October 2017 - Daily

Tageszusammenfassung - 31.10.2017
by Daily end-of-shift report 31 Oct '17

31 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 30-10-2017 18:00 − Dienstag 31-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Flaws in Googles Bug Tracker Exposed Companys Vulnerability Database ∗∗∗ --------------------------------------------- A Romanian bug hunter has found three flaws in Googles official bug tracker, one of which could have been used to exposed sensitive vulnerabilities to unauthorized intruders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flaws-in-googles-bug-tracker… ∗∗∗ New VibWrite System Uses Finger Vibrations to Authenticate Users ∗∗∗ --------------------------------------------- Rutgers engineers have created a new type of user authentication system that relies on transmitting vibrations through a surface and having the user touch the surface to generate a unique signature. This signature is then used to approve or deny a user access to an app, room, or building. --------------------------------------------- https://www.bleepingcomputer.com/news/technology/new-vibwrite-system-uses-f… ∗∗∗ Tales from the blockchain ∗∗∗ --------------------------------------------- We will tell you two unusual success stories that happened on the "miner front". The first story echoes the TinyNuke event and, in many respects gives an idea of the situation with miners. The second one proves that to get crypto-currency, you don’t need to "burn" the processor. --------------------------------------------- http://securelist.com/tales-from-the-blockchain/82971/ ∗∗∗ Engineers at Work: Automatic Static Detection of Malicious JavaScript ∗∗∗ --------------------------------------------- Our engineers at work examine the automatic static detection of malicious JavaScript. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2017/10/engineers-work-automati… ∗∗∗ Say what? Another reCaptcha attack, now against audio challenges ∗∗∗ --------------------------------------------- unCaptcha is the sound of security crumbling Whatever Google has in mind to replace its reCaptcha had better be ready soon: another research group has found a way to defeat it. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/31/uncaptcha_r… ∗∗∗ Ebury and Mayhem server malware families still active ∗∗∗ --------------------------------------------- Ebury and Mayhem, two families of Linux server malware, about which VB published papers back in 2014, are still active and have received recent updates. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/10/ebury-and-mayhem-server-malw… ∗∗∗ [SANS ISC] Some Powershell Malicious Code ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.org: "Some Powershell Malicious Code". Powershell is a great language that can interact at a low-level with Microsoft Windows. While hunting, I found a nice piece of Powershell code. After some deeper checks, it appeared that the code was not brand new [...] --------------------------------------------- https://blog.rootshell.be/2017/10/31/sans-isc-powershell-malicious-code/ ∗∗∗ WordPress 4.8.3 Security Release ∗∗∗ --------------------------------------------- WordPress 4.8.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. --------------------------------------------- https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/ ∗∗∗ IoT-Botnetz ist wohl kleiner als angenommen ∗∗∗ --------------------------------------------- Aktuellen Analysen zufolge soll das Reaper-Botnetz mit 10.000 bis 20.000 IoT-Geräten wesentlich kleiner sein als zuvor angenommen. Der zugrunde liegende optimierte Mirai-Quellcode birgt aber viel Potenzial für erfolgreiche (DDoS-)Angriffe. --------------------------------------------- https://heise.de/-3876165 ∗∗∗ WhatsApp Messenger-Konto läuft nicht ab ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte WhatsApp-E-Mail. Darin behaupten sie, dass das Konto von Nutzer/innen ablaufe. Das Konto müssen Kund/innen für die weitere Verwendung des Programms verlängern. Dafür ist die Bekanntgabe von Kreditkartendaten notwendig. Wer der betrügerischen Aufforderung nachkommt, wird Opfer eines Datendiebstahls. --------------------------------------------- https://www.watchlist-internet.at/phishing/whatsapp-messenger-konto-laeuft-… ∗∗∗ Antimalware Day: Genesis of viruses… and computer defense techniques ∗∗∗ --------------------------------------------- To honor the work of Dr. Fred Cohen and Professor Len Adleman, and the foundation they laid for research of computer threats, we decided to declare November 3 as the first ever Antimalware Day. --------------------------------------------- https://www.welivesecurity.com/2017/10/31/antimalware-day-genesis-viruses/ ===================== = Vulnerabilities = ===================== ∗∗∗ ABB FOX515T ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an improper input validation vulnerability in ABBs FOX515T communication interface. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-304-01 ∗∗∗ Trihedral Engineering Limited VTScada ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper access control and uncontrolled search path element vulnerabilities in Trihedral Engineering Limiteds VTScada software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-304-02 ∗∗∗ NetIQ Access Manager 4.2 Support Pack 5 4.2.5.0-17 ∗∗∗ --------------------------------------------- Abstract: NetIQ Access Manager 4.2 Support Pack 5 build (version 4.2.5.0-17). This file contains updates for services contained in the NetIQ Access Manager 4.2 product. NetIQ recommends that all customers running Access Manager 4.2 release code apply this patch. The purpose of the patch is to provide a bundle of fixes for issues that have surfaced since NetIQ Access Manager 4.2 was released. These fixes include updates to the Access Gateway Appliance, Access Gateway Service, Identity Server, [...] --------------------------------------------- https://download.novell.com/Download?buildid=HcH_x-A_kgo~ ∗∗∗ Microsoft Windows 10 Creators Update 32-bit Ring-0 Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017100212 ∗∗∗ DSA-4011 quagga - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-4011 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ HPESBHF03788 rev.1 - Hewlett Packard Enterprise Intelligent Management Center flexFileUpload Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03788en_us ∗∗∗ RPC portmapper vulnerability CVE-1999-0632 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K62832776 ∗∗∗ Apache OpenOffice patches four vulnerabilities in 4.1.4 update ∗∗∗ --------------------------------------------- https://www.scmagazineuk.com/news/apache-openoffice-patches-four-vulnerabil… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2017
by Daily end-of-shift report 30 Oct '17

30 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-10-2017 18:00 − Montag 30-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Cybercrime-Report 2016: Zahl der Anzeigen 2016 fast um ein Drittel gestiegen ∗∗∗ --------------------------------------------- Das Bundeskriminalamt präsentierte am 30. Oktober 2017 den Cybercrime-Report 2016. Demnach ist die Zahl der Cybercrime-Anzeigen 2016 im Vergleich zum Jahr davor um fast ein Drittel gestiegen. --------------------------------------------- http://www.bmi.gv.at/news.aspx?id=5062565A4F35476A2B38453D ∗∗∗ Matrix Ransomware Being Distributed by the RIG Exploit Kit ∗∗∗ --------------------------------------------- The Matrix Ransomware has started to be distributed through the RIG exploit kit. This article will provide information on what vulnerabilities are being targeted and how to protect yourself. --------------------------------------------- https://www.bleepingcomputer.com/news/security/matrix-ransomware-being-dist… ∗∗∗ Firefox to Get a Better Password Manager ∗∗∗ --------------------------------------------- Mozilla engineers have started work on a project named Lockbox that they describe as "a work-in-progress extension [...] to improve upon Firefoxs built-in password management." --------------------------------------------- https://www.bleepingcomputer.com/news/software/firefox-to-get-a-better-pass… ∗∗∗ Pharmahersteller: Merck musste wegen NotPetya-Angriff Medikamente leihen ∗∗∗ --------------------------------------------- Auch das Pharmaunternehmen Merck Sharp und Dohme merkt den NotPetya-Angriff in seiner Bilanz: Rund 375 Millionen US-Dollar Ausfall gibt das Unternehmen durch die Ransomware an. Um den Betrieb trotz Produktionsausfällen aufrechtzuerhalten, hat sich die Firma sogar Medikamente bei den US-Behörden geliehen. --------------------------------------------- https://www.golem.de/news/pharmahersteller-merck-musste-wegen-notpetya-angr… ∗∗∗ Freie Linux-Firmware: Google will Server ohne Intel ME und UEFI ∗∗∗ --------------------------------------------- Nach dem Motto "Habt ihr Angst? Wir schon!" arbeitet ein Team von Googles Coreboot-Entwicklern mit Kollegen daran, Intels ME und das proprietäre UEFI auch in Servern unschädlich zu machen. Und das wohl mit Erfolg. --------------------------------------------- https://www.golem.de/news/freie-linux-firmware-google-will-server-ohne-inte… ∗∗∗ "Catch-All" Google Chrome Malicious Extension Steals All Posted Data, (Fri, Oct 27th) ∗∗∗ --------------------------------------------- It seems that malicious Google Chrome extensions are on the rise. A couple of months ago, I posted here about two of them which stole user credentials posted on banking websites and alike. Now, while analyzing a phishing e-mail, I went through a new malware with a slight different approach: instead of monitoring specific URLs and focusing .. --------------------------------------------- https://isc.sans.edu/diary/rss/22976 ∗∗∗ IOActive disclosed 2 critical flaws in global satellite telecommunications Inmarsat’s SATCOM systems ∗∗∗ --------------------------------------------- Flaws in Stratos Global AmosConnect 8 PC-based SATCOM service impact thousands of customers worldwide running the newest version of the platform that is used in vessels. Security researchers at IOActive have disclosed critical security vulnerabilities in the maritime Stratos Global’s AmosConnect 8.4.0 satellite-based shipboard communication .. --------------------------------------------- http://securityaffairs.co/wordpress/64902/breaking-news/satcom-amosconnect-… ∗∗∗ Hackers Can Steal Windows Login Credentials Without User Interaction ∗∗∗ --------------------------------------------- Microsoft has patched only recent versions Windows against a dangerous hack that could allow attackers to steal Windows NTLM password hashes without any user interaction. The hack is easy to carry out and doesn't involve advanced technical skills to pull off. All the attacker needs to do is to place a malicious SCF file inside publicly accessible Windows folders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-can-steal-windows-lo… ∗∗∗ McAfee stoppt Einblick in den Quellcode ∗∗∗ --------------------------------------------- Der amerikanische Antivirenspezialist gibt im Rahmen eines grundsätzlichen Strategiewechsels seit einiger Zeit fremden Regierungen keinen Zugang mehr zum Quellcode. --------------------------------------------- https://heise.de/-3875393 ∗∗∗ HTTPS-Verschlüsselung: Google verabschiedet sich vom Pinning ∗∗∗ --------------------------------------------- Das Festnageln von Zertifikaten sollte gegen Missbrauch schützen. In der Praxis wurde es jedoch selten eingesetzt. Zu kompliziert und zu fehlerträchtig lautet nun das Verdikt; demnächst soll die Unterstützung aus Chrome wieder entfernt werden. --------------------------------------------- https://heise.de/-3876078 ∗∗∗ Windigo Still not Windigone: An Ebury Update ∗∗∗ --------------------------------------------- In 2014, ESET researchers wrote a blog post about an OpenSSH backdoor and credential stealer called Linux/Ebury In 2017, the team found a new Ebury .. --------------------------------------------- https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4008 wget - security update ∗∗∗ --------------------------------------------- Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen discovered two buffer overflows in the HTTP protocol handler of the Wget download tool, which could result in the execution of arbitrary code when connecting to a malicious HTTP server. --------------------------------------------- https://www.debian.org/security/2017/dsa-4008 ∗∗∗ DSA-4010 git-annex - security update ∗∗∗ --------------------------------------------- It was discovered that git-annex, a tool to manage files with git without checking their contents in, did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command. --------------------------------------------- https://www.debian.org/security/2017/dsa-4010 ∗∗∗ Oracle Security Alert Advisory - CVE-2017-10151 ∗∗∗ --------------------------------------------- This Security Alert addresses CVE-2017-10151, a vulnerability affecting Oracle Identity Manager. This vulnerability has a CVSS v3 base score of 10.0, and can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack. The Patch Availability Document referenced below provides a full workaround for this vulnerability, and will be updated when patches in addition to the workaround are available. --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-40… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ F5 Security Advisories ∗∗∗ --------------------------------------------- https://support.f5.com/csp/new-updated-articles ∗∗∗ Security Advisory - Permission Control Vulnerability in Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171030-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.10.2017
by Daily end-of-shift report 27 Oct '17

