=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 11-03-2015 18:00 − Thursday 12-03-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Cyber Security in Supply Chain Management: Part 1 ***
---------------------------------------------
Introduction: Cyber security is generally thought of as various types of security devices such as firewalls, Web Application Firewalls (WAF), IDS/IPS, SIEM, DLP etc. that safeguard networks, applications and data. But what if, for example, the deployed security solutions themselves contain a bug? The latest example of this is the disclosure of a vulnerability in Lenovo notebooks.
---------------------------------------------
http://resources.infosecinstitute.com/cyber-security-in-supply-chain-manage…
*** Paper: Windows 10 patching process may leave enterprises vulnerable to zero-day attacks ***
---------------------------------------------
Aryeh Goretsky gives advice on how to adapt to Windows 10's patching strategy. Patching is hard, especially when the code base is old and the bugs are buried deeply. This was highlighted once again this week when Microsoft released a patch for a vulnerability that was thought to have been patched almost five years ago, but which could still be exploited. In fact, six out of the last eight Patch Tuesdays have included patches that have caused problems for some Windows users. Probably in response to...
---------------------------------------------
http://www.virusbtn.com/blog/2015/03_12.xml?rss
*** Microsoft SHA-2 Advisory Causing "Infinite Loop" Issues ***
---------------------------------------------
Windows users are having issues with a security update issued this week meant to add SHA-2 code-signing and verification support to Windows 7 and Windows Server 2008 R2 machines.
---------------------------------------------
http://threatpost.com/microsoft-sha-2-advisory-causing-infinite-loop-issues…
*** Serious security vulnerability in the xt:Commerce shop system ***
---------------------------------------------
There is currently a security hole in the current release branch of the widely used online shop system xt:Commerce. A patch is already available.
---------------------------------------------
http://heise.de/-2573755
*** Who got the bad SSL Certificate? Using tshark to analyze the SSL handshake., (Thu, Mar 12th) ***
---------------------------------------------
Ever wonder if any of your users connect to sites with bad SSL certificates? I ran into this issue recently when debugging some SSL issues, and ended up with this quick tshark and shell script trick to extract the necessary information from a packet capture. First, you may want to compare the host name your clients connect to, to the host name returned as part of the certificate. While the Host header is encrypted and not accessible, modern SSL libraries use Server Name Indication (SNI) as part...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19455&rss
*** Defending Against PoS RAM Scrapers ***
---------------------------------------------
Stealing payment card data has become an everyday crime that yields quick monetary gains. Attackers aim to steal the data stored in the magnetic stripe of payment cards, optionally clone the cards, and run charges on the accounts associated with them. The topic of PoS RAM scraper malware always prompts businesses and retailers to ask...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/CYPwDbRGFfc/
*** Dropbox Patches Remotely Exploitable Vulnerability in SDK ***
---------------------------------------------
Developers at Dropbox recently fixed a remotely exploitable vulnerability in the Android SDK version of the app that enabled attackers to connect applications on some devices to a Dropbox account without the user's consent.
---------------------------------------------
http://threatpost.com/dropbox-patches-remotely-exploitable-vulnerability-in…
*** Inverted WordPress Trojan ***
---------------------------------------------
A trojan (or trojan horse) is software that does (or pretends to be doing) something useful but also contains a secret malicious payload that inconspicuously does something bad. In WordPress, typical trojans are plugins and themes (usually pirated) which may have backdoors, or send out spam, create doorways, inject hidden links or malware. The trojan model...
---------------------------------------------
http://blog.sucuri.net/2015/03/inverted-wordpress-trojan.html
*** RSA Digital Certificate Manager Input Validation Flaws Permit Cross-Site Scripting and Denial of Service Attacks ***
---------------------------------------------
http://www.securitytracker.com/id/1031912
*** EMC Secure Remote Services GHOST / SQL Injection / Command Injection ***
---------------------------------------------
Topic: EMC Secure Remote Services GHOST / SQL Injection / Command Injection. Risk: High. Text: ESA-2015-040: EMC Secure Remote Services Virtual Edition Security Update for Multiple Vulnerabilities CVE Identifier: CVE-2...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030076
*** Google Android Integer Overflow / Heap Corruption ***
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030079
*** phpMyAdmin Bug May Disclose CSRF Token to Remote Users ***
---------------------------------------------
http://www.securitytracker.com/id/1031871
*** Elipse E3 Process Control Vulnerability (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-15-069-04 Elipse E3 Process Control Vulnerability that was published March 10, 2015, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-069-04A
*** IBM Security Bulletin: Apache Tomcat request smuggling affects Algo Audit and Compliance (CVE-2014-0227) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21698437
*** IBM Security Bulletin: IBM PowerVC - Ceilometer DB2/MongoDB Backend Password Leak (CVE-2013-6384) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1020585
*** IBM Security Bulletin: GNU C library (glibc) vulnerability affects IBM/Cisco Switches and Directors (CVE-2015-0235) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1005122
*** IBM Security Bulletin: Multiple IBM InfoSphere Information Server components are affected by a vulnerability in the XML4C parser (CVE-2014-8901) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21696312
*** SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting (XSS) ***
---------------------------------------------
https://www.drupal.org/node/2450427
*** SA-CONTRIB-2015-076 - Image Title - Cross Site Scripting (XSS) ***
---------------------------------------------
https://www.drupal.org/node/2450393
*** SA-CONTRIB-2015-075 - Perfecto - Open Redirect ***
---------------------------------------------
https://www.drupal.org/node/2450391
*** SA-CONTRIB-2015-074 - Site Documentation - Cross Site Scripting (XSS) ***
---------------------------------------------
https://www.drupal.org/node/2450387
*** Pie Register 2.0.14 - Cross Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7842
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 10-03-2015 18:00 − Wednesday 11-03-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Inside the EquationDrug Espionage Platform ***
---------------------------------------------
EquationDrug represents the main espionage platform from the Equation Group. It has been in use for over 10 years, replacing EquationLaser until it was itself replaced by the even more sophisticated GrayFish platform.
---------------------------------------------
http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage…
*** DroppedIn: Remotely Exploitable Vulnerability in the Dropbox SDK for Android ***
---------------------------------------------
The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim's knowledge or authorization. This is a serious flaw in the authentication mechanism within any Android app using a Dropbox SDK Version 1.5.4 through 1.6.1 (note: this vulnerability was resolved in Dropbox SDK for Android v1.6.2).
---------------------------------------------
http://securityintelligence.com/droppedin-remotely-exploitable-vulnerabilit…
*** Unpatched security vulnerabilities affecting Facebook ***
---------------------------------------------
A web security researcher from Portugal has discovered several vulnerabilities affecting Facebook that he considers to be serious, but hasn't had much success convincing the company of that, so he sha...
