=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 15-09-2016 18:00 − Freitag 16-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3668 mailman - security update ***
---------------------------------------------
It was discovered that there was a CSRF vulnerability in mailman, aweb-based mailing list manager, which could allow an attacker to obtaina users password.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3668
*** Yokogawa STARDOM Authentication Bypass Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an authentication bypass vulnerability in the Yokogawa STARDOM controller.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-01
*** ABB DataManagerPro Credential Management Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a credential management vulnerability in ABB’s DataManagerPro application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-02
*** Trane Tracer SC Sensitive Information Exposure Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for an information exposure vulnerability in Trane U.S. Inc.’s Tracer SC field panel.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-16-259-03
*** Attack Leverages Windows Safe Mode ***
---------------------------------------------
Researchers say a proof-of-concept attack using Windows Safe Mode can lead to credential theft and allow hackers to move laterally within a corporate network.
---------------------------------------------
http://threatpost.com/attack-leverages-windows-safe-mode/120622/
*** Ransomware Getting More Targeted, Expensive ***
---------------------------------------------
I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his ..
---------------------------------------------
http://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensi…
*** DSA-3670 tomcat8 - security update ***
---------------------------------------------
Dawid Golunski of LegalHackers discovered that the Tomcat init scriptperformed unsafe file handling, which could result in local privilegeescalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3670
*** DSA-3669 tomcat7 - security update ***
---------------------------------------------
Dawid Golunski of LegalHackers discovered that the Tomcat init scriptperformed unsafe file handling, which could result in local privilegeescalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3669
*** Necurs – the Heavyweight Malware Spammer ***
---------------------------------------------
Today we want to dwell upon a pesky botnet that goes by the name of Necurs, and in particular its spamming activities. The botnet has been responsible for a massive ..
---------------------------------------------
http://trustwave.com/Resources/SpiderLabs-Blog/Necurs-%e2%80%93-the-Heavywe…
*** Trend Micro Internet Security vulnerability where files may be excluded as scan targets ***
---------------------------------------------
Trend Micro Internet Security provided by Trend Micro Incorporated contains a vulnerability where arbitrary files or folders may be excluded as scan targets.
---------------------------------------------
http://jvn.jp/en/jp/JVN98126322/
*** Splunk Enterprise and Splunk Lite vulnerable to cross-site scripting ***
---------------------------------------------
Splunk Enterprise and Splunk Lite contain a cross-site scripting vulnerability.Note that this vulnerability is different from JVN#74244518.
---------------------------------------------
http://jvn.jp/en/jp/JVN71462075/
*** Gefährliche Inhalte effektiver erkennen: Google baut Webseiten-Scan aus ***
---------------------------------------------
Webmaster können ihre Seiten nun noch tiefgehender nach unter anderem Malware-Verweisen und gefährlichen Downloads durchsuchen lassen.
---------------------------------------------
http://heise.de/-3325042
*** Erste Sicherheitslücken im Krypto-Messenger Signal entdeckt ***
---------------------------------------------
Ein Programmierfehler in Signal erlaubt die Manipulation von Dateianhängen. Über einen zweiten hätten Angreifer Schadcode aus der Ferne einschleusen können, hätte ein dritter Bug diesen Angriff nicht verhindert.
---------------------------------------------
http://heise.de/-3325242
*** Erpressungstrojaner: Stampado verschlüsselt von Ransomware verschlüsselte Dateien ***
---------------------------------------------
Ein neuer Erpressungstrojaner hat eine besonders gemeine Taktik: Verschlüsselt werden Dateien, die bereits von anderer Ransomware verschlüsselt wurden. Zum Glück gibt es Abhilfe.
---------------------------------------------
http://www.golem.de/news/erpressungstrojaner-stampado-verschluesselt-von-ra…
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 14-09-2016 18:00 − Donnerstag 15-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Cisco IOS and IOS XE Software IOx Local Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework code of the Cisco Local Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco WebEx Meetings Server Remote Command Execution Vulnerability ***
---------------------------------------------
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to bypass security restrictions on a host located in a DMZ and inject arbitrary commands on a targeted system.The vulnerability is due ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Unified Computing System Command Line Interface Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in the command-line interface (CLI) of the Cisco Unified Computing System (UCS) Manager and UCS 6200 Series Fabric Interconnects could allow an authenticated, local attacker to access the underlying operating system ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Fog Director for IOx Arbitrary File Write Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Fog Director for IOx could allow an authenticated, remote attacker to write a file to arbitrary locations. The vulnerability is due to insufficient input validation. An attacker could exploit this ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** iOS 10 schließt Sicherheitslücken in Tastatur und Sandbox ***
---------------------------------------------
Das Update auf iOS 10.0.1 räumt sieben Schwachpunkte aus, darunter eine mögliche Preisgabe 'sensibler Informationen' durch die Autokorrektur des Keyboards. watchOS 3 stopft eine Lücke.
---------------------------------------------
http://heise.de/-3323066
*** DSA-3666 mysql-5.5 - security update ***
---------------------------------------------
Dawid Golunski discovered that the mysqld_safe wrapper provided by theMySQL database server insufficiently restricted the load path for custommalloc implementations, which could result in privilege escalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3666
*** Science press site hacked; hackers release .. random crap ***
---------------------------------------------
http://arstechnica.com/science/2016/09/science-press-site-hacked-hackers-re…
*** Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation ***
---------------------------------------------
All cryptocurrencies are a target for cybercriminals. Anywhere there is value, criminals, fraudsters, and charlatans will soon follow. Call it the Willie Sutton principle. Sutton, a famous bank robber in the 1920s–30s, was asked why he ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/cryptocurrencies-a-target-for-cybercri…
*** Russian Hackers Get Bolder in Anti-Doping Agency Attack ***
---------------------------------------------
The attack on the World Anti-Doping Agency, following the DNC hack, signals Russian hackers emerging from the shadows to brazenly flaunt their work.
---------------------------------------------
https://www.wired.com/2016/09/anti-doping-agency-attack-shows-russian-hacke…
*** Virtueller Schiffsdiebstahl bei Star Citizen ***
---------------------------------------------
Im bisher noch unfertigen Weltraumepos Star Citizen kann man für hunderte Euros virtuelle Raumschiffe kaufen. Nun häufen sich anscheinend Angriffe auf die Konten der Spieler, mit dem Ziel, diese Schiffe zu klauen.
