=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 28-10-2016 18:00 − Montag 31-10-2016 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
*** Of course smart homes are targets for hackers ***
---------------------------------------------
The Wirecutter, an in-depth comparative review site for various electrical and electronic devices, just published an opinion piece on whether users should be worried about security issues in IoT devices. The summary: avoid devices that dont require passwords (or dont force you to change a default and devices that want you to disable security, follow general network security best practices but otherwise dont worry - criminals arent likely to target you.This is terrible, irresponsible advice. Its
---------------------------------------------
http://mjg59.dreamwidth.org/45483.html
*** Ensuring that ICS/SCADA isn't our next IoT nightmare ***
---------------------------------------------
The DDoS chaos of the past month tells us that we need to work together to ensure future standards and reduce security risks
---------------------------------------------
https://nakedsecurity.sophos.com/2016/10/28/ensuring-that-icsscada-isnt-our…
*** Volatility Bot: Automated Memory Analysis, (Sun, Oct 30th) ***
---------------------------------------------
Few weeks ago Ive attended the SANS DFIR Summit in Prague, and one of the very interesting talks was from Martin Korman (@MartinKorman), who presented a new tool he developed: Volatility Bot. According to his description, Volatility Bot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. Not only does it automatically extract the executable...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21655&rss
*** Masque Attack Abuses iOS's Code Signing to Spoof Apps and Bypass Privacy Protection ***
---------------------------------------------
First reported in 2014, Masque Attack allowed hackers to replace a genuine app from the App Store with a malformed, enterprise-signed app that had the same Bundle Identifier (Bundle ID). Apple subsequently patched the vulnerabilities (CVE-2015-3772 and CVE-2015-3725), but while it closed a door, scammers seemed to have opened a window. Haima's repackaged, adware-laden apps and its native helper application prove that App Store scammers are still at it.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ffHuC_yu178/
*** DDOS-Attacke gegen Server legt Wiener TU-Informatiker lahm ***
---------------------------------------------
Eine DDOS-Attacke gegen Server der Fachschaft Informatik der TU Wien hat zu Webseiten-Ausfällen geführt.
---------------------------------------------
https://futurezone.at/digital-life/ddos-attacke-gegen-server-legt-wiener-tu…
*** Joomla websites attacked en masse using recently patched exploits ***
---------------------------------------------
Attackers are aggressively attacking Joomla-based websites by exploiting two critical vulnerabilities patched last week.The flaws allow the creation of accounts with elevated privileges on websites built with the popular Joomla content management system, even if account registration is disabled. They were patched in Joomla 3.6.4, released Tuesday.Hackers didnt waste any time reverse engineering the patches to understand how the two vulnerabilities can be exploited to compromise websites,...
---------------------------------------------
http://www.csoonline.com/article/3136933/security/joomla-websites-attacked-…
*** CardComplete-Phishingmail: 3-D Secure Aktualisierung ***
---------------------------------------------
In einer vermeintlichen CardComplete-Benachrichtigung heißt es, dass Kreditkarteninhaber/innen ihr 3-D Secure Verfahren aktualisieren müssen. Dazu sollen sie eine Website aufrufen und ihre persönlichen Kreditkarteninformationen bekannt geben. In Wahrheit stammt die E-Mail von Kriminellen, die damit sensible Daten stehlen.
---------------------------------------------
https://www.watchlist-internet.at/phishing/cardcomplete-phishingmail-3-d-se…
*** "AtomBombing": Forscher warnen vor "unpatchbarer" Windows-Lücke ***
---------------------------------------------
Angeblich alle Windows-Systeme betroffen - Gefahrenpotenzial allerdings unklar
---------------------------------------------
http://derstandard.at/2000046630311
*** Cybercrime-Report 2015: Elf Prozent mehr Anzeigen in Österreich ***
---------------------------------------------
Mehr Fälle bei Internetbetrug, Erpressung und Datenmissbrauch
---------------------------------------------
http://derstandard.at/2000046762022
*** The Week in Ransomware - October 28 2016 - Locky, Angry Duck, and More! ***
---------------------------------------------
Lots and lots of little ransomware and in-dev variants released this week. Of particular note is the quick release of two Locky variants that used .sh*t and then a day later the .thor extension for encrypted files.
---------------------------------------------
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-octobe…
*** Security Advisory: OpenSSL vulnerability CVE-2016-2181 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59298921.html?…
*** Vuln: Moodle CVE-2016-7919 Information Disclosure Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93971
*** GNU tar 1.29 Extract Pathname Bypass ***
---------------------------------------------
Topic: GNU tar 1.29 Extract Pathname Bypass Risk: Low Text: - t216 special vulnerability release -- Vulnerability: POINTYFEATHER aka Tar extract pathname bypass ...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100254
*** About the security content of iOS 10.1.1 ***
---------------------------------------------
This document describes the security content of iOS 10.1.1.
---------------------------------------------
https://support.apple.com/en-us/HT207287
*** Vulnerabilities in InfraPower PPS-02-S Q213V1 ***
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php
---------------------------------------------
*** InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities ***
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php
---------------------------------------------
Next End-of-Shift report: 2016-11-02
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 27-10-2016 18:00 − Freitag 28-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Vuln: HP Business Service Management CVE-2016-4392 Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93933
*** MS16-128 - Critical: Security Update for Adobe Flash Player (3201860) - Version: 1.0 ***
https://technet.microsoft.com/en-us/library/security/MS16-128
*** Vuln: Python urllib3 CVE-2016-9015 TLS Certificate Validation Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93941
*** Vuln: Apache Tomcat Security Manager CVE-2016-6796 Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93944
*** iTunes 12.5.2 for Windows ***
---------------------------------------------
https://support.apple.com/kb/HT207274
*** iPrint Appliance 2.1 Patch 1 ***
---------------------------------------------
https://download.novell.com/Download?buildid=AmZsfGf_NQ4~
*** Malvertising ***
---------------------------------------------
Unsere Kollegen vom niederländischen NCSC haben eben ihr "Cyber Security Assessment Netherlands 2016" auch auf Englisch veröffentlicht. Da steckt viel Arbeit ..
---------------------------------------------
http://www.cert.at/services/blog/20161028083404-1815.html
*** Researchers tag new brace of bugs in NTP, but theyre fixable ***
---------------------------------------------
However, because these are protocol vulnerabilities, the researchers fixing NTP is more important. They propose replacing the current model with one that uses more ..
---------------------------------------------
http://www.theregister.co.uk/2016/10/28/researchers_tag_new_brace_of_bugs_i…
*** Honeywell Experion PKS Improper Input Validation Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a denial-of-service condition caused by an improper input validation vulnerability in Honeywell’s Experion Process Knowledge System platform.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-301-01
*** Bugtraq: [security bulletin] HPSBMU03653 rev.1 - HPE System Management Homepage (SMH), Remote Arbitrary Code Execution, Cross-Site Scripting (XSS), Denial of Service (DoS), Unauthorized Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539646
*** Bugtraq: [security bulletin] HPSBHF3549 ThinkPwn UEFI BIOS SmmRuntime Escalation of Privilege ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539645
*** Der Bot im Babyfon ***
---------------------------------------------
In ein Heimnetzwerk integrierte IoT-Geräte bauen oftmals selbstständig eine Verbindung zum Internet auf, indem sie den Router des Nutzers per UPnP (Universal Plug and Play) so konfigurieren, dass eine Portweiterleitung ..
---------------------------------------------
https://www.bsi-fuer-buerger.de/BSIFB/DE/Service/Aktuell/Informationen/Arti…
*** Researchers expose Mirai vuln that could be used to hack back against botnet ***
---------------------------------------------
Exploit can halt attacks from IoT devices Security researchers have discovered flaws in the Mirai ..
---------------------------------------------
www.theregister.co.uk/2016/10/28/mirai_botnet_hack_back/
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 25-10-2016 18:00 − Donnerstag 27-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Asterisk users need to patch DoS bug ***
---------------------------------------------
Overlap dialling lets attacker shut down system Asterisk users need to get busy with a patch.
---------------------------------------------
www.theregister.co.uk/2016/10/25/asterisk_patch_dos_bug/
*** Denial of Service Vulnerability in Citrix License Server ***
---------------------------------------------
A vulnerability has been identified in the Citrix License Server for Windows and Citrix License Server VPX that could allow a remote ..
---------------------------------------------
https://support.citrix.com/article/CTX217430
*** Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware ***
---------------------------------------------
https://support.citrix.com/article/CTX216642
*** Memory Permission Weakness in Citrix XenApp and XenDesktop ***
---------------------------------------------
https://support.citrix.com/article/CTX215460
*** Security Advisory - PXN Defense Mechanism Failure Vulnerability in Huawei Mobile Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161026-…
*** VMSA-2016-0017 ***
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0017.html
*** Security Advisory - Two Information Leak Vulnerabilities in ION Memory Management Module of Huawei Smart Phone ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161026-…
*** Cisco Identity Services Engine SQL Injection Vulnerability ***
---------------------------------------------
A vulnerability in the web framework code of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Siemens SICAM RTU Devices Denial-of-Service Vulnerability ***
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-299-01
*** Bundeskriminalamt gibt Tipps zum Schutz mobiler Geräte ***
---------------------------------------------
http://derstandard.at/2000046518819
*** Security updates available for Adobe Flash Player (APSB16-36) ***
---------------------------------------------
A Security Bulletin (APSB16-36) has been published regarding security updates for Adobe Flash Player. These updates address a critical vulnerability, and Adobe ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1416
*** Vulnerability in Linux Kernel Affecting Cisco Products: October 2016 ***
---------------------------------------------
On October 19, 2016, a new vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Installer of 7-Zip for Windows may insecurely load Dynamic Link Libraries ***
---------------------------------------------
http://jvn.jp/en/jp/JVN76780067/
*** Cisco Email Security Appliance Malformed DGN File Attachment Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Prime Collaboration Provisioning Cross-Site Scripting Vulnerability ***
---------------------------------------------
Multiple vulnerabilities in the web framework code of the Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to conduct a ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco IP Interoperability and Collaboration System Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework code of the Cisco IP Interoperability and Collaboration System (IPICS) could allow an unauthenticated, ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email and Web Security Appliance JAR Advanced Malware Protection DoS Vulnerability ***
---------------------------------------------
A vulnerability in Advanced Malware Protection (AMP) for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA) could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email Security Appliance FTP Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in local FTP to the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition when the FTP application unexpectedly quits.The ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email Security Appliance Drop Bypass Vulnerability ***
---------------------------------------------
A vulnerability in the configured security policies, including drop email filtering, in Cisco AsyncOS for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass a configured drop filter by ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email Security Appliance Corrupted Attachment Fields Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Email Security Appliance Advanced Malware Protection Attachment Scanning Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the email attachment scanning functionality of the Advanced Malware Protection ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Remote Code Execution Vulnerabilities Plague LibTIFF Library ***
---------------------------------------------
Three vulnerabilities, all which can lead to remote code execution, exist in the LibTIFF library.
---------------------------------------------
http://threatpost.com/remote-code-execution-vulnerabilities-plague-libtiff-…
*** Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054 ***
---------------------------------------------
This module enables you to run NCBI BLAST jobs on the host system.The module doesnt sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be ..
---------------------------------------------
https://www.drupal.org/node/2822366
*** Office 2013 can now block macros to help prevent infection ***
---------------------------------------------
In response to the growing trend of macro-based threats, a new feature in Office 2016 allows an enterprise administrator to block users from running macros ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/10/26/office-2013-can-now-blo…
*** Joomla! squashes critical privileged account creation holes ***
---------------------------------------------
Borked two factor authentication also fixed Joomla! has revealed its patched twin critical flaws allowing attackers to bypass rules and create elevated privilege accounts.
---------------------------------------------
www.theregister.co.uk/2016/10/27/joomla_squashes_critical_privileged_accoun…
*** Three LibTIFF bugs found, only two patched ***
---------------------------------------------
Buffer overruns, remote code execution, you know the drill LibTIFF has three bugs that let booby-trapped files pwn a target - and only two of them have been patched.
---------------------------------------------
www.theregister.co.uk/2016/10/27/three_libtiff_bugs_found_only_two_patched/
*** Inside the Gootkit C&C server ***
---------------------------------------------
In September 2016, we discovered a new version of Gootkit with a characteristic and instantly recognizable feature: an extra check of the environment ..
---------------------------------------------
http://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/
*** Citrix XenServer Security Update for CVE-2016-7777 ***
---------------------------------------------
A security vulnerability has been identified in Citrix XenServer that may allow malicious user code within an HVM guest VM to read or modify the contents of ..
---------------------------------------------
https://support.citrix.com/article/CTX217363
*** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Open Source Tomcat vulnerability (CVE-2016-3092) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21993043
*** Are the Days of “Booter” Services Numbered? ***
---------------------------------------------
It may soon become easier for Internet service providers to anticipate and block certain types of online assaults launched by Web-based attack-for-hire services known as "booter" or "stresser" services, new research released today suggests.
---------------------------------------------
https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbere…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 24-10-2016 18:00 − Dienstag 25-10-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** iOS 10.1 ***
---------------------------------------------
https://support.apple.com/kb/HT207271
*** IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers ***
---------------------------------------------
A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last weeks massive attack that disrupted Twitter and ..
---------------------------------------------
https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-le…
*** Locky Ransomwares new .SHIT Extension shows that you cant Polish a Turd ***
---------------------------------------------
To further show how ransomware is such a pile of crap, a new version of Locky has been released that appends the .shit extension on encrypted files. Like previous ..
---------------------------------------------
http://www.bleepingcomputer.com/news/security/locky-ransomwares-new-shit-ex…
*** DSA-3698 php5 - security update ***
---------------------------------------------
Several vulnerabilities were found in PHP, a general-purpose scriptinglanguage commonly used for web application development.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3698
*** Critical Patch Update - October 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
*** Kryptologe Hellman: NSA propagiert mittlerweile Verschlüsselung ***
---------------------------------------------
Daten verlässlich zu verschlüsseln auch für Sicherheit von Staaten wichtig – Zusammensetzen sicherer Komponenten macht außerdem noch lange kein sicheres System
---------------------------------------------
http://derstandard.at/2000046466661
*** Wosign und Startcom: Mozilla veröffentlicht Details des TLS-Rauswurfs ***
---------------------------------------------
Mozillas Firefox-Browser wird keine TLS-Zertifikate der beiden skandalträchtigen Certificate Authorities mehr akzeptieren. Wie dies genau umgesetzt wird, hat die Stiftung nun erläutert.
---------------------------------------------
http://www.golem.de/news/wosign-und-startcom-mozilla-veroeffentlicht-detail…
*** Certificate Transparency: Betrug mit TLS-Zertifikaten wird fast unmöglich ***
---------------------------------------------
Alle TLS-Zertifizierungsstellen müssen ab nächstem Herbst ihre Zertifikate vor der Ausstellung in ein öffentliches Log eintragen. Mittels Certificate Transparency kann Fehlverhalten bei der Zertifikatsausstellung leichter entdeckt werden - das TLS-Zertifikatssystem insgesamt wird vertrauenswürdiger.
---------------------------------------------
http://www.golem.de/news/certificate-transparency-betrug-mit-tsl-zertifikat…
*** [20161002] - Core - Elevated Privileges ***
---------------------------------------------
Incorrect use of unfiltered data allows for users to register on a site with elevated privileges. Affected Installs Joomla! CMS versions 3.4.4 through 3.6.3 Solution Upgrade to ..
---------------------------------------------
https://developer.joomla.org/security-centre/660-20161002-core-elevated-pri…
*** [20161001] - Core - Account Creation ***
---------------------------------------------
Inadequate checks allows for users to register on a site when registration has been disabled. Affected Installs Joomla! CMS versions 3.4.4 ..
---------------------------------------------
https://developer.joomla.org/security-centre/659-20161001-core-account-crea…
*** BSI: Deutschland soll vernetzte Geräte besser schützen ***
---------------------------------------------
Nach einem Angriff auf die Internet-Infrastruktur hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) höhere Sicherheitsstandards verlangt.
---------------------------------------------
https://futurezone.at/netzpolitik/bsi-deutschland-soll-vernetzte-geraete-be…
*** Vulnerabilities in Slack could have led to account hijacking ***
---------------------------------------------
Persistence pays off as security researcher nets bug bounty for unearthing an access control bypass allowing attackers to reset passwords if they know the usernames.
---------------------------------------------
http://www.scmagazine.com/vulnerabilities-in-slack-could-have-led-to-accoun…
*** task_t considered harmful ***
---------------------------------------------
Posted by Ian Beer, Project ZeroThis post discusses a design issue at the core of the XNU kernel which powers iOS and MacOS. Apple have shipped two iterations of mitigations followed yesterday by a large refactor in MacOS 10.12.1/iOS ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/10/posted-by-ian-beer-project-ze…
Aufgrund des Feiertages am morgigen Mittwoch, den 26.10.2016, erscheint der nächste End-of-Shift Report erst am 27.10.2016.
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 21-10-2016 18:00 − Montag 24-10-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** In a BIND: Third parties distributed outdated, vulnerable ISC Domain Name System software ***
---------------------------------------------
The Internet Systems Consortium issued an advisory on Wednesday, warning that some third parties are distributing versions of ISCs BIND software that contain a high-severity vulnerability, which if exploited can trigger an assertion failure.
---------------------------------------------
http://www.scmagazine.com/in-a-bind-third-parties-distributed-outdated-vuln…
*** Credentials Stealer on Prestashop ***
---------------------------------------------
In a matter of hours, a big e-commerce website can have hundreds of credit card numbers stolen and used by attackers on other websites around the world. We commonly see ecommerce websites infected with credit card (CC) ..
---------------------------------------------
https://blog.sucuri.net/2016/10/credentials-stealer-prestashop.html
*** Hacked Cameras, DVRs Powered Today’s Massive Internet Outage ***
---------------------------------------------
A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked "Internet of Things" (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.
---------------------------------------------
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-mass…
*** Beware of Hicurdismos: It’s a fake Microsoft Security Essentials installer that can lead to a support call scam ***
---------------------------------------------
Wouldn’t it be a shame if, in trying to secure your PC, you inadvertently install malware and run the risk of being scammed? We recently discovered a threat ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/10/21/beware-of-hicurdismos-i…
*** DSA-3697 kdepimlibs - security update ***
---------------------------------------------
Roland Tapken discovered that insufficient input sanitising in KMailsplain text viewer allowed the injection of HTML code.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3697
*** Policy Analyzer v3.1 PRE-RELEASE ***
---------------------------------------------
Lots of updates to Policy Analyzer in this unsigned, pre-release preview build — please post comments here to let me know how well it addresses your needs and what ..
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2016/10/22/policy-analyzer-v3-…
*** Sicherere Pornos: "https" soll Nutzer schützen ***
---------------------------------------------
Sicherheitsprotokoll schützt Privatsphäre – soll außerdem vor potenzielle Leaks verhindern
---------------------------------------------
http://derstandard.at/2000046090383
*** "Dirty Cow": Warnung vor "ekliger" Linux-Lücke ***
---------------------------------------------
Fehler erlaubt es Nutzern im Linux-Kernel Dateien zu überschreiben, für die sie Leserechte haben
---------------------------------------------
http://derstandard.at/2000046330107
*** FBI: Russe soll LinkedIn und Dropbox gehackt haben ***
---------------------------------------------
Der russische Staatsbürger wurde in Tschechien festgenommen
---------------------------------------------
http://derstandard.at/2000046330952
*** Request for Packets TCP 4786 - CVE-2016-6385, (Sat, Oct 22nd) ***
---------------------------------------------
We have received information about potential active reconnaissance for TCP 4786 which might be related to CVE-2016-6385 (Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability) an advisory released 28 Sep 2016. This ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21625
*** Mirai-Botnetz: Dyn bestätigt Angriff von zig-Millionen IP-Adressen ***
---------------------------------------------
Der Internet-Dienstleister Dyn hat erste Details zur schweren DDoS-Attacke vom vergangenen Freitag genannt. Demnach gab es drei Angriffswellen von unterschiedlichem Ausmaß.
---------------------------------------------
http://www.golem.de/news/mirai-botnetz-dyndns-bestaetigt-angriff-von-zig-mi…
*** Hohe Phishing-Quote: So einfach ließen sich US-Politiker hacken ***
---------------------------------------------
Die Veröffentlichungen von Wikileaks bringen die US-Politik in Schwierigkeiten. Die Hacks machen deutlich, welche Gefahren durch die Nutzung populärer E-Mail-Dienste wie Gmail entstehen.
---------------------------------------------
http://www.golem.de/news/hohe-phishing-quote-so-einfach-liessen-sich-us-pol…
*** Mozilla plots TLS 1.3 future for Firefox ***
---------------------------------------------
Quicker handshake starts encrypting data sooner Mozilla has decided it needs to lift its HTTPS game, and will default to TLS 1.3 in next years Firefox 52.…
---------------------------------------------
www.theregister.co.uk/2016/10/23/mozilla_plots_tls_13_future_for_firefox/
*** DDoS für 7.500 US-Dollar: Hacker verkaufen Zugang zu IoT-Botnetz im Darknet ***
---------------------------------------------
Der Zugang zum IoT-Botnetz Mirai setzt neuerdings keine technischen Kenntnisse mehr voraus, sondern nur genügend Finanzmittel - 7.500 US-Dollar. Außerdem bestätigte ein chinesischer Hersteller, dass seine Geräte Teil des ..
---------------------------------------------
http://www.golem.de/news/ddos-fuer-7-500-us-dollar-hacker-verkaufen-zugang-…
*** Gefälschte Verbund-Rechnung verschlüsselt Dateien ***
---------------------------------------------
Kriminelle versenden gefälschte Verbund-Rechnungen per E-Mail. Darin fordern sie Empfänger/innen auf, dass diese eine Website öffnen. Sie imitiert den Internetauftritt der ..
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-verbun…
*** Drammer: Rowhammer bringt zuverlässig Root-Zugriff auf Android ***
---------------------------------------------
Mit forcierten Bitflips im Arbeitsspeicher lassen sich leicht Root-Rechte auf Systemen erlangen. Forscher zeigen, dass dies auch zuverlässig auf Android-Telefonen ..
---------------------------------------------
http://www.golem.de/news/drammer-rowhammer-bringt-zuverlaessig-root-zugriff…
*** Trick Bot – Dyreza’s successor ***
---------------------------------------------
Recently, our analyst Jérôme Segura captured an interesting payload in the wild. It turned out to be a new bot, that, at the moment of the analysis, hadnt been described ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-suc…
*** From There to Here (But Not Back Again) ***
---------------------------------------------
Red Hat Product Security recently celebrated our 15th anniversary this summer and while I cannot claim to have been with Red Hat for that long (although I’m coming up ..
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2712261
*** Analyzing Rig ***
---------------------------------------------
I recently Googled for a sleeping accommodation in "The Ardennes", a region of extensive forests in Southern Belgium. It wasnt surprised that by clicking on the fourth ..
---------------------------------------------
https://www.uperesia.com/analyzing-rig-exploit-kit
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 20-10-2016 18:00 − Freitag 21-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** iCloud Phishing Campaign Zycode Back From the Dead ***
---------------------------------------------
http://threatpost.com/icloud-phishing-campaign-zycode-back-from-the-dead/12…
*** EMC Avamar Data Store and Virtual Edition Unspecified Flaw Lets Remote Authenticated Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1037066
*** Hack.lu 2016 Wrap-Up Day #3 ***
---------------------------------------------
The third day is already over! I’m just back at home so it’s time for a last quick wrap-up before recovering before BruCON which is organized next week! Damien ..
---------------------------------------------
https://blog.rootshell.be/2016/10/20/hack-lu-2016-wrap-day-3/
*** Oracle Critical Patch Update Advisory - October 2016 ***
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
*** Moxa EDR-810 Industrial Secure Router Privilege Escalation Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a privilege escalation vulnerability in Moxa’s EDR-810 Industrial Secure Router.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-294-01
*** “Most serious” Linux privilege-escalation bug ever is under active exploit (updated) ***
---------------------------------------------
While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation ..
http://arstechnica.com/security/2016/10/most-serious-linux-privilege-escala…
*** CVE-2016-2848: A packet with malformed options can trigger an assertion failure in ISC BIND versions released prior to May 2013 ***
---------------------------------------------
A packet with a malformed options section can be used to deliberately trigger an assertion ..
---------------------------------------------
https://kb.isc.org/article/AA-01433/74/CVE-2016-2848
*** Nagios XI 5.2.9 Cross Site Scripting / Open Redirect ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016100203
*** Doctor Web examines new backdoor for Linux ***
---------------------------------------------
October 20, 2016 Most backdoor Trojans are created for Microsoft Windows; however, a few of them can infect Linux devices. This rare type of Trojan ..
---------------------------------------------
http://news.drweb.com/show/?i=10265&lng=en&c=9
*** Vuln: Multiple Synology DiskStation Products CVE-2016-6554 Insecure Default Password Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93805
*** Warnung vor gefälschter BAWAG PSK-Phishingmail ***
---------------------------------------------
In einer gefälschten BAWAG PSK-Nachricht behaupten Kriminelle, dass es „einer dringenden ..
---------------------------------------------
https://www.watchlist-internet.at/phishing/warnung-vor-gefaelschter-bawag-p…
*** Dridex - an old dog is learning new tricks ***
---------------------------------------------
A lot of things have been said and written about Dridex in the past few months. It has risen and fallen in prevalence and it was rumored that its makers collaborate ..
---------------------------------------------
https://blog.gdatasoftware.com/2016/10/29261-dridex-an-old-dog-is-learning-…
*** New ESET research paper puts Sednit under the microscope ***
---------------------------------------------
Security researchers at ESET have released their latest research into the notorious Sednit ..
---------------------------------------------
http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sedni…
*** SSA-296574 (Last Update 2016-10-21): Denial of Service in SICAM RTU Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-296574…
*** Hax0rs sow Discord by using VoIP service to sling malware at gamers ***
---------------------------------------------
Not even playtimes safe these days Hackers abused a free VoIP service for gamers to distribute remote-access Trojans and other malware.
---------------------------------------------
www.theregister.co.uk/2016/10/21/gaming_voip_service_malware_abuse/
*** DDoS on Dyn Impacts Twitter, Spotify, Reddit ***
---------------------------------------------
Criminals this morning massively attacked Dyn, a company that provides core Internet services ..
---------------------------------------------
https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-red…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 19-10-2016 18:00 − Donnerstag 20-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the local Certificate Authority (CA) feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system.The vulnerability is due to improper handling of ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Firepower Detection Engine HTTP Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the detection engine reassembly of HTTP packets for Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the Snort process ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Meeting Server Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in Web Bridge for Cisco Meeting Server could allow an unauthenticated, remote attacker to retrieve memory from a connected server.The vulnerability is due to missing bounds checks in the Web Bridge functionality. An ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Meeting Server Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco ASA Software Identity Firewall Feature Buffer Overflow Vulnerability ***
---------------------------------------------
A vulnerability in the Identity Firewall feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Adult FriendFinder Vulnerability Leaves Millions Exposed ***
---------------------------------------------
Security experts are reporting popular adult website Adult FriendFinder has been compromised by hackers who have gained access to the sites backend servers.
---------------------------------------------
http://threatpost.com/adult-friendfinder-vulnerability-leaves-millions-expo…
*** The new .LNK between spam and Locky infection ***
---------------------------------------------
Just when it seems the Ransom:Win32/Locky activity has slowed down, our continuous monitoring of the ransomware family reveals a new workaround that the authors ..
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/10/19/the-new-lnk-between-spa…
*** Hack.lu 2016 Wrap-Up Day #2 ***
---------------------------------------------
I'm just back from the second day of hack.lu. The day started early with Patrice Auffret about Metabrik! Patrice is a Perl addict and developed lot of CPAN ..
---------------------------------------------
https://blog.rootshell.be/2016/10/20/hack-lu-2016-wrap-day-2/
*** Researchers Bypass ASLR Protection On Intel Haswell CPUs ***
---------------------------------------------
An anonymous reader writes: "A team of scientists from two U.S. universities has devised ..
---------------------------------------------
https://news.slashdot.org/story/16/10/19/2358209/researchers-bypass-aslr-pr…
*** OWASP ModSecurity CRS Version 3.0 RC2 Released ***
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/OWASP-ModSecurity-CRS-Versio…
*** Novell: Storage Manager for eDirectory 5.0.0 ***
---------------------------------------------
https://download.novell.com/Download?buildid=4x6-1FswplA~
*** Security research tool had security problem ***
---------------------------------------------
Plugin for popular disassembler OllyDGB allowed man-in-the-middle diddle Security ..
---------------------------------------------
www.theregister.co.uk/2016/10/20/ollydgb_vulnerability/
*** Can I spam from here: An Unusually Clever Spambot Tests Blacklists ***
---------------------------------------------
Unit 42 researchers recently observed an unusually clever spambot's attempts to increase delivery efficacy by abusing reputation blacklist service ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/10/unit42-can-i-spam-from-h…
*** Bugtraq: [security bulletin] HPSBGN03663 rev.1 - HPE ArcSight WINC Connector, Remote Code Execution ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539609
*** Skyping and Typing the Latest Threat to Privacy ***
---------------------------------------------
Typing while using Skype or over other Voice over Internet Protocol (VoIP) services presents an opportunity for an attacker to record the conversation, separate ..
---------------------------------------------
https://threatpost.com/skyping-and-typing-the-latest-threat-to-privacy/1213…
*** The Kings In Your Castle Part #1 ***
---------------------------------------------
In March 2016 I presented together with Raphael Vinot at this year�s Troopers conference in Heidelberg. The talk treated research of targeted malware, ..
---------------------------------------------
https://cyber.wtf/2016/10/12/the-kings-in-your-castle-all-the-lame-threats-…
*** Palo Alto PAN-OS Input Validation Flaw in Monitor Tab Lets Remote Authenticated Users Conduct Cross-Site Scripting Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1037063
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 18-10-2016 18:00 − Mittwoch 19-10-2016 18:00
Handler: Robert Waldner
Co-Handler: n/a
*** Is it worth reporting ransomware? ***
---------------------------------------------
Answer: yes. Police forces badly need more people to tell them about attacks.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/10/18/is-it-worth-reporting-ransomwar…
*** Security Advisory: PHP vulnerability CVE-2015-8935 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/63/sol63712424.html?…
*** PHP Buffer Overflow in php_pcre_replace_impl() Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
A remote user can supply specially crafted data that, when processed by the target application, will trigger a heap overflow in php_pcre_replace_impl() in the PCRE component and execute arbitrary code on the target system.
...
[Editor's note: The vendor indicates that these other memory errors require strings on the order of 2GB to exploit and that memory_limit and max_input_size values on the target system should prevent exploitation.]
---------------------------------------------
http://www.securitytracker.com/id/1037033
*** Security Advisory: TIFF vulnerability CVE-2015-7554 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/38/sol38871451.html?…
*** IDM 4.5 Midrange BiDirectional Driver 4.5 ***
---------------------------------------------
https://download.novell.com/Download?buildid=sQgqe1Stbog~
*** Hack.lu 2016 Wrap-Up Day #1 ***
---------------------------------------------
I'm back to Luxembourg for a new edition of hack.lu. In fact, I arrived yesterday afternoon to attend the MISP summit. It was a good opportunity to meet MISP users and to get fresh news about the project.
---------------------------------------------
https://blog.rootshell.be/2016/10/18/hack-lu-2016-wrap-day-1/
*** Oracle Java SE Multiple Flaws Let Remote Users Access Data, Partially Modify Data, and Gain Elevated Privileges ***
---------------------------------------------
Version(s): 6u121, 7u111, 8u102; Java SE Embedded: 8u101
Description: Multiple vulnerabilities were reported in Oracle Java SE. A remote user can access data on the target system. A remote user can modify data on the target system. A remote user can gain elevated privileges.
---------------------------------------------
http://www.securitytracker.com/id/1037040
*** Oracle Database Multiple Flaws Let Remote and Local Users Access and Modify Data and Gain Elevated Privileges and Let Local Users Deny Service ***
---------------------------------------------
Version(s): 11.2.0.4, 12.1.0.2
Description: Multiple vulnerabilities were reported in Oracle Database. A remote and local user can access data on the target system. A remote user can modify data on the target system. A local user can cause denial of service conditions on the target system. A local user can obtain elevated privileges on the target system. A remote authenticated user can gain elevated privileges.
---------------------------------------------
http://www.securitytracker.com/id/1037035
*** Vuln: Oracle Fusion Middleware CVE-2016-5531 Remote Security Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93730
*** MySQL Multiple Bugs Let Remote Users Access and Modify Data, Remote and Local Users Deny Service, and Local Users Modify Data and Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1037050
*** Solaris Multiple Bugs Let Remote and Local Users Access Data and Deny Service and Let Local Users Modify Data and Deny Service ***
---------------------------------------------
Version(s): 10, 11.3
Description: Multiple vulnerabilities were reported in Solaris. A remote or local user can access data on the target system. A remote or local user can cause denial of service conditions on the target system. A local user can modify data on the target system. A local user can obtain elevated privileges on the target system.
---------------------------------------------
http://www.securitytracker.com/id/1037048
*** Installer of Evernote for Windows may insecurely load Dynamic Link Libraries ***
---------------------------------------------
http://jvn.jp/en/jp/JVN03251132/
*** Schneider Electric PowerLogic PM8ECC Hard-coded Password Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a hard-coded password vulnerability in Schneider Electric's PowerLogic PM8ECC device.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-292-01
*** Cisco Talos: Vulnerability Spotlight: Foxit PDF Reader JBIG2 Parser Information Disclosure ***
---------------------------------------------
Talos has identified an information disclosure vulnerability in Foxit PDF Reader (TALOS-2016-0201/CVE-2016-8334). A wrongly bounded call to `memcpy`, while parsing jbig2 segments within a PDF file, can be triggered in Foxit PDF Reader causing an out-of-bounds heap memory to be read into a buffer.
---------------------------------------------
http://blog.talosintel.com/2016/10/foxit-pdf-jbig2.html
*** CAIDA: Spoofer ***
---------------------------------------------
We have developed and support a new client-server system for Windows, MacOS, and UNIX-like systems that periodically tests a networks ability to both send and receive packets with forged source IP addresses (spoofed packets). We are (in the process of) producing reports and visualizations that will inform operators, response teams, and policy analysts.
---------------------------------------------
https://www.caida.org/projects/spoofer/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Cloud Orchestrator, HTTP Server and bundling products shipped with Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2015-1788) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000137
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK for Node.js in IBM Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21992427
---------------------------------------------
*** IBM Security Bulletin: IBM TRIRIGA Application Platform Reflected Cross-Site Scripting (XSS) (CVE-2016-5980) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991992
---------------------------------------------
*** IBM Security Bulletin: Apache Commons FileUpload Vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-3092 ***
http://www.ibm.com/support/docview.wss?uid=swg21992457
---------------------------------------------
*** IBM Security Bulletin: Information disclosure vulnerability in IBM Websphere Application Server and IBM Websphere Application Server Liberty affects IBM BigFix Remote Control (CVE-2016-5986) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991987
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in PCRE affects IBM Tivoli Network Manager IP Edition (CVE-2016-1283) ***
http://www.ibm.com/support/docview.wss?uid=swg21991978
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 17-10-2016 18:00 − Dienstag 18-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** Security baseline for Windows 10 v1607 (“Anniversary edition”) and Windows Server 2016 ***
---------------------------------------------
Microsoft is pleased to announce the release of the security configuration baseline settings for Windows 10 version 1607, also known as “Anniversary edition” ..
---------------------------------------------
https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-f…
*** New-looking Sundown EK drops Smoke Loader, Kronos banker ***
---------------------------------------------
In this post we take a quick glance at some changes made to the Sundown exploit kit. The landing page has been tweaked and uses various obfuscation techniques. Sundown is used in some smaller campaigns and in this particular case ..
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-e…
*** Magento Credit Card Swiper Exports to Image ***
---------------------------------------------
Over the past year we have seen a rash of credit card swipers in Magento and other ecommerce-based websites. In fact, we have been finding new variants nearly every week. It is no surprise that ecommerce sites are ..
---------------------------------------------
https://blog.sucuri.net/2016/10/magento-credit-card-swiper-exports-image.ht…
*** ZDI-16-570: Novell NetIQ Sentinel Commons DiskFileItem Deserialization of Untrusted Data Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell NetIQ Sentinel. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-570/
*** Security Advisory - Hardcoded SSH Key Vulnerability in Some Huawei Storage Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161017-…
*** Audit sees VeraCrypt kils critical password recovery, cipher flaws ***
---------------------------------------------
Patches slung at 11 bad bugs Security researchers have found eight critical, three medium, and 15 low ..
---------------------------------------------
www.theregister.co.uk/2016/10/18/veracrypt_audit/
*** iOS 10.0.3 ***
---------------------------------------------
https://support.apple.com/en-us/HT207263
*** Hajime: Analysis of a decentralized internet worm for IoT devices [PDF] ***
---------------------------------------------
Though worms which target IoT devices are not new, they are rising in prominence lately due to the generally wea k security such devices have. What makes Hajime ..
---------------------------------------------
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
*** Netzob: Reverse Engineering Communication Protocols ***
---------------------------------------------
Netzob is an open source tool for reverse engineering, traffic generation and fuzzing of ..
---------------------------------------------
https://www.netzob.org/
*** Halfway there! Firefox users now visit over 50% of pages via HTTPS ***
---------------------------------------------
Mozilla telemetry shows sites using HTTPS for more secure browsing now outnumber plain old HTTP.
---------------------------------------------
https://nakedsecurity.sophos.com/2016/10/18/halfway-there-firefox-users-now…
*** Malware verkauft: 22-Jähriger muss in Deutschland vor Gericht ***
---------------------------------------------
Ein 22-Jähriger soll in 4.000 Fällen Trojaner, Viren und andere Malware verkauft haben. Jetzt muss er sich dafür vor Gericht verantworten.
--------------------------------------------
-
https://futurezone.at/digital-life/malware-verkauft-22-jaehriger-muss-in-de…
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 14-10-2016 18:00 − Montag 17-10-2016 18:00
Handler: Robert Waldner
Co-Handler: Alexander Riepl
*** pseudoDarkleech Rig EK ***
---------------------------------------------
Since Monday 2016-10-03, the pseudoDarkleech campaign has been using Rig exploit kit (EK) to distribute Cerber ransomware." /> Shown above: An infection chain of events. Let" /> Shown above:" /> Shown above: UDP traffic seen ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21595
*** Sierra Wireless Mitigations Against Mirai Malware ***
---------------------------------------------
NCCIC/ICS-CERT received a technical bulletin from the Sierra Wireless company, outlining mitigations to secure Airlink Cellular Gateway devices affected by (or at risk of) the “Mirai” malware. While the Sierra Wireless ..
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-286-01
*** Vuln: Magento CMS Multiple Cross-Site Request Forgery Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/93576
*** Vuln: Magento CMS Flash File Uploader Cross Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93575
*** Vuln: PHP password_verify() Function Out-of-Bounds Read Denial of Service Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/93578
*** Maldoc VBA Anti-Analysis ***
---------------------------------------------
I was asked for help with the analysis of sample 7c9505f2c041ba588bed854258344c43. Turns out this malicious Word document has some anti-analysis tricks (here is an older diary entry with other anti-analysis tricks). Here is the analysis with oledump.py: Stream 8 contains VBA ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21599
*** Symantec observed a surge of spam emails using malicious WSF files ***
---------------------------------------------
Symantec observed a significant increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments. Experts from Symantec are observing a significant increase in the number of email-based ..
---------------------------------------------
http://securityaffairs.co/wordpress/52341/cyber-crime/spam-wsf-files.html
*** Analyzing Office Maldocs With Decoder.xls, (Sun, Oct 16th) ***
---------------------------------------------
In my last diary entry, I show how to decode VBA maldoc strings with Excel. A similar technique can be used to decode a payload (like shellcode). I explain ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21601
*** Outlook-on-Android alternative Nine leaked Exchange Server creds ***
---------------------------------------------
Patches slung to fix popular third-party email app Staff logging into Exchange Server through a popular app could have placed their enterprise credentials at risk through a since-closed vulnerability.
---------------------------------------------
www.theregister.co.uk/2016/10/17/outlook_app_slapped_in_maninthemiddle_didd…
*** VMSA-2016-0016 ***
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2016-0016.html
*** IBM Security Bulletin:Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director (CVE-2016-0264, CVE-2016-3426) ***
---------------------------------------------
There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version ..
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024427
*** No More Ransom adds law enforcement partners from 13 new countries ***
---------------------------------------------
Intel Security and Kaspersky Labs today announced that 13 law enforcement agencies have joined No More Ransom, a partnership between cybersecurity industry and law enforcement organizations to provide ransomware victims education and decryption tools through www.nomoreransom.org. Intel ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/no-ransom-adds-law-enforcement-partner…