---------------------------------------------
http://www.net-security.org/secworld.php?id=18069
*** Reconnect tool for hacking Facebook is publicly available ***
---------------------------------------------
The security expert Egor Homakov from the firm Sakurity has released the Reconnect tool, which allows hackers to hijack accounts on sites that use Facebook logins. Homakov has developed a hacking tool dubbed Reconnect that exploits a flaw in Facebook to hijack accounts on sites that use Facebook logins. Homakov, who works for...
---------------------------------------------
http://securityaffairs.co/wordpress/34705/hacking/reconnect-hacking-faceboo…
*** DDoS on UPNP Devices ***
---------------------------------------------
A denial of service (DoS) attack is an attempt to make a machine or a network resource unavailable to its users. It basically consists of methods to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet, and these attacks are sent by one person or a system. One common method of...
---------------------------------------------
http://resources.infosecinstitute.com/ddos-upnp-devices/
*** Full details on CVE-2015-0096 and the failed MS10-046 Stuxnet fix ***
---------------------------------------------
In early January 2015, researcher Michael Heerklotz approached the Zero Day Initiative with details of a vulnerability in the Microsoft Windows operating system. We track this issue as ZDI-15-086. Unless otherwise noted, the technical details in this blog post are based on his detailed research.
---------------------------------------------
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-…
*** Threatglass has pcap files with exploit kit activity, (Tue, Mar 10th) ***
---------------------------------------------
Threatglass is one way to find up-to-date examples of exploit kit traffic. Not all of it is exploit kit traffic, but all of it represents some sort of malicious activity. Threatglass doesn't explain what type of traffic you're looking at from the pcaps the site provides. Let's look at a page from last week on Thursday, March 5th 2015 [1]. This one is exploit kit activity. In the image below, you'll find a link to the packet capture in the lower right-hand corner. Download the pcap and open...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19433&rss
*** n00bs CTF Labs by Infosec Institute ***
---------------------------------------------
n00bs CTF (Capture the Flag) Labs is a web application presented by Infosec Institute. It has 15 mini Capture the Flag challenges intended for beginners and newbies in the information security field or for any average infosec enthusiasts who haven't attended hacker conventions yet. So what is a CTF? In hacker conventions, CTF or Capture...
---------------------------------------------
http://resources.infosecinstitute.com/n00bs-ctf-labs-infosec-institute/
*** Warning: Panda virus scanner wrecks Windows, do not reboot! ***
---------------------------------------------
Panda Security's antivirus products have crippled numerous Windows machines because of faulty signatures. Those affected should sit tight and not restart the system, since under some circumstances it will no longer boot.
---------------------------------------------
http://heise.de/-2573233
*** Panda Antivirus: Serious bug in virus scanner deletes system files ***
---------------------------------------------
A serious bug in Panda's antivirus software can under certain circumstances lead to a completely unusable system. Panda confirms the problem. Golem.de has received initial hints on how to stop the bug. (Virus scanners, Applications)
---------------------------------------------
http://www.golem.de/news/panda-antivirus-gravierender-fehler-im-virenscanne…
*** Doctor Web: February 2015 virus activity review ***
---------------------------------------------
March 4, 2015. The shortest month of the year had its share of new malware. In early February, Doctor Web security researchers finished examining a complex multi-purpose malicious program for Linux, while at month's end, they published the results of their analysis of a new version of a backdoor for Mac OS X. As before, malicious programs for Android remained active throughout the month. PRINCIPAL TRENDS IN JANUARY: New Linux Trojans. Virus makers are still showing an interest in Mac OS X.
---------------------------------------------
http://news.drweb.com/show/?i=9316&lng=en&c=9
*** A look into the future of mobile malware ***
---------------------------------------------
Kaspersky has published an analysis of an Android malware that is currently active only in Russia, but gives a foretaste of what could soon happen here as well. Key points: The thing is by now as modular and well protected as typical Windows malware frameworks. It contains code to sign the victim up for various premium services. In doing so it can automatically...
---------------------------------------------
http://www.cert.at/services/blog/20150311102554-1454.html
*** DSA-3177 mod-gnutls - security update ***
---------------------------------------------
Thomas Klute discovered that in mod-gnutls, an Apache module providing SSL and TLS encryption with GnuTLS, a bug caused the server's client verify mode not to be considered at all, in case the directory's configuration was unset. Clients with invalid certificates were then able to leverage this flaw in order to get access to that directory.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3177
*** DSA-3182 libssh2 - security update ***
---------------------------------------------
Mariusz Ziulek reported that libssh2, an SSH2 client-side library, was reading and using the SSH_MSG_KEXINIT packet without doing sufficient range checks when negotiating a new SSH session with a remote server. A malicious attacker could man in the middle a real server and cause a client using the libssh2 library to crash (denial of service) or otherwise read and use unintended memory areas in this process.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3182
*** Manage Engine AD Audit Manager Plus Cross Site Scripting ***
---------------------------------------------
Topic: Manage Engine AD Audit Manager Plus Cross Site Scripting. Risk: Low. Text: # Title:- Reflected cross-site scripting (XSS) Vulnerability in Manage Engine AD Audit Manager Plus Admin Panel (Bui...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030060
*** tcpdump Denial Of Service / Code Execution ***
---------------------------------------------
Topic: tcpdump Denial Of Service / Code Execution. Risk: High. Text: Hi, please find tcpdump 4.7.2 source code at: http://www.ca.tcpdump.org/beta/tcpdump-4.7.2.tar.gz http://www.ca.tcpdu...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030064
*** Cisco Intrusion Prevention System MainApp Secure Socket Layer Denial of Service Vulnerability ***
---------------------------------------------
cisco-sa-20150311-ips
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in Cisco TelePresence Video Communication Server, Cisco Expressway, and Cisco TelePresence Conductor ***
---------------------------------------------
cisco-sa-20150311-vcs
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** IBM Security Bulletin: Multiple vulnerabilities fixed in Current Release of Liberty for Java for IBM Bluemix (CVE-2012-6153, CVE-2014-3577, CVE-2015-0178) ***
---------------------------------------------
2015-03-11T10:06:12-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21696864
*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities could, if exploited, allow ...