---------------------------------------------
http://heise.de/-3323060
*** DSA-3667 chromium-browser - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3667
*** Erpressungs-Trojaner Locky nun mit Autopilot ***
---------------------------------------------
Sicherheitsforschern zufolge kann Locky sein Schadenswerk jetzt auch offline ohne Kontakt zum Command-and-Control-Server der Kriminellen verrichten.
---------------------------------------------
http://heise.de/-3324553
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 13-09-2016 18:00 − Mittwoch 14-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** MS16-SEP - Microsoft Security Bulletin Summary for September 2016 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for September 2016.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-SEP
*** Announcing the Project Zero Prize ***
---------------------------------------------
Posted by Natalie Silvanovich, Exploit EnthusiastDespite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests. Hoping to continue the stream of great bugs, we've decided to start our own contest: The Project Zero Prize.The goal of this contest is to find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the...
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/09/announcing-project-zero-prize…
*** MSRT September 2016 release feature: Prifou ***
---------------------------------------------
As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this September includes detections for: BrowserModifier:Win32/Prifou TrojanClicker:Win32/NightClick Trojan:Win32/Suweezy Trojan:Win32/Xadupi This blog discusses BrowserModifier:Win32/Prifou (Prifou). Windows Defender detects this threat because it limits your choice and control over your browser and operating system. The unwanted behaviors...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/09/13/msrt-september-2016-rel…
*** Angst vor Spam: Swisscom deaktiviert mehrere Tausend Mailaccounts ***
---------------------------------------------
Weil die Kunden zu einfache E-Mail-Passwörter gewählt hatten, sperrte die Swisscom Tausende Accounts. Das Unternehmen fürchtet offenbar, sonst auf Spam-Blacklists von Google oder anderen Providern zu landen. Die Kunden müssen nun aktiv werden.
---------------------------------------------
http://www.golem.de/news/angst-vor-spam-swisscom-deaktiviert-mehrere-tausen…
*** Letzter klassischer Microsoft-Patchday bringt sieben kritische Updates ***
---------------------------------------------
Heute können Windows-Admins zum letzten Mal auswählen, welche Windows-Updates sie am monatlichen Patchday installieren wollen. Ab nächsten Monat gibt es dann nur noch monolithische Rollup-Pakete.
---------------------------------------------
http://heise.de/-3321310
*** Adobe-Patchday: Flash jetzt patchen! ***
---------------------------------------------
Kritische Lücken im Flash Player erlauben das Kapern von Rechnern. Adobe hat Updates veröffentlicht, um diese zu stopfen. Ebenso erhalten die eBook-Software Digital Editions und die Entwicklungswerkzeuge von AIR Patches.
---------------------------------------------
http://heise.de/-3321895
*** Rio 2016: Fancybear veröffentlicht medizinische Daten von US-Sportlern ***
---------------------------------------------
Vertrauliche medizinische Daten von US-Sportlern stehen im Netz. Angeblich russische Hacker haben mehrere Datensätze veröffentlicht, die Unregelmäßigkeiten bei Dopingkontrollen beweisen sollen. Die Wada ist entsetzt - und spricht von legalen Ausnahmegenehmigungen.
---------------------------------------------
http://www.golem.de/news/rio-2016-fancybear-veroeffentlicht-medizinische-da…
*** Exploit Attempts for Drupal RESTWS .x Module Vulnerability, (Wed, Sep 14th) ***
---------------------------------------------
Attackers usually dont have to worry much about Drupal administrators applying patches. The majority of exploit attempts I see in our honeypots use pretty ancient vulnerabilities. So I was happy to see a script kiddie go the extra mile and use a vulnerabilityreleased in July of this year [1] [2]. The vulnerability itself is very straight forward. The attacker can send arbitrary php code that will be executed on the server. No special encoding beyond URL encoding appears to be required. Here is...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21481&rss
*** Geldautomaten: Hintermann von Skimmingbande muss fünf Jahre in Haft ***
---------------------------------------------
Eine Skimmingbande hat in Sachsen fast 270.000 Euro mit gefälschten Bankkarten erbeutet. Die Tat fand bereits im Jahr 2011 statt, nun wurde ein Hintermann der Gruppe zu einer Freiheitsstrafe verurteilt.
---------------------------------------------
http://www.golem.de/news/geldautomaten-hintermann-von-skimmingbande-muss-fu…
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 12-09-2016 18:00 − Dienstag 13-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** FortiClient Unencrypted Password Vulnerability ***
---------------------------------------------
FOne of the processes in FortiClient stores VPN credentials unencrypted in memory. A malicious attacker who compromised the workstation could dump the credentials.
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-021
*** FortiClient DLL Hijacking vulnerability ***
---------------------------------------------
When executed, the FortiClient installer (FortiClientOnlineInstaller.exe), if downloaded before August 11th, 2016 (build 0842), would attempt to load DLLs from the directory where it resides.
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-046
*** Türkische Hacker griffen offenbar österreichische Nationalbank an ***
---------------------------------------------
Es handelt sich laut Kurier um dieselbe Gruppe, die schon den Flughafen Wien-Schwechat angegriffen hat
---------------------------------------------
http://derstandard.at/2000044275176
*** Gefälschte A1 Online Rechnung im Postfach ***
---------------------------------------------
Mit vermeintlichen papierlosen A1 Rechnungen wollen Kriminelle, dass Empfänger/innen eine Website aufrufen und dort die Datei „A1_rechnung.zip“ öffnen. Sie verbirgt Schadsoftware. Wer diese ausführt, installiert Programme, die den Computer unbrauchbar machen oder Bankdaten stehlen. Am sichersten ist es, wenn Sie die Nachrichten löschen.
---------------------------------------------
https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-onl…
*** Cache Flooding in TYPO3 Frontend ***
---------------------------------------------
It has been discovered, that TYPO3 is vulnerable to Cache Flooding
---------------------------------------------
https://typo3.org/news/article/cache-flooding-in-typo3-frontend/
*** DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices ***
---------------------------------------------
Over the past two years, we’ve observed many cases of Microsoft Windows and Apple iOS malware designed to attack mobile devices. This attack vector is increasingly ..
