=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 15-04-2015 18:00 − Donnerstag 16-04-2015 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
*** Impacts of a Hack on a Magento Ecommerce Website ***
---------------------------------------------
Recently we wrote about the impacts of a hacked website and how it is important to give website visitors a safe online experience In this post, I'll show you how a hacked website results in almost immediate loss of money. We are not talking about drive-by infections that can be prevented by using a good anti-virus, updated software, and extensions like NoScript. ... This time, we're talking about using legitimate sites that have absolutely no externally visible signs of compromise.
---------------------------------------------
https://blog.sucuri.net/2015/04/impacts-of-a-hack-on-a-magento-ecommerce-we…
*** Services - Critical - Multiple Vulnerabilites - SA-CONTRIB-2015-096 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2015-096
Project: Services (third-party module)
Version: 7.x
Date: 2015-April-15
Security risk: 16/25 ( Critical) AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass, Arbitrary PHP code execution
---------------------------------------------
https://www.drupal.org/node/2471879
*** Display Suite - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-095 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2015-095
Project: Display Suite (third-party module)
Version: 7.x
Date: 2015-April-15
Security risk: 13/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
---------------------------------------------
https://www.drupal.org/node/2471733
*** The Delicate Art of Remote Checks - A Glance Into MS15-034 ***
---------------------------------------------
Recently, the research team posted a testing script for the MS15-034 vulnerability to pastebin for the greater community to test. We received some feedback about how exactly we figured out how to check, and remote checks in general.
---------------------------------------------
http://blog.beyondtrust.com/the-delicate-art-of-remote-checks-a-glance-into…
*** Denial of Service Attacks Possible with OpenSSL Vulnerability CVE-2015-1787 ***
---------------------------------------------
On March 19 we wrote about how OpenSSL disclosed and fixed 13 vulnerabilities to address several security holes. Among the vulnerabilities addressed was CVE-2015-1787, which can result in a complete denial of service on an application compiled with OpenSSL library. This blog post will tackle how the bug can be exploited ...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Q6dMoVlcsE4/
*** Exploit kits (still) pushing Teslacrypt ransomware, (Thu, Apr 16th) ***
---------------------------------------------
Teslacrypt is a form of ransomware that was first noted in January of this year. This malware apparently targets video game-related files. Ive seen Teslacrypt dropped by the Sweet Orange exploit kit (EK), and its also been dropped by Nuclear EK. McAfee saw it dropped by Angler EK last month.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19581&rss
*** New POS Malware Emerges - Punkey ***
---------------------------------------------
During a recent United States Secret Service investigation, Trustwave encountered a new family of POS malware, that we named Punkey. It appears to have evolved from the NewPOSthings family of malware first discovered by Dennis Schwarz and Dave Loftus at...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges…
*** IBM stellt seine Security-Datenbank ins Netz ***
---------------------------------------------
IBM Security macht seine IT-Sicherheitsdatenbank künftig auf der Sharing-Plattform X-Force Exchange in der Cloud zugänglich.
---------------------------------------------
http://heise.de/-2608795
*** crossdomain.xml : Beware of Wildcards ***
---------------------------------------------
This blog entry will describe a wide spread Flash vulnerability that affected many big websites including paypal.com. The description will picture the state of the website paypal.com and ebay.com in 2013-2014. The vulnerabilities were completely fixed two weeks ago. Therefore, it is not possible to reproduce this vulnerability as-is.
---------------------------------------------
http://blog.h3xstream.com/2015/04/crossdomainxml-beware-of-wildcards.html
*** Cisco Secure Access Control Server Dashboard Page Cross-Site Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/viewAlert.x?alertId=38403
*** Cisco Secure Desktop Cache Cleaner Command Execution Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IOS XR Software BVI Routed Packet Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 14-04-2015 18:00 − Mittwoch 15-04-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Adobe Security Bulletins Posted ***
---------------------------------------------
The following Security Bulletins have been posted today: APSB15-06: Security updates available for Adobe Flash Player APSB15-07: Security update: hotfixes available for ColdFusion APSB15-08: Security bulletin available ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1190
*** MSRT April: Unskal, Saluchtra, Dexter and IeEnablerCby ***
---------------------------------------------
This month we added four new malware families to the Malicious Software Removal Tool: Win32/Saluchtra, Win32/Dexter, Win32/Unskal and Win32/IeEnablerCby, further protecting customers against malicious activity. IeEnablerCby is ..
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2015/04/14/msrt-april-unskal-saluch…
*** Cisco TelePresence Collaboration Desk and Room Endpoints HTML Redirect Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=38350
*** Cisco Web Security Appliance Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=38351
*** Critical Patch Update - April 2015 ***
---------------------------------------------
This Critical Patch Update contains 98 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is ..
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
*** Solaris Third Party Bulletin - April 2015 ***
---------------------------------------------
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.h…
*** Alte Xorg-Lücke bedroht haufenweise Drittsoftware ***
---------------------------------------------
Die Lücke wurde bereits 2013 gestopft. Programme, die unter der Verwendung von Headern aus verwundbaren Versionen übersetzt wurden, sind allerdings nach wie vor angreifbar.
---------------------------------------------
http://heise.de/-2606536
*** What the Ridiculous Fuck, D-Link?! ***
---------------------------------------------
As mentioned in an update to my post on the HNAP bug in the DIR-890L, the same bug was reported earlier this year in the DIR-645, and a patch was released. D-Link ..
---------------------------------------------
http://www.devttys0.com/2015/04/what-the-ridiculous-fuck-d-link/
*** Das Imperium schlägt zurück: Hacker-Gruppen ziehen gegeneinander zu Felde ***
---------------------------------------------
Zwei Cyberspionage-Gruppen kamen sich in die Quere und attackierten sich wechselseitig. Sicherheitsforscher sehen hier einen neuen Trend, bei dem sich Hacker-Gruppen gezielt gegenseitig anfeinden.
---------------------------------------------
http://heise.de/-2607493
*** Microsoft Security Bulletin Summary for April 2015 ***
---------------------------------------------
This bulletin summary lists security bulletins released for April 2015. For information about how to receive automatic notifications whenever Microsoft security bulletins are ..
