Daily January 2017

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - Dienstag 31-01-2017
by Daily end-of-shift report 31 Jan '17

31 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 30-01-2017 18:00 − Dienstag 31-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Printer Security *** --------------------------------------------- TL;DR: In this blog post we give an overview of attack scenarios based on network printers, and show the possibilities of an attacker who has access to a vulnerable printer. We present our evaluation of 20 different printer models and show that each of .. --------------------------------------------- https://web-in-security.blogspot.co.at/2017/01/printer-security.html *** CVE-2017-5521: Bypassing Authentication on NETGEAR Routers *** --------------------------------------------- Home routers are the first and sometimes last line of defense for a network. Despite this fact, many manufacturers of home routers fail to properly audit their devices for security issues before releasing them to the market. As security researchers, .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521--Bypassin… *** Erpressungs-Trojaner Sage nutzt Bleeding-Edge-Krypto-Funktionen *** --------------------------------------------- Eine neue Ransomware-Familie orientiert sich bei der Verschlüsselung mit Curve25519 und ChaCha20 am oberen Ende des derzeit zur Verfügung stehenden Repertoires von Krypto-Funktionen. --------------------------------------------- https://heise.de/-3610664 *** DSA-3776 chromium-browser - security update *** --------------------------------------------- https://www.debian.org/security/2017/dsa-3776 *** HTTPS: Das halbe Web ist nun verschlüsselt *** --------------------------------------------- Verschlüsselter Traffic überholt laut Mozilla unverschlüsselte Verbindungen – Anstieg um zehn Prozent in einem Jahr --------------------------------------------- http://derstandard.at/2000051841631 *** We see you, ransomware flingers, testing out your baddest stuff on... Germany? *** --------------------------------------------- Securobods file data hostage report A security firm has floated the theory that malware authors are using German firms as a testing ground for their wares prior to wider distribution. --------------------------------------------- www.theregister.co.uk/2017/01/31/ransomware_sitrep_report/ *** Google zahlte letztes Jahr drei Millionen Dollar an Sicherheitsforscher *** --------------------------------------------- Mehr als je zuvor im Bug-Bounty-Programm – Je Fast eine Million für Android- und Chrome-Bugs --------------------------------------------- http://derstandard.at/2000051858649 *** Sicherheitsupdate: Angreifer könnten Sophos Web Appliance über Kommandozeile entern *** --------------------------------------------- Wer sein Netzwerk mit der Web Appliance von Sophos abschottet, sollte zügig prüfen, ob die aktuelle Software in Version 4.3.1 schon verfügbar ist. Diese Ausgabe schließt zwei Sicherheitslücken. --------------------------------------------- https://heise.de/-3612070 *** Sophisticated cyber attacks increase, while overall volume falls *** --------------------------------------------- NTT quarterly report highlights rise in sophistication but 35 per cent drop in overall attack volumes in Q4 2016 --------------------------------------------- https://www.htbridge.com/blog/sophisticated-cyber-attacks-increase-while-ov… *** Viele Lücken in tcpdump – Bedrohungen noch nicht in Gänze geklärt *** --------------------------------------------- Die aktuelle Version des Netzwerk-Sniffers rüstet sich gegen zahlreiche Schwachstellen, ist aber noch nicht überall verfügbar. --------------------------------------------- https://heise.de/-3612240 *** Tschechische Regierung meldet Hackerangriff auf E-Mail-Konten *** --------------------------------------------- Experten sollen Parallelen zu Hackerangriff auf Demokratische Partei in den USA vergangenes Jahr sehen --------------------------------------------- http://derstandard.at/2000051866541-406 *** Nested, Targeted Attacks Built for Reconnaissance *** --------------------------------------------- Researchers say NATO members were targeted for reconnaissance over the holidays by attacks using malicious OLE objects. --------------------------------------------- http://threatpost.com/nested-targeted-attacks-built-for-reconnaissance/1234… *** Usenix Enigma: Mit Sensorenmanipulation das Internet of Things verwirren *** --------------------------------------------- Autonome Systeme verlassen sich auf Sensoren, um ihre Umwelt zu verstehen. Ein Wissenschaftler hat auf der Sicherheitskonferenz Usenix Enigma demonstriert, wie sich .. --------------------------------------------- http://www.golem.de/news/usenix-enigma-mit-sensorenmanipulation-das-interne…