---------------------------------------------
http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-troj…
*** Sicherheits-Updates für Xen-Hypervisor ***
---------------------------------------------
Insgesamt vier Sicherheitslücken erfordern Updates. Für Debian, Oracle VM und Fedora gibt es aktualisierte Pakete.
---------------------------------------------
http://heise.de/-3319523
*** "Pokémon Go": Fake-App spioniert Millionen Smartphones aus ***
---------------------------------------------
Spionieren Internet-Daten der User aus und installieren Adware auf dem Smartphone
---------------------------------------------
http://derstandard.at/2000044305667
*** Antivirenentwickler: John McAfee soll Morde und Vergewaltigung begangen haben ***
---------------------------------------------
Ein Dokumentarfilm erhebt schwere Anschuldigungen gegen John McAfee. Während seiner Zeit in Belize soll er zwei Männer getötet und eine Frau vergewaltigt haben. McAfee bestreitet alle Vorwürfe und unterstellt dem Filmteam Bestechung von Quellen.
---------------------------------------------
http://www.golem.de/news/antiviren-entwickler-john-mcafee-soll-morde-und-ve…
*** Neutrino EK’s Afraidgate pushed in malvertising attack ***
---------------------------------------------
With a rise in malvertising attacks lately, we take a look at an ad server pushing the Afraidgate, traditionally found on compromised sites.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/exploits/2016/09/neutrino-eks-afra…
*** Security Bulletins Posted ***
---------------------------------------------
Adobe has published security bulletins for Adobe Digital Editions (APSB16-28), Adobe Flash Player (APSB16-29) and Adobe AIR SDK & Compiler (APSB16-31). Adobe recommends users update their product installations to the latest versions using ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1399
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 09-09-2016 18:00 − Montag 12-09-2016 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** DSA-3664 pdns - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in pdns, an authoritativeDNS server. The Common Vulnerabilities and Exposures project identifies ..
---------------------------------------------
https://www.debian.org/security/2016/dsa-3664
*** WordPress 4.6.1 stopft zwei Lücken ***
---------------------------------------------
Die Hersteller des CMS WordPress empfehlen, das Update auf WordPress 4.6.1 schnellstmöglich einzuspielen, da es zwei gefährliche Sicherheitslücken schließt. Installationen mit Auto-Update haben die neue Version automatisch in den vorigen Tagen bekommen.
---------------------------------------------
http://heise.de/-3317796
*** OSX.Mokes: Mächtige Mac-Malware entdeckt ***
---------------------------------------------
Ermöglicht Angreifern weitreichende Überwachung – sucht zudem System nach Daten ab
---------------------------------------------
http://derstandard.at/2000044172706
*** Android: Google-Sicherheitspatch vom September stopft erneute Stagefright-Lücke ***
---------------------------------------------
Google behebt im Security Bulletin vom September mehrere Fehler in Android, darunter eine vom eigenen Team Zero gefundene Erweiterung des Stagefright-Bugs. Der Patch ist an die Hersteller ausgeliefert, einige haben schon Updates bereitgestellt.
---------------------------------------------
http://heise.de/-3317825
*** Sicherheitsexperten finden IoT-Botnet ***
---------------------------------------------
Eine Linux-Malware greift aktuell IoT-Geräte wie IP-Kameras mit veralteter Firmware an. Das Besondere an diesem Schädling: Nach der Infektion verwischt er seine Spuren und bleibt nur im Arbeitsspeicher der Geräte präsent. Das erschwert die Analyse.
---------------------------------------------
http://heise.de/-3317830
*** WooCommerce <= 2.6.3 - Stored Cross Site Scripting (XSS) via REST API ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/8619
*** l+f: Anti-ROP Mainframe-Style ***
---------------------------------------------
Nach Intel, Microsoft, OpenBSD und diversen anderen stellt nun auch IBM seine eigene Anti-ROP-Technik vor.
---------------------------------------------
http://heise.de/-3317746
*** USB Killer: 50-Dollar-Stick zerstört Computer beim Anstecken ***
---------------------------------------------
Version 2.0 des Sticks veröffentlicht – Hochspannungsimpuls führt zu irreparablem Schaden
---------------------------------------------
http://derstandard.at/2000044216572
*** Gugi: from an SMS Trojan to a Mobile-Banking Trojan ***
---------------------------------------------
In the previous article, we described the mechanisms used by Trojan-Banker.AndroidOS.Gugi.c to bypass a number of new Android 6 security features. In this article, we review the entire Gugi mobile-banking Trojan family in more detail.
---------------------------------------------
http://securelist.com/blog/mobile/76023/gugi-from-an-sms-trojan-to-a-mobile…
*** Vdos: Betreiber des größten DDoS-Anbieters in Israel verhaftet ***
---------------------------------------------
Der Hack eines DDoS-Anbieters zeigt: Die Vermietung von Angriffskapazitäten ist ein einträgliches Geschäft. Ironischerweise versuchen die Anbieter, sich hinter dem DDoS-Schutz Cloudflare zu verstecken. Die Betreiber wurden mittlerweile in Israel festgenommen.
---------------------------------------------
http://www.golem.de/news/vdos-betreiber-des-groessten-ddos-anbieters-in-isr…
*** Remote Root Code Execution / Privilege Escalation (0day) ***
---------------------------------------------
An independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.
---------------------------------------------
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution…
*** DSA-3665 openjpeg2 - security update ***
---------------------------------------------
Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression /decompression library, may result in denial of service or the executionof arbitrary code if a malformed JPEG 2000 file is processed.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3665
*** Linux Malware: Novelties in the Threat Landscape ***
---------------------------------------------
In the last couple of years, security firms have observed an increasing number of malware specifically designed to target Linux-based systems. Linux, like ..
---------------------------------------------
http://resources.infosecinstitute.com/linux-malware-novelties-threat-landsc…
*** Payment Card Industry Council: Kreditkartenterminals bald mit Firmware-Update ***
---------------------------------------------
Skimming, Kreditkartenbetrug und manipulierte Bezahlterminals: Der Sicherheitstandard für EC- und Kreditkartenterminals wird überarbeitet. Künftig sollen die Geräte signierte Updates erhalten und gegen Laser resistent werden.