---------------------------------------------
http://support.citrix.com/article/CTX200484
*** HPSBNS03280 rev.1 - HP NonStop Servers running SAMBA, Remote Execution of Arbitrary Code ***
---------------------------------------------
A potential security vulnerability has been identified with HP NonStop Servers running SAMBA. The vulnerability could be exploited remotely resulting in execution of arbitrary code.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** HPSBUX03281 SSRT101968 rev.1 - HP-UX running Java7, Remote Unauthorized Access, Disclosure of Information and Other Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** USN-2524-1: eCryptfs vulnerability ***
---------------------------------------------
Ubuntu Security Notice USN-2524-1, 10th March, 2015: ecryptfs-utils vulnerability. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS, Ubuntu 10.04 LTS. Summary: Sensitive information in encrypted home and Private directories could be exposed if an attacker gained access to your files. Software description: ecryptfs-utils - eCryptfs cryptographic filesystem utilities. Details: Sylvain Pelissier discovered that eCryptfs did not generate a random
---------------------------------------------
http://www.ubuntu.com/usn/usn-2524-1/
*** USN-2522-3: ICU vulnerabilities ***
---------------------------------------------
Ubuntu Security Notice USN-2522-3, 10th March, 2015: icu vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS. Summary: ICU could be made to crash or run programs as your login if it processed specially crafted data. Software description: icu - International Components for Unicode library. Details: USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font patches caused a regression when using LibreOffice Calc. The patches have now been updated
---------------------------------------------
http://www.ubuntu.com/usn/usn-2522-3/
*** VU#794095: Telerik Analytics Monitor Library allows DLL hijacking ***
---------------------------------------------
Vulnerability Note VU#794095: Telerik Analytics Monitor Library allows DLL hijacking. Original Release date: 10 Mar 2015 | Last revised: 10 Mar 2015. Overview: Telerik Analytics Monitor Library is a third-party application analytics service that collects detailed application metrics for vendors. Some versions of the Telerik library allow DLL hijacking, allowing an attacker to load malicious code in the context of the Telerik-based application. Description: CWE-114: Process Control. Telerik...
---------------------------------------------
http://www.kb.cert.org/vuls/id/794095
*** WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7841
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 09-03-2015 18:00 − Tuesday 10-03-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** MS15-MAR - Microsoft Security Bulletin Summary for March 2015 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for March 2015.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS15-MAR
*** Apple Patches for iOS, OS X and Apple TV, (Tue, Mar 10th) ***
---------------------------------------------
With yesterday's updates for iOS, OS X and Apple TV, Apple also addressed a number of security vulnerabilities, most notably the FREAK vulnerability. After updating, the affected operating systems no longer support export-quality ciphers. However, Apple browsers continue to support SSLv3 and as a result, continue to be vulnerable to POODLE. Quick summary of the security content of Apple's updates: XCode 6.2: This update addresses 4 vulnerabilities in subversion and 1 in git. OS X: 5...
---------------------------------------------
https://isc.sans.edu/diary/Apple+Patches+for+iOS%2C+OS+X+and+Apple+TV/19443
*** Exploiting the DRAM rowhammer bug to gain kernel privileges ***
---------------------------------------------
"Rowhammer" is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer...
---------------------------------------------
http://googleprojectzero.blogspot.co.at/2015/03/exploiting-dram-rowhammer-b…
*** Network Forensics What Are Your Investigations Missing - SANS DFIR WEBCAST ***
---------------------------------------------
Traditionally, computer forensic investigations focused exclusively on data from the seized media associated with a system of interest. Recently, memory analysis has become an integral part of forensic analysis, resulting in a new and significantly different way for digital examiners and investigators to perform their craft. Now another evolution in computer forensics is at hand - one that includes data collected from network devices as well as from the wires themselves. Every day, more and more...
---------------------------------------------
http://blog.malwareresearch.institute/video/2015/03/09/network-forensics-wh…
*** Yahoo Patches Critical eCommerce, Small Business Vulnerabilities ***
---------------------------------------------
Yahoo has fixed a handful of vulnerabilities that could have given an attacker free rein over all of its user-run eCommerce websites and caused multiple headaches for small business owners.
---------------------------------------------
http://threatpost.com/yahoo-patches-critical-ecommerce-small-business-vulne…
*** Attackers targeting Elasticsearch remote code execution hole ***
---------------------------------------------
Devs ring patch alarm bells, drop shell code. Attackers are targeting a patched remote code execution vulnerability in Elasticsearch that grants unauthenticated bad guys access through a buggy API.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/03/10/elastic_sea…
*** SMS Trojan bypasses CAPTCHA ***
---------------------------------------------
Trojan-SMS.AndroidOS.Podec proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system. It can also subscribe users to premium-rate services while bypassing CAPTCHA.
---------------------------------------------
http://securelist.com/analysis/publications/69169/sms-trojan-bypasses-captc…
*** Xen Security Advisory CVE-2015-2150 / XSA-120 ***
---------------------------------------------
Non-maskable interrupts triggerable by guests
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-120.html
*** Xen Security Advisory CVE-2015-2151 / XSA-123 ***
---------------------------------------------
Hypervisor memory corruption due to x86 emulator flaw
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-123.html
*** Xen Security Advisory XSA-124 ***
---------------------------------------------
Non-standard PCI device functionality may render pass-through insecure
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-124.html
*** Exploiting the DRAM "Row Hammer" Bug ***
---------------------------------------------
IBM has determined that all IBM System z, System p, and System x products are not vulnerable to this attack. IBM is analyzing other IBM products to determine if they are potentially impacted by this issue. Please actively monitor both your IBM Support Portal for available fixes and/or remediation steps and this blog for additional information.
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/exploiting_the_dram_r…
*** Row Hammer Privilege Escalation Vulnerability ***
---------------------------------------------
cisco-sa-20150309-rowhammer
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products ***
---------------------------------------------
cisco-sa-20150310-ssl
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
*** Varnish 4.0.3 heap-buffer-overflow while parsing backend server HTTP response ***
---------------------------------------------
Topic: Varnish 4.0.3 heap-buffer-overflow while parsing backend server HTTP response. Risk: High. Text: Hi there, the latest varnish-cache 4.0.3 (https://www.varnish-cache.org/) seems to have a problem with parsing HTTP responses fro...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030056
*** Foxit Reader Update Service Unsafe Service Path Lets Local Users Gain Elevated Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1031879
*** Foxit Reader GIF File LZWMinimumCodeSize Memory Corruption Error Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1031878
*** Foxit Reader GIF File Ubyte Size Memory Corruption Error Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1031877
*** Red Hat Enterprise MRG Messaging Qpid Daemon Bugs Let Remote Users Deny Service and Access the System ***
---------------------------------------------
http://www.securitytracker.com/id/1031872
*** Rails ActiveModel::Name Flaw Lets Remote Users Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031873
*** Security Advisory: MainWP-Child WordPress Plugin ***
---------------------------------------------
Security Risk: Critical. Exploitation level: Very Easy/Remote. DREAD Score: 9/10. Vulnerability: Password bypass / Privilege Escalation. Patched Version: 2.0.9.2. During a routine audit of our Website Firewall (WAF), we found a critical vulnerability affecting the popular MainWP Child WordPress plugin. According to wordpress.org, it is installed on more than 90,000 WordPress sites as a remote administration...