1 0

Tageszusammenfassung - Montag 30-01-2017
by Daily end-of-shift report 30 Jan '17

30 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 27-01-2017 18:00 − Montag 30-01-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Dridex Returns With Windows UAC Bypass Method *** --------------------------------------------- Dridex banking malware returns with a new bypass technique that allows the malware to execute without triggering a Windows UAC alert to the user. --------------------------------------------- http://threatpost.com/dridex-returns-with-windows-uac-bypass-method/123420/ *** What Keeps My Honeypot Busy These Days, (Fri, Jan 27th) *** --------------------------------------------- Sometimes, it isnt the new and sophisticated attacks that keep your honeypots (and with that: you) busy, but things that make you go that works?. Looking over my honeypot today, I had a couple experiences like this. First of all, the old TR-064 NTP Server exploit that became big news when the Mirai botnet adopted it. Since then, most of the servers that hosted the follow-up code no longer deliver. But this doesnt prevent thousands of existing bots to persistently attempt the exploit. In... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21995&rss *** ATM "Shimmers" Target Chip-Based Cards *** --------------------------------------------- Several readers have called attention to warnings coming out of Canada about a supposed new form of ATM skimming called "shimming." Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Heres a brief primer on shimming attacks, and why they succeed. --------------------------------------------- https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/ *** Request for Packets and Logs - TCP 5358, (Sat, Jan 28th) *** --------------------------------------------- pStarting Sunday (22 Jan 17), there was a huge spike this week against TCP 5358. If anyone has logs or packets (traffic) that might help identify what it is can submit them via our a href="https://isc.sans.edu/contact.html"contact/a page would be appreciated. This is a snapshot as to what was reported so far this week in DShield./p p width:500px" //p p[1] https://isc.sans.edu/contact.html/p p-----------br / Guy Bruneau a href="http://www.ipss.ca/"IPSS Inc./abr / --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21997&rss *** Adblock Plus: Staatsanwaltschaft durchsucht Werbeblocker-Anbieter Eyeo *** --------------------------------------------- Der Kölner Adblocker-Anbieter Eyeo hat nun auch Ärger mit der Justiz. Hintergrund dürfte der Streit über die Frage sein, wer für die Erstellung von Filterregeln in der Easylist verantwortlich ist. --------------------------------------------- http://www.golem.de/news/adblock-plus-staatsanwaltschaft-durchsucht-werbebl… *** XSender: The Source of All the Recent XMPP Spam *** --------------------------------------------- In recent months, security researchers, hackers, and other dwellers of the cyber-criminal underground have noticed an uptick in XMPP (formerly Jabber) spam. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/xsender-the-source-of-all-th… *** Facebook: Sicheres Einloggen per USB-Stick *** --------------------------------------------- Die Zwei-Faktor-Authentifizierung bei Facebook kann nun auch per Fido-USB-Sticks oder NFC-Tags erfolgen. --------------------------------------------- https://futurezone.at/digital-life/facebook-sicheres-einloggen-per-usb-stic… *** A Shakeup in Russia's Top Cybercrime Unit *** --------------------------------------------- A chief criticism I heard from readers of my book, Spam Nation: The Inside Story of Organized Cybercrime, was that it dealt primarily with petty crooks involved in petty crimes, while ignoring more substantive security issues like government surveillance and cyber war. But now it appears that the chief antagonist of Spam Nation is at the dead center of an international scandal involving the hacking of U.S. state electoral boards in Arizona and Illinois, the sacking of Russias top cybercrime... --------------------------------------------- https://krebsonsecurity.com/2017/01/a-shakeup-in-russias-top-cybercrime-uni… *** Überwachungskameras von Washington DC mit Ransomware infiziert *** --------------------------------------------- Nur acht Tage vor Trumps Angelobung wurde das Netzwerk der Überwachungskameras in der US-Hauptstadt angegriffen und teilweise lahmgelegt. --------------------------------------------- https://futurezone.at/digital-life/ueberwachungskameras-von-washington-dc-m… *** Google auf dem Weg zur unabhängigen Root-CA *** --------------------------------------------- Künftig will das Unternehmen über den Google Trust Service eigene SSL-/TLS-Zertifikate ausstellen. Diese sollen bei Google-Diensten und Angeboten des Google-Mutterkonzerns Alphabet zum Einsatz kommen. --------------------------------------------- https://heise.de/-3610041 *** Averting ransomware epidemics in corporate networks with Windows Defender ATP *** --------------------------------------------- Microsoft security researchers continue to observe ransomware campaigns blanketing the market and indiscriminately hitting potential targets. Unsurprisingly, these campaigns also continue to use email and the web as primary delivery mechanisms. Also, it appears that most corporate victims are simply caught by the wide nets cast by ransomware operators. Unlike cyberespionage groups, ransomware operators do... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epi… *** Kritische Lücke in WebEx: Cisco stellt offensichtlich finale Sicherheitsupdates bereit *** --------------------------------------------- Nach mehreren vermeintlich abgesicherten Version von WebEx hat Cisco nun eigenen Angaben zufolge vollwertige Sicherheitsupdates veröffentlicht. Einige Unklarheiten bleiben aber. --------------------------------------------- https://heise.de/-3610749 *** [2017-01-30] XSS and CSRF vulnerabiliies in multiple Ubiquiti Networks products *** --------------------------------------------- Many products of Ubiquiti Networks are affected by a cross site scripting vulnerability. Malicious JavaScript code can be executed in the browser of the user. Furthermore, different actions on the system can be triggered by CSRF attacks. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** 4010983 - Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service - Version: 1.0 *** --------------------------------------------- Microsoft is aware of a security vulnerability in the public version of ASP.NET Core MVC 1.1.0 where a malformed HTTP request could lead to a denial of service. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/4010983 *** Cryptkeeper Sets the same password "p" for everything independently of user input *** --------------------------------------------- https://www.reddit.com/r/netsec/comments/5r16na/cryptkeeper_sets_the_same_p… *** DSA-3775 tcpdump - security update *** --------------------------------------------- Multiple vulnerabilities have been discovered in tcpdump, a command-linenetwork traffic analyzer. These vulnerabilities might result in denialof service or the execution of arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3775 *** TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities *** --------------------------------------------- The administration interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed via the redirect_url GET parameter is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted... --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php *** Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF *** --------------------------------------------- SonicWALL SMA suffers from a XSS issue due to a failure to properly sanitize user-supplied input to several parameters. Attackers can exploit this weakness to execute arbitrary HTML and script code in a users browser session. The WAF was bypassed via form-based CSRF. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5392.php *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Samba affect IBM Spectrum Scale SMB protocol access method (CVE-2016-2126, 2016-2125) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009714 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in SSL affects IBM DataPower Gateways (CVE-2016-8610) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997209 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=swg21997764 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 27-01-2017
by Daily end-of-shift report 27 Jan '17