---------------------------------------------
http://www.golem.de/news/payment-card-industry-council-kreditkartenterminal…
*** LuaBot: Malware targeting cable modems ***
---------------------------------------------
CERT/CC released the Vulnerability Note VU#419568 and it got lots of media coverage. I did not provide any POCs during that time because I was pretty sure that those vulnerabilities were easily wormable... And guess what? Someone is actively exploiting those devices since May/2016.
---------------------------------------------
https://w00tsec.blogspot.co.at/2016/09/luabot-malware-targeting-cable-modem…
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 08-09-2016 18:00 − Freitag 09-09-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco ACE30 Application Control Engine Module and Cisco ACE 4710 Application Control Engine Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the SSL/TLS functions of the Cisco ACE30 Application Control Engine Module and the Cisco ACE 4700 Series Application Control Engine Appliances could allow an unauthenticated, remote attacker to cause a denial of ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** DSA-3662 inspircd - security update ***
---------------------------------------------
It was discovered that incorrect SASL authentication in the InspircdIRC server may lead to users impersonating other users.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3662
*** ZDI-16-505: AlienVault Unified Security Management get_directive_kdb directive_id SQL Injection Remote Code Execution Vulnerability ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-505/
*** ZDI-16-504: AlienVault Unified Security Management Multiple PHP Scripts Remote Code Execution Vulnerabilities ***
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Unified Security Management. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-16-504/
*** Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware ***
---------------------------------------------
A number of security vulnerabilities have been identified in firmware used in the Lights Out Management (LOM) component across all NetScaler ..
---------------------------------------------
http://support.citrix.com/article/CTX216642
*** iPrint Appliance 2.0 Hot Patch 1 ***
---------------------------------------------
https://download.novell.com/Download?buildid=S7GK9olwBDk~
*** iPrint Appliance 2.1 Hot Patch 1 ***
---------------------------------------------
https://download.novell.com/Download?buildid=lVbNSynhgHU~
*** Asterisk RTP Session Management Bug Lets Remote Authenticated Users Consume Excessive Resources on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036750
*** Asterisk Error in Processing Unknown Endpoints Lets Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1036749
*** Collecting Users Credentials from Locked Devices, (Fri, Sep 9th) ***
---------------------------------------------
Its a fact: When a device can be physically accessed, you may consider it as compromised. And if the device is properly hardened, its just a matter of time. The best ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21461
*** Samsung Android Security Updates ***
---------------------------------------------
SMR-SEP-2016 - Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
---------------------------------------------
http://security.samsungmobile.com/smrupdate.html
*** Picture Perfect: CryLocker Ransomware Uploads User Information as PNG Files ***
---------------------------------------------
Taking advantage of legitimate sites for command-and-control (C&C) purposes is typically done by most malware to avoid rousing suspicion from their targets. While ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/picture-perfect-…
*** Your Seagate Central NAS could be hosting mining malware ***
---------------------------------------------
If you have discovered cryptocurrency mining malware on your system, have removed it, and got compromised again without an idea about how it happened, it could be that the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/09/seagate-central-nas-hosting-malw…
*** Chrome soll vor nicht verschlüsselnden Webseiten warnen ***
---------------------------------------------
Zunächst brandmarkt der Browser nur Seiten, die Passwörter oder Kreditkarteninformationen enthalten. Nach und nach soll die Warnung dann ausgeweitet werden.
---------------------------------------------
http://heise.de/-3317393
*** Red Hat JBoss Enterprise Application Platform Input Validation Flaw Lets Remote Users Conduct HTTP Response Splitting and Content Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036758
*** HTTPS: Google Chrome will vor unverschlüsselten Webseiten warnen ***
---------------------------------------------
Wie umgehen mit unverschlüsselten Webseiten? Google will in Chrome künftig warnen, wenn unverschlüsselte Webseiten Passwörter und Kreditkartendaten abfragen. Doch das ist nur der Beginn der Planungen.
---------------------------------------------
http://www.golem.de/news/https-google-chrome-will-vor-unverschluesselten-we…
*** Asterisk RTP Session Management Bug Lets Remote Authenticated Users Consume Excessive Resources on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1036750
*** Asterisk Error in Processing Unknown Endpoints Lets Remote Users Cause the Target Service to Crash ***
---------------------------------------------
http://www.securitytracker.com/id/1036749
*** Collecting Users Credentials from Locked Devices, (Fri, Sep 9th) ***
---------------------------------------------
Its a fact: When a device can be physically accessed, you may consider it as compromised. And if the device is properly hardened, its just a matter of time. The best ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21461
*** Samsung Android Security Updates ***
---------------------------------------------
SMR-SEP-2016 - Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
---------------------------------------------
http://security.samsungmobile.com/smrupdate.html
*** Picture Perfect: CryLocker Ransomware Uploads User Information as PNG Files ***
---------------------------------------------
Taking advantage of legitimate sites for command-and-control (C&C) purposes is typically done by most malware to avoid rousing suspicion from their targets. While ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/picture-perfect-…
*** Your Seagate Central NAS could be hosting mining malware ***
---------------------------------------------
If you have discovered cryptocurrency mining malware on your system, have removed it, and got compromised again without an idea about how it happened, it could be that the ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/09/seagate-central-nas-hosting-malw…
*** Chrome soll vor nicht verschlüsselnden Webseiten warnen ***
---------------------------------------------
Zunächst brandmarkt der Browser nur Seiten, die Passwörter oder Kreditkarteninformationen enthalten. Nach und nach soll die Warnung dann ausgeweitet werden.
---------------------------------------------
http://heise.de/-3317393
*** Red Hat JBoss Enterprise Application Platform Input Validation Flaw Lets Remote Users Conduct HTTP Response Splitting and Content Injection Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1036758
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 07-09-2016 18:00 − Donnerstag 08-09-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Cisco Firepower Management Center and FireSIGHT System Software Session Fixation Vulnerability ***
---------------------------------------------
A vulnerability in session identification management functionality of the web-based management interface for Cisco Firepower Management Center and Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to hijack a valid user session ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Firepower Management Center and FireSIGHT System Software Malware Bypass Vulnerability ***
---------------------------------------------
A vulnerability in the malicious file detection and blocking features of Cisco Firepower Management Center and Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Cisco Firepower Management Center and FireSIGHT System Software Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web-based management interface of Cisco Firepower Management Center and Cisco FireSIGHT System Software could allow an authenticated, remote attacker ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Return to libstagefright: exploiting libutils on Android ***
---------------------------------------------
I’ve been investigating different fuzzing approaches on some Android devices recently, and this turned up the following rather interesting bug (CVE 2016-3861 fixed in the most recent Android Security Bulletin), deep in the ..