---------------------------------------------
http://blog.sucuri.net/2015/03/security-advisory-mainwp-child-wordpress-plu…
*** Google Analytics by Yoast 5.3.2 - Cross-Site Scripting (XSS) ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7838
*** Fraction Theme <= 1.1.1 - Privilege Escalation via CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7840
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 06-03-2015 18:00 − Monday 09-03-2015 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Attackers concealing malicious macros in XML files ***
---------------------------------------------
XML files are harmless text files, right? Wrong! The group behind the malicious Microsoft Office document campaigns has started to utilize Microsoft Office XML formats to hide malicious macros. This week, our spam traps were flooded with spam with XML...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-ma…
*** Samba Remote Code Execution Vulnerability - CVE-2015-0240 ***
---------------------------------------------
The Samba team reported CVE-2015-0240 last February 23, 2015. This vulnerability is very difficult to exploit and we are not aware of successful exploitation. However, it is quite interesting from the point of view of detection. There are two important facts: The vulnerability resides in the Netlogon Remote Protocol implementation of Samba, which is a...
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/samba-remote-cod…
*** How Malware Generates Mutex Names to Evade Detection, (Mon, Mar 9th) ***
---------------------------------------------
Malicious software sometimes uses mutex objects to avoid infecting the system more than once, as well as to coordinate communications among its multiple components on the host. Incident responders can look for known mutex names to spot the presence of malware on the system. To evade detection, some malware avoids using a hardcoded name for its mutex, as is the case with the specimen discussed in this note. Static Mutex Names as Indicators of Compromise: For background details about mutex...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19429&rss
*** New crypto ransomware in town : CryptoFortress ***
---------------------------------------------
This post has been heavily edited to fix my mistake.
---------------------------------------------
http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html
*** Seagate Confirms NAS Zero Day, Won't Patch Until May ***
---------------------------------------------
Seagate confirmed a publicly disclosed vulnerability in one of its network attached storage products, but said it won't have a patch available until May.
---------------------------------------------
http://threatpost.com/seagate-confirms-nas-zero-day-wont-patch-until-may/11…
*** OpenSSL Audit ***
---------------------------------------------
Introduction: The reputation built by NCC Group, including iSEC Partners, Matasano Security, Intrepidus Group and NGS Secure, has led compani ...
---------------------------------------------
https://www.nccgroup.com/en/blog/2015/03/openssl-audit/
*** l+f: Networked weather station transmitted WLAN password to the manufacturer ***
---------------------------------------------
The Netatmo weather stations sent not only their measurements to the Internet, but also the user's SSID and WLAN password.
---------------------------------------------
http://heise.de/-2571218
*** Update - Notes on FREAK ***
---------------------------------------------
In recent days there has once again been a great deal of media attention for a vulnerability in OpenSSL and other crypto libraries. The entry for the associated CVE ID CVE-2015-0204 has existed since November of last year; updated versions of OpenSSL were released this January. | Update 2015-03-09 | Addendum: lists of affected libraries/vendors can be found at...
---------------------------------------------
http://www.cert.at/services/blog/20150306175713-1442.html
*** Mono TLS vulnerabilities ***
---------------------------------------------
Topic: Mono TLS vulnerabilities Risk: Medium Text: Hi, A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on our TLS stack, w...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015030042
*** IBM Security Bulletin: Multiple Vulnerabilities in the IBM Java SDK affect IBM Notes and Domino (Oracle January 2015 Critical Patch Update) ***
---------------------------------------------
2015-03-09T11:05:28-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21698222
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation (CVE-2014-3570, CVE-2014-3572, CVE-2015-0204) ***
---------------------------------------------
2015-03-09T11:04:47-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21698574
*** IBM Security Bulletin: Vulnerability in SSLv3 Affects Power Hardware Management Console (CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568) ***
---------------------------------------------
2015-03-09T11:01:43-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=nas8N1020593
*** IBM Security Bulletin: Vulnerability in SSLv3 enabled in IBM Host On-Demand affects Rational Functional Tester (CVE-2014-3566) ***
---------------------------------------------
2015-03-09T11:01:10-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21697348
*** IBM Security Bulletin: Fixes available for Security Vulnerabilities in IBM WebSphere Portal (CVE-2014-6214; CVE-2015-0139; CVE-2015-0177) ***
---------------------------------------------
2015-03-09T11:10:19-04:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21697213
*** HPSBUX03235 SSRT101750 rev.3 - HP-UX Running BIND, Remote Denial of Service (DoS) ***
---------------------------------------------
A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** Vulnerabilities in WordPress Plugins ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7826
https://wpvulndb.com/vulnerabilities/7827
https://wpvulndb.com/vulnerabilities/7828
https://wpvulndb.com/vulnerabilities/7829
https://wpvulndb.com/vulnerabilities/7830
https://wpvulndb.com/vulnerabilities/7831
https://wpvulndb.com/vulnerabilities/7832
https://wpvulndb.com/vulnerabilities/7833
https://wpvulndb.com/vulnerabilities/7834
https://wpvulndb.com/vulnerabilities/7835
https://wpvulndb.com/vulnerabilities/7836
https://wpvulndb.com/vulnerabilities/7837
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 05-03-2015 18:00 − Friday 06-03-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Oracle bundles adware with the Java installer for Mac OS X ***
---------------------------------------------
When installing Java, Mac users are now also being pushed adware - currently in the form of a browser extension.
---------------------------------------------
http://heise.de/-2568995
*** Intuit Failed at 'Know Your Customer' Basics ***
---------------------------------------------
Intuit, the makers of TurboTax, recently introduced several changes to beef up the security of customer accounts following a spike in tax refund fraud at the state and federal level. Unfortunately, those changes don't go far ..
---------------------------------------------
http://krebsonsecurity.com/2015/03/intuit-failed-at-know-your-customer-basi…
*** Why A Free Obfuscator Is Not Always Free. ***
---------------------------------------------
We all love our code but some of us love it so much that we don't want anyone else to read or understand it. When you think about it, that's understandable - hours and hours of hard dev work, days of testing and weeks ..
---------------------------------------------
http://blog.sucuri.net/2015/03/why-a-free-obfuscator-is-not-always-free.html
*** Cisco IOS Autonomic Networking Infrastructure Self-Referential Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Contact Form DB 2.8.29 - CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7826
*** Cisco IOS Software and Cisco IOS XE Software Crafted RADIUS Packet Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Cisco IOS XR Software Malformed SNMP Packet Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Freak: Windows also affected by SSL vulnerability ***
---------------------------------------------
Significantly more clients at risk than previously assumed - besides Android and iOS, also Opera on Linux ..
---------------------------------------------
http://derstandard.at/2000012569585
*** Internet service Onlinetvrecorder.com hacked ***
---------------------------------------------
The online recording service Onlinetvrecorder.com has fallen victim to a hacking attack. The provider recommends that all users change their password.