27 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 26-01-2017 18:00 − Freitag 27-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Zbot with legitimate applications on board *** --------------------------------------------- Recently, among the payloads delivered by exploit kits, we often find Terdot.A/Zloader - a downloader installing on the victim machine a ZeuS-based malware. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-appli… *** Phishers unleash simple but effective social engineering techniques using PDF attachments *** --------------------------------------------- The Gmail phishing attack is reportedly so effective that it tricks even technical users, but it may be just the tip of the iceberg. We're seeing similarly simple but clever social engineering tactics using PDF attachments. These deceitful PDF attachments are being used in email phishing attacks that attempt to steal your email credentials. Apparently, the... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/01/26/phishers-unleash-simple… *** Hintergrund: So hacken Maschinen *** --------------------------------------------- Team Shellphish war einer der Teilnehmer der Cyber Grand Challenge der DARPA; jetzt beschreiben sie ihren Mechanical Phish und dessen Strategie. --------------------------------------------- https://heise.de/-3608169 *** Bezahlung oder Kontosperre: Nationalbank warnt vor Telefonbetrug *** --------------------------------------------- Unbekannte fälschen Telefonnummer von Bank und Anwalt, um Opfer unter Druck zu setzen --------------------------------------------- http://derstandard.at/2000051638010 *** Security for Privacy on Data Protection Day *** --------------------------------------------- On 28th January, ENISA joins 47 countries of the Council of Europe and the EU institutions, agencies and bodies, to celebrate the 11th annual European Data Protection Day. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/security-for-privacy-on-data-pr… *** Sicherheitsupdate: Entwickler von TigerVNC raten zur zügigen Aktualisierung *** --------------------------------------------- Durch das Ausnutzen einer Lücke könnten Angreifer im Zuge einer Virtual-Network-Computing Session Clients kapern. --------------------------------------------- https://heise.de/-3609051 *** Cisco starts patching critical flaw in WebEx browser extension *** --------------------------------------------- Cisco Systems has started to patch a critical vulnerability in its WebEx collaboration and conferencing browser extension that could allow attackers to remotely execute malicious code on computers.The company released a patched version of the extension -- 1.0.7 -- for Google Chrome on Thursday and is working on similar patches for the Internet Explorer and Mozilla Firefox versions.The vulnerability was found by Google security researcher Tavis Ormandy and stemmed from the fact that the WebEx... --------------------------------------------- http://www.cio.com/article/3162014/security/cisco-starts-patching-critical-… *** Heartbleed: (Almost) three years later *** --------------------------------------------- Shodan recently published a report on the state of Heartbleed which was picked up by lots of media outlets. I took this as an opportunity to have a look at our statistics. Shodan performs its scan based on IP-addresses and makes the results searchable. CERT.at also runs daily scans, but these are based on the list of domains under the Austrian ccTLD .at. We published a first report on these results in the summer of 2014. Were close to the three... --------------------------------------------- http://www.cert.at/services/blog/20170127160051-1894_en.html *** Security Advisory: OpenSSH vulnerability CVE-2016-10011 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/24/sol24324390.html?… *** IDM 4.5 Midrange BiDirectional Driver 201611271513 *** --------------------------------------------- Abstract: Identity Manager Midrange: IBM i (i5/OS and OS/400) driver patch for the Identity Manager versions 4.5 or higher. Driver version will show i5os Driver Version 4.5 Build Date 201611271513.To see the version run I5OSDRV/I5OSDRV OPTION(*VERSION)This patch also requires the driver activation from IDM 4.5Document ID: 5271130Security Alert: YesDistribution Type: Field Test FileEntitlement Required: NoFiles:idm45midrange20161127.tar.gz (47.54 MB)Products:Identity Manager 4.0.2Identity... --------------------------------------------- https://download.novell.com/Download?buildid=lY8lK_WKOeQ~ *** Bugtraq: ESA-2016-167: EMC Documentum D2 Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/540060 *** Vuln: EMC PowerPath Virtual (Management) Appliance CVE-2016-0890 Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95832 *** Eaton ePDU Path Traversal Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a path traversal vulnerability in certain legacy Eaton ePDUs. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-026-01 *** Belden Hirschmann GECKO *** --------------------------------------------- This advisory contains mitigation details for a path traversal vulnerability in Beldens Hirschmann GECKO switch. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-026-02 *** RSA Web Threat Detection Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1037726 *** Vuln: Terminal Services Agent CVE-2017-5328 Spoofing Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95823 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) and Rational Directory Administrator (CVE-2016-5554, CVE-2016-5542) *** http://www.ibm.com/support/docview.wss?uid=swg21994101 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM BladeCenter Networking Switch products (CVE-2016-2183) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099533 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Flex System Networking Switch products (CVE-2016-2183) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099505 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM System Networking RackSwitch products (CVE-2016-2183) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099506 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 26-01-2017
by Daily end-of-shift report 26 Jan '17

26 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 25-01-2017 18:00 − Donnerstag 26-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** VirLocker's comeback; including recovery instructions *** --------------------------------------------- Virlocker is back, the nightmare is still real. But we have found a way to at least recover your important files even if the affected machine can be considered a loss.Categories: Malware Threat analysisTags: file infectingfile recoverymalwarepolymorphicransomwareself propagatingVirLockVirlocker(Read more...) --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/01/virlockers-comeback-i… *** Cisco WebEx code execution hole - what you need to know *** --------------------------------------------- Googles Project Zero found a serious hole in Ciscos WebEx browser extension that is nearly but not yet fully fixed. Heres what to do. --------------------------------------------- http://feedproxy.google.com/~r/nakedsecurity/~3/XBY4vnKgI4U/ *** Powerful Android RAT impersonates Netflix app *** --------------------------------------------- Mobile malware peddlers often make their malicious wares look like popular Android apps and push them to users through third-party app stores. The latest example of this is the fake Netflix app spotted by Zscaler researchers. The fake app looks genuine at first glance, as it sports the same icon the actual legitimate Netflix app uses. But once it is installed on a smartphone or tablet and the victim clicks on it, it vanishes from... --------------------------------------------- https://www.helpnetsecurity.com/2017/01/26/android-rat-netflix-app/ *** Android VPN Apps Caught Intercepting Traffic, Failing to Encrypt *** --------------------------------------------- New research released this week reveals that a large chunk of today Android VPN clients are a serious security and privacy risk, with some clients failing to encrypt traffic, and some even injecting ads in a customers browsing experience. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-vpn-apps-caught-inte… *** Shamoon disk-wiping attackers can now destroy virtual desktops, too *** --------------------------------------------- Mystery malware begins targeting a key disk-wiping defense. --------------------------------------------- https://arstechnica.com/security/2017/01/shamoon-disk-wiping-malware-can-no… *** Analysis of new Shamoon infections *** --------------------------------------------- All of the initial analysis pointed to Shamoon emerging in the Middle East. This however was not the end of the story since the campaign continues to target organizations in the Middle East from a variety of verticals. Indeed reports suggested that a further 15 Shamoon incidents had been reported from public to private sector. --------------------------------------------- https://www.helpnetsecurity.com/2017/01/26/shamoon-infections/ *** Gefälschte A1-Phishingmail: Neue Messaging-Plattform *** --------------------------------------------- Kriminelle versenden eine gefälschte A1 Online-Nachricht. Sie hat das Betreff "Maßnahme erforderlich: Neue Messaging-Plattform" und fordert von Empfänger/innen, dass sie ihre Zugangsdaten auf einer Website bekannt geben. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-a1-phishingmail-neue… *** OpenSSL Security Advisory [26 Jan 2017] *** --------------------------------------------- Truncated packet could crash via OOB read (CVE-2017-3731) Bad (EC)DHE parameters cause a client crash (CVE-2017-3730) BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) Montgomery multiplication may produce incorrect results (CVE-2016-7055) Support for version 1.0.1 ended on 31st December 2016. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates. --------------------------------------------- https://www.openssl.org/news/secadv/20170126.txt *** DFN-CERT-2017-0154: Red Hat JBoss Core Services: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0154/ *** IETF IPv6 Protocol CVE-2016-10142 Denial of Service Vulnerability *** --------------------------------------------- CVE-2016-10142 kernel - IPV6 fragmentation flaw https://bugzilla.redhat.com/show_bug.cgi?id=1415908 --------------------------------------------- Generation of IPv6 Atomic Fragments Considered Harmful https://tools.ietf.org/html/rfc8021 --------------------------------------------- http://www.securityfocus.com/bid/95797/ *** Security Advisory: TMM vulnerability CVE-2016-9249 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71282001.html?… *** Bugtraq: ESA-2016-166: EMC Isilon OneFS Privilege Escalation Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/540050 *** Vuln: Multiple TIBCO Products CVE-2017-3180 Multiple Unspecified Cross-Site Scripting Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/95699 *** Vuln: Autodesk FBX-SDK CVE-2016-9307 Multiple Buffer Overflow Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/95802 *** Vuln: Autodesk FBX-SDK CVE-2016-9304 Multiple Buffer Overflow Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/95799 *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple IBM Websphere Application Server (WAS) vulnerabilities (CVE-2016-3092, CVE-2016-5986, CVE-2016-5983 ) *** --------------------------------------------- Multiple vulnerabilities have been identified in the IBM Websphere Application Server (WAS) that is embedded in IBM FSM. This update addresses these issues. CVE(s): CVE-2016-3092, CVE-2016-5986, CVE-2016-5983 Affected product(s) and affected version(s): Flex System Manager 1.3.4.0 Flex System Manager 1.3.3.0 Flex System Manager 1.3.2.1 Flex System Manager 1.3.2.0 Refer to the following reference URLs for... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1024555 *** IBM Security Bulletin: IBM Forms Experience Builder could be susceptible to Apache POI Vulnerabilities *** --------------------------------------------- IBM Forms Experience Builder could be susceptible to allowing for a denial of service, cause by an error in Apache POI Libraries CVE(s): CVE-2014-3574, CVE-2014-3529, CVE-2016-5000 Affected product(s) and affected version(s): IBM Forms Experience Builder 8.5 IBM Forms Experience Builder 8.5.1 IBM Forms Experience Builder 8.6 Refer to the following reference URLs for remediation and... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21997296 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) *** --------------------------------------------- There are multiple vulnerabilities in IBM Runtime Environment Java Version 1.5 and 1.7 that is used by FSM. These issues were disclosed as part of the IBM Java SDK updates in January and April 2016. This Bulletin addresses these vulnerabilities. CVE(s): CVE-2015-7575, CVE-2016-0448, CVE-2016-0475, CVE-2016-3427, CVE-2016-3449, CVE-2016-3422, CVE-2016-0264, CVE-2016-3426 Affected product(s) and affected version(s): Flex... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1024558