---------------------------------------------
http://googleprojectzero.blogspot.com/2016/09/return-to-libstagefright-expl…
*** [R1] LCE 4.8.1 Fixes Multiple Third-party Library Vulnerabilities ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-14
*** Critical Flaws Found in Network Management Systems ***
---------------------------------------------
Four leading network management system providers patched nearly a dozen critical cross-site scripting vulnerabilities disclosed Wednesday by Rapid7.
---------------------------------------------
http://threatpost.com/critical-flaws-found-in-network-management-systems-2/…
*** Updated DShield Blocklist ***
---------------------------------------------
Earlier today, I updated how our block list is generated. The idea behind this is to avoid some false positives and to make the list more meaningful. As usual, ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21453&
*** Stealing login credentials from a locked PC or Mac just got easier ***
---------------------------------------------
20 seconds of physical access with a $50 device is all it takes.
---------------------------------------------
http://arstechnica.com/security/2016/09/stealing-login-credentials-from-a-l…
*** The Limits of SMS for 2-Factor Authentication ***
---------------------------------------------
A recent ping from a reader reminded me that Ive been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication ..
---------------------------------------------
http://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentic…
*** Erpressungstrojaner: FBI hofft auf mehr Anzeigen ***
---------------------------------------------
Die Erpresser, die Computer kapern und verschlüsseln, werden immer professioneller. In den USA wünscht sich das FBI möglichst viele Anzeigen der Opfer, da jede Information im Kampf gegen die Verbrecher helfen könne.
---------------------------------------------
http://heise.de/-3316101
*** Ten-year-old Windows Media Player hack is the new black, again ***
---------------------------------------------
Why bother buying a zero-day when casual piracy and old code can p0wn thousands? Net scum are still finding ways to take down users with a decade-old Windows Media Player attack.
---------------------------------------------
www.theregister.co.uk/2016/09/08/windows_media_player_malware_drm_security/
*** WordPress 4.6.1 upgrades security, fixes 15 bugs ***
---------------------------------------------
WordPress 4.6.1 is now available. This is a security release for all previous versions and all users are strongly encouraged to update their sites immediately. The two ..
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/08/wordpress-4-6-1-upgrades-securit…
*** Netzwerkanalyse: Version 2.2 von Wireshark freigegeben ***
---------------------------------------------
Version 2.2 von Wireshark versteht eine Reihe neuer Protokolle. Zudem spricht es selbst inzwischen JSON und kann Pakete in diesem Format exportieren.
---------------------------------------------
http://heise.de/-3316297
*** Denial of Service in extension "Speaking URLs for TYPO3" (realurl) ***
---------------------------------------------
https://typo3.org/news/article/denial-of-service-in-extension-speaking-urls…
*** Xen Security Advisory CVE-2016-7154 / XSA-188 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-188.html
*** Xen Security Advisory CVE-2016-7094 / XSA-187 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-187.html
*** Xen Security Advisory CVE-2016-7093 / XSA-186 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-186.html
*** Xen Security Advisory CVE-2016-7092 / XSA-185 ***
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-185.html
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that may allow malicious privileged code running within a guest VM to compromise the host.
---------------------------------------------
https://support.citrix.com/article/CTX216071
*** IBM Security Bulletin: A security vulnerability for cross-site scripting affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-2986) ***
---------------------------------------------
This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21989940
*** IBM Security Bulletin: A vulnerability in PostgreSQL affects IBM Security Access Manager version 9 (CVE-2016-0773) ***
---------------------------------------------
IBM Security Access Manager version 9 appliances are affected by a vulnerability in postgreSQL. CVE(s): CVE-2016-0773 Affected product(s) and affected version(s): IBM ..
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21989543
*** Urheberrecht: Datenpanne bei Abmahnsoftware ***
---------------------------------------------
Eine Kanzlei, die gegen unrechtmäßige Nutzung von Fotos vorgeht, nutzt offenbar Software, die nachlässig konfiguriert ist. Unberechtigte Nutzer konnten Daten zu Mandaten und Abmahnungen einsehen.
---------------------------------------------
http://www.golem.de/news/urheberrechte-datenpanne-bei-abmahnkanzlei-1609-12…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 06-09-2016 18:00 − Mittwoch 07-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Cleaning the Wp-Page Pharma Hack in WordPress ***
---------------------------------------------
Pharma hacks are common website infections categorized under SEO spam. With pharma hacks, the attacker exploits vulnerable websites to distribute pharmaceutical advertisements to visitors. Symptoms of a pharma hack include embedded links and anchor text on pages or modified listings in Search Engine Results Pages (SERPs). These attacks most often target search engines like Google...
---------------------------------------------
https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpre…
*** How to Set Up Your Own Malware Trap, (Tue, Sep 6th) ***
---------------------------------------------
I am sure what you really want is more malware ;-). But a few people asked for tricks to collect malware.Malware can be useful for a number of reasons: First of all, you could extract indicators of compromise from malware using various more or less automated methods. In addition, it is a good idea to keep an eye on what your users may be seeing, in particular if they receive e-mail from sources other then your corporate e-mail system. Sadly, many corporations these days switch to cloud...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21447&rss
*** Google stopft letzte QuadRooter-Lücken in Android ***
---------------------------------------------
Im Rahmen seines allmonatliche Android-Patches stopft Google 47 Sicherheitslücken im Betriebssystem. Sieben der Lücken gelten als kritisch.
---------------------------------------------
http://heise.de/-3315023
*** Ungepatchte Lücken in Load-Balancern von Fortinet ***
---------------------------------------------
Fortinet hat mit einem Update eine Sicherheitslücke in seinen Load-Balancern der FortiWAN-Serie geschlossen. Andere Lücken scheinen davon aber unbenommen, was es Angreifern erlauben würde, Admin-Kommandos ohne entsprechende Rechte auszuführen.