27 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-10-2017 18:00 − Freitag 27-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Reaper IoT botnet aint so scary, contains fewer than 20,000 drones ∗∗∗ --------------------------------------------- But numbers arent everything, are they, Dyn? The Reaper IoT botnet is nowhere near as threatening as previously suggested, according to new research.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/27/reaper_iot_… ∗∗∗ A Bug in a Popular Maritime Platform Left Ships Exposed ∗∗∗ --------------------------------------------- The AmosConnect 8 web platform has vulnerabilities that could allow data to be exposed—underscoring deeper problems with maritime security. --------------------------------------------- https://www.wired.com/story/bug-in-popular-maritime-platform-isnt-getting-f… ∗∗∗ SANS Reading Room ∗∗∗ --------------------------------------------- The SANS Reading Room features over 2,730 original computer security white papers in 105 different categories. --------------------------------------------- https://www.sans.org/reading-room/ ∗∗∗ Sicherheitslücken in FortiOS mit hohem Angriffsrisiko ∗∗∗ --------------------------------------------- Im Betriebssystem FortiOS klaffen zwei Schwachstellen. Sicherheitsupdates reparieren das System. --------------------------------------------- https://heise.de/-3873331 ∗∗∗ The race to quantum supremacy and its cybersecurity impact ∗∗∗ --------------------------------------------- Quantum computing uses the power of atoms to perform memory and processing tasks and remains a theoretical concept. However, it is widely believed that its creation is possible. Most experts now agree that the creation of a quantum computer is simply a matter of engineering, and that the theoretical application will happen. Optimistic estimates for commercialization by the private sector vary between 5 and 15 years, while more conservative estimates by academics put it at [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/10/26/quantum-supremacy/ ∗∗∗ Please don’t buy this: smart locks ∗∗∗ --------------------------------------------- The announcement of Amazon Key, a smart lock paired with a security camera that lets couriers into your home, spawned our new series called "Please dont buy this." --------------------------------------------- https://blog.malwarebytes.com/security-world/2017/10/please-dont-buy-this-s… ∗∗∗ How to secure your router to prevent IoT threats? ∗∗∗ --------------------------------------------- The router is the first device that you must consider, since it not only controls the perimeter of your network, but all your traffic and information pass through it. --------------------------------------------- https://www.welivesecurity.com/2017/10/26/secure-your-router-prevent-iot-th… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II ∗∗∗ --------------------------------------------- On October 16th, 2017, a research paper with the title of "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" was made publicly available. This paper discusses seven vulnerabilities affecting session key negotiation in both the Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access II (WPA2) protocols. These vulnerabilities may allow the reinstallation of a pairwise transient key, a group key, or an integrity key on either a wireless client or a wireless access point. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ BlackBerry powered by Android Security Bulletin – October 2017 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ BlackBerry response to the impact of the vulnerabilities known as KRACK on BlackBerry products ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Korenix JetNet ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-299-01 ∗∗∗ Rockwell Automation Stratix 5100 ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-299-02 ∗∗∗ Bugtraq: October 2017 - Bamboo - Critical Security Advisory ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541424 ∗∗∗ DFN-CERT-2017-1898/">F-Secure KEY: Mehrere Schwachstellen ermöglichen das Ausspähen von Anmeldeinformationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1898/ ∗∗∗ DFN-CERT-2017-1904/">GNU Wget: Zwei Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes und Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1904/ ∗∗∗ DFN-CERT-2017-1905/">Node.js: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1905/ ∗∗∗ DFN-CERT-2017-1890/">PHP: Mehrere Schwachstellen ermöglichen u.a. einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1890/ ∗∗∗ F5 Security Advisories ∗∗∗ --------------------------------------------- https://support.f5.com/csp/new-updated-articles ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Notice - Statement on Multiple Security Vulnerabilities in WPA/WPA2 ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20171017-01-… ∗∗∗ Security Advisory - Permission Control Vulnerability in Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171027-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2017
by Daily end-of-shift report 25 Oct '17

25 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-10-2017 18:00 − Mittwoch 25-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Whois Maintainer Accidentally Makes Password Hashes Available For Download ∗∗∗ --------------------------------------------- Whois maintainer for Asia Pacific notifies customers of an error where hashed authentication details for were inadvertently available for download. --------------------------------------------- http://threatpost.com/whois-maintainer-accidentally-makes-password-hashes-a… ∗∗∗ Malvertising Campaign Redirects Browsers To Terror Exploit Kit ∗∗∗ --------------------------------------------- Hackers behind the Terror exploit kit ramp up distribution via a two-month long malvertising campaign. --------------------------------------------- http://threatpost.com/malvertising-campaign-redirects-browsers-to-terror-ex… ∗∗∗ #BadRabbit: Wohl immer mehr Ziele von neuem Kryptotrojaner getroffen ∗∗∗ --------------------------------------------- Die russische Nachrichtenagentur Interfax ist am Dienstag durch einen Hackerangriff lahmgelegt worden. Fast alle Server seien betroffen, sagte der stellvertretende Generaldirektor Alexej Gorschkow. Es sei unklar, wann das Problem behoben werden könne. --------------------------------------------- https://heise.de/-3870349 ∗∗∗ DUHK: Zufallszahlengenerator ermöglicht Abhör-Attacke auf zehntausende Geräte ∗∗∗ --------------------------------------------- Mehr als 25.000 übers Internet erreichbare Fortinet-Geräte sind anfällig für passive Lauschangriffe gegen verschlüsselte Verbindungen. Verantwortlich ist fehlender Zufall. --------------------------------------------- https://heise.de/-3872013 ∗∗∗ Secure remote browsing: A different approach to thwart ever-changing threats ∗∗∗ --------------------------------------------- A defense-in-depth strategy is essential to modern enterprises, and organizations must deepen their defenses as quickly as possible to fully protect themselves. One promising technology proposes to achieve this by removing web browsing activity from endpoints altogether, while still enabling users to seamlessly and securely interact with the web-based content they need in order to do their jobs. The key to this approach? Secure remote browsing. --------------------------------------------- https://www.helpnetsecurity.com/2017/10/25/secure-remote-browsing/ ∗∗∗ Dell Lost Control of Key Customer Support Domain for a Month in 2017 ∗∗∗ --------------------------------------------- A Web site set up by PC maker Dell Inc. to help customers recover from malicious software and other computer maladies may have been hijacked for a few weeks this summer by people who specialize in deploying said malware, KrebsOnSecurity has learned. There is a program installed on virtually all Dell computers called "Dell Backup and Recovery Application." Its designed to help customers restore their data and computers to their pristine, factory default state should a problem occur [...] --------------------------------------------- https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-suppo… ∗∗∗ Digital forensics: How to recover deleted files ∗∗∗ --------------------------------------------- What happens exactly when you delete a file, and how easy or hard is it to recover deleted files? Learn the differences between delete, erase, and overwrite according to digital forensics. --------------------------------------------- https://blog.malwarebytes.com/security-world/2017/10/digital-forensics-reco… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS DoS on webUI through params JSON parameter ∗∗∗ --------------------------------------------- An authenticated user may pass a specially crafted payload to the params parameter of the JSON web API (URLs with /json) , which can cause the web user interface to be temporarily unresponsive. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-206 ∗∗∗ FortiOS web GUI logindisclaimer redir parameter XSS vulnerability ∗∗∗ --------------------------------------------- A reflected XSS vulnerability exists in FortiOS web GUI "Login Disclaimer" redir parameter. It is potentially exploitable by a remote unauthenticated attacker, via sending a maliciously crafted URL to a victim who has an open session on the web GUI. Visiting that malicious URL may cause the execution of arbitrary javascript code in the security context of the victims browser. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-113 ∗∗∗ osTicket 1.10.1 Shell Upload ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017100187 ∗∗∗ DSA-4006 mupdf - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-4006 ∗∗∗ Huawei Security Advisories ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025973 ∗∗∗ IBM Security Bulletin: The BigFix Platform has vulnerabilities that have been addressed in patch releases ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009673 ∗∗∗ IBM Security Bulletin: Network Time Protocol (NTP) vulnerability in AIX which is used by IBM OS Images in IBM PureApplication Systems (CVE-2016-9310) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009301 ∗∗∗ IBM Security Bulletin: A vulnerability in the agent core framework affects IBM Performance Management products ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004193 ∗∗∗ XSA-236 ∗∗∗ --------------------------------------------- http://xenbits.xen.org/xsa/advisory-236.html Next End-of-Day report: 2017-10-27 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2017
by Daily end-of-shift report 24 Oct '17