---------------------------------------------
https://technet.microsoft.com/library/security/ms15-apr
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 13-04-2015 18:00 − Dienstag 14-04-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Web Security Appliance Python File Processing Privilege Escalation Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=38306
*** Linux 4.0 freigegeben: Sicherheitslücken im laufenden Betrieb korrigieren ***
---------------------------------------------
Bei Linux 4.0 lassen sich Sicherheitslücken ohne Neustart des Systems beheben. Ein verzögertes Aktualisieren von Dateieigenschaften soll die Performance von Ext4 verbessern.
---------------------------------------------
http://heise.de/-2600691
*** A Tale of Two Exploits ***
---------------------------------------------
CVE-2015-0336 is a type confusion vulnerability in the AS2 NetConnection class. I reported this issue in January and soon wrote a proof-of-concept exploit for the bug. The issue was patched by Adobe in March and less than a ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html
*** Bioazih RAT: How clean-file metadata can help keep you safe ***
---------------------------------------------
As mentioned in our previous blog post about the Microsoft Clean-File Metadata initiative, there are a number of benefits for our partners and customers who use our clean or released-file metadata, specifically during antimalware whitelisting efforts. Using the authoritative metadata manifest ..
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2015/04/13/bioazih-rat-how-clean-fi…
*** New Trojan for Linux attacks websites ***
---------------------------------------------
April 13, 2015 Doctor Web security researchers have examined a new Trojan that can infect computers with Linux operating system. This malicious program possesses the ability to scan remote websites for vulnerabilities and to attack resources with the specified HTTP protocol addresses. Criminals can ..
---------------------------------------------
http://news.drweb.com/show/?i=9386&lng=en&c=9
*** IT-Sicherheit: Auch Medizintechnik lässt sich hacken ***
---------------------------------------------
Überdosis nicht mehr ausgeschlossen: Der Sicherheitsforscher Billy Rios kann eine in Krankenhäusern verwendete Infusionspumpe über das Intranet manipulieren.
---------------------------------------------
http://www.golem.de/news/it-sicherheit-auch-medizintechnik-laesst-sich-hack…
*** As Ransomware Attacks Evolve, More Potential Victims Are at Risk ***
---------------------------------------------
In early December, as most people were dealing with the stress of looking for the perfect holiday gifts and planning out their upcoming celebrations, police officers in ..
---------------------------------------------
http://threatpost.com/as-ransomware-attacks-evolve-more-potential-victims-a…
*** Sicherheitssoftware klemmt Windows vom IPv6-Internet ab ***
---------------------------------------------
Die Sicherheitssoftware Warsaw 1.5.1 für Windows blockiert Internetserver, die sowohl über IPv6 als auch IPv4 erreichbar sind. Betroffen sind vor allem mehrere Millionen brasilianischer Windows-Geräte, deren Nutzer Homebanking betreiben.
---------------------------------------------
http://heise.de/-2603192
*** TV5Monde - A (tentative) technical analysis ***
---------------------------------------------
As it may appear surprising that a TV station can be forced to stop broadcasting after having its website defaced and social network accounts controlled by some hackers, I've tried to collect publicly available technical information and improve my understanding of this interesting issue. Below you ..
---------------------------------------------
http://www.fixsing.com/tv5monde-a-tentative-technical-analysis/
*** Hardening IIS Security ***
---------------------------------------------
Security is an essential part of a web application and should be taken into consideration from the first stage of the development process. A website couldn't ever be secure enough unless you would undertake necessary security ..
---------------------------------------------
http://resources.infosecinstitute.com/hardening-iis-security/
*** Verschlüsselung: Auch Mozilla will HTTPS zum Standard machen ***
---------------------------------------------
Ein Vorschlag von Mozilla sieht vor, dass der Firefox-Browser künftig bestimmte neue Features nur noch über HTTPS-Verbindungen zulässt. Langfristig wird angestrebt, dass alle Webseiten HTTPS benutzen.
---------------------------------------------
http://www.golem.de/news/verschluesselung-auch-mozilla-will-https-zum-stand…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 10-04-2015 18:00 − Montag 13-04-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco Web Security Appliance Pickle Python Module Arbitrary Code Execution Vulnerability ***
---------------------------------------------
A vulnerability in the status checking process of support remote access tunnels in the Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to execute arbitrary Python code on a targeted system.
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=38305
*** Hacking the D-Link DIR-890L ***
---------------------------------------------
The past 6 months have been incredibly busy, and I haven't been keeping up with D-Link's latest shenanigans. In need of some entertainment, I went to their web page today and was greeted by this atrocity: I think the most ..
---------------------------------------------
http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/
*** Reversing Belkin's WPS Pin Algorithm ***
---------------------------------------------
After finding D-Link's WPS algorithm, I was curious to see which vendors might have similar algorithms, so I grabbed some Belkin firmware and started dissecting it. This particular firmware uses the SuperTask! RTOS, and in fact uses the ..
---------------------------------------------
http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/
*** Digital Certificates: Who Can You Trust? ***
---------------------------------------------
Digital certificates are the backbone of the Public Key Infrastructure (PKI), which is the basis of trust online. Digital certificates are often compared to signatures; we can trust a document because it has a signature, or certificate authority (CA) by someone we trust. Simply put, ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/digital-certific…
*** APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation ***
---------------------------------------------
Having some of the world's most active economies, Asia Pacific countries are more likely to be a target of targeted attacks than the rest of the world. In Operation Quantum Entanglement, Pacific Ring of Fire: PlugX / Kaba and other FireEye reports, we have highlighted how Northeast Asian countries have been ..
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.h…
*** Polizeiorganisation Interpol verstärkt Kampf gegen Cyberkriminalität ***
---------------------------------------------
Zum Kampf gegen die Internetkriminalität und andere neue Bedrohungen hat die internationale Polizeiorganisation Interpol ein Forschungszentrum in Singapur eröffnet. Der Interpol-Weltkomplex für Innovation (IGCI) soll ..
---------------------------------------------
http://heise.de/-2599811
*** Windows XP noch auf zehntausenden Berliner Behörden-PCs ***
---------------------------------------------
Seit einem Jahr gibt es keine offiziellen Patches mehr für Windows XP. Dennoch ist das fast 14 Jahre alte Betriebssystem noch weiter verbreitet, als Sicherheitsexperten lieb ist. In der Berliner Verwaltung sollen es sogar noch zehntausende PCs sein. Der Datenschutzbeauftragte Alexander Dix fordert nun die Abschaltung aller Behördenrechner.
