Daily February 2016

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - Montag 15-02-2016
by Daily end-of-shift report 15 Feb '16

15 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 12-02-2016 18:00 − Montag 15-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** A Look Behind The Skype Malvertising Campaign *** --------------------------------------------- As reported by F-Secure, a recent malvertising campaign has been hitting several top publishers to push the Angler exploit kit and install the TeslaCrypt ransomware, according to the Finnish company. Some of these infections happened via Skype, which displays ad banners within its product. --------------------------------------------- https://blog.malwarebytes.org/malvertising-2/2016/02/a-look-behind-the-skyp… *** Fake SUPEE-5344 Patch Steals Payment Details *** --------------------------------------------- In case you don't know, SUPEE-5344 is an official security patch to the infamous Magento shoplift bug. That bug allows bad actors to obtain admin access to vulnerable Magento sites. While the patch was released February 2015 many sites unfortunately did .. --------------------------------------------- https://blog.sucuri.net/2016/02/fake-supee-5344-patch-steals-payment-detail… *** VMware VMSA-2015-0007.3 has been Re-released, (Sat, Feb 13th) *** --------------------------------------------- VMware has re-issue VMSA-2015-0007.3 today after they found an earlier fix for CVE-2016-2342 was incomplete. Affected ESXi versions are: 5.0, 5.1 and 5.5. Advisory can be .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20727 *** Critical Fixes Issued for Windows, Java, Flash *** --------------------------------------------- Microsoft Windows users and those with Adobe Flash Player or Java installed, its time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security updates for its Flash Player software that plugs at least 22 security holes in the widely-used browser plugin. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks. --------------------------------------------- http://krebsonsecurity.com/2016/02/criticial-fixes-issued-for-windows-java-… *** Verschlüsselungs-Trojaner: mp3-Variante von TeslaCrypt *** --------------------------------------------- Leser gaben der Redaktion Hinweise auf verschlüsselte Dateien mit der Endung .mp3. Die scheint eine neue Variante des Verschlüsselungs-Trojaners TeslaCrypt zu erzeugen. --------------------------------------------- http://heise.de/-3101992 *** DSA-3477 iceweasel - security update *** --------------------------------------------- Holger Fuhrmannek discovered that missing input sanitising in theGraphite font rendering engine could result in the execution of arbitrarycode. --------------------------------------------- https://www.debian.org/security/2016/dsa-3477 *** Nigerianischer Astronaut im All verloren: Spam begeistert Netz *** --------------------------------------------- Nutzer können angeblich ein Investment von drei Millionen Dollar verdoppeln --------------------------------------------- http://derstandard.at/2000031110981 *** IT-Sicherheit: Immer mehr komplexe Angriffe auf Firmen *** --------------------------------------------- Neuer Cybersicherheits-Bericht zeigt erhöhte Gefahrenlage im Internet --------------------------------------------- http://derstandard.at/2000031119634 *** Mazar Bot Actively Targeting Android Devices *** --------------------------------------------- Researchers at Heimdal Security report public attacks against Android devices using the Mazar bot, which was advertised months ago in a Russian cybercrime forum. --------------------------------------------- http://threatpost.com/mazar-bot-actively-targeting-android-devices/116240/ *** Update auf Version 1.17: Veracrypt soll jetzt doppelt so schnell sein *** --------------------------------------------- Veracrypt ist einer der beliebtesten Nachfolger des eingestellten Truecrypt - ein Update bringt jetzt neue Funktionen. Ausserdem soll das Laden von Containern deutlich schneller vonstattengehen - bislang einer der grössten Kritikpunkte .. --------------------------------------------- http://www.golem.de/news/update-auf-version-1-17-veracrypt-soll-jetzt-doppe… *** Virus legte Krankenhaus in Deutschland lahm *** --------------------------------------------- "Befunde mussten persönlich, per Telefon oder Fax übermittelt werden" --------------------------------------------- http://derstandard.at/2000031136914 *** [R1] Nessus < 6.5.5 Multiple Vulnerabilities *** --------------------------------------------- http://www.tenable.com/security/tns-2016-02 *** Reflecting on Recent iOS and Android Security Updates *** --------------------------------------------- The last thirty days proven to be yet another exciting time for the mobile security ecosystem. Apple and Google released updates for their respective mobile operating systems that fix several critical issues - including some in the kernel that may be exploited remotely. --------------------------------------------- https://blog.zimperium.com/reflecting-on-recent-ios-and-android-security-up…

1 0

Tageszusammenfassung - Freitag 12-02-2016
by Daily end-of-shift report 12 Feb '16

