräte stecken. Updates für Nexus-Smartphones und -Tablets werden bereits verteilt. --------------------------------------------- http://heise.de/-3131138 *** RSA: Seven Attack Trends (March 3, 2016) *** --------------------------------------------- At the RSA Conference in San Francisco last week, SANS researchers described seven cyberattack trends that are likely to come up again and again over the course of this year: Weaponization of Windows PowerShell; Stagefright-like mobile vulnerabilities; Developer environment vulnerabilities like Xcode Ghost; Industrial Control System (ICS) attacks; Targeting unsecure third-party software components; Internet of (Evil) Things; and Ransomware... --------------------------------------------- http://www.sans.org/newsletters/newsbites/r/18/19/201 *** MS16-MAR - Microsoft Security Bulletin Summary for March 2016 - Version: 1.0 *** --------------------------------------------- V1.0 (March 8, 2016): Bulletin Summary published. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-MAR *** [R1] PHP < 5.6.18 / PCRE < 8.38 Vulnerabilities Affect Tenable SecurityCenter *** --------------------------------------------- http://www.tenable.com/security/tns-2016-04 *** Bugtraq: [security bulletin] HPSBHF03557 rev.1 - HPE Networking Products using Comware 7 (CW7) running NTP, Remote Denial of Service (DoS) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537721 *** Persistent Cross-Site Scripting Vulnerability in Citrix XenMobile Server 10.x Web User Interface *** --------------------------------------------- This vulnerability could potentially be used to execute malicious client-side script in the same context as legitimate content from the web server; if this vulnerability is used to execute script in the browser of an authenticated administrator then the script may be able to gain access to the administrator's session or other potentially sensitive information. --------------------------------------------- https://support.citrix.com/article/CTX207499 *** Cisco Cable Modem with Digital Voice Remote Code Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco ASA Content Security and Control Security Services Module Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Wireless Residential Gateway with EDVA Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Wireless Residential Gateway Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…

1 0

Tageszusammenfassung - Dienstag 8-03-2016
by Daily end-of-shift report 08 Mar '16

08 Mar '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 07-03-2016 18:00 − Dienstag 08-03-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** PhishLabs on the growing sophistication of business email scams *** --------------------------------------------- At the 2016 RSA Conference, CSOs Steve Ragan chats with Joseph Opacki from PhishLabs about how cyber-criminals are becoming increasingly smarter about targeting specific high-end business users to try and steal data or money. --------------------------------------------- http://www.cio.com/video/63026/phishlabs-on-the-growing-sophistication-of-b… *** Google plugs 19 holes in newest Android security update *** --------------------------------------------- In the March 2016 security update for the Android Open Source Project (AOSP), Google has fixed 19 security issues, seven of which are considered to be critical. Among these, and admittedly the most important to patch, are two remote code execution vulnerabilities in - yes, you've guessed it - Mediaserver. Mediaserver is a service in Android that allows the device to index media files that are located on it. The vulnerabilities in question (CVE-2016-0815, CVE-2016-0816)... --------------------------------------------- https://www.helpnetsecurity.com/2016/03/08/android-security-update/ *** Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 12: Controlled Use of Administrative Privileges *** --------------------------------------------- This is Part 12 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here: Part 1 - we looked at Inventory of Authorized and Unauthorized Devices. Part 2 - we looked at Inventory of Authorized and Unauthorized Software. Part 3 - we looked at Secure... --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/free-and-commercial-to… *** Cloud sellers who acted on Heartbleed sink when it comes to DROWN *** --------------------------------------------- An out-stretched arm slowly disappears... Response to the critical web-crypto-blasting DROWN vulnerability in SSL/TLS by cloud services has been much slower than the frantic patching witnessed when the Heartbleed vulnerability surfaced two years ago. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/03/08/drown_vulne… *** Erpressungs-Trojaner Keranger: Wie Sie Ihren Mac schützen *** --------------------------------------------- Erstmals zielt funktionstüchtige Ransomware auf OS-X-Nutzer ab. Nach der Infektion bleiben drei Tage, bis "Keranger" Dokumente verschlüsselt. Nutzer sollten prüfen, ob sie betroffen sind - und Gegenmaßnahmen ergreifen. --------------------------------------------- http://heise.de/-3130854 *** Security Bulletins Posted *** --------------------------------------------- Security Bulletins for Adobe Digital Editions (APSB16-06) as well as Adobe Acrobat and Reader (APSB16-09) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. A security... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1322 *** DFN-CERT-2016-0402: ISC DHCP: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0402/ *** DFN-CERT-2016-0405: PuTTY: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0405/ *** DFN-CERT-2016-0400: BlackBerry powered by Android: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes mit den Rechten des Mediaservers *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0400/ *** Bugtraq: ESA-2016-012: EMC Documentum xCP - User Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/537712 *** [R3] OpenSSL 20160301 Advisory Affects Tenable Nessus *** --------------------------------------------- http://www.tenable.com/security/tns-2016-03 *** Security Advisory: Libpng vulnerability CVE-2015-8472 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/81/sol81903701.html?… *** Security Advisory: OpenSSL vulnerabilities CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23196136.html?… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) and OpenSSL vulnerabilities affect WebSphere Cast Iron. (CVE-2015-7547 CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 CVE-2015-1794) *** http://www.ibm.com/support/docview.wss?uid=swg21978339 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in current releases of IBM SDK for Node.js in IBM Bluemix (CVE-2015-3197, CVE-2016-2086, CVE-2016-2216) *** http://www.ibm.com/support/docview.wss?uid=swg21977242 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM XIV Gen2 (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005618 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM XIV Gen3 (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005619 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM XIV Gen3 systems and IBM XIV Management Tools (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1005615 ---------------------------------------------

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily