Daily July 2015

daily@lists.cert.at

1 participants
23 discussions

Tageszusammenfassung - Freitag 17-07-2015
by Daily end-of-shift report 17 Jul '15

17 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 16-07-2015 18:00 − Freitag 17-07-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** MSRT July 2015: Crowti *** --------------------------------------------- In our ongoing effort to provide malware protection, we are adding the following detections to the Microsoft Malicious Software Removal Tool (MSRT) this month: Win32/Crowti Win32/Reveton Crowti, a file encryption threat, is one of the top prevalent ransomware families. We have recently seen it sent as a spam email attachment with formats similar to those shown below: Figure 1: Email spam samples delivering Crowti as an attachment As well as using spam emails as the entry point or infection... --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2015/07/14/msrt-july-2015-crowti.as… *** Running SAP? Checked for patches lately? Nows a good time *** --------------------------------------------- New round of fixes includes one for security bypass flaw SAP has released its July pack of security fixes, including critical patches one researcher says demand your urgent attention. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/07/17/running_sap… *** Ad networks beware; Google raises Red Screen of malware Dearth *** --------------------------------------------- Chrome to take shine off dodgy ad networks. Watch out dodgy ad slingers and news sites; Google is expanding its last line of defence Chrome feature to brand all security-slacker ad networks as unsafe. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/07/17/google_safe… *** Fake News App in Hacking Team Dump Designed to Bypass Google Play *** --------------------------------------------- Looking into the app's routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google's security standards as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a partial of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once... --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in… *** Significant Flash exploit mitigations are live in v18.0.0.209 *** --------------------------------------------- Whilst Project Zero has gained a reputation for vulnerability and exploitation research, thats not all that we do. One of the main reasons we perform this research is to provide data to defenders; and one of the things that defenders can do with this data is to devise exploit mitigations. Sometimes, well take on exploit mitigations ourselves. Recently, weve been working with Adobe on Flash mitigations, and this post describes some significant mitigations have landed over the past couple of... --------------------------------------------- http://googleprojectzero.blogspot.co.at/2015/07/significant-flash-exploit-m… *** Save the Date: 2 November NCSRA-Symposium 2015 *** --------------------------------------------- For the second time the NCSC will be co-organizing the NCSRA Symposium, which will be held on 2 November during Alert Online (the Dutch national cyber security awareness campaign). This symposium offers possibilities for knowledge sharing and community building in cybersecurity research and innovation. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/save-the-date-2-november-nc… *** Process Explorer and VirusTotal, (Fri, Jul 17th) *** --------------------------------------------- About a year ago, Rob had a diary entry about checking a file from Process Explorer with VirusTotal. Did you know you can have all EXEs of running processes scanned with VirusTotal? In Process Explorer, add column VirusTotal: Enable VirusTotal checks: And accept the VirusTotal terms: And now you can see the VirusTotal scores: Process Explorer is not the only Sysinternals tool that comes with VirusTotal support. Ill showcase more tools in upcoming diary entries. Sysinternals:... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19931&rss *** SANS: Kostenloser Webcast: 5 Jahre nach Stuxnet: Was hat sich geändert, was nicht und was liegt vor uns *** --------------------------------------------- Wednesday, July 29, 2015 at 17:00 CEST Thomas Brandstetter | In der industriellen Welt war die Entdeckung der Stuxnet-Malware das markanteste Ereignis der letzten Jahre. Viele Präsentationen über Industrial Security haben seither mit dem Satz Seit Stuxnet ist alles anders begonnen. Anlässlich des 5-Jahres-Jubiläums der Entdeckung von Stuxnet lohnt es zu fragen: Stimmt das? Welche Auswirkungen hatte Stuxnet tatsächlich auf die industrielle Welt? Thomas Brandstetter war im... --------------------------------------------- https://www.sans.org/webcasts/5-years-stuxnet-changed-didnt-lies-100617 *** Flash-Updates für Linux und noch einmal für die Extended-Support-Version *** --------------------------------------------- Auch Linux-Nutzer, die nicht mit Chrome unterwegs sind, kommen nun in den Genuss des neuesten Flash-Updates. Außerdem müssen Extended-Support-Nutzer noch mal patchen. --------------------------------------------- http://heise.de/-2752440 *** Kommentar: Weg mit Flash! *** --------------------------------------------- Bei Adobes Plug-in stimmt die Balance aus Nutzen und Risiko nicht mehr. Es wird Zeit, dieses Relikt abzuschalten, meint Herbert Braun --------------------------------------------- http://heise.de/-2751583 *** TotoLink Routers Plagued By XSS, CSRF, RCE Bugs *** --------------------------------------------- A slew of routers manufactured in China are fraught with vulnerabilities, some which have existed in products for as long as six years. --------------------------------------------- http://threatpost.com/totolink-routers-plagued-by-xss-csrf-rce-bugs/113816 *** Bugtraq: Novell GroupWise 2014 WebAccess vulnerable to XSS attacks *** --------------------------------------------- http://www.securityfocus.com/archive/1/536023 *** Elasticsearch 1.6.0 Remote Code Execution *** --------------------------------------------- Topic: Elasticsearch 1.6.0 Remote Code Execution Risk: High Text:Summary: Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol that enables r... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015070089 *** Elasticsearch 1.6.0 Directory Traversal *** --------------------------------------------- Topic: Elasticsearch 1.6.0 Directory Traversal Risk: Medium Text:Summary: Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015070090 *** WP Backitup <= 1.9.1 - Backup File Disclosure *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8105 *** Cisco Prime Collaboration Assurance Web Interface Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=40003 *** EMC Documentum WebTop Lets Remote Users Redirect the Target User to an Arbitrary Site *** --------------------------------------------- http://www.securitytracker.com/id/1032965 *** EMC Documentum CenterStage Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1032966 *** Eaton's Cooper Power Series Form 6 Control and Idea/IdeaPlus Relays with Ethernet Vulnerability *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on January 6, 2015, and is now being released to the ICS-CERT web site. This advisory provides mitigation details for a predictable TCP sequence vulnerability in Eaton's Cooper Power Systems Form 6 and Idea/IdeaPLUS relays with Ethernet application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-15-006-01 *** SSA-732541 (Last Update 2015-07-17): Denial-of-Service Vulnerability in SIPROTEC 4 *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** IBM Security Bulletins *** --------------------------------------------- IBM Vulnerability in Apache Tomcat may affect IBM WebSphere Application Server Community Edition (CVE-2014-0230) IBM Security Bulletin: Open Source Apache Tomcat vulnerability and vulnerability in Diffie-Hellman ciphers affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2014-0230, CVE-2014-7810, CVE-2015-4000) IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Sterling Secure Proxy and Sterling External Authentication Server (CVE-2015-0488, CVE-2015-1916, CVE-2015-2808, CVE-2015-0478, CVE-2015-0204) IBM Security Bulletin: Vulnerabilities in OpenSSL including Logjam affect Rational Application Developer for WebSphere Software (CVE-2015-4000, CVE-2015-1793) IBM Security Bulletin: Vulnerability in OpenSSL affects IBM SDK for Node.js (CVE-2015-1793) IBM Security Bulletin: Vulnerability in the Dojo Toolkit affects IBM Business Process Manager, which is shipped with IBM SmartCloud Orchestrator and IBM SmartCloud Orchestrator Enterprise (CVE-2014-8917) IBM Security Bulletin: Tivoli Workload Scheduler Distributed Potential Security vulnerabilities with IBM WebSphere Application Server (CVE-2015-1920) --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us