12 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 11-02-2016 18:00 − Freitag 12-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** SC Congress: "flakey kettles and dolls that swear at you" *** --------------------------------------------- Ken Munro, managing director of Pen Test Partners, showed the SC Congress just how easy it is to crack a whole range of IoT nonsense --------------------------------------------- http://www.scmagazine.com/sc-congress-flakey-kettles-and-dolls-that-swear-a… *** Determining Physical Location on the Internet *** --------------------------------------------- Interesting research: "CPV: Delay-based Location Verification for the Internet": Abstract: The number of location-aware services over the Internet continues growing. Some of these require the clients geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g.,... --------------------------------------------- https://www.schneier.com/blog/archives/2016/02/determining_phy.html *** New Trojan threatens users' bank accounts *** --------------------------------------------- February 12, 2016 Banking Trojans are considered to be one of the most dangerous threats. Not only they have a complex architecture but they are also capable to perform a wide variety of functions. Yet, some attackers do not disdain to contrive rather primitive malicious programs such as, for example, Trojan.Proxy2.102, which was examined by Doctor Web specialists. Trojan.Proxy2.102 steals money from victims' bank accounts using the following method. Once launched, it installs a root... --------------------------------------------- http://news.drweb.com/show/?i=9840&lng=en&c=9 *** Vermehrte Scans und Workarounds zu Ciscos ASA-Lücke *** --------------------------------------------- Die Angreifer sammeln offenbar bereits aktiv Informationen zu möglicherweise verwundbaren Systemen, während die Verteidiger noch mit den Tücken des Updates kämpfen. --------------------------------------------- http://heise.de/-3100443 *** Download.com and Others Bundle Superfish-Style HTTPS Breaking Adware *** --------------------------------------------- It's a scary time to be a Windows user. Lenovo was bundling HTTPS-hijacking Superfish adware, Comodo ships with an even worse security hole called PrivDog, and dozens of other apps like LavaSoft are doing the same. It's really bad, but if you want your encrypted web sessions to be hijacked just head to CNET Downloads or any freeware site, because they are all bundling HTTPS-breaking adware now. --------------------------------------------- http://www.howtogeek.com/210265/download.com-and-others-bundle-superfish-st… *** How to Avoid Potentially Unwanted Programs *** --------------------------------------------- We've come up with a PUPs cheat sheet that businesses can use to train IT staff and users. A little PUPs awareness, if you will. Read on to learn more about how you get PUPs, Categories: Online SecurityTags: avoidpotentially unwanted programsPUP(Read more...) --------------------------------------------- https://blog.malwarebytes.org/online-security/2016/02/how-to-avoid-potentia… *** How to use the traffic light protocol - TLP *** --------------------------------------------- The TLP or Traffic Light Protocol is a set of designations designed to help sharing of sensitive information. It has been widely adopted in the CSIRT and security community. The originator of the information labels the information with one of four colours. These colours indicate what further dissemination, if any, can be undertaken by the recipient. Note that the colours only mark the level of dissemination, not the sensitivity level (although they often align). --------------------------------------------- https://www.vanimpe.eu/2015/08/21/use-traffic-light-protocol-tlp/ *** D-Link DSL-2750B Remote Command Execution *** --------------------------------------------- Topic: D-Link DSL-2750B Remote Command Execution Risk: High Text:After some playing around Ive noticed something interesting during login phase: by sending wrong credentials, user is redirec... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020128 *** Sophos UTM 9 Cross Site Scripting *** --------------------------------------------- Topic: Sophos UTM 9 Cross Site Scripting Risk: Low Text: -- Vendor: -- Sophos (https://www.sophos.com) -- Affected Products/Versions: -- Produc... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020117 *** ASUS Router Administrative Interface Exposure *** --------------------------------------------- Topic: ASUS Router Administrative Interface Exposure Risk: Low Text:Asus wireless routers running ASUSWRT firmware (in other words, anything with an RT- in the model name) have a design flaw in w... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020116 *** ZCM 11.3.x - Fix for CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability - See TID 7017240 *** --------------------------------------------- Abstract: Vulnerability overview: CVE-2015-5970 An XPath injection exists in the ChangePassword RPC method implementation. By combining this with an entity reference to a file on the appliance, an attacker can exfiltrate arbitrary text files from the vulnerable device.This issue has been found and reported by cpnrodzc7 working with HPs Zero Day Initiative (ZDI-CAN-3136). Patch overview: This patch contains the necessary files and installation information to correct the below issue on ZCM 11.3.x --------------------------------------------- https://download.novell.com/Download?buildid=vt0EO0DgaX8~ *** ZCM 11.4.x - Fix for CVE-2015-5970 ZCM ZENworks ChangePassword XPath Injection Information Disclosure Vulnerability - See TID 7017240 *** --------------------------------------------- Abstract: Vulnerability overview: CVE-2015-5970 An XPath injection exists in the ChangePassword RPC method implementation. By combining this with an entity reference to a file on the appliance, an attacker can exfiltrate arbitrary text files from the vulnerable device.This issue has been found and reported by cpnrodzc7 working with HPs Zero Day Initiative (ZDI-CAN-3136). Patch overview: This patch contains the necessary files and installation information to correct the below issue on ZCM 11.4.x --------------------------------------------- https://download.novell.com/Download?buildid=SOM6P0NdZ5U~ *** PostgreSQL Bugs Let Remote Users Deny Service and Let Remote Authenticated Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1035005 *** DFN-CERT-2016-0260: Mozilla Firefox, Firefox ESR: Zwei Schwachstellen ermöglichen u.a. das Umgehen von Sicherheitsvorkehrungen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0260/ *** DFN-CERT-2016-0263: Cacti: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0263/

1 0

Tageszusammenfassung - Donnerstag 11-02-2016
by Daily end-of-shift report 11 Feb '16

11 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 10-02-2016 18:00 − Donnerstag 11-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Critical bug found in Cisco ASA products, attackers are scanning for affected devices *** --------------------------------------------- Several Cisco Adaptive Security Appliance (ASA) products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code exec... --------------------------------------------- http://www.net-security.org/secworld.php?id=19427 *** Some notes on VirusTotal. *** --------------------------------------------- Many of you are probably familiar with VirusTotal, a service that allows you to scan a file or URL using multiple antivirus and URL scanners. VirusTotal results are often used in write-ups about...read moreThe post Some notes on VirusTotal. appeared first on Webroot Threat Blog. --------------------------------------------- http://www.webroot.com/blog/2016/02/09/some-notes-on-virustotal/ *** Seo-moz.com SEO Spam Campaign *** --------------------------------------------- Here at Sucuri we handle countless cases of SEO spam. This malware involves a website being compromised in order to spread (mostly pharmaceutical) advertisements by linking visitors to unwanted websites and stuffing spam keywords into the site. These links and keywords help the spam websites to rank higher in search engines like Google, sending evenRead More The post Seo-moz.com SEO Spam Campaign appeared first on Sucuri Blog. --------------------------------------------- https://blog.sucuri.net/2016/02/seo-moz-com-seo-spam-campaign.html *** Malvertising Via Skype Delivers Angler *** --------------------------------------------- A recent malvertising campaign shows that platforms that display ads, even when they are not necessarily the browser, are not immune to the attack. An example of a popular non-browser application that shows ads is Skype. These images would be familiar to avid Skype users. This did not really bother us much until last night, when we... --------------------------------------------- https://labsblog.f-secure.com/2016/02/10/malvertising-via-skype-delivers-an… *** Tomcat IR with XOR.DDoS, (Thu, Feb 11th) *** --------------------------------------------- Apache Tomcat is a java based web service that is used for different applications. While you may have it running in your environment, you may not be familiar with its workings to provide adequate incident response "> "> ">0 S root 31847 1 0 80 0 - 1124641 futex_ 2015 ? 02:36:33 /usr/bin/java -classpath /usr/share/apache-tomcat-7.0.65/bin/bootstrap.jar ">Here you can see that it is running from /usr/share/apache-tomcat-7.0.65. ">The Tomcat configurations --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20721&rss *** Building automation systems are so bad IBM hacked one for free *** --------------------------------------------- Remote sites owned as router, controller and server all fall to pen-test team An IBM-led penetration testing team has thoroughly owned an enterprise building management network in a free assessment designed to publicise the horrid state of embedded device security. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/11/building_au… *** How Malware Detects Virtualized Environment, and its Countermeasures - An Overview *** --------------------------------------------- Virtual Machines are usually considered a good way to analyze malware as they can provide an isolated environment for the malware to trigger but their actions can be controlled and intercepted. However, modern age malware detects their environment in which they are running, and if they detect they are running in VM, they sustain their... --------------------------------------------- http://resources.infosecinstitute.com/how-malware-detects-virtualized-envir… *** DFN-CERT-2016-0252: Cisco Adaptive Security Appliance Software: Eine Schwachstelle ermöglicht die Übernahme der Systemkontrolle *** --------------------------------------------- Eine Schwachstelle in der Cisco Adaptive Security Appliances Software ermöglicht einem entfernten, nicht authentifizierten Angreifer beliebigen Programmcode auszuführen und so die Kontrolle über ein betroffenes System zu übernehmen, auch ist die Durchführung eines Denial-of-Service-Angriffs möglich. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0252/ *** ZDI-16-163: Dell SonicWALL GMS Virtual Appliance Deserialization of Untrusted Data Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-163/ *** ZDI-16-164: Dell SonicWALL GMS Virtual Appliance Multiple Remote Code Execution Vulnerabilities *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL GMS Virtual Appliance. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-164/ *** Cisco Spark Representational State Transfer Interface Information Disclosure Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Spark Representational State Transfer Interface Unauthorized Access Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Spark Representational State Transfer Interface Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Advanced Malware Protection and Email Security Appliance Proxy Engine Security Bypass Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates *** --------------------------------------------- A number of vulnerabilities have been identified in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that could allow a malicious, unprivileged user to perform privileged operations or execute commands. --------------------------------------------- https://support.citrix.com/article/CTX206001 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libssh2 affects PowerKVM (CVE-2015-1782) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023318 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in curl affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1023307 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects Tivoli Storage Manager Operations Center and Tivoli Storage Manager Client Management Service (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976362 --------------------------------------------- *** IBM Security Bulletin:Security Bulletin: Vulnerability in IBM Java Runtime affect AppScan Source (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976569 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in cpio affects PowerKVM (CVE-2014-9112) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023298 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Linux Kernel affects PowerKVM (CVE-2016-0728) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023279 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Netezza Platform Software clients (CVE-2015-3194) *** http://www.ibm.com/support/docview.wss?uid=swg21976419 --------------------------------------------- *** IBM Security Bulletin: IBM Sterling Order Management is affected by Apache Commons Collections security vulnerabilities (CVE-2015-7450) *** http://www.ibm.com/support/docview.wss?uid=swg21975793 --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerability in Liberty for Java for IBM Bluemix (CVE-2015-7417) *** http://www.ibm.com/support/docview.wss?uid=swg21976218 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM JAVA Runtime affect AppScan Source (CVE-2015-4872) *** http://www.ibm.com/support/docview.wss?uid=swg21976159 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 10-02-2016
by Daily end-of-shift report 10 Feb '16