24 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 23-10-2017 18:00 − Dienstag 24-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Achieving Online Anonymity Using Tails OS ∗∗∗ --------------------------------------------- Achieving anonymity while browsing the internet is the main concern for many people; everybody wants to make their communications secure and private. However, few in the world have really achieved this objective and many are still facing difficulties and trying different techniques to achieve online privacy. The InfoSec community has produced various tools and techniques that utilize the TOR network to send the data securely and privately. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/achieving-online-anony… ∗∗∗ DUHK Crypto Attack Recovers Encryption Keys, Exposes VPN Connections, More ∗∗∗ --------------------------------------------- After last week we had the KRACK and ROCA cryptographic attacks, this week has gotten off to a similarly "great" start with the publication of a new crypto attack known as DUHK (Dont Use Hard-coded Keys) [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/duhk-crypto-attack-recovers-… ∗∗∗ Stop relying on file extensions, (Tue, Oct 24th) ∗∗∗ --------------------------------------------- Yesterday, I found an interesting file in my spam trap. It was called '16509878451.XLAM'. To be honest, I was not aware of this extension and I found this on the web: "A file with the XLAM file extension is an Excel Macro-Enabled Add-In file that [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22962 ∗∗∗ Study: 18% of fed agencies embrace DMARC yet 25% of email fraudulent, unauthenticated ∗∗∗ --------------------------------------------- Of the 18 percent of agencies that do have DMARC in play, only half are maximizing the benefits of the standard by quarantining or rejecting unauthenticated email to prevent domain name spoofing. --------------------------------------------- https://www.scmagazine.com/study-18-of-fed-agencies-embrace-dmarc-yet-25-of… ∗∗∗ News Feature: Google Security interview "human solutions - the way to go." ∗∗∗ --------------------------------------------- Google has launched of a range of personal and corporate security enhancements (below) this month. Google security expert Allison Miller, spoke to SC about the organisations approach to security and privacy concerns. --------------------------------------------- https://www.scmagazine.com/news-feature-google-security-interview-human-sol… ∗∗∗ Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta ∗∗∗ --------------------------------------------- Plus: Azure gets all Cray-cray A below-the-radar security feature in the Windows 10 Fall Creators Update, aka version 1709 released last week, can stop ransomware and other file-scrambling nasties dead. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/23/fyi_windows… ∗∗∗ Let’s Enhance ! How we found @rogerkver’s $1000 wallet obfuscated private key. ∗∗∗ --------------------------------------------- We could have simply named this post “How great QR code are and how we recovered one from almost nothing” but it’s much more interesting when the QR code is the key to a $1000 Bitcoin wallet. --------------------------------------------- https://medium.com/@SassanoM/lets-enhance-how-we-found-rogerkver-s-1000-wal… ∗∗∗ Android-Schädling Lokibot ist eine Transformer-Malware ∗∗∗ --------------------------------------------- In erster Linie ist Lokibot auf Bankdaten aus. Wer gegen den Trojaner vorgeht, bekommt ein anderes Gesicht des Schädlings zu sehen und sieht sich mit Erpressung konfrontiert. --------------------------------------------- https://heise.de/-3868947 ∗∗∗ Hackerangriff: Russische Nachrichtenagentur Interfax wohl von Kryptotrojaner getroffen ∗∗∗ --------------------------------------------- Die russische Nachrichtenagentur Interfax ist am Dienstag durch einen Hackerangriff lahmgelegt worden. Fast alle Server seien betroffen, sagte der stellvertretende Generaldirektor Alexej Gorschkow. Es sei unklar, wann das Problem behoben werden könne. --------------------------------------------- https://heise.de/-3870349 ∗∗∗ Reaper: Calm Before the IoT Security Storm? ∗∗∗ --------------------------------------------- Its been just over a year since the world witnessed some of the worlds top online Web sites being taken down for much of the day by "Mirai," a zombie malware strain that enslaved "Internet of Things" (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks. Now, experts are sounding the alarm about the emergence of what appears to be a far more powerful strain of IoT attack malware [...] --------------------------------------------- https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-sto… ∗∗∗ Keine Aktualisierung bei Netflix notwendig ∗∗∗ --------------------------------------------- Datendiebe versenden eine gefälschte Netflix-Nachricht. Darin fordern sie Kund/innen dazu auf, dass sie ihre Zahlungsinformationen auf einer Website aktualisieren. Wer das macht, übermittelt sensible Daten an die Betrüger/innen. Sie können auf Kosten ihres Opfers einkaufen gehen und Verbrechen unter seinem Namen begehen. --------------------------------------------- https://www.watchlist-internet.at/phishing/keine-aktualisierung-bei-netflix… ∗∗∗ Reducing Vulnerability to Cyberattacks ∗∗∗ --------------------------------------------- The need for secure systems is a growing priority for Industry Control System (ICS) operators. Recent high profile cyber-attacks against critical infrastructure, coupled with the growing list of published equipment [...] --------------------------------------------- http://blog.schneider-electric.com/cyber-security/2017/10/23/reducing-vulne… ∗∗∗ Kiev metro hit with a new variant of the infamous Diskcoder ransomware ∗∗∗ --------------------------------------------- Public sources have confirmed that computer systems in the Kiev Metro, Odessa naval port, Odessa airport, Ukrainian ministries of infrastructure and finance, and also a number of organizations in Russia are among the affected organizations.The post Kiev metro hit with a new variant of the infamous Diskcoder ransomware appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamo… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix XenServer Security Update for CVE-2017-15597 ∗∗∗ --------------------------------------------- A security vulnerability has been identified in Citrix XenServer that may allow a malicious administrator of a guest VM to compromise the host. --------------------------------------------- https://support.citrix.com/article/CTX229057 ∗∗∗ Cisco Spark Hybrid Calendar Service Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect Java Server Faces (JSF) used by WebSphere Application Server (CVE-2017-1583, CVE-2011-4343) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008707 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Functional Tester (CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008877 ∗∗∗ IBM Security Bulletin: IBM Streams may be affected by XMLsoft Libxml2 vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009670 ∗∗∗ IBM Security Bulletin: IBM Streams may be affected by XMLsoft Libxml2 vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009715 ∗∗∗ cURL Buffer Overread in Processing IMAP FETCH Response Data Lets Remote Users Deny Service or Obtain Potentially Sensitive Information ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039644 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2017
by Daily end-of-shift report 23 Oct '17

23 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-10-2017 18:00 − Montag 23-10-2017 18:00 Handler: Nina Bieringer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ National Cybersecurity Awareness Month – Words to Avoid ∗∗∗ --------------------------------------------- TGIF (Thank Goodness, It’s Friday)! Yes, I altered the ‘G’ to be politically correct, but being politically correct has little...The post National Cybersecurity Awareness Month – Words to Avoid appeared first on BeyondTrust. --------------------------------------------- https://www.beyondtrust.com/blog/national-cybersecurity-awareness-month-wor… ∗∗∗ Performing & Preventing SSL Stripping: A Plain-English Primer ∗∗∗ --------------------------------------------- Over the past few days we learnt about a new attack that posed a serious weakness in the encryption protocol used to secure all modern Wi-Fi networks. The KRACK Attack effectively allows interception of traffic on wireless networks secured by the WPA2 protocol. Whilst it is possible to backward patch [...] --------------------------------------------- https://blog.cloudflare.com/performing-preventing-ssl-stripping-a-plain-eng… ∗∗∗ Krack-Angriff: AVM liefert erste Updates für Repeater und Powerline ∗∗∗ --------------------------------------------- Nach dem Bekanntwerden der WPA2-Schwäche Krack hat AVM nun erste Geräte gepatcht. Weitere Patches sollen folgen, jedoch nicht für Fritzboxen. --------------------------------------------- https://www.golem.de/news/krack-angriff-avm-liefert-erste-updates-fuer-repe… ∗∗∗ Mirai-Nachfolger: Experten warnen vor "Cyber-Hurrican" durch neues Botnetz ∗∗∗ --------------------------------------------- Kriminelle nutzen Sicherheitslücken in IoT-Geräten zum Aufbau eines großen Botnetzes aus. Dabei verwendet der Bot Code von Mirai, unterscheidet sich jedoch von seinem prominenten Vorgänger. --------------------------------------------- https://www.golem.de/news/mirai-nachfolger-experten-warnen-vor-cyber-hurric… ∗∗∗ Security+ Domain #6: Cryptography ∗∗∗ --------------------------------------------- Cryptography falls into the sixth and last domain of CompTIA’s Security+ exam (SYO-401) and contributes 12% to the exam score. The Security+ exam tests the candidate’s knowledge of cryptography and how it relates to the security of networked and stand-alone systems in organizations. To pass the Security+ exam, the candidates must understand both symmetric and [...] --------------------------------------------- http://resources.infosecinstitute.com/security-domain-6-cryptography/ ∗∗∗ Introducing Windows Defender Application Control ∗∗∗ --------------------------------------------- Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control flips the model from one where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Many organizations, like [...] --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/10/23/introducing-windows-def… ∗∗∗ Google to add "DNS over TLS" security feature to Android OS ∗∗∗ --------------------------------------------- No doubt your Internet Service Provides (ISPs), or network-level hackers cannot spy on https communications. But do you know — ISPs can still see all of your DNS requests, allowing them to know what websites you visit. Google is working on a new security feature for Android that could prevent your Internet traffic from network spoofing attacks. Almost every Internet activity starts with a [...] --------------------------------------------- https://thehackernews.com/2017/10/android-dns-over-tls.html ∗∗∗ TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors ∗∗∗ --------------------------------------------- Original release date: October 20, 2017 | Last revised: October 21, 2017 Systems Affected Domain ControllersFile ServersEmail Servers Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing [...] --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA17-293A ∗∗∗ New FakeNet-NG Feature: Content-Based Protocol Detection ∗∗∗ --------------------------------------------- I (Matthew Haigh) recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and adapts to SSL so that any protocol can be used with SSL and handled appropriately by FakeNet-NG. We were motivated to add this feature since it was a feature of the original FakeNet and it was [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-p… ∗∗∗ Krypto-Mining im Browser: Software-Hersteller wollen Nutzer besser schützen ∗∗∗ --------------------------------------------- Mining-Skripte zwacken beim Surfen heimlich Rechenleistung zum Schürfen von Krypto-Währungen ab. Adblocker- und Browser-Hersteller erarbeiten Gegenstrategien. Einige Skript-Entwickler reagieren ihrerseits, indem sie Nutzer künftig um Erlaubnis fragen. --------------------------------------------- https://heise.de/-3865577 ∗∗∗ Kanadischer Geheimdienst veröffentlicht erstmals Sicherheitssoftware ∗∗∗ --------------------------------------------- CSE gilt als besonders schweigsam. Nun überraschen die Spione mit der Herausgabe eines Dateiformats sowie eines Frameworks. Es soll helfen, in vielen Dateien gleichzeitig Malware aufzuspüren. --------------------------------------------- https://heise.de/-3867343 ∗∗∗ Mac-Shareware-Downloads mit signiertem Trojaner ∗∗∗ --------------------------------------------- Die Apps Folx und Elmedia Player wurden nach einem Hack über deren Websites inklusive der "Proton"-Malware vertrieben. Der Hersteller empfiehlt eine Neuinstallation betroffener Maschinen. --------------------------------------------- https://heise.de/-3867420 ∗∗∗ "Cyber Conflict" Decoy Document Used In Real Cyber Conflict ∗∗∗ --------------------------------------------- This post was authored by Warren Mercer, Paul Rascagneres and Vitor VenturaUpdate 10/23: CCDCOE released a statement today on their websiteIntroductionCisco Talos discovered a new malicious campaign from the well known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear…). Ironically the decoy document is a deceptive flyer relating to the Cyber Conflict U.S. conference. --------------------------------------------- http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco AMP for Endpoints Static Key Vulnerability ∗∗∗ --------------------------------------------- On October 20th, 2017, Cisco PSIRT was notified by the internal product team of a security vulnerability in the Cisco AMP For Endpoints application that would allow an authenticated, local attacker to access a static key value stored in the local application software.The vulnerability is due to the use of a static key value stored in the application used to encrypt the connector protection password. An attacker could exploit this vulnerability by gaining local, administrative access to a [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1859: OpenJFX: Zwei Schwachstellen ermöglichen eine komplette Kompromittierung der Software ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1859/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009296 ∗∗∗ IBM Security Bulletin: IBM b-type Network/Storage switches is affected by Open Source OpenSSL Vulnerabilities (OpenSSL and Node.JS consumers). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010726 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in cURL affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009692 ∗∗∗ BMC Remedy IT Service Management Suite Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information and Conduct Cross-Site Scripting Attacks and Let Remote Authenticated Users Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039637 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2017
by Daily end-of-shift report 20 Oct '17