---------------------------------------------
http://derstandard.at/2000014223975
*** Zero Access Malware ***
---------------------------------------------
The Zero Access trojan (Maxx++, Sierief, Crimeware) has affected millions of computers worldwide, and it is the number one cause of cyber click fraud and Bitcoin mining on the Internet. Once the trojan has been delivered into the system, it ..
---------------------------------------------
http://resources.infosecinstitute.com/zero-access-malware/
*** Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months ***
---------------------------------------------
Today Interpol and the Dutch National High Tech Crime Unit (DNHTCU) announced the disruption of Simda.AT, a significant malware threat affecting more than 770,000 computers in over 190 countries. The Simda.AT variant first appeared in ..
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2015/04/12/microsoft-partners-with-…
*** How to bypass Google's Santa LOCKDOWN mode ***
---------------------------------------------
Santa is a binary whitelisting/blacklisting system made by Google's Macintosh Operations Team. While I refer to it as Google's Santa it is not an official Google product. It is based on a kernel extension and userland components to ..
---------------------------------------------
https://reverse.put.as/2015/04/13/how-to-bypass-googles-santa-lockdown-mode/
*** Huthos VPS Provider: Totally legit, 1000% not a criminal organization - Andrew Morris ***
---------------------------------------------
I observed a hacker trying to compromise one of my internet-facing Linux servers and repurpose it to sell to unknowing legitimate customers.
---------------------------------------------
http://morris.guru/huthos-the-totally-100-legit-vps-provider/
*** OS X 10.10.3 soll gegen Adware helfen ***
---------------------------------------------
Apple hat weitere Massnahmen gegen Adware ergriffen, die verstärkt kostenlosen Mac-Programmen beim Download beigelegt wird und unter anderem Browser-Einstellungen ändert.
---------------------------------------------
http://heise.de/-2601940
*** VU#672268: Microsoft Windows NTLM automatically authenticates via SMB when following a file:// URL ***
---------------------------------------------
Software running on Microsoft Windows that utilizes HTTP requests can be forwarded to a file:// protocol on a malicious server, which causes Windows to automatically attempt authentication via SMB to the malicious server in some circumstances. The ..
---------------------------------------------
http://www.kb.cert.org/vuls/id/672268
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 09-04-2015 18:00 − Freitag 10-04-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Beebone: FBI und Europol legen Wurm-Netz lahm ***
---------------------------------------------
Das interessante am ausgeschalteten Beebone-Botnetz ist der Schädling dahinter: Es handelt sich um einen Downloader, der anderen Unrat nachlädt, sich selber weiter verbreitet und dabei ständig mutiert.
---------------------------------------------
http://heise.de/-2598111
*** How To Create a Website Backup Strategy ***
---------------------------------------------
We've all heard it million times before - backups are important. Still, the reality is that even today, backups remain one of the most overlooked and under-utilized precautions we can take to protect our vital data. Why are backups so important Put simply, a good set of backups can save your website when absolutely everythingRead More
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/II8TR_qV6OA/how-to-create-a-w…
*** 122 online forums compromised to redirect visitors to Fiesta exploit kit ***
---------------------------------------------
Over a hundred forum websites have been compromised and injected with code that redirects users to sites hosting the Fiesta exploit kit, Cyphort researchers have found. These are not highly popular...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/4VryRaL3aoc/malware_news.…
*** Don't Be Fodder for China's "Great Cannon" ***
---------------------------------------------
China has been actively diverting unencrypted Web traffic destined for its top online search service -- Baidu.com -- so that some visitors from outside of the country were unwittingly enlisted in a novel and unsettling series of denial-of-service attacks aimed at sidelining sites that distribute anti-censorship tools, according to research released this week.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/-n1M-QyvCoA/
*** Cisco and Level 3 team up to squash brute force server hijackers ***
---------------------------------------------
#DownWithSSHPsychos Cisco and service provider Level 3 have teamed up take down netblocks linked to brute-force hack kingpins SSHPsychos, severely degrading (but not destroying) the groups potential to hack servers in the process.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/04/10/sshpsychos_…
*** In eigener Sache: Wartungsarbeiten 16. 4. 2015 ***
---------------------------------------------
In eigener Sache: Wartungsarbeiten 16.4.2015 | 10. April 2015 | Am Donnerstag, 16. April 2015, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies kann zu kurzen Service-Ausfällen führen (jeweils im Bereich weniger Minuten). Es gehen dabei keine Daten (zb Emails) verloren, es kann sich nur die Bearbeitung etwas verzögern. In dringenden Fällen können sie uns wie gewohnt telefonisch unter +43 1 505 64 16 78 erreichen.
---------------------------------------------
http://www.cert.at/services/blog/20150410112411-1466.html
*** Cisco Aggregate Services Router 9000 ASR9K Security Bypass Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=38292
*** Red Hat JBoss XML External Entity Expansion Flaw Lets Remote Users Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1032017
*** VMSA-2015-0003.1 ***
---------------------------------------------
VMware product updates address critical information disclosure issue in JRE
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0003.html
*** f5 Security Advisories ***
---------------------------------------------
*** Security Advisory: FreeType vulnerabilities CVE-2014-9656 and CVE-2014-9659 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16380.htm…
*** Security Advisory: Linux kernel vulnerability CVE-2014-9683 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16381.htm…
*** Security Advisory: OpenSSL vulnerability CVE-2012-2110 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/200/sol16285.htm…
*** Security Advisory: Linux file utility vulnerabilities CVE-2014-8116 / CVE-2014-8117 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16347.htm…
*** Security Advisory: GnuPG vulnerability CVE-2013-4576 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16396.htm…
*** Security Advisory: Linux RPM vulnerability CVE-2013-6435 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16383.htm…
*** Security Advisory: Multiple MySQL vulnerabilities ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16389.htm…
*** Security Advisory: NTP vulnerability CVE-2014-9297 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16392.htm…
*** Security Advisory: Python vulnerability CVE-2006-4980 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16398.htm…
*** Security Advisory: Multiple MySQL vulnerabilities ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16385.htm…
*** Security Advisory: NTP vulnerability CVE-2014-9298 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16393.htm…
*** Security Advisory: Apache Tomcat vulnerability CVE-2014-0227 ***
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16344.htm…
*** DFN-CERT-2015-0483 - F5 Networks BIG-IP Protocol Security Module (PSM), F5 Networks BIG-IP Systeme: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ***
---------------------------------------------
08.04.2015
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0483/
*** DFN-CERT-2015-0318 - IBM Java, IBM Notes, IBM Domino: Mehrere Schwachstellen ermöglichen die Übernahme der Systemkontrolle ***
---------------------------------------------
10.03.2015
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0318/
*** Security_Advisory-Xen Vulnerabilities on Huawei FusionSphere products ***
---------------------------------------------
Apr 10, 2015 10:12
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor…
*** [2015-04-10] Unauthenticated Local File Disclosure in multiple TP-LINK products ***
---------------------------------------------
Attackers can read sensitive configuration files without prior authentication on multiple TP-LINK devices. These files e.g. include the administrator credentials and the WPA passphrase.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 08-04-2015 18:00 − Donnerstag 09-04-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Securing high-risk, third-party relationships ***
---------------------------------------------
High-profile attacks reveal that malicious hackers target third-party vendors and supply chain partners as a backdoor into their primary target, according to CyberArk Software. Organizations in e...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/vSpu1uYwxR4/secworld.php
*** AlienSpy RAT exploited to deliver the popular Citadel Trojan ***
---------------------------------------------
Security experts at Fidelis firm discovered that variants of the AlienSpy remote access trojan (RAT) are currently being used in global phishing campaigns. Cyber criminals have exploited the AlienSpy RAT to deliver the popular Citadel banking Trojan and maintain the persistence inside the targeted architecture with a backdoor mechanism. Criminal crews used AlienSpy RAT to compromise systems in...
---------------------------------------------
http://securityaffairs.co/wordpress/35802/cyber-crime/alienspy-rat-citadel-…
*** Apple aktualisiert Safari für OS X 10.8, 10.9 und 10.10 ***
---------------------------------------------
Mit den Versionen 8.0.5, 7.1.5 und 6.2.5 seines Browsers behebt Cupertino jede Menge Sicherheitslücken, darunter auch ein altes Problem im Privatmodus.
---------------------------------------------
http://heise.de/-2597649
*** 44 Relevant Cyber Security Conferences around the World ***
---------------------------------------------
Wherever you may be in the world, chances are there's a cyber security event happening near you this year. Cyber security conferences are important and necessary for the industry and for each of us, individually, because they help bring together the community. What's more, innovation often spurs after having a meaningful discussion with a peer or a mentor, or after being part of a conversation on your favorite topic in the field of information security.
---------------------------------------------
https://heimdalsecurity.com/blog/44-relevant-cyber-security-conferences-aro…
*** Polymorphic Beebone botnet sinkholed in international police operation ***
---------------------------------------------
On April 8, a global operation targeted the Beebone (also known as AAEH) botnet, a polymorphic downloader bot which installs various forms of malware on victims' computers. Initial figures show tha...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/MGj0qJKKZ0I/secworld.php
*** Deadly combination of Upatre and Dyre Trojans still actively targeting users ***
---------------------------------------------
Upatre (or Waski) is a downloader Trojan that has lately become the malware of choice for cyber crooks to deliver additional, more dangerous malware on users computers. A few weeks ago, Swiss and ...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/IJ4tqq_YAUU/malware_news.…
*** LG software disables Windows security feature, developer says ***
---------------------------------------------
LG Split Screen software that comes with the companys ultra wide monitors stealthily weakens Windows users defenses by deactivating the OS User Account Control (UAC) feature, developer Christopher ...
---------------------------------------------
http://feedproxy.google.com/~r/HelpNetSecurity/~3/1t_AM7tskik/secworld.php
*** Hidden backdoor API to root privileges in Apple OS X ***
---------------------------------------------
The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It's been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to escalate privileges to root from any user account in the system.
---------------------------------------------
https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-pri…
*** The Banking Trojan Emotet: Detailed Analysis ***
---------------------------------------------
The Emotet Trojan is a highly automated and developing, territorially-targeted bank threat. Its small size, the dispersal methods used and the modular architecture, all make Emotet a very effective weapon for the cyber-criminal.
---------------------------------------------
http://securelist.com/analysis/69560/the-banking-trojan-emotet-detailed-ana…
*** Apple Leaves CNNIC Root in iOS, OSX Certificate Trust Lists ***
---------------------------------------------
When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether, Apple has kept the root certificates in its trusted store for both iOS and OSX. Apple on Wednesday released...
---------------------------------------------
http://threatpost.com/apple-leaves-cnnic-root-in-ios-osx-certificate-trust-…
*** TA15-098A: AAEH ***
---------------------------------------------
Original release date: April 09, 2015 Systems Affected Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012 Overview AAEH is a family of polymorphic downloaders created with the primary purpose of downloading other malware, including password stealers, rootkits, fake antivirus, and ransomware.The United States Department of Homeland Security (DHS), in collaboration with Europol, the Federal Bureau of Investigation (FBI) and...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA15-098A
*** ZDI-15-119: IBM Tivoli Storage Manager FastBack CRYPTO_S_EncryptBufferToBuffer Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Storage Manager FastBack. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/OQuaNiGQOf8/
*** ZDI-15-118: IBM Tivoli Storage Manager FastBack Mount CMountDismount::GetVaultDump Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Storage Manager FastBack. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/RumTeWThXlw/
*** DFN-CERT-2015-0484 - F5 Networks BIG-IP Protocol Security Module (PSM), F5 Networks BIG-IP Systeme: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes ***
---------------------------------------------
08.04.2015
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0484/
*** DFN-CERT-2015-0477 - MantisBT: Mehrere Schwachstellen ermöglichen u. a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
08.04.2015
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0477/
*** Asterisk TLS Certificate Validation Flaw With Null Byte in Common Name Lets Remote Users Bypass Certificate Validation ***
---------------------------------------------
http://www.securitytracker.com/id/1032052
*** CiviCRM private report - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-094 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2015-094Project: CiviCRM private report (third-party module)Version: 6.x, 7.xDate: 2015-April-08 Security risk: 13/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryDescriptionCiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the "Administer reports" permission.The
---------------------------------------------
https://www.drupal.org/node/2467697
*** [2015-04-09] Multiple XSS & XSRF vulnerabilities in Comalatech Comala Workflows ***
---------------------------------------------
XSS and XSRF vulnerabilities within the Confluence plugin Comala Workflows of Comalatech enable an attacker to perform unauthorized actions in the name of another logged-in user and attack other users of the web application with JavaScript code, browser exploits or Trojan horses.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015…
*** Juniper Security Advisories ***
---------------------------------------------
*** JSA10679 - 2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory. ***
http://kb.juniper.net/index?page=content&id=JSA10679&actp=RSS
*** JSA10680 - 2015-04 Security Bulletin: OpenSSL 19th March 2015 advisory ***
http://kb.juniper.net/index?page=content&id=JSA10680&actp=RSS
*** JSA10678 - 2015-04 Security Bulletin: Junos: Insufficient entropy on QFX3500 and QFX3600 platforms when the system boots up (CVE-2015-3006) ***
http://kb.juniper.net/index?page=content&id=JSA10678&actp=RSS
*** JSA10677 - 2015-04 Security Bulletin: SRX Series: Cross-Site-Scripting Vulnerability in Dynamic VPN (CVE-2015-3005). ***
http://kb.juniper.net/index?page=content&id=JSA10677&actp=RSS
*** JSA10676 - 2015-04 Security Bulletin: SRX Series: ISC BIND vulnerability denial of service in delegation handling (CVE-2014-8500) ***
http://kb.juniper.net/index?page=content&id=JSA10676&actp=RSS
*** JSA10675 - 2015-04 Security Bulletin: Junos J-Web: Clickjacking vulnerability (CVE-2015-3004) ***
http://kb.juniper.net/index?page=content&id=JSA10675&actp=RSS
*** JSA10674 - 2015-04 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2015-3003) ***
http://kb.juniper.net/index?page=content&id=JSA10674&actp=RSS
*** JSA10673 - 2015-04 Security Bulletin: IDP: Multiple vulnerabilities addressed by third party software updates. ***
http://kb.juniper.net/index?page=content&id=JSA10673&actp=RSS
*** JSA10672 - 2015-04 Security Bulletin: SRX Series: disconnecting from console may not automatically log out (CVE-2015-3002) ***
http://kb.juniper.net/index?page=content&id=JSA10672&actp=RSS
*** Apple Security Advisories ***
---------------------------------------------
Apple TV 7.2
https://support.apple.com/kb/HT204662
*** iOS 8.3 ***
https://support.apple.com/kb/HT204661
*** OS X Yosemite 10.10.3 and Security Update 2015-004 ***
https://support.apple.com/kb/HT204659
*** Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5 ***
https://support.apple.com/kb/HT204658
*** OS X Yosemite 10.10.3 Combo Update ***
https://support.apple.com/kb/DL1804
*** OS X Yosemite 10.10.3 Update ***
https://support.apple.com/kb/DL1805
*** Security Update 2015-004 Mountain Lion ***
https://support.apple.com/kb/DL1802
*** Security Update 2015-004 Mavericks ***
https://support.apple.com/kb/DL1803
*** iOS 8.3 ***
https://support.apple.com/kb/DL1806
*** Xcode 6.3 ***
https://support.apple.com/kb/HT204663
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 07-04-2015 18:00 − Mittwoch 08-04-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Gmail Problems Due to Expired Certificate (April 6, 2015) ***
---------------------------------------------
Because Google allowed a servers security certificate to expire, Gmail users experienced problems for several hours on April 4.......
---------------------------------------------
http://www.sans.org/newsletters/newsbites/r/17/27/302
*** Aw snap! How hideous HTML can crash Chrome tabs in one click ***
---------------------------------------------
Watch out for drive-by browser bombs - for now, at least A bug in the most recent version of the Chrome allows miscreants to crash browser tabs simply by embedding a link with a malformed URL in the HTML of a page.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/04/07/chrome_awsn…
*** Drive-by-login attack identified and used in lieu of spear phishing campaigns ***
---------------------------------------------
A new attack, drive-by-logins, allows attackers to target specific victims on sites they trust.
---------------------------------------------
http://www.scmagazine.com/high-tech-bridge-identifies-new-attack-method-pos…
*** Nuclear Exploit-Kit mit Google Ads ausgeliefert ***
---------------------------------------------
Googles Werbebanner lieferten für mehrere Stunden ein gefährliches Exploit-Kit aus, das die Rechner vieler nichtsahnender Opfer mit Schadcode infiziert haben könnte.
---------------------------------------------
http://heise.de/-2596908
*** Most top corporates still Heartbleeding over the internet ***
---------------------------------------------
Australia crowned global head-in-sand champion A depressing 76 percent of the top 2000 global organisations have public facing systems still exposed to Heartbleed, researchers say.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/04/08/still_bleed…
*** Your home automation things are a security nightmare ***
---------------------------------------------
Veracode tests leave lazy devs red-faced Its not just home broadband routers that have hopeless security: according to security outfit Veracode, cloudy home automation outfits also need to hang their collective heads in shame.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/04/08/your_home_a…
*** Why cybersecurity is vital during the vendor selection process ***
---------------------------------------------
You likely have a list of criteria to check through during the hiring process of a vendor, but if you havent added cybersecurity standards to that list, you should.
---------------------------------------------
http://www.scmagazine.com/why-cybersecurity-is-vital-during-the-vendor-sele…
*** l+f: Updated euer WordPress oder ISIS kommt! ***
---------------------------------------------
Das FBI schlägt Alarm: Sympathisanten des Islamischen Staates hacken haufenweise WordPress-Seiten.
---------------------------------------------
http://heise.de/-2596912
*** Guide outlines specifications of smart card-based PACS ***
---------------------------------------------
Smart cards are increasingly accepted as the credential of choice for securely authenticating identity, determining appropriate levels of information access and controlling physical access. To furt...
---------------------------------------------
http://www.net-security.org/secworld.php?id=18179
*** A flawed ransomware encryptor ***
---------------------------------------------
Last autumn, we discovered the first sample of an interesting new encryptor, TorLocker. The Trojan encrypts all files with AES-256 + RSA-2048 and uses the Tor network to contact its "owners".
---------------------------------------------
http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/
*** New Tor version fixes issues that can crash hidden services and clients ***
---------------------------------------------
Two new versions of the Tor anonymity software have been released on Tuesday, with fixes for two security issues that can be exploited to crash hidden services and clients visiting them. The first ...
---------------------------------------------
http://www.net-security.org/secworld.php?id=18180
*** Don't judge the risk by the logo ***
---------------------------------------------
It's been almost a year since the OpenSSL Heartbleed vulnerability, a flaw which started a trend of the branded vulnerability, changing the way security vulnerabilities affecting open-source software are being reported and perceived. Vulnerabilities are found and fixed all the...
---------------------------------------------
https://securityblog.redhat.com/2015/04/08/dont-judge-the-risk-by-the-logo/
*** NTP Project ntpd reference implementation contains multiple vulnerabilities ***
---------------------------------------------
NTP Project ntpd reference implementation accepts unauthenticated packets with symmetric key cryptography and does not protect symmetric associations against denial of service attacks.
---------------------------------------------
https://www.kb.cert.org/vuls/id/374268
*** Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products ***
---------------------------------------------
cisco-sa-20150408-ntpd
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco ASA FirePOWER Services and Cisco ASA CX Services Crafted Packets Denial of Service Vulnerability ***
---------------------------------------------
cisco-sa-20150408-cxfp
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Cisco ASA Software ***
---------------------------------------------
cisco-sa-20150408-asa
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** HPSBHF03310 rev.1 - HP Thin Clients running Windows Embedded Standard 7 (WES7) or Windows Embedded Standard 2009 (WES09) with HP Easy Deploy, Remote Elevation of Privilege, Execution of Code ***
---------------------------------------------
Potential security vulnerabilities have been identified with certain HP Thin Clients running Windows Embedded Standard 7 (WES7) and Windows Embedded Standard 2009 (WES09) and all versions of HP Easy Deploy. The vulnerabilities could be exploited remotely to allow elevation of privilege and execution of code.
---------------------------------------------
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04629160
*** SSA-487246 (Last Update 2015-04-08): Vulnerabilities in SIMATIC HMI Devices ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit…
*** FreeBSD IPv6 Router Advertisement Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1032043
*** DSA-3214 mailman - security update ***
---------------------------------------------
A path traversal vulnerability was discovered in Mailman, the mailinglist manager. Installations using a transport script (such aspostfix-to-mailman.py) to interface with their MTA instead of staticaliases were vulnerable to a path traversal attack. To successfullyexploit this, an attacker needs write access on the local file system.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3214
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 03-04-2015 18:00 − Dienstag 07-04-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** On Demand Webinar: Monitoring Linux/UNIX Privileged Users ***
---------------------------------------------
On Demand Webinar - Randy Franklin Smith looks at how to audit what admins do inside Linux and UNIX with sudo's logging capabilities. Then, the BeyondTrust team will walk through how to augment sudo for complete control and auditing over UNIX and Linux user activity.
---------------------------------------------
http://blog.beyondtrust.com/on-demand-webinar-monitoring-linuxunix-privileg…
*** Dyre Wolf malware steals more than $1 million, bypasses 2FA protection ***
---------------------------------------------
Campaign is crude and brazen, but rakes in cash anyway.
---------------------------------------------
http://feeds.arstechnica.com/~r/arstechnica/security/~3/dSucTqiLvNI/
*** Angler Exploit Kit Utilizing 302 Cushioning and Domain Shadowing ***
---------------------------------------------
Overview Angler Exploit Kit is one of the most prevalent and advanced exploit kits in use today and is continually evolving. Angler continues to utilize malvertising to push landing pages and malicious actors are still registering domains solely for serving exploits, but recently, weve noticed an increase in two new infection vectors - 302 Cushioning and Domain Shadowing. 302 Cushioning, or a
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/JUMaL-rqARE/angler-explo…
*** Bugs in Tor exploited to run DoS against black markets ***
---------------------------------------------
A severe vulnerability in Tor network was exploited by attackers to run denial of service attacks against two underground black markets. An operator of an underground black market hosted on the Tor network revealed that hit site suffered a DoS attack that exploited a flaw in Tor architecture. The event is not isolated, a similar...
---------------------------------------------
http://securityaffairs.co/wordpress/35663/hacking/bugs-in-tor-dos.html
*** Bring Out Your Dead: An Update on the PCI relevance of SSLv3 ***
---------------------------------------------
In October, a tidal wave of discussion surrounding SSLv3 hit the information security community with the release of the POODLE attack vector. This served to heat up existing discussions about when and how organizations would give SSLv3 the final thump...
---------------------------------------------
https://www.ambiron.com/Resources/SpiderLabs-Blog/Bring-Out-Your-Dead--An-U…
*** A severe arbitrary code execution in BitTorrent Sync affects various products ***
---------------------------------------------
A security expert has discovered a severe vulnerability in BitTorrent Sync that can be exploited by a remote attacker to execute arbitrary code on a vulnerable machine. The security expert Andrea Micalizzi, also known as "rgod", has discovered a serious vulnerability in BitTorrent Sync (CVE-2015-2846) can be exploited by a remote attacker to execute arbitrary code.
---------------------------------------------
http://securityaffairs.co/wordpress/35752/hacking/severe-flaw-bittorrent-sy…
*** SS7-Schwachstellen: Firewalls sollen Angriffe mildern ***
---------------------------------------------
Die Probleme im Protokoll SS7 lassen sich nicht ohne weiteres absichern, denn es wurden dafür nie entsprechende Sicherheitsmaßnahmen implementiert. Mit Firewalls können Provider Schwachstellen zumindest abmildern.
---------------------------------------------
http://www.golem.de/news/ss7-schwachstellen-firewalls-sollen-angriffe-milde…
*** Fuzzing: Wie man Heartbleed hätte finden können ***
---------------------------------------------
Vor einem Jahr machte der Heartbleed-Bug in OpenSSL Schlagzeilen - doch solche Bugs lassen sich mit Hilfe von Fuzzing-Technologien aufspüren. Wir haben das mit den Tools American Fuzzy Lop und Address Sanitizer nachvollzogen und den Heartbleed-Bug neu entdeckt.
---------------------------------------------
http://www.golem.de/news/fuzzing-wie-man-heartbleed-haette-finden-koennen-1…
*** Firefox-Update: Mozilla schaltet opportunistische Verschlüsselung wieder aus ***
---------------------------------------------
Nicht mal eine Woche nach Firefox 37 muss Mozilla nun Firefox 37.0.1 nachlegen. Das Sicherheits-Feature "opportunistic encryption" kann missbraucht werden, um die Sicherheit von SSL/TLS-Verbindungen zu untergraben und wurde wieder entfernt.
---------------------------------------------
http://heise.de/-2596576
*** Cell Phone Opsec ***
---------------------------------------------
Heres an article on making secret phone calls with cell phones. His step-by-step instructions for making a clandestine phone call are as follows: Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones arent changing locations); Leave your daily cell phone behind...
---------------------------------------------
https://www.schneier.com/blog/archives/2015/04/cell_phone_opse.html
*** ZDI-15-112: ManageEngine Desktop Central MSP InventorySWMeteringServlet domain File Upload Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-112/
*** ZDI-15-113: ManageEngine OpManager MultipartRequestServlet filename File Upload Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-113/
*** ZDI-15-114: ManageEngine Desktop Central MSP AndroidCheckInServlet UDID Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine Desktop Central MSP. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-114/
*** ZDI-15-115: BitTorrent Sync btsync: Protocol Command Injection Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of BitTorrent Sync. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-115/
*** ZDI-15-116: IBM Lotus Domino SSL2 Client Master Key Buffer Overflow Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Domino. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-116/
*** ZDI-15-117: IBM Lotus Domino LDAP ModifyRequest add Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Domino. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-15-117/
*** Security Advisory: OpenSSL vulnerability CVE-2015-0287 ***
---------------------------------------------
(SOL16318)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16318.htm…
*** Security Advisory: OpenSSL vulnerability CVE-2009-5146 ***
---------------------------------------------
(SOL16337)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16337.htm…
*** Security Advisory: Multiple MySQL vulnerabilities ***
---------------------------------------------
(SOL16355)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/300/sol16355.htm…
*** SA-CONTRIB-2015-065 - Registration codes - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2015-065Project: Registration codes (third-party module)Version: 6.x, 7.xDate: 2015-March-04 Security risk: 16/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Scripting, Cross Site Request ForgeryDescriptionRegistration codes module allows new account registrations only for users who provide a valid registration code. The module was not properly sanitizing user supplied text in some pages, thereby exposing XSS
---------------------------------------------
https://www.drupal.org/node/2445955
*** OpenSSH 6.8 Insecure Functions ***
---------------------------------------------
Topic: OpenSSH 6.8 Insecure Functions Risk: Low Text:-=[Advanced Information Security Corp]=- Author: Nicholas Lemonias Report Date: 2/4/2015 Email: lem.nikolas (at) gmail ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015040029
*** IDM 4.0.2 ACF2 Driver Version 4.0.0.3 Patch 1 ***
---------------------------------------------
Abstract: IDM 4.0.2-4.5 Bi-Directional ACF2 Driver Version 4.0.0.3. This patch is for the Identity Manager 4.0.2 to 4.5 ACF2 Driver. Field patch for IDMLOAD.XMT, SAMPLIB.XMT, RACFEXEC.XMTDocument ID: 5206570Security Alert: YesDistribution Type: Field Test FileEntitlement Required: NoFiles:idm402acf2_4003.tar.gz (2.55 MB)Products:Identity Manager 4.0.2Identity Manager 4.5Superceded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=oJ3evaNQb2M~
*** IDM 4.0.2 RACF Driver Version 4.0.0.11 Patch 3 ***
---------------------------------------------
Abstract: IDM 4.0.2-4.5 Bi-Directional RACF Driver Version 4.0.0.11. This patch is for the Identity Manager 4.0.2 to 4.5 RACF Driver. Field patch for IDMLOAD.XMT, SAMPLIB.XMT, RACFEXEC.XMTDocument ID: 5206551Security Alert: YesDistribution Type: Field Test FileEntitlement Required: NoFiles:idm402racf_40011.tar.gz (2.99 MB)Products:Identity Manager 4.0.2Identity Manager 4.5Superceded Patches:IDM 4.0.2 RACF Driver Version 4.0.0.8 Patch2
---------------------------------------------
https://download.novell.com/Download?buildid=6F0mcIA5UQs~
*** IDM 4.0.2-4.5 Top Secret Driver Version 3.6.1.10 Patch 1 ***
---------------------------------------------
Abstract: IDM 4.0.2-4.5 Bi-Directional Top Secret Driver Version 3.6.1.10. Field patch for IDMLOAD.XMT, SAMPLIB.XMT, TSSEXEC.XMTDocument ID: 5206590Security Alert: YesDistribution Type: Field Test FileEntitlement Required: NoFiles:idm402topsecret_36110.tar.gz (2.66 MB)Products:Identity Manager 4.0.2Identity Manager 4.5Superceded Patches: None
---------------------------------------------
https://download.novell.com/Download?buildid=_WYyICODfL8~
*** Cisco Wireless LAN Controller HTML Help Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=38222
*** HPSBMU03296 rev.1 - HP BladeSystem c-Class Onboard Administrator running OpenSSL, Remote Denial of Service (DoS) ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP BladeSystem c-Class Onboard Administrator. These vulnerabilities include the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE", which could be exploited remotely to allow a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04599440
*** HPSBGN03306 rev.1 - HP IceWall SSO MCRP, SSO Dfw, and SSO Agent running OpenSSL, Remote Denial of Service (DoS) ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP IceWall SSO MCRP, SSO Dfw, and SSO Agent running OpenSSL. The vulnerabilities could be exploited remotely resulting in Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04626468
*** DFN-CERT-2015-0463 - Google Chrome, Chromium, Ubuntu oxide-qt: Mehrere Schwachstellen ermöglichen u. a. das Ausführen beliebigen Programmcodes ***
---------------------------------------------
07.04.2015
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2015-0463/
*** Security Advisory: Persistent XSS in WP-Super-Cache ***
---------------------------------------------
Security Risk: Dangerous Exploitation level: Very Easy/Remote DREAD Score: 8/10 Vulnerability: Persistent XSS Patched Version: 1.4.4 During a routine audit for our Website Firewall (WAF), we discovered a dangerous Persistent XSS vulnerability affecting the very popular WP-Super-Cache plugin (more than a million active installs according to wordpress.org). The security issue, as well as another bug-fixRead More
---------------------------------------------
http://blog.sucuri.net/2015/04/security-advisory-persistent-xss-in-wp-super…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 02-04-2015 18:00 − Freitag 03-04-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Website Malware - The SWF iFrame Injector Evolves ***
---------------------------------------------
Last year, we released a post about a malware injector found in an Adobe Flash (.SWF) file. In that post, we showed how a .SWF file is used to inject an invisible, ..