1 0

Tageszusammenfassung - Mittwoch 25-01-2017
by Daily end-of-shift report 25 Jan '17

25 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 24-01-2017 18:00 − Mittwoch 25-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Kritische Sicherheitslücke in der Webshop-Software Shopware *** --------------------------------------------- Die vor allem in Deutschland beliebte Software aus Schöppingen hat eine Schwachstelle, über die Angreifer beliebigen Schadcode ausführen können. --------------------------------------------- https://heise.de/-3606627 *** VB2016 paper: Great crypto failures *** --------------------------------------------- Crypto is hard, and malware authors often make mistakes. At VB2016, Check Point researchers Yaniv Balmas and Ben Herzog discussed the whys and hows of some of the crypto blunders made by malware authors. Today, we publish their paper and the recording of their presentation. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/01/vb2016-paper-great-crypto-fa… *** Call for Papers: VB2017 *** --------------------------------------------- We have opened the Call for Papers for VB2017. We are particularly interested in receiving submissions from those working outside the security industry itself. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/01/call-papers-vb2017/ *** Malicious SVG Files in the Wild, (Tue, Jan 24th) *** --------------------------------------------- In November 2016, the Facebook messenger application was used to deliver malicious SVG files to people [1]. SVG files (or Scalable Vector Graphics) are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature sets and IE10 extended the support by adding SVG 1.1 support. In the Microsoft Windows operating system,SVG files are handled by Internet Explorer by default. From a file format point... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21971&rss *** Sicherheitspatch: Western Digital My Cloud Mirror empfänglich für Schadcode *** --------------------------------------------- Besitzer des Netzwerkspeichers sollten aus Sicherheitsgründen prüfen, dass sie die aktuelle Firmware installiert haben. --------------------------------------------- https://heise.de/-3606909 *** Trojan Transforms Linux Devices into Proxies for Malicious Traffic *** --------------------------------------------- Security researchers have uncovered a new trojan that targets Linux devices that is capable of transforming infected machines into proxy servers and relay malicious traffic, hiding the true origin of attacks or other nefarious activities. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/trojan-transforms-linux-devi… *** Capturing Pattern-Lock Authentication *** --------------------------------------------- Interesting research -- "Cracking Android Pattern Lock in Five Attempts": Abstract: Pattern lock is widely used as a mechanism for authentication and authorization on Android devices. In this paper, we demonstrate a novel video-based attack to reconstruct Android lock patterns from video footage filmed u sing a mobile phone camera. Unlike prior attacks on pattern lock, our approach does not require the video to capture any content displayed on the screen. Instead, we employ a computer... --------------------------------------------- https://www.schneier.com/blog/archives/2017/01/capturing_patte.html *** Wartungsarbeiten Dienstag, 31. 1. 2017 *** --------------------------------------------- http://www.cert.at/services/blog/20170125134029-1890.html *** Detecting threat actors in recent German industrial attacks with Windows Defender ATP *** --------------------------------------------- When a Germany-based industrial conglomerate disclosed in December 2016 that it was breached early that year, the breach was revealed to be a professionally run industrial espionage attack. According to the German press, the intruders used the Winnti family of malware as their main implant, giving them persistent access to the conglomerate's network as early... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors… *** Lücke in Samsung-Handys: Endlos-Bootschleife durch Killer-SMS *** --------------------------------------------- Samsung hat eine Lücke in älteren Geräten gestopft, die missbraucht werden kann, diese in eine Bootschleife zu versetzen und Angreifern wahrscheinlich auch die Möglichkeit gibt, Schadcode auszuführen. Geräte anderer Hersteller sind wohl noch verwundbar. --------------------------------------------- https://heise.de/-3607266 *** DFN-CERT-2017-0142: Mozilla Firefox, Firefox ESR, Tor Browser: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0142/ *** IDM 4.5 SAP User Driver Version 4.0.1.0 *** --------------------------------------------- Abstract: Patch update for the NetIQ Identity Manager SAP User Manager driver with the SAP JCO version 3. This patch will take the driver version to 4.0.1.0. You must have IDM 4.5 or later to use this driver. You should only use this patch if you are using SAP JCO3. It will not work with SAP JCO2. NetIQ recommends that users of SAP JCO2 transition to SAP JCO3 and use the IDM SAP User Manager driver for JCO3. Future versions of IDM do not support SAP JCO2.Document ID: 5269090Security Alert:... --------------------------------------------- https://download.novell.com/Download?buildid=juq3iF7EF5o~ *** Citrix Provisioning Services Multiple Security Updates *** --------------------------------------------- https://support.citrix.com/article/CTX219580 *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- https://support.citrix.com/article/CTX220112 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Security Vulnerability affecting FileNet Content Manager and IBM Content Foundation (CVE-2013-5462) *** http://www.ibm.com/support/docview.wss?uid=swg21994241 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Content Collector for SAP Applications (CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996483 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Enterprise Content Management System Monitor *** http://www-01.ibm.com/support/docview.wss?uid=swg21997196 --------------------------------------------- *** Huawei Security Advisories *** --------------------------------------------- *** Security Advisory - Authentication Bypass Vulnerability in the Find Phone Function of some Huawei Smart Phones *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170125-… --------------------------------------------- *** Security Advisory - Two Security Vulnerabilities in Huawei EMUI *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170125-… --------------------------------------------- *** Security Advisory - Improper Permission Control Vulnerability in Huawei Vmall Alert Service *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170125-… --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Adaptive Security Appliance CX Context-Aware Security Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco TelePresence Multipoint Control Unit Remote Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Expressway Series and TelePresence VCS Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco WebEx Browser Extension Remote Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** HP Security Bulletins *** --------------------------------------------- *** Bugtraq: [security bulletin] HPSBGN03690 rev.1 - HPE Real User Monitor (RUM), Remote Disclosure of Information *** http://www.securityfocus.com/archive/1/540044 --------------------------------------------- *** Bugtraq: [security bulletin] HPSBST03642 rev.3 - HPE StoreVirtual Products running LeftHand OS using OpenSSL and OpenSSH, Remote Arbitrary Code Execution, Denial of Service (DoS), Disclosure of Sensitive Information, Unauthorized Access *** http://www.securityfocus.com/archive/1/540048 --------------------------------------------- *** Bugtraq: [security bulletin] HPSBHF03695 rev.1 - HPE Ethernet Adaptors, Remote Denial of Service (DoS) *** http://www.securityfocus.com/archive/1/540047 --------------------------------------------- *** Bugtraq: [security bulletin] HPSBHF03441 rev.2 - HPE iLO 3, iLO 4 and iLO 4 mRCA, Remote Multiple Vulnerabilities *** http://www.securityfocus.com/archive/1/540046 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 24-01-2017
by Daily end-of-shift report 24 Jan '17