---------------------------------------------
http://heise.de/-3315178
*** Keine Bestätigung persönlicher Daten bei Amazon erforderlich ***
---------------------------------------------
In einer Phishingmail schreiben Kriminelle, dass Amazon das Benutzerkonto von Empfänger/innen zeitweise eingefroren habe. Aus diesem Grund sollen Kund/innen ihre persönlichen Daten bestätigen. Dazu müssen sie einen Link aufrufen und Zugangsdaten auf einer Website bekannt geben. Das dürfen Nutzer/innen nicht tun!
---------------------------------------------
https://www.watchlist-internet.at/phishing/keine-bestaetigung-persoenlicher…
*** Back-dooring PE Files on Windows ***
---------------------------------------------
Introduction: Portable Executable (PE) files are very commonly used today. Many people download these files from the internet or get it from a friend and run it on their systems without realizing the dangers involved in running these kind of files. It is very easy to add malicious code to these files and have it...
---------------------------------------------
http://resources.infosecinstitute.com/back-dooring-pe-files-windows/
*** The Missing Piece - Sophisticated OS X Backdoor Discovered ***
---------------------------------------------
In a nutshell Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor which is able to operate on all major operating systems (Windows,Linux,OS X). Please see also our analysis on the Windows and Linux variants.
---------------------------------------------
http://securelist.com/blog/research/75990/the-missing-piece-sophisticated-o…
*** A bite of Python ***
---------------------------------------------
Being easy to pick up and progress quickly towards developing larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. Though apparent language clarity and friendliness could lull the vigilance of software engineers and system administrators -- luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked...
---------------------------------------------
https://access.redhat.com/blogs/766093/posts/2592591
*** OUCH! 2016 Newsletter ***
---------------------------------------------
September 2016: Email Dos and Donts
---------------------------------------------
https://securingthehuman.sans.org/resources/newsletters/ouch/2016
*** WordPress 4.6.1 Security and Maintenance Release ***
---------------------------------------------
https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance…
*** FortiWAN Multiple Vulnerabilities ***
---------------------------------------------
FortWan 4.2.4 and below is exposed to cross site scripting, information leak and escalation of privilege vulnerabilities.CVE-2016-4965 FortiWAN Non-administrative authenticated user having access privileges to the nslookup functionality can perform OS command injection in the root user contextCVE-20...
---------------------------------------------
http://fortiguard.com/advisory/fortiwan-multiple-vulnerabilities
*** [R5] PHP < 5.6.21 Vulnerabilities Affect Tenable SecurityCenter ***
---------------------------------------------
http://www.tenable.com/security/tns-2016-09
*** TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations ***
---------------------------------------------
Original release date: September 06, 2016 Systems Affected Network Infrastructure Devices Overview The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and...
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/TA16-250A
*** Security Advisory: Expat XML parser vulnerability CVE-2012-6702 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/65/sol65460334.html?…
*** Security Advisory: FreeType vulnerabilities CVE-2014-9746 and CVE-2014-9747 ***
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/k/52/sol52439336.html?…
*** Bugtraq: Infoblox Cross-site scripting vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539367
*** Bugtraq: [CVE-2016-6484] Infoblox Network Automation CRLF Injection/ HTTP splitting ***
---------------------------------------------
http://www.securityfocus.com/archive/1/539366
*** BMC BladeLogic Server Automation For Linux 8.7 Directory Dump ***
---------------------------------------------
Topic: BMC BladeLogic Server Automation For Linux 8.7 Directory Dump Risk: Medium Text:Title: Unauthenticated Arbitrary Directory Dump in BMC BladeLogic Server Automation Affected Software: BMC Bla...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090036
*** VU#282991: DEXIS Imaging Suite 10 contains hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#282991 DEXIS Imaging Suite 10 contains hard-coded credentials Original Release date: 07 Sep 2016 | Last revised: 07 Sep 2016 Overview DEXIS is a dental x-ray imaging software that manages patient records. DEXIS Imaging Suite 10 contains several hard-coded credentials allowing administrative or root access to the patient database. Description CWE-798: Use of Hard-coded Credentials - CVE-2016-6532 DEXIS Imaging Suite 10 contains several hard-coded database credentials...
---------------------------------------------
http://www.kb.cert.org/vuls/id/282991
*** VU#548399: Dentsply Sirona SchickTech CDR contains multiple hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#548399 Dentsply Sirona SchickTech CDR contains multiple hard-coded credentials Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016 Overview The Dentsply Sirona ShickTech CDR DICOM is software for managing medical dental records. CDR DICOM contains several hard-coded credentials allowing administrative or root access. Description CWE-798: Use of Hard-coded Credentials - CVE-2016-6530 ShickTech CDR DICOM version 5 and below contains several hard-coded database...
---------------------------------------------
http://www.kb.cert.org/vuls/id/548399
*** VU#619767: Open Dental contains hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#619767 Open Dental contains hard-coded credentials Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016 Overview Open Dental is a medical dental records management software. Open Dental contains hard-coded default credentials allowing administrative or root access to the patient database. Description CWE-798: Use of Hard-coded Credentials - CVE-2016-6531Open Dental contains a hard-coded default database credential. An unauthenticated remote attacker with...
---------------------------------------------
http://www.kb.cert.org/vuls/id/619767
*** VU#548399: Dentsply Sirona CDR DICOM contains multiple hard-coded credentials ***
---------------------------------------------
Vulnerability Note VU#548399 Dentsply Sirona CDR DICOM contains multiple hard-coded credentials Original Release date: 06 Sep 2016 | Last revised: 06 Sep 2016 Overview The Dentsply Sirona (previously known as Shick Technologies) CDR DICOM is software for managing medical dental records. CDR DICOM contains several hard-coded credentials allowing administrative or root access. Description CWE-798: Use of Hard-coded Credentials - CVE-2016-6530 Dentsply Sirona CDR DICOM version 5 and below...