1 0

Tageszusammenfassung - Donnerstag 16-07-2015
by Daily end-of-shift report 16 Jul '15

16 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 15-07-2015 18:00 − Donnerstag 16-07-2015 18:00 Handler: Stephan Richter Co-Handler: n/a *** RC4 crypto: Get RID of it already, say boffins *** --------------------------------------------- This one simple attack busts WPA-TKIP in less than an hour ... As they explain here, the weakness of RC4 (inherited by systems using it) is based on biases in the RC4 keystream. The bias was already known, and is why vendors like Microsoft are working to deprecate it. Whats different in the new work is the acceleration of the cryptanalysis Vanhoef and Piessens carry out. --------------------------------------------- http://www.theregister.co.uk/2015/07/16/rc4_get_rid_of_it_already_say_boffi… *** RC4 in HTTPS & Verbreitung *** --------------------------------------------- RC4 gehört nicht zu den stärksten Verschlüsselungsmethoden, und sollte eigentlich nach RFC7465 (aktuell noch ein Draft) gar nicht mehr verwendet werden. Neue Angriffe ermöglichen im Nachhinein das entschlüsseln von sensitiven Informationen wie zum Beispiel Session cookies innerhalb von wenigen Tagen. In den letzten Wochen haben wir ca. 2 Millionen TLS Konfigurationen weltweit mittels dem Tool... --------------------------------------------- https://www.sba-research.org/2015/07/16/rc4-in-https-verbreitung/ *** Poodle-Nachspiel: Mace und weitere Lücken in TLS-Servern *** --------------------------------------------- Cisco, F5, Juniper, Fortinet: Ein Sicherheitsforscher hat eine Reihe von TLS-Servern entdeckt, die den sogenannten Message Authentication Code (MAC) von Verbindungen nicht prüfen. Andere Serverimplementierungen prüfen eine Checksumme am Ende des Handshakes nicht. --------------------------------------------- http://www.golem.de/news/poodle-nachspiel-mace-und-weitere-luecken-in-tls-s… *** Adobe's CVE-2015-5090 - Updating the Updater to become the bossman *** --------------------------------------------- Amongst the many bugs Adobe patched in July 2015, CVE-2015-5090 stands out as being worth a closer look. Adobe lists this vulnerability as a privilege escalation from low to medium integrity, but this doesn’t tell the whole story. In actuality, this bug can used to execute code with SYSTEM privileges, which could allow an attacker to completely take over a target. Since this affects the Adobe updater service, the bug exists in both Adobe Reader and Acrobat Pro. Both of these programs install the ARMSvc service (Updater) and both keep AdobeARM.exe/AdobeARMHelper.exe in c:\progra~1\common~1\Adobe\ARM\1.0. --------------------------------------------- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Adobe-s-CVE-2015-509… *** Mozilla Winter of Security is back! *** --------------------------------------------- The first edition of MWoS was a success, and a lot of fun for students and mentors, so we decided to run it again this year. For the 2015 edition, we are proposing six projects that directly contribute to our most impactful security tools. Students will be able to work on digital forensics with MIG, SSL/TLS configurations with Menagerie, certificate management with LetsEncrypt, security visualization with MozDef, and web security scanning with OWASP ZAP. --------------------------------------------- https://blog.mozilla.org/security/2015/07/15/mozilla-winter-of-security-is-… *** Understanding PCI compliance fines: Who is in charge of enforcing PCI? *** --------------------------------------------- If your business stores, processes, or transmits data from payment cards, then you are subject to the requirements of the PCI DSS. This set of security controls is designed to help merchants combat da... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/--jT_s5xAyE/article.php *** Researchers prove HTML5 can be used to hide malware *** --------------------------------------------- A group of Italian researchers have come up with new obfuscation techniques that can be used to dupe malware detection systems and allow malicious actors to execute successful drive-by download attack... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/9k3wj_RIqQ8/malware_news.… *** Authentication Bypass Bug Hits Siemens Energy Automation Device *** --------------------------------------------- An authentication bypass vulnerability in a Siemens device that's used in energy automation systems could allow an attacker to gain control of the device. The vulnerability is in the Siemens SICAM MIC, a small telecontrol system that performs a number of functions and includes an integrated Web server and several other features. The devices consist of... --------------------------------------------- http://threatpost.com/authentication-bypass-bug-hits-siemens-energy-automat… *** Are smart infrastructures experts in cyber security? *** --------------------------------------------- [...] Prof. Helmbrecht said: “Currently there is no clear definition of cyber security for smart infrastructures at an EU level. It will be beneficial to increase information sharing and coordination for example on public transport. As new technologies and applications are developed, their security aspects also need to be developed from the design phase, allowing for improved services, user experience and safety in a connected online world”. --------------------------------------------- http://www.enisa.europa.eu/media/news-items/are-smart-infrastructures-exper… *** Bugtraq: ESA-2015-122: EMC Documentum CenterStage Cross-site Scripting Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/536014 *** Bugtraq: ESA-2015-123: EMC Documentum WebTop Open Redirect Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/536015 *** IBM Security Bulletins *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us *** Cisco WebEx Meetings Server Remote Code Execution Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39938 *** Cisco Unified Intelligence Center Cross-Site Request Forgery Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39920 *** Cisco Email Security Appliance Malformed DMARC Policy Records File Modification Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39940 *** Oracle Critical Patch Update Advisory - July 2015 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html *** Oracle Critical Patch Update - July 2015 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html *** Solaris Third Party Bulletin - July 2015 *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.h…

1 0

Tageszusammenfassung - Mittwoch 15-07-2015
by Daily end-of-shift report 15 Jul '15

15 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 14-07-2015 18:00 − Mittwoch 15-07-2015 18:00 Handler: Robert Waldner Co-Handler: Otmar Lendl *** July 2015 Security Updates *** --------------------------------------------- Today we released security updates for Microsoft Windows, Microsoft Office, Microsoft SQL Server, and Internet Explorer. As a best practice, we encourage customers to apply security updates as soon as they are released. For more information about this month's security updates and advisories visit the Security TechNet Library. You can also follow the Microsoft Security Response Center (MSRC) team on Twitter at @MSFTSecResponse MSRC Team --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2015/07/14/july-2015-security-updat… https://technet.microsoft.com/en-us/library/security/MS15-JUL *** TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities *** --------------------------------------------- Original release date: July 14, 2015 Systems Affected Microsoft Windows systems with Adobe Flash Player installed. Overview Used in conjunction, recently disclosed vulnerabilities in Adobe Flash and Microsoft Windows may allow a remote attacker to execute arbitrary code with system privileges. Since attackers continue to target and find new vulnerabilities in popular, Internet-facing software, updating is not sufficient, and it is important to use exploit mitigation and other defensive --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA15-195A *** Microsoft Patch Tuesday July 2015 *** --------------------------------------------- Julys Patch Tuesday is here and brings with it a rather large 14 bulletins with 4 Critical and 10 Important rated patches. All combined this months release patches 59 vulnerabilities 29 of which are in the old stalwart Internet Explorer.... --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Patch-Tuesday-July… *** Adobe, MS, Oracle Push Critical Security Fixes *** --------------------------------------------- This being the second Tuesday of the month, its officially Patch Tuesday. But its not just Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/GZ70l-ulAqw/ *** Oracle Critical Patch Update dichtet 193 Lücken ab *** --------------------------------------------- Wie üblich bei Oracles quartalsweisen Updates stopft die Firma massenweise Lücken in fast allen ihrer Produkte. Sogar die Ghost-Lücke vom Januar feiert ein Comeback. Besonders die Updates für Java und MySQL sollten baldigst installiert werden. --------------------------------------------- http://heise.de/-2750641 *** Microsoft Ends Support for Windows Server 2003, Migration a Must *** --------------------------------------------- End-of-life fun times are coming to infosec departments everywhere again. Just a year after the announcement of Windows XP's end-of-life, we see another body in the OS graveyard: Windows Server 2003. After July 14th, servers running this venerable OS will no longer be receiving any more security updates. This would leave you out in the cold --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/sr3phsOSoFM/ *** Microsoft Security Essentials is no longer available for Windows XP *** --------------------------------------------- We strongly recommend that you complete your migration to a supported operating system as soon as possible so that you can receive regular security updates to help protect your computer from malicious attacks. --------------------------------------------- http://windows.microsoft.com/en-us/windows/security-essentials-download?os=… *** Cisco Packet Data Network Gateway IP Stack Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39907 *** Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39872 *** Unit 42 Technical Analysis: Seaduke *** --------------------------------------------- Earlier this week Symantec released a blog post detailing a new Trojan used by the "Duke" family of malware. Within this blog post, a payload containing a function named "forkmeiamfamous" was mentioned. While performing some ... --------------------------------------------- http://feedproxy.google.com/~r/PaloAltoNetworks/~3/y_CGsjS6Bio/ *** An In-Depth Look at How Pawn Storm's Java Zero-Day Was Used *** --------------------------------------------- Operation Pawn Storm is a campaign known to target military, embassy, and defense contractor personnel from the United States and its allies. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns. Over the past year or so, we have seen numerous techniques and tactics --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/gJtU9nel0NM/ *** Hideouts for Lease: The Silent Role of Bulletproof Hosting Services in Cybercriminal Operations *** --------------------------------------------- What do LeaseWeb, Galkahost, and Spamz have in common? All of them, at one point or another, have functioned as cybercriminal hideouts in the form of bulletproof hosting services (BPHS). Simply put, BPHS is any hosting facility that can store any type of malicious content like phishing sites, pornography, and command-and-control (C&C) infrastructure. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Ojxl_6lsUjU/ *** DFN-CERT-2015-1068/ BlackBerry Link: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1068/ *** Rootkits: User Mode *** --------------------------------------------- In this article, we will learn about what rootkits are and how they operate. The focus will be on two types of Rootkits exploits: User Mode & Kernel Mode, what are the various ways in which rootkits exploit in both modes. --------------------------------------------- http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-1/ *** Rootkits: Kernel Mode *** --------------------------------------------- We have learned in part one of this series about the Rootkits and how they operate in User Mode, in this part of the series we will up the ante and look at the other part where rootkits operate, i.e. Kernel Mode. --------------------------------------------- http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-2/ *** Rootkits: User Mode & Kernel Mode-Part 2 *** --------------------------------------------- We have learned in part one of this series about the Rootkits and how they operate in User Mode, in this part of the series we will up the ante and look at the other part where rootkits operate, i.e. Kernel Mode. --------------------------------------------- http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-2/ *** FBI paid Hacking Team to identify Tor users *** --------------------------------------------- Documents leaked online after the Hacking Team data breach revealed that the company supported the FBI in the investigation on Tor users. While the security experts are continuing to analyze the impressive amount of data stolen from the Hacking Team, new revelation are circulating over the Internet. Among the clients of the Italian security firm, there ... --------------------------------------------- http://securityaffairs.co/wordpress/38601/cyber-crime/fbi-hacking-team-tor.… *** Government Grade Malware: a Look at HackingTeam's RAT *** --------------------------------------------- We have our hands on the code repositories of HackingTeam, and inside of them we've found the source code for a cross-platform, highly-featured, government-grade RAT (Remote Access Trojan). It's rare that we get to do analysis of complex malware at the source-code level, so I couldn't wait to write a blog about it! --------------------------------------------- http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hacki… *** Epic Games, Epic Fail: Forumers info blown into dust by hack *** --------------------------------------------- Company sorry for the inconvenience caused. Great Epic Games, known for its Unreal Engine and the Games of War series, sent a grovelling letter to its forum users this morning explaining that a hack "may have resulted in unauthorised access to your username, email address, password, and the date of birth you provided at registration." --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/07/15/epic_games_… *** Details on Internet-wide Scans from SBA *** --------------------------------------------- To clarify what we are scanning on the Internet, here are some details on the project and which tools we use. Most importantly: if you want your IP to be excluded from future scans, please send an email to abuse(a)sba-research.org. For quite some time now we scan Internet-wide for well-known ports that use TLS, most ... --------------------------------------------- https://www.sba-research.org/2015/07/15/details-on-internet-wide-scans-from…

1 0

Tageszusammenfassung - Dienstag 14-07-2015
by Daily end-of-shift report 14 Jul '15

14 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 13-07-2015 18:00 − Dienstag 14-07-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Been hacked? Now to decide if you chase the WHO or the HOW *** --------------------------------------------- Imagine a security researcher has plucked your customer invoice database from a command and control server. Youre nervous and angry. Your boss will soon be something worse and will probably want you to explain who pulled off the heist, and how. But only one of these questions, the how, is worth your precious resources; security experts say the who is an emotional distraction. --------------------------------------------- http://www.theregister.co.uk/2015/07/14/attribution_feature/ *** Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems *** --------------------------------------------- Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets' systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running. They have written a procedure specifically for Insyde BIOS (a very popular BIOS vendor for laptops). However, the code can very likely work on AMI BIOS as well. A Hacking Team slideshow... --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-use… *** Lowering Defenses to Increase Security *** --------------------------------------------- Starting at WhiteHat was a career change for me. I wasn't sure exactly what to expect, but I knew there was a lot of unfamiliar terminology: "MD5 signature", "base64", "cross-site request forgery", "'Referer' header", to name a few. When I started testing real websites, I was surprised that a lot of what I was doing... --------------------------------------------- https://blog.whitehatsec.com/lowering-defenses-to-increase-security/ *** Adobe Updates Flash Player, Shockwave and PDF Reader, (Tue, Jul 14th) *** --------------------------------------------- In a warm up to patch Tuesday, it looks like we have a new version for Adobe Flash Player, Shockwave Player and PDF Reader. Given that some of the exploits against the vulnerabilities patchedare public, you may want to expedite patching and review your Flash Player and browser configuration. the latest (patched) versions are (thanks Dave!): - FlashPlayer 18.0.0.209 - Flash Player EST 13.0.0.305 - Reader 10.1.15 - Reader 11.0.12 - Shockwave Player">12.1.9.159 Bulletins: --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19917&rss *** Adobe: Look, honestly, we really do take Flash security seriously *** *** Mozilla: Right, THATS IT. You, Flash, behind the shed with me. *snick snack* *** *** FLASH MUST DIE, says Facebook security chief *** --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/adobe_respo… http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/firefox_blo… http://go.theregister.com/feed/www.theregister.co.uk/2015/07/14/facebook_fl… *** Security Bulletins Posted *** --------------------------------------------- Security Bulletins for Adobe Acrobat and Reader (APSB15-15), Adobe Shockwave Player (APSB15-17) and Adobe Flash Player (APSB15-18) have been published. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1247 *** SSA-632547 (Last Update 2015-07-14): Authentication Bypass Vulnerability in SICAM MIC *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** VU#919604: Kaseya Virtual System Administrator contains multiple vulnerabilities *** --------------------------------------------- Vulnerability Note VU#919604 Kaseya Virtual System Administrator contains multiple vulnerabilities Original Release date: 13 Jul 2015 | Last revised: 13 Jul 2015 Overview Kaseya Virtual System Administrator (VSA), versions R9 and possibly earlier, contains arbitrary file download and open redirect vulnerabilities. Description CWE-22: Improper Limitation of Pathname to a Restricted Directory (Path Traversal) - CVE-2015-2862Kaseya VSA is an IT management platform with a help desk ticketing --------------------------------------------- http://www.kb.cert.org/vuls/id/919604 *** Cisco Vulnerability Alerts *** --------------------------------------------- *** Cisco Identity Services Engine Cross-Frame Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39871 *** Cisco TelePresence Integrator C Series Multiple Request Parameter Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39880 *** Cisco Identity Services Engine Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39873 *** Cisco Unified Communications Manager Denial of Service Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39877 *** Cisco FireSIGHT Management Center Cross-Site Scripting Vulnerabilities *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39879 *** Cisco Unified Communications Manager ccmivr Page Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/viewAlert.x?alertId=39905 *** IBM Security Bulletins *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us *** Moodle Bugs Permit Cross-Site Scripting and Open Redirect Attacks and Let Remote Authenticated Users Modify Data *** --------------------------------------------- http://www.securitytracker.com/id/1032877 *** F5 Security Advisory: Multiple PHP CDF vulnerabilities CVE-2014-0237 and CVE-2014-0238 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16954.htm… *** DFN-CERT-2015-1009: Django: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1009/

1 0

Tageszusammenfassung - Montag 13-07-2015
by Daily end-of-shift report 13 Jul '15

13 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 10-07-2015 18:00 − Montag 13-07-2015 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Government Grade Malware: a Look at HackingTeam's RAT *** --------------------------------------------- Security researchers the world over have been digging through the massive HackingTeam dump for the past five days, and what we've found has been surprising. I've heard this situation called many things, and there's one description that I can definitely agree with: it's like Christmas for hackers. "On the fifth day of Christmas Bromium sent to... --------------------------------------------- http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hacki… *** Pawn Storm Update: Trend Micro Discovers New Java Zero-Day Exploit *** --------------------------------------------- Analysis and data by Brooks Li (Threats Analyst) and Feike Hacquebord (Senior Threat Researcher) Zero-day exploits continued to be used in targeted attacks because they are effective, given that software vendors have yet to create patches for them. Throughout our on-going investigation and monitoring of a targeted attack campaign, Operation Pawn Storm, we found suspicious URLs that... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/5OzXdZhhVhc/ *** New Zero-Day Vulnerability (CVE-2015-5123) in Adobe Flash Emerges from Hacking Team Leak *** --------------------------------------------- After two Adobe Flash player zero-days disclosed in a row from the leaked data of Hacking Team, we discovered another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) that surfaced from the said leak. Adobe has already released a security advisory after we reported the said zero-day. This vulnerability is rated as critical and... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rV5yri4x48E/ *** Mit Windows 10 kommen Updates automatisch *** --------------------------------------------- Windows 10-Kunden können sich künftig nur noch sehr begrenzt aussuchen, wann sie ein Update erhalten. --------------------------------------------- http://futurezone.at/produkte/mit-windows-10-kommen-updates-automatisch/141… *** Jump List Files Are OLE Files, (Sun, Jul 12th) *** --------------------------------------------- Jump List files are another type of files that are actually OLE files. They can contain useful data for forensic investigations. There are a couple of tools that can extract information from these files. Here you can see oledump analyzing an automatic Jump List file: The stream DestList contains the Jump List data: There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files: The plugin takes an option... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19911&rss *** Identifying the five principal methods of network attacks *** --------------------------------------------- Companies are underestimating the risk of failing to provide security training to non-technical staff. A new Intel Security study, which surveyed IT decision makers in European-based companies, fo... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/gSbxVIXvO94/secworld.php *** Mobile SSL failures: More common than they should be *** --------------------------------------------- Securing your mobile application traffic is apparently more difficult than it should be, as researchers Anthony Trummer and Tushar Dalvi discovered when looking into SSL/TLS usage on the Android opera... --------------------------------------------- http://feedproxy.google.com/~r/HelpNetSecurity/~3/dY8mHp2RDC4/article.php *** Identifying and exploiting IBM WebSphere Application Server *** --------------------------------------------- IBM WebSphere is application server similar to Tomcat, JBoss and WebLogic. Therefore, it should be interesting to any penetration tester doing enterprise scale work where Websphere might be present. It should be also interesting to anyone who is working on securing enterprise environment since Websphere allows deploying own (malicious or not) code to the server. I have written NSE scripts to identify IBM Websphere consoles of application servers and to brute force any usernames and passwords. I... --------------------------------------------- https://k0st.wordpress.com/2015/07/13/identifying-and-exploiting-ibm-websph… *** Start Secure 2015 - Sicherheits-Start-ups gesucht *** --------------------------------------------- Der Wettbewerb "Start Secure 2015" wird gemeinsam vom Innenministerium und der futurezone veranstaltet. Als Organisationspartner fungieren SBA Research, das die Sieger-Start-ups auf Wunsch auch als Inkubator bei der Investorensuche berät, sowie das Kuratorium Sicheres Österreich. --------------------------------------------- http://futurezone.at/thema/start-ups/sicherheits-start-ups-gesucht/139.420.… *** Common Assessment Tool Cheatsheets *** --------------------------------------------- I have an unhealthy obsession for time savers when im doing pentest work. Since a lot of my time is spent on the command line I love cheatsheets. I thought id use this thread to post some of the more awesome cheat sheets I find... --------------------------------------------- https://forum.bugcrowd.com/t/common-assessment-tool-cheatsheets/502 *** Tunneling Data and Commands Over DNS to Bypass Firewalls *** --------------------------------------------- No matter how tightly you restrict outbound access from your network, you probably allow DNS queries to at least one server. Adversaries can abuse this "hole" in your firewall to exfiltrate data and establish stealthy Command and Control (C2) channels that are very difficult to block. ... I am struggling to come up with a solution to plug this firewall "hole", but I have a few risk mitigation recommendations:... --------------------------------------------- https://zeltser.com/c2-dns-tunneling/ *** Google Photo App Uploads Your Images To Cloud, Even After Uninstalling *** --------------------------------------------- Have you ever seen any mobile application working in the background silently even after you have uninstalled it completely? I have seen Google Photos app doing the same. Your Android smartphone continues to upload your phone photos to Google servers without your knowledge, even if you have already uninstalled the Google Photos app from your device. Nashville Business... --------------------------------------------- http://feedproxy.google.com/~r/TheHackersNews/~3/yxF2id-ZsHg/google-photo-a… *** "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory *** --------------------------------------------- Low-profile information-stealing Trojan is used only against high-value targets --------------------------------------------- http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon… *** BGP Hijacking - why you need to care! *** --------------------------------------------- This came across our desk this morning when we were putting together Dragon News Bytes. There is lots of talk about what has been discovered in the recent reporting on the data dump from the Hacking Team incident. A lot of the reporting discusses the ethics of the company's services and whom they have been selling them to. Concentrating for a moment on the technology deployed in this activity, it is suggested that BGP hijacking was involved. This is described the article entitled... --------------------------------------------- https://blog.team-cymru.org/2015/07/bgp-hijacking-why-do-you-need-to-care/ *** Allerletzter Aufruf: Support fÜr Windows 2003 Server endet *** --------------------------------------------- Am 14. Juli ist endgÜltig Schluss. FÜr Windows 2003 Server liefert Microsoft keine Updates mehr aus, auch nicht bei Sicherheitsproblemen. Wobei auch hier zu gelten scheint: Ausnahmen bestÄtigen die Regel. --------------------------------------------- http://www.heise.de/newsticker/meldung/Allerletzter-Aufruf-Support-fuer-Win… *** Hacking Team 0-day Flash Wave with Exploit Kits *** --------------------------------------------- https://www.f-secure.com/weblog/archives/00002819.html *** New PHP Releases Fix BACRONYM MySQL Flaw *** --------------------------------------------- Several new versions of PHP have been released, all of which contain a number of bug fixes, most notably a patch for the so-called BACKRONYM vulnerability in MySQL. That bug in MySQL is caused by a problem with the way that the database software handles requests for secure connections. Researchers at Duo Security disclosed the... --------------------------------------------- http://threatpost.com/new-php-releases-fix-bacronym-mysql-flaw/113740 *** The Adobe Flash Conundrum: Old Habits Die Hard *** --------------------------------------------- Is it time to hop off the endless cycle of Flash vulnerabilities and updates? Last week has not been great for Adobe Flash. The 440GB of leaked Hacking Team emails has become a treasure trove for vulnerability hunters. Over the past 7 days, Flash was hit by three separate vulnerabilities: CVE-2015-5119 CVE-2015-5122 CVE-2015-5123 At this time, only the... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/AmkybOPif7Y/ *** Bugtraq: ESA-2015-115: EMC RecoverPoint for Virtual Machines (VMs) Restriction Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/535981 *** Cisco Mobility Services Engine Control And Provisioning Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39825 *** Juniper Security Advisories *** --------------------------------------------- *** Juniper Junos IPv6 SEND Processing Flaw Lets Remote Users Deny Service *** http://www.securitytracker.com/id/1032849 *** Juniper Junos SRX Network Security Daemon Bug Lets Remote Users Deny Service *** http://www.securitytracker.com/id/1032848 *** Juniper Junos EX4600 and QFX Series Unspecified Flaw Lets Remote Users Deny Service *** http://www.securitytracker.com/id/1032847 *** Juniper Junos J-Web Bugs Let Remote Users Conduct Cross-Site Scripting and Denial of Service Attacks *** http://www.securitytracker.com/id/1032846 *** Bugtraq: [security bulletin] HPSBGN03373 rev.1 - HP Release Control running TLS, Remote Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/535983 *** Cisco WebEx Meeting Center Reflected Cross-Site Scripting Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39782 *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: Boost memory allocator vulnerability CVE-2012-2677 *** https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16946.htm… *** Security Advisory: Multiple SQLite vulnerabilities *** https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16950.htm… *** Security Advisory: Mailx vulnerabilities CVE-2004-2771 and CVE-2014-7844 *** https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16945.htm… *** Security Advisory: Expat vulnerabilities CVE-2012-0876 and CVE-2012-1148 *** https://support.f5.com:443/kb/en-us/solutions/public/16000/900/sol16949.htm… *** Splunk Enterprise and Splunk Light Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1032859 *** Squid CONNECT Method Peer Response Processing Flaw Lets Remote Users Bypass Security Controls *** --------------------------------------------- http://www.securitytracker.com/id/1032873 *** PHP 5.x Security Updates, (Sun, Jul 12th) *** --------------------------------------------- PHP 5.6.11, 5.5.27 and 5.4.43 were updated fixing numerous bugs in the various components of PHP including CVE-2015-3152. PHP recommend testing and upgrading to the current release. The binaries and packages are available here and the release notes here. [1] http://www.php.net/ChangeLog-5.php [2] http://windows.php.net/download/ ----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19907&rss *** Joomla J2Store 3.1.6 SQL Injection *** --------------------------------------------- Topic: Joomla J2Store 3.1.6 SQL Injection Risk: Medium Text:J2Store v3.1.6, a Joomla! extension that adds basic store functionality to a Joomla! instance, suffered from two unauthenticate... --------------------------------------------- http://cxsecurity.com/issue/WLB-2015070053 *** DFN-CERT-2015-0907 FreeRADIUS: Eine Schwachstelle ermÖglicht das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-0907/ *** DFN-CERT-2015-1030 strongSwan: Zwei Schwachstellen ermöglichen das Ausspähen von Informationen und Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2015-1030/

1 0

Tageszusammenfassung - Freitag 10-07-2015
by Daily end-of-shift report 10 Jul '15

10 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 09-07-2015 18:00 − Freitag 10-07-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Multiple vulnerabilities in Cisco TelePresence products *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39798 http://tools.cisco.com/security/center/viewAlert.x?alertId=39802 http://tools.cisco.com/security/center/viewAlert.x?alertId=39801 http://tools.cisco.com/security/center/viewAlert.x?alertId=39795 http://tools.cisco.com/security/center/viewAlert.x?alertId=39796 http://tools.cisco.com/security/center/viewAlert.x?alertId=39800 http://tools.cisco.com/security/center/viewAlert.x?alertId=39797 *** VMSA-2015-0005 *** --------------------------------------------- VMware Workstation, Player and Horizon View Client for Windows do not set a discretionary access control list (DACL) for one of their processes. This may allow a local attacker to elevate their privileges and execute code in the security context of the affected process. --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2015-0005.html *** The Massive OPM Hack Actually Hit 21 Million People *** --------------------------------------------- The massive hack that struck the US Office of Personnel Management affected some 21.5 million people, all of them people who had information stolen about them from a backgrounds investigation database used for evaluating people who sought classified clearances from the government. --------------------------------------------- http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/ *** Yubikeys Zwei-Faktor-Authentifizierung unter Linux nutzen *** --------------------------------------------- Mit Hilfe des Yubikeys lässt sich eine verschlüsselte Systempartition unter Linux zusätzlich per Zwei-Faktor-Authentifizierung absichern. In dieser Kombination kann auch ein bequemeres Kennwort genutzt werden. --------------------------------------------- http://www.golem.de/news/systemverschluesselung-yubikeys-zwei-faktor-authen… *** Magento-Patch: Update soll Kundendaten-Leck stopfen *** --------------------------------------------- Im Shop-System Magento klaffen Lücken, die es Angreifern erlauben, Admin-Konten zu kapern und Kundendaten auszulesen. Der Hersteller hat jetzt einen Patch veröffentlicht, der Abhilfe schaffen soll. --------------------------------------------- http://heise.de/-2747984 *** Hacking Team Shows the World How Not to Stockpile Exploits *** --------------------------------------------- Bank robber Willie Sutton’s famous line about why he robs banks—“because that’s where the money is”—was particularly apt this week after the Italian firm Hacking Team was hacked and at least two zero-day exploits the firm possessed were spilled to the public, along with about 400 gigabytes of company emails and other data. --------------------------------------------- http://www.wired.com/2015/07/hacking-team-shows-world-not-stockpile-exploit… *** Rootkits: User Mode & Kernel Mode - Part 1 *** --------------------------------------------- In this article, we will learn about what rootkits are and how they operate. The focus will be on two types of Rootkits exploits: User Mode & Kernel Mode, what are the various ways in which rootkits exploit in both modes. In this Part we will learn .. --------------------------------------------- http://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-1/ *** Programmier-Tipps für die BIOS-Backdoor *** --------------------------------------------- Der Hacker Cr4sh erklärt, wie er eine Hintertür in die UEFI-Firmware eines Intel-Mainboards einbaut. Dabei zeigen sich einmal mehr kritische Lücken in der x86-Plattform, vor allem beim System Management Mode. --------------------------------------------- http://heise.de/-2748219

1 0

Tageszusammenfassung - Donnerstag 9-07-2015
by Daily end-of-shift report 09 Jul '15

09 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 08-07-2015 18:00 − Donnerstag 09-07-2015 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan... on July 1 *** --------------------------------------------- Earlier this week several vulnerabilities were disclosed as part of the leak of information from the Italian company Hacking Team. We've noted that this exploit is now in use by various exploit kits. However, feedback provided by the Smart Protection Network also indicates that this exploit was also used in limited attacks in Korea and Japan.... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Ys8noghmsHc/ *** Ding! Your RAT has been delivered *** --------------------------------------------- Talos is constantly observing malicious spam campaigns delivering various different types of payloads. Common payloads include things like Dridex, Upatre, and various versions of Ransomware. One less common payload that Talos analyzes periodically are Remote Access Trojans or RATs. A recently observed spam campaign was using freeware remote access trojan DarkKomet (a.k.a DarkComet). This isn't a novel approach since threat actors have been leveraging tools like DarkKomet or Hawkeye... --------------------------------------------- http://blogs.cisco.com/security/talos/darkkomet-rat-spam *** Finnland: 17-jähriger Botnetz-Betreiber verurteilt *** --------------------------------------------- Über 50.000 Rechner für ein Botnetz gekapert, DDoS-Attacken geritten und Kreditkartendaten geklaut: Ein 17-jähriger Finne, angeblich Mitglied der Hackergruppe Lizard Squad, wird zu zwei Jahren auf Bewährung verurteilt. --------------------------------------------- http://heise.de/-2745646 *** Detecting Random - Finding Algorithmically chosen DNS names (DGA), (Thu, Jul 9th) *** --------------------------------------------- Most normal user traffic communicates via a hostname and not an IP address. So looking at traffic communicating directly by IP with no associated DNS request is a good thing do to. Some attackers use DNS names for their communications. There is also malware such as Skybot and the Styx exploit kit that use algorithmically chosen host name rather than IP addresses for their command and control channels. This malware uses what has been called DGA or Domain Generation Algorithms to create random... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19893&rss *** Happy Video Game Day 2015 *** --------------------------------------------- Gamers are being targeted more and more by malware, trojans, and keyloggers, especially those that participate in pay-to-play games and MMORPGs (Massively Multiplayer Online Role-Playing Game). Your accounts, personal identity, banking information and even credit card numbers can be stolen if you are playing without a cyber-security solution. The PC gaming market is increasing rapidly and is expected to reach $30.9 Billion in 2016, and with that, the targets are getting bigger and more... --------------------------------------------- http://www.webroot.com/blog/2015/07/08/happy-video-game-day-2015 *** Cisco PSIRT reporting Customers affected by ASA VPN DoS attacks, (Thu, Jul 9th) *** --------------------------------------------- Patch your firewalls! 2015-July-08 UPDATE:">Cisco PSIRT is aware of disruption to some Cisco customers with Cisco ASA devices affected by CVE-2014-3383, the Cisco ASA VPN Denial of Service Vulnerability that was disclosed in this Security Advisory. Traffic causing the disruption was isolated to a specific source IPv4 address. Cisco has engaged the provider and owner of that device and determined that the traffic was sent with no malicious intent. Cisco strongly recommends that customers... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19895&rss *** Sicherheitslücke: OpenSSL akzeptiert falsche Zertifikate *** --------------------------------------------- Ein OpenSSL-Update behebt eine kritische Sicherheitslücke. Mittels einiger Tricks kann ein Angreifer damit ein gewöhnliches Zertifikat zu einer Zertifizierungsstelle machen. Betroffen sind vor allem Clients. --------------------------------------------- http://www.golem.de/news/sicherheitsluecke-openssl-akzeptiert-falsche-zerti… *** OpenSSL CVE-2015-1793: Man-in-the-Middle Attack *** --------------------------------------------- As announced at the beginning of this week, OpenSSL has released the fix for CVE-2015-1793. --------------------------------------------- https://ma.ttias.be/openssl-cve-2015-1793-man-middle-attack/ *** OpenSSL Security Advisory [9 Jul 2015] *** --------------------------------------------- An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. (original advisory). Reported by Adam Langley and David Benjamin (Google/BoringSSL). --------------------------------------------- https://openssl.org/news/secadv_20150709.txt *** Administration Views - Critical - Information Disclosure - SA-CONTRIB-2015-132 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2015-132Project: Administration Views (third-party module)Version: 7.xDate: 2015-July-08Security risk: 15/25 ( Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureDescriptionAdministration Views module replaces overview/listing pages with actual views for superior usability.The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have --------------------------------------------- https://www.drupal.org/node/2529378

1 0

Tageszusammenfassung - Mittwoch 8-07-2015
by Daily end-of-shift report 08 Jul '15

08 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 07-07-2015 18:00 − Mittwoch 08-07-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Security Advisory for Adobe Flash Player (APSA15-03) *** --------------------------------------------- A Security Advisory (APSA15-03) has been published regarding a critical vulnerability (CVE-2015-5119) in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1223 *** Security Updates Available for Adobe Flash Player (APSB15-16) *** --------------------------------------------- A security bulletin (APSB15-16) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1228 *** Multiple vulnerabilities in Cisco products *** --------------------------------------------- http://tools.cisco.com/security/center/viewAlert.x?alertId=39675 http://tools.cisco.com/security/center/viewAlert.x?alertId=39643 http://tools.cisco.com/security/center/viewAlert.x?alertId=39641 http://tools.cisco.com/security/center/viewAlert.x?alertId=39623 *** CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits *** --------------------------------------------- http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxx… *** When ‘int’ is the new ‘short’ *** --------------------------------------------- This is going to be a quick post, just describing a particularly interesting Chrome issue that I found last month; how I found it; and what is interesting about it�I was looking through some Chrome networking code; and I noticed an interesting API design .. --------------------------------------------- http://googleprojectzero.blogspot.com/2015/07/when-int-is-new-short.html *** Windows 10 kann WLAN-Passwörter an Kontakte verteilen *** --------------------------------------------- In Windows 10 lässt sich das WLAN-Passwort automatisch an Facebook-Freunde oder Skype-Kontakte verteilen. Das erspart das lästige Diktieren von Kennwörtern bei Besuch, bringt aber auch Risiken mit sich. --------------------------------------------- http://www.golem.de/news/it-sicherheit-windows-10-kann-wlan-passwoerter-an-… *** Schwachstelle in Nameserversoftware BIND 9 *** --------------------------------------------- Ein Angreifer, der einen Nameserver mit aktivierter DNSSEC-Validierung dazu bringen kann, eine Zone mit speziellem Inhalt abzufragen, kann den Nameserver zum Absturz bringen. --------------------------------------------- https://cert.at/warnings/all/20150708.html *** "Zero-Day"-Sicherheitslücke in Adobe Flash Player (aktiv ausgenützt) - Patches jetzt verfügbar *** --------------------------------------------- Durch Ausnutzen dieser Lücke kann ein Angreifer vermutlich vollständige Kontrolle über betroffene Systeme erlangen. Damit sind alle Daten auf diesen Systemen, sowie alle durch diese erreichbaren (etwa durch Login, VPN etc.) Daten und Systeme gefährdet. --------------------------------------------- https://cert.at/warnings/all/20150708-2.html *** Dyre Banking Trojan Exploits CVE-2015-0057 *** --------------------------------------------- CVE-2015-0057 is a Use-After-Free vulnerability that exists in the win32k.sys component of the Windows Kernel which can be exploited to perform local privilege escalation. The vulnerability was reported to Microsoft by Udi Yavo, and, after the patch .. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.ht… *** Prenotification: Upcoming Security Updates for Adobe Acrobat and Reader (APSB15-15) *** --------------------------------------------- A prenotification security advisory has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, July 14, 2015. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1232 *** Wild Neutron – Economic espionage threat actor returns with new tricks *** --------------------------------------------- A powerful threat actor known as “Wild Neutron” (also known as “Jripbot” and “Morpho”) has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware. --------------------------------------------- https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-…

1 0

Tageszusammenfassung - Dienstag 7-07-2015
by Daily end-of-shift report 07 Jul '15

07 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Montag 06-07-2015 18:00 − Dienstag 07-07-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Security Advisory: BIG-IQ remote authentication vulnerability CVE-2015-4637 *** --------------------------------------------- When remote authentication is configured on the BIG-IQ system for a LDAP server that allows anonymous BIND operations, a unauthenticated user may obtain an authentication token from the REST API for any known (or guessed) LDAP user account and will receive all the access and privileges of that user account for REST API calls. (CVE-2015-4637) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/800/sol16861.htm… *** Fraudulent BatteryBot Pro App Yanked from Google Play *** --------------------------------------------- A malicious Android app spoofing the popular BatteryBot Pro app has been pulled from Google Play. Researchers at Zscaler reported the app, which had a package name of com.polaris.BatteryIndicatorPro. The app requested excessive permissions from the user in an attempt to get full control of an .. --------------------------------------------- http://threatpost.com/fraudulent-batterybot-pro-app-yanked-from-google-play… *** Malvertisement - A Nuclear EK Tale *** --------------------------------------------- Over the past couple of years delivering malware via advertisements, or "malvertisement," has become one of the most popular methods of distribution for exploit kits. Like most trends in the world of Internet security, the longer it endures - the .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Malvertisement-%e2%80%9… *** Social Engineering - A Case Study *** --------------------------------------------- In this article, I am going to illustrate a real life social engineering hack that I did it for my friend. My friend saw some property ads on internet. He filled the query form for that ad, and after a day he got a call fraudulent call .. --------------------------------------------- http://resources.infosecinstitute.com/social-engineering-a-case-study/ *** Two major IT-Security Myths debunked *** --------------------------------------------- There are two statements G DATA’s security experts hear and read time and again: “I do not surf on porn websites, my computer can’t get infected” as well as “my computer does not hold anything valuable and I have nothing to hide – why should I be a target?” It would be a pleasure to confirm this, but, unfortunately, we do not live in an ideal world. The company’s latest Malware Report underlines why such sentences should be regarded as myths and IT-Security is important for everyone. --------------------------------------------- https://blog.gdatasoftware.com/blog/article/two-major-it-security-myths-deb… *** NewStatPress <= 1.0.4 - Reflected Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8081 *** NewStatPress <= 1.0.4 - SQL Injection *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8080 *** Safer Internet *** --------------------------------------------- Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend .. --------------------------------------------- http://securityblog.switch.ch/2015/07/07/safer-internet/ *** Kritischer OpenSSL-Patch voraus *** --------------------------------------------- Mit einer kurzen Notiz verkündet Mark J. Cox, dass man Donnerstag, den 9. Juli, ein Sicherheits-Update für OpenSSL veröffentlichen wolle. Dies sei der höchsten Sicherheitsstufe zuzurechnen (high). Das bedeutet, dass gängige Konfigurationen betroffen sind und die Lücke sich wahrscheinlich ausnutzen lässt, um Denial-of-Service-Angriffe durchzuführen, Daten zu klauen oder sogar betroffene System zu kapern. --------------------------------------------- http://heise.de/-2739804 *** Landeskriminalamt Salzburg warnt vor gefälschten Paketdienst-E-Mails *** --------------------------------------------- In Salzburg sind derzeit verstärkt Internet-Betrüger aktiv. Die Polizei warnt akut vor gefälschten E-Mails im Namen bekannter Paketdienste, die vorgeben, dass eine Postsendung unterwegs sei. Über einen Link könne man den aktuellen Paketstatus abrufen. Ein Klick darauf installiert in Wirklichkeit aber die Schadsoftware "CryptoLocker", welche die auf der Festplatte gespeicherten Daten verschlüsselt. --------------------------------------------- http://derstandard.at/2000018700461 *** Fuzzing: Auf Fehlersuche mit American Fuzzy Lop *** --------------------------------------------- Programme testweise mit massenhaft fehlerhaften Daten zu füttern, ist eine effektive Methode, um Fehler zu finden. Das sogenannte Fuzzing ist schon seit Jahrzehnten bekannt, doch bessere Tools und einige spektakuläre Funde von Sicherheitslücken haben zuletzt das Interesse daran erneut geweckt. --------------------------------------------- http://www.golem.de/news/fuzzing-auf-fehlersuche-mit-american-fuzzy-lop-150… *** New Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries *** --------------------------------------------- Unit 42 discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. We named this malware family 'Gunpoder' based on the main malicious component name, .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2015/07/new-android-malware-fami… *** Hacked Hacking Team *** --------------------------------------------- Wie ja seit gestern gross durch die diversen Medien getrommelt wird (siehe etwa heise.de, derstandard.at), wurde das Unternehmen "Hacking Team" anscheinend selbst Opfer eines Angriffs. In den dabei geleakten Daten sind auch etliche Hinweise auf bislang unbekannte Exploits ("0-days") zu finden. Leider fehlt uns die Kapazität, die gesamten geleakten Daten (gut 160.000 Dateien mit insg. rund 400GB!) in endlicher Zeit selbst zu analysieren, daher müssen wir uns dabei auf die Community verlassen. --------------------------------------------- http://www.cert.at/services/blog/20150707141314-1556.html *** Attack of the Zombie Orkut Phishing Pages *** --------------------------------------------- Sometimes long dead websites are targeted by phishing pages. When those sites made use of single sign-on, the danger will never quite go away. Orkut may be gone, but the fake login pages persist .. --------------------------------------------- https://blog.malwarebytes.org/fraud-scam/2015/07/attack-of-the-zombie-orkut…

1 0

Tageszusammenfassung - Montag 6-07-2015
by Daily end-of-shift report 06 Jul '15

06 Jul '15

======================= = End-of-Shift report = ======================= Timeframe: Freitag 03-07-2015 18:00 − Montag 06-07-2015 18:00 Handler: Alexander Riepl Co-Handler: n/a *** [20150602] - Core - CSRF Protection *** --------------------------------------------- http://developer.joomla.org/security-centre/618-20150602-core-remote-code-e… *** [20150601] - Core - Open Redirect *** --------------------------------------------- http://developer.joomla.org/security-centre/617-20150601-core-open-redirect… *** This 20-year-old Student Has Written 100 Malware Programs in Two Years *** --------------------------------------------- Security firm Trend Micro has identified a 20-year-old Brazilian college student responsible for developing and distributing over 100 Banking Trojans selling each for around .. --------------------------------------------- http://thehackernews.com/2015/07/student-hacker.html *** A .BUP File Is An OLE File *** --------------------------------------------- Yesterday I mentioned that McAfee quarantine files on Windows (.BUP extension) are actually OLE files. Im going to write a couple of diary entries highlighting some file types that are OLE files, and .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19869 *** MMD-0036-2015 - KINS (or ZeusVM) v2.0.0.0 tookit (builder & panel) leaked. *** --------------------------------------------- The background KINS (or ZeusVM to be precised) v2.0.0.0 tookit (builder & panel) was leaked and spread all over the internet. On Jun 26th 2015 we were informed about this and after several internal discussion, considering that: "so .. --------------------------------------------- http://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.h… *** A fileless Ursnif doing some POS focused reco *** --------------------------------------------- http://malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.… *** BizCN gate actor changes from Fiesta to Nuclear exploit kit *** --------------------------------------------- Introduction An actor using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK). This happened around last month, and we first noticed the change on 2015-06-15. I started writing about this actor in 2014 .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=19875 *** Don't Be Fooled By Phony Online Reviews *** --------------------------------------------- The Internet is a fantastic resource for researching the reputation of companies with which you may wish to do business. Unfortunately, this same ease-of-use can lull the unwary into falling for marketing scams originally perfected .. --------------------------------------------- http://krebsonsecurity.com/2015/07/dont-be-fooled-by-phony-online-reviews/ *** Spionagefirma Hacking Team: "Feind des Internets" selbst gehackt *** --------------------------------------------- Die italienische Überwachungsfirma Hacking Team wurde selbst Opfer eines massiven Hacks: Eindringlinge konnten rund 480 GB an internen Daten übernehmen und diese als Download bereitstellen. Auch der Twitter-Account des Unternehmens wurde übernommen und in "Hacked Team" umbenannt. Die veröffentlichten Informationen .. --------------------------------------------- http://derstandard.at/2000018630550 *** Blue-Pill-Lücke in Xen geschlossen *** --------------------------------------------- In der langen Liste der Sicherheits-Verbesserungen von Xen 4.5.1 finden sich auch eine Lücke, die den Ausbruch aus einer virtuellen Maschine erlaubt - und ein geheimnisvoller, noch undokumentierte Eintrag. --------------------------------------------- http://heise.de/-2736158 *** ManageEngine Password Manager Pro 8.1 SQL Injection *** --------------------------------------------- An authenticated user (even the guest user) is able to execute arbitrary SQL code using a forged request to the SQLAdvancedALSearchResult.cc. The SQL query is build manually and is not escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar. --------------------------------------------- http://cxsecurity.com/issue/WLB-2015070020 *** Insider Threats Defined *** --------------------------------------------- According to the second annual SANS survey on the security of the financial services sector, the number one threat companies are concerned about doesn’t relate to nation-states, organised criminal gangs or ‘APTs’. Rather the main worry revolves around insider threats – but what exactly is an insider threat and what can be done to detect and respond to these threats? --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/insider-threats-defined *** How to Deal with Reverse Domain Name Hijacking *** --------------------------------------------- The fact that one owns a trademark which is identical or confusingly similar to a domain name does not necessarily mean that she is entitled to that domain name. For .. --------------------------------------------- http://resources.infosecinstitute.com/how-to-deal-with-reverse-domain-name-… *** Rätselaufgaben gegen DDoS-Angriffe auf TLS *** --------------------------------------------- Ein Akamai-Mitarbeiter beschreibt, wie mit einfachen Rechenaufgaben DDoS-Angriffe durch Clients auf TLS-Verbindungen minimiert werden könnten. Die Idee ist zwar noch ein Entwurf, könnte aber als Erweiterung für TLS 1.3 standardisiert werden. --------------------------------------------- http://www.golem.de/news/ietf-raetselaufgaben-gegen-ddos-angriffe-auf-tls-1… *** AWS Best Practices for DDoS Resiliency (PDF) *** --------------------------------------------- http://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf *** No one expect command execution ! *** --------------------------------------------- Unix is a beautiful world where your shell gives you the power of launching any command you like. But sometimes, command can be used to launch another commands, and thats sometimes unexpected. --------------------------------------------- http://0x90909090.blogspot.fr/2015/07/no-one-expect-command-execution.html

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily July 2015