24 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 23-01-2017 18:00 − Dienstag 24-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Java: Das Ende von MD5 und SHA-1 naht *** --------------------------------------------- Oracle hat angekündigt, dass mit seinem nächsten Quartalsupdate MD5 für die Signatur von JAR-Paketen ausgemustert wird. Ebenso soll das JDK nur noch in Ausnahmen SHA-1-Zertifikate anerkennen. --------------------------------------------- https://heise.de/-3606356 *** Elga ist laut Experten leicht zu hacken *** --------------------------------------------- Personal braucht für Zugriff nur ein Passwort. Das sei zu wenig, warnt ein Fachmann. --------------------------------------------- https://kurier.at/chronik%2Foesterreich/elga-ist-laut-experten-leicht-zu-ha… *** Sicherheitsupdate: Apple patcht Root-Exploits für fast alle Plattformen *** --------------------------------------------- Apple hat umfangreiche Sicherheitsupdates für alle Plattformen herausgegeben. Ein Root-Exploit im Kernel betrifft zahlreiche Geräte, darüber hinaus gibt es viele Fehler in Webkit und in verschiedenen Bibliotheken. --------------------------------------------- http://www.golem.de/news/sicherheitsupdate-apple-patcht-root-exploits-fuer-… *** Charger mobile ransomware steals contacts and SMS messages *** --------------------------------------------- Check Point's mobile security researchers have discovered a new ransomware in Google Play, dubbed Charger. Charger was found embedded in an app called EnergyRescue. The infected app steals contacts and SMS messages from the user's device and asks for admin permissions. If granted, the ransomware locks the device and displays a message demanding payment. Researchers detected and quarantined the Android device of an unsuspecting customer employee who had unknowingly downloaded and... --------------------------------------------- https://www.helpnetsecurity.com/2017/01/24/charger-mobile-ransomware/ *** Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution *** --------------------------------------------- TL;DR: A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target users system. --------------------------------------------- https://bugs.chromium.org/p/project-zero/issues/detail?id=1096 *** Microsoft Reveals Windows Defender Security Center Scheduled for Creators Update *** --------------------------------------------- The Windows 10 Creators Update scheduled for launch later this year will include an upgrade of the default Windows Defender antivirus, which will feature a new settings panel named the Windows Defender Security Center. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-reveals-windows-d… *** Furby Rickroll demo: what fresh hell is this? *** --------------------------------------------- Toy-makers, please quit this rubbish, youre NO GOOD at security Heres your future botnet, world: connected kids toys that will Rickroll their owners while hosing big servers and guessing the nuclear codes. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/01/24/furby_rickr… *** HummingBad Android Malware Found in 20 Google Play Store Apps *** --------------------------------------------- HummingBad, an Android malware estimated to have touched over 85 million devices worldwide, was recently found in 46 new applications, 20 of which had even made their way into the official Play Store, passing Googles security checks. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/hummingbad-android-malware-f… *** Advice to a New SCADA Engineer *** --------------------------------------------- Target Audience As I have come in contact with those new to industrial control systems - whether they be supervisor control and data acquisition (SCADA) systems, building automation, process automation, or what not - I have come to the conclusion that whether the individual is trade school educated or college educated, they are not prepared... --------------------------------------------- http://resources.infosecinstitute.com/advice-to-a-new-scada-engineer/ *** How to Have Fun With IPv6 Fragments and Scapy, (Mon, Jan 23rd) *** --------------------------------------------- I may extend this with a second entry later this week. But as so often, I found myself on a long flight with some time on my hands, and since the IETF just released a new RFC regarding IPv6 atomic fragments, I figured I will play a bit with scapy to kill time. [1] And well, this also makes good material for my IPv6 class [2]. This is supposed to entice you to play and experiment. Let me know if you find anything neat. Fragmentation is a necessary evil of packet networking. Packets will... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21963&rss *** Gefälschte A1 Online-Rechnung verbirgt Schadsoftware *** --------------------------------------------- Kriminelle versenden eine gefälschte A1 Online-Rechnung. Darin nennen sie ein hohes Verbindungsentgelt und das verbrauchte Datenvolumen. Der Nachricht ist die Datei "rechnung_1.zip" beigefügt. Sie verbirgt Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-onl… *** Ein Jahr alte Root-Schwachstelle in Systemd aufgetaucht *** --------------------------------------------- Die Entwickler des Init-Systems Systemd haben im vergangenen Jahr eine Lücke geschlossen, über die ein Angreifer Root-Rechte erlangen kann. Allerdings wurde diese Lücke zuerst unterschätzt und blieb unbeachtet. --------------------------------------------- https://heise.de/-3606599 *** Vuln: LibTIFF CVE-2017-5563 Heap Based Buffer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95705 *** EMC Avamar Data Store and Avamar Virtual Edition File Ownership Error Lets Local Users Obtain Root Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1037667 *** RSA Security Analytics Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1037666 *** DFN-CERT-2017-0137: Apache Software Foundation Tomcat: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0137/ *** Security Advisory 2017-01: Security Update for OTRS Business Solution *** --------------------------------------------- January 24, 2017 - Please read carefully and check if the version of your OTRS system is affected by this vulnerability. --------------------------------------------- https://www.otrs.com/security-advisory-2017-01-security-update-otrs-busines… *** DFN-CERT-2017-0136: phpMyAdmin: Mehrere Schwachstellen ermöglichen u.a. eine Privilegieneskalation *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0136/ *** Forthcoming OpenSSL releases *** --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2k, 1.1.0d. These releases will be made available on 26th January 2017 between approximately 1300-1700 UTC. They will fix several security defects with maximum severity "moderate". --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2017-January/000091.html *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: OpenSSH vulnerability CVE-2016-10009 *** https://support.f5.com:443/kb/en-us/solutions/public/k/31/sol31440025.html?… --------------------------------------------- *** Security Advisory: OpenSSH vulnerability CVE-2016-10010 *** https://support.f5.com:443/kb/en-us/solutions/public/k/64/sol64292204.html?… --------------------------------------------- *** Security Advisory: PHPMailer vulnerability CVE-2016-10033 *** https://support.f5.com:443/kb/en-us/solutions/public/k/74/sol74977440.html?… --------------------------------------------- *** Apple Security Updates *** --------------------------------------------- *** macOS Sierra 10.12.3 *** https://support.apple.com/kb/HT207483 --------------------------------------------- *** iOS 10.2.1 *** https://support.apple.com/kb/HT207482 --------------------------------------------- *** tvOS 10.1.1 *** https://support.apple.com/kb/HT207485 --------------------------------------------- *** watchOS 3.1.3 *** https://support.apple.com/kb/HT207487 --------------------------------------------- *** iCloud for Windows 6.1.1 *** https://support.apple.com/kb/HT207481 --------------------------------------------- *** Safari 10.0.3 *** https://support.apple.com/kb/HT207484 --------------------------------------------- *** iTunes 12.5.5 for Windows *** https://support.apple.com/kb/HT207486 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in sudo affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024766 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in expat affects PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024767 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Expat XML parser affects IBM Security Network Protection (CVE-2016-0718) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995440 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in GnuPG (gpg) affects PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024768 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Mozilla Network Security Services (NSS) affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024769 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in QEMU affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024770 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in nettle affects PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024771 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in postgresql affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024772 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024773 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024775 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 23-01-2017
by Daily end-of-shift report 23 Jan '17