20 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-10-2017 18:00 − Freitag 20-10-2017 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ KRACK-Entdecker: "Sicherheitsupdates einfordern" ∗∗∗ --------------------------------------------- Der belgische Sicherheitsforscher Mathy Vanhoef, der die Sicherheitslücke KRACK in WLAN-Netzwerken entdeckt hat, geht davon aus, dass viele Geräte kein Update erhalten werden. --------------------------------------------- https://futurezone.at/digital-life/krack-entdecker-sicherheitsupdates-einfo… ∗∗∗ Canadian spooks release their own malware detection tool ∗∗∗ --------------------------------------------- Canuck NSA/GCHQ equivalent open-sources Assemblyline, to make us all as safe as Canada Canadas Communications Security Establishment has open-sourced its own malware detection tool.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/20/canadian_co… ===================== = Vulnerabilities = ===================== ∗∗∗ Boston Scientific ZOOM LATITUDE PRM Vulnerabilities ∗∗∗ --------------------------------------------- This advisory contains compensating controls for use of hard-coded cryptographic key and missing encryption of sensitive data vulnerabilities in Boston Scientific’s ZOOM LATITUDE Programmer/Recorder/Monitor Model 3120. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-292-01 ∗∗∗ SpiderControl MicroBrowser ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an uncontrolled search path element vulnerability in SpiderControls MicroBrowser. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-292-01 ∗∗∗ Cisco Nexus Series Switches CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the CLI of Cisco NX-OS System Software running on Cisco Nexus Series Switches could allow an authenticated, local attacker to perform a command injection attack.The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting crafted command arguments into a vulnerable CLI command. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco-Updates schließen mehrere Lücken ∗∗∗ --------------------------------------------- Mit aktuellen Updates schließt Cisco insgesamt 17 Sicherheitslücken. Eine davon ist kritisch und erlaubt den Remote-Zugriff auf die Cloud Services Platform (CSP) 2100. --------------------------------------------- https://heise.de/-3865704 ∗∗∗ Oracle Critical Patch Update Advisory - October 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html ∗∗∗ Security Notice - Statement on App Lock Bypass Vulnerability in Huawei EMUI ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170922-01-… ∗∗∗ IBM Security Bulletin: A vulnerability in libsoup affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025834 ∗∗∗ IBM Security Bulletin: Vulnerabilities in Apache HTTPD affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025773 ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix (CVE-2017-1583, CVE-2011-4343) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009704 ∗∗∗ IBM Security Bulletin: Vulnerabilities in MariaDB affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025771 ∗∗∗ IBM Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025779 ∗∗∗ IBM Security Bulletin: Vulnerabilities in TigerVNC affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025772 ∗∗∗ IBM Security Bulletin: Vulnerabilities in glibc affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025781 ∗∗∗ IBM Security Bulletin: Vulnerabilities in PostgreSQL affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025764 ∗∗∗ IBM Security Bulletin: A vulnerability in OpenLDAP affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025766 ∗∗∗ IBM Security Bulletin: Vulnerabilities in git affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025756 ∗∗∗ IBM Security Bulletin: A vulnerability in Spice affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025754 ∗∗∗ IBM Security Bulletin: Vulnerabilities in tcpdump affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025768 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Planning Analytics Express and IBM Cognos Express. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009518 ∗∗∗ SafeNet External Network HSM script vulnerability CVE-2017-6165 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74759095 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2017
by Daily end-of-shift report 19 Oct '17

19 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-10-2017 18:00 − Donnerstag 19-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BoundHook Attack Exploits Intel Skylake MPX Feature ∗∗∗ --------------------------------------------- A new attack method takes advantage a feature in Intel’s Skylake microprocessor allowing for post-intrusion application hooking and stealth manipulation of applications. --------------------------------------------- http://threatpost.com/boundhook-attack-exploits-intel-skylake-mpx-feature/1… ∗∗∗ US-CERT study predicts machine learning, transport systems to become security risks ∗∗∗ --------------------------------------------- Youve been warned The Carnegie-Mellon Universitys Software Engineering Institute has nominated transport systems, machine learning, and smart robots as needing better cyber-security risk and threat analysis. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/19/cert_cc_thr… ∗∗∗ A Look at Locky Ransomware’s Recent Spam Activities ∗∗∗ --------------------------------------------- Ransomware has been one of the most prevalent, prolific, and pervasive threats in the 2017 threat landscape, with financial losses among enterprises and end users now likely to have reached billions of dollars. Locky ransomware, in particular, has come a long way since first emerging in early 2016. Despite the number of times it apparently spent in hiatus, Locky remains a relevant and credible threat given its impact on end users and especially businesses. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/sDep2mrz5v0/ ∗∗∗ New Attacker Scanning for SSH Private Keys on Websites ∗∗∗ --------------------------------------------- Wordfence is seeing a significant spike in SSH private key scanning activity. We are releasing this advisory to ensure that our customers and the broader WordPress community are aware of this new activity and of the risk of making private SSH keys public, and to explain how to avoid this problem. --------------------------------------------- https://www.wordfence.com/blog/2017/10/ssh-key-website-scans/ ∗∗∗ Baselining Servers to Detect Outliers ∗∗∗ --------------------------------------------- This week I came across an interesting incident response scenario that was more likely a blind hunt. The starting point was the suspicion that a breach may have occurred in one or more of ~500 web servers of a big company on a given date range, even though there was no evidence of leaked data or any other IOC to guide the investigation. To overcome [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22940 ===================== = Vulnerabilities = ===================== ∗∗∗ KRACK Key Reinstall in FT Handshake - PoC ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017100142 ∗∗∗ Bugtraq: WebKitGTK+ Security Advisory WSA-2017-0008 ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541370 ∗∗∗ DFN-CERT-2017-1836: Lucene/Solr: Eine Schwachstelle ermöglicht die Ausführung beliebigen Prorgammcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1836/ ∗∗∗ DFN-CERT-2017-1837: Suricata: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1837/ ∗∗∗ DFN-CERT-2017-1846: GitLab: Mehrere Schwachstellen ermöglichen u.a. Cross-Site-Scripting-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1846/ ∗∗∗ Cisco Security Advisories and Alerts ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Advisory – Multiple “BlueBorne” vulnerabilities on Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171018-… ∗∗∗ Security Advisory - App Lock Bypass Vulnerability in Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171019-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2017
by Daily end-of-shift report 18 Oct '17

18 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-10-2017 18:00 − Mittwoch 18-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RSA-Sicherheitslücke: Infineon erzeugt Millionen unsicherer Krypto-Schlüssel ∗∗∗ --------------------------------------------- RSA-Schlüssel von Hardware-Kryptomodulen der Firma Infineon lassen sich knacken. Das betrifft unter anderem Debian-Entwickler, Anbieter qualifizierter Signatursysteme, TPM-Chips in Laptops und estnische Personalausweise. --------------------------------------------- https://www.golem.de/news/rsa-sicherheitsluecke-infineon-erzeugt-millionen-… ∗∗∗ Browser security beyond sandboxing ∗∗∗ --------------------------------------------- Security is now a strong differentiator in picking the right browser. We all use browsers for day-to-day activities like staying in touch with loved ones, but also for editing sensitive private and corporate documents, and even managing our financial assets. A single compromise through a web browser can have catastrophic results. It doesn’t help that... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/10/18/browser-security-beyond… ∗∗∗ uBlock Origin ad-blocker knocked for blocking hack attack squawking ∗∗∗ --------------------------------------------- Block all the things! No, wait, not the XSS security alerts Top ad-blocking plugin uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: it prevents browsers from sounding the alarm on hacking attacks. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/17/ublock_orig… ∗∗∗ Hancitor malspam uses DDE attack ∗∗∗ --------------------------------------------- Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) changed tactics on Monday 2017-10-16. Instead of pushing Microsoft Word documents with malicious macros, this malspam began pushing Word documents taking advantage of Microsofts Dynamic Data Exchange (DDE) technique. --------------------------------------------- https://isc.sans.edu/diary/22936 ∗∗∗ Klage wegen Urheberrechtsverletzung verbreitet Schadsoftware ∗∗∗ --------------------------------------------- In erfundenen Schreiben behaupten unbekannte Absender/innen, dass Empfänger/innen eine Urheberrechtsverletzung begangen haben und deshalb verklagt werden. Für weiterführende Informationen dazu sollen Adressat/innen eine ZIP-Datei herunterladen. Sie verbirgt Schadsoftware und darf nicht geöffnet werden. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/klage-wegen-urheberrechtsve… ===================== = Vulnerabilities = ===================== ∗∗∗ HPESBHF03789 rev.2 - Certain HPE Gen9 Systems with HP Trusted Platform Module v2.0 Option, Unauthorized Access to Data ∗∗∗ --------------------------------------------- A potential security vulnerability has been identified in the "HP Trusted Platform Module 2.0 Option" kit. This optional kit is available for HPE Gen9 systems with firmware version 5.51. The vulnerability in TPM firmware 5.51 is that new mathematical methods exist such that RSA keys generated by the TPM 2.0 with firmware 5.51 are cryptographically weakened. This vulnerability could lead to local and remote unauthorized access to data. --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en… ∗∗∗ Progea Movicon SCADA/HMI ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-290-01 ∗∗∗ IC3 Issues Alert on IoT Devices ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/17/IC3-Issues-Alert-I… ∗∗∗ Huawei Security Advisories ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories ∗∗∗ IBM Security Bulletin: Vulnerability in Apache Standard Taglibs affects IBM Connections Portlets For WebSphere Portal (CVE-2015-0254) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006285 ∗∗∗ IBM Security Bulletin: A vulnerability in OpenSSL affects IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) configuration tool (CVE-2017-3735) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025909 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct FTP+ ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009532 ∗∗∗ JSA10826 - 2017-10 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 17.1R1 release ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10826&actp=RSS ∗∗∗ Critical Patch Update - October 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html ∗∗∗ Solaris Third Party Bulletin - October 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/bulletinoct2017-3958668.h… ∗∗∗ Oracle Linux Bulletin - October 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2017-4005… ∗∗∗ Oracle VM Server for x86 Bulletin - October 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2017-400589… ∗∗∗ Multiple vulnerabilities in Linksys E-series products ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… ∗∗∗ Multiple vulnerabilities in Afian AB FileRun ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… ∗∗∗ SSA-523365 (Last Update 2017-10-18): Vulnerability in SIMATIC PCS 7 ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-523365… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2017
by Daily end-of-shift report 17 Oct '17

17 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 16-10-2017 18:00 − Dienstag 17-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Heres a Video of the Latest ATM Malware Sold on the Dark Web ∗∗∗ --------------------------------------------- A hacker or hacker group is selling a strain of ATM malware that can make ATMs spit out cash just by connecting to its USB port and running the malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/heres-a-video-of-the-latest-… ∗∗∗ Lenovo Quietly Patches Massive Bug Impacting Its Android Tablets and Zuk, Vibe Phones ∗∗∗ --------------------------------------------- Lenovo customers are being told to update their Android tablets and handsets to protect themselves against a handful of critical vulnerabilities impacting tens of millions of vulnerable Lenovo devices. --------------------------------------------- http://threatpost.com/lenovo-quietly-patches-massive-bug-impacting-its-andr… ∗∗∗ Estonia releases update on Digital ID card vulnerability ∗∗∗ --------------------------------------------- The Estonia government issued an update on a vulnerability potentially affecting digital use of ID cards issued since October 2014. --------------------------------------------- https://www.scmagazineuk.com/estonia-releases-update-on-digital-id-card-vul… ∗∗∗ Microsoft responded quietly after detecting secret database hack in 2013 ∗∗∗ --------------------------------------------- (Reuters) - Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database. --------------------------------------------- https://www.reuters.com/article/us-microsoft-cyber-insight/microsoft-respon… ∗∗∗ KRACK: Hersteller-Updates und Stellungnahmen ∗∗∗ --------------------------------------------- Mittlerweile haben einige von der WPA2-Lücke KRACK betroffene Hersteller Patches veröffentlicht, die die Gefahr abwehren. Andere meldeten sich in Stellungnahmen zu Wort. --------------------------------------------- https://heise.de/-3863455 ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory 2017-05: Security Update for OTRS Business Solution™ ∗∗∗ --------------------------------------------- October 17, 2017 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability. --------------------------------------------- https://www.otrs.com/security-advisory-2017-05-security-update-otrs-busines… ∗∗∗ BSRT-2017-006 Vulnerabilities in Workspaces Server components impact BlackBerry Workspaces ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ VU#307015: Infineon RSA library does not properly generate RSA key pairs ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/307015 ∗∗∗ VU#228519: Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/228519 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cross site scripting in Webtrekk Pixel ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/cross-site-scripting-in-webt… ∗∗∗ EMC NetWorker Buffer Overflow in nsrd Lets Remote Users Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039583 ∗∗∗ Java vulnerability CVE-2017-10053 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28418435 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2017
by Daily end-of-shift report 16 Oct '17

16 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-10-2017 18:00 − Montag 16-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TPM Chipsets Generate Insecure RSA Keys. Multiple Vendors Affected ∗∗∗ --------------------------------------------- Infineon TPM chipsets that come with many modern-day motherboards generate insecure RSA encryption keys that put devices at risk of attack. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/tpm-chipsets-generate-insecu… ∗∗∗ List of Firmware & Driver Updates for KRACK WPA2 Vulnerability ∗∗∗ --------------------------------------------- This article will contain an udpated list of firmware and driver updates that resolve the Krack WPA2 vulnerability. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-… ∗∗∗ Es steht KRACK auf dem Speiseplan! ∗∗∗ --------------------------------------------- [...] heute wurden Details zu den sogenannten "Key Reinstallation Attacks", kurz "KRACK", veröffentlicht (technisches Paper / Webseite). Kurz zusammengefasst stellen diese Schwachstellen die ersten [...] --------------------------------------------- http://www.cert.at/services/blog/20171016132413-2092.html ∗∗∗ Auto: Subaru-Funkschlüssel lässt sich einfach klonen ∗∗∗ --------------------------------------------- Autoschlüssel mit Funkverbindung sind ein beliebtes Ziel für Sicherheitsforscher - und oft eher Opfer als Gegner. Aktuell ist Subaru betroffen, zahlreiche Fahrzeuge des Herstellers sind für einen Angriff verwundbar. Das Unternehmen hat bislang nicht reagiert. --------------------------------------------- https://www.golem.de/news/auto-subaru-funkschluessel-laesst-sich-einfach-kl… ∗∗∗ Ukraine Police Warns of New NotPetya-Style Large Scale CyberAttack ∗∗∗ --------------------------------------------- Remember NotPetya? The Ransomware that shut down thousands of businesses, organisations and banks in Ukraine as well as different parts of Europe in June this year. Now, Ukrainian government authorities are once again warning its citizens to brace themselves for next wave of "large-scale" NotPetya-like cyber attack. According to a press release published Thursday by the Secret Service of [...] --------------------------------------------- https://thehackernews.com/2017/10/ukraine-notpetya-cyberattack.html ∗∗∗ How Power Grid Hacks Work, and When You Should Panic ∗∗∗ --------------------------------------------- After months of reports of energy grid breaches, time to distinguish the elite intrusions from just another spearphishing attack. --------------------------------------------- https://www.wired.com/story/hacking-a-power-grid-in-three-not-so-easy-steps ∗∗∗ Erneut Malware-Angriff auf Kreditkartendaten bei Hyatt ∗∗∗ --------------------------------------------- Wieder ist es Angreifern gelungen, Software in die IT-Systeme der Hotelkette Hyatt einzuschleusen, die Kreditkartendaten der Kunden abgriff. Das sei nun aber behoben, versichert das Unternehmen, das 2015 ähnlich angegriffen wurde. --------------------------------------------- https://heise.de/-3862121 ∗∗∗ Bank Austria überprüft keine Identität mit Probe-SMS ∗∗∗ --------------------------------------------- In einer gefälschten Bank Austria-Nachricht behaupten Kriminelle, dass Kund/innen ihre Identität mit einer Probe-SMS überprüfen lassen müssen. Dafür ist es notwendig, dass sie auf einer Website ihre Verfügernummer, ihr Passwort und ihre Telefonnummer bekannt geben. Es folgt ein Anruf der Täter/innen, mit dem sie die Bekanntgabe eines TAN-Codes fordern. Der TAN-Code ermöglicht es ihnen, das Geld ihrer Opfer zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/phishing/bank-austria-ueberprueft-keine-i… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Adobe Flash Player - aktiv ausgenützt - Patches verfügbar ∗∗∗ --------------------------------------------- Adobe hat bekanntgegeben, dass es aktuell eine kritische Sicherheitslücke in Adobe Flash Player gibt, die auch bereits aktiv ausgenützt wird. CVE-Nummer: CVE-2017-11292 Entsprechend fehlerbereinigte Versionen sind verfügbar. Auswirkungen Durch Ausnützen dieser Lücke kann ein Angreifer laut Adobe beliebigen Code auf betroffenen Systemen [...] --------------------------------------------- https://www.cert.at/warnings/all/20171016.html ∗∗∗ Bugtraq: [RCESEC-2017-002][CVE-2017-14956] AlienVault USM v5.4.2 "/ossim/report/wizard_email.php" Cross-Site Request Forgery leading to Sensitive Information Disclosure ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541342 ∗∗∗ Vuln: Atlassian Bamboo CVE-2017-9514 Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101269 ∗∗∗ Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1814/: Jenkins: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1814/ ∗∗∗ Multiple vulnerabilities in OpenText Documentum Content Server ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541333 ∗∗∗ FortiWLC XSS injection via crafted HTTP POST request ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-106 ∗∗∗ FortiMail reflected XSS vulnerability under customized webmail login page ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-099 ∗∗∗ FortiWLC file management OS Command Injection vulnerability ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-119 ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171013-… ∗∗∗ IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q3 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009259 ∗∗∗ Multiple vulnerabilities in Micro Focus VisiBroker C++ ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… ∗∗∗ OpenSSL vulnerability CVE-2017-3735 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21462542 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.10.2017
by Daily end-of-shift report 13 Oct '17