---------------------------------------------
http://www.kb.cert.org/vuls/id/548399
*** Security Advisory - XML Bomb Vulnerability in AnyOffice ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-…
*** Security Advisory - Two Vulnerabilities in Huawei WS331a ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-…
*** Security Advisory - TCP Connection Hijack Vulnerability ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-…
*** Security Advisory - Information Leak Vulnerability in Certain Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2015/hw-455876
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in NTP affect AIX (CVE-2015-7974, CVE-2016-1550, CVE-2016-1551, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519, CVE-2016-1547, CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955) ***
http://http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
---------------------------------------------
*** IBM Security Bulletin: Two vulnerabilities in libvirt affect PowerKVM (CVE-2015-5313, CVE-2016-5008) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024185
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple php vulnerabilities ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024229
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the Apache HTTP Server affects PowerKVM (CVE-2016-5387) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1024017
---------------------------------------------
*** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by a Pluggable Authentication Module (PAM) vulnerability (CVE-2013-7041) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024221
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Struts v2 affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-1181, CVE-2016-1182 ***
http://www.ibm.com/support/docview.wss?uid=swg21988638
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center April 2016 CPU (CVE-2016-3426) ***
http://www.ibm.com/support/docview.wss?uid=swg21988636
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in libssh2 affect IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru Firmware and QLogic Virtual Fabric Extension Module for IBM BladeCenter (CVE-2016-0787) ***
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099450
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Rational Team Concert with potential for Cross-Site Scripting attack (CVE-2016-0331) ***
http://www.ibm.com/support/docview.wss?uid=swg21989899
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Taglibs vulnerability affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2015-0254 ***
http://www.ibm.com/support/docview.wss?uid=swg21988644
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in MD5 Signature and Hash Algorithm, glibc and OpenSSL affect IBM Netezza Firmware Diagnostics Tools ***
http://www-01.ibm.com/support/docview.wss?uid=swg21980965
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 05-09-2016 18:00 − Dienstag 06-09-2016 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops ***
---------------------------------------------
Whaling attackers fall for poison PDF invoices HITB Florian Lukavsky hacks criminals profiting from out of control multi-billion dollar CEO wire transfer scams and they hate him for it.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2016/09/06/hacker_hack…
*** House of Keys: 9 Months later... 40% Worse ***
---------------------------------------------
In November 2015 SEC Consult released the results of our study on hardcoded cryptographic secrets in embedded systems. Its time to summarize what has happened since.To accomplish the mammoth task of informing about 50 different vendors and various ISPs we teamed up with CERT/CC (VU#566724). We would really like to report that our efforts were successful, but as it turns out the number of devices on the web using known private keys for HTTPS server certificates has gone up by 40% in the last...
---------------------------------------------
http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.h…
*** Too many Cisco ASA boxes still open to an EXTRABACON attack ***
---------------------------------------------
Among the Equation Group exploits leaked by the Shadow Brokers, the one named EXTRABACON that targets Cisco ASA devices got the most attention from security researchers and attackers. It has been demonstrated that the original exploit can be easily modified to work on more recent versions of the Cisco ASA SSL VPN appliances, and researchers armed with honeypots noted that exploitation attempts started soon after the leak. You would think that news like this would...
---------------------------------------------
https://www.helpnetsecurity.com/2016/09/06/cisco-asa-still-open-extrabacon/
*** Digital Forensics According to the FORZA Model and Diamond Model for Intrusion Analysis ***
---------------------------------------------
The Bridge on the River Forza We can teach these barbarians a lesson in Western methods and efficiency that will put them to shame. -Colonel Nicholson (The Bridge on the River Kwai, 1957) Efficiency. Something we look to implement in everything we do, whether that be through the elimination of waste through Six Sigma, or other frameworks and methodologies, efficiency is what we strive for. When performing digital forensics, efficiency and rigor in our approach to ensure no stone left...
---------------------------------------------
https://feeds.feedblitz.com/~/192237180/0/alienvault-blogs~Digital-Forensic…
*** How False Positives can ruin your day - and how to stop them ***
---------------------------------------------
False positives can seriously ruin your day, and can cost enterprises serious money. Highlighted by a recent example, we share some key tips on how to mitigate false alerts.
---------------------------------------------
https://www.htbridge.com/blog/how-false-positives-can-ruin-your-day-and-how…
*** A week in security (Aug 28 - Sep 03) ***
---------------------------------------------
A compilation of notable security news and blog posts from August 28th to September 3rd. This week, we talked about browser-based fingerprinting; what was going on with the Mac app, Transmission; and a tech support scam that banked on an iPad error popping up on Windows systems.Categories: Security world Week in securityTags: recapweekly blog roundup(Read more...)
---------------------------------------------
https://blog.malwarebytes.com/security-world/2016/09/a-week-in-security-aug…
*** [2016-09-06] Private key for browser-trusted certificate embedded in multiple Aruba Networks / Alcatel-Lucent products ***
---------------------------------------------
A browser-trusted certificate including its private key is embedded in the firmware of several Aruba Networks/Alcatel-Lucent products. The certificate is used for providing user access to a captive portal via HTTPS as well as EAP connections for WPA2-Enterprise clients. An attacker can use this vulnerability to impersonate a captive portal or Wi-Fi AP and gain access to sensitive information.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016…
*** SSA-630413 (Last Update 2016-09-05): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-630413…
*** ArcServe UDP - Unquoted Service Path Privilege Escalation ***
---------------------------------------------
Topic: ArcServe UDP - Unquoted Service Path Privilege Escalation Risk: High Text:Title: ArcServe UDP - Unquoted Service Path Privilege Escalation CWE Class: CWE-427: Uncontrolled Search Path Element Date: 0...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090024
*** ArcServe UDP - Download Manager/Setup - DLL Hijacking ***
---------------------------------------------
Topic: ArcServe UDP - Download Manager/Setup - DLL Hijacking Risk: Medium Text:Title: ArcServe UDP - Download Manager/Setup - DLL Hijacking CWE Class: CWE-427: Uncontrolled Search Path Element Date: 04/09...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090030
*** ArcServe UDP - HTTP Installation MiTM ***
---------------------------------------------
Topic: ArcServe UDP - HTTP Installation MiTM Risk: Low Text:Title: ArcServe UDP - MiTM CWE Class: CWE-300: Channel Accessible by Non-Endpoint (Man-in-the-Middle) | CWE-319: Cleartext T...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2016090029
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Network Security Services (NSS) affects the IBM FlashSystem model V9000 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009104
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Network Security Services (NSS) affect the IBM FlashSystem models 840 and 900 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009103
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in Network Security Services (NSS) affects the IBM FlashSystem model V840 (CVE-2016-1978) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009102
---------------------------------------------
*** IBM Security Bulletin: BigInsights is affected by a vulnerability in DB2 (CVE-2014-0919, CVE-2016-0211) ***
http://www.ibm.com/support/docview.wss?uid=swg21987604
---------------------------------------------
*** IBM Security Bulletin: IBM Forms Viewer may be affected by an Apache Xerces-C XML Parser library vulnerability (CVE-2016-0729) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21988714
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem model V840 (CVE-2016-2107) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009106
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSL affects the IBM FlashSystem models 840 and 900 (CVE-2016-2107) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009105
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 02-09-2016 18:00 − Montag 05-09-2016 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** DNS tunneling threat drills into nearly half of networks tested ***
---------------------------------------------
InfoBloxs new report showed nearly half of all networks tested to show signs of DNS tunnelling
---------------------------------------------
http://www.scmagazine.com/dns-tunneling-threat-drills-into-nearly-half-of-n…
*** Android Patch Fixes Nexus 5X Critical Vulnerability ***
---------------------------------------------
Google patched an undocumented vulnerability that allowed attackers to bypass Nexus 5X devices lock screen via a forced memory dump that exposed the device owners password.