23 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 20-01-2017 18:00 − Montag 23-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** PowerShell 5.1 for Windows 7 and later , (Fri, Jan 20th) *** --------------------------------------------- Microsoft has released Windows Management Framework 5.1 for windows 7 and later. WMF 5.1 upgrades Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 to the PowerShell, WMI, WinRM and SIL components that were released with Windows Server 2016 and Windows 10 Anniversary Edition.">">"> (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21957&rss *** Hotel zum vierten Mal von Hackern lahmgelegt *** --------------------------------------------- Das Seehotel Jägerwirt auf der Turracher Höhe ist bereits zum vierten Mal von Hackern heimgesucht und erpresst worden. Die elektronischen Zimmerschlüssel wurden lahmgelegt. Daher will man jetzt zu normalen Schlüsseln zurückkehren. --------------------------------------------- http://kaernten.orf.at/news/stories/2821290/ *** Stopping Malware With a Fake Virtual Machine *** --------------------------------------------- As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting fake virtual machine artefacts or fake analysis tools on a system... --------------------------------------------- https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtu… *** Wartungsarbeiten Dienstag, 24. 1. 2017 *** --------------------------------------------- Am Dienstag, 24. Jänner 2017, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen. Es gehen dabei keine Daten (zb Emails) verloren, die Bearbeitung kann sich allerdings verzögern. --------------------------------------------- http://www.cert.at/services/blog/20170120104523-1882.html *** The Week in Ransomware - January 20th 2017 - Satan RaaS, Spora, Locky, and More *** --------------------------------------------- This week we continue to see more ransomware being released as well as changes in the distribution of the larger ransomware infections. For example, Locky has had a very low distribution lately since the holidays, but according to the Cisco Talos Group, it is starting to pick up again. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-janua… *** Sage 2.0 Ransomware, (Sat, Jan 21st) *** --------------------------------------------- Introduction On Friday 2017-01-20, I checked on a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware Id never seen before called Sage. More specifically, it was Sage 2.0." /> Shown above: Its always fun to find ransomawre thats not Cerber or Locky. Sage is yet another family of ransomware in an already crowded field. It was noted on BleepingComputer forums back in December 2016 [1, 2], and Sage is apparently a variant of... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21959&rss *** Symantec schlampt erneut mit TLS-Zertifikaten *** --------------------------------------------- Offenbar haben mehrere von Symantec betriebene Certificate Authorities (CAs) unberechtigterweise über 100 TLS-Zertifikate ausgestellt. Das kann ein Auslesen des Datenverkehrs von HTTPS-geschützten Websites durch Dritte ermöglichen. --------------------------------------------- https://heise.de/-3604190 *** Android permissions and hypocrisy *** --------------------------------------------- I wrote a piece a few days ago about how the Meitu app asked for a bunch of permissions in ways that might concern people, but which were not actually any worse than many other apps. The fact that Android makes it so easy for apps to obtain data thats personally identifiable is of concern, but in the absence of another stable device identifier this is the sort of thing that capitalism is inherently going to end up making use of. Fundamentally, this is Googles problem to fix. --------------------------------------------- http://mjg59.dreamwidth.org/46403.html *** Researchers predict upsurge of Android banking malware *** --------------------------------------------- Android users, beware: source code and instructions for creating a potent Android banking Trojan have been leaked on a hacker forum, and researchers are expecting an onslaught of malware based on it. In fact, one has already been spotted. Masquerading as a variety of benign apps (e.g. Google Play) on third-party Android app markets, the Trojan - dubbed Android.BankBot.149.origin by Dr. Web researchers - is eminently capable. It can: Send and intercept text messages (including... --------------------------------------------- https://www.helpnetsecurity.com/2017/01/23/upsurge-android-banking-malware/ *** Massive Twitter Botnet Dormant Since 2013 *** --------------------------------------------- Researchers from the University College London have found a Twitter botnet of 350,000 bots that has been dormant since shortly after the accounts were registered. --------------------------------------------- http://threatpost.com/massive-twitter-botnet-dormant-since-2013/123246/ *** Heartbleed: OpenSSL hört nicht auf zu bluten *** --------------------------------------------- Eine Analyse der öffentlich im Internet erreichbaren Systeme zeigt, dass immer noch Hunderttausende für die OpenSSL-Lücke Heartbleed anfällig sind. Die bald drei Jahre alte Lücke findet sich demnach hauptsächlich in Mietservern der Cloud. --------------------------------------------- https://heise.de/-3605222 *** QNAP Storage Devices Firmware Update Flaw Lets Remote Users Access the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1037663 *** DSA-3769 libphp-swiftmailer - security update *** --------------------------------------------- Dawid Golunski from LegalHackers discovered that PHP Swift Mailer, amailing solution for PHP, did not correctly validate user input. Thisallowed a remote attacker to execute arbitrary code by passingspecially formatted email addresses in specific email headers. --------------------------------------------- https://www.debian.org/security/2017/dsa-3769 *** DSA-3770 mariadb-10.0 - security update *** --------------------------------------------- Several issues have been discovered in the MariaDB database server. Thevulnerabilities are addressed by upgrading MariaDB to the new upstreamversion 10.0.29. Please see the MariaDB 10.0 Release Notes for furtherdetails:... --------------------------------------------- https://www.debian.org/security/2017/dsa-3770 *** DFN-CERT-2017-0123: OpenJPEG: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0123/ *** Security Notice - Statement on Flanker Revealing Privilege Elevation Vulnerability in Huawei EMUI Keyguard Application *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170123-01-… *** Vuln: Red Hat JBoss Enterprise Application Platform CVE-2016-8627 Remote Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95698 *** Security Advisories Relating to Symantec Products - Norton Download Manager DLL Loading *** --------------------------------------------- Symantec has released an update to address a DLL loading vulnerability detected in the Norton Download Manager for affected products --------------------------------------------- https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s… *** Vuln: Brocade Network Advisor CVE-2016-8204 Directory Traversal Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95695 *** Vuln: Brocade Network Advisor CVE-2016-8205 Directory Traversal Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95694 *** Vuln: Brocade Network Advisor CVE-2016-8206 Directory Traversal Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95692 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction (CVE-2016-5597, CVE-2016-5542) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997219 --------------------------------------------- *** IBM Security Bulletin: IBM Forms Experience Builder could be susceptible to a server-side request forgery (CVE-2016-6001) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991280 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099501 --------------------------------------------- *** IBM Security Bulletin: HTTP Response Splitting in WebSphere Application Server affects IBM Virtualization Engine TS7700 (CVE-2016-0359) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009661 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 20-01-2017
by Daily end-of-shift report 20 Jan '17