13 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-10-2017 18:00 − Freitag 13-10-2017 18:00 Handler: Olaf Schwarz Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Android DoubleLocker Ransomware Activates Every Time You Hit Home Button ∗∗∗ --------------------------------------------- A new ransomware targeting Android devices has been spotted in the wild. Codenamed DoubleLocker, the ransomware abuses Androids Accessibility service and reactivates itself every time the user presses the phones Home button. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-doublelocker-ransomw… ∗∗∗ Fehler in WSUS-Update: Windows-Clients booten nicht mehr ∗∗∗ --------------------------------------------- Fehlerhafte Update-Pakete für Windows 10 und Windows Server 2016, die Microsoft am letzten Patchday veröffentlicht hat, legten in den vergangenen Tagen Rechner in Unternehmensnetzwerken lahm. Betroffen waren nur Umgebungen mit WSUS und SCCM. --------------------------------------------- https://www.heise.de/newsticker/meldung/Fehler-in-WSUS-Update-Windows-Clien… ∗∗∗ Bug auf T-Mobile-Website ermöglichte den Abruf vertraulicher Kundendaten ∗∗∗ --------------------------------------------- In der Website t-mobile.com klaffte ein Sicherheitsleck, das die Abfrage von Kundendatensätzen durch potenzielle Angreifer erlaubte. --------------------------------------------- https://heise.de/-3860676 ∗∗∗ Malvertising on Equifax, TransUnion tied to third party script ∗∗∗ --------------------------------------------- Equifaxs website is once again infected, this time with malvertising that redirects to a fake Flash player. Further investigation reveals TransUnion was also targeted. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/10/equifax-transunion-we… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Patch Update - October 2017 ∗∗∗ --------------------------------------------- Critical Patch Update - October 2017 - Pre-Release Announcement --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html ∗∗∗ ProMinent MultiFLEX M10a Controller ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-01 ∗∗∗ WECON Technology Co., Ltd. LeviStudio HMI Editor ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-02 ∗∗∗ Envitech Ltd. EnviDAS Ultimate ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-03 ∗∗∗ NXP Semiconductors MQX RTOS ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-04 ∗∗∗ Siemens BACnet Field Panels ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-285-05 ∗∗∗ DFN-CERT-2017-1812/">Xen: Mehrere Schwachstelle ermöglichen u.a. das Eskalieren von Privilegien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1812/ ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2, v5.0.2 and v5.0.2.1. (CVE-2017-10115 and CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009234 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009543 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008951 ∗∗∗ IBM Security Bulletin: IBM Notes is affected by Open Source XStream Vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004066 ∗∗∗ Java SE vulnerability CVE-2017-10115 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91024405 ∗∗∗ Java SE vulnerability CVE-2017-10108 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52342540 ∗∗∗ Vulnerability in windows antivirus products (IK-SA-2017-0001) ∗∗∗ --------------------------------------------- http://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-w… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2017
by Daily end-of-shift report 12 Oct '17

12 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-10-2017 18:00 − Donnerstag 12-10-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices ∗∗∗ --------------------------------------------- Posted by Gal Beniamini, Project ZeroIn this blog post we’ll complete our goal of achieving remote kernel code execution on the iPhone 7, by means of Wi-Fi communication alone.After developing a Wi-Fi firmware exploit in the previous blog post, we are left with the task of using our newly acquired access to gain control over the XNU kernel. To this end, we’ll begin by investigating the isolation mechanisms present on the iPhone. Next, we’ll explore the ways in which the host --------------------------------------------- http://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploitin… ∗∗∗ Kritische Sicherheitslücke in Thunderbird 52.4 geschlossen ∗∗∗ --------------------------------------------- Die Entwickler von Thunderbird haben sich in der aktuellen Version um mehrere Schwachstellen gekümmert. Wer die neue Version nicht installiert, könnte sich unter Umständen Schadcode einfangen. --------------------------------------------- https://heise.de/-3858847 ∗∗∗ Bankingtrojaner Retefe für macOS in deutscher Sprache ∗∗∗ --------------------------------------------- Eine neue Version vom Retefe-Schädling tarnt sich unter anderem als OS-X-Update und wird derzeit etwa über gefälschte DHL-Mails verteilt. Auch Windows-Nutzer sind gefährdet. --------------------------------------------- https://heise.de/-3859911 ∗∗∗ Hacker stahlen sensible Daten der australischen Rüstungsindustrie ∗∗∗ --------------------------------------------- Rüstungsminister Pyne sieht keine Gefahr für das Militär --------------------------------------------- http://derstandard.at/2000065885898 ∗∗∗ Kritische Lücke in Microsoft Office ermöglicht Remote Code Execution ∗∗∗ --------------------------------------------- Researcher haben eine schwerwiegende Sicherheitslücke in Microsoft Office entdeckt. Beschreibung: Wenn ein Benutzer eine speziell präparierte Datei im Microsoft Excel-Format oder Microsoft Word-Format öffnet, kann in Folge ein Angreifer beliebigen Code, mit den Rechten des angemeldeten Benutzers, auf dem System ausführen. --------------------------------------------- http://www.cert.at/warnings/all/20171011.html ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3997 wordpress - security update ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in Wordpress, a web blogging tool.They would allow remote attackers to exploit path-traversal issues, perform SQLinjections and various cross-site scripting attacks. --------------------------------------------- https://www.debian.org/security/2017/dsa-3997 ∗∗∗ DSA-3998 nss - security update ∗∗∗ --------------------------------------------- Martin Thomson discovered that nss, the Mozilla Network Security Servicelibrary, is prone to a use-after-free vulnerability in the TLS 1.2implementation when handshake hashes are generated. A remote attackercan take advantage of this flaw to cause an application using the nsslibrary to crash, resulting in a denial of service, or potentially toexecute arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3998 ∗∗∗ JSA10809 - 2017-10 Security Bulletin: SRX Series: Cryptographic weakness in SRX300 Series TPM Firmware (CVE-2017-10606) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10809&actp=RSS ∗∗∗ JSA10810 - 2017-10 Security Bulletin: Junos: rpd core due to receipt of specially crafted BGP packet (CVE-2017-10607) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10810&actp=RSS ∗∗∗ JSA10817 - 2017-10 Security Bulletin: Junos OS: Denial of service vulnerabilities in telnetd (CVE-2017-10614, CVE-2017-10621) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10817&actp=RSS ∗∗∗ JSA10819 - 2017-10 Security Bulletin: Contrail: hard coded credentials (CVE-2017-10616) and XML External Entity (XXE) vulnerability (CVE-2017-10617) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10819&actp=RSS ∗∗∗ Java SE vulnerability CVE-2017-10078 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41815723 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2017
by Daily end-of-shift report 11 Oct '17

11 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-10-2017 18:00 − Mittwoch 11-10-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Antivirus: Symantec will keine Code-Reviews durch Regierungen mehr ∗∗∗ --------------------------------------------- Aus Angst vor Spionage will die Sicherheitsfirma Symantec nach Angaben ihres CEO keine Regierungen mehr in den eigenen Code schauen lassen. Anlass war offenbar eine Anfrage der russischen Regierung. --------------------------------------------- https://www.golem.de/news/antivirus-symantec-will-keine-code-reviews-durch-… ∗∗∗ Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket ∗∗∗ --------------------------------------------- Global consulting firm Accenture is the latest giant organization leaving sensitive internal and customer data exposed in a publicly available Amazon Web Services S3 storage bucket. --------------------------------------------- http://threatpost.com/internal-accenture-data-customer-information-exposed-… ∗∗∗ October 2017 security update release ∗∗∗ --------------------------------------------- Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend .. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/10/10/october-2017-security-u… ∗∗∗ Credit Card Stealer Investigation Uncovers Malware Ring ∗∗∗ --------------------------------------------- During a recent investigation, I found a new piece of malicious code being used to steal credit card information from compromised Magento sites. What I didn’t know was how many domains would be uncovered as part of the malware campaign. Each of the malicious domain names was specifically chosen to appear as legitimate as possible to the website .. --------------------------------------------- https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-… ∗∗∗ iOS: So einfach lassen sich Passwörter von Apple-Nutzern stehlen ∗∗∗ --------------------------------------------- Softwareentwickler zeigt, wie leicht täuschend echt aussehende Passwort-Anfragen erstellt werden können --------------------------------------------- http://derstandard.at/2000065785641 ∗∗∗ BSI warnt nicht vor Kaspersky-Produkten ∗∗∗ --------------------------------------------- Russische Hacker sollen Virenscanner der russischen Firma genutzt haben --------------------------------------------- http://derstandard.at/2000065833977 ∗∗∗ October 2017 Office Update Release ∗∗∗ --------------------------------------------- The October 2017 Public Update releases for Office are now available! This month, there are 26 security updates and 27 non-security updates. All of the security and non-security updates are listed in .. --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2017/10/10… ===================== = Vulnerabilities = ===================== ∗∗∗ LAVA Computer MFG Inc. Ether-Serial Link ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an authentication bypass by spoofing vulnerability in the LAVA Ether-Serial Links firmware. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-283-01 ∗∗∗ JanTek JTC-200 ∗∗∗ --------------------------------------------- This advisory contains mitigation details for cross-site request forgery and improper authentication vulnerabilities in JanTeks JTC-200 TCP/IP converter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2017
by Daily end-of-shift report 10 Oct '17

10 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 09-10-2017 18:00 − Dienstag 10-10-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ATMii Malware Makes Windows 7 and Windows Vista ATMs Spit Out Cash ∗∗∗ --------------------------------------------- Security researchers have discovered a new ATM malware strain named ATMii that targets only ATMs running on Windows 7 and Windows Vista. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atmii-malware-makes-windows-… ∗∗∗ Changes in Password Best Practices ∗∗∗ --------------------------------------------- NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they dont help that much. Its better to allow people to use pass phrases.Stop it with password expiration. That was an old idea for an old way we used [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html ∗∗∗ The Absurdly Underestimated Dangers of CSV Injection ∗∗∗ --------------------------------------------- In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV. --------------------------------------------- http://georgemauer.net/2017/10/07/csv-injection.html ∗∗∗ Financial Times bekämpft Werbebetrug ∗∗∗ --------------------------------------------- Millionenverluste durch Domain-Spoofing: Werbenetzwerke verkauften Videowerbung für Leser der Financial Times, die aber tatsächlich auf anderen Websites ausgespielt wurde. --------------------------------------------- https://www.heise.de/newsticker/meldung/Financial-Times-bekaempft-Werbebetr… ∗∗∗ Google-Analyse: Microsoft patcht Windows 7/8 teilweise nicht ∗∗∗ --------------------------------------------- Forscher von Google haben nachgewiesen, dass Microsoft Sicherheitslücken in Windows 10 behoben hat, die gleichen Lücken in Windows 7 und 8 jedoch offen ließ. Patches kamen erst, als die Veröffentlichung durch Project Zero drohte. --------------------------------------------- https://heise.de/-3852695 ∗∗∗ Über 37.000 Chrome-Nutzer installierten gefälschte Adblock-Plus-Extension ∗∗∗ --------------------------------------------- Die Browser-Erweiterung Adblock Plus soll vor Werbung und Schadcode schützen. Eine kürzlich aus dem Chrome Web Store entfernte Extension gleichen Namens führte das genaue Gegenteil im Schilde. Im Zweifel ist eine Neuinstallation ratsam. --------------------------------------------- https://heise.de/-3854625 ∗∗∗ Sicherheits-App der Erste Bank ist Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte Erste Bank und Sparkasse-Nachricht. Darin behaupten sie, dass das Konto von Kund/innen eingeschränkt worden sei und sie zur weiteren Benutzung eine Sicherheits-App installieren müssen. Die angebliche Sicherheits-App ist Schadsoftware. Wer sie isntalliert, ermöglicht Kriminellen Zugriff auf das eigene Konto. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/sicherheits-app-der-erste-b… ===================== = Vulnerabilities = ===================== ∗∗∗ SAP Security Patch Day – October 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...] --------------------------------------------- https://blogs.sap.com/2017/10/10/sap-security-patch-day-october-2017/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Host On-Demand ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009289 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center and Client Management Services (CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009293 ∗∗∗ IBM Security Bulletin: WebSphere Application Server Edge Caching Proxy may be vulnerable to HTTP response splitting (CVE-2017-1503) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006815 ∗∗∗ IBM Security Bulletin: Open Source Apache Cordova Android Vulnerabilities affect IBM Worklight and IBM MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000350 ∗∗∗ IBM Security Bulletin:IBM Integration Bus is affected by deserialization RCE vulnerability in IBM WebSphere JMS Client ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008829 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2017
by Daily end-of-shift report 09 Oct '17