---------------------------------------------
http://heise.de/-2569350
*** Multiple vulnerabilities in Siemens products ***
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-15-064-01
https://ics-cert.us-cert.gov//advisories/ICSA-15-064-02
https://ics-cert.us-cert.gov//advisories/ICSA-15-064-03
https://ics-cert.us-cert.gov//advisories/ICSA-15-064-04
https://ics-cert.us-cert.gov//advisories/ICSA-15-064-05
*** Consumer advocates warn of fake e-mails from parcel services ***
---------------------------------------------
According to the German consumer advice centre (Verbraucherzentrale), the links lead to malware - the fake mails use the names of DHL and UPS
---------------------------------------------
http://derstandard.at/2000012593805
*** Powerspy: Stalking via battery consumption ***
---------------------------------------------
Instead of via Bluetooth and GPS, smartphone users can also be tracked based on their battery consumption. Powerspy makes it possible.
---------------------------------------------
http://www.golem.de/news/powerspy-stalking-ueber-den-akkuverbrauch-1503-112…
*** Adobe shirks finder's fee for reported vulnerabilities ***
---------------------------------------------
Anyone who finds vulnerabilities in Adobe Reader, Flash and the like can now report them to the vendor through a reward programme. There is no monetary reward, however - at least not from Adobe.
---------------------------------------------
http://heise.de/-2569878
*** The Ongoing Debate about the Gap between Compliance and Security ***
---------------------------------------------
Companies required to comply with the Payment Card Industry Data Security Standard (PCI DSS) must meet a wide range of technical and operational requirements. The challenge organizations face regarding PCI compliance has shifted from achieving the minimum level required to satisfy PCI audit ..
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/the-ongoing-debate-abo…
=======================
= End-of-Shift report =
=======================
Timeframe: Wednesday 04-03-2015 18:00 − Thursday 05-03-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** MICROSYS PROMOTIC Stack Buffer Overflow ***
---------------------------------------------
This advisory provides mitigation details for a stack-based buffer overflow vulnerability in the MICROSYS, spol. s r.o. PROMOTIC application.
---------------------------------------------
https://ics-cert.us-cert.gov//advisories/ICSA-15-062-01
*** Adobe Launches Web Application Vulnerability Disclosure Program on HackerOne ***
---------------------------------------------
In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application ..
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1179
*** SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS) ***
---------------------------------------------
The module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch only. This vulnerability is mitigated by the fact that an attacker ..
---------------------------------------------
https://www.drupal.org/node/2445935
*** Cisco IOS XR Software Malformed RSVP Packet Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Cisco Secure Access Control Server Default Tomcat Administration Interface Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Toshiba Bluetooth Stack Untrusted Service Path Lets Local Users Gain System Privileges ***
---------------------------------------------
http://www.securitytracker.com/id/1031825
*** BIND DNSSEC Guide ***
---------------------------------------------
ISC has new documentation introducing DNSSEC, configuring BIND for common DNSSEC features, and basic DNSSEC troubleshooting. ISC's BIND DNSSEC Guide, co-written with DeepDive Networking, covers DNSSEC requirements, setting up a validating resolver, maintaining signed authoritative zones, and ..
---------------------------------------------
http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html
*** SANS ICS410 Vienna ***
---------------------------------------------
SANS presents the essential ICS/SCADA training course, ICS410 ICS Security Essentials. This specialist training event is running with the support of the International Atomic Energy Agency (IAEA) and follows the IAEA's International Conference on Computer Security in a Nuclear World, which takes place the preceding week in Vienna.
---------------------------------------------
https://www.sans.org/event/ics410-vienna-with-iaea
*** Malware "Casper": How the French spy in Syria ***
---------------------------------------------
Security researchers analyse malware that is probably deployed by France's intelligence services
---------------------------------------------
http://derstandard.at/2000012513213
*** Format Injection Vulnerability in Duo Security Web SDK ***
---------------------------------------------
Format Injection is not a new bug, but it was never described as a subclass of A1 Injection. You probably already hate me for giving it a name (at least I didn't create a logo!) but calling it an 'injection' is too general.
---------------------------------------------
http://sakurity.com/blog/2015/03/03/duo_format_injection.html
*** The State Of The Internet ***
---------------------------------------------
One great idea behind the internet is to connect devices from nearly every position on earth. Well, this idea sometimes has its drawbacks. In order to get an overview about devices that are actually connected, the University of ..
---------------------------------------------
https://splone.com/blog/2015/3/4/the-state-of-the-internet
*** Protection against the Freak attack: These browsers are affected ***
---------------------------------------------
The Freak attack compromises countless encrypted websites, and attackers could spy on sensitive data. Whether one is vulnerable to the attack, however, depends on the operating system, web browser and website visited.
---------------------------------------------
http://heise.de/-2567655
*** OpenSSL Cookbook 2nd Edition released ***
---------------------------------------------
Today we're releasing the second edition of OpenSSL Cookbook, Feisty Duck's free OpenSSL book. This edition is a major update, with some improvements to the existing text and new content added. The new edition has about 95 pages, an increase of about 35 pages.
---------------------------------------------
http://blog.ivanristic.com/2015/03/openssl-cookbook-second-edition-released…
*** Utilizing NLP To Detect APT in DNS ***
---------------------------------------------
Imagine that after a nice, relaxing long weekend, you come in to work Monday morning at your job at the bank. While waking up with a cup of coffee, you begin checking email. Among the usual messages, there's a message about a security update and you click it. Security updates are so common these days that it's ..
---------------------------------------------
https://labs.opendns.com/2015/03/05/nlp-apt-dns/
*** l+f: Expired SSL certificate at Visa ***
---------------------------------------------
If the browser shows a certificate warning when visiting Visa.de, an attack may be under way - or the admin forgot when the certificate expires.
---------------------------------------------
http://heise.de/-2568054
*** VB2014 paper: Leaving our ZIP undone: how to abuse ZIP to deliver malware apps ***
---------------------------------------------
Gregory Panakkal explains there are different ways of looking at APK files - and that sometimes has unintended consequences. Since the close of the VB2014 conference in Seattle in October, we have been sharing VB2014 conference papers as well as video recordings of the presentations. Today, we ..
---------------------------------------------
http://www.virusbtn.com/blog/2015/03_05.xml
*** Domain Trusts: Why You Should Care ***
---------------------------------------------
Red teams have been abusing Windows domain trusts for years with great success, but the topic is still underrepresented in public infosec discussions. While the community has started to talk more about Active Directory ..
---------------------------------------------
http://www.harmj0y.net/blog/redteaming/domain-trusts-why-you-should-care/
*** Decoding ZeuS Disguised as an .RTF File ***
---------------------------------------------
While going through emails that were reported by our internal users using Reporter, I came across a particularly nasty looking phishing email that had a .doc attachment. At first when I detonated the sample in my VM, it seemed that the attackers weaponized the attachment incorrectly. ..
---------------------------------------------
http://phishme.com/decoding-zeus-disguised-as-an-rtf-file/
=======================
= End-of-Shift report =
=======================
Timeframe: Tuesday 03-03-2015 18:00 − Wednesday 04-03-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Data security: Smartphones are to become more secure - at least a little ***
---------------------------------------------
How can mobile devices be made, if not secure, then at least less insecure? In Barcelona, Silent Circle, Jolla and Qualcomm present their ideas.