20 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 19-01-2017 18:00 − Freitag 20-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Satan: A new ransomware-as-a-service *** --------------------------------------------- Ransomware as a Service (RaaS) has been growing steadily since it made its debut in 2015 with Tox. With the new Satan .. --------------------------------------------- https://www.webroot.com/blog/2017/01/19/satan-new-ransomware-service *** DSA-3767 mysql-5.5 - security update *** --------------------------------------------- Several issues have been discovered in the MySQL database server. Thevulnerabilities are addressed by .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3767 *** Unbreakable Locky ransomware is on the march again *** --------------------------------------------- Necrus botnet wakes up and starts fresh malware-cano Cisco is warning of possible return of a massive ransomware spam .. --------------------------------------------- www.theregister.co.uk/2017/01/20/locky_ransomware_horrorshow_returns/ *** Internetsicherheit 2016: Erpressungstrojaner boomen in Österreich *** --------------------------------------------- Unternehmen verstärkt im Visier von DDOS-Erpressern – Geheimdienste verstärkt tätig --------------------------------------------- http://derstandard.at/2000051229037 *** Angebliche Backdoor: Kryptographen kritisieren Whatsapp-Bericht des Guardian *** --------------------------------------------- Die Diskussion um die angebliche Backdoor in Whatsapp reißt nicht ab. Bekannte Sicherheitsforscher wie .. --------------------------------------------- http://www.golem.de/news/angebliche-backdoor-kryptographen-kritisieren-what… *** Social Engineering: Neue Angriffsmethode richtet sich gegen Firmen *** --------------------------------------------- In den letzten Tagen wurden der Melde- und Analysestelle Informationssicherung MELANI mehrere Fälle gemeldet, bei denen Betrüger Firmen anrufen, sich als .. --------------------------------------------- https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/social-… *** Achtung: Große Anzahl von Netgear-Routern lässt sich über Admin-Interface kapern *** --------------------------------------------- Gleich 30 Router-Modelle von Netgear enthalten eine Schwachstelle, die es Angreifern ermöglicht, die Admin-Passwörter der Geräte auszulesen und diese komplett zu übernehmen. Die Updates des Herstellers sollten umgehend eingespielt werden. --------------------------------------------- https://heise.de/-3603918 *** Wieder Ermittlungen gegen Skidata im Betriebsspionage-Verfahren *** --------------------------------------------- http://derstandard.at/2000051248975 *** ZDI-17-044: Apache Groovy MethodClosure Deserialization of Untrusted Data Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations .. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-044/ *** ZDI-17-045: Adobe Reader DC XSLT apply-templates Heap-based Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-045/ *** ZDI-17-053: Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-053/

1 0

Tageszusammenfassung - Donnerstag 19-01-2017
by Daily end-of-shift report 19 Jan '17