09 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-10-2017 18:00 − Montag 09-10-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitssoftware: Schlangenöl oder notwendiges Übel? ∗∗∗ --------------------------------------------- Als Schlangenöl wurden in Zeiten des Wilden Westens vorwiegend medizinische Produkte und Hilfsmittel bezeichnet, deren Wirkung wenig bis keinen Ursprung in den darin verwendeten Zutaten hatte oder schlicht nicht existent war. Der Begriff wird mittlerweile auch im Software-Kontext für Produkte verwendet, die mehr versprechen, als sie halten können. Besonders .. --------------------------------------------- https://www.dfn-cert.de/aktuell/sicherheitssoftware-schlangenoel.html ∗∗∗ Foren-Tool Disqus gehackt: 17,5 Millionen User betroffen ∗∗∗ --------------------------------------------- Der Vorfall, bei dem Usernamen und Passwörter abgegriffen wurden, ereignete sich bereits vor fünf Jahren. Disqus will bis jetzt nichts davon gewusst haben. --------------------------------------------- https://futurezone.at/digital-life/foren-tool-disqus-gehackt-17-5-millionen… ∗∗∗ Passwortmanager im Vergleich: Das letzte Passwort, das du dir jemals merken musst ∗∗∗ --------------------------------------------- Menschen scheinen nicht dafür gemacht, sich sehr viele komplizierte Passwörter zu merken. Abhilfe schaffen Passwortmanager. Wir haben die Lösungen von Keepass, Lastpass, 1Password und Dashlane verglichen - und bei allen Stärken gefunden. --------------------------------------------- https://www.golem.de/news/passwortmanager-im-vergleich-das-letzte-passwort-… ∗∗∗ After selling his site for millions, founder hacked it for a second payday ∗∗∗ --------------------------------------------- Rigzone founder sentenced for data duplication scheme "Operation Resume Hoard" was going well. Initiated around April 1, 2015, it represented David W. Kents plan to build the membership of his oil and gas industry .. --------------------------------------------- www.theregister.co.uk/2017/10/07/after_selling_site_for_millions_founder_ha… ∗∗∗ Dnsmasq: A Reality Check and Remediation Practices ∗∗∗ --------------------------------------------- Dnsmasq is the de-facto tool for meeting the DNS/DHCP requirements of small servers and embedded devices. Recently, Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/dnsmasq-reality-… ∗∗∗ John Kellys Hacked Phone Could Be a Major National Security Issue ∗∗∗ --------------------------------------------- When the former head of the Department of Homeland Security and current White House Chief of Staffs personal smartphone gets hacked, nothing good can happen. --------------------------------------------- https://www.wired.com/story/john-kelly-hacked-phone ∗∗∗ TLS 1.3: Security-Devices verhindern die Einführung ∗∗∗ --------------------------------------------- Alle Security-Experten sind sich einig, dass der Standard TLS 1.3 ein deutlicher Schritt zu mehr Sicherheit im Internet wäre. Doch ausgerechnet Security-Devices, die Verschlüsselung aufbrechen, verhindern die Einführung auf nicht absehbare Zeit. --------------------------------------------- https://heise.de/-3852819 ∗∗∗ Testing Security Keys ∗∗∗ --------------------------------------------- http://www.imperialviolet.org/2017/10/08/securitykeytest.html ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3993 tor - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3993 ∗∗∗ DSA-3994 nautilus - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3994 ∗∗∗ Symantec Endpoint Encryption / Symantec Encryption Desktop DoS ∗∗∗ --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… ∗∗∗ HPESBHF03777 rev.2 - HPE Intelligent Management Center (iMC) PLAT, Remote Denial of Service ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2017
by Daily end-of-shift report 06 Oct '17

06 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-10-2017 18:00 − Freitag 06-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers Hijack Ongoing Email Conversations to Insert Malicious Documents ∗∗∗ --------------------------------------------- A group of hackers is using a sophisticated technique of hijacking ongoing email conversations to insert malicious documents that appear to be coming from a legitimate source and infect other targets participating in the same conversational thread. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-ongoing-email… ∗∗∗ IT-Sicherheit: Für das FBI Botnetze ausschalten ∗∗∗ --------------------------------------------- Der deutsche IT-Sicherheitsforscher Tillmann Werner hat der US-Behörde FBI geholfen, einen gefährlichen Hacker zu jagen. --------------------------------------------- https://www.golem.de/news/it-sicherheit-fuer-das-fbi-botnetze-ausschalten-1… ∗∗∗ Geheimdienste: Wenn Hacker Hacker hacken, scheitert die Attribution ∗∗∗ --------------------------------------------- Einen Hack bis zu seinem Ursprung zurückzuverfolgen, gilt im IT-Sicherheitsbereich als schwieriges Geschäft. Neue Forschungen von Kaspersky zeigen, dass die Situation noch verfahrener ist, als bislang angenommen. --------------------------------------------- https://www.golem.de/news/geheimdienste-wenn-hacker-hacker-hacken-scheitert… ∗∗∗ Whats in a cable? The dangers of unauthorized cables, (Fri, Oct 6th) ∗∗∗ --------------------------------------------- As data speeds have increased over the last few years, and interface ports have become more and more multi-functioning and integrated, cables have started to pose a very particular and real danger. So far, they often have been ignored and considered "dumb wires". But far from that, many cables these days hold logic chips of their own and in some cases even upgradable (replaceable) firmware. --------------------------------------------- https://isc.sans.edu/diary/rss/22904 ∗∗∗ Dumb bug of the week: Apples macOS reveals your encrypted drives password in the hint box ∗∗∗ --------------------------------------------- High Sierra update derided by devs as half-baked | Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/05/apple_patch… ∗∗∗ Wenn Facebook-Freund/innen nach Geld fragen ∗∗∗ --------------------------------------------- Nachdem Facebook-Konten erfolgreich gehackt wurden, versuchen Betrüger daraus Kapital zu schlagen. Aus diesem Grund schreiben sie Kontakte an und erfinden Geschichten, um an schnelles Geld zu kommen. Um kein Opfer dieser Masche zu werden, sollte den Inhalten nicht leichtfertig geglaubt werden. --------------------------------------------- https://www.watchlist-internet.at/facebook-betrug/wenn-facebook-freundinnen… ∗∗∗ Cyber-Sicherheit am Arbeitsplatz: Persönliche Daten im Internet schützen ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/ECSM_BSI_06… ===================== = Vulnerabilities = ===================== ∗∗∗ GE CIMPLICITY ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow vulnerability in GEs CIMPLICITY. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01 ∗∗∗ ZDI-17-838: (0Day) Microsoft Windows WAV File Uninitialized Pointer Denial of Service Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to cause a denial-of-service condition on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-838/ ∗∗∗ DFN-CERT-2017-1757: Ruby: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1757/ ∗∗∗ HPESBHF03786 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Notes ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009253 ∗∗∗ IBM Security Bulletin: Multiple DB2 vulnerabilities affect IBM Spectrum Protect (formerly Tivoli Storage Manger) Server (CVE-2017-1105, CVE-2017-1297) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009194 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in Open Source zlib affect IBM Netezza SQL Extensions ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001212 ∗∗∗ Linux kernel vulnerability CVE-2017-14106 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K62178133 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2017
by Daily end-of-shift report 05 Oct '17

05 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-10-2017 18:00 − Donnerstag 05-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mozilla to End All Firefox Support for XP and Vista in June 2018 ∗∗∗ --------------------------------------------- Mozilla announced today plans to discontinue any support for the Firefox browser on Windows XP and Vista in June 2018. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/software/mozilla-to-end-all-firefox-s… ∗∗∗ Avast: Ccleaner-Malware hat drei Stufen und verschont 64-Bit-PCs ∗∗∗ --------------------------------------------- Die Malware in einer Ccleaner-Version hatte mindestens drei Stufen - von der ersten waren 1,65 Millionen Personen betroffen. Wer ein 64-Bit-Windows nutzt, soll allerdings nichts zu befürchten haben. --------------------------------------------- https://www.golem.de/news/avast-ccleaner-malware-hat-drei-stufen-und-versch… ∗∗∗ Security Awareness Month: How to Help Friends and Family, (Wed, Oct 4th) ∗∗∗ --------------------------------------------- For the last few years, October has been "Security Awareness Month", with various organizations using it to promote security awareness. We have done a few "themed" diaries around security awareness in past years, but for the most part, there isn't that much new to say for our core audience. Security awareness is however still a big issue for the rest of humanity, and if you are looking for advice to help friends and family become more security-aware, then the [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22896 ∗∗∗ SYSCON Backdoor Uses FTP as a C&C Channel ∗∗∗ --------------------------------------------- Bots can use various methods to establish a line of communication between themselves and their command-and-control (C&C) server. Usually, these are done via HTTP or other TCP/IP connections. However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C&C server. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Mw_aCJ0nNos/ ∗∗∗ Common Sense in EDI Security ∗∗∗ --------------------------------------------- [...] Looking at these examples, we can see that security is a process, a chain of events; for security measures to succeed, every link in the chain of events must be as secure as possible. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/common-… ∗∗∗ Outsmarting grid security threats ∗∗∗ --------------------------------------------- Almost two-thirds (63 percent) of utility executives believe their country faces at least a moderate risk of electricity supply interruption from a cyberattack on electric distribution grids in the next five years. The Accenture survey of more than 100 utilities executives from over 20 countries revealed interruptions to the power supply from cyberattacks is the most serious concern, cited by 57 percent of respondents. Just as worrying is the physical threat to the distribution grid. --------------------------------------------- https://www.helpnetsecurity.com/2017/10/05/grid-security-threats/ ∗∗∗ PoC for several Magento vulnerabilities released, update now! ∗∗∗ --------------------------------------------- DefenseCode has published proof of concept code for two CSRF and stored XSS vulnerabilities affecting a number of versions of the popular e-commerce platform Magento. Magento is an open source platform that provides merchants with control over their online stores and a shopping cart system, as well as tools to improve the visibility and management of the shop. About the vulnerabilities Security researcher Bosko Stankovic discovered the security flaws during a security audit of Magento [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/10/05/magento-vulnerability-poc-code/ ===================== = Vulnerabilities = ===================== ∗∗∗ iManager 3.0.4 ∗∗∗ --------------------------------------------- Abstract: This patch addresses important issues found since the original release of iManager 3.0. --------------------------------------------- https://download.novell.com/Download?buildid=r_GBmD8A9cU~ ∗∗∗ eDirectory 9.0.4 ∗∗∗ --------------------------------------------- Abstract: This update is being provided to resolve important issues found since the original release of Novell eDirectory 9.0. --------------------------------------------- https://download.novell.com/Download?buildid=WKnTKcctISw~ ∗∗∗ Apple security update for watchOS ∗∗∗ --------------------------------------------- watchOS 4.0.1 includes the security content of watchOS 4 and is available for Apple Watch Series 3 (GPS + Cellular). --------------------------------------------- https://support.apple.com/en-us/HT208163 ∗∗∗ DFN-CERT-2017-1736: Digium Asterisk, Digium Certified Asterisk: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1736/ ∗∗∗ DFN-CERT-2017-1750: cURL: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1750/ ∗∗∗ DFN-CERT-2017-1755: Sophos UTM Manager: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1755/ ∗∗∗ Cisco Security Advisories and Alerts ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-971654 (Last Update 2017-10-05): Authentication Bypass in 7KT PAC1200 Data Manager from the SENTRON Portfolio ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-971654… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2017
by Daily end-of-shift report 04 Oct '17