---------------------------------------------
http://www.golem.de/news/datensicherheit-smartphones-sollen-sicherer-werden…
*** phpMoAdmin 0-day Nmap Script ***
---------------------------------------------
A 0-day vulnerability has been posted on Full-Disclosure this morning. It affects the MongoDB GUI phpMoAdmin. The GUI is similar to the well-known phpMyAdmin and allows the DB administrator to perform maintenance tasks on the ..
---------------------------------------------
http://blog.rootshell.be/2015/03/04/phpmoadmin-0-day-nmap-script/
*** Freak Attack: SSL encryption of millions of websites attackable ***
---------------------------------------------
When users of Apple and Android devices visit one of the millions of websites vulnerable to the Freak attack, a man-in-the-middle can crack the encrypted connections. Attackers can not only read data but also manipulate it.
---------------------------------------------
http://heise.de/-2566444
*** CryptoFortress : Teerac.A (aka TorrentLocker) got a new identity ***
---------------------------------------------
Blitz post. I was hunting for Gootkit (pushed in a Nuclear Pack instance in France those days) but instead I got a Teerac.A.
---------------------------------------------
http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html
*** SuperFish SSL Sniffing ***
---------------------------------------------
Let's start off by saying that SuperFish may top Adobe's ColdFusion un-authenticated remote code executions versions 6-10. Although, Adobe may not have put those vulnerabilities in there themselves and knowingly, Lenovo has no excuse.
---------------------------------------------
http://pashakravtsov.com/2015/03/03/SuperFish-SSL-Sniffing/
*** Forensics training: Tracking down Shellshock traces in server logs ***
---------------------------------------------
The European security agency ENISA has updated its training material for network forensic analysis and added new topics.
---------------------------------------------
http://heise.de/-2566554
*** Threat Spotlight: Angler Lurking in the Domain Shadows ***
---------------------------------------------
Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant accounts to create large amounts ..
---------------------------------------------
http://blogs.cisco.com/security/talos/angler-domain-shadowing
*** A Few Thoughts on Cryptographic Engineering ***
---------------------------------------------
This is the story of how a handful of cryptographers hacked the NSA. It's also a story of encryption backdoors, and why they never quite work out the way you want them to.
---------------------------------------------
http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-fac…
*** Google: Chrome support for Android 4.0 is being discontinued ***
---------------------------------------------
The Chrome browser will receive updates for Android 4.0 for only a few more weeks. After version 42, support ends. The rising maintenance effort for the three-and-a-half-year-old Android is no longer justified, says Google.
---------------------------------------------
http://www.golem.de/news/google-chrome-support-fuer-android-4-0-wird-einges…
*** Skyfall Meets Skype ***
---------------------------------------------
The portmanteau-named SKYPEFALL.EXE is the latest, very active, malware-spamming campaign spreading through Skype.
---------------------------------------------
http://securelist.com/blog/incidents/69065/skyfall-meets-skype/
=======================
= End-of-Shift report =
=======================
Timeframe: Monday 02-03-2015 18:00 − Tuesday 03-03-2015 18:00
Handler: Alexander Riepl
Co-Handler: n/a
*** Ads Gone Bad ***
---------------------------------------------
FireEye Labs tracks malvertising activity and recently discovered hundreds of sites that may have been exposed to malvertisements via abuse of ad networks that use real-time bidding (RTB). Since February 4, 2015, FireEye Labs has seen over 1,700 advertiser RTB requests that resulted in downloading of malicious SWF files. We believe this activity is part of an active malvertising operation.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2015/03/ads_gone_bad.html
*** D-Link Routers Haunted by Remote Command Injection Bug ***
---------------------------------------------
Some D-Link routers contain a vulnerability that leaves them open to remote attacks that can give an attacker root access, allow DNS hijacking and other attacks. The vulnerability affects a number of D-Link's home routers and the key ..
---------------------------------------------
http://threatpost.com/d-link-routers-haunted-by-remote-command-injection-bu…
*** Older Keen Team Use-After-Free IE Exploit Added to Angler Exploit Kit ***
---------------------------------------------
Attackers behind one of the more popular exploit kits, Angler, have added a tweaked version of an exploit from last fall, a use-after-free vulnerability in Microsoft's Internet Explorer browser.
---------------------------------------------
http://threatpost.com/older-keen-team-use-after-free-ie-exploit-added-to-an…
*** How to keep your Smart Home safe ***
---------------------------------------------
The Internet of Things (IoT) devices can help you save time and hassle and improve your quality of life. As an example, you can check the contents of your fridge and turn on the oven while at the grocery store thus saving money, uncertainty, and ..
---------------------------------------------
https://www.f-secure.com/weblog/archives/00002792.html
*** Symantec NetBackup OpsCenter Server Javascript Injection RCE ***
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se…
*** SSH client Putty: Almost forgotten security hole closed ***
---------------------------------------------
The creator of Putty apologises for having taken a year and a half to fully close a security hole, and adds further bug fixes and two new features to the new version.
---------------------------------------------
http://heise.de/-2563230
*** SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass ***
---------------------------------------------
https://www.drupal.org/node/2428851
*** New gTLD Portals Taken Offline by ICANN Due to Security Flaw ***
---------------------------------------------
The Internet Corporation for Assigned Names and Numbers (ICANN) shut down two new generic top-level domain (gTLD) portals on February 27 after learning of a vulnerability that could have been exploited to view users' data.
---------------------------------------------
http://www.securityweek.com/new-gtld-portals-taken-offline-icann-due-securi…
*** Cyber criminals target call center operators in Apple Pay fraud schema ***
---------------------------------------------
Cybercriminals are targeting call center operators in Apple Pay fraud to circumvent the checks implemented by Apple, banks and card issuers. The security expert Cherian Abraham revealed a spike in the fraud on Apple's ..
---------------------------------------------
http://securityaffairs.co/wordpress/34359/cyber-crime/apple-pay-fraud.html
*** Captcha <= 4.0.6 - Captcha Bypass ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7822
*** Financial Trojans in 2014: Takedowns contributed to 53 percent drop in infections, but threat is still prevalent ***
---------------------------------------------
While the number of financial Trojan detections decreased in 2014, the threat was still ..
---------------------------------------------
http://www.symantec.com/connect/blogs/financial-trojans-2014-takedowns-cont…
*** phpMoAdmin Zero-day Vulnerability Puts Websites Using MongoDB at Risk ***
---------------------------------------------
About two weeks back, over 40,000 organizations running MongoDB were found unprotected and vulnerable to hackers. Now, once again the users of MongoDB database are at risk because of a critical zero-day vulnerability making ..