19 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 18-01-2017 18:00 − Donnerstag 19-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Who is Anna-Senpai, the Mirai Worm Author? *** --------------------------------------------- On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that .. --------------------------------------------- https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-autho… *** Docker Patches Container Escape Vulnerability *** --------------------------------------------- Docker has patched a privilege escalation vulnerability that could lead to container escapes, allowing a hacker to affect operations of a host from inside a container. --------------------------------------------- http://threatpost.com/docker-patches-container-escape-vulnerability/123161/ *** Database Ransom Attacks Hit CouchDB and Hadoop Servers *** --------------------------------------------- For the past week, unknown groups of cyber-criminals have taken control of and wiped data from CouchDB and Hadoop databases, in some cases asking for a ransom fee to return the .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/database-ransom-attacks-hit-… *** Adobes naughty Chrome telemetry code had XSS problem *** --------------------------------------------- Since patched, but a bad look for Adobe when it cant even get snoopware right Adobes pushed out a fix for its already-controversial Chrome telemetry extension after Project Zeros Tavis Ormandy found an .. --------------------------------------------- www.theregister.co.uk/2017/01/19/adobe_telemetry_patch_patched_against_xss/ *** Insecure Hadoop installs next in net scum crosshairs *** --------------------------------------------- Because MongoDB, Elasticsearch ransomware attacks are sooo last week Rinse-and-repeat ransomware attacks on data services left unsecured by dozy sysadmins are now hitting Hadoop instances. --------------------------------------------- www.theregister.co.uk/2017/01/19/insecure_hadoop_installs_under_attack/ *** Ex-Sysadmin fordert 200.000 Dollar für Nennung von Passwort *** --------------------------------------------- US-amerikanisches College wirft ehemaligem Mitarbeiter Erpressung vor --------------------------------------------- http://derstandard.at/2000050946919 *** Apple’s malware problem is accelerating *** --------------------------------------------- For a long time, one of the most common reasons for buying an Apple computer over a Windows-based one was that the former was less susceptible to viruses and other malware. However, the .. --------------------------------------------- https://www.helpnetsecurity.com/2017/01/19/apple-malware-problem-accelerati… *** Viren, Spam und Computerausfälle betreffen IT-Sicherheit bei KMU *** --------------------------------------------- Fehlendes Wissen und Angst vor Kosten wichtigste Gründe, warum Situation nicht verbessert wird --------------------------------------------- http://derstandard.at/2000051117771 *** DSA-3766 mapserver - security update *** --------------------------------------------- It was discovered that mapserver, a CGI-based framework for Internetmap services, was vulnerable to a stack-based overflow. This issueallowed a remote user to crash the service, or potentially execute arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3766 *** Google veröffentlicht Riesen-Patch-Paket für Android *** --------------------------------------------- 94 einzelne Lücken, 10 kritische Sicherheitsprobleme; Googles Android Security Bulletin für den Januar hat es in sich. --------------------------------------------- https://heise.de/-3603108 *** Forcepoint: Carbanak nutzt Google-Dienste für Malware-Hosting *** --------------------------------------------- Wer seine Malware auf einem Command-und-Control-Server hostet, läuft Gefahr, von Firewall-Regeln erkannt zu werden. Die Carbanak-Gruppe liefert Kommandos daher über Google-Docs aus. --------------------------------------------- http://www.golem.de/news/forcepoint-carbanak-nutzt-google-dienste-fuer-malw… *** Hackingvorwürfe: "Deutschland stellt Russland als Aggressor dar" *** --------------------------------------------- Russisches Außenamt beschwert sich über deutsche Vorgangsweise: "Keine Beweise vorgelegt" --------------------------------------------- http://derstandard.at/2000051188487 *** Samsung SmartCam-Kameras sind Freiwild für Botnetz-Betreiber *** --------------------------------------------- Forscher haben vor Jahren Lücken in der SmartCam SNH-1011 entdeckt, die von Samsung nur unzureichend geflickt wurden. Nun sind die IP-Kameras erneut angreifbar. --------------------------------------------- https://heise.de/-3603201

1 0

Tageszusammenfassung - Mittwoch 18-01-2017
by Daily end-of-shift report 18 Jan '17

18 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 17-01-2017 18:00 − Mittwoch 18-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Critical Patch Update - January 2017 *** --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html *** vBulletin Malware – When Hackers Compete for Backdoor Control *** --------------------------------------------- A common pattern we see in compromised websites is the presence of backdoors and other malicious code. During Q3 of 2016, we found that 72% of all compromises that we encountered had .. --------------------------------------------- https://blog.sucuri.net/2017/01/vbulletin-malware-hackers-compete-backdoor-… *** JSA10774 - 2017-01 Security Bulletin: Network and Security Manager (NSM): Multiple OpenSSH and other third party software vulnerabilities affect NSM Appliance OS. *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10774&actp=RSS *** Kill it with fire: US-CERT warns admins to dump Server Message Block *** --------------------------------------------- Shadow Brokers may have loosed a zero-day, so youre better safe than sorry The US computer emergency readiness team .. --------------------------------------------- www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shad… *** Do web injections exist for Android? *** --------------------------------------------- Man-in-the-Browser (MITB) attacks can be implemented using various means, including malicious DLLs, rogue .. --------------------------------------------- http://securelist.com/blog/research/77118/do-web-injections-exist-for-andro… *** In Review: 2016’s Mobile Threat Landscape Brings Diversity, Scale, and Scope *** --------------------------------------------- 65 million: the number of times we’ve blocked mobile threats in 2016. By December 2016, the total number of unique samples of malicious Android apps we’ve collected and .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/2016-mobile-thre… *** Last call to replace SHA-1 certificates *** --------------------------------------------- http://blog.sec-consult.com/2017/01/last-call-to-replace-sha-1-certificates… *** The Carbanak gang is with a new modus operandi, Google services as C&C *** --------------------------------------------- The infamous Carbanak cybercrime gang is back and is leveraging Google services for command-and-control of its malicious codes. The dreaded Carbanak cybercrime gang is back .. --------------------------------------------- http://securityaffairs.co/wordpress/55427/cyber-crime/carbanak-google-servi… *** Spora Ransomware Offers Victims Unique Payment Options *** --------------------------------------------- Researchers are keeping close tabs on a new ransomware strain called Spora that offers victims unique payment options. --------------------------------------------- http://threatpost.com/spora-ransomware-offers-victims-unique-payment-option… *** Kritische Lücken in Java & Co: Oracle wirft Riesen-Patchpaket ab *** --------------------------------------------- Das neueste Critical Patch Update von Oracle enthält unter anderem Sicherheitsupdates für Java, MySQL und VirtualBox. Wie immer gibt es Patches für fast alle Produkte des Herstellers. --------------------------------------------- https://heise.de/-3601613 *** Ancient Mac backdoor discovered that targets medical research firms *** --------------------------------------------- More secure than PC? Ha! Security researchers at Malwarebytes have discovered a Mac backdoor using antiquated code that targets biomedical research facilities.… --------------------------------------------- ww.theregister.co.uk/2017/01/18/mac_malware/ *** Uncovering the Inner Workings of EyePyramid *** --------------------------------------------- Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner…

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily January 2017