04 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-10-2017 18:00 − Mittwoch 04-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Announces New Tool to Investigate Memory Corruption Bugs ∗∗∗ --------------------------------------------- Microsoft announced yesterday a new tool that automates the process of detecting the root cause of memory corruption issues. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-new-too… ∗∗∗ New Rowhammer Attack Bypass Previously Proposed Countermeasures ∗∗∗ --------------------------------------------- Security researchers have come up with a variation of the Rowhammer attack that bypasses all previously proposed countermeasures. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-rowhammer-attack-bypass-… ∗∗∗ Website Hosting: Security Awareness Can Reduce Costs ∗∗∗ --------------------------------------------- Website hosting security has matured in recent years. Naturally, the types of security issues have changed because of it. For example, cross-contamination over multiple shared hosting accounts used to be a major problem for large website hosting providers, but this isn’t really a huge threat today. However, malware attacks and other website security-related issues at the account level are still very real problems – just ask anyone who has had their website defaced, redirected, or [...] --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/3W5Ls3JO36o/website-hosting-s… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3991 qemu - security update ∗∗∗ --------------------------------------------- Multiple vulnerabilities were found in qemu, a fast processor emulator: --------------------------------------------- https://www.debian.org/security/2017/dsa-3991 ∗∗∗ Apple Releases Security Update for iOS ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 Apple has released iOS 11.0.2 to address vulnerabilities in previous versions of iOS. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Apple-Releases-Sec… ∗∗∗ Apache Releases Security Updates for Apache Tomcat ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 The Apache Software Foundation has released Apache Tomcat 9.0.1 and 8.5.23 to address a vulnerability in previous versions of the software. A remote attacker could exploit this vulnerability to take control of an affected server. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Apache-Releases-Se… ∗∗∗ Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Integrated Management Controller Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Integrated Management Controller Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Advisories ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Linux kernel vulnerability CVE-2017-14489 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71796229 ∗∗∗ HPESBMU03753 rev.2 - HPE System Management Homepage for Windows and Linux, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03782 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03776 rev.1 - HPE Intelligent Management Center (iMC) Service Operation Management (SOM), Remote Arbitrary File Download ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03778 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03777 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Denial of Service ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03781 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2017
by Daily end-of-shift report 03 Oct '17

03 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 02-10-2017 18:00 − Dienstag 03-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Three WordPress Plugin Zero-Days Exploited in the Wild ∗∗∗ --------------------------------------------- Hackers have exploited three zero-days to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/three-wordpress-plugin-zero-… ∗∗∗ Security Bugs in Dnsmasq Affect Computers, Smartphones, Routers, IoT Devices ∗∗∗ --------------------------------------------- Security researchers at Google have found seven security bugs in the Dnsmasq application that put an inestimable number of desktops, servers, smartphones, routers, and other IoT devices at risk of hacking. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/security-bugs-in-dnsmasq-aff… ∗∗∗ Cyber Security Challenge: Das Team Austria steht fest ∗∗∗ --------------------------------------------- Nach dem Finale ist vor dem Finale: Die Sieger der Austria Cyber Security Challenge trainieren jetzt für den Sieg im europäischen Hacker-Wettbewerb. --------------------------------------------- https://futurezone.at/digital-life/cyber-security-challenge-das-team-austri… ∗∗∗ Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices ∗∗∗ --------------------------------------------- Netgear patches over a dozen vulnerabilities impacting its routers, switches and NAS devices. --------------------------------------------- http://threatpost.com/netgear-fixes-50-vulnerabilities-in-routers-switches-… ∗∗∗ E-Mail Tracking ∗∗∗ --------------------------------------------- Interesting survey paper: on the privacy implications of e-mail tracking: Abstract: We show that the simple act of viewing emails contains privacy pitfalls for the unwary. We assembled a corpus of commercial mailing-list emails, and find a network of hundreds of third parties that track email recipients via methods such as embedded pixels. About 30% of emails leak the recipients email address to one or more of these third parties when they are viewed. In the majority of cases, these leaks are [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/10/e-mail_tracking.html ∗∗∗ Outdated vendor systems leaving finance industry at risk ∗∗∗ --------------------------------------------- BitSight data scientists found that in most cases, companies in the finance industry supply chain are not meeting the same security standards that finance companies hold for their own organizations. The spread of BitSight Security Ratings amongst Finance Firms and monitored Legal, Technology, and Business Services organizations as of September 1st, 2017. "While finance organizations tend to have more sophisticated vendor risk management programs, there is a lot of work to be done to close [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/10/03/outdated-vendor-systems/ ∗∗∗ Threat Hunting Part 2: Hunting on ICS Networks ∗∗∗ --------------------------------------------- In this edition of the Dragos Threat Hunting on ICS network series, we will compare threat hunting on industrial networks with concepts from the wider threat hunting community. We will also look at how the unique characteristics of industrial networks can be used to an advantage as network defense professionals [...] --------------------------------------------- https://dragos.com/blog/20170927-ThreatHuntingSeriesPart2.html ===================== = Vulnerabilities = ===================== ∗∗∗ Dnsmasq Contains Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 Dnsmasq versions 2.77 and prior contain multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Dnsmasq-Contains-M… ∗∗∗ Android Security Bulletin—October 2017 ∗∗∗ --------------------------------------------- https://source.android.com/security/bulletin/2017-10-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2017
by Daily end-of-shift report 02 Oct '17

02 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-09-2017 18:00 − Montag 02-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Mobile Forensics Process: Steps & Types ∗∗∗ --------------------------------------------- Introduction: Importance of Mobile Forensics The term "mobile devices" encompasses a wide array of gadgets ranging from mobile phones, smartphones, tablets, and GPS units to wearables and PDAs. What they all have in common is the fact that they can contain a lot of user information. Mobile devices are right in the middle of three[...] --------------------------------------------- http://resources.infosecinstitute.com/mobile-forensics-process-steps-types/ ∗∗∗ Investigating Security Incidents with Passive DNS, (Mon, Oct 2nd) ∗∗∗ --------------------------------------------- Sometimes when you need to investigate a security incident or to check for suspicious activity, you become frustrated because the online resource that youre trying to reach has already been cleaned. We cannot blame system administrators and webmasters who are just doing their job. If some servers or websites remains compromised for weeks, others are very quickly restored/patched/cleaned to get rid of the malicious content. Its the same for domain names. Domains registered only for malicious [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22886 ∗∗∗ DNSSEC Key Signing Key Rollover Postponed ∗∗∗ --------------------------------------------- Original release date: September 29, 2017 The Internet Corporation for Assigned Names and Numbers (ICANN) has announced that the change to the Root Zone Key Signing Key (KSK) scheduled for October 11, 2017, has been postponed. A new date for the Key Roll has not yet been determined.DNSSEC is a set of DNS protocol extensions used to digitally sign DNS information, which is an important part of preventing domain name hijacking. Updating the DNSSEC KSK is a crucial security step, similar to [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/09/29/DNSSEC-Key-Signing… ∗∗∗ European Cyber Security Month: United against Cyber Security Threats ∗∗∗ --------------------------------------------- October 2017 is European Cyber Security Month and this year marks the 5th year anniversary of the European Cyber Security Month campaign. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/european-cyber-security-month-u… ∗∗∗ Good Analysis = Understanding(tools + logs + normal) ∗∗∗ --------------------------------------------- We had a reader send an email in a couple of weeks ago asking about understanding the flags field when looking at data in a report. He didnt understand what the "flags" were referring to or what the actual flags mean. "They don’t appear related to TCP header flags like I’ve normally seen...S is the most common but I occasionally see RSA, RUS and a few others." --------------------------------------------- https://isc.sans.edu/forums/diary/Good+Analysis+Understandingtools+logs+nor… ===================== = Vulnerabilities = ===================== ∗∗∗ eDirectory 9.0.4 ∗∗∗ --------------------------------------------- Abstract: This update is being provided to resolve important issues found since the original release of Novell eDirectory 9.0. --------------------------------------------- https://download.novell.com/Download?buildid=WKnTKcctISw~ ∗∗∗ iManager 3.0.4 ∗∗∗ --------------------------------------------- Abstract: This patch addresses important issues found since the original release of iManager 3.0. --------------------------------------------- https://download.novell.com/Download?buildid=r_GBmD8A9cU~ ∗∗∗ XSA-245 ARM: Some memory not scrubbed at boot ∗∗∗ --------------------------------------------- Impact: Sensitive information from one domain before a reboot might be visible to another domain after a reboot. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-245.html ∗∗∗ Vuln: SolarWinds Network Performance Monitor CVE-2017-9538 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101066 ∗∗∗ DFN-CERT-2017-1723: GitLab: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebiger Befehle ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1723/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-535640 (Last Update 2017-10-02): Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640… ∗∗∗ HPESBMU03753 rev.2 - HPE System Management Homepage for Windows and Linux, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily October 2017