---------------------------------------------
http://thehackernews.com/2015/03/phpMoAdmin-mongoDB-exploit.html
*** Ted Unangst: OpenBSD wants to make browsers more secure ***
---------------------------------------------
At least one web browser is to be hardened by implementing a memory policy from OpenBSD. For this, the operating system's foundation is paying a developer with Libressl experience.
---------------------------------------------
http://www.golem.de/news/ted-unangst-openbsd-will-browser-sicherer-machen-1…
*** Thanks for the Memories: Identifying Malware from a Memory Capture ***
---------------------------------------------
We've all seen attackers try and disguise their running malware as something legitimate. They might use a file name of a legitimate Windows file or even inject code into a legitimate process that's already running. Regardless of how it's done, that code has to run, which means it has to be in memory. Somewhere.
---------------------------------------------
http://www.contextis.com/resources/blog/thanks-memories-identifying-malware…
*** LogPOS - New Point of Sale Malware Using Mailslots ***
---------------------------------------------
There has been an explosion in POS malware in the last year. At Morphick, Jeremy Humble and I found 2 undiscovered families in 2014 and we just found our first new family of 2015. This new malware, which we're calling ..
---------------------------------------------
http://morphick.com/blog/2015/2/27/mailslot-pos
*** Change to Lollipop Encryption Policy May Not Have Much Effect, Experts Say ***
---------------------------------------------
Google has made a subtle, but important, shift in the requirements for Android handset makers, saying now that OEMs manufacturing phones that will run Lollipop do not have to enable disk encryption by default. This is a major change from the ..
---------------------------------------------
http://threatpost.com/change-to-lollipop-encryption-policy-may-not-have-muc…
*** Cisco Network Analysis Module Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
=======================
= End-of-Shift report =
=======================
Timeframe: Friday 27-02-2015 18:00 − Monday 02-03-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Abusing Blu-ray Players Pt. 1 - Sandbox Escapes ***
---------------------------------------------
tl;dr: In today's (28 February) closing keynote talk at the Abertay Ethical Hacking Society's Securi-Tay conference I discussed how it was po ...
---------------------------------------------
https://www.nccgroup.com/en/blog/2015/02/abusing-blu-ray-players-pt-1-sandb…
*** dnstest - Monitor Your DNS for Hijacking ***
---------------------------------------------
In light of the latest round of attacks against and/or hijacking of DNS, it occurred to me that most people really don't know what to do about it. More importantly, many companies don't even notice they've been attacked until a customer complains. Especially for smaller companies who may not have as many customers, or only...
---------------------------------------------
https://blog.whitehatsec.com/dnstest-monitor-your-dns-for-hijacking/
*** Virtualization Incident Response ***
---------------------------------------------
Virtualization is a game changer, this session looks at the new world of virtualization and the impact on Incident Response & Computer Forensics. Details include answers to several important questions: Is forensics more difficult or perhaps actually easier in the virtual realm? What do I image if the Data Store has PI from 200 different companies on it that are not subjects to the investigation? Where are virtual machine files stored? What files are of forensic value? What about all of...
---------------------------------------------
http://blog.malwareresearch.institute/video/2015/02/27/virtualization-incid…
*** TorrentLocker campaign uses email authentication to tune the operations ***
---------------------------------------------
The emails of a new TorrentLocker campaign use Domain-based Message Authentication, Reporting and Conformance (DMARC) to avoid detection and collect data. Cyber criminals are continuously improving the technique to spread malicious code and avoid detection systems. Recently security experts at Trend Micro noticed an improvement in the evasion techniques implemented by malware authors to spread the...
---------------------------------------------
http://securityaffairs.co/wordpress/34268/cyber-crime/new-torrentlocker-cam…
*** The Rmnet botnet is very much alive! ***
---------------------------------------------
February 27, 2015: Despite the numerous reports of news agencies that Europol held a massive operation to stop the Rmnet botnet, Doctor Web's analysts continue to monitor this botnet's activity. According to the media reports, the staff of the British police's office engaged in combating cyber crimes, together with experts from Germany, Italy and the Netherlands, has suppressed the activity of several major Rmnet command and control servers. According to the news reports, on February 24, 2015 command...
---------------------------------------------
http://news.drweb.com/show/?i=9310&lng=en&c=9
*** The return of the dangerous Trojan for Mac OS X ***
---------------------------------------------
February 27, 2015: Doctor Web analysts conducted research on a new version of the backdoor Trojan for Mac OS X named Mac.BackDoor.OpinionSpy.3. This malicious program is intended to spy on Mac users: it can collect and transmit information about loaded web pages to the attackers, analyze the traffic passing through the computer's network card, intercept the network packets sent by instant messaging programs and perform some other dangerous features. Mac.BackDoor.OpinionSpy programs have been...
---------------------------------------------
http://news.drweb.com/show/?i=9309&lng=en&c=9
*** OWASP ProActive Controls: Part 1 ***
---------------------------------------------
What is OWASP ProActive Controls? In one line, this project can be explained as "Secure Coding Practices by Developers for Developers". OWASP ProActive Controls is a document prepared for developers who are developing or are new to developing software/application with secure software development. This OWASP project lists 10 controls that can help a developer implement...
---------------------------------------------
http://resources.infosecinstitute.com/owasp-proactive-controls-part-1/
*** Xen Hypervisor Flaws Force Amazon, Rackspace to Reboot Servers (SecurityWeek) ***
---------------------------------------------
Rackspace, Amazon, Linode and likely other cloud providers will reboot some of their servers over the next week after they patch several vulnerabilities affecting the Xen open-source hypervisor.
---------------------------------------------
http://www.securityweek.com/xen-hypervisor-flaws-force-amazon-rackspace-reb…
*** Zero-day vulnerabilities in Seagate's Business NAS ***
---------------------------------------------
Anyone using a Seagate Business NAS should make sure it is not reachable from the internet. The web interface has critical vulnerabilities for which a matching exploit is already circulating.
---------------------------------------------
http://heise.de/-2563240
*** Cisco ACE 4710 Application Control Engine and Application Networking Manager Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
CVE-2015-0651
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Cisco Unified Web Interaction Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
CVE-2015-0655
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** IBM Security Bulletin: A page in IBM Curam Universal Access contains a risk of Sensitive Information Exposure (CVE-2014-4804) ***
---------------------------------------------
2015-02-27T18:10:56-05:00
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21695931
*** Jetty 9.2.8 Shared Buffer Leakage ***
---------------------------------------------
Topic: Jetty 9.2.8 Shared Buffer Leakage Risk: High Text:GDS LABS ALERT: CVE-2015-2080 JetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server SYNOPSIS == Go...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015020151
*** Apache Standard Taglibs 1.2.1 XXE / Remote Command Execution ***
---------------------------------------------
Topic: Apache Standard Taglibs 1.2.1 XXE / Remote Command Execution Risk: High Text:CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags Severity: Important Vendor: The Apache Software Foundation ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015020154
*** HPSBST03274 rev.1 - HP XP P9000 Command View Advanced Edition Software Online Help for Windows and Linux, Remote Cross-site Scripting (XSS) ***
---------------------------------------------
Potential security vulnerabilities have been identified with HP XP P9000 Command View Advanced Edition Software Online Help for Windows and Linux. The vulnerabilities could be exploited resulting in remote Cross-site scripting (XSS).