---------------------------------------------
http://blog.sucuri.net/2015/04/website-malware-the-swf-iframe-injector-evol…
*** Audit Concludes No Backdoors in TrueCrypt ***
---------------------------------------------
Auditors performing a cryptanalysis of TrueCrypt found four vulnerabilities, but zero backdoors in the popular open source encryption software.
---------------------------------------------
http://threatpost.com/audit-concludes-no-backdoors-in-truecrypt/111994
*** Multiple vulnerabilities in Cisco products ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=38194http://tools.cisco.com/security/center/viewAlert.x?alertId=38193http://tools.cisco.com/security/center/viewAlert.x?alertId=38210
*** The Fine Line Between Ad and Adware: A Closer Look at the MDash SDK ***
---------------------------------------------
Just last month, there were reports that Google removed three apps from its Play Store as they were discovered to be adware in disguise. At the time of the discovery, the apps were said to have been downloaded into millions of devices, ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/the-fine-line-be…
*** VMSA-2015-0003 ***
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0003.html
*** All in One SEO Pack <= 2.2.5.1 - Authentication Bypass ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7881
*** Schneider Electric VAMPSET Software Buffer Overflow Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a vulnerability in the Schneider Electric VAMPSET software.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-15-092-01
*** SSH Fingerprints Are Important, (Fri, Apr 3rd) ***
---------------------------------------------
Some years ago, I was preparing Cisco certification exams. I connected via SSH to a new Cisco router, and was presented with this familiar dialog: This made me think: before proceeding, I wanted to obtain the fingerprint out-of-band, via a trusted channel, so that I could verify it. So I took a ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19543
*** Android Security - 2014 in Review ***
---------------------------------------------
https://static.googleusercontent.com/media/source.android.com/en/us/devices…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 01-04-2015 18:00 − Donnerstag 02-04-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Multiple vulnerabilities in Cisco products ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Phishing-Mails mit Anweisungen des Chefs oft erfolgreich ***
---------------------------------------------
Phishing-Mails werden immer raffinierter. So gibt es etwa getarnte Mails vom Boss an seine Mitarbeiter, Geld zu überweisen, die höchst erfolgreich sind.
---------------------------------------------
http://futurezone.at/digital-life/phishing-mails-mit-anweisungen-des-chefs-…
*** User Import - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-093 ***
---------------------------------------------
This module enables the import of users into Drupal, or the update of existing users, with data from a CSV file (comma separated file).Some management URLs were not properly protected. A malicious user could trick an administrator ..
---------------------------------------------
https://www.drupal.org/node/2463949
*** Password Policy - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-090 ***
---------------------------------------------
The Password Policy module allows enforcing restrictions on user passwords by defining password policies.The module doesnt sufficiently sanitize usernames in some administration pages, thereby exposing a Cross Site Scripting ..
---------------------------------------------
https://www.drupal.org/node/2463835
*** NewPosThings Has New PoS Things ***
---------------------------------------------
Arbor Networks initially posted about a new point-of-sale (PoS) malware family named NewPosThings last September, which we detect as either TSPY_POSNEWT.SM or TSPY_POSNEWT.A. We are now ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has…
*** Google suspends CNNIC from Chromes certificate store ***
---------------------------------------------
Chinese certificate authority told to re-apply.When a web client, such as a browser, attempts to make an HTTPS connection, it needs to know that no man-in-the-middle attack is taking place. The web server therefore proves its ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/04_02b.xml
*** Frühjahrsputz bei Chrome: Fast 200 Adware-Plug-ins fliegen raus ***
---------------------------------------------
Google räumt im Chrome Web Store auf und verbannt reihenweise Adware-Erweiterungen, die Millionen von Nutzern mit Werbung genervt haben. In Zukunft sollen derartige Plagegeister erst gar nicht im Web Store landen.
---------------------------------------------
http://heise.de/-2595248
*** E-Mail-Sicherheit: Gedächtnislücken und Darkmail-Ideen ***
---------------------------------------------
Die Internet Engineering Task Force hat sich die Vertraulichkeit der Internetprotokolle auf die Fahnen geschrieben. Was lässt sich bei E-Mails noch machen? Zum Beispiel Metadaten verbergen. Auch gibt es Versuche, sichere E-Mail handlicher zu machen.
---------------------------------------------
http://heise.de/-2595167
*** Using the docker command to root the host (totally not a security issue) ***
---------------------------------------------
It is possible to do a few more things more with docker besides working with containers, such as creating a root shell on the host, overwriting system configuration files, reading restricted stuff, etc.
---------------------------------------------
http://reventlov.com/advisories/using-the-docker-command-to-root-the-host
*** Analysis of a Romanian Botnet ***
---------------------------------------------
Recently I noticed some strange entries in our web server log files. Specifically, someone was trying to exploit our servers using the ShellShock vulnerability (CVE-2014-6271) to execute a ..
---------------------------------------------
http://blog.politoinc.com/2015/04/analysis-of-a-romanian-botnet/
*** Verschlüsselung: Truecrypt-Audit findet kleinere Sicherheitsprobleme ***
---------------------------------------------
Die zweite Phase des Audits für die Verschlüsselungssoftware Truecrypt ist beendet. Dabei wurden die kryptographischen Funktionen untersucht. Einige Sicherheitsprobleme wurden entdeckt, sie treten aber nur in seltenen Fällen auf.
---------------------------------------------
http://www.golem.de/news/verschluesselung-truecrypt-audit-findet-kleinere-s…