10 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 09-02-2016 18:00 − Mittwoch 10-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Fast Flux Bot Nets and Fluxer - Part 1 *** --------------------------------------------- This time well start a two-parter on fast flux bot nets including the concept of domain generation algorithms. --------------------------------------------- http://www.scmagazine.com/fast-flux-bot-nets-and-fluxer--part-1/article/473… *** DMA Locker Strikes Back *** --------------------------------------------- A few days ago we published a post about a new ransomware - DMA Locker (read more here). At that time, it was using a pretty simple way of storing keys. Having the original sample was enough to recover files. Unfortunately, the latest version (discovered February 8th) comes with several improvements and RSA key. Let's... --------------------------------------------- https://blog.malwarebytes.org/news/2016/02/dma-locker-strikes-back/ *** Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months *** --------------------------------------------- Regen your keys ASAP Web hosting biz Linode broke the security in its customers virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/linode_ssh_… *** Skimmers Hijack ATM Network Cables *** --------------------------------------------- If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data. --------------------------------------------- http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/ *** Patchday: Microsoft stopft 6 kritische Lücken, lässt alte Internet-Explorer-Versionen im Regen stehen *** --------------------------------------------- Es ist wieder einmal Zeit zum Updaten für Microsoft-Anwender. Wer noch ältere Versionen des Internet Explorer im Einsatz hat, muss jetzt schleunigst handeln. --------------------------------------------- http://heise.de/-3098499 *** The history of Cryptowall: a large scale cryptographic ransomware threat *** --------------------------------------------- This tracker focusses on tracking the development changes in the CryptoWall ransomware, it does not attempt to track every single CryptoWall sample that exists. It simply exists to track the family in a more higher level fashion, a few samples will be listed next to specific versions just for reference rather than bulk collection. The timeline below shows the development track of CryptoWall when new versions were first seen. Below the timeline you will find an overview. --------------------------------------------- https://www.cryptowalltracker.org/ *** Sparkle-Installer: Gatekeeper-Sicherung für Macs lässt sich umgehen *** --------------------------------------------- Viele App-Entwickler für Mac nutzen das Sparkle-Framwork für praktische Auto-Updates - und machen damit zahlreiche Mac-Programme angreifbar. Betroffen sind nicht nur VLC und uTorrent. --------------------------------------------- http://www.golem.de/news/man-in-the-middle-angriff-sparkle-installer-macht-… *** Cracking Damn Insecure and Vulnerable App (DIVA) - part 5: *** --------------------------------------------- In the first four articles, we have discussed solutions for the first eleven challenges in DIVA. In this last article of this series, we will discuss the remaining two challenges that are related to native code. In case if you missed the previous articles in this series, here are the links. http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… --------------------------------------------- http://resources.infosecinstitute.com/cracking-damn-insecure-and-vulnerable… *** Hijacking forgotten & misconfigured subdomains *** --------------------------------------------- Its been a while since my last blog post, so I decided to release a new tool. I think that we need more articles about "DNS hacking", I hope that you will learn something new here. --------------------------------------------- http://www.xexexe.cz/2016/02/hijacking-forgotten-misconfigured.html *** Network forensic analysis tool NetworkMiner 2.0 released *** --------------------------------------------- NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. ... --------------------------------------------- http://www.net-security.org/secworld.php?id=19421 *** MSRT February 2016 *** --------------------------------------------- The February release of the Microsoft Malicious Software Removal Tool (MSRT) includes updated detections for the following malware families: Bladabindi Gamarue Sality Kelihos Diplugem The updates include detections for the latest variants from these malware families. There were no new malware families added to the MSRT this month. The MSRT works in tandem with real-time... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/02/09/msrt-february-2016/ *** MS16-FEB - Microsoft Security Bulletin Summary for February 2016 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-FEB *** Deception: Shine Bright Like a Diamond *** --------------------------------------------- ***German Summary: Projektpläne, Designs, Kundendaten: Die Kronjuwelen eines jeden Unternehmens gehören vor Cyberkriminellen unter allen Umständen versteckt - oder? Werfen Sie den Ködern aus, denn jetzt täuschen die Guten! Deception ("Täuschung") lautet der neue Cyber-Security-Ansatz, der nach Schätzungen des renommierten Marktforschungsunternehmens Gartner bereits 2018 in rund 10 % aller Unternehmen zum Einsatz kommen wird. Virtuelle Fallen... --------------------------------------------- http://blog.sec-consult.com/2016/02/deception-shine-bright-like-diamond.html *** Tollgrade SmartGrid Sensor Management System Software Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in Tollgrade Communications, Inc.'s SmartGrid LightHouse Sensor Management System (SMS) Software EMS. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-040-01 *** Bugtraq: Safebreach adsivory: Node.js HTTP Response Splitting (CVE-2016-2216) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537490 *** Bugtraq: ESA-2016-010 EMC Documentum xCP Security Update for Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537489 *** Bugtraq: dotDefender Firewall CSRF *** --------------------------------------------- http://www.securityfocus.com/archive/1/537491 *** [2016-02-10] Yeager CMS multiple vulnerabilities *** --------------------------------------------- Yeager CMS suffers from multiple critical security issues including multiple SQL injections, arbitrary file upload, server-side request forgery and non-permanent cross-site scripting vulnerabilities. Unauthenticated attackers are able to compromise Yeager CMS in both application and database levels. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** DFN-CERT-2016-0237: Horde Application Framework: Zwei Schwachstellen ermöglichen einen Cross-Site-Scripting-Angriff *** --------------------------------------------- 09.02.2016 --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-0237/ *** Cisco Security Advisories *** --------------------------------------------- *** Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Collaboration Provisioning Local Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Application Policy Infrastructure Controller Enterprise Module Web Framework Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Video Communications Server Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Products Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Communications Manager Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect Liberty for Java for IBM Bluemix January 2016 CPU (CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448) *** http://www.ibm.com/support/docview.wss?uid=swg21976217 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Security SiteProtector System (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976042 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Manager (FSM) (CVE-2016-0777, CVE-2016-0778) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023319 --------------------------------------------- *** IBM Security Bulletin: IBM Pure Power Integrated Manager (PPIM) is affected by vulnerabilities in ntp (CVE-2014-9750, CVE-2014-9751) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023291 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM Pure Power Integrated Manager (PPIM) (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=isg3T1023292 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects Watson Explorer (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974808 --------------------------------------------- *** IBM Security Bulletin: IBM Netezza SQL Extensions is vulnerable to an OpenSource PCRE Vulnerability (CVE-2015-8380, CVE-2015-8382, CVE-2015-8391) *** http://www.ibm.com/support/docview.wss?uid=swg21976124 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities identified in IBM Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2015-4872, CVE-2015-4911, CVE-2015-4893, CVE-2015-4803) *** http://www.ibm.com/support/docview.wss?uid=swg21971058 --------------------------------------------- *** IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21976393 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Mobile (CVE-2014-8121) *** http://www.ibm.com/support/docview.wss?uid=swg21976290 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Mobile (CVE-2015-2730) *** http://www.ibm.com/support/docview.wss?uid=swg21976295 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by an OpenSSH vulnerability (CVE-2008-5161) *** http://www.ibm.com/support/docview.wss?uid=swg21976082 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by multiple NTP vulnerabilities *** http://www.ibm.com/support/docview.wss?uid=swg21975967 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM MQ Light (CVE-2015-3197) *** http://www.ibm.com/support/docview.wss?uid=swg21976345 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVS-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21975832 --------------------------------------------- *** IBM Security Bulletin: A Security Vulnerability has been identified in Apache Solr shipped with IBM Operations Analytics - Log Analysis *** http://www.ibm.com/support/docview.wss?uid=swg21975544 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL and libcURL affect IBM Security Access Manager (CVE-2014-3613, CVE-2014-8150) *** http://www.ibm.com/support/docview.wss?uid=swg21974736 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM MQ Light (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976341 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 9-02-2016
by Daily end-of-shift report 09 Feb '16

09 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 08-02-2016 18:00 − Dienstag 09-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Gate To Nuclear EK Uses Fake CloudFlare DDoS Check *** --------------------------------------------- This rogue CloudFlare page hides a malicious payload. Categories: ExploitKits Tags: cloudflareEKNuclear(Read more...) --------------------------------------------- https://blog.malwarebytes.org/exploitkits/2016/02/gate-to-nuclear-ek-uses-f… *** Patching Complex Web Vulnerabilities Using ModSecurity WAF *** --------------------------------------------- In this blog post we will demonstrate complicated examples of common web application vulnerabilities, and see how they can be mitigated with ModSecurity WAF. --------------------------------------------- https://www.htbridge.com/blog/patching-complex-web-vulnerabilities-using-mo… *** Its 2016 and a font file can own your computer *** --------------------------------------------- Libgraphite font library buggy and vulnerable in Firefox, Thunderbird, WordPad and more says Talos Cisco-owned Talos has announced a bunch of font library bugs present in apps running on Windows and Linux, affecting client and-server-side machines. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/02/09/libgraphite… *** Power Grid Honeypot Puts Face on Attacks *** --------------------------------------------- Researchers from MalCrawler built a honeypot mimicking an electronic management system at the heart of a power grid, exposing attackers' behavior once they have access to critical infrastructure systems. --------------------------------------------- http://threatpost.com/power-grid-honeypot-puts-face-on-attacks/116217/ *** Russian hackers used malware to manipulate the Dollar/Ruble exchange rate *** --------------------------------------------- Russian-language hackers have managed to break into Russian regional bank Energobank, infect its systems, and gain unsanctioned access to its trading system terminals, which allowed them to manipulat... --------------------------------------------- http://www.net-security.org/malware_news.php?id=3201 *** How to Hack the Power Grid Through Home Air Conditioners *** --------------------------------------------- Researchers show how hackers can manipulate the remote on-off device installed on some air conditioners to cause a blackout. --------------------------------------------- http://www.wired.com/2016/02/how-to-hack-the-power-grid-through-home-air-co… *** (Not only) Oracle Java Windows installer vulnerable *** --------------------------------------------- Oracle hat einen Out-of-Band Patch für Java 6, 7 und 8 für Windows veröffentlicht, mit dem eine Sicherheitslücke im Installationsprozess geschlossen wird. Es sind dazu bereits zahlreiche Medienberichte erschienen, in denen allerdings häufig die Tatsache ausser acht gelassen wird, dass es sich hier nicht um eine Java-spezifische Schwachstelle handelt. Das Problem - Stichwort "Binary Planting" -... --------------------------------------------- http://www.cert.at/services/blog/20160209102305-1678.html *** Security Bulletins Posted *** --------------------------------------------- Security Bulletins for Adobe Photoshop and Bridge (APSB16-03), Flash Player (APSB16-04), Adobe Experience Manager (APSB16-05) and Adobe Connect (APSB16-07) have been published. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant security bulletin. This... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1315 *** DSA-3472 wordpress - security update *** --------------------------------------------- Two vulnerabilities were discovered in wordpress, a web blogging tool.The Common Vulnerabilities and Exposures project identifies thefollowing problems: --------------------------------------------- https://www.debian.org/security/2016/dsa-3472 *** DSA-3471 qemu - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu, a full virtualizationsolution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3471 *** DSA-3470 qemu-kvm - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu-kvm, a fullvirtualization solution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3470 *** DSA-3469 qemu - security update *** --------------------------------------------- Several vulnerabilities were discovered in qemu, a full virtualizationsolution on x86 hardware. --------------------------------------------- https://www.debian.org/security/2016/dsa-3469 *** USN-2880-2: Firefox regression *** --------------------------------------------- Ubuntu Security Notice USN-2880-28th February, 2016firefox regressionA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryUSN-2880-1 introduced a regression in Firefox.Software description firefox - Mozilla Open Source web browser DetailsUSN-2880-1 fixed vulnerabilities in Firefox. This update introduced aregression which caused Firefox to crash on startup with some configurations.This update fixes the problem.We apologize --------------------------------------------- http://www.ubuntu.com/usn/usn-2880-2/

1 0

Tageszusammenfassung - Montag 8-02-2016
by Daily end-of-shift report 08 Feb '16

08 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 05-02-2016 18:00 − Montag 08-02-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Magento PCI Compliance Issues and Theft Over TLS *** --------------------------------------------- With about 30% of the market share, Magento is gradually becoming a "WordPress" of the ecommerce world. Like WordPress, it becomes a major target for hackers due to its popularity. However, in the case of Magento, the main goal that hackers pursue is to steal money, either from shop customers or the shop owners. During... --------------------------------------------- https://blog.sucuri.net/2016/02/theft-over-tls-or-illusion-of-pci-complianc… *** Extracting and distributing information on incidents, or what is PROKI *** --------------------------------------------- In the last blogpost, I promised to write something about our new project PROKI. PROKI is the abbreviation of the Czech phrase for "prediction and protection against cyber incidents" and in this project, our team set two goals for itself. --------------------------------------------- http://en.blog.nic.cz/2016/02/05/extracting-and-distributing-information-on… *** GitHub bug bounty hunting *** --------------------------------------------- Last month, I went hunting for security bugs in GitHub, a popular platform for sharing and collaborating on code. After spending many hours mapping out GitHub's infrastructure, and testing for weaknesses without any significant results or leads, I shifted my focus to the service providers. This is a write-up about two of the issues I found, which both have since been addressed. --------------------------------------------- https://medium.com/@ircbot/github-bug-bounty-hunting-741de324be1c *** Netgear-Router-Software: Schwachstelle ermöglicht Dateiupload und Download *** --------------------------------------------- Die Router-Verwaltungssoftware Netgear Management System hat ein Sicherheitsproblem. Angreifer können zwischen einer Remote-Code-Execution und einer Directory-Traversal-Schwachstelle wählen. Einen Patch gibt es bislang nicht. --------------------------------------------- http://www.golem.de/news/netgear-router-software-schwachstelle-ermoeglicht-… *** Bankomat-Trick: Geld abheben, Kontostand bleibt gleich *** --------------------------------------------- Die Angriffe auf Finanzinstitute werden immer erfinderischer. Eine neue Schadsoftware bucht Finanzbeträge aufs Konto zurück, nachdem diese bei Bankomaten abgehoben wurden. --------------------------------------------- http://futurezone.at/digital-life/bankomat-trick-geld-abheben-kontostand-bl… *** T9000 backdoor steals documents, records Skype conversations, victims actions *** --------------------------------------------- A new backdoor Trojan with spyware capabilities is being used in targeted attacks against organizations based in the United States. It has been dubbed T9000, since its a newer, improved version of th... --------------------------------------------- http://www.net-security.org/malware_news.php?id=3199 *** Avast SafeZone Browser Lets Attackers Access Your Filesystem *** --------------------------------------------- Just two days after Comodos Chromodo browser was publicly shamed by Google Project Zero security researcher Tavis Ormandy, its now Avasts turn to be scorned for failing to provide a "secure" browser for its users. --------------------------------------------- http://news.softpedia.com/news/avast-safezone-browser-lets-attackers-access… *** Adwind: FAQ *** --------------------------------------------- Adwind - a cross-platform RAT, multifunctional malware program which is distributed through a single malware-as-a-service platform. Different versions of the Adwind malware have been used in attacks against at least 443,000 private users, commercial and non-commercial organizations around the world. --------------------------------------------- http://securelist.com/blog/research/73660/adwind-faq/ *** Java installer flaw shows why you should clear your Downloads folder *** --------------------------------------------- On most computers, the default download folder quickly becomes a repository of old and unorganized files that were opened once and then forgotten about. A recently fixed flaw in the Java installer highlights why keeping this folder clean is important.On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have laying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason is that older Java... --------------------------------------------- http://www.cio.com/article/3030707/security/java-installer-flaw-shows-why-y… *** Netgear Pro NMS 300 Code Execution / File Download *** --------------------------------------------- Topic: Netgear Pro NMS 300 Code Execution / File Download Risk: High Text:>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300 >> Discovered by Pedro ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016020070 *** Oracle Security Alert for CVE-2016-0603 - 5 February 2016 *** --------------------------------------------- To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious web site and download files into the user's system before installing Java SE 6, 7 or 8. Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system. --------------------------------------------- http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-28743… *** Bugtraq: [security bulletin] HPSBGN03434 rev.1 - HP Continuous Delivery Automation using Java Deserialization, Remote Arbitrary Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/537461 *** Bugtraq: [security bulletin] HPSBHF03431 rev.2 - HPE Network Switches, local Bypass of Security Restrictions, Indirect Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/537460 *** 0Day Vulnerabilities in Advantech WebAccess *** --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-146/ http://www.zerodayinitiative.com/advisories/ZDI-16-147/ http://www.zerodayinitiative.com/advisories/ZDI-16-148/ http://www.zerodayinitiative.com/advisories/ZDI-16-149/ http://www.zerodayinitiative.com/advisories/ZDI-16-150/ http://www.zerodayinitiative.com/advisories/ZDI-16-151/ http://www.zerodayinitiative.com/advisories/ZDI-16-152/ http://www.zerodayinitiative.com/advisories/ZDI-16-153/ http://www.zerodayinitiative.com/advisories/ZDI-16-154/ http://www.zerodayinitiative.com/advisories/ZDI-16-155/ --------------------------------------------- *** SSA-253230 (Last Update 2016-02-08): Vulnerabilities in SIMATIC S7-1500 CPU *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-253230… *** Bugtraq: Local Microsoft Windows 7 / 8 / 10 Buffer Overflow via Third-Party USB-Driver (ser2co64.sys) *** --------------------------------------------- http://www.securityfocus.com/archive/1/537471 *** WooCommerce - Store Toolkit Plugin Privilege Escalation <= 1.5.6 *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8385 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability in net-snmp affects IBM DataPower Gateways (CVE-2015-5621) *** http://www.ibm.com/support/docview.wss?uid=swg21975340 --------------------------------------------- *** IBM Security Bulletin: A cross-site scripting vulnerability has been identified in IBM Security Access Manager for Web (CVE-2015-8531) *** http://www.ibm.com/support/docview.wss?uid=swg21974651 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Web is affected by multiple NTP vulnerabilities *** http://www.ibm.com/support/docview.wss?uid=swg21974652 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Net-SNMP affect IBM Security Access Manager for Web (CVE-2014-3565, CVE-2015-5621) *** http://www.ibm.com/support/docview.wss?uid=swg21974644 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM QRadar SIEM, and QRadar Incident Forensics (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21976113 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM DataPower Gateways (CVE-2015-7575) *** http://www.ibm.com/support/docview.wss?uid=swg21974965 --------------------------------------------- *** IBM Security Bulletin: Information disclosure vulnerability found in IBM WebSphere Commerce (CVE-2015-7444) *** http://www.ibm.com/support/docview.wss?uid=swg21974307 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Web is affected by Network Security Services (NSS) vulnerabilities (CVE-2015-7181, CVE-2015-7182, CVE-2015-7183) *** http://www.ibm.com/support/docview.wss?uid=swg21974648 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by Network Security Services (NSS) vulnerabilities (CVE-2015-7181, CVE-2015-7182, CVE-2015-7183) *** http://www.ibm.com/support/docview.wss?uid=swg21974650 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access Manager for Web (CVE-2015-7421, CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21974750 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GSKit affect IBM Security Access Manager for Mobile (CVE-2015-7421, CVE-2015-7420) *** http://www.ibm.com/support/docview.wss?uid=swg21974747 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Access Manager for Mobile *** http://www.ibm.com/support/docview.wss?uid=swg21973139 --------------------------------------------- *** IBM Security Bulletin: A libxml vulnerability affects IBM Security Access Manager for Web (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21974737 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in XML processing affects IBM DataPower Gateways (CVE-2015-1819) *** http://www.ibm.com/support/docview.wss?uid=swg21975341 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Storage Manager ASNODENAME Vulnerability (CVE-2015-7408) *** http://www.ibm.com/support/docview.wss?uid=swg21975957 --------------------------------------------- *** IBM Security Bulletin: A Linux-PAM vulnerability affects IBM Security Access Manager for Web (CVE-2015-3238) *** http://www.ibm.com/support/docview.wss?uid=swg21974738 --------------------------------------------- *** IBM Security Bulletin: A Linux-PAM vulnerability affects IBM Security Access Manager for Mobile (CVE-2015-3238) *** http://www.ibm.com/support/docview.wss?uid=swg21975882 --------------------------------------------- *** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2014-8121) *** http://www.ibm.com/support/docview.wss?uid=swg21974653 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in nss-softokn affects IBM Security Access Manager for Web (CVE-2015-2730) *** http://www.ibm.com/support/docview.wss?uid=swg21974657 --------------------------------------------- *** IBM Security Bulletin: OpenSSL as used in IBM QRadar SIEM is vulnerable to a Denial of Service attack, and Sensitive Information Exposure. (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196) *** http://www.ibm.com/support/docview.wss?uid=swg21976148 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 5-02-2016
by Daily end-of-shift report 05 Feb '16

05 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 04-02-2016 18:00 − Freitag 05-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** WP-Invoice <= 4.1.0 - Multiple Vulnerabilities *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8378 *** User Meta Manager <= 3.4.6 - Authenticated Blind SQL Injection *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8380 *** User Meta Manager <= 3.4.6 - Privilege Escalation *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8379 *** Racing MIDI messages in Chrome *** --------------------------------------------- This is a guest blog post by Oliver Chang from the Chrome Security team.This post is about an exceptionally bad use after free bug in Chrome's browser process that affected Linux, Chrome OS and OS X. What makes this bug interesting is the fact that it could be directly triggered from the web without .. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/02/racing-midi-messages-in-chrom… *** DSA-3466 krb5 - security update *** --------------------------------------------- Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3466 *** Neutrino Exploit Kit Not Responding - Bug or Feature? *** --------------------------------------------- A couple of weeks ago we were looking at some exploit kits in one of our lab environments and noticed a decline in the number of Neutrino instances were seeing. This sent us on yet another journey to investigate Neutrino .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Neutrino-Exploit-Kit-Not-Res… *** Chrome picks up bonus security features on Windows 10 *** --------------------------------------------- The Windows 10 November update (version 1511, build 10586) included a handful of new security features to provide protection against some security issues that have kept on popping up in Windows for a number of years. Google yesterday added source .. --------------------------------------------- http://arstechnica.com/information-technology/2016/02/chrome-picks-up-bonus… *** A trip through the spam filters: more malspam with zip attachments containing .js files *** --------------------------------------------- I was discussing malicious spam (malspam) with a fellow security professional earlier this week. He was examining malspam with zip attachments containing .js files. This is something Ive covered previously in ISC .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20697 *** Verschlüsselungs-Trojaner TeslaCrypt 2 geknackt; Kriminelle rüsten nach *** --------------------------------------------- Opfer des berüchtigten Verschlüsselungs-Trojaners TeslaCrypt können aufatmen: Das kostenlose Tool TeslaDecoder kann zumindest die Dateien der Version 2 entschlüsseln. Doch die Betrüger schlafen nicht: Aktuell kursiert schon Version 3. --------------------------------------------- http://heise.de/-3092667 *** Eset NOD32 Antivirus 9 gefährdet https-Verschlüsselung *** --------------------------------------------- Eset NOD32 Antivirus 9 installiert einen SSL-Filter, der sich in die Verschlüsselung einklinkt. Wie heise Security entdeckte, akzeptiert er dabei unter Umständen gefälschte Zertifikate; ein Update des Herstellers beseitigt den Fehler. --------------------------------------------- http://heise.de/-3095024 *** Dridex: Botnet verteilt Virenscanner *** --------------------------------------------- Gelingt es Cyberkriminellen, ihre Malware auf fremden Rechnern einzuschleusen, nutzen sie dies mitunter aus, um sie zum Teil eines Botnets zu machen. Über ihre Server steuern sie die kompromittierten Computer und nutzen ihre .. --------------------------------------------- http://derstandard.at/2000030450321 *** The Malware Museum @ Internet Archive *** --------------------------------------------- Here's what submitting a virus sample looked like back in the days of 5" floppy disks. And now you can see classic viruses in action at The Malware Museum. Do you feel like emulating old malware inside a MS-DOS Virtual Machine inside .. --------------------------------------------- https://labsblog.f-secure.com/2016/02/05/the-malware-museum-internet-archiv… *** Positive Research Center *** --------------------------------------------- In December 2015, I found a critical vulnerability in one of PayPal business websites (manager.paypal.com). It allowed me to execute arbitrary shell commands on PayPal web servers via unsafe Java object deserialization and to access production databases. I immediately reported this bug to PayPal security team, and it was fixed promptly. --------------------------------------------- http://blog.ptsecurity.com/2016/02/paypal-remote-code-execution.html

1 0

Tageszusammenfassung - Donnerstag 4-02-2016
by Daily end-of-shift report 04 Feb '16

04 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 03-02-2016 18:00 − Donnerstag 04-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Weiterhin etliche IP-Kameras von Aldi unzureichend geschützt *** --------------------------------------------- Nach wie vor ist mindestens eine dreistellige Zahl der bei Aldi verkauften Maginon-Kameras ohne Passwort über das Internet steuerbar. Unterdessen hat sich herausgestellt, dass der Hersteller bereits im Juni 2015 informiert wurde. --------------------------------------------- http://heise.de/-3092642 *** Cisco Unified Communications Manager SQL Injection Vulnerability *** --------------------------------------------- A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** CERT: Poor password policy leaves OpenELEC operating system vulnerable to hackers *** --------------------------------------------- The CERT Division at Carnegie Mellon University yesterday issued an alert detailing a password vulnerability in the Open Embedded Linux Entertainment Center operating system. --------------------------------------------- http://www.scmagazine.com/cert-poor-password-policy-leaves-openelec-operati… *** Macro Redux: the Premium Package *** --------------------------------------------- Earlier this week we came across an interesting spam email. It was targeted at one of our customers in the retail industry. It contained a Microsoft Word document (MD5 = b74604d0081e68e91d64b361601d79c4) with a rather small macro in it. All that macro did was save a copy of the document as RTF, open it and then .. --------------------------------------------- http://labs.bromium.com/2016/02/03/macro-redux-the-premium-package/ *** Cisco Jabber Guest Server HTTP Web-Based Management Interface Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the HTTP web-based management interface of the Cisco Jabber Guest application could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Fake Adobe Flash Update OS X Malware *** --------------------------------------------- Yesterday, while investigating some Facebook click-bait, I came across a fake Flash update that is targeting OS X users. Fake flash updates have been very common to infect OS X. They do not rely on a vulnerability in the operating system. Instead, the user is asked to willingly install them, by making .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20693 *** No More Deceptive Download Buttons *** --------------------------------------------- In November, we announced that Safe Browsing would protect you from social engineering attacks - deceptive tactics that try to trick you into doing something dangerous, like installing unwanted software or revealing your personal information (for example, passwords, phone numbers, or credit cards). You may .. --------------------------------------------- https://googleonlinesecurity.blogspot.co.uk/2016/02/no-more-deceptive-downl… *** l+f: Web-Dienst prüft Präsenz sicherheitsrelevanter HTTP-Header *** --------------------------------------------- Mit securityheaders.io kann man herausfinden, welche Schutzfunktionen ein Server über die HTTP-Header scharf schaltet. --------------------------------------------- http://heise.de/-3095001

1 0

Tageszusammenfassung - Mittwoch 3-02-2016
by Daily end-of-shift report 03 Feb '16

03 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 02-02-2016 18:00 − Mittwoch 03-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** WordPress 4.4.2 Security and Maintenance Release *** --------------------------------------------- https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance… *** Cisco WebEx Meetings Server Multiple Cross-Site Scripting Vulnerabilities *** --------------------------------------------- A vulnerability in the web framework code of Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Sauter moduWeb Vision Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for three vulnerabilities in Sauter's moduWeb Vision application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01 *** GE SNMP/Web Interface Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for two vulnerabilities in the GE SNMP/Web Interface adapter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-033-02 *** DMA Locker: New Ransomware, But No Reason To Panic *** --------------------------------------------- A new piece of ransomware which looks a little clumsy. --------------------------------------------- https://blog.malwarebytes.org/news/2016/02/draft-dma-locker-a-new-ransomwar… *** Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available *** --------------------------------------------- The Enhanced Mitigation Experience Toolkit (EMET) benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives. It does this by anticipating, diverting, .. --------------------------------------------- http://blogs.technet.com/b/srd/archive/2016/02/02/enhanced-mitigation-exper… *** DSA-3465 openjdk-6 - security update *** --------------------------------------------- Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, information disclosure, denial of service and insecure cryptography. --------------------------------------------- https://www.debian.org/security/2016/dsa-3465 *** Bypassing Bitrix WAF via tiny regexp error *** --------------------------------------------- Bitrix24 is one of the first and most secure cross-platform corporate software with integrated WAF and RASP. Lets see how we can bypass them. --------------------------------------------- https://www.htbridge.com/blog/bypassing-bitrix-web-application-firewall-via… *** Smartphone-Security: Root-Backdoor macht Mediatek-Smartphones angreifbar *** --------------------------------------------- Eine Debug-Funktion für Vergleichstests im chinesischen Markt führt dazu, dass zahlreiche Smartphones mit Mediatek-Chipsatz verwundbar sind. Angreifer können eine lokale Root-Shell aktivieren. Auch Geräte auf dem deutschen Markt könnten betroffen sein. --------------------------------------------- http://www.golem.de/news/smartphone-security-root-backdoor-macht-mediatek-s… *** l+f: Neuland, USA *** --------------------------------------------- Das Milliardenprojekt F-35 verzögert sich um mindestens ein Jahr, weil Techniker aus Sicherheitsgründen nicht auf eine Datenbank zugreifen können. --------------------------------------------- http://heise.de/-3092005 *** MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock part 2) *** --------------------------------------------- In September 2014 during the shellshock exploitation was in the rush I analyzed a case (MMD-0027-2014) of an ELF dropped payload via shellshock attack, with the details can be read in-->[here] Today I found an interesting ELF x32 sample that was reported several hours back, the infection vector is also ShellShock, the .. --------------------------------------------- http://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.ht… *** Comodo: "Sicherer" Browser mit groben Sicherheitsdefiziten *** --------------------------------------------- Google warnt vor der Verwendung - Hebelt Same Origin Policy des Browsers --------------------------------------------- http://derstandard.at/2000030313692 *** Thunderstrike 2: Sicherheitsforscher arbeiten inzwischen für Apple *** --------------------------------------------- Der Mac-Hersteller hat eine Sicherheitsfirma übernommen, die an der Entwicklung von "Thunderstrike 2" beteiligt war. Die Forscher zeigten Schwachstellen, die das Einschleusen eines Schädlings auf Firmware-Ebene ermöglichen – nicht nur auf Macs. --------------------------------------------- http://heise.de/-3092644 *** Phishing-Angriff: Nutzer sollen Amazon-Zertifikat installieren *** --------------------------------------------- Phishing-Angriffe gehören zu den nervigen Alltäglichkeiten von Internetnutzern. Eine spezielle Masche versucht jetzt, Android-Nutzer zur Installation eines angeblichen Sicherheitszertifikates zu bewegen. Komisch, dass das Zertifikat die Endung .apk aufweist. --------------------------------------------- http://www.golem.de/news/phishing-angriff-nutzer-sollen-amazon-zertifikat-i… *** Cisco Nexus 9000 Series ACI Mode Switch ICMP Record Route Vulnerability *** --------------------------------------------- A vulnerability in the ICMP implementation in the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch could allow an unauthenticated, remote attacker to cause the switch to reload, resulting in a denial of service (DoS) condition. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Application Policy Infrastructure Controller Access Control Vulnerability *** --------------------------------------------- A vulnerability in the role-based access control (RBAC) of the Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated remote user to make configuration changes outside of their configured access privileges. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco ASA-CX and Cisco Prime Security Manager Privilege Escalation Vulnerability *** --------------------------------------------- A vulnerability in the role-based access control of Cisco ASA-CX and Cisco Prime Security Manager (PRSM) could allow an authenticated, remote attacker to change the password of any user on the system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Bypass Windows AppLocker *** --------------------------------------------- AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running. --------------------------------------------- http://en.wooyun.io/2016/01/28/Bypass-Windows-AppLocker.html

1 0

Tageszusammenfassung - Dienstag 2-02-2016
by Daily end-of-shift report 02 Feb '16

02 Feb '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 01-02-2016 18:00 − Dienstag 02-02-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Cyberangriff auf A1 verursacht Ausfall des mobilen Netzes *** --------------------------------------------- Attacken seit Samstag - Zeitpunkt der Fehlerbehebung noch nicht in Sicht --------------------------------------------- http://derstandard.at/2000030190051 *** red|blue: A Soft-ish Introduction to Malware Analysis for Incident Responders *** --------------------------------------------- One of my resolutions for the New Year is to spend more time conducting behavioral and static analysis of malicious PE files. I recently spent time watching some of the Cybrary Malware Reverse Engineering material and wanted to document my efforts here and share my notes and additional thoughts with you. --------------------------------------------- http://www.redblue.team/2016/02/a-soft-introduction-to-malware-analysis.html *** Malwarebytes Anti-Malware Vulnerability Disclosure *** --------------------------------------------- In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware. Within days, we were able to fix several of the vulnerabilities server-side and are now internally .. --------------------------------------------- https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulner… *** Massive Admedia/Adverting iFrame Infection *** --------------------------------------------- This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files. The distinguishing features of this malware are: 32 hex digit comments at the beginning and end of the malicious .. --------------------------------------------- https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection… *** Google plugs Android vulns *** --------------------------------------------- Happy days if you own a Nexus Five "critical," four "high" severity and one merely "moderate" bug make up the menu of Android security patches, which are now available for Nexus devices and .. --------------------------------------------- www.theregister.co.uk/2016/02/02/google_plugs_android_vulns/ *** Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution *** --------------------------------------------- The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .DQP project file with a large array of bytes inserted in the Description element. Successful exploitation could allow execution of arbitrary code on the affected machine. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php *** Austrian Mobile Phone Signature is vulnerable against phishing and MitM attacks *** --------------------------------------------- Talking with various people about the Two Factor Authentication (2FA) which is used in Austria to access public services led to my impression that most people think that the system is really secure. While it is more secure than a simple user/password combination its by far not that secure. In this .. --------------------------------------------- http://robert.penz.name/1224/austrian-mobile-phone-signature-is-vulnerable-… *** Aktuelle Spamwelle (Dridex) *** --------------------------------------------- In den letzten Tagen gibt es vermehrt Berichte darüber, dass die Malware Dridex nach einer kurzen Winterpause wieder verstärkt aktiv ist. --------------------------------------------- http://www.cert.at/services/blog/20160202110607-1661.html *** Cyberbetrug bei FACC: Aktionäre fordern Konsequenzen *** --------------------------------------------- Rasinger: "Das schließt auch personelle Konsequenzen mit ein" – Zeitung: Ablöse von Finanzchefin zu erwarten --------------------------------------------- http://derstandard.at/2000030230502-375 *** Apache verpetzt möglicherweise Tor Hidden Services *** --------------------------------------------- In seiner Standard-Konfiguration liefert der beliebte Web-Server-Dienst Informationen, die die Anonymitäts-Versprechen eines Tor Hidden Services gefährden. Diese anonymen Tor-Dienste sind der Kern des oft zitierten "Dark Net". --------------------------------------------- http://heise.de/-3090218 *** Crash Safari Follow-Up *** --------------------------------------------- It's been a week since short links to crashsafari.com went viral, and Google has finally killed the most prevalent link (goo.gl/78uQHK). More than three-quarters of a million clicks were made before the short link was disabled for violating .. --------------------------------------------- https://labsblog.f-secure.com/2016/02/02/crash-safari-follow-up/ *** A1 kämpft seit Samstag gegen Hackerangriffe *** --------------------------------------------- Ausfälle nach DDoS-Attacken zuerst im mobilen Netz, danach im Festnetz-Internet --------------------------------------------- http://derstandard.at/2000030190051 *** Targeted IPv6 Scans Using pool.ntp.org *** --------------------------------------------- IPv6 poses a problem for systems like Shodan, who try to enumerate vulnerabilities Internet-wide. Tools like zmap can scan the IPv4 internet in minutes (or maybe hours), but for IPv6, the same approach will still fail. The smallest IPv6 subnet is a /64, or 18.4 Quintillion addresses. A tool like zmap would .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=20681 *** Socat Warns Weak Prime Number Could Mean It's Backdoored *** --------------------------------------------- Socat published a security advisory warning users that a hard-coded 1024 Diffie-Hellman prime number was not prime, and that an attacker could listen and recover secrets from a key exchange. --------------------------------------------- http://threatpost.com/socat-warns-weak-prime-number-could-mean-its-backdoor… *** VU#719736: Fisher-Price Smart Toy platform allows some unauthenticated web API commands *** --------------------------------------------- The Fisher-Price Smart Toy bear is a new WiFi-connected Internet of Things (IoT) toy. The device utilizes network connectivity to provide more interactivity with children. --------------------------------------------- http://www.kb.cert.org/vuls/id/719736 *** Top Exploit Kits Round Up January Edition *** --------------------------------------------- A look at the top exploit kits.Categories: ExploitKits(Read more...) --------------------------------------------- https://blog.malwarebytes.org/exploitkits/2016/02/top-exploit-kits-round-up… *** MailPoet Newsletters <= 2.6.19 - Cross-Site Scripting (XSS) *** --------------------------------------------- https://wpvulndb.com/vulnerabilities/8373 *** Hacker wollen bei Nasa eingebrochen sein, um Chemtrails zu beweisen *** --------------------------------------------- Gruppierung "Anonsec" will 250 GB an Daten erbeutet und Kontrolle über eine Drohne übernommen haben --------------------------------------------- http://derstandard.at/2000030242744

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily February 2016