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…
*** IP Blacklist Cloud - SQL Injection ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7816
*** WP-ViperGB 1.3.10 - XSS Weakness and CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7817
=======================
= End-of-Shift report =
=======================
Timeframe: Thursday 26-02-2015 18:00 − Friday 27-02-2015 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** #JetLeak: Jetty web server leaks connection data ***
---------------------------------------------
The Jetty server is embedded in Hadoop, Heroku, Eclipse and Google AppEngine, among others. Attackers can use a newly discovered hole to spy on data from other users' connections.
---------------------------------------------
http://heise.de/-2560894
*** Spam Uses Default Passwords to Hack Routers ***
---------------------------------------------
In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims. Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam...
---------------------------------------------
http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-rout…
*** Adventures in Xen exploitation ***
---------------------------------------------
tl;dr: This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217). This issue was patched in June 2012 and was dis ...
---------------------------------------------
https://www.nccgroup.com/en/blog/2015/02/adventures-in-xen-exploitation/
*** Security tool PrivDog phones home - unencrypted ***
---------------------------------------------
The supposed security tool PrivDog is under criticism again, because it sends every visited URL unencrypted to the manufacturer.
---------------------------------------------
http://heise.de/-2560926
*** Dridex Downloader Analysis ***
---------------------------------------------
Introduction Yesterday I received in my company inbox an email with an attached .xlsm file named D92724446.xlsm coming from Clare588(a)78-83-77-53.spectrumnet.bg. Central and local AV engines did not find anything malicious, and a multiengine scan got 0/57 as a result. I decided to investigate a little more in-depth in order to confirm that it was a malicious file...
---------------------------------------------
http://resources.infosecinstitute.com/dridex-downloader-analysis/
*** D-Link remote access vulnerabilities remain unpatched ***
---------------------------------------------
D-Link routers have several unpatched vulnerabilities, the worst of which could allow an attacker to gain total control over a device, according to a systems engineer in Canada. Peter Adkins, who does security research in his free time, released details of the flaws on Thursday. Adkins said in a phone interview that he has been in intermittent contact with D-Link since Jan. 11 on the issues, but the company has not indicated when it might patch.
---------------------------------------------
http://www.cio.com/article/2889994/dlink-remote-access-vulnerabilities-rema…
*** Microsoft Malware Protection Center assists in disrupting Ramnit ***
---------------------------------------------
Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol's European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft's Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC). The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit - The...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2015/02/25/microsoft-malware-protec…
*** The Evil CVE: CVE-666-666 - "Report Not Read" ***
---------------------------------------------
I had an interesting discussion with a friend this morning. He explained that, when he is conducting a pentest, he does not hesitate to add sometimes in his report a specific finding regarding the lack of attention given to the previous reports. If some companies are motivated by good intentions and ask for regular pentests against their infrastructure or a specific application, what if they even don't...
---------------------------------------------
http://blog.rootshell.be/2015/02/26/the-evil-cve-cve-666-666-report-not-rea…
*** Weekly Metasploit Wrapup ***
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2015/02/26/weekly-me…
*** Threatpost News Wrap, February 27, 2015 ***
---------------------------------------------
Mike Mimoso and Dennis Fisher discuss the news of the last week, including the Superfish fiasco, the Gemalto SIM hack controversy and the continuing NSA drama.
---------------------------------------------
http://threatpost.com/threatpost-news-wrap-february-27-2015/111312
*** VMSA-2015-0001.1 ***
---------------------------------------------
VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2015-0001.html
*** Security Advisory: BIG-IP ASM cross-site scripting (XSS) vulnerability CVE-2015-1050 ***
---------------------------------------------
(SOL16081)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/16000/000/sol16081.htm…
*** Security Advisory: OpenSSL vulnerability CVE-2014-0160 ***
---------------------------------------------
(SOL15159)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/100/sol15159.htm…
*** Security Advisory: XSS vulnerability in echo.jsp CVE-2014-4023 ***
---------------------------------------------
(SOL15532)
---------------------------------------------
https://support.f5.com:443/kb/en-us/solutions/public/15000/500/sol15532.htm…
*** Cisco Security Notices ***
---------------------------------------------
*** Vulnerability in IPv6 Neighbor Discovery in Cisco IOS and IOS-XE Software ***
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Vulnerability in Authentication Proxy Feature in Cisco IOS Software ***
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…
*** Cisco Common Services Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
*** Cisco ACE 4710 Application Control Engine and Application Networking Manager Cross-Site Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015…
---------------------------------------------
*** DSA-3176 request-tracker4 - security update ***
---------------------------------------------
Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. The Common Vulnerabilities and Exposures project identifies the following problems:
---------------------------------------------
https://www.debian.org/security/2015/dsa-3176
*** Network Vision IntraVue Code Injection Vulnerability ***
---------------------------------------------
This advisory provides mitigation details for a code injection vulnerability in Network Vision's IntraVue software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-057-01
*** [2015-02-27] Multiple vulnerabilities in Loxone Smart Home ***
---------------------------------------------
Multiple design and implementation flaws within Loxone Smart Home enable an attacker to control arbitrary devices connected to the system, execute JavaScript code in the user's browser, steal the user's credentials and cause a denial of service.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2015…
*** TYPO3 CMS 6.2.10 released ***
---------------------------------------------
The TYPO3 Community announces the version 6.2.10 LTS of the TYPO3 Enterprise Content Management System.
---------------------------------------------
http://www.typo3.org/news/article/typo3-cms-6210-released/
*** IBM Security Bulletin: Rational Integration Tester component in Rational Test Workbench affected by Netty vulnerability (CVE-2014-3488) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21695042
*** IBM Security Bulletin: Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server affected by Castor Library vulnerability (CVE-2014-3004) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg21695037
---------------------------------------------
*** Huge-IT Slider - SQL Injection ***
https://wpvulndb.com/vulnerabilities/7811
*** CrossSlide jQuery Plugin <= 2.0.5 - Stored XSS & CSRF ***
https://wpvulndb.com/vulnerabilities/7812
*** WPBook - CSRF ***
https://wpvulndb.com/vulnerabilities/7813
*** WPBook <= 2.7 - Cross-Site Request Forgery (CSRF) ***
https://wpvulndb.com/vulnerabilities/7813
*** WP Media Cleaner <= 2.2.6 - Cross-Site Scripting (XSS) ***
https://wpvulndb.com/vulnerabilities/7814
---------------------------------------------