---------------------------------------------
http://threatpost.com/android-patch-fixes-nexus-5x-critical-vulnerability/1…
*** Cisco IOS Software Point-to-Point Tunneling Protocol Server Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the implementation of Point-to-Point Tunneling Protocol (PPTP) server functionality in Cisco IOS Software could allow an unauthenticated, remote attacker to access data from a packet buffer that was previously ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Sundown EK – Stealing Its Way to the Top ***
---------------------------------------------
Sundown is one of the newest Exploit Kits on the market these days, and like many up-and-coming exploit kits before it, this means that it is in under constant development. With ..
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Sundown-EK-%e2%80%93-St…
*** Mailman Access Control Flaw in User Options Page Lets Remote Users Conduct Cross-Site Request Forgery Attacks ***
---------------------------------------------
Mailman Access Control Flaw in User Options Page Lets Remote Users Conduct Cross-Site Request Forgery Attacks
---------------------------------------------
http://www.securitytracker.com/id/1036728
*** ‘Flash Hijacks’ Add New Twist to Muggings ***
---------------------------------------------
A frequent crime in Brazil is a scheme in which thieves kidnap people as theyre leaving a bank, and free them only after theyve visited a number of ATMs to withdraw ..
---------------------------------------------
http://krebsonsecurity.com/2016/09/flash-hijacks-add-new-twist-to-muggings/
*** Telnet is not dead – at least not on ‘smart’ devices ***
---------------------------------------------
Depending on your age, you either might or might not have used Telnet to connect to remote computers in the past. But ..
---------------------------------------------
http://en.blog.nic.cz/2016/09/01/telnet-is-not-dead-at-least-not-on-smart-d…
*** "Wenn Ihre Daten in der Cloud sind, hat sie auch die NSA" ***
---------------------------------------------
Der Kryptologe Bart Preneel im futurezone-Interview über Verschlüsselung in der Nach-Snowden-Ära, Hintertüren und Quantenkryptographie.
---------------------------------------------
https://futurezone.at/science/wenn-ihre-daten-in-der-cloud-sind-hat-sie-auc…
*** Microsoft thought of the children and decided to ban some browsers ***
---------------------------------------------
Redmonds Family Settings now block browsers-without-filters by default, but which ones? Microsoft has updated its family filters to block some rival ..
---------------------------------------------
www.theregister.co.uk/2016/09/05/microsoft_thought_of_the_children_and_deci…
*** Hintergrund: Analysiert: Ransomware meets Info-Stealer - RAA und das diebische Pony, Teil II ***
---------------------------------------------
Wie diese Analysiert:-Folge enthüllt, weist die scheinbar perfekte Verschlüsselung des RAA-Trojaners doch Lücken auf. Auch der von RAA gestartete Passwort-Dieb kann sich mit seinen Anti-Debugging-Tricks der Analyse nicht entziehen.
---------------------------------------------
http://heise.de/-3303401
*** Fake attacks by insiders to fool companies ***
---------------------------------------------
Famous cybercrime groups and hacktivists “brands” may be a smokescreen to cover sophisticated insider attacks.
---------------------------------------------
https://www.htbridge.com/blog/fake-attacks-by-insiders-to-fool-companies.ht…
*** Security Advisory - Information Leak Vulnerability in Huawei eSpace IAD ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160905-…
*** Security Advisory - Multiple Security Vulnerabilities in Huawei HiSuite ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160905-…
*** BKA geht mit SOKO Clavis gegen Ransomware vor ***
---------------------------------------------
Nachdem sich in den vergangenen Wochen die Fälle häufen, will das Bundeskriminalamt nun gezielt gegen Ransomware vorgehen. Eine SOKO soll die Täter ausfindig machen.
---------------------------------------------
https://futurezone.at/netzpolitik/bka-geht-mit-soko-clavis-gegen-ransomware…
*** Sophos Windows users face black screens after false positive snafu ***
---------------------------------------------
Black is the new BSOD Users of Sophos’s security software were confronted with a black screen on starting up ..
---------------------------------------------
www.theregister.co.uk/2016/09/05/sophos_black_screen_snafu/
*** Vuln: Inspircd SSL Certificate Spoofing Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/92737
*** Totgesagte leben länger: Adobe poliert NPAPI-Flash auf Linux auf ***
---------------------------------------------
Entgegen so manch einem Meinungsartikel ist Flash noch lange nicht am Ende. Das muss wohl auch Adobe einsehen und frischt nun die veraltete NPAPI-Version unter Linux auf.
---------------------------------------------
http://heise.de/-3314084
*** 800.000 Klartext-Passwörter der Pornoseite Brazzers veröffentlicht ***
---------------------------------------------
Wieder ist ein großer Hack mit kopierten Nutzerdaten bekannt geworden und wieder scheint der Einbruch in die Server 2012 stattgefunden zu haben.
---------------------------------------------
http://heise.de/-3314087
*** Malware Delivered via .pub Files ***
---------------------------------------------
While searching for new scenarios to deliver their malwares[1][2], attackers launched a campaignto deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. The ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=21443
*** Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems ***
---------------------------------------------
The Trend Micro Forward Looking Threat Research team recently obtained samples of a new rootkit family from one of our trusted partners. We are providing a